Fake Malware Scanner Site Brings Popup to Mac and Windows

While’s malware Antivisus2009, etc probably cannot affect Macs, it is best to avoid any risk by using the COMMAND-OPTION-ESC key combination to effect a FORCE QUIT of Safari when a malware scanner popup appears. Don’t click on the popup, don’t click on the OK button, and don’t click on the CANCEL button. More Windows information below.

What does a malware popup look like? Screen shots show the popup and the FORCE QUIT APPLICATION window that allows users to quit Safari without engaging the antimalwarescanner website. This popup appeared on a Mac on February 5, 2009. If you use Windows, press CTRL + ALT + DELETE to open your Task Manager, and click “End Task.”

Norton Safe Web Alert for &

The websites mentioned above are possibly from Luxembourg and distribute fake scanner malware. The websites are associated with distribution of MS Antivirus, also known as XP Antivirus; Vitae Antivirus; Windows Antivirus; Win Antivirus; Antivirus Pro; Antivirus Pro 2009; Antivirus 2007, 2008, 2009, 2010, and 360; System Antivirus; Vista Antivirus; AntiSpywareMaster; and XP AntiSpyware 2009, is a scareware rogue anti-virus which claims to remove bogus virus infections found on a computer running Microsoft Windows if a user purchases the full version of the software. More on possible criminal connections of American citizens with these websites, below.

Windows Users
MS Antivirus is known to infect users using the Microsoft Windows operating system, and is browser independent. MS Antivirus is made to look professional and functional to fool a computer user into thinking that it is a real anti-virus system in order to convince the user to “purchase” it. In a typical installation of Antivirus 2009 or MS Antivirus, the malware runs a scan on the computer and gives a false spyware report claiming that the computer is infected with spyware. Once the scan is completed, a warning message appears that lists the spyware ‘found’ and the user has to either click on a link or a button to remove it. Regardless of which button is clicked — “Next” or “Cancel” — a download box will still pop up. This deceptive tactic is an attempt to scare the Internet user into clicking on the link or button to purchase MS Antivirus, Antivirus 2009 or malware with other names. If the user decides not to purchase the program, then they will constantly receive pop-ups stating that the program has found infections and that they should register the antimalware in order to fix infection. This type of behavior can cause a computer to operate slower than normal. The infection affects the Windows registry.

Most variants of this malware will not be overtly harmful, as they usually will not steal a user’s information (as spyware) nor critically harm a system (bring a complete shutdown or erase hard drive data). However, the malware will act to inconvenience the user by frequently displaying popups that prompt the user to pay to register the software in order to remove non-existant viruses. Some variants are more harmful; they display popups whenever the user tries to start an application or even tries to navigate their hard drive, especially after they restart their computer. It does this by modifying the Windows registry. It can also disable real antivirus programs to protect itself from removal. Whichever variant infects a computer, MS Antivirus always uses system resources when running, potentially making an infected computer run slower than before infection.

The malware can also block access to known spyware removal sites and in some instances, searching for “antivirus 2009” (or similar search terms) on a search engine will result in a blank page or an error page. Some variants will also redirect the user from the actual Google search page to a false Google search page that states that the user has a virus and should get Antivirus 2009 with a hotlink to the malware’s distribution/registration page.

MS Antivirus (Antivirus 2009) is constantly updated and re-released to prevent detection by common anti-virus scanners.

AntiVirus2009 can also disable a user’s antimalware programs and prevent the user from opening or re-enabling them. Antimalware applications disabled by AntiVirus2009 include McAfee, Spybot – Search & Destroy, AVG and Superantispyware.

How Criminals Gain by Annoying Users and the Criminal Charges
Innovative Marketing, Inc. is the company being investigated by the FTC with allegations that Innovative Marketing, Inc. is behind the malware deception. Criminals involved in the malware scheme gain income by charging $39.95 or more to people duped into believing registration for full versions of software would rid their computers of the malware that (1) didn’t exist and then (2) DID exist after a click on a popup caused download of malware that slowed down the user’s computer and caused even more annoying popups to appear.

MyGeek (an Internet advertising agency) and advertising partners were victims as the ads displayed by distributors of the malware contained autodownload commands that placed malware on user’s computers without their consent.

Innovative Marketing, Inc. is also accused of creating sham Internet advertising agencies (Burn Ads, Preved Marketing, AdTraff, NetMediaGroup, and Uniqads) that offered to purchase ads on legitimate company websites, such as, FrontGate,, and OxFam International (an anti-poverty charity). Innovative Marketing, Inc. is accused of using a technique of blocking their suspicious ads from IP addresses where legitimate companies, such as Priceline, would review ads from the advertising agency. Executives of innocent companies would approve different ads — having never seen the suspicious malware ads.

Don’t Blame Your Favorite Website!
A similar method of deceptive Internet address techniques also apparently resulted in Innovative Marketing, Inc. ads directing visitors of websites, such as Major League Baseball (, the National Hockey League (, The Economist Magazine (, the National Associaton of Realtors (,, E-Harmony Dating Site ( and more to cause bogus Internet scans, alerts and autodownloads. The redirection and popups could occur without users even clicking on any ad banners. The malware popup can appear while a page is idle or while a user switches to another page or website.

Affiliate networks are also duped when the malware causes false clicks that earn affiliates money for each click.

According to an FTC complaint, two companies are charged in the case – Innovative Marketing, Inc. and ByteHosting Internet Services, LLC – they operate using a variety of aliases and maintain offices in various countries. Innovative Marketing is a company incorporated in Belize that maintains offices in Kiev, Ukraine, Argentina and India. ByteHosting Internet Services is based in Cincinnati, Ohio. Individuals named in the charges are James Reno (ByteHosting — website temporarily unavailable as of Feb. 5, 2009), Sam Jain (CEO Innovative Marketing), Daniel Sundin (Innovative Marketing), Marc D’Souza (Innovative Marketing,), Maurice D’Souza (related to Marc), and Kristy Ross (Innovative Marketing).

On December 2, 2008 the U.S. District Court for the District of Maryland issued temporary restraining against Innovative Marketing, Inc. (FTC v. Innovative Marketing, Inc. case info) and ByteHosting Internet Services, LLC after receiving a request from the Federal Trade Commission (FTC). According to the FTC, the combined malware of WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus has fooled over one million people into purchasing the software marketed as security products. The court also froze the assets of the companies in an effort to provide some monetary reimbursement to affected victims. The FTC established claims that the companies established an elaborate ruse that duped Internet advertising networks and popular Web sites into carrying their advertisements.

What to Do If You See A Malware Popup
If you’re faced with any of the warning signs of a scareware scam or suspect a problem, shut down your browser. Don’t click “No” or “Cancel,” or even the “x” at the top right corner of the screen (Windows) or the red circle at the top left (Mac). Some scareware is designed so that any of those buttons can activate the program. If you use Windows, press Ctrl + Alt + Delete to open your Task Manager, and click “End Task.” If you use a Mac, press Command + Option + Esc to “Force Quit.”

If you get an offer, check out the program by entering the name in a search engine. The results can help you determine if the program is on the up-and-up. But if you are already infected, you may be directed to sites that cause more harm and you may not even see the sites that can help you.

Good Security Practices
Malware can be a minor annoyance, but usually leads to a major slow down of computers. Malware can also come in the form of keyloggers and “bots” or even programs that can be set by organized criminal gangs to coordinate multiple attacks of computers of major companies or the government. For example every infected computer with the right “bot” can be signaled to attack a major server of importance to the government or the economy. These DoS or Denial of Service attacks can cause a computer resource to become unavailable to its intended users. Target sites include credit card payment gateways, banks, and the Pentagon. They have even been used in acts of revenge to attack host companies that contain services that fight e-mail spam.

Check that your security software is active and current: at a minimum, your computer should have anti-virus and anti-spyware software, and a firewall. You can buy stand-alone programs for each element — or a security suite that includes these programs — from a variety of sources, including commercial vendors and your Internet Service Provider. The security software that was installed on your computer when you bought it generally works for just a short time — unless you pay a subscription fee to keep it in effect. Visit for a list of security tools from legitimate security vendors selected by GetNetWise, a project of the Internet Education Foundation.

Make it a practice not to click on any links within pop-ups.

Report possible fraud online at or by phone at 1-877-FTC-HELP. Details about the purchase — including what website you were visiting when you were redirected — are helpful to investigators.

Visit to learn more about protecting your computer from bugs, viruses and scammers.

The FTC enters consumer complaints into the Consumer Sentinel Network, a secure online database and investigative tool used by hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.


  1. But what if you clicked on the red circle (mac) to get rid of it and activated it? I couldn’t get Safari to quit after that, until I clicked “OK” to get out of it. I couldn’t restart my computer or anything without finally clicking “OK” once I tried to get rid of it the other way. Ugh.

    So what do I do? What can happen?

  2. Most likely it is not activated because it is software that is made to work on a Windows PC, so on the Mac it would just sit inactive on your Mac’s hard drive. For peace of mind, you can download MacScan 2.6 from (official site) and follow instructions for security check.

    The software will find a lot of cookies for sure. But it should also alert you and help you quarantine anything more harmful.

  3. PS … you can then periodically check your Mac with MacScan. In the preferences you can set MacScan to clean your preferred browser(s).

  4. What if you are a window’s user and the browser was not shut down correctly (OK, cancel or the x was clicked instead). Now the pop up comes up dozens of a times a day. McAfee reports that the virus is on the computer, but states that it cannot clean it. How do we deal with that situation?

  5. What if you’re a window’s user and the pop-up wasn’t shut down correctly? When I run the Norton 360 scan, it shows that there are no threats. Should I trust that?

Comments are closed.