Late Sunday night my husband was working on his blog when he decided to check out one of his trackbacks. Bad idea. He was immediately redirected to a fake anti-virus site and, even though he knows not to click on anything and shut the browser down via Task Manager, somehow the program, called Vista Internet Security 2010, installed itself anyway! He was immediately tormented by pop-up after pop-up with dire warnings like:
Intercepting programs that may compromise your privacy and harm your system has been detected on your PC. It’s highly recommended you scan your PC right now.
Continue working in unprotected mode is very dangerous. Virus can damage your confidential data and work on your computer. Click here to protect your computer.
All fake, of course. A fake version of the Windows Security Center opened up as well, and it claimed that his anti-virus and firewall were nowhere to be found. The infection happened about 11pm and it took me until 8am to finally get him back to a clean system. This rogue anti-virus is particularly nasty and frightening too. Here’s why:
- Our firewall didn’t stop it and neither AVG nor Malwarebytes detected it when I ran scans with each of them. They are both fully updated, so this means either this rogue is so new the anti-virus programs haven’t caught up with it yet, or it is able to avoid detection/disable anti-virus programs.
- It completely disabled Windows Security Center. Even when I went to Control Panel and launched it there, it presented me with the fake one.
- It dropped a nasty Trojan that inserts a browser hijack into every browser it finds installed on the system. The hijack throws up a fake warning that the site you are accessing is infected and keeps redirecting you to scam sites.
- It also dropped a keylogger, not the fake one it claims Firefox is infected with, but a real one. For those not familiar with the term, a keylogger is a malicious program that records everything typed into a computer, saves that info, and sends it off to the hackers. So if you have a keylogger installed and log into, say, PayPal or your bank, the hacker gets your login and password.
So how did I clean up the mess? Well, since neither Malwarebytes nor AVG was able to detect the malicious files, first I went to my computer and downloaded Malwarebytes to a flash drive and tried to run it on the infected system. No dice. I then opened the Windows Registry and tried to delete the files it had placed there, but I was denied access. Finally I fought through the redirects, went to Trend Micro’s site and used their HouseCall scanner. I did two full scans and it found all the nasty files and deleted them. Once the system was clean I ran a HijackThis log to make sure no rogue files were lurking around, plus another virus scan. Once I was confident the system had been cleared, I had my husband change the password to every site, service and forum he’s registered with.
If you find yourself redirected to a fake anti-virus site, shutting down the browser via Task Manager may not be enough. If it’s not, the first thing to do is disconnect any other computers from your network, if you have one. This will keep all of them from getting infected if the rogue anti-virus happens to be network aware. If your anti-virus software didn’t catch the infection, it’s probably been disabled, or the variant is so new the anti-virus companies haven’t caught up yet. It is possible to manually delete some of these rogue anti-virus programs, but if you get an access denied error or you don’t feel comfortable messing with your registry (if you don’t know what you’re doing you can render your entire computer inoperable!), try using another computer to download an anti-virus program to a flash drive, or use an online scanner like HouseCall.
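A post-cleanup check along the lines of the HijackThis log mentioned above, written here as an added example rather than anything from the original post. It assumes a Windows system and an Administrator PowerShell window, and lists the standard Run/RunOnce autostart keys, non-default hosts file entries, the state of the Security Center and Windows Firewall services, and the current user’s proxy settings. The hosts file and proxy checks cover common browser-redirect mechanisms in general; the post did not identify which mechanism this particular rogue used.

```powershell
# Added example (not from the original post): a quick post-cleanup audit,
# roughly the ground a HijackThis log covers. Run as Administrator on the
# cleaned machine and read the output by hand; nothing here deletes anything.

# Standard autostart locations where rogue anti-virus programs register themselves.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

Write-Host "== Autostart entries (anything you do not recognise deserves a look) =="
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Write-Host $key
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    }
}

# A common browser hijack: the hosts file is pointed at attacker-controlled addresses.
# Print every address line except the stock 127.0.0.1 localhost entry.
Write-Host "== Non-default hosts file entries =="
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath |
    Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost' }

# Services the rogue hid behind its fake Security Center: wscsvc is the real
# Security Center, MpsSvc is the Windows Firewall. Both should be Running.
Write-Host "== Security service status =="
Get-Service -Name wscsvc, MpsSvc -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status

# A silently added proxy or auto-config URL is another way to redirect every browser.
# Expect ProxyEnable 0 and empty ProxyServer/AutoConfigURL on a home machine.
Write-Host "== Proxy settings (HKCU) =="
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL
```

Treat the output as a checklist rather than a verdict: an unfamiliar autostart entry, a hosts line mapping a bank or anti-virus vendor’s name to some other address, a stopped Security Center or firewall service, or a proxy you never set are each reasons to run another full scan before trusting the machine again.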
How do you prevent infections in the first place? Think before clicking on any link. If it’s got gibberish in it, came in an email from a stranger, or came from a friend but with no explanation, delete it. When dealing with shortened links like bit.ly, don’t click unless you know and trust the source completely. Never ever click on a banner ad or pop-up that warns you your system is infected, and always keep your anti-virus program updated and your firewall on. It’s not foolproof, but following these steps will significantly reduce your chances of getting infected.