
Fake security software distributor mimics Google attack site warning

by Shanmuga

I usually don’t check my site statistics log every day, every week or even every month; I usually have an occasional glance to get a general idea of the browsers being used to access this site and where the visitors are coming from if I sense a spike in website traffic. Last night I was bored enough to browse the stats, when I found a number of visitors referred from a curious-looking URL: h**p://

Maybe a script to log the outgoing links?

Loading the link in the web browser threw up what looks like the warning Firefox shows when you visit a page that Google has flagged as an attack site… or does it? On closer inspection the differences between the original and the masquerader become clear. The appearance is deceptively close to the original Google warning: similar colour, logo and placement of the buttons. The text is different, though similar in tone. The link is actually an attempt to defraud people into buying fake security software.

Fake Google Warning (screenshot)

Original Google Warning (screenshot)

Clicking the “Continue Unprotected” button on the fake Google warning page loads the anti-spyware software download page on this website, while clicking the “Get security software” button loads the URL h**p://, a payment gateway page promoting a fake anti-virus product going by the name “Personal Antivirus“. The payment processor for this campaign is through

The block.php file is just an open redirect script: it will send the browser to any valid web page whose address is appended to the URL, along the lines of the following:

    h**p:// YOUR URL HERE
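That open redirect is the whole trick: the same script can bounce a victim to a scareware payment page or back to a legitimate site, so the referrer in a site owner’s log looks like a warning page. The Python below is an added illustration, not the scam site’s block.php (which is PHP): it shows a redirect handler with the same flaw beside a hardened one. The query parameter name `url`, the allow-listed hosts and the sample requests are assumptions; the page does not show the real parameter name.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hosts this site is willing to redirect to (constructed allow-list for the example).
ALLOWED_HOSTS = {"malwarehelp.org", "www.malwarehelp.org"}


def vulnerable_redirect_target(query: str) -> Optional[str]:
    """block.php-style behaviour (parameter name `url` is an assumption):
    whatever the query string says, that is where the browser is sent.
    Any site, any scheme, no checks."""
    params = parse_qs(query, keep_blank_values=True)
    return params.get("url", [None])[0]


def safe_redirect_target(query: str, allowed_hosts=ALLOWED_HOSTS, default: str = "/") -> str:
    """Hardened version: follow the redirect only to a same-site path or to an
    http(s) URL whose host is on the allow-list; otherwise land on `default`."""
    params = parse_qs(query, keep_blank_values=True)
    target = params.get("url", [None])[0]
    if not target:
        return default

    # Browsers treat "\" as "/" in URLs, so "/\evil.example" would parse here as a
    # relative path but be followed by the browser as "//evil.example". Normalise first.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)

    if not parts.scheme and not parts.netloc:
        # Relative reference. Require exactly one leading "/": "evil.example" and
        # "../x" are rejected, and so is "///evil.example", which urlsplit reports
        # with an empty netloc but browsers resolve as a scheme-relative host.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default

    if parts.scheme not in ("http", "https"):
        # javascript:, data:, and scheme-less "//host" (empty scheme) all end here.
        return default

    host = (parts.hostname or "").lower()
    # hostname drops any "user@" prefix, so "http://malwarehelp.org@evil.example/"
    # resolves to evil.example and is rejected; look-alike hosts are rejected too.
    return candidate if host in allowed_hosts else default


if __name__ == "__main__":
    # Constructed redirect requests, including the ones an attacker would try.
    samples = [
        "url=http://www.malwarehelp.org/anti-spyware/",
        "url=/download/",
        "url=http://evil.example/pa.php",
        "url=//evil.example/",
        "url=///evil.example",
        "url=/%5Cevil.example",
        "url=javascript:alert(1)",
        "url=http://malwarehelp.org@evil.example/",
        "",
    ]
    for q in samples:
        print(f"{q!r:45} vulnerable -> {vulnerable_redirect_target(q)!r:45} safe -> {safe_redirect_target(q)!r}")
```

The hardened function returns a path or an allow-listed URL and never the raw parameter, so the caller can pass the result straight to a Location header. Rejecting everything that does not match a short allow-list is the whole defence; trying to enumerate bad patterns (double slashes, backslashes, odd schemes) one by one is how redirect filters get bypassed.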

The domain is registered to one Sunil A Mittal, No. 13, 1st Avenue, Adyar, India, and hosted at an IP address that appears to be located in Berlin, Germany. That IP address seems to be a den of questionable websites, many of them involved in distributing fake security software and other unwanted software. Some of the domains associated with this IP are:


Domains directly associated with this scam


This is another case where the scammers exploit the visual recognition of brands like Google to channel victims from reputable sites to sites that push fake security software and collect their payment details.

Update (17 Apr 2009)

If you are infected with the “Personal Antivirus” rogue, the procedure below should help you get rid of it.

The free editions of Malwarebytes Anti-Malware and SuperAntiSpyware should remove this rogue security software.

  1. If Internet Explorer is hijacked, use an alternate browser like Firefox or Chrome to download and install either Malwarebytes Anti-Malware or SuperAntiSpyware from their official sites.
  2. Also download CCleaner.
  3. Boot into Windows Safe Mode.
  4. Run a scan with your chosen software. Tick all instances of the rogue security software and delete them.
  5. Turn System Restore off and then back on; switching it off deletes the existing restore points, which may hold copies of the rogue’s files.
  6. Install CCleaner and use it to scan for and clean the temporary files.

You should now be clean of this rogue.

If you still see symptoms associated with this rogue security software, please post your problem at one of the Recommended Online Forums for Malware Help.



jeremy April 16, 2009 at 10:46 AM

This thing is blocking everything. I have current Norton protection but it doesn’t help.
Any idea how to block this website?


Ashok April 16, 2009 at 2:25 PM

How to remove this?


Wayne April 17, 2009 at 3:09 AM

Need help removing this


Shanmuga April 17, 2009 at 12:14 PM

I have updated the post with generic removal procedure for the scareware. Hope this helps.


Jon S. April 19, 2009 at 1:44 PM

Yes. Thank the geniuses. These cleanup tips worked. The hack was the worst malware I ever encountered.

