There is a fake antivirus program called “Antivirus Security Pro” that takes screenshots and webcam pictures to scare you into paying for a “license” for the malware itself.
The program disguises itself as a free antivirus scan. The scan from this criminal decoy falsely reports that you are infected with several malware packages, displaying results like this:
Experienced IT professionals would boot into Safe Mode to remove the listed viruses. However, all of Microsoft’s Advanced Boot Options (Safe Mode, Safe Mode with Networking, Safe Mode with Command Prompt, Directory Services Restore Mode, and so forth) are blocked. No matter which boot option you choose, the computer returns to normal mode with the same files flagged.
If that isn’t clever enough, it scares you into purchasing the software with a webcam photo or a screenshot. If you don’t pay to “activate” this ransomware, it warns you that a process is trying to send a picture from your webcam to an unidentified source, and that the only way to stop this is to activate “Antivirus Security Pro”. To really frighten its victims, the program displays a warning with a webcam picture like this one (that is one handsome victim):
I did not see any evidence of my beautiful mug shot being sent out. The only network traffic I observed with Wireshark was the malware trying to download its own components.
Check whether your antivirus software already has this malware in its definition list. If it does, the real-time / web security feature will block it before you are infected. If you have that feature turned off, which some gamers do, a complete system scan should fix the problem.
If you have to remove this infection manually, here are some tips. The malware disables System Restore but does not delete existing restore points, so by re-enabling System Restore you can roll back to an earlier restore point. To turn on System Restore: click Start > right-click Computer > select Properties > click System Protection > select your OS drive (typically C:) > click Configure > check “Restore system settings and previous versions of files.” Rolling back only reverts the registry entries. That means after you reboot you will have to manually delete the following files:
- %CommonAppData%\"random name"\
- %CommonAppData%\"random name"\DD1
- %CommonAppData%\"random name"\"random name".exe
- %CommonAppData%\"random name"\"random name".exe.manifest
- %CommonAppData%\"random name"\"random name".ico
- %CommonAppData%\"random name"\"random name"kassgxDq.in
- %CommonAppData%\"random name"\"random name"kassgxDq.lg
In Windows XP, %CommonAppData% = C:\Documents and Settings\All Users\Application Data\
In Windows Vista/7/8, %CommonAppData% = C:\ProgramData\
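Because the directory and file names are random, you cannot search for them by name; you have to search for the layout. The script below is an added example, not part of the original post, that walks the immediate subdirectories of %CommonAppData% and scores each one against the listing above: DD1 plus a consistent random prefix on the .exe, .exe.manifest, .ico, kassgxDq.in and kassgxDq.lg files. It assumes the random prefix is shared across those five files (as the listing implies) and reads %CommonAppData% from the ProgramData environment variable, so on XP you pass the Documents and Settings path yourself. A benign install can legitimately contain an .exe, .exe.manifest and .ico with the same stem, so only the full layout, or any file carrying the kassgxDq tail, is reported. The sample tree it builds for the demo is constructed here and is not from the post.

```python
import os
import tempfile

# File-name tails from the listing, longest first so ".exe.manifest"
# is tested before ".exe".
SUFFIXES = (".exe.manifest", ".exe", ".ico", "kassgxDq.in", "kassgxDq.lg")
FIXED_NAME = "DD1"
MIN_SCORE = 4  # .exe + .exe.manifest + .ico alone (3) is normal for an installed app


def common_appdata():
    """Resolve %CommonAppData% for Vista/7/8 from the environment, falling back
    to the path given in the post. XP users pass their path to find_candidates."""
    return os.environ.get("ProgramData") or r"C:\ProgramData"


def classify(filename):
    """Return (random_prefix, suffix) if filename ends in a listed suffix, else None."""
    lower = filename.lower()
    for suffix in SUFFIXES:
        if lower.endswith(suffix.lower()):
            return filename[: len(filename) - len(suffix)], suffix
    return None


def score_directory(path):
    """Count listed artifacts in one directory. Prefixed files only count when
    they share one random prefix (assumption: same prefix on all five files).
    Returns (score, matched_names)."""
    try:
        entries = os.listdir(path)
    except OSError:
        return 0, []
    by_prefix = {}
    for entry in entries:
        hit = classify(entry)
        if hit and os.path.isfile(os.path.join(path, entry)):
            prefix, suffix = hit
            by_prefix.setdefault(prefix, set()).add(suffix)
    matched = []
    if by_prefix:
        # Take the prefix that explains the most files in this directory.
        prefix, suffixes = max(by_prefix.items(), key=lambda kv: len(kv[1]))
        matched = [prefix + s for s in SUFFIXES if s in suffixes]
    if os.path.exists(os.path.join(path, FIXED_NAME)):
        matched.append(FIXED_NAME)
    return len(matched), matched


def is_suspicious(score, matched):
    """The kassgxDq tails are specific to this listing; anything else must show
    the full layout so ordinary vendor directories are not flagged."""
    return score >= MIN_SCORE or any("kassgxDq" in m for m in matched)


def find_candidates(root=None):
    """Scan each immediate subdirectory of root (default: %CommonAppData%)."""
    root = root or common_appdata()
    found = []
    try:
        names = os.listdir(root)
    except OSError:
        return found
    for name in sorted(names):
        path = os.path.join(root, name)
        if os.path.isdir(path):
            score, matched = score_directory(path)
            if is_suspicious(score, matched):
                found.append((path, matched))
    return found


def build_sample_tree(base):
    """Constructed sample tree (not from the post): one directory with the full
    listed layout and one benign-looking vendor directory. Returns the bad path."""
    bad = os.path.join(base, "x7q9z")
    os.makedirs(bad)
    for name in ("DD1", "x7q9z.exe", "x7q9z.exe.manifest", "x7q9z.ico",
                 "x7q9zkassgxDq.in", "x7q9zkassgxDq.lg"):
        open(os.path.join(bad, name), "wb").close()
    good = os.path.join(base, "Vendor")
    os.makedirs(good)
    for name in ("vendor.exe", "vendor.exe.manifest", "vendor.ico"):
        open(os.path.join(good, name), "wb").close()
    return bad


def demo():
    """Build the sample tree in a fresh temp directory and scan it."""
    root = tempfile.mkdtemp()
    bad = build_sample_tree(root)
    return root, bad, find_candidates(root)


if __name__ == "__main__":
    # Replace demo() with find_candidates() (or find_candidates(r"C:\...")) on a live box.
    _, _, hits = demo()
    for path, matched in hits:
        print(path)
        for name in matched:
            print("   ", name)
```

The script only reports; delete the directory by hand once you have confirmed the hit, since a false positive here would remove a legitimate program's data directory.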