My Most Difficult Virus Cleanup
One of my clients called me and stated that his computer was throwing up ads all over the place and some were pornographic.
The first thing I noticed was that his computer had a half dozen different “anti-virus” programs installed on it, and several were displaying pop-ups from the system tray stating that the “System detected virus activities”. Ironically, his McAfee Anti-Virus didn’t detect anything. This was going to be a long clean-up.
After isolating the computer (he had dial-up Internet, so that was easy), I inserted my write-protected USB drive that contained all my tools for virus removal. I then started to search the hard drive and right away I noticed a strange folder with the name “Your Company Name”, and inside it the sub-folder was named “Your Product Name”. Alright, that is strange. Just after I found the folder, a pop-up window appeared. It was telling me that Spyware was installed on the computer and that I could remove it by simply clicking the ‘Yes’ button, and if I didn’t want to, I could click the ‘No’ button. Yeah, right, I’m falling for that one; that is what got my client into the trouble he is currently in. I was 100% sure that this warning was from a “Fake Anti-Virus” program.
A “Fake Anti-Virus” program is a computer program (what we call an App today) that looks like a real anti-virus program (today we would call them “Fake Anti-Malware Apps”). The fake program is basically malware masquerading as a real Anti-Virus program. Often you will end up with a ton of these installed along with a bunch of other undesired programs. I launched one of the tools to help me clean up this mess, but first it had to scan and tell me what it had discovered. I came back to check the results, and a few seconds later Internet Explorer opened up with a web page to download and install Secure PC Cleaner. Nope, sorry, not happening. Then another pop-up appeared.
The next pop-up was “Porn Controls Your PC!” which is an ad for Secure PC Cleaner.
I took some time to archive the results of what I discovered, including screen grabs of more ads, which I will share below. Since the fake programs were easy to remove using Add/Remove Programs, I removed 13 different fake programs. I then cleaned out a long list of entries in his hosts file and performed a scan using a real anti-virus program, and he was clean and ready to go back online again.
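The hosts file clean-up above is the step worth automating: a stock home-PC hosts file maps only `localhost`, so any other name pinned to loopback (a vendor or update site being blocked) or to a fixed address (a site being redirected past DNS) is worth a look. The following audit script is an added example, not something from the original clean-up; the sample hosts content is constructed, with `.example` names standing in for real vendor domains.

```python
"""Audit a Windows hosts file for entries typical of a fake anti-virus infection.
Added example with a constructed sample; not the file from the clean-up above."""

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to loopback in a stock hosts file
ALLOWED_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample; the .example names stand in for real vendor/update domains
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.av-vendor.example update.av-vendor.example  # added by malware
127.0.0.1\tupdate.os-vendor.example
0.0.0.0         www.malware-removal.example
203.0.113.45    www.search-engine.example
"""


def parse_hosts(text):
    """Yield (line_no, address, hostname) per mapping; comments and blank lines are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()  # one address, one or more hostnames
        for name in names:
            yield line_no, addr, name.lower()


def audit_hosts(text):
    """Return (line_no, hostname, address, reason) for every suspicious mapping."""
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if addr in LOOPBACK:
            if name in ALLOWED_LOCAL:
                continue  # the only loopback entries a clean file should have
            reason = "blocked: name pinned to loopback"
        else:
            reason = "redirected: name pinned to %s instead of DNS" % addr
        findings.append((line_no, name, addr, reason))
    return findings


def audit_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Audit the live hosts file (default is the standard Windows location)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for line_no, name, addr, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr}  ({reason})")
```

Run against the live file with `audit_hosts_file()`; every finding is a line to review before restoring the file to its stock contents.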
Here are some of the screen grabs from my clean-up.
Gee, it wants me to download and install another anti-malware tool, not!
Wow, 92% of all PCs are infected with threats that can’t be identified by most security programs.
Notice that during this session the built-in pop-up blocker for IE blocked 1,006 pop-ups. That is a little excessive.
All said and done, it took me several hours to stop the pop-ups (for every one that I stopped, a new one would trigger), investigate the cause, and clean up the damage.