Malware Removal Tips


Introduction

What is a Fake Antivirus?

A common issue faced by IT Professionals and end users alike is the trend towards Fake Antivirus type malware.  It is different from the old fashioned computer virus because it makes itself visible immediately.  A virus would rather go undetected so that it can do damage for as long as possible.  The point of the Fake Antivirus is to get YOU to let it access your computer while it tricks you into believing that it is your antivirus program.  A secondary goal is that you will purchase the “Full Version,” either online or on the phone.  It is easy to fall for because of the surprisingly convincing way in which this malware presents itself.

This looks like a legitimate antivirus software, honestly it reminds me of Windows Defender.

The example above is a good representation of most Fake Antivirus software.  Most people don’t pay much attention to what type of antivirus software they have on their computer, and the real product changes its appearance slightly with every upgrade or update anyway.  The trick here is that the malware attempts to convince you that your computer is infected and your personal files are in danger.  If successful, most people will quickly take action, and the action they want you to take is to purchase their fake antivirus product.  Once you do that you’ve given your credit card to a malicious third party, who will certainly charge it the agreed upon amount, and then may sell it or just continue to charge small amounts periodically.  This instant payoff for the hacker, coupled with the fear factor of losing data, has contributed to the quick rise of this type of malware.

How did I get it?

Most people get fake antivirus from clicking on a malicious ad on a website.  The website may be infected with or without the knowledge of the person running the site, or the website owner may have placed ads on his/her site that contained malicious code without knowing it.  Usually you will see these on websites that are, let’s just say, out of the mainstream.  It’s highly unlikely that you will get exposed to malware of this sort on Yahoo, MSN, CNN etc.  The first time I saw this my wife was listening to Pandora, and decided to look up the lyrics to a song that was playing.  She did a search for the lyrics to that song and the site she clicked on had malicious code.  By the time I saw the computer it was going crazy!  Pop-up ads on sites that didn’t usually have pop-up ads, some sites not working at all.  The main thing was this program kept coming up over whatever you were trying to do, telling you that you were infected, which really is ironic because it IS THE INFECTION!  Sometimes a fake antivirus is just stage two of an unrelated malware infection.  If you get spyware or adware on your computer, that will cause pop-ups to appear on sites that do not have them embedded.  When someone calls me and says Google.com is full of weird ads, I want to cut the end off of their CAT5 cable.  Sometimes the ads embedded by adware/spyware will contain links that lead to fake antivirus software, which could potentially be more profitable for the person in charge of the infection.

Who Makes This Malware, and Why?

The short answer to the question of why is that there is money to be made.  The sad truth is that there are people who have no trouble taking advantage of others, and no one does anything long term that does not benefit them in some way.  Let me expound: I have two main reasons for creating this blog and adding content: 1. To help people through my knowledge and life experiences and 2. To make money along the way.  If I don’t feel like I’m helping anyone AND/OR I do not ever make any money I will quit posting.  It makes me feel good to help people.  I also truly enjoy writing and I also have a family to provide for.  That is my motivation.  I can only guess at the motivation of a scammer, but I do know that every infected computer can net them money.  Somehow their conscience is warped to the point that how they are making money doesn’t bother them.  When I get a scammer on the phone I (if I have time) immediately let them know that I’m not falling for their trick, and after that I try to understand why they would want to trick people for a living.  My favorite call is the “I’m from Microsoft and I’m calling because you have a problem with your computer.”  Boy did you call the wrong guy.  Usually they hang up on me or stay with the script.  What I’ve learned from discussions with friends is that in some cultures it’s okay (even “honorable”) to trick people.  I really hope that some day I can have an honest discussion with one of these scammer phone call guys.  If I just want them to hang up I might say “Are you being held against your will?  Do you need rescuing?  Is your Momma proud of what you do?”

Removal

Step 1. STOP!

As soon as you see the infamous “YOUR COMPUTER HAS BEEN INFECTED” screen, stop what you are doing!  I would take my hand off of the mouse just so you aren’t tempted to try to click off of the software.  The first thing I try is to press ALT+F4 to close the window, and it will go away forever.  I have had to press ALT+F4 multiple times to get rid of the window, as sometimes it pops back up quickly.  Essentially what you are seeing may just be a website, posing as an antivirus program.  By simply clicking on it, yes, even on the bright red X on the screen, you may be giving it access to your computer.

Don't get your mouse near this thing! ALT + F4, multiple times if necessary. If that doesn't work hold your power button down.

If ALT+F4 makes the annoying window go away, you may have dodged a bullet.  Close down all of your browsers and be more careful about the websites you visit.  If it does not go away, or comes back in a short period of time or after a reboot, you are likely infected.

Step 2. Reboot

If you can’t get the Fake Antivirus window to go away with ALT+F4, you need to reboot your computer.  I personally hold the power button down in situations like this.  There is a sense of urgency in that you want that off of your screen as soon as possible.  If you reboot your computer and it is still behaving badly then you’re almost certainly infected.  I’ve had users do this and then all traces of it were gone, because all that had happened was the initial fake screen trying to get you to click on it.

Step 3. Verify

What exactly are we to Verify?  After an ALT+F4 and/or reboot, you need to observe your computer and see if it is still acting strangely.  At any point along the way you could be done with removal, as long as the symptoms are gone.  Unfortunately, if you have rebooted and still have the Fake Antivirus popping up, or every website you visit is inundated with pop-up ads, then you have verified that you are indeed infected.  I almost eliminated this step altogether, as it works for a graphic but hardly necessitates its own step.  However, I include it because if you catch it fast enough, the Fake Antivirus intrusion can be stopped before it does practically any damage.

Step 4. Remediate

Once you’ve verified that you are indeed infected, you must begin the sometimes tedious task of remediation.  There are several free removal tools for fake antivirus out there; the one I trust the most is Combofix.  The proper download link is from BleepingComputer.com.  It doesn’t look like most antivirus software, which I think is funny.  It looks less like a legitimate antivirus software than the malware which infected your computer.  However, it has been my experience that it works practically every time.  It is easily identified for me because it looks like the ThunderCats logo.

Is it Combofix, or is it ThunderCats?

You may have to run it twice, but usually it will tell you so after it determines the severity of the infection.  Incidentally, I use Combofix for just about any adware/spyware infection.  Once you start Combofix my advice is to do everything it asks.  It will tell you to disable your antivirus; DO IT!  I’ve had luck without disabling it, but most antivirus software will have an option like “Disable for 1 hour” or something like that.

I also like Malwarebytes for this type of thing, but I’m a creature of habit.  I found ComboFix first and it pretty much works every time.  The only exception that I can think of is when someone kept using their computer for days after infection.  It had rootkits, adware, spyware and full blown viruses.  By the time it got to me it was toast.

Step 5. Evaluate

Once Combofix or Malwarebytes has done its thing, you are probably anxious to start using your computer again.  You have arrived at the point in your journey that you must do just that.  I advise people to watch their computer carefully for several days.  Does it act the way it always has?  At this point I would make sure that there weren’t any Windows updates that you need to install.  I’ve had to re-install antivirus software after an infection, so you may want to make sure that it is running properly and do a full scan on your system.  In any event I would probably shut down your computer when I wasn’t using it, if for no other reason than to observe it during a few reboots.  Maybe that’s paranoid, but when dealing with Malware it sometimes pays to be a little on the paranoid side.  If you see any symptoms that your computer may still be infected I would run your removal software again.  You may also find it helpful to run another tool; for example, if you’ve already tried Combofix, you might try Malwarebytes on the second try.

Conclusion

I hope this has been helpful to someone.  I know that I have had many headaches in dealing with these types of infections and, to be honest with you, I don’t mind one bit if I’m able to allow an end-user to remediate a problem of this type.  The more awareness we have on this, the less power it can have to infect other computers.  It gives me warm feelings to know that Lion-O and crew are hard at work protecting my computers.

Thundercats....Thundercats....Thundercats HOOOO!!!!

Until next time, Thundercats….Thundercats….Thundercats HOOOO!!!!