Millions of computers are being infected by fake anti-virus programs using names such as Antivirus XP 2008 and Antivirus 2009. We have seen a very large number of these infections since early August. Typically you will see a warning pop-up on your computer saying that it may be infected, and that you should scan your computer with this software. Even if you click on the "No" button, the software scan runs and almost immediately tells you that it has found a bunch of dangerous viruses. To remove these threats they advise you to pay them a lot of money. Strangely, no other anti-virus program is able to find these supposed threats. Instead all they find are Trojans, such as Zlob, which were used to load the fake warnings. Needless to say, you should never pay for a program that launched itself on your computer without you asking for it. Even if your computer really was infected, the chances are that this software will not remove any real infections.
When the warning appears.
The warning may appear to be from your anti-virus software, or Windows Defender, or Windows Security Center. Some even claim to be from Google.
Clicking "Cancel" or "No" buttons often has the same effect as clicking OK. It is safer to click on the X at the top right corner to close the window but sometimes even clicking on that X still runs the software. Instead, if you see such a fake warning, press Ctrl-Alt-Del to run Task Manager (provided that the infection has not disabled this) and then end the application.
If the rogue program gets established it will completely take over your computer, constantly popping up warnings and nagging you to purchase it. Some versions will block you from doing anything except entering your credit card number to "register" the software. Some users have been asked to pay $109 or even $149 to get rid of the threat but even then there is no guarantee that the threat will go away - the software on your computer can be used to download other malware.
Once upon a time it was easy to answer this question: you became infected by downloading a suspicious file (or "Trojan Horse") which was infected. Typical inducements were free videos, which when you downloaded them asked you to install a new "codec", or free ringtones for your phone. File sharing networks such as Limewire were common sources of infected files. Other dangerous web sites could be detected by free software such as Site Advisor, from Siteadvisor.com
Unfortunately now the criminals behind this scheme have found new ways to distribute their software: they are using the advertising servers used by many big web sites and have placed infected adverts there which include a link to download their Trojans along with the adverts. Consequently you could be infected just by visiting major web sites such as CNN or Myspace and then clicking on a completely innocent looking link.
Other infections come from spam emails claiming to show you video of the latest celebrity caught with her panties down. Any claims of "XXX rated videos of Madonna", "Angelique Jolie naked", and soon no doubt Britney, Lindsay or Paris, are likely to be tricks to get you to download the rogue program Antivirus 2009. Beware of any kind of attachment in emails, even one that might appear to be safe and even if it appears to have been sent by someone you know (senders may be forged, or else their computer may be infected).
Another new trick seems to involve the theft of friend lists from Myspace and Facebook profiles. You receive an email which appears to be from a friend, even links to a fake copy of their Profile page, and then invites you to view a "Youtube" video. The video, which is not really on Youtube, tells you it requires a "codec" to view it.
Other spam emails claim to be from trusted news sources such as CNN or MSNBC with an alarming headline (such as US troops invade Iran) and a link to click to read more. This link then takes you to a fake web site that asks you to download a video player.
However, provided that you have all the latest security updates for Windows, you can't get infected without some warning. A Windows or Internet Explorer security alert will pop up and you normally would have to agree to allow some software to run on your computer. The above tricks deceive you into expecting some kind of download - relying on the fact that most users don't understand what a codec is. Allowing teenagers to use your computer may be a significant source of infection. Some users though report that the software got onto their computer without any warning.
Removal can be very difficult, even for experts. There is big money being made from these programs and their authors make them as hard as possible to remove. They are able to employ some very clever programmers, who are constantly thinking of new methods of infection and new ways to hide their software. They have many hidden components and removing one causes the others to immediately replace it. They may search for and disable existing anti-virus software. They may disable System Restore, so preventing you from going back to a time before the infection. One of their tricks is to set a registry key that prevents you from editing the registry! They may even block installation of new anti-virus software.
In addition the software is frequently modified, sometimes as often as every other day, so that new versions escape detection by virus scanners. Once installed the software downloads new versions and updates itself daily.
The first thing to try is to see if your present anti-virus or anti-spyware software can remove the problem. Make sure you get the latest updates. Since the malware may install by means of a "root-kit" which hides files from detection, you should reboot in Safe Mode. To reach Safe mode restart Windows and then, after you see the initial Bios screen but before you see the first Windows splash screen, press the F8 key repeatedly. Timing is tricky on some computers (too early and you will get a keyboard failure warning, too late and it ignores the key) but if successful you will see a text menu that gives Safe mode (or Safe mode with Networking) as one of the choices). Run your anti-virus and anti-spyware scanners in safe mode.
Alternatively, if you have another computer available, you could remove the hard drive from the infected computer and connect it to your other computer for scanning. This needs some technical expertise though - if you are not familiar with dismantling computers, leave it to an expert.
You may find that your antivirus software has been removed or won't find the infection and so will need to download and install new software to fix the problem. Since the infection may block many antivirus makers' websites, try visiting http://www.filehippo.com/ which is a fast and reliable source of many popular programs.
Since the rogue software is constantly changing, you may need to download several programs before you find one that works on your particular variant. Some may partially remove the problem but leave remnants which reinstall it later. Reliable free anti-spyware tools include AVG version 8 (which includes both the Antivirus and Antispyware programs), Ad-Aware 2008, Spybot Search and Destroy, PC Tools Spyware Doctor or Malwarebytes Rogue remover http://www.malwarebytes.org/rogueremover.php
In addition, once you have identified the problem you face, use Google to search for manual removal instructions for that particular malware: like the removal procedures built into antispyware programs, these most likely won't work without modifying, because the software constantly changes file names and other details. However they will give you a good idea of where to look in order to find any components left behind by spyware removers.
To Prevent Future Infection
Hopefully by now you know enough to resist any emails purporting to show you naked pictures of popular celebrities. Be particularly careful if any video asks you to install a "codec" or other viewer software. Apart from that though, these programs have shown considerable ingenuity in finding new ways to get their software on to your computer and even experts are being fooled by them.
To guard against these threats make sure that you have up to date antivirus and antispyware software on your computer. Some security suites (including Kaspersky, F-Secure and AVG) cover both but apart from these, most anti-virus programs don't do a very good job of detecting spyware and you need additional protection. Having antivirus /anti-spyware software is no good unless the signature files are up to date against the latest threats. Check that your software updates automatically or else make sure you update it at least once a week.
You also need to make sure your software has "real-time" protection, constantly watching for suspicious changes. If yours doesn't, or if you want additional protection I recommend a neat little watchdog called WinPatrol, available free from http://www.Winpatrol.com/.
To avoid dangerous web sites I recommend Site Advisor from http://www.siteadvisor.com/ or else AVG now has its own very similar protection (using both of them may slow down display of web search results).
Better still there is a wonderful free service at http://www.opendns.com/ which will completely block access from your computer to many bad web sites. You can also configure it to block your children from accessing adult sites. DNS is the internet service that translates web site names like www.yahoo.com into the numeric addresses of the computer they reside on. Normally your computer will be using a DNS service provided by your Internet Service Provider. Switch to using the OpenDNS server and you can configure it to block requests for several categories of site. By blocking DNS requests for websites known to house harmful software, this service can prevent your computer downloading many harmful programs.
Finally, now that advertising on reputable web sites has become a major source of infections, you may want to consider software to block those annoying adverts. If you use Mozilla Firefox there is a free add-on available called Adblock Plus. When you install this you can choose from several filtering services, which block many ad servers, others can be blocked manually as you encounter annoying ads online.
Nerds in a Flash Support
Providing Computer Repair in Austin and Computer Repair in San Antonio
How You Were Infected