Shields Up!: Vista Internet Security 2010
Late Sunday night my husband was working on his blog when he decided to check out one of his trackbacks. Bad idea. He was immediately redirected to a fake anti-virus site, and even though he knows not to click on anything and shut the browser down via Task Manager, somehow the program, called Vista Internet Security 2010, installed itself anyway! He was immediately tormented by pop-up after pop-up with dire warnings like:
System warning!
Intercepting programs that may compromise your privacy and harm your system has been detected on your PC. It’s highly recommended you scan your PC right now.
and
System warning!
Continue working in unprotected mode is very dangerous. Virus can damage your confidential data and work on your computer. Click here to protect your computer.
All fake of course. A fake version of the Windows Security Center opened up as well, and it claimed that his anti-virus and firewall were nowhere to be found. The infection happened about 11pm and it took me until 8am to finally get him back to a clean system. This rogue anti-virus is particularly nasty and frightening too. Here’s why:
- Our firewall didn’t stop it and neither AVG nor Malwarebytes detected it when I ran scans with each of them. They are both fully updated, so this means either this rogue is so new the anti-virus programs haven’t caught up with it yet, or it is able to avoid detection/disable anti-virus programs.
- It completely disabled Windows Security Center. Even when I went to Control Panel and launched it there, it presented me with the fake one.
- It dropped a nasty Trojan that inserts a browser hijack into every browser it finds installed on the system. The hijack throws up a fake warning that the site you are accessing is infected and keeps redirecting you to scam sites.
- It also dropped a keylogger, not the fake one it claims Firefox is infected with, but a real one. For those not familiar with the term, a keylogger is a malicious program that records everything typed into a computer, saves that info, and sends it off to the hackers. So if you have a keylogger installed and log into, say, PayPal or your bank, the hacker gets your login and password.
So how did I clean up the mess? Well, since neither Malwarebytes nor AVG was able to detect the malicious files, first I went to my computer and downloaded Malwarebytes to a flash drive and tried to run it on the infected system. No dice. I then opened the Windows Registry and tried to delete the files it had placed there but I was denied access. Finally I fought through the redirects, went to Trend Micro’s site and used their HouseCall scanner. I did two full scans and it found all the nasty files and deleted them. Once the system was clean I ran a HijackThis log to make sure no rogue files were lurking around, plus another virus scan. Once I was confident the system had been cleared, I had my husband change the password to every site, service and forum he’s registered with.
If you find yourself redirected to a fake anti-virus site, shutting down the browser via Task Manager may not be enough. If it’s not, the first thing to do is disconnect any other computers from your network, if you have one. This will keep them all from getting infected if the rogue anti-virus happens to be network aware. If your anti-virus software didn’t catch the infection, it’s probably been disabled or the variant is so new the anti-virus companies haven’t caught up yet. It is possible to manually delete some of these rogue anti-virus programs, but if you get an access denied error or you don’t feel comfortable messing with your registry (if you don’t know what you’re doing you can render your entire computer inoperable!), try using another computer to download an antivirus program to a flash drive, or use an online scanner like HouseCall.
How do you prevent infections in the first place? Think before clicking on any link. If it’s got gibberish in it, or came in an email from a stranger or from a friend but with no explanation, delete it. When dealing with URL-shortened links like bit.ly, don’t click unless you know and trust the source completely. Never ever click on a banner ad or pop-up that warns you your system is infected, and always keep your anti-virus program updated and your firewall on. It’s not foolproof, but following these steps will help significantly reduce your chances of getting infected.

I read with great interest your article on Vista Internet Security 2010.
It’s a bug with many variants that we’ve been fighting for a while now. Our new portable scanner is the tool for that job. As you pointed out, some of the other tools won’t run remotely, but our portable has an up-to-date definition database and will run from a USB without software installation or internet access on the infected PC.
You can access it here: http://www.superantispyware.com/portable
It’s free!
I’m happy to help in any way, and thank you again for the good advice you provide to computer users. It’s very much appreciated.
Mike Duncan
on February 18, 2010 at 07:06 PM
SUPERAntiSpyware
Hi,
Can’t thank you enough for posting this.
My version looked slightly different but I had the exact same problem.
It was an extremely good job :S, it looked entirely genuine (apart from a later notice of a grammar mistake :P). A number of other sites had suggested various programs to download, however like you said, the program had hijacked Internet Explorer 8 and attempts to navigate away from a “warning” page were of no use.
Thanks Mike for the great program, I could download it onto a USB and run it from its original location, on the infected computer without installing anything onto the start menu or program files. The software saves itself as a randomly generated filename, so the virus doesn’t pick up the software.
Thank you sooo much Sue, and Mike.
on February 19, 2010 at 10:41 PM
Your information was very much appreciated!
Thank you so much for posting this! I, at first, thought that it was actually something from the security center except that it wanted me to buy something. AVG didn’t work. Hopefully HouseCall will. (I’m running it as I type this on another computer.)
Thanks Again!
on February 22, 2010 at 02:35 AM
Kelsie
Housecall didn’t work for me- all it found was a trojan. The program Mike provided did- I suspect it may have taken out a necessary file though, or something else got screwed up- that may be entirely my fault (I was drunk when I was running it LOL). I wound up restoring my system back to last week (after fighting my way through EVERY shortcut on my computer being broken…I had to open Firefox by first going into MSN messenger, lol.)
Seems to be all clean now though. Thanks guys!
on February 22, 2010 at 10:17 PM
I used the program from Mike and it seemed to work. But I also ran into the same problem the D went through in that all my shortcuts aren’t working and when I try to access the internet I keep getting an ssvagent.exe warning. I also can’t restore my system cause the shortcut for that isn’t working either. Can anyone help?
on February 23, 2010 at 02:01 AM
Thanks for this. You can protect your system with a good antivirus like nod32 eset-nod32-antivirus.co.uk
on February 23, 2010 at 02:41 AM
Never mind, I think I got it.
on February 23, 2010 at 04:00 AM
M.R. -
Restore your system back to before you got the virus (say, last week or something). Right click on system restore and hit “run as administrator”, that should work (it did for me).
on February 23, 2010 at 09:14 AM
Thanks for the program Mike. However, I foolishly ran the program without checking to see if I had any system restore points created, which of course I didn’t. Is there any other way to get my shortcuts to work again?
on February 25, 2010 at 03:45 AM
Doesn’t your system automatically create restore points?
I have no idea. :(
on February 25, 2010 at 08:26 AM
It was set to not create restore points I guess
on February 25, 2010 at 04:00 PM
I don’t know what to tell you. If you can go on Mike’s site and contact their support? If three of us here have had this problem, I’m sure a lot more have had this problem with the program.
on February 25, 2010 at 08:09 PM
Thank you for your post. AT
on February 27, 2010 at 09:01 PM
I’ve got the damn thing. I didn’t download it or register for it or whatever it says but it has still managed to place a fake Windows Security Centre.
I’ve tried HouseCall but it hasn’t found anything and neither has my McAfee Security. I downloaded HijackThis but I’m not techie enough to be able to do anything on it without wiping my whole hard drive.
As I haven’t registered for it, can I just ignore it? This would mean my Windows Security Centre wouldn’t work. It has also not started to mess up any internet sites I go on to, though pops up all the time.
Am I safe to log on to my accounts as well?
Shall I download Mike’s programme?
Please help!! Thanks!
on February 28, 2010 at 01:52 PM
Don’t ignore it- it downloads other #### on your comp and besides, it’s annoying as hell!
Check to make sure you have restore points then use the program Mike posted in comments- it’ll disable your icons. Go to Start-programs-accessories-system tools-system restore *right click* on system restore and do “run as administrator”. That should bypass the dysfunctional icon BS and restore to before you got the virus, you should be good to go. Worked for me, anyways.
on February 28, 2010 at 02:05 PM
Can anyone help me? I bought the program vista security 2010 but, it did not download onto my computer or how does it work also does anyone know the # for the program I could not find one? I need help I’m lost here
on March 4, 2010 at 03:42 PM
Wait…you BOUGHT the virus? Um….
Or am I missing something here.
on March 4, 2010 at 04:41 PM
I downloaded the program onto another machine. I then transferred it using a USB from an uninfected machine to the infected machine. Opened the program and ran the quick scan. The quick scan found 7 threats to be quarantined. I then rebooted and the desktop appeared however no icons were functional, i.e. if I clicked on superantispyware you get “chose the program you want to use to open the file”, this is the same message I get when clicking on any icons. Starting in safe mode produced the same result. Could not even use system restore. Thank you in advance for any assistance.
on March 7, 2010 at 01:39 AM
Yea everyone who used that program had the same problem.
Go to Start -> programs -> accessories -> system tools -> system restore RIGHT CLICK on system restore and hit “run as administrator”. that should bypass the broken icon issue and get it running for you. Restore to before you got the virus (like last week or something) and you should be fine. All your icons should work again. :)
on March 7, 2010 at 09:20 AM
DOES THIS WORK OR DOES MIKES
on March 8, 2010 at 09:34 PM
Mike’s. But it will disable your icons, look above for instructions on how to fix that.
on March 8, 2010 at 09:41 PM
ok but does ur icons work when u run as administrator
on March 8, 2010 at 09:46 PM
Right click and hit run as administrator and it should- it did for me.
on March 8, 2010 at 09:47 PM
do u have 2 run as admin each time
on March 8, 2010 at 09:47 PM
System restore (make sure you have restore points before you run the program!) will work if you run as admin- and THAT will fix the icon issue.
on March 8, 2010 at 09:49 PM