Wednesday, February 10, 2010

Antivirus Soft is Malware

Sorry I have no pictures or anything especially fun or interesting today; instead I have important computer information (trojan warning and solution), and I couldn't copy and paste the screenshots. Hope this is helpful to someone, though if so I'm sorry you have the problem.

Yesterday I was uploading and editing some jewelry photos, and a notification popped up on my computer saying my computer was infected with Spyware. This note came from a program I hadn't seen before, called Antivirus Soft. When I clicked on the icon (even right click) it brought up the program which would let me scan. There was no way to remove or delete it. This note kept popping up every few minutes, and then an error message started popping up every few minutes randomly and every time I tried to open something, saying "Application cannot be executed. The file [filename].exe is infected." Then Internet Explorer started popping up with porn sites. If I clicked on "yes" or "scan now" on the antivirus warnings it just took me to the website where I could buy this "scanner" called Antivirus Soft. I scanned with SuperAntiSpyware and Avast instead, but they found nothing. Finally I looked this up (on the other computer, since I couldn't open Firefox here), and here's what I found.

What this program does:

Antivirus Soft is a rogue anti-spyware and ransomware program from the same family as Antivirus Live. These infections are installed onto your computer through the use of malware that installs the program onto your computer without your permission or knowledge. It is also common for this rogue to be installed on your computer through the use of malicious PDF files that exploit known vulnerabilities in older versions of Adobe Reader. Once installed, Antivirus Soft will be configured to start automatically when Windows starts. Once running it will scan your computer and display numerous infections, but will state it will not remove them until you purchase the program. In reality, the infected files it detects are all fake and do not actually exist on your computer.

This program also uses aggressive techniques to protect itself from being removed by anti-malware programs. When the Antivirus Soft process is running it will close almost any running program while falsely stating that they are infected. Antivirus Soft will also change the Proxy settings in Internet Explorer so that you cannot browse to any web site other than the site for Antivirus Soft so that you can purchase the program. It does this so that you cannot browse the web to find removal guides or download software that will help you remove the infection. Using these two methods, the program essentially ransoms the normal use of your computer until you purchase the program or use the guide below to remove the infection.
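The two tricks described above, an autostart entry and a hijacked Internet Explorer proxy, both live in well-known registry locations, so they can be checked without any special tool. The script below is an added example written for this post; it is not code from the original post or from the bleepingcomputer guide. It only reads and reports unless you pass -ResetProxy, and the "suspicious" heuristics (a proxy pointing at the local machine, a Run entry launched from a temp or profile folder) are assumptions for illustration, not signatures of Antivirus Soft.

```powershell
# Added example (not from the original post or from bleepingcomputer):
# read-only triage of the IE proxy setting and the Run autostart keys.
# Pass -ResetProxy to turn the proxy off again; nothing else is modified.
param([switch]$ResetProxy)

$inetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# 1. Proxy check. A rogue that traps the browser sets ProxyEnable=1 and points
#    ProxyServer somewhere it controls. A proxy you never configured yourself
#    is the thing to look at.
$proxy = Get-ItemProperty -Path $inetSettings -ErrorAction SilentlyContinue
if ($proxy -and $proxy.ProxyEnable -eq 1) {
    Write-Output "Proxy ENABLED -> $($proxy.ProxyServer)"
    # Heuristic (assumption): a proxy on 127.0.0.1/localhost means something on
    # this very machine is sitting between the browser and the network.
    if ($proxy.ProxyServer -match '^(127\.0\.0\.1|localhost)') {
        Write-Output "  proxy points at this machine - review before trusting the browser"
    }
    if ($ResetProxy) {
        Set-ItemProperty -Path $inetSettings -Name ProxyEnable -Value 0
        Write-Output "  ProxyEnable set to 0 (restart Internet Explorer to apply)"
    }
} else {
    Write-Output "Proxy not enabled"
}

# 2. Autostart check. List every Run entry with the command it launches and
#    mark entries that run from user-writable temp/profile folders (heuristic,
#    assumption): that is where a dropper can write without admin rights.
foreach ($key in $runKeys) {
    $entries = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $entries) { continue }
    Write-Output $key
    foreach ($p in $entries.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
        $flag = ''
        if ($p.Value -match '\\(Temp|Local Settings|AppData|Application Data)\\') {
            $flag = '   <-- runs from a user-writable folder'
        }
        Write-Output ("  {0} = {1}{2}" -f $p.Name, $p.Value, $flag)
    }
}
```

Run it from Safe Mode, as the removal guide mentioned later in this post advises: while the rogue is active it closes almost any program you start, PowerShell included. A flagged Run entry is a lead for the scanner, not proof on its own; plenty of legitimate updaters also live under AppData.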


Here's an example of an alert that pops up (exactly what I saw):

Antivirus Software Alert
Infiltration Alert
Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan-dropper or similar.
Threat: Win32/Nuqel.E

Screenshots and instructions for getting rid of this (and the description above) are on bleepingcomputer.com. To sum it up, you'll need to go into safe mode and scan with Malwarebytes Anti-Malware (MBAM) (free), but there are other things you'll need to know on the webpage; there's too much for me to share here. This virus was really frustrating and stressful, and I was really happy to find the website and fix the problem. It doesn't cost anything to use the bleepingcomputer solution, and it worked for me. I just wish I knew how I got this thing in the first place.


EDIT (update 2.14.10): A couple of days ago I scanned with SuperAntiSpyware (just a regular weekly scan) and it found an item of Antivirus Soft, although it wasn't bothering my computer anymore. So just keep watching out and scanning if you ever get this problem, even after you fix it.

2 comments:

  1. Wow, that's awful! I'm glad you were able to fix it though! Thanks for sharing the information!