Spoof AV site

[TechMonkey]

Had a few students & staff come across this site:
Personal Antivirus
It is a fake antivirus site. Not sure what payload or scam it is but I'm sure it isn't fun.

[rolfea]

its easy to see how people would fall for that.

[TechMonkey]

Definitely. It also has the classic dialogue boxes that guide you in no matter what you select.

[Andie]

Teacher has just come to say her laptop is flashing up anti-virus warning messages. Get there to find a web page pretending to show that there are no end of trojans on all her disks, and a message box asking if we want to remove them. Trying to click cancel on this box just brings up a box asking to install Personal Anti-virus. No matter what i did with this box it kept trying to install program. Closed web page in end which then let me close all other windows. But too late - it looks like it had installed itself anyway. Teacher had just been browsing the Internet when all of a sudden all webpages disappeared and this antivirus stuff came up. Not the sort of teacher to do anything silly. We already have sophos on the laptop. There is now a desktop shortcut to something called Personal Antivirus, but the program is not listed when I go to the Add/Remove Programs list in Control Panel. The program is also now on the Start menu, and had an uninstall option in its Start menu folder, but that does nothing. There is also a button in the system tray on the taskbar. This is screaming messages about a critical file infection.

I have just set sophos to scan the computer. If that doesn't find anything, does anyone know how to get rid of this????

[rush_tech]

Here's what I got

[Stuart_C]

Depending on how nasty it is;

• Disable system protection
• look in the registry for random things staring up - HKLM\software\microsoft\windows\current version\run\ and check what everthing is on google.
• Make a note of any dodgy files, find them and delete them (use task manager to terminate processes if necessary)
• Delete registry keys

editing the registry incorrectly can totally knacker your computer.

It's a bit rough but it's a general principle. Software like AdAware and SpyBot can help as well.

[mrtechsystems]

Yeah I have working on a machine today that tries to look like AVG

Malware Bytes - to removed the problems

[SC-UK]

Good old Safari, here's what I get as well:

[FN-GM]

chrome gave me warning message. I have blocked the site anyway i doubt IE will stop it.

[gibbo_ap]

on anti virus 2009 i used wi sys restore worked a treat tho this one was a manual reg jobbie ah the fun!

[SC-UK]

chrome gave me warning message. I have blocked the site anyway i doubt IE will stop it.

I have just tried it on W7 with IE8 and no warning message whatsoever! (Although I am not running any AV at the moment as it is a test VM)

[Jackd]

I have just tried it on W7 with IE8 and no warning message whatsoever! (Although I am not running any AV at the moment as it is a test VM)

Probably because safari, firefox, chrome etc all do lookups to the google safe browsing database, whereas IE doesn't i dont think :P

[Andie]

Sorry I didn't get back to this earlier. I got rid of the thing eventually. Although the uninstall didn't work from the Start Menu, it did work if I double clicked it directly from the Personal AV folder in Program Files. I also did a scan with sophos and deleted any references to Personal AV it found. Probably not the best way to do it though. I gave the laptop to my helpful secondary school backup team, and they scanned it for malware, etc. and found nothing. It looks like it was an aggressive program, hopefully not having done any major damage. Haven't had any further problems.

[Andie]

I've had another machine attacked by a slightly different and more aggressive spoof AV. This one is called Personal Security. I have no idea what the teacher did to allow it on, if anything. Standalone laptop with fully updated Norton AV and Norton Internet Security running. Neither reported anything. Anyone know if this is a web based thing like Personal AV, and if so what the site is so I can ask Internet Provider to block? I'm going to do a search myself using Firefox, which seems a lot better at detecting and stopping this stuff.

[ianniow]

I had a laptop with Personal security warning of virus. Could not do anything. Either access denied or when I tried to install malawarebytes it did nothing.
Eventually found on a forum somewhere. "Go to C:\program files\common files\psecurity\ double click uninstall.exe"

I could not believe that it would work but I thought I had nothing to loose and it did work.
So I then installed malawarebytes and ran a scan which picked up a few bits that were left.

Who ever heard of a virus with an un install