Fake Anti-Virus Virus

This is a nasty little virus that McAfee can’t protect you from, and so you will find little instruction on how to cure yourself of it — as it is an embarrassment to them.

I come home from racing, and my wife tells me that her computer has a virus — and is hosed. I was quite surprised, because she has an active subscription to McAfee and nightly updates.

The symptoms are a McAfee looking error message saying that you have a virus, that certain files are missing, and do you want to run a scan. Regardless of what you say – it runs what appears to be a scan, and presents a web site (in my case it was antivirvip.com/shop – don’t go to that site!) selling you anti-virus software.

You look down in your systray — and you see what looks like a McAfee shield, but a closer look and you will see it is green instead of red and doesn’t have the big M in the center.

You can’t go to other web sites, start McAfee (which has been disabled) and you can’t do anything in your control panel like add/remove programs.

Restarting the computer, you will see that McAfee starts, then gets disabled, and you get all of the error messages and the computer is otherwise useless.

The messages say things like:

Virus Alert
mcagent.exe is damaged
Do you want to activate your antivirus now?

First — Here’s what doesn’t work

  • I first turned off all of the shared external (net work) drives the computer has access to through a map to keep them from getting attacked, started the computer in Safe Mode (press F8 as soon as you hear the beep at start up — then select Safe Mode) without network support — logged in as an administrator, fired up McAfee, and had it run a full scan. After three hours — it finds nothing. The Virus wins!
  • So I restart the computer in Safe Mode with network support so I can get to the Internet through my wireless network. I do a search on the Internet — and while I see a ton of people with this problem — 2 hours of reading only tells me how you get the virus (explained below) — and none will tell you more than you are screwed. McAfee is silent on their web site, but their support offers a free program called “McAfee Virtual Technician” (you will have to search for it). It is a program that you download, install, and run. It identifies problems and fixes them — so it says. I downloaded, installed, and ran. It said that protection was turned off, my McAfee needed to be updated — and something else that I forget. I select the option to automatically fix — and it comes back saying that it can’t. Virus wins over McAfee again!

What I did to fix — that I couldn’t find how to do anywhere on the Internet

  • I started the computer in Safe mode, and logged on as an administrator
  • Since my Registry was hosed, I did a system restore to a known good backup (which your computer routinely does if you have it set up right, and let Windows automatically update). You can do a search for “Windows System Restore” for more information — but in the case of my wife’s computer running XP, I clicked Start/All Programs/Accessories/System/System Restore. You are presented with a calendar, and I selected a date about 2 weeks earlier. The computer takes the next 10 minutes going about it’s process of restoring to that date. This is a reversible process — but you’ll just get your registry with a virus back.
  • I restarted the computer in regular mode — and logged in as an administrator.
  • At this point, McAfee still turns itself off after you turn it on — so I went back to the McAfee site and downloaded, installed, ran McAfee Virtual Technician (the registry I restored from knows nothing of the previous installation of it, so I had to install it again — as any other program installed between the restore date and the virus date) — and let it fix the errors — which it did. Now my McAfee stays on.
  • I then did Window Update to catch up what the older registry doesn’t know of. Fortunately, no new applications were installed in the two weeks between the restore date and the virus date — so I didn’t have to reinstall any of them.
  • I finally ran a Full Scan — and came out clean.
  • I had my wife go to all of here shopping web sites and change her password — and to monitor her credit cards on-line over the next couple of months.

So how Did the Computer get this Virus — and what does it do?

From the Internet I learned that you get this from those sites that pop up a McAfee looking message saying your computer just identified a virus, and asking if you want to run a virus scan. THIS IS THE TIME TO NOT PANIC — BUT TO STOP, TAKE A BREATH, AND THINK!

Right then if you close the browser and restart the computer without moving your cursor onto the box — you will be Ok and not been infected by the virus. However if you move your cursor over the message or click it — you’ve just hosed your registry. I verified from my wife that his is what happen.

The virus first turns off real time scanning of viruses, tries to steal your passwords, and attempts to get you to buy their fake anti-virus service to steal your credit card information.

I hope all of this will save someone many of the hours I wasted trying to figure it out.

Please share a link to this thread on Facebook, and to all of your family and friends so they do not get the virus — and know how to handle it if they do. I’m seeing people all over the Internet reformatting their drives and reinstalling Windows — or paying someone big bucks to fix this Virus. That’s using an axe when a scalpel is required. It is really easy if you know how you get it — and what to do if you get it.