Karlonia.com
For Gold, Peace, and Freedom

Karlonia.com

Antivirus Scam Warning: VirusIsolator

July 8th, 2008

virusisolator.jpgMy brother, who runs a computer repair business, reported earlier today that one of his customer’s computers had been infected by a fake antivirus program called VirusIsolator (also spelled as Virus Isolator). After doing some research on this rogue program, I found out that some users are having it installed on their systems through Trojans such as Zlob or Vundo, although many others are simply being fooled into downloading the free “online security scaner” from the website VirusIsolator.com.

After someone runs a scan, the program will display several pre-written fake virus alerts regardless of the actual condition of the user’s system. Here is a screenshot of what these false reports look like:

virusisolator-screenshot.jpg

The program will then use various advertising methods and fake alert messages to trick users into purchasing the full version of VirusIsolator. However, even after someone purchases the full version, the program does not actually remove any viruses or malware from computer systems; it is simply a scam designed to separate fools from their money and show them a little adware as a side benefit.

Fortunately the website reveals several clues indicating to savvy users that the program is likely not legitimate. The first paragraph of text content on the home page reads:

WHAT IS SPYWARE / MALWARE?

SpyWare is part of an overall public concern about privacy on the Internet2. Spyware collects your private information, and reports it to advertising providers, who will show you tremendous amount of advertising beyond your control. How Virus Isolator can help you?

So let’s see…we have an obvious typo (Internet2), an unnecessary comma, and an awkwardly worded last sentence (the word can should be placed before “Virus Isolator” not after it). These kinds of errors are a clue that something is amiss because a professional, legitimate company would at least take the time to proofread their own home page and clean up these kinds of obvious mistakes before releasing their product to the public. As if this wasn’t enough, the last question of the FAQ section provides another comical display of their questionable English skills:

Q: Why do you ask for time-based payments?
A: We are the professionals. We are the warriors. We fight against spyware and adware that try to invade your privacy, steel your money and data. This is hard work. We collect and examine hundreds of new threats every month. Now our database counts 6106 most widely spread spyware viruses. Your payments help it growing and make you even more protected.

Meanwhile, their order page (/buy.php) gives away another little tidbit of information. Under the heading “Satisfaction Guaranteed”, they refer to themselves as “SpywareIsolator”, not VirusIsolator. This is not just another instance of mangled English — it turns out that this site is actually a clone of SpywareIsolator, another known scam program. These scammers were so sloppy that they forgot to remove the reference to their previous scam! Yet somehow people are still dumb enough to download this stuff and even give away their credit card information to these folks– ouch!

VirusIsolator Removal

Now that we have figured out that this program is a scam, if you happen to be one the poor fools victims that managed to end up with VirusIsolator on your PC, there are steps that you can take to remove it and get rid of that annoying adware. First of all, you can go to Start >> Control Panel >> Add/Remove Programs and uninstall it from there. Additionally, you can search for remnants of the program that may be left on your system and delete these manually. Here are the program’s known files, directories, and registry entries as reported by other users and antispyware sites:

VirusIsolator Files:

  1. uninstall.exe
  2. virusisolator.exe
  3. virusisolator_1.exe
  4. %desktopdirectory%\virusisolator.lnk
  5. %program_files%\virusisolator\uninstall.exe
  6. %program_files%\virusisolator\zlib.dll
  7. %programs%\virusisolator\uninstall.lnk
  8. %programs%\virusisolator\virusisolator.lnk
  9. %program_files%\virusisolator\virusisolator.exe
  10. %program_files%\virusisolator\vscan.tsi
  11. %program_files%\virusisolator\zlib.dll
  12. %program_files%\virusisolator\virusisolator.exe
  13. %program_files%\virusisolator\uninstall.exe

DLL Files:

  1. %program_files%\virusisolator\zlib.dll

Directories:

  1. %program_files%\virusisolator
  2. %program_files%\virusisolator\infected
  3. %program_files%\virusisolator\suspicious
  4. %programs%\virusisolator

Registry Entries:

  1. HKEY_CURRENT_USER\software\virusisolator
  2. HKEY_CURRENT_USER\software\virusisolator autorun
  3. HKEY_CURRENT_USER\software\virusisolator basesversion
  4. HKEY_CURRENT_USER\software\virusisolator checkforupdates
  5. HKEY_CURRENT_USER\software\virusisolator coreversion
  6. HKEY_CURRENT_USER\software\virusisolator id
  7. HKEY_CURRENT_USER\software\virusisolator lastscandate
  8. HKEY_CURRENT_USER\software\virusisolator lastscantime
  9. HKEY_CURRENT_USER\software\virusisolator lastupdatedate
  10. HKEY_CURRENT_USER\software\virusisolator lastupdatetime
  11. HKEY_CURRENT_USER\software\virusisolator quickscanatstartup
  12. HKEY_CURRENT_USER\software\virusisolator registershellextension
  13. HKEY_CURRENT_USER\software\virusisolator scanarchives
  14. HKEY_CURRENT_USER\software\virusisolator scanfiles
  15. HKEY_CURRENT_USER\software\virusisolator scanmail
  16. HKEY_CURRENT_USER\software\virusisolator scanprocesses
  17. HKEY_CURRENT_USER\software\virusisolator scanregistry
  18. HKEY_CURRENT_USER\software\virusisolator startminimized
  19. HKEY_CURRENT_USER\software\virusisolator totalscans
  20. HKEY_LOCAL_MACHINE\software\microsoft\windows\
    currentversion\run virusisolator

  21. HKEY_LOCAL_MACHINE\software\microsoft\windows\
    currentversion\uninstall\virusisolator

  22. HKEY_LOCAL_MACHINE\software\microsoft\windows\
    currentversion\uninstall\virusisolator displayname

  23. HKEY_LOCAL_MACHINE\software\microsoft\windows\
    currentversion\uninstall\virusisolator nomodify

  24. HKEY_LOCAL_MACHINE\software\microsoft\windows\
    currentversion\uninstall\virusisolator norepair

  25. HKEY_LOCAL_MACHINE\software\microsoft\windows\
    currentversion\uninstall\virusisolator uninstallstring

  26. HKEY_LOCAL_MACHINE\software\microsoft\windows\
    currentversion\run virusisolator

Note that manually editing the registry is a rather complicated and risky process; most casual users should not attempt this unless they really know what they are doing. If you still think that you might be infected and are not comfortable with performing a manual removal process, you can use a registry cleaner like RegCure or a more legitimate antispyware tool such as XoftSpySE.


4 Responses to “Antivirus Scam Warning: VirusIsolator”

  1. comment number 1 by: jeric

    Nice informative post! Thanks for warning the public.

  2. comment number 2 by: D.L. Pompili

    neither recommended programs work on IE Anti Virus

  3. comment number 3 by: Marisol

    I am one of those FOOLS/Victims of this so called VirusIsolator. I actually purchased it and was never able to install and kept trying to contact them thru email and phone which I never was able to speak to anyone! When I would email them, to request my refund, they just kept saying they would only refund the money if I was not able to install the antivirus, and I said well,”I have been trying to contact you guys to get that help and never hear from you,” then they would ask for a number to contact me, and just never did! I had an idea of what was going on by the time I contacted them for the 10th time and then just never heard from them again, until last time I tried emailing them again and had a response email saying that the email was not located. So I figured what happened, I just dont know if I will be able to find them to get my money back…

  4. comment number 4 by: Marisol

    Do you think if this is a scam and I gave out my credit card information, they will keep charging stuff, and do you think there’s a way to find out how to get them and have my money back???

Post Your Comments, Opinions, or Suggestions Here:

Name

Email (optional)

Website (optional)