Wednesday, January 26, 2011

Rogue Antivirus: The most common computer virus and what to do about it

Many of the people who come to me for virus cleanup make the same comment: “I have no idea how this happened!”

To the untrained professional this might sound like these people are covering up for the fact that they are embarrassed about having a virus, as if the only way they could have contracted one was by visiting questionable web sites.

But I happen to know better.

There are MANY innocent ways to pick up a computer bug and what I’m going to write about here is currently one of the most common… Rogue Antivirus.

How did THAT get on there?

Think about pop-up ads. We see them all the time on the internet and think nothing of them. Whether it’s our local newspaper web site, favorite music download spot or major retail store - we simply close them and move on.

This is the exact same method that the evil virus people use. The only difference is, their pop-up window isn’t an ad. Instead, it’s an ominous warning that looks exactly like a legitimate virus software product telling you that your computer has been infected.

Here’s one example:

Now, here’s where the problem begins. If you were to simply do nothing and close your browser screen you would most likely be fine and virus-free. But since this kind of warning looks so legitimate, many people choose to click either the “Remove All Spyware” or the “Ignore” button, which then triggers the actual virus to download and execute its installation onto your computer. By the way, it doesn’t matter which button you choose, the “Ignore” button will install the virus as well.

At this point you may even be reminded by Windows that you’re about to install an executable program that could contain a virus, but since we’re so programmed to click “Ok” every time we install something in the first place, we choose to ignore this warning and continue. “Besides,” you’re thinking, “how else am I supposed to get this virus removal program updated so it can clean off the virus it says I have?”

Of course once you execute the fake virus removal program it’s too late. Your computer is infected for real.

Why didn’t my virus protection catch it?

Because the first time it was presented (as the fake virus protection screen) it was just a harmless “pop up” and not an actual virus. It didn’t become a virus until you clicked on one of the buttons and authorized it to download the virus onto your computer. THAT’S why this one is so tricky!

So how do I know I just ran a fake virus program if it looks real?

The first way you know is because your gut will tell you that something went wrong. We don’t normally get presented with a warning that we have a virus, so our first instinct is to follow the directions we’ve so conveniently been presented to remove it. And that’s how the virus people are hoping we will react. If we slow down and check some things out before we click the “Remove all spyware” button like the one on the example above, we will discover that the program we are looking at is not actually the same program we are using for our virus protection (i.e. McAfee or Norton). So far, no fake virus program I’ve seen has been good enough to mimic the actual screens of the product you have installed.
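For readers comfortable with PowerShell, the same comparison can be made from the machine itself. The script below is an added example, not part of the original post: it lists the antivirus products registered with Windows Security Center and checks whether the name shown on a warning is one of them. The product name 'Example Security Suite' is a made-up placeholder.

```powershell
# Added example. $AlertName is the product name shown on the suspicious warning
# (the default below is a constructed placeholder, not a real product).
param([string]$AlertName = 'Example Security Suite')

# Antivirus products registered with Windows Security Center.
# This WMI namespace exists on client editions of Windows, not on Server.
$registered = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'

$report = foreach ($av in $registered) {
    # The registered path may contain variables such as %ProgramFiles%.
    # The built-in Windows Defender registers a URI instead of a file path,
    # so it shows up as 'NotFound' here; that is expected.
    $exe = [Environment]::ExpandEnvironmentVariables([string]$av.pathToSignedProductExe)
    $sig = if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
        (Get-AuthenticodeSignature -LiteralPath $exe).Status
    } else {
        'NotFound'
    }

    [pscustomobject]@{
        Product      = $av.displayName
        Executable   = $exe
        Signature    = $sig
        # A "security product" running from the user profile or a temp folder
        # deserves a closer look, even if it managed to register itself.
        UserWritable = ($exe -like "$env:USERPROFILE\*") -or ($exe -like "$env:TEMP\*")
    }
}

$report | Format-Table -AutoSize

# The check the article describes: is the program on screen the one you installed?
if ($report.Product -notcontains $AlertName) {
    Write-Warning "'$AlertName' is not a registered antivirus product on this machine."
}
```

A registered entry is not proof of legitimacy by itself, which is why the output also shows the signature status and whether the executable lives in a user-writable folder.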

The next way you’ll know you’ve run a fake virus program is because your computer will start acting up… usually within a few hours to a couple of days. After that you won’t even be able to use your computer because the only thing you’ll be presented with are more fake screens. And left untreated, your computer will no longer even boot up and may eventually get to the point where the only cure is a full-blown reinstall of the operating system. Yuk.

What do I do now?

If you encounter some version of the fake antivirus program I’ve described above you should follow these steps immediately:

1. The FIRST thing you should do is close your internet browser. Then open up your “real” virus protection software and check to make sure it is up to date. If not, run the updater (if you can) to get its current definitions. This, of course, is assuming you actually have something like McAfee, Norton, Microsoft Security Essentials or AVG installed and running on your system.

2. Next, unplug your Ethernet cable and disable your wireless connection. You need to do this because the longer you are connected to the internet, the more damage the virus can do. The initial install of the virus has most likely opened a direct connection to a malicious server that will continue to download nasty things onto your computer. If you disconnect from the internet you can minimize that possibility.

3. Run your actual virus protection software. If you haven’t waited too long and you have decent software, it should catch the bug and zap it.

4. If your software isn’t fixing it, or worse yet won’t even run, then the virus has probably dug itself in too deep and you’ll need to take more extreme measures to remove it. Some people have luck finding their own solution on the internet and other people choose to have it fixed professionally. The level of success you’ll have is directly related to the length of time you’ve let the virus run rampant. By far the easiest computers I’ve cleaned are the ones where the customers have simply hit the power button and turned off their computer the first time they suspected the infection. In other cases where they’ve waited too long, I’ve had to deliver the bad news that their only option is a total reformat. Again, yuk.

So hopefully this article will help prevent at least one person from getting this nasty virus in the future. However, if it does manage to happen, by all means don't be embarrassed. These people have spent years figuring out the best way to trick us... and millions of people fall for it every day.

Happy, safe computing!

For more tips on keeping your computer safe, check out the Virus Stompers safety survey here.


Memarie Lane said...

I've had that before and it was actually a virus in itself. My ACG and Adaware didn't remove it, I had to use 2 different online (legit) scanners to detect and remove it, then go into my startup registry and delete a .exe attached to it before it was completely gone. Blah.

Kathy said...

I feel your pain. I have to totally re-do at least two PCs a week that are infected by this crud. I stumbled this post. Word needs to get out!

Kathy said...

Oh, and Marie! It's good to see you again. Blast from the past :)

Unknown said...

Good info! I think that happened on my school computer last year. I would have hit the "ignore" button, and I would not have had the admin privs to allow the install, but IT still had to come muck about a bit.

Anonymous said...

Or you could just spring for a Mac and not bother with lousy antivirus software.

Unknown said...

reboot into safe mode and run anti virus, spybot, malwarebytes, etc.

Jeff and Charli Lee said...

shithead - Yes, that's the approach I take. I didn't want to get into the possible solutions here because there are so many variables depending on how infected the computer is. But in general I put it in safe mode and run CCleaner (first, so the software doesn't have to scan a bajillion temp files), Malwarebytes, Superantispyware, and Spybot. That usually does the job.

Anonymous said...

I think I have a virus, because I do not get any more of your blogs!

Janna said...

OMG, you're back to blogging again! Yay!
Well, sort of yay. I just noticed this is from last January.
But still, Yay.

I've been kind of depressed these past few days and have been searching cyberspace for some of the cool people who used to comment on my blog. Since you fit both those criteria, I naturally thought of you.

Even if you never did send me that Livingston Fury CD.

Have a nice day, and come back to the blog soon.

P.S. My anti-spam word is "aines", which I am totally going to use on a future Jannapedia post because it looks like someone badly misspelled "anus."

sewa mobil said...

Nice article, thanks for the information.

Babs-beetle said...

Very informative post! I always ignore any pop up that tells me anything. You can tell that they are Windows produced messages, aimed at Windows users.

Thankfully, being a mac user, I don't have these problems :)

Annette said...

This post was so informative! Looks like MANY people can relate! I was wondering, would you be interested in sharing your articles with other like-minded tech parent bloggers? If yes, please email me
at with Parents in the subject line.


klapool said...

WOW! This is good stuff! THANK YOU!!!!!

Anonymous said...

"Macs will NEVER EVER get viruses! Why worry?"
Umm... Not true!

See... Macs are starting to get viruses VERY SLOWLY and, one day, might get as many viruses as Windows does. Although Macs are somewhat more protective over their system files from what I heard from others and will have significantly fewer viruses than Windows, hackers might find a way to exploit and find their way into Mac's system files and the viruses might become more aggressive after that. If you want to know what current Macintosh viruses are out there, google it.

Anonymous said...

I looked at this. I have a virus, and I searched up its name on the Internet, and it came up with no results. I use anvira. Its logo is an umbrella. Is it real? And safe? Or is it a fake? Please help. My computer is taking serious damage. Please help!

Jeff said...

It is best to keep a backup of your computer. This way if you get a virus you can then wipe the computer clean and kill all infections with it. I have many computers that are close to 10+ years old running just as fast as new ones. Doing a clean wipe every year is a great way to keep them from ending up in the junk yard.