The New Year kicked off with an old virus also raising its ugly head. Internet Security 2010 and a variant, Antivirus Soft, began appearing on user machines at the beginning of 2010.
While similar to older versions called Spyware Protect 2009 and Windows Antivirus Pro, these new versions are much more annoying and virtually take control of the system. These are examples of a more generalized group of rogue antivirus programs called scareware. While the symptoms vary from mildly annoying to absolutely crippling (denying you access to Task Manager, Windows Explorer or other programs), the end result is much the same. They are in the business of getting into your wallet. They will say whatever is required to get you to enter your credit card information. It’s all about the money.
Even the best antivirus programs available seem unable to slow this newest threat. One of the first things that the malware does once in control of your computer is to disable the resident antivirus program.
How does the virus infect a computer? The most common way is to trick users into thinking they are visiting a news site to be updated on a current event. When the user clicks on a link, the virus is loaded onto their system. Another way is simply visiting a rogue site, from which the infection can be downloaded.
The symptoms of the infection are obvious. A fake virus alert appears on the right hand side of the system tray. Then a fake virus scan appears detailing all sorts of bogus system infections. Next, an activation window appears asking for a code. Then, a purchase window appears requesting credit card information.
Each variation of the virus may appear differently, but the end result is the same: the rogue has almost complete control of the system.
While some might be tempted to give their credit card information just to get rid of the thing, this is not advisable. First, this is a totally bogus program that has no value whatsoever other than to extort money from users and possibly steal confidential information off the system. Do not enter any information into these boxes.
A common remedy to rid systems of this pest was to use System Restore to roll back the system to an earlier time, before the virus struck. This was a simple, effective way of removal and required no other antivirus or removal product. However, these newer versions block System Restore with a “file is infected” message and do not permit the restore; they also block many other Windows features, such as the Control Panel.
How Can This Threat Be Removed?
Antivirus 2010, while blocking many Windows functions, still allows the use of Windows Explorer, so a malware removal tool, such as Malwarebytes (www.malwarebytes.org) can be installed from a USB disk (not the Internet, because the virus blocks Internet access). Malwarebytes offers a free download that includes a program that kills or disables the virus so that it can be removed.
Antivirus Soft disables Windows Explorer so the hard drive has to be removed from the computer and scanned as an external drive. In addition to Malwarebytes, PC Tools Spyware Doctor (which is not free) is also effective in removing this threat. There are several other tools, including one from Microsoft (www.microsoft.com) that may be helpful in dealing with these threats.
The other alternative is to completely reload Windows (after backing up all data) and associated programs. This alternative can be attractive for older systems because it will clean up many of the items that may be causing the system to function poorly. Careful planning should be used before performing a reload, such as locating all program disks, or the names of the Web sites that will be used in re-installing the programs. Be sure that the data backup is complete and has been tested before beginning the reload.
What can be done to prevent being infected? Don’t follow links unless you trust the source. If a pop-up appears on your screen, even if it looks legitimate, don’t click anywhere inside the box (don’t click yes/no/cancel/anything); just close the box. If suspicious, just turn off your computer rather than click inside the box. Keep your antivirus up to date. Do not open any e-mail attachment unless it is from a trusted source.
What if, after removal of the malware, Internet Explorer still does not function properly? There is a trick; call us and we will tell you.
Geoff Griswold is a field engineer and general manager of the Omni Group, an IT services company specializing in the hospitality industry. He can be reached at (678) 464-2427 or geoff@atlantaomnigroup.com.
Bert McDonold is a network specialist in the Atlanta area supporting small law firms and hotels with network setup, security and tuning, along with setting up proper backup systems and procedures. He can be reached at (770) 330-4373 or apex_micro@yahoo.com.
©2010 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.