Monday, May 2, 2011

How to Block Fast Windows Antivirus 2011 Annoyances

Anybody who’s a big fan of Google Image Search has probably noticed a major nuisance lately: The fake Fast Windows Antivirus 2011 scan. In the past couple of weeks this annoyance has become more prevalent while searching for images that would otherwise be safe to view. Many people want to know how to stop it from showing up or how to get rid of it altogether.

The fake scan has been causing panic in one of two ways among those who don’t understand exactly what’s happening:
  1. Some people believe this is a real scan and panic, thinking that their computer is infected with multiple viruses (and might end up clicking on the provided link to install antivirus software).
  2. Others immediately recognize this as a fake but worry that a virus is being loaded onto their computer anyway.
Here’s how you end up in this situation: First, you do a Google Image Search and results are shown; you click an image to see a preview and, since Google loads the full web page in the background, the page is redirected to http://avar-antivirus.cz.cc which triggers a browser alert. The alert looks like this:

All other tabs in that browser window are disabled; your choices are to minimize/maximize the browser window or click OK. Clicking OK here is safe, as we will discuss later.

You are then redirected to a page with the title “Fast Windows Antivirus 2011” which features a fake Windows Explorer window, and a fake progress bar counts its way from 0 to 100%. Along the way, multiple “viruses” appear in the progress window.

When it’s done, the webpage prompts you with a fake Windows Security Alert that features two actions: Remove all and Cancel. Clicking either will prompt you to download an executable file which is a virus.

 
At this point you should either navigate back by three or more pages or close the browser tab. Doing so will trigger yet another alert which looks like this:

In this case, clicking OK is also safe.

The end result is that no harm will come to your computer unless you install that executable file, which you must be prompted to do. As long as you don’t authorize that installation, your computer is uninfected. However, it’s a serious nuisance. I decided to take a closer look at the source code to figure out what’s happening here.

The initial popup does this:

window.resizeTo(0,0);
window.moveTo(width1,height1);

alert('Windows Security has found  critical process activity  on your PC and will perform fast scan of system  files');

It resizes your browser window to 0 by 0 pixels, moves it, and triggers a standard alert with the above text. Your only choice is to click OK, but there is no consequence; it just allows the browser to proceed. At this point, whether immediately or hours later, you can navigate away from the page without damage being done to your computer.

Why is this happening?

The group behind this most likely has a web crawler which checks Google Image Search for popular pictures, archives them, and then reposts them across several domains (the most common one I’ve seen is ichthus.org) so that your search results are clogged with dozens of these images that send you to the fake virus scan page.

What can you do?

The very first thing you can do is navigate away from this page, but the most important thing you should do is avoid installing that executable file.

However, there’s more; you can block this website altogether so that attempts to load this page will show a browser error, like this:



This way your browser won’t be resized, you won’t have to deal with the redirects taking you back to the page, viruses trying to install, etc. You do so by adding a line to the hosts file on your computer. Here’s how it’s done:

In Windows:
  • With Notepad, open the hosts file found here: C:\windows\system32\drivers\etc\hosts
  • Move the cursor to the bottom line and enter this text:
127.0.0.1 avar-antivirus.cz.cc
  • Now save the file.

In Mac OS X:
  • Open the Terminal (found in the Applications/Utilities folder)
  • Type sudo nano /private/etc/hosts
  • Move the cursor down to the bottom line and enter this text:
127.0.0.1 avar-antivirus.cz.cc
  • Now hit CTRL+X and press Y to save the changes.

Both methods perform the same action in different operating systems. Now when your computer tries to load avar-antivirus.cz.cc, it’ll send your browser to 127.0.0.1, the loopback address that points back at your own computer. Unless you run a web server locally, nothing answers there, so instead of the fake virus scan you’ll just get the harmless error.

This method is a temporary fix; most likely this group will begin redirecting you to other domains. When this happens, you can use this same method to block the new domain as well. Hopefully soon something more permanent will be done about this issue.
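Since the block has to be repeated for each new domain, here is the same hosts-file edit as a repeatable script. This is an added example, not part of the original post: the function names `is_blocked` and `block_host` and the `HOSTS_FILE` variable are made up for illustration, and the default path is the Mac OS X one from the steps above.

```shell
#!/bin/sh
# Added example: add "127.0.0.1 <host>" lines to a hosts file without duplicates.
# HOSTS_FILE is an assumed variable name; it defaults to the Mac OS X path above.
HOSTS_FILE="${HOSTS_FILE:-/private/etc/hosts}"

# is_blocked HOST: succeeds if an active (uncommented) line already names HOST.
is_blocked() {
    awk -v h="$1" '
        { sub(/#.*/, "") }    # ignore comments
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(h)) found = 1 }
        END { exit found ? 0 : 1 }
    ' "$HOSTS_FILE"
}

# block_host HOST: returns 0 = entry added, 1 = already present, 2 = invalid name.
block_host() {
    host=$1
    # The hosts file takes bare hostnames, not URLs: reject anything with
    # characters other than letters, digits, dots and hyphens.
    case $host in
        ''|*[!A-Za-z0-9.-]*|.*|*.|-*) return 2 ;;
    esac
    if is_blocked "$host"; then return 1; fi
    # Keep one backup of the file as it was before the first change.
    [ -e "$HOSTS_FILE.bak" ] || cp -p "$HOSTS_FILE" "$HOSTS_FILE.bak"
    # Make sure the new entry starts on its own line.
    if [ -s "$HOSTS_FILE" ] && [ -n "$(tail -c 1 "$HOSTS_FILE")" ]; then
        printf '\n' >> "$HOSTS_FILE"
    fi
    printf '127.0.0.1 %s\n' "$host" >> "$HOSTS_FILE"
}

# Usage: sudo sh block_hosts.sh avar-antivirus.cz.cc [more-hosts...]
for h in "$@"; do
    block_host "$h" && echo "blocked $h" || echo "skipped $h (rc=$?)"
done
```

A hosts entry matches only the exact hostname on the line, so a variant such as a www. prefix needs its own entry.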

18 comments:

  1. Thank you very much for posting this.

  2. Finally! Thank you so much, I was losing my mind with this horrible site...

  3. Nice blog. Thanks for sharing the information.

  4. Perfect!!! What I can say is this article is very important to be written as it may help everybody to get awareness. Good job done.

  5. This comment has been removed by a blog administrator.

  6. My brother has this problem. I am glad I found this. I will try it tonight.

  7. thanks... really helpful reading :)
