Secure Channel, Ziff Davis Enterprise
Thursday, August 13, 2009 11:06 AM/EST

Scareware Hits My PC; Now I'm Really Mad

Irony is when something happens in a context in which it shouldn’t have happened, such as my PC getting infected with a piece of nasty “scareware” while I was writing a report on the effectiveness of browser security features (I’m sure the two are unrelated, but that’s irony).

Scareware, or rogue software that masquerades as legitimate security software to trick users into paying for an application that serves no purpose, is a huge and growing problem. Earlier this year, Microsoft reported that rogue software and scareware were the biggest threat of the second half of 2008. Panda Software issued a similar report this spring.

For the last 14 hours, I’ve been doing battle with a nasty Trojan that Symantec calls SafeStrip. The Trojan calls itself SPM/LX. Frankly, I don’t care what it is; I’ll just call it “annoying.” The Trojan first caused my machine to grind to a crawl and presented me with a brand-new trial app called “Advanced Virus Remover.” This app reported that I had several worms and viruses that could be removed only if I converted to a paid license. Naturally, it disabled my Symantec Endpoint Security before exhausting memory and invoking the dreaded “blue screen of death.”

The damn thing wouldn’t allow me to reboot in safe mode and made the embedded recovery tools nearly useless. After more than an hour of wrestling with the Trojan, I finally got Windows operating in a stable state. Symantec claims it quarantined the malware, but did nothing to disable it or restore the functionality of useful tools such as Task Manager.

Like many similar pieces of malware, this Trojan interferes with access and functionality. A Facebook friend suggested I read Panda Security’s report on scareware. While the Trojan allowed me to reach the Panda site, it wouldn’t allow me to access the PDF file. Interestingly, the Trojan is blocking access to the search engines Ask.com and Bing, but allowing unfettered access to Google (someone has already suggested that this is Google’s way of blunting Microsoft’s gains with Bing; not bloody likely).

SafeStrip is a persistent bugger. While my admin is working on removing it through our corporate AV server, it continues to present me with a steady diet of dire warnings about the need to scan my PC, download the latest intrusion prevention software and the danger of operating without AV protection. The creators have gone to great lengths to make this scareware look legitimate. Its icon on the desktop and in the tool tray looks exactly like the four-color shield Microsoft uses for its security products. The warnings, system pop-ups and interface look just like any anti-virus application. Even the About tab on the app is remarkably ambiguous but somewhat believable to neophytes; it reads, “Use the Interest with confidence (sic) Anti-Virus, Anti-Spyware, Anti-Spam and Firewall protection. Advanced Virus Remover detects and stops threats before they become a problem.”
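The symptoms above (Task Manager gone, Safe Mode broken, some sites reachable and others not, the thing coming back after every reboot) map onto a handful of places this class of rogue AV habitually tampers with. The following triage script is an added example written for this page; it is not the author's, not Symantec's, and it makes no claim about how SafeStrip specifically did any of this. It checks the DisableTaskMgr policy value, the SafeBoot registry trees, the hosts file and the Run keys. The watch list of domains and the path heuristics are assumptions for illustration (the `advancedvirusremover` folder name comes from a commenter below), and the script is read-only unless `-Fix` is passed. Run it from an elevated PowerShell prompt on the infected box.

```powershell
# Added triage example for rogue-AV infections on a Windows box.
# Not the page's or any vendor's code. Checks, in order:
#   (a) Task Manager disabled by policy
#   (b) Safe Mode registry trees deleted
#   (c) hosts-file overrides for security and search-engine names
#   (d) Run-key persistence in user-writable or suspicious locations
# Domain watch list and path heuristics are assumptions for illustration.

function Get-RogueAvIndicators {
    [CmdletBinding()]
    param(
        [switch]$Fix   # remove the DisableTaskMgr policy value if found
    )
    $findings = @()

    # (a) DisableTaskMgr=1 under the System policy key, user hive or machine hive.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $p = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
        if ($p -and $p.DisableTaskMgr -eq 1) {
            $findings += "Task Manager disabled by policy: $key\DisableTaskMgr=1"
            if ($Fix) {
                Remove-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
                $findings += "  -> removed DisableTaskMgr from $key"
            }
        }
    }

    # (b) SafeBoot\Minimal and SafeBoot\Network list what Safe Mode loads;
    #     if a tree is gone, Safe Mode cannot start (or blue-screens).
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        if (-not (Test-Path $key)) {
            $findings += "Safe Mode tree missing: $key"
        }
    }

    # (c) A clean hosts file holds only comments and loopback lines. Any
    #     line naming a vendor or search engine is worth reading.
    #     Constructed watch list, not taken from the malware.
    $watch = 'bing.com', 'ask.com', 'symantec.com', 'microsoft.com',
             'pandasecurity.com', 'malwarebytes.org', 'mcafee.com'
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (Test-Path $hostsPath) {
        foreach ($line in Get-Content $hostsPath) {
            $t = $line.Trim()
            if ($t -eq '' -or $t.StartsWith('#')) { continue }
            foreach ($d in $watch) {
                if ($t -match [regex]::Escape($d)) {
                    $findings += "hosts override: $t"
                    break
                }
            }
        }
    }

    # (d) Run entries whose command points into TEMP, APPDATA or ProgramData,
    #     or whose path mentions the rogue product name (assumed heuristic).
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $suspectDirs = @($env:TEMP, $env:APPDATA, $env:ProgramData) | Where-Object { $_ }
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip provider metadata
            $cmd = [string]$prop.Value
            $inSuspectDir = $false
            foreach ($dir in $suspectDirs) {
                if ($cmd -like "*$dir*") { $inSuspectDir = $true }
            }
            if ($inSuspectDir -or $cmd -match 'advancedvirusremover|advanced virus remover') {
                $findings += "Run entry '$($prop.Name)' in ${key}: $cmd"
            }
        }
    }

    return $findings
}

$results = Get-RogueAvIndicators
if ($results.Count -eq 0) { 'No rogue-AV indicators found.' } else { $results }
```

The point of the script is to tell you which symptom is a registry flip you can undo in seconds (Task Manager, Safe Mode) and which one means something is still running and rewriting the box (a Run entry pointing into a temp directory, a hosts file that keeps changing back). If the Run entry or the hosts overrides reappear after you remove them, a user-mode cleanup is not going to hold and the commenters' advice to reimage is the right call.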

Malware infections can be cleaned up in nearly all instances, with varying degrees of residual damage. I can even live with the annoyance and disruption caused by the Trojan while my team cleans my machine. But I can envision how this already serious and growing threat could become more severe. Hapless end users readily give up credit card numbers and identifying information to these fraudsters, setting themselves up to be chronically bilked for cash. Worse, scareware such as Advanced Virus Remover wants to update itself, and those updates could push keystroke loggers and other spyware that stealthily steal information. And, of course, these apps are great gateways for building botnets.

I’m not scared of scareware; I’m just pissed off. It’s time for war against these bastards. Even as some state attorneys general look to prosecute these fraudsters, the security community and solution providers need to raise the level of awareness of drive-by downloads, scareware and rogue applications. In this case, awareness is a critical component of the defense.


Comments (25)

Jack :

The punishment for creating scareware should be execution. Cap the rear of a few of these bastards and the problem should take care of itself.

IT Tech :

I just spent over 6 hours in the task of removing a similar nasty application that performed the same actions. I believe that this should require a complete format to clear up the issue, but time was of the essence in this instance, causing the effort to resolve just short of that action. This little critter was even worse. After a previous two-hour process I had thought I got rid of the malware, but was surprised the next day when it started back up and exhibited even worse popups and finally C5 bluescreens. I suspected a possible rootkit, which was finally confirmed using McAfee's rootkit tool. But the registry key that contained the "Sky'Crapware'" entry had locked down and could not be deleted because the malware had removed all rights to the entry. After reviewing the entry I discovered which device driver .sys file was causing the blue screens and deleted it from the system32 directory. The McAfee app did rename and/or delete the other modules and registry entries.

I just cannot understand why MS chose not to block all rootkit installations and registry entries out of the box, except with approval.

Making money on this insidious malware is just not for the creator.

Paul Braga :

This sounds like a great way to get people to give up credit card and identity information. If someone's selling a phony product why should they be trusted with anything else? Be a real easy way to get info they could exploit for other purposes, even if the cc is canceled they have the person's other info, so the game goes on.

Robert :

I don't know why the credit card companies don't take more of a lead on this kind of stuff. It would be pretty hard for the perpetrators of this stuff to make any money if they couldn't receive funds through a merchant account.

BTDT :

You've made it this far without contracting this? I've seen it and its variants plenty of times with many different security software programs running and up-to-date.

Yes, a real threat but not so difficult to deal with using tools those of us on the front lines use all the time. To the uninitiated, it presents a huge hazard.

Jim T :

This sounds a lot like a variant of either the Antivirus 2008/2009 scamware or something I encountered on a customer's computer a couple of weeks ago called Personal Antivirus, which performed similarly to the AV200x series. I have always had good success removing the AV200x with MalwareBytes, but it had no effect whatsoever on the Personal AV scamware. So I then found and installed a removal tool called SuperAntiSpyware, or SAS for short, and it did a wonderful job of destroying every remnant of the Personal AV.

So, interesting observation about who gets rich off of this -- the creator of the malware, the antivirus and the platform. Interestingly, my Vista machine didn't get whacked. I wonder if Vista's requirements for user approval for new installation guards against drive-by downloads and Trojan installations? I haven't looked at Vista that way.

So, we're now officially on Day 2 of this infection. My admin spent the afternoon repeatedly cleaning out the registry only to have this Trojan rear its ugly head again. At least the BSODs have stopped. So far, he's used MalwareBytes, Spyware Doctor and Ad-Aware. None worked. Tomorrow, we're going to try a few more tricks. If that doesn't work, we're going nuclear.

Richard Ketchum :

I had the same happen 2 days ago. It even changed my wallpaper to solid blue with the virus warning in the center. According to what little research I could do, it also installs in the startup. I eventually found the program (or so I think I got it all) on my hard drive by doing a search of my C drive using "advance". I located 2 entries and a folder called "C:\program files\advancedvirusremover". Deleted the items and so far have stayed up and running.
I have dial-up access and didn't expect any drive-by shootings. I picked it up on IWON.com playing Spin 2 Win.

Steve :

Maybe this will help,
Their support puts this out. Probably to prevent prosecution.

Please follow my instructions to uninstall Personal Antivirus

1.Open My computer, choose Disk C;
2.Find the folder Program Files\Common Files\Uninstal\PAV\Uninstall.exe;
3.Run the file Uninstall.exe

After that our product will be removed.
Feel free to contact us if you need any help

support@softsupportmail.com

We have removed this from customers machines very cleanly. When all else fails - Google! That's how we found it.

DaveThe Computer Guy :

These types of infections rely on social engineering as well. I tell all my customers never to close any dialog/display boxes when they pop up, not even by using the close "X". They have recoded the X to read "yes install". I tell them to stop them using Task Manager and killing any open Web browser, and you will also see the nasty program box as well. Then use ATF Cleaner, MBAM, Spybot S&D, SAS, and your AV program too. All of that before letting it shut down.

Dave, I hear you loud and clear, and that was the first thing I went to do. But this little bug disabled my Task Master.

Scareware is expensive to try to repair and, in any "repair" situation seems often to leave the victim machine with some hidden beacon.

Best, fastest, cheapest and only really thorough fix is restore/reinstall the OS.

Scareware is a great reason to get into off-site versioned backups. Then, if the OS's built-in restore is made ineffectual by the scareware, you just "reinstall" and reload the backup. Cool

PS: To imprison or get restitution or whatever the punishment is, I'd settle for any action at all by DHS agencies to stop this sort of crime. Any action at all?

Dean Warnock :

Ironically, I just had to clean up a PC for my daughter the other evening with a similar "scareware" called "Personal Anti-Virus". I just gave my daughters an older PC that I had and set it up with Vista Ultimate. I installed my daughter's copy of NAV 2008 and she failed to register it, so it didn't protect against this nasty booger. Anyway, I did the smart thing and made an image, yes, 6 DVD-DLs' worth of the installation, prior to giving it to them, and restored the computer, so all they lost was a couple of photos they downloaded from some friends. I also installed my licensed copy of Norton 360 for this computer and turned UAC back on for them. I failed to tell them that Vista will not install anything unless they think about it first. So now they know to call me first, before installing anything.

Gary Lamagna :

The only way to beat these scammers is either in the pocketbook or jail time. I say a class action lawsuit billing them at triple full cost for the time it takes techs to remove the malware. Or better still, some international laws with teeth that would lead to jail time. Maybe even block entire countries IP range if they don't enforce compliance.

Mr. Walsh:

I just have to make this observation... the only way to get this type of scareware is to be stupid enough to install it! I have run into numerous websites (haaretz.com is one that is frequently compromised and attempts to install scareware 1 out of every 10 times when I access news articles). The website runs a "fake" scan, and then gives you a choice to either fix the "found" viruses and trojans or cancel. Either button will attempt to download the malicious file. All I do is cancel the download and, if needed, end task to close the site. It seems to me that you ran the executable and installed the fake AntiVirus/Anti Malware software. Methinks maybe you should find another line of work....

Your observations are interesting in that they are baseless and myopic. The pervasiveness of malware and the ability of hackers to circumvent user actions and technical controls makes such infections not only possible but probable. As many people have written to this blog, this type of infection is not a matter of if but when. Even legitimate sites are being compromised by hackers to spread their malicious wares, and this has led to attempts by AV vendors to assess and filter such sites based on their discrete security posture and long-term reputation. Stupidity, sir, is a factor, but increasingly a smaller factor than in the past.

What puzzles me is that large companies haven't seen this kind of deliberate infection and waste of IT resources as a pure business decision and had these guys capped?

Seriously, what is the cost to huge companies in terms of virii/infection abatement? It has to be in the millions. Thousands of hours lost across a company quickly means millions in revenue. If 1 company took the lead (albeit a morally questionable one, to someone, sure as hell not me) and hired some Eastern Bloc spook to find who's responsible and gut them like a carp, the world would start being a better place quickly. I say this is war and we should be treating it as such.

While they're at it, see if they'd do Alan Ralsky and his ilk for an extra hundred K; everyone would be happy to chip in a few bucks. Added bonus is that half of these guys are from some backwater former russky republic or North Korea anyway and it's not like they have a statute of limitations in Crapspamistan.
Whatever ass said violence isn't the answer wasn't asking the right question.

Well, interesting idea, but not practical. If the terrorist groups have taught us anything, it's that removing the head does not kill the body.

While I would agree in the instance of ideologues, these are merely opportunists who are motivated by money and by preserving their own skin. If corporal responses didn't work, then there'd be little if any point in establishing a rule of law in the first place. Further, the head, greed, is fundamentally inaccessible, being an inextricable component of human nature. I'm not even speaking in terms of a social movement, but as a, shall we say, corporate initiative. Word gets around quickly when bodies start piling up.

Personally, it's a whole lot more ethical than political action committees, wouldn't you say? And with respect to terrorists, they've shown that senseless bloodshed results in concessionary politics and asskissery to statistically irrelevant fringe dwellers.

Regardless, many of the viruses and bot-nets originate out of the *vakias, where programmers are actively recruited by the Russian Mob, many of whom are former KGB and even economists. The point here is that John Law and Flaccid McAttorney, impotent mouth-breathers that they are, cannot and will not help. Witness the astoundingly vacant CAN-SPAM Act which has resulted in... Anyone... Bueller? MORE SPAM! It all went off-shore. And a few small fish went to club fed.

If there's any results that can be had, they most certainly will not be from legislators, but from the cold, enterprising hand of people who refuse to take it anymore. So the only question that I have is who's in charge of the discretionary budget over at IBM?

We should talk.
justwondering :

Have you tried HijackThis? I had pretty good success with it against Antivirus 2008. It didn't get everything but it did disable it, at which point I was able to run Spybot, do a registry scrub, etc....

Phyllis :

I am not totally computer literate, and I just purchased the Advanced Virus Remover for $69.00. All sorts of things were popping up and I could not figure it out after trying yesterday and today. Is there a way I can get my money back? I feel like such a fool to let them dupe me into doing this. Somebody tell me what to do please.

Justin :

I just got one that's called Total Security. It changed my background on my desktop, I can't open ANY programs, not even the task manager! On top of that I can't even run Windows (XP) in safe mode. Mr. Walsh, any update on your situation? How do I get this off? I foolishly don't have any backups, and would like to get back to normal without reinstalling Windows, but it's not the end of the world if I have to. I just want to try everything first before doing so... Hell, I don't even know where my Windows CD is... The biggest thing I'm worried about is that I have Visual Studio 2008 Professional and am in the middle of a big and awesome open source project, and I don't know where my VS2008 CD is :-( Guess I better get looking for both

I wonder if you could make a claim with the credit card company for a fraudulent purchase. Now that would be an interesting experiment.

I had some mystery charges show up on my cellphone bill. When I called AT&T to inquire, they could only tell me that it was a third-party charging against my account for ringtone downloads -- which I had never done. Without question, they refunded my money. It would be interesting to see if the same could apply to scareware.

I encountered Green AV 2009 on a customer's computer and googled for a solution. I found several. None worked. In fact, with some of the sites, as has been mentioned earlier, there were entries that seemed to be purposely misleading- removing some of the infection but leaving other parts that allowed it to continue to operate.

I didn't trust any of the old standbys, such as Malwarebytes, to completely remove the thing, since the various instructions on the internet are wrong. I didn't want a partial removal that would hide the total signature of the problem.

I believe I have a process that removed all the threads, but it required a long time using HijackThis, reviewing and searching the registry, and cross-referencing the registry to the possible modules on the computer, etc.

On another customer's computer I had a W32Lovegate variant. That one had disabled windows update by deleting an entire branch of the registry. Working with MS Support, we had to reconstruct the branch, as well as run a couple of different malware programs. Now I have the branch as a local reg file, as well as all the other things I did in "snapshot form" so I can quickly go after the thing if I again encounter it.

These are all stories to the question I have. How in the world can the good guys communicate amongst each other without the bad guys mucking up the information or using it to change their "signature." Do we have to end up sending the information to the big Security Application sites, where they then use the information to make a profit? Is there some web site where solutions I find, get some credit, and not have the information misused?
