Last week, BleepingComputer.com reported on how to remove a new variant of an old scareware. This new nasty, known most commonly as Antivirus2010 or Anti-Virus-1, points you to spoofed versions of Download.com, ZDNet, PCMag.com, and other software sites, demanding that you download their program to clean your computer. Of course, it does nothing of the sort, merely perpetuating the infection.
However, the manner and methods Anti-Virus-1 uses to get you there are extremely clever. The infection part of the malware does whatever it's been designed to do, so you can see that you've been infected with malware. What you don't realize at this point is that it's hacked your hosts file, too, so that when you go to a software site you don't ever make it to the site you're trying to get to.
You wind up on a skinned Web site that looks like the site you're expecting, but isn't. With the Download.com spoof, you can see that they're using our old design, which CNET abandoned last summer. Clicking on any link besides the download button will take you to the same page that the legitimate site would've taken you to. Hit the download button, though, and you get their fake malware remover, which in fact does the opposite, perpetuating the infection.
Removing the infection is tricky because of the differences between the variants. Some people have complained that they get locked out of their Task Manager, for example, but not all reports include that complaint. The fix that I cited for Antivirus XP 2008 may work, but users who have Windows XP Home Edition don't have a gpedit.msc. Home Edition users will have to edit their Registry directly.
Malwarebytes' Anti-Malware has proven to be one of the few malware killers that can effectively remove Antivirus XP 2008 and its variants, and it should work against the latest ones, too. The First Look video of Malwarebytes' Anti-Malware on the right will help you get started with the program.
Keep in mind that there is no substitute for cautious browsing. Don't install every Facebook app that comes your way, don't click on ads on unfamiliar sites or sites that are known vectors for attacks, and don't install software from anybody that's not a vouchsafed source.
I've pasted below the entire list from BleepingComputer of changes to your hosts file for your edification. Be warned that it may change as variants are developed.
O1 - Hosts: 22.214.171.124 www.review.2009softwarereviews.com
O1 - Hosts: 126.96.36.199 review.2009softwarereviews.com
O1 - Hosts: 188.8.131.52 a1.review.zdnet.com
O1 - Hosts: 184.108.40.206 www.d1.reviews.cnet.com
O1 - Hosts: 220.127.116.11 www.reviews.toptenreviews.com
O1 - Hosts: 18.104.22.168 reviews.toptenreviews.com
O1 - Hosts: 22.214.171.124 www.reviews.download.com
O1 - Hosts: 126.96.36.199 reviews.download.com
O1 - Hosts: 188.8.131.52 www.reviews.pcadvisor.c.uk
O1 - Hosts: 184.108.40.206 reviews.pcadvisor.co.uk
O1 - Hosts: 220.127.116.11 www.reviews.pcmag.com
O1 - Hosts: 18.104.22.168 reviews.pcmag.com
O1 - Hosts: 22.214.171.124 www.reviews.pcpro.co.uk
O1 - Hosts: 126.96.36.199 reviews.pcpro.co.uk
O1 - Hosts: 188.8.131.52 www.reviews.reevoo.com
O1 - Hosts: 184.108.40.206 reviews.reevoo.com
O1 - Hosts: 220.127.116.11 www.reviews.riverstreams.co.uk
O1 - Hosts: 18.104.22.168 reviews.riverstreams.co.uk
O1 - Hosts: 22.214.171.124 www.reviews.techradar.com
O1 - Hosts: 126.96.36.199 reviews.techradar.com
(Via Ars Technica)