Antivirus Scam Warning: VirusIsolator
July 8th, 2008
My brother, who runs a computer repair business, reported earlier today that one of his customer’s computers had been infected by a fake antivirus program called VirusIsolator (also spelled as Virus Isolator). After doing some research on this rogue program, I found out that some users are having it installed on their systems through Trojans such as Zlob or Vundo, although many others are simply being fooled into downloading the free “online security scaner” from the website VirusIsolator.com.
After someone runs a scan, the program will display several pre-written fake virus alerts regardless of the actual condition of the user’s system. Here is a screenshot of what these false reports look like:
The program will then use various advertising methods and fake alert messages to trick users into purchasing the full version of VirusIsolator. However, even after someone purchases the full version, the program does not actually remove any viruses or malware from computer systems; it is simply a scam designed to separate fools from their money and show them a little adware as a side benefit.
Fortunately the website reveals several clues indicating to savvy users that the program is likely not legitimate. The first paragraph of text content on the home page reads:
WHAT IS SPYWARE / MALWARE?
SpyWare is part of an overall public concern about privacy on the Internet2. Spyware collects your private information, and reports it to advertising providers, who will show you tremendous amount of advertising beyond your control. How Virus Isolator can help you?
So let’s see…we have an obvious typo (Internet2), an unnecessary comma, and an awkwardly worded last sentence (the word can should be placed before “Virus Isolator” not after it). These kinds of errors are a clue that something is amiss because a professional, legitimate company would at least take the time to proofread their own home page and clean up these kinds of obvious mistakes before releasing their product to the public. As if this wasn’t enough, the last question of the FAQ section provides another comical display of their questionable English skills:
Q: Why do you ask for time-based payments?
A: We are the professionals. We are the warriors. We fight against spyware and adware that try to invade your privacy, steel your money and data. This is hard work. We collect and examine hundreds of new threats every month. Now our database counts 6106 most widely spread spyware viruses. Your payments help it growing and make you even more protected.
Meanwhile, their order page (/buy.php) gives away another little tidbit of information. Under the heading “Satisfaction Guaranteed”, they refer to themselves as “SpywareIsolator”, not VirusIsolator. This is not just another instance of mangled English — it turns out that this site is actually a clone of SpywareIsolator, another known scam program. These scammers were so sloppy that they forgot to remove the reference to their previous scam! Yet somehow people are still dumb enough to download this stuff and even give away their credit card information to these folks– ouch!
VirusIsolator Removal
Now that we have figured out that this program is a scam, if you happen to be one the poor fools victims that managed to end up with VirusIsolator on your PC, there are steps that you can take to remove it and get rid of that annoying adware. First of all, you can go to Start >> Control Panel >> Add/Remove Programs and uninstall it from there. Additionally, you can search for remnants of the program that may be left on your system and delete these manually. Here are the program’s known files, directories, and registry entries as reported by other users and antispyware sites:
VirusIsolator Files:
- uninstall.exe
- virusisolator.exe
- virusisolator_1.exe
- %desktopdirectory%\virusisolator.lnk
- %program_files%\virusisolator\uninstall.exe
- %program_files%\virusisolator\zlib.dll
- %programs%\virusisolator\uninstall.lnk
- %programs%\virusisolator\virusisolator.lnk
- %program_files%\virusisolator\virusisolator.exe
- %program_files%\virusisolator\vscan.tsi
- %program_files%\virusisolator\zlib.dll
- %program_files%\virusisolator\virusisolator.exe
- %program_files%\virusisolator\uninstall.exe
DLL Files:
- %program_files%\virusisolator\zlib.dll
Directories:
- %program_files%\virusisolator
- %program_files%\virusisolator\infected
- %program_files%\virusisolator\suspicious
- %programs%\virusisolator
Registry Entries:
- HKEY_CURRENT_USER\software\virusisolator
- HKEY_CURRENT_USER\software\virusisolator autorun
- HKEY_CURRENT_USER\software\virusisolator basesversion
- HKEY_CURRENT_USER\software\virusisolator checkforupdates
- HKEY_CURRENT_USER\software\virusisolator coreversion
- HKEY_CURRENT_USER\software\virusisolator id
- HKEY_CURRENT_USER\software\virusisolator lastscandate
- HKEY_CURRENT_USER\software\virusisolator lastscantime
- HKEY_CURRENT_USER\software\virusisolator lastupdatedate
- HKEY_CURRENT_USER\software\virusisolator lastupdatetime
- HKEY_CURRENT_USER\software\virusisolator quickscanatstartup
- HKEY_CURRENT_USER\software\virusisolator registershellextension
- HKEY_CURRENT_USER\software\virusisolator scanarchives
- HKEY_CURRENT_USER\software\virusisolator scanfiles
- HKEY_CURRENT_USER\software\virusisolator scanmail
- HKEY_CURRENT_USER\software\virusisolator scanprocesses
- HKEY_CURRENT_USER\software\virusisolator scanregistry
- HKEY_CURRENT_USER\software\virusisolator startminimized
- HKEY_CURRENT_USER\software\virusisolator totalscans
- HKEY_LOCAL_MACHINE\software\microsoft\windows\
currentversion\run virusisolator - HKEY_LOCAL_MACHINE\software\microsoft\windows\
currentversion\uninstall\virusisolator - HKEY_LOCAL_MACHINE\software\microsoft\windows\
currentversion\uninstall\virusisolator displayname - HKEY_LOCAL_MACHINE\software\microsoft\windows\
currentversion\uninstall\virusisolator nomodify - HKEY_LOCAL_MACHINE\software\microsoft\windows\
currentversion\uninstall\virusisolator norepair - HKEY_LOCAL_MACHINE\software\microsoft\windows\
currentversion\uninstall\virusisolator uninstallstring - HKEY_LOCAL_MACHINE\software\microsoft\windows\
currentversion\run virusisolator
Note that manually editing the registry is a rather complicated and risky process; most casual users should not attempt this unless they really know what they are doing. If you still think that you might be infected and are not comfortable with performing a manual removal process, you can use a registry cleaner like RegCure or a more legitimate antispyware tool such as XoftSpySE.
Nice informative post! Thanks for warning the public.
neither recommended programs work on IE Anti Virus
I am one of those FOOLS/Victims of this so called VirusIsolator. I actually purchased it and was never able to install and kept trying to contact them thru email and phone which I never was able to speak to anyone! When I would email them, to request my refund, they just kept saying they would only refund the money if I was not able to install the antivirus, and I said well,”I have been trying to contact you guys to get that help and never hear from you,” then they would ask for a number to contact me, and just never did! I had an idea of what was going on by the time I contacted them for the 10th time and then just never heard from them again, until last time I tried emailing them again and had a response email saying that the email was not located. So I figured what happened, I just dont know if I will be able to find them to get my money back…
Do you think if this is a scam and I gave out my credit card information, they will keep charging stuff, and do you think there’s a way to find out how to get them and have my money back???