Be on the lookout for fake anti-virus programs

East Valley Tribune: Business


Posted: Thursday, January 8, 2009 5:45 pm | Updated: 2:53 am, Sat Oct 8, 2011.

Q. I have Norton Internet Security, yet my computer has been infected with the Antivirus 2009 program. How can this happen, and how do I get rid of it? - Glenn

A. Your question underscores a common but mistaken mind-set among computer users: "If I have security software in place, I shouldn't get any infections." Nothing could be further from reality.

Anti-virus/anti-spyware programs and firewalls offer no protection if the user decides to click on links that deliver malicious code, or to download and run questionable files. The user's own actions can easily override the installed protection and, in some cases, actually disable the protection programs while making it look like they're still running.

The fake anti-virus program scam actually started last year as "Antivirus 2008," and it was so successful that it lives on in many variations, including "Antivirus 2009." A clever malware author discovered a sneaky way to fool people into installing malicious software and then extract money from them by posing as a legitimate program for removing that very software.

The reason this approach has been so successful is that these programs very closely mimic Windows warning screens and legitimate antivirus programs. Virtually every legitimate anti-virus company has a product called Antivirus 2009, which further confuses the uninitiated.

The most common ways to come in contact with this infection include: maliciously coded Web sites that pop up a warning message saying you are infected; e-mail messages that trick people into clicking on a link; Web sites that claim you need to download software to see a posted video; and links or downloads spread through social networking sites such as MySpace and Facebook, as well as through all of the instant-messaging systems.

At this point, any form of popup or error message that refers to Antivirus 2008 or 2009 (including System Antivirus, Ultimate Antivirus, Vista Antivirus, Pro Antivirus or XP Antivirus, followed by a number) should be considered extremely suspicious.

If you ever see any reference to a virus that is not specifically from the product that you have installed in your computer for protection, you should consider it to be a fake. In the same manner, any Web site that claims you need to download a new video program or "codec" to view a video should be considered a threat.

Users of file-sharing networks are at high risk of contracting malicious software because it is often hidden inside what appears to be a legitimate program. Software disguised this way is referred to as a Trojan.

The writers of malicious code count on users who are not really paying attention, and they are fooling people by the millions around the Internet. This type of infection is amongst the worst that I have seen in my 20 years of servicing computers.

Getting rid of the code once it has infected your system can be very involved and is different for the various versions of the infections. So if you are a novice, don't attempt this without help.

Those with more experience should start by identifying the exact version of the malware they have and placing it in quotation marks followed by the words "removal instructions" in Google (example: "Antivirus 2009" removal instructions).

If you know how to work with the Windows registry and operate in Safe Mode and you have a current backup of your critical files, you should be able to find instructions online for removing the exact version of the infection that you have.

WARNING: There are so many people infected with this family of malware that many new scam programs have popped up claiming to clean the code. Some appear to be free programs, but they will only scan your system for free and then charge you to remove the code. Often, they don't even do that properly.

In our service business, we use a combination of several manual detection and removal processes (again, based on the exact version of the infection) along with multiple scanning programs to ensure that all potential re-infection avenues (temp files, restore points, modified dll files, etc.) have been removed or restored.
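As an added illustration (not part of Ken Colburn's column or Data Doctors' process), the following PowerShell triage script checks three places the column mentions, running programs, the Windows registry's startup (Run) keys and temp folders, for names matching the rogue anti-virus families listed above. The name patterns, paths and 30-day window are assumptions; a match is only a lead to investigate further, not proof of infection, and the script changes nothing on the system.

```powershell
# Hypothetical triage script (added example, not the column's or Data Doctors' own).
# Read-only: reports names matching rogue anti-virus families from the column.
$Patterns = @(
    'Antivirus ?20(08|09)',
    '(System|Ultimate|Vista|Pro|XP) ?Antivirus ?\d*'
)
$Regex = [regex]::new(($Patterns -join '|'), 'IgnoreCase')

function Test-RogueName {
    param([string]$Name)
    return $Regex.IsMatch($Name)
}

$Findings = @()

# 1. Running processes whose name matches a rogue family
Get-Process | ForEach-Object {
    if (Test-RogueName $_.ProcessName) {
        $Findings += "Process: $($_.ProcessName) (PID $($_.Id))"
    }
}

# 2. Registry autorun entries (per-user and machine-wide Run keys)
$RunKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($P in $Props.PSObject.Properties) {
        if ($P.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
        if ((Test-RogueName $P.Name) -or (Test-RogueName "$($P.Value)")) {
            $Findings += "Autorun: $Key\$($P.Name) = $($P.Value)"
        }
    }
}

# 3. Recently written executables in the user and system temp folders (assumed paths)
$TempDirs = @($env:TEMP, "$env:SystemRoot\Temp") | Where-Object { $_ -and (Test-Path $_) }
foreach ($Dir in $TempDirs) {
    Get-ChildItem -Path $Dir -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
        ForEach-Object {
            if (Test-RogueName $_.Name) { $Findings += "Temp file: $($_.FullName)" }
        }
}

if ($Findings.Count -eq 0) { 'No rogue anti-virus names found.' } else { $Findings }
```

Run it from an elevated PowerShell prompt so the machine-wide Run key and the system temp folder are readable; treat any hit as the starting point for the version-specific removal instructions the column describes.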

Depending on how long you've had it and which version of the malware you have, you may also need to run a Windows repair after you remove the code, because certain Windows files can become corrupted as a side effect.

Ken Colburn is president of Data Doctors Computer Services and host of the "Computer Corner" radio show, which can be heard at Readers may send questions to
