Fake AntiVirus At Epidemic Proportions

av2009

YOUR COMPUTER IS INFECTED!

Download AV 2009 now.


Each week I see computers hog tied by Trojans masquerading as AntiVirus and Protection software. Sometimes it’s a neighbor and sometimes it’s a friend, but the story is always the same. “A pop-up said I was infected, so I downloaded a program to remove it.”

The warnings look real, mimicking Microsoft or well known AntiVirus products. The names sound legitimate.

coreav-scaled1

Once you click the link, you’ve been scammed. The link will direct you to buy a product, bilking you of your hard earned cash. Then it scans your computer looking to find more credit and banking information, and you know it will find it.

Can it get any worse? Why sure it can. After you’ve been scammed by false pop-ups, after you’ve paid good money to the very people who gave you the crapware, and after they receive and sell your personal information, they can then connect your system to botnets. Botnets which leave your computer vulnerable to a whole world of scammers and thieves. An automated thief that never tires of passing along your personal information for a profit.

When I tell people what has happened they immediately ask, ” How am I supposed to know what’s real and what’s not?”

HOW TO IDENTIFY ROGUE MALWARE

1. Check questionable files. There are several places that offer lists of known malware. Not as many have libraries of thousands of files, malicious or not. PC Pitstop has one of the best. It gives you complete information on malware and safe files. Search the file in our PC Pitstop Processes Library. Use it to identify files that you suspect are malicious. The legend helps determine whether the file is safe, spyware, or virus. There are thousands of files in this list and all have been identified and labeled.

process-scallllll

2. Use Google search. This is the quickest and easiest way to check whether a program or process is legitimate. It also requires that you make a judgment on the results you find. You’ll quickly learn to spot key words and phrases like Remove, How To Uninstall, Free Removal Tool. It’s always best to NOT INSTALL a program you can’t identify.

3. Use a good AntiVirus software to protect your system against infections. Be aware that all antivirus software are not created equal. I have compiled a list of reputable and effective software companies that I use and that we suggest through our help desk. Be sure to update the definitions regularly and use realtime protection. These programs work when others don’t. When every minute counts you can’t waste time with products that don’t find and remove the threat.

Safe Antivirus Software
  • Avast from ALWIL **
  • AVG
  • Comodo
  • F-Secure
  • Kapersky
  • Malwarebytes **
  • Norman
  • Superantispyware **

Knowing that you’re infected can initially be tough to figure out, but once it takes hold this crapware prevents you from accessing sites on the Internet, particularly sites that could help remove it. Then, as if that weren’t enough, you’ll find you’re unable to download anything. You especially can’t download antivirus software, and if you can download it, you won’t be able to open or run it. CAN’T ACCESS INTERNET, CAN’T DOWNLOAD PROGRAMS, CAN’T INSTALL PROGRAMS, just perfect. Now what do I do?

INFECTED NOW WHAT

Take action immediately to remove the already introduced malware. Know that once you see these pop-ups, you are already infected and that taking the wrong steps can only let the infection strengthen. If you wait too long, your system will literally come to a halt. No downloads, no internet access. Yes, these beasts prevent you from accessing the very sites that could offer you assistance with legitimate antivirus removal tools. Eventually there is no escape without spending big bucks to erase your drives and reinstall Windows.

We of course recommend Exterminate but be aware that no single software can cover all threats. Use a minimum of two programs to search out threats. If you would rather take advantage of the free programs available, choose one from those suggested in our Safe Software list above.

If you are experiencing these symptoms please take the following action immediately.

HOW TO REMOVE ROGUE SOFTWARE

1. Boot into SafeMode With Networking. To do this, reboot your system while continuously tapping the F8 Key.

2. At the Options screen choose SafeMode With Networking.

3. Download each of the following free software programs.

a. Malwarebytes

b. Superantispyware

c. Avast Home

d. Exterminate scan

4. Be sure to update the definitions for each program before running. These threats are changing by the hour and updating definitions is a must. Without updating, you are wasting your time.

5. Once you have downloaded and installed at least two of these, I suggest Avast Home as a second choice, turn off your system restore, and run the antivirus. It’s necessary to turn off system restore because this is a favorite hiding place of Fake AntiMalware. Turning it off allows access to your complete drive. The restore function is usually disabled by the virus anyway so your not loosing anything. Running System Restore when infected only strengthens the trojans hold.

6. If given the option, allow the programs to check memory and boot sector on reboot.

7. I would run each program at least once in SafeMode With Networking and again in regular Windows Mode.

8. When clear, be sure to turn on System Restore and create a new clean restore point.

If fortunate, you’ll successfully remove these threats, but be aware that these nasty thieves are getting better and better at disguising themselves. If ignored for too long, their strangle hold is impossible to break.

____________________________________________________

PITSTOP MALICIOUS PROCESS LIBRARY

LINKS TO FREE AV


Malwarebytes

Superantispyware

PREVIOUS ARTICLE ON CONFICKER WORM REMOVAL

Conficker Worm Removal

386 total views, 4 views today

(Visited 46 times, 1 visits today)

36 thoughts on “Fake AntiVirus At Epidemic Proportions

  1. Here’s a quick fix. In safe mode, go to:
    StartRun, type in msconfig. Click the startup tab and look at your items. Note anything that looks weird like “goronc” or “bhqrzt”. If in doubt about the file google it if you’re able to. Look at the location of the file then go to this location and manually delete this file. Then, go to: StartControl PanelInternet OptionsAdvanced then click the reset button to reset your browser. Restart your PC and you should be good to go.

  2. In my running processes, I have svchost.exe listed 8 times, all with different PID #’s. Are any of these legit, or how to tell??

  3. My Daughter was doing her maths homework on a website, mymaths.co.uk recommended by her school. The school had a few hits which they dealt with as they are filtered to the hilt, but they still gave it out for children to use on their PC. My Daughter clicked on an answer box in the subject section she was on, and the scamming thing popped up by itself, fake AV. We phoned dad up and he researched for us and got us to load the malwarebytes site, and it killed it, but not before we had tried Norton, Windows Defender and Tune-up, but malwares recommended by PC Pitstop did it! Thanks for info, no thanks to School………..!

  4. My granddaugther bought a Acer mini-laptop. In less than 1 week she had the AV 2009 malware on it. Spybot, AVG & McAfee will not remove it. I turned on Windows Defender that came preloaded on the computer and did a scan. This removed it. I think she picked it up off of MySpace or Facebook. This was the 3rd time I helped somebody remove it. Previously on other computers, I was able to turn it off and it didn’t run until a reboot was performed. I did finally find software that completely removed the malware.

  5. The fake scan we encountered downloaded automatically and there was no way to stop it. (on Mangafox.com) So, you don’t HAVE to click the thing at all. It just pops up like a pop-up ad. It did it to my laptop, too, but fortunately Vista always asks for confirmation, so I got to say no.

  6. The more people I talk to the more I find out how bad this was. Most of my friends found that it invaded Facebook and Twitter. Thanks for your advice, I’ll pass along the next time I get one of those panic calls (hey dude what do I to fix this?)

  7. I just recently had a call from one of my friends that got hit with this while using Facebook. Good thing I just read your article. It saved us from a lot of useless work. Thanks.

  8. In regard to the fake AV programs. A few weeks back my brother-in-law ask me to come help him. He had no AV installed and his PC was a mess! In the taskbar on the desktop was this realistic looking icon with a message that “Your PC has 3,126 virues”. I worked on that thing for over 3 hours and was about to give up when I remembered one last thing I had not tried. I opened up
    msconfigstartup and there it was! I unchecked everything
    in there, restarted, went to Programs on the HD and deleted the hateful thing! My brother-in-law installed AVG and it has so far not showed its ugly face again.
    Albert

  9. Great information! I know a girl named Joy that just had her computer corrupted and then she spent $300 to get it fixed. I’ll pass this information on to her because she needs it.

    Thanks for the great article

  10. Just thought of something I need help with… I get spam and one of the ones I get has “me” in the “from” line. I tried to set up a filter to delete any emails that are from “me”. It made a mess trying to delete all the emails I’ve ever sent because gmail shows all of my own emails as coming from “me” too. How can I filter this spam out?

  11. Steve, great article and very informative. My Mom’s in Boynton Beach with problems on her computer…know anyone on that side who will help a senior (81) as a good Samaritan volunteer?

  12. David A, Spybot S&D is an excellent program that I use occasionally. What I recommend is what I’ve found most effective. Spybot would certainly be a good additional program to use. I also use HJT or HiJack This, but because it can ruin your installation I don’t recommend it to the average user without getting some trained help.

    We also have a help forum completely devoted to the removal of Virus, spyware, and HiJackers. Excellent help there. http://forums.pcpitstop.com/index.php?s=1958cd855e408f4106a65318eece5b49&showforum=9

  13. I got one when I clicked a link the the latest Pcpitstop newsletter. I killed it with end task. Then I wasn’t able to get on to Pcpitstop after that. I’m using another computer and was able to get on to Pcpitstop but got the same kind of redirect when I clicked the link for newsletter archives.

    I have some of the suggested software but I have a problem. I can not run my computer in safe mode because I am blind and screen readers do not run in safe mode. So, I have to find someone to help me clean both computers.

  14. B R DULLITH , a few of my friends had antivirus system pro also . I shut it down with killbox . Then removed it with Superantispy . I added these programs with a thumbdrive .Hope this helps !

  15. I got it. It was called System Security.I got on to Bigpond Security by phone and was put on to GIZMO.$99 and 2 hours later they got rid of it using Safemodea etc and Malware.

  16. Im a computer repair tech. And I found out the best way to avoid getting this fake antivirus is to install netcraft. It would stop the site from loading up. It install on your browser and it monitors fake web sites.

  17. Have you heard of “Antivrus System PRO”?
    This one is a real bear. I was invaded last weekend. Luckily I have two hard drives and can only use one at a time. I was still able to access the NET with my uninfected drive. The afore mentioned malware takes control of your system very quickly. I Googled the subject and tried “geekpolice.net” as well as “bleepingcomputer.com”. The only answers I got from them was to purchase software after running a “FREE” scam…scan. The only way I was able to get rid of it was to run a total format-reinstall of the operating system. Do you have any suggestions.

  18. I was quite surprised that your list of safe antivirus software did not include either McAfee or Norton.

    These fake antivirus are becoming even worse. I’ve had some that you cannot navigate away from their site without closing the tab. Sometimes you even have to close the entire session (all tabs). I also had one time when the only way to kill it was by using Task Manager.

    Any suggestions for dealing with those?

  19. Oh and I would add: As soon as you get your computer functional and seemingly-clean via a small number of established tools as mentioned in this article, generate some additional reports with a greater variety of recommended tools (e.g. online scans, HijackThis, etc.). Often each finds different things, and once a computer is infected it is especially vulnerable, and additional opportunistic infections may have piggybacked on the original one. If you need help with interpreting any reports/logs you generate, get thee to a reputable security forum where you can post your results.

    It’s worth the time — this be some serious stuff!

  20. Have seen this AVG “Lookalike” a while ago. Stubborn to remove. Best way is to move it to a cheap thumb drive and then throw it away. Only thorough solution I have really used that is predictable.

    There is a lot of “so called” Anti-Virus solutions out there. There is one on the top of the heap. Kaspersky! It is superior for two main reasons. First, hourly virus database updates. Second, most virus’s are written in the Ukraine. They are a twelve year old company based in Moscow, Russia. Have NEVER been compromised using Kaspersky. I highly recommend it.

  21. For people who don’t have a network set up and so can’t use the Safe Mode with Networking method, remember that you can put removal tools on external media from a different, functioning computer and use them in safe mode.

    (If it wouldn’t be easy for you to get to another computer, not a bad idea to create such emergency media in advance to have on hand. Even a somewhat outdated app may be enough to at least get your foot in the door of the battle.)

  22. I have a husband that clicks on anything that looks real.
    We got one.
    I ran our McAfee and Spybot and then downloaded AVG. It got it out.
    Thank you for telling everone

  23. Hi to all at Pitstop
    I had enormous problems with malware that in the end resulted in a complete system restore. I managed to burn some files and photos which were saved by e-mailing them to my brother as attachments.

    I had several ‘attacks’ including Zango, Blue Streak, Double Click and others. I had AdAware and AVG but these became unaccessible as I was told that I was not the ‘administrator’ of my own PC. Comodo constantly errored also. On investigation by a colleague who (lucky for me) runs an IT bureau it was discovered that even the PC address and ID had been hacked and changed to the extent that my PC wasn’t mine anymore. Luckily I NEVER buy online so no banking details are used or publicised. I had to crash everything and start again.

    I got rid of Norton and d’loaded Malwarebites, Spybot Search and Destroy, Comodo Firewall and AV and BOClean. Ever since nothing has got onto the PC and if stuff does, one sweep with Spybot or MWBites usually cleans everything. this and the usual getting rid of temporary stuff and regular disc cleaning and I’ve been safe ever since. I regularly receive and read Pitstop bulettins and they’re priceless for the depth of info and the different sites one can access through them. Great to know you.
    Cheers
    Sim

  24. That article is great! I sat here and laughed because me sister reports to me about every few months how her computer is no longer functioning because her Tweenage kids keep clicking on things that then bring it a scretching halt.

  25. Twice I was infected by fake anti-virus. Both times I removed it with Spybot Search and Destroy. I’m surprised that’s not on your list.
    .

  26. I believe I have succeeded in my battle with this beast. I’m going to give it a few days before I celebrate.
    I have to share with you something I got a laugh from with the first version that appeared.
    I was in a battle of wits with the popup screen. I would click to close it. It would switch up the position of the close button. I assume they were trying to get you to the edge of sanity and when you couldn’t take any more you would give your first born to make it stop! I don’t know how long our “battle” had gone on, but after one of my clicks no screen appeared. But I heard a small male voice say “you win!” I looked around to make sure I was still alone and waited for the next assault. But nothing! I just think that is funnier than heck.
    Unfortunately, my joy was short lived. A week or so later a new screen showed up. I almost cried when I saw it. But found your instructions and informative article. You saved my already fragile sanity and several others I’m sure. Thank You, Thank You, Thank You!

  27. Great information Tim. I use Firefox and IE but have not checked to see if Firefox was better at getting through the blockade that is put up.

    Will give that a go next time.

  28. I was called to help an elderly friend repair her computer already infected with this malware (virus). I was able to work around the malware (virus) before this article was released, lol which would not have mattered as PC Pitstop is blocked by the malware (virus) as well, I know I tried. With virtually no internet access on her computer I was able to download Firefox to replace the affected IE7. The malware (virus) did not try to stop this installation. Using Firefox I was able to download and install Avast and Malwarebyts. All attempts to download or search anything that would remove the Malware(virus) with IE7 was blocked.

  29. I’ve had that fake antivirus pop up on me before and when it did i killed the internet explorer process using the task manager without touching anything else on the screen and avoided all the problems. My girlfriend wasn’t as lucky with her laptop and got it. She couldn’t go online to get help but fortunatly her I put Norton Antivirus on it before it happened. It didn’t stop it from getting on her computer but it did monitor the registry changes the fake program made so after deleting the browser helper object it installed i was able to go online and research the problem and remove it. Its was a hassle but at least it failed in its atempts to steal info!

  30. Can you advise if PC Pitstop have a solution to removel of
    lbcore1.metacafe.com
    Every thing I try will not remove the issue.
    I’m using Trend Internet Security and have done a complete scan using Windows Mal. all with no success.

    Regards Laurie Garsden

  31. Great article, good advice. I got one of these “you are infected messages” but was fortunate enough to doubt the validity and checked with Shogan before acting on it. Thanks, Shogun, for keeping us on top of things.

  32. I believe I must be in “advanced meltdown” I got my laptop to save Superantispyware after several attempts. Now it says “The system administrator has set policies to prevent this installation”
    If only they used their powers for good! Wish me luck!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.