I recently had to respond to a tech support call from a user who said that his computer was popping up all kinds of messages saying he had dozens of virus infections. I told him to unplug the Ethernet cable to get the PC off the network, then I went over to his desk and started to diagnose the problem. It turned out that he had a trojan called FakeVimes that was allowing other malware to be installed, including a fake virus scanner.
Smart Virus Eliminator
The pop-up windows indicating virus infections came from a fake virus scanner called 'Smart Virus Eliminator' that was basically taking over the PC and trying to get the user to pay for a 'full' version of the software to remove the multitude of viruses it said were found on the hard drive. This is the typical behavior of the variety of fake virus scanners that try to scam the user into paying for bogus software. These types of malware programs are rampant on the Internet, and I deal with them on a regular basis at my work and on computers belonging to friends and family.
In case you were wondering, the Smart Virus Eliminator software is a scam. It is not a real virus scanner and does not do anything but try to con people out of their money. If you didn’t know any better, you would think this was legitimate antivirus software because it looks like a real antivirus program. The graphics and menus all seem legit, and your computer will behave like it has a virus while this software is running. Smart Virus Eliminator is one of many dozens of similar programs that look like the real deal, but they are all fake. I wish something could be done to stop these things, but most of them come from countries where there is little you can do to legally go after them. If you did send them your credit card info, this type of malware could end up making you the victim of a phishing scam. Your best defense is to take preventative measures to keep this type of malware from ever getting on your PC.
To remove the infection, I first ran a Quick Scan in Windows Defender. It identified the malware as Trojan/FakeVimes and gave me the option to remove it. I let it remove the trojan, then I rebooted the PC and ran another quick scan. This time, it found multiple instances of the program, including links to the executable hidden in the user's profile in their Desktop folder as well as in the Application Data and the Temporary Internet Files folders. I told Windows Defender to remove them all again, then I rebooted again and ran a full scan in Defender. This time, it found nothing.
I put the machine back on the network and waited about half an hour to make sure it wouldn't find anything, since sometimes an active Internet connection will revive this type of malware. Just to be on the safe side, I also rebuilt the user’s roaming profile by renaming the local and server copies, then letting him log in to create a new profile. I did this because the trojan was replicating itself in the Application Data directory and it seemed to only affect that user’s profile. Once I got everything clear, I also turned off System Restore to clear out all the restore points, then turned it back on to start over. I did this because oftentimes System Restore will save the malware and you could accidentally restore the infection.
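A follow-up check for the cleanup described above, as an added example that is not part of the original article: it sweeps the three profile folders where the scans found leftovers and lists anything that is a Windows executable by content (the `MZ` header, whatever the extension) or a shortcut, with a SHA-256 hash for lookup. The relative folder paths and the function names are assumptions.

```python
import hashlib
import sys
from pathlib import Path

# Profile-relative folders named in the article. The exact relative paths
# are an assumption (older Windows profile layout); adjust for your system.
SUSPECT_DIRS = [
    "Desktop",
    "Application Data",
    "Local Settings/Temporary Internet Files",
]

def is_pe(path):
    """True if the file starts with the 'MZ' magic of a Windows executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False  # unreadable or locked file: cannot be classified here

def sha256(path):
    """Hash the file in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_leftovers(profile_root):
    """Return sorted (relative_path, kind, sha256) for executables and shortcuts."""
    root = Path(profile_root)
    hits = []
    for sub in SUSPECT_DIRS:
        base = root / sub
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if not p.is_file():
                continue
            if is_pe(p):
                kind = "executable"   # detected by content, not by extension
            elif p.suffix.lower() == ".lnk":
                kind = "shortcut"     # the scans also found links to the executable
            else:
                continue
            hits.append((p.relative_to(root).as_posix(), kind, sha256(p)))
    return sorted(hits)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else Path.home()
    for rel, kind, digest in find_leftovers(target):
        print(f"{kind:10} {digest}  {rel}")
```

An empty result after the final full scan is what you want to see; anything listed is a candidate for a closer look, not proof of infection.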
You should familiarize yourself with the security software on your PC. When it comes to these types of fake virus scanners, you have to know what you do or do not have installed. Don’t just think ‘my computer said I have a virus’ and go with it. Your computer only does what the software allows it to do, so if you never installed an antivirus program called Smart Virus Eliminator, then you shouldn’t be getting messages from it saying that you have a virus.