Fake Anti-Virus Popups – This Is A Virus

I get a lot of experience removing computer viruses as a computer repair technician, but rarely do I get to see a virus actually infect a computer “in the wild”. Two days ago my main computer, which is a fully updated Windows 7 PC with up-to-date antivirus, was infected by a drive-by virus (specifically the very nasty TDSS rootkit virus). The following is how the virus infected the computer and how I removed it.

I was downloading a file from Megaupload when another browser window popped open and started playing a video. The popup browser window looked innocent enough, but when I went to close it, a warning dialog telling me to install up-to-date antivirus software immediately showed up in my system tray.

The best thing is that the warning misspelled the word “Unauthorized” as “Unauthosrized”:
[Image: fake anti-virus warning popup]

Then I started getting a fake Windows Security Center window warning me that my computer had no anti-virus software installed:
[Image: fake Security Center popup]

The infection begins with a trojan that installs itself into the C:\Users\<Username>\AppData\Local\Temp directory (%LOCALAPPDATA%\Temp). The trojan then downloads many more malicious files, including a rootkit that is staged to install itself as soon as you reboot the computer, which is why the removal below depends on scanning before that reboot happens.

Here is the actual trojan file that installed itself:
[Image: popup virus identified]

I immediately ran a full scan using Malwarebytes Anti-Malware, which detected quite a few infected files (including the persistent TDSS rootkit) that the trojan had attempted to install onto the computer.

This is what Malwarebytes detected and removed:
[Image: anti-virus popup virus removed]

After I ran Malwarebytes I rebooted the computer, ran Malwarebytes again (it caught a few more infected files that tried to re-install themselves), and then ran a full scan using AVG Free Anti-Virus.

If you follow the above steps immediately after an infection, before rebooting, you should be able to remove this virus with no problems: the rootkit is only staged on disk until the next boot, so removing it first means its driver never gets to load. If the machine has already been rebooted, treat the rootkit as active. A scanner running inside the infected Windows may not see it, so scan from clean boot media or use a remover built for this rootkit family (for example Kaspersky’s TDSSKiller), then rescan with your normal tools.
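As an added example (not code from the original post), here is a PowerShell triage script that checks the two things the infection chain above relies on: executables recently dropped into %LOCALAPPDATA%\Temp, and any Run/RunOnce value or service/driver ImagePath that points back into a Temp directory, i.e. something staged to complete the install on the next logon or reboot. It assumes an elevated PowerShell prompt on the affected Windows machine; the 48-hour window is an arbitrary choice, and it is a generic check for droppers staged in Temp, not a signature for TDSS specifically.

```powershell
# Added example, not code from the original post. Assumes an elevated
# PowerShell prompt on the affected machine; $LookbackHours is an arbitrary
# window chosen for illustration. Written to run on PowerShell 2.0 (Windows 7).
param(
    [int]$LookbackHours = 48
)

$tempDir = Join-Path $env:LOCALAPPDATA 'Temp'
$since   = (Get-Date).AddHours(-$LookbackHours)
# Regex for "somewhere under a user's local Temp directory"
$tempPattern = '\\AppData\\Local\\Temp\\'

# 1. Executable content recently written into %LOCALAPPDATA%\Temp. Legitimate
#    installers stage files here too, so treat hits as leads, not verdicts.
Write-Output "== Executable files written to $tempDir since $since =="
Get-ChildItem -Path $tempDir -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    Where-Object { $_.Extension -match '^\.(exe|dll|sys|scr|com|bat|cmd)$' -and $_.LastWriteTime -ge $since } |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize

# 2. Logon persistence: Run/RunOnce values whose command points into Temp.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
Write-Output "== Run/RunOnce entries pointing into a Temp directory =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a registry value
        if (($p.Value -is [string]) -and ($p.Value -match $tempPattern)) {
            New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 3. Boot persistence: services and drivers whose ImagePath is under Temp.
#    Start type 0 = boot, 1 = system, 2 = automatic, 3 = manual, 4 = disabled;
#    a driver staged to load on the next reboot would carry Start 0 or 1.
Write-Output "== Services/drivers whose ImagePath points into a Temp directory =="
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($svc -and $svc.ImagePath -and ($svc.ImagePath -match $tempPattern)) {
            New-Object PSObject -Property @{
                Service   = $_.PSChildName
                Start     = $svc.Start
                ImagePath = $svc.ImagePath
            }
        }
    } | Format-Table -AutoSize
```

Run it before rebooting, as the post does: once a rootkit driver has loaded, the file and registry APIs this script relies on can be lied to, and an empty result no longer means a clean machine. Compare anything it lists against what the anti-malware scan reports, and remember that a legitimate installer can also leave an executable in Temp.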

Good luck!
