First, don’t click on any emails claiming to be an update from MSN or Microsoft.  MSN/Microsoft never sends emails about a “Free Update”.  If you want to update your PC *always* go to Microsoft.com (NEVER click on any links in an email offering windows updates).

Next, I did click on this link through one of my clean Virtual Machines.  Let’s see what happens, let us observe the path to infection!

1.  I received an email to my personal business account.  Spam Assassin does not recognize it as spam and lets it on through.

2.  I click on the link.  I can see the link takes me to a .swf (a flash file) hosted at imageshack.com.

3.  As soon as the .swf loads (almost instantly)  I am prompted to download install.exe.  I choose to open the file (pretending I am non-suspecting user seeking a windows update).

4.  We are now presented with a license agreement for AntiVirus XP 2008 which we can only agree to.

5.  As soon as I agree, Antivirus XP 2008 is loaded almost instantly.

6.  Oh WOW!  2506 infections on a clean PC!  Obviously a complete lie designed to scare people.

7.  …and if I try to uninstall it…oh, what a shock!  The uninstaller crashes.

8.  Well, I guess I’ll just remove those viruses.  When I click the remove viruses button I’m sent to a website to purchase this fake antivirus program for $49.95.

Not only will I lose $49.95, but I’ll also give up my identity to a international ring of thieves!!!

Tom Fergunsan called me and asked for an appointment ASAP. He said he was being inundated with popups saying that he had no Antivirus (he did, AVG Antivirus 8.0) and that he needed to purchase Vista Antivirus 2008. Obviously, this is Rogue Antivirus (fake Antivirus) designed to coerce users into paying for it and then stealing their identity (names and credit card numbers).

Vista Antivirus 2008 is fake! Do not purchase it. If you did purchase this don’t bother asking for a refund, you’re better off canceling that credit card number.

You can remove Vista Antivirus 2008 with a couple of free applications (via on-demand scans):

1. MalwareBytes Anti-Malware 1.20 manual scan removes Vista Antivirus 2008
2. SuperAntiSpyware manual scan removes Vista Antivirus 2008
3. Spyware Doctor with Antivirus automatically removes Vista Antivirus 2008

Looks pretty convincing huh? This is what I got when I typed in malwarebytes.org.

This is SpyGuarder, a rogue antivirus program loaded and advertised via Virtumonde. SpyGuarder is fake antivirus (rogue antivirus). Never pay for this application. If you paid for SpyGuarder I would really recommend that you cancel your credit card and watch your credit in general (because you’ve just handed your credit card over to a pack of thieves).

You can remove SpyGuarder with a few applications

1. Spyware Doctor with Antivirus (removes spyguarder and all virtumonde infections)
2. MalwareBytes AntiMalware (removes spyguarder and some virtumonde infections)
3. MalwareBytes RogueRemover (removes spyguarder only)

AdvancedXPFixer (Advanced XP Fixer) is rogue anti-malware. Do not download this application or pay for it…it’s a FAKE application. AdvancedXPFixer is usually loaded via a Virtumonde infection or a malvertised site.

I personally used Spyware Doctor with AntiVirus to remove it, but I suppose you could also use MalwareBytes Anti-Malware (or their rogue remover).