ATTENTION! If your computer is struck by the spyware, you could suffer

…from all sorts of bad things. We know.

However, you may be seeing this mis-spelled message, which has changed a little bit over the past few months:
“ATTENTION! If your computer is struck by the spyware, you could suffer data loss, erratic PC behaviour, PC freezes and creahes.”

By the spyware? Creahes? Who writes this stuff?

“Detect and remove viruses before they damage your computer!
Antivirus 2009 will perform a 100% FREE and quick scan of your computer for Viruses, Spyware and Adware.
Do you want to install Antivirus 2009 to scan your computer for malware now? (Recommended)”

Please be wary of this sort of scheme through the end of the year. A number of banner ads on very popular web sites have been redirecting users to sites serving up this garbage. This rogueware “Antivirus 2009″ ad in particular will re-direct your browser to a web site using only javascript to mis-represent a common online malware scan of your windows system. As we’ve discussed before and at Virus Bulletin (slides on flash here), this stuff will attempt to shock you with a number of malware detections that are not really present on your computer, coercing you to pay for phony AV software. They detect the make-believe “Spyware.IEMonster.b”, “Zlob.PornAdvertizer.Xplisit”, and “Trojan.Infostealer.Banker.s”, made-up names which unsurprisingly do not change:

This entry was posted in Online Fraud. Bookmark the permalink.

5 Responses to ATTENTION! If your computer is struck by the spyware, you could suffer

  1. Disk4mat says:


    “The spyware” to imply there is only one out there. If only, if only right?

  2. Kurt says:

    Hah, right!

  3. redmapleleaf says:

    This problem is a server side, not a client side. That is your computer is probably OK. My webserver has been infected with this problem and all my clients are suffering from it every time they connected to my website.

    Upon contacting my host, they were able to determine the problem which was in the .htaccess file. Some how this file was compromised on their server and start redirecting traffic to the site in Modova/Eastern Europe that you are seeing. Here is the content of the .htaccess file that responsible for this problem:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
    RewriteRule .* [R,L]

    I hope this could help somebody from too much suffering.

  4. ThreatFire Blogger says:


    Sorry to hear that your server was compromised, and thanks for posting that valuable information about htaccess.
    At the same time, the problem that is described in the post is a client issue. Your redirected site visitors unfortunately were coerced into downloading and running a file similar in name to “A9installer_880147.exe”, and then saw the problems described in the post on their system.

    Thanks again, and nice work cleaning up the issue on your site.

  5. Brad Peterson says:

    In my case, it was the Vundo malware.

    I first tried finding and removing it with AVG anti-virus, Spybot, Lavasoft Ad-aware, Microsoft Defender, Vundo removal tool, and Hijackthis. They did very little finding it or giving me clues on how to remove it.

    I then tried Malwarebytes’ Anti-Malware, and that found a lot more, but not enough.

    The fix came from SuperAntiSpyware. That was far and away the best tool to find this bugger and remove it for good.

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>