I recently responded to a tech support call from a user who said that he could no longer get on the Internet. No matter what website he went to, including our own internal sites, he would get a maroon box on screen warning about the site. It turned out that this computer was infected with a type of fake virus scanner malware called Antivirus Pro 2010.
Here is the full, unedited message that popped up every time the user tried to visit any website:
Warning! Visiting this site may harm your computer!
This web site probably contains malicious software program, which can cause damage to your computer or perform actions without your permission. Your computer may be infected after visiting such web site.
We recommend you to install (or activate) antivirus security software.
I do realize that visiting this site can cause harm to my computer.
Antivirus Pro 2010
Antivirus Pro 2010 is the latest in a long line of fake virus scanners that includes Antivirus Pro 2008, Antivirus Pro 2009, PC Antispyware 2010, PC Security 2009, and many more. You can mix any combination of the words PC, Windows, Computer, Antivirus, Antispyware, Pro, Security, and whatever the current year is and get a variety of names for these types of rogue malware programs. One thing that makes them harder to catch is that the names change frequently. As soon as security sites start publishing warnings about the programs, the crooks making this stuff release them under a new name.
Rogue software like this gets installed on a PC because the user did something that allowed it to be installed. Of course, the user in this case had no idea how it could have happened, although our IT department knows they spend a lot of time on the Internet. It could be that they clicked on a link in a spam email that took them to a site where they were prompted to download the software, or they could have just been surfing the web and hit a site with a pop-up telling them they were infected. Whatever the case may be, most legitimate websites don’t advertise this sort of thing, so there is no telling what kind of site the user was visiting when they got infected.
Oddly enough, Windows Defender did detect this software, but only after the fact. Instead of blocking the installation of Antivirus Pro 2010, it later reported that the infection was there. I had to run several scans and reboot the PC a couple of times to get it clear, then I also had to rebuild the user’s roaming profile because these types of malware programs tend to hide themselves in temp folders and in the Application Data folder under the user’s profile. I always recommend that you unplug the network cable to take the machine offline while removing the malware, because a live Internet connection often fuels these programs and they can fight whatever software you are using to remove them. Once you get the system clean, you should also turn off System Restore to wipe all the restore points, then turn it back on so that a clean restore point is created.
Another interesting thing about this software was that it wasn’t prompting the user with the usual random pop-ups warning about virus infections that really weren’t there. Instead, the only symptom was the warning when trying to go online. Perhaps the actual software had not yet been installed, and it was waiting for the user to hit one of those buttons to start the install process and put the program on the computer. Either way, the PC was effectively disabled in that it could not get on the Internet.
When dealing with these fake virus scanners, the important thing to remember is that you should familiarize yourself with the security software on your PC. You should know what is installed on your machine and what is not. Just because a message pops up saying that you have a virus does not mean you are really infected with anything. Your computer only does what its software tells it to do, so you shouldn’t be getting virus messages from anything other than your own antivirus software, and Antivirus Pro 2010 is not a real antivirus program.
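The two practical points above, knowing which security products are actually registered on the machine and knowing that rogues like this stash their files in temp folders and Application Data under the user's profile, can be checked with a read-only triage script. The following PowerShell is an added example written for this post, not code from the original article or from any antivirus vendor. It assumes Windows PowerShell 4.0 or later on a client edition of Windows (the root/SecurityCenter2 namespace and Get-ComputerRestorePoint are not available on server editions), that it is run in the affected user's session so $env:USERPROFILE points at the right profile, and the $DaysBack window and the list of extensions are constructed defaults you can adjust.

```powershell
# Added triage script (not from the original post). Assumptions: Windows PowerShell 4.0+,
# client edition of Windows, run as the affected user. Nothing here deletes or changes anything.

param(
    [int]$DaysBack = 7,                       # constructed default: how far back to look for dropped files
    [string]$ProfilePath = $env:USERPROFILE   # profile to inspect
)

# 1. Which antivirus products does Windows itself think are registered?
#    A rogue such as "Antivirus Pro 2010" does not register with Security Center, so any
#    "you are infected" message from a name missing here is not from your own antivirus.
Write-Host "== Registered antivirus products (Security Center) =="
try {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        Select-Object displayName, productState, pathToSignedProductExe |
        Format-Table -AutoSize
} catch {
    Write-Warning "Security Center query failed (server edition or WMI unavailable): $_"
}

# 2. Executables written recently into the places the post names: temp folders and
#    Application Data (roaming and local) under the user's profile.
$hunt = @(
    (Join-Path $ProfilePath 'AppData\Local\Temp'),
    (Join-Path $ProfilePath 'AppData\Roaming'),
    (Join-Path $ProfilePath 'AppData\Local'),
    $env:TEMP
) | Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique

$cutoff = (Get-Date).AddDays(-$DaysBack)
$exts   = '.exe', '.dll', '.scr', '.com', '.pif', '.bat', '.vbs', '.js'   # constructed list

Write-Host "`n== Executable files written since $cutoff under $ProfilePath =="
$suspects = foreach ($dir in $hunt) {
    Get-ChildItem -Path $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $exts -contains $_.Extension.ToLower() -and $_.LastWriteTime -ge $cutoff }
}
$suspects |
    Sort-Object LastWriteTime -Descending |
    ForEach-Object {
        # SHA-256 lets you look the file up in a reputation service from another machine;
        # signature status separates vendor-signed updates from unsigned droppers.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            LastWrite = $_.LastWriteTime
            Signed    = $sig.Status
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Path      = $_.FullName
        }
    } | Format-Table -AutoSize

# 3. Per-user autostart entries: this is where rogues re-arm themselves after a reboot,
#    so compare the list against what you expect to be on the machine.
Write-Host "`n== HKCU Run entries =="
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue |
    Select-Object * -ExcludeProperty PS* | Format-List

# 4. Restore points: the post recommends wiping them once the box is clean, so see what
#    exists first. Get-ComputerRestorePoint is a Windows PowerShell cmdlet (client editions).
Write-Host "`n== Restore points =="
Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
    Select-Object SequenceNumber, Description,
        @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize
```

Run it with the network cable unplugged, as the post advises, and copy the output off the machine before cleaning. A recently written, unsigned executable under AppData\Roaming or the Temp folder that also appears in the HKCU Run key is the pattern to look for; the SHA-256 gives you something to check against vendor write-ups from a clean computer.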