How to Block Fast Windows Antivirus 2011 Annoyances

Anybody who’s a big fan of Google Image Search has probably noticed a major nuisance lately: The fake Fast Windows Antivirus 2011 scan. In the past couple of weeks this annoyance has become more prevalent while searching for images that would otherwise be safe to view. Many people want to know how to stop it from showing up or how to get rid of it altogether.

The fake scan has been causing panic in one of two ways among those who don’t understand exactly what’s happening:

1. Some people believe this is a real scan and panic, thinking that their computer is infected with multiple viruses (and might end up clicking on the provided link to install antivirus software).
2. Others immediately recognize this as a fake but worry that a virus is being loaded onto their computer anyway.

Here’s how you end up in this situation: First, you do a Google Image Search and results are shown; you click an image to see a preview and, since Google loads the full web page in the background, the page is redirected to http://avar-antivirus.cz.cc which triggers a browser alert. The alert looks like this:

All other tabs in that browser window are disabled; your choices are to minimize/maximize the browser window or click OK. Clicking OK here is safe, as we will discuss later.

You are then redirected to a page with the title “Fast Windows Antivirus 2011” which features a fake Windows Explorer window, and a fake progress bar counts its way from 0 to 100%. Along the way, multiple “viruses” appear in the progress window.

When it’s done, the webpage prompts you with a fake Windows Security Alert that features two actions: Remove all and Cancel. Clicking either will prompt you to download an executable file which is a virus.

 

At this point you should either navigate back by three or more pages or close the browser tab. Doing so will trigger yet another alert which looks like this:

In this case, clicking OK is also safe.

The end result is that no harm will come to your computer unless you install that executable file, which you must be prompted to do. As long as you don’t authorize that installation, your computer is uninfected. However, it’s a serious nuisance. I decided to take a closer look at the source code to figure out what’s happening here.

The initial popup does this:

window.resizeTo(0,0);
window.moveTo(width1,height1);

alert('Windows Security has found  critical process activity  on your PC and will perform fast scan of system  files');

It resizes your browser window to 0 by 0 pixels and triggers a standard alert with the above text. Your only choice is to click OK, but there is no consequence; it just allows the browser to proceed. At this point, whether immediately or hours later, you can navigate away from the page without damage being done to your computer.

Why is this happening?

The group that is behind this most likely has a web crawler which checks Google Image Search for popular pictures, archives them, and then repeats them over several domains (the most common one I’ve seen is ichthus.org) so that your search results are clogged with dozens of these images that send you to the fake virus scan page.

What can you do?

The very first thing you can do is navigate away from this page, but the most important thing you should do is avoid installing that executable file.

However, there’s more; you can block this website altogether so that attempts to load this page will show a browser error, like this:

This way your browser won’t be resized, you won’t have to deal with the redirects taking you back to the page, viruses trying to install, etc. You do so by adding a line to the hosts file on your computer. Here’s how it’s done:

In Windows:

• With Notepad, open the hosts file found here: C:\windows\system32\drivers\etc\hosts
• Move the cursor to the bottom line and enter this text:

127.0.0.1 avar-antivirus.cz.cc

• Now save the file.

In Mac OS X:

• Open the Terminal (found in the Applications/Utilities folder)
• Type sudo nano /private/etc/hosts
• Move the cursor down to the bottom line and enter this text:

127.0.0.1 avar-antivirus.cz.cc

• Now hit CTRL+X and press Y to save the changes.

Both methods perform the same action in different operating systems. Now when your computer tries to load avar-antivirus.cz.cc, it’ll send your browser to 127.0.0.1 which is a local IP address with nothing attached to it. Instead of sending you to the fake virus scan, you’ll just get the harmless error.

This method is a temporary fix; most likely this group will begin redirecting you to other domains. When this happens, you can use this same method to block that URL as well. Hopefully soon something more permanent will be done about this issue. Follow @torqtorq