
Author Topic: WARNING Scare-Ware  (Read 7046 times)

Offline BFM_Kiwi

  • Major
  • *
  • Posts: 9174
WARNING Scare-Ware
« on: May 12, 2011, 06:44:24 PM »
There seems to be an increase in "scare-ware", specifically programs that look to be legitimate anti-virus programs, that will popup while you are browsing and tell you they've detected dozens of trojans and viruses. 

Two people at work, a neighbor and my son have all got these, most while in Google images.

These look pretty realistic - most look a lot like Windows Vista or Windows 7 screens.  They have names like "Windows 7 Antivirus 2011" and you'll see popups that look a lot like the real windows popups. 

They can lock down your computer so that you can't run programs or scans, and may hijack your browser so that you can't easily browse the internet for solutions.  You'll want to shut down, get on the internet on another computer and print off instructions how to remove the specific version you've got.

I had one of these pop up, and I immediately hit Ctrl-Alt-Del and logged off and back on, and had no trace of the virus.  My son clicked on a Cancel button, or the red "X" to close the window and it installed hooks in the registry and startup so that it kept coming back.  We ran malwarebytes and that removed it completely.  My neighbors weren't so lucky.  Malwarebytes couldn't run due to the virus, so we booted in Safe Mode and it still wouldn't run, so we had to restore from a restore point.  Took about 3 hours to remove the thing.

So if you see an over-the-top virus scan reporting dozens of trojans and suggesting you purchase the software to remove them, know that it's most likely a scam.  Try not to click on the window at all.   Log off or shutdown your computer instead and you may escape.

If you do end up with one of these, you'll want to do the following - and it will depend on exactly which variant you get

1) Shut down and start in Safe Mode.  In most cases the computer will start up cleanly and you can then do one of two things:
  a) Restore your computer from a Restore Point (from Control Panel - Recovery)
  b) run a full scan with your antivirus - if you're lucky it will find and remove it
  c) install and run malwarebytes (from malwarebytes.org or cnet) - this has worked 100% in all cases I've helped with
  d) Ad-Aware may remove it - it didn't in one case I know of

2) If safe mode doesn't work, you'll want to boot from the Windows CD (or recovery disk - if you never made one, and that would be most of you!).  Choose the option to install or repair, choose the windows installation, and then the option to recover using a restore point.

Like I said, I know three people (myself included) who had these pop up when searching through google images, so it can happen to anyone.  Some antivirus and anti-spyware/malware programs will stop these better than others.  Apparently Kaspersky is good at stopping it.  I use AVG and haven't had any virus problems in years, but it did not detect this.  Norton Corporate at work did.

Suggest you all make sure you have a recent restore point and if you don't have a recovery disk, you might want to make one now. 


Offline BFM_JANE

  • Major
  • *
  • Posts: 9501
  • Despite the cost of living, it remains popular.
Re: WARNING Scare-Ware
« Reply #1 on: May 12, 2011, 07:44:55 PM »

I've had these pop up a few times over the last couple of months. I know better than to think it's the computer telling me about viruses, but I had a hard time getting out of the "window". The red X, Cancel and ALT+F4 didn't do it, ended up with the ctrl+alt+del to end it.

Good to know about malwarebytes though. Maybe I'll do that now... :P



Offline Còól

  • Posts Too Much
  • *****
  • Posts: 2191
  • Life is uncertain, Death is not
Re: WARNING Scare-Ware
« Reply #2 on: May 12, 2011, 07:50:08 PM »
Yeah I just had that. It was called Windows Vista Security 2011. I got rid of it but since it locks a lot down it was hard to. If it is going on your comp you will not be able to use browsers. What I did was Octane pulled up instructions and I did what they said. First off you have to bring up task manager and shut down the process. It will be a random .exe process. In my list it was guw.exe. I shut it down and was able to access my browser. It kept popping back up and I would just shut the process down again. Once you find the process you can go to your start menu search and type in "msconfig", hit enter and select the startup tab. Find that .exe file in that list and uncheck it and restart. It will come back but it will buy you a little time. Once you get the process stopped I recommend using MalwareBytes. It will completely remove it. It was very aggravating.
« Last Edit: May 13, 2011, 12:20:21 PM by BFM_Wic »

BFM_CòóL IS CòóL!!! - Love, MiG



A CòóL ORIGINAL

If life has not scarred you, you have not lived it.

You Have All The Weapons You Need,
Now Fight!!

I'll give you a cookie if you can tell me what that last quote is from!!

Offline BFM_Kiwi

  • Major
  • *
  • Posts: 9174
Re: WARNING Scare-Ware
« Reply #3 on: May 12, 2011, 10:54:51 PM »

I didn't see this, but another thing some of these do is change your browser to point to a proxy server which then redirects everything to wherever they want, their website I guess.  You can go into internet options, Connections > LAN and remove the proxy server.  Might have to do that in Safe mode.

I've heard these are hitting Macs now as well.

Not sure if this is only affecting IE, or if Firefox or Chrome are also susceptible.

Offline gamepanther

  • Posts Too Much
  • *****
  • Posts: 1564
  • Problem??
Re: WARNING Scare-Ware
« Reply #4 on: May 12, 2011, 11:31:48 PM »
:o OK I am scared now if they are going to Macs... Macs don't ever get viruses!



Thanks JANE!



Sig Made By Me.


Thanks Marty!!


Btw just cuz Ben1 haz a higher pitched voice doesn't make him better than meh D:

I miss mah squeakeh voice D: Its harder to be the stereotypical kid on Xbox now :(

The Best Quote Ever By Exodus:

"I will get you unbanned in the next few days. In the meantime go easy on the caffeine."

Offline MrMxyzptlk

  • Posts Too Much
  • *****
  • Posts: 9208
  • Never backward,           always forward!
    • My 5th Dimensional Homepage
Re: WARNING Scare-Ware
« Reply #5 on: May 13, 2011, 12:01:30 AM »


Ya, I forgot to post about this beasty, sorry....  ::)

It began on, yes, you guessed it: April 1, 2011....  ::)

The REALLY bad thing about this virus is that you can get it from MANY, MANY sites - even ones that you might consider to be "safe" - since it spreads (in the background) by infecting existing, innocent websites with the "bait" part - the popup that you get.

Once you click on any part of the popup you've got this malware that keeps taking you to various sites, where, if you interact with the site, can give you some really nasty trojan viruses....

If you're somewhat "Windows savvy" another way to exit without clicking anything is to bring up the Task Manager and kill off any/all "odd-looking" processes.

There are several different versions of what is basically the same "trick & infect" scenario, under names such as:

Personal Internet Security 2011
AV Defender 2011
Vista Security 2011
BitDefender 2011

If you want more info and details about this outbreak, search on "Lizamoon".


P.S. Um, to give you a real scare: the iTunes store site was infected for a while with this thing!

« Last Edit: May 13, 2011, 12:04:59 AM by MrMxyzptlk »
Mr. Mxy's current Word Corner word is catachresis    

Offline BFM_Octane

  • BFM Admin
  • *
  • Posts: 3813
Re: WARNING Scare-Ware
« Reply #6 on: May 13, 2011, 06:31:25 AM »
It seemed to be a rather defiant little thing that attached itself to a number of executables so when you opened pretty much anything, so would this infection. Stopping you from loading up webpages to even so much as look up removing the infection. Luckily we got around that with cool as his ventrilo still worked and so did XFire. So managed to send him the removal software via that.

The process is listed either as a combination of 3 letters that will be different for each person, or as "winupdate86.exe".

We got our info via http://www.precisesecurity.com/rogue/vista-home-security-2011/
Which also lists the registry entries it throws in. Recommended "Malwarebytes Anti-Malware" and as a known software to get rid of these new infections.
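
An added example, not part of any post above: a read-only PowerShell check of the two places the posts mention, startup entries (what the msconfig Startup tab shows) and the Internet Options proxy setting. The function name and matching rules are assumptions built from the process names reported in the thread (a three-letter .exe such as guw.exe, or winupdate86.exe); matches are candidates for manual review, not proof of infection.

```powershell
# Added example, read-only: lists entries for manual review, changes nothing.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: reasons a startup command matches the process names
# reported in the thread (three random letters, or winupdate86.exe).
function Get-StartupFlag {
    param([string]$Command)
    $reasons = @()
    # Take everything up to the first ".exe", with or without a leading quote.
    if ($Command -match '^\s*"?(.+?\.exe)') {
        $leaf = ($Matches[1] -split '[\\/]')[-1]
        $base = $leaf -replace '\.exe$', ''
        if ($leaf -ieq 'winupdate86.exe') { $reasons += 'process name reported in thread' }
        if ($base -match '^[a-z]{3}$')    { $reasons += 'three-letter executable name' }
    }
    return $reasons
}

# 1) Run/RunOnce keys, among the places msconfig's Startup tab lists.
$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd   = [string]$item.GetValue($name)
        $flags = @(Get-StartupFlag -Command $cmd)
        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                Key = $key; Name = $name; Command = $cmd; Reason = $flags -join '; '
            }
        }
    }
}

# 2) Per-user proxy settings shown under Internet Options > Connections > LAN settings.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = [pscustomobject]@{
    ProxyEnabled  = ($inet.ProxyEnable -eq 1)
    ProxyServer   = $inet.ProxyServer
    AutoConfigURL = $inet.AutoConfigURL
}

Write-Output 'Startup entries to review:'
if ($findings) { $findings | Format-List } else { Write-Output '  (none matched)' }
Write-Output 'Proxy settings for the current user:'
$proxy | Format-List
```

A three-letter name also matches some legitimate programs, so check the file path and publisher of each hit before unchecking or removing anything.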



Offline MrMxyzptlk

  • Posts Too Much
  • *****
  • Posts: 9208
  • Never backward,           always forward!
    • My 5th Dimensional Homepage
Re: WARNING Scare-Ware
« Reply #7 on: May 13, 2011, 10:58:31 AM »


Download MalwareBytes Anti-Malware (MBAM) directly from HERE.  (I.e. This link STARTS THE DOWNLOAD of the MBAM free version.)

BE SURE TO USE THE "UPDATE" FEATURE BEFORE RUNNING YOUR FIRST (FULL) SCAN.

(Scans thereafter will notify you if your malware database needs updating,
and offer you the option to do that before scanning.
ALWAYS DO THE UPDATE when it offers one!)

Note: If your system is incapable of accessing the download link due to infection, then get MBAM onto a thumb drive from ANOTHER COMPUTER, and copy it to the up-and-running infected computer, install it, do the Update, and then run a FULL SCAN....

« Last Edit: May 13, 2011, 11:03:11 AM by MrMxyzptlk »
Mr. Mxy's current Word Corner word is catachresis    

Offline Ðrèpër

  • Newbie Poster
  • *
  • Posts: 85
  • ~ARC-DELTA-73;~ ~Demolitions Expert~
Re: WARNING Scare-Ware
« Reply #8 on: May 13, 2011, 07:55:11 PM »
I got hit by one of these too when I was on Google Images a week or so ago. Got rid of it pretty fast though, Ctrl-Alt-Delete fixed it. Used my normal scans afterwards with avast and spybot, cleaned it all out and no problems since then.




Thanks to Max for this sig!





Also check out My Halo 3 Montage and My Friend ArcAlpha12's Montage. Both of these me and Alpha put together.

Offline Lº§tMyMiNÐ

  • Junior Poster
  • **
  • Posts: 206
  • Introducing: my signature logo, modified.
Re: WARNING Scare-Ware
« Reply #9 on: May 15, 2011, 12:41:25 AM »
L°§tMyMiNÐ here.

Yeah, I know about this type of virus.

Knew someone who ended up getting this kind of virus many times over on her Windows 7 laptop. However, this was long before April 2011, last year, around summer, I think. Anyway, same symptoms, but she brought the problem to me, I Googled it, learned about the good ol' MBAM, then deployed it on the infected computer. The problems ceased for then, but then viruses like it kept popping up in the subsequent months, too, until time came that one super-bug got on the computer, then the profile had to be deleted permanently, and the backup profile, made just in case, had to be used.

However, it's funny, but I've never had problems with viruses of this type. I have had problems with computer-killer viruses before, but not anything like scareware. Anyway, that's that.

Ciao!
-
L°§tMyMiNÐ

It speaks for itself...

Offline Fraggle

  • Posts Too Much
  • *****
  • Posts: 2166
  • Growing old is mandatory. Growing up is optional!
Re: WARNING Scare-Ware
« Reply #10 on: May 16, 2011, 01:57:43 AM »
Ugh! Just got it. I killed the process immediately and fired up MalwareBytes (which I had previously installed and fully updated two days ago on the advice of this thread. Thank You!!!) and it's running a scan right now to see if it can find it and kill it.

This is definitely a devious one. I think it's the first time I've ever had a virus or trojan. (I can be smug about it because MBAM declared my PC infection free yesterday after several hours of digging around.)

So anyway, I would have been in it very deeply if it wasn't for you guys, so thank you!

 ~edit: Infection cleaned.
« Last Edit: May 16, 2011, 02:16:18 AM by Fraggle »
Many thanks to BFM_MiG for the awesometastic siggy!!
Quote from: BFM_JANE
It's just like life! Except with more rockets!

~ӺƦ∂פ₲Ļĕ
Quote from: some random person somewhere
When faced with two choices, simply toss a coin.
It works not because it settles the question for you, but because in that brief moment when the coin is in the air...

...You suddenly know what you are hoping for!

Offline Marty

  • Posts Too Much
  • *****
  • Posts: 1565
  • A tip o't hat to you!
Re: WARNING Scare-Ware
« Reply #11 on: May 16, 2011, 04:46:33 AM »
Does MalwareBytes run alongside other antivirus programs or is it a replacement? I'm running Microsoft Security Essentials, recommended to me by my techie. Would I replace MSE with MalwareBytes or could I have both on my PC?


Click on the Europe sig to get the link and image code.

Applied for BFM: 28th August 2008
Received Ventrilo: 27th October 2008
Received Little Tags (bfm_): 25th December 2008
Received Big Tags (BFM_): 24th March 2009
Received Corporal Rank: 1st September 2009
Stepped Down From Corporal: 16th March 2010
Nothing happened: 15th July 2012




For a US or UK flag, go to >>THIS THREAD<< and quote the whole code. Quote, not copy.

Offline Trael

  • Senior Poster
  • ****
  • Posts: 892
  • Hi Ho I live in a box...
Re: WARNING Scare-Ware
« Reply #12 on: May 16, 2011, 05:22:16 AM »
Both,

I recently got flagged that this virus was attempting to install on my computer, so I quickly went and stopped the process and squashed it before it could start.

Offline BFM_Crimson

  • BFM Admin
  • *
  • Posts: 1630
    • I'm copying JANE...
Re: WARNING Scare-Ware
« Reply #13 on: May 16, 2011, 05:28:12 AM »
Wow, never thought I, ME, CRIMSON, would ever get threatened by a virus, but looking for an image on google today, it popped up!
So, I immediately Ctrl-Alt-Del'd out, started hacking away at any processes I didn't recognise, and am installing MalwareBytes right now (thanks for the link, by the way, Mxy).
Fingers crossed  :pirate:
                                                           
.       Thanks JANE, LËÕ, Lucky, MiG and Tails for rendering signature services!

Offline Marty

  • Posts Too Much
  • *****
  • Posts: 1565
  • A tip o't hat to you!
Re: WARNING Scare-Ware
« Reply #14 on: May 16, 2011, 11:57:56 PM »
As I now know that there's no problem having MBAM and an Anti-Virus on the same PC:

Downloaded, installed and updated.

Thanks, all!

