Fake-Alert Infections Getting Smarter: Be Prepared for Tough Removals
Fake Alert infections generate millions in revenue. 8 Simple steps to remove a modern fake alert infection.
Over the past few months fake-alert malware infections have become more sophisticated at preventing the installation of common security products like MalwareBytes, AdAware, and Spybot S&D.
Fake Alert infections are those pesky pop-ups that tell your customer that their computer is infected with a ton of nastiness, when in fact the only infection is the fake alert itself. Typically these programs ask consumers to pay between $25 and $100 to activate the software (stopping the popups). Unfortunately this also leaves the computer infected and under the control of the malware writer.
The Early Days of Fake Alert Infections
In early 2009, removing these infections became a profit center for many computer repair shops. Simply rebooting in Safe Mode, installing a free scanning program, and removing the infection was all that was needed to earn an hour of labor and seed a security software sale.
As the year progressed, however, these infections became more advanced. Most of today’s fake alert infections run in both regular and safe mode, and will actively thwart any installation of common security or scanning software.
Fake Alert Infections are Smart, but not too Smart
Although the fake alert infections are getting smarter, they are still only programmed with a fixed set of “detections” designed to kill the process of installing security software. Much like the early days of anti-virus software, fake alert infections do not scan for types of activity – they scan for specific files, processes, and events.
In my service center we use MalwareBytes to remove many infections. In our opinion it is much more thorough than Spybot and it doesn’t have all of the annoying extras like the resident shield that complicate advanced malware removal.
There are some specific steps you can take to make certain that you have the tools in your shop, car, or briefcase to thwart any fake alert infection, as long as you come prepared.
How To Defeat Fake Alert Defenses
- First, you are going to need a blank CD. Your flash drive won’t work for this procedure because newer fake alert infections prevent the installation of new storage devices. When you plug in your drive, the infection will block its installation.
- Next, download a copy of MalwareBytes and save it on your desktop. Rename the installer to some name other than its default. Many of the newer infections will scan for the name of the installer and kill it when it is found.
- After you have renamed the MalwareBytes installer, you need to download the latest MalwareBytes detections. It is common practice for infections to block access to update servers, so having the latest detections on hand is essential to a complete removal.
- Now burn the files to your CD and reboot the infected computer into Safe Mode (this is more a safety step than anything else – Safe Mode is the safest possible environment for removing infections) and disconnect its internet connection.
- Install MalwareBytes on the infected computer from your CD. After the installation completes you will most likely receive an error message. That is the infection killing the MalwareBytes updater.
- Double click on the detections file you downloaded to install it. Disregard any error messages.
- Re-launch MalwareBytes and check that the detections date is the current date under the Update tab.
- Run a Quick Scan – not a thorough scan. Some infections will detect a scan in progress after some time and kill it. Go for the quick scan and, after it finds a few infections, stop the scan, clean the results, reboot and repeat. Once your Quick Scan comes back clean, do a thorough one afterward to ensure a complete removal.
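The kit-preparation steps above (rename the installer, add the definitions file, burn both to CD) can be scripted on the clean workstation. The following is an added example, not part of the original article or any MalwareBytes tooling: it copies the two downloads into a staging folder under a random installer name and records SHA-256 hashes so the burned disc can be checked before it leaves the shop. The function names and the manifest.json file name are assumptions made for this example.

```python
import hashlib
import json
import secrets
import shutil
from pathlib import Path

MANIFEST = "manifest.json"  # assumed name for the hash list written to the kit


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large installers are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stage_kit(installer: Path, definitions: Path, staging: Path) -> dict:
    """Copy both files into `staging` and record their SHA-256 hashes.

    The installer gets a random name (extension kept so it still runs);
    the definitions file keeps its name, as in the steps above.
    """
    staging.mkdir(parents=True, exist_ok=True)
    renamed = f"{secrets.token_hex(4)}{installer.suffix}"
    manifest = {}
    for source, target in ((installer, renamed), (definitions, definitions.name)):
        shutil.copyfile(source, staging / target)
        manifest[target] = {"original": source.name,
                            "sha256": sha256_of(staging / target)}
    (staging / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_kit(folder: Path) -> list:
    """Return the names of files that are missing or no longer match."""
    manifest = json.loads((folder / MANIFEST).read_text())
    bad = []
    for name, entry in manifest.items():
        path = folder / name
        if not path.is_file() or sha256_of(path) != entry["sha256"]:
            bad.append(name)
    return bad
```

Burn the staging folder, then run verify_kit against the disc's drive path on the clean machine; an empty list means the copies on the CD match what was downloaded.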
Preventing Reinfection – IMPORTANT
We are in a service business, so it is important to realize that even though we have removed the infections, our customer will not be very happy with us if they get reinfected tomorrow. In fact, they will probably accuse you of not doing your job the first time!
Most fake alert infections come from the following:
- Pornographic Websites
- Infected Torrents
- Free *anything* websites
- Websites about music lyrics
- Search Engines displaying infected websites within results for currently hot topics
The bottom line is that if your customer got infected once, it is because of their Internet habits. That means they will get infected again.
I strongly recommend to all of my customers that they install Norton 360 after recovering from a fake alert infection.
There is honest debate among technicians about which anti-virus software is better. There is a valid argument that can be made that AVG is better because it is free. In my service center we warranty our customers against reinfection when we remove malware *if* they install Norton 360.
We use it because things don’t bounce back under warranty with infections. I can honestly say that people using AVG – especially high-risk users – get reinfected constantly.
This is a SERVICE industry, so I would rather recommend a product that I know is going to work rather than get a high five for saving my customer some money up front so they can pay me again in the future.
What are your opinions on preventing reinfection?


