Check Instantly Whether Your PC Is Infected By GameOverZeus


Last week, law enforcement agencies across the world, including the FBI, co-operated to shut down the servers behind the GameOverZeus trojan.  This particularly nasty piece of malware steals your passwords from a variety of web sites, including banks, in order to try to take your money.

Experts were warning that the criminals behind the servers, to which the malware sends details of the passwords it finds, will probably get them back up and running within 2 weeks, and urged everyone to ensure that their PC protection was up to date.  So if you haven't checked your antivirus software in a while, or if your subscription has expired, now might be a good time to do something about it.

F-Secure has set up a web site which, the company claims, can tell you whether your PC is infected by the GameOverZeus malware.  The malware works by intercepting your web browsing and, if you surf to any sites which contain the word Amazon, Ebay etc. inject some additional code into the page which captures your password and sends it to the hackers' server.  F-Secure have, therefore, set up a harmless page on their own web site, the address of which happens to contain the word "Amazon".  When your browser takes you to that page, their server checks whether the page you viewed has been altered to include the malware code.  If it has, it's a fair bet that your PC has the malware.

So to find out whether your computer is safe, just head to in your web browser and wait a couple of seconds.  The test is perfectly harmless, and will tell you instantly whether your PC is likely to be safe or not.



Please rate this article: 

Your rating: None
Average: 2.4 (12 votes)


I'm not passing judgement on F-Secure which I know nothing about but companies that offer to provide these quick online scans for malware are in a good position to do some nasty things themselves if they aren't ethical. If you have a good anti-virus program and spy/malware program and another layer or two of protection you probably don't need these quick scan services and should only use them once several other users have provided feedback on their experience with them.

"F-Secure has been listed twice, 2003 and 2006, on "Finland's best places to work" list". Been around for a long time and well respected inside the industry, and out. Seems their employees are pretty happy too. They also contribute to the cause of malware detection by sponsoring a course to encourage future analysts. MC - Site Manager.

The reason I and many others have made Gizmos our preferred choice for freeware software is that the staff does pretty thorough UNBIASED research before they make recommendations. Since they can't anticipate everyone's needs they offer the pros and cons of each product and that is especially helpful. Keep up the good work.

F-SecureOnlineScanner-HC.exe is a packed file containing the following files which are placed on your root drive C:\
cleanup_tool.exe 150,568 bytes
config.ini 75 bytes
fsdart.cfg 1,228 bytes
fssos.exe 2,698,28 bytes
fssos_admin_helper.exe 3,359,568 bytes

I don't know what they do, but they were surreptitiously placed there without my knowledge or permission and that in itself makes me suspicious for a piece of software that is supposed to check for hacks on my system.

I thought all online-scanners does that... Well they do...:D

What concerned me about this check was that it was over within a few seconds and there was no activity from my hard drive, which would seem to indicate to me that it only scanned the present memory.

On that basis, I would not trust such a scan.

I prefer to use the advice on the The National Crime Agency site.

Bit baffled why anyone would want to go any further than Rob actually suggested?

I've just followed the link he kindly provided, temporarily disabled NoScript, waited a few moments for the scan to finish, and now have on-screen an advisory reading: "MOST LIKELY NOT INFECTED. To ensure that your computer is clean of all infections, we strongly recommend that you run F-Secure Scanner now."

Well, doh. Of course F-Secure would "strongly recommend" that. The Ford salesman "strongly recommends" I do something of ultimate financial benefit to his employer every time my car goes in the shop for a service. So does my Internet provider ("strongly recommend" upgrading my package.) But the stronger they recommend, the less likely I take any notice: they're not medics advising on my personal health but commercial outfits looking to earn a few bucks out of stuff related to my computer's health.

I've no idea if an F-Secure scan has any merit at all, and until I have then the developer can "strongly recommend" as much as it wants and even increase yet further the size of the scanner link on what has to be one of the most godawful-looking web pages I've seen in a long while. Then again, I've no idea if the GameOverZeus scanner is anything more than a flashy hook to lure in the gullible. Seemed interesting enough to try though -- and then walk away. Thanks, Rob.

The rationale behind the instant scanner is here: They explain how and why it works, in quite enough detail to convince me that they're not trying anything except to be helpful. As said elsewhere here, F-secure are one of the most trusted names in the industry. No, of course they're not going to miss a chance to at least mention their commercial product but I've used their online scanner several times in the past and (a) never been charged for the privilege, and (b) never suffered as a result. (Of course YMMV!) In the last couple of decades or so, I've used most of the commercial AV tools and most of the decent free ones too and f-secure is the only one I've ever been confident enough in to recommend to my employer. Their main malware expert is a frequent speaker at security conferences, TED talks, all that stuff. No, their products aren't perfect -- but I have yet to meet one that is. (Full disclosure: currently using Comodo, as recommended here, and I have no relationship with F-Secure except for having previously been a customer, and keeping up with their Labs blog!)
You raise some good points MikeR. If you surf without an adblock you will see "scan your PC for errors" type invitations all over the place, but like this one they are not obligatory. I have no idea how effective the F-Secure scanner is but having been around for 25 years to become one of the most respected names in the industry, it's a fair bet they would not associate themselves with some sort of rogue Zeus trojan detector. What else they might be offering is up to individuals to assess for themselves. This, as MikeR states, is the target of the article. Similarly, if we point to a product download source we can't second guess what else on the page viewers might decide to click on. For our part, providing the product scans clean and the site is green rated by WOT (Web Of Trust) then we're happy to publish it. Choice is a wonderful thing to have. MC - Site Manager.

I do not know if this page is legit. Ideas and suggestions found on Gizmo's are rarely going to get one into trouble, but...

Having said that, I think this suggestion should be taken down. If the creators of this site had good intentions, I fail to see what they were.

I did not have a problem just going to the link, which is what Gizmo's said to do.

When you get there, however, it is total clutter, designed to get people (who trust Gizmo's) to use the scanner, which takes up about 30% of the page. Please do not go there. Do not use the scanner. Do not click the link.

Just a suggestion.

This is a tricky area, and I do try my hardest to warn people. But I also take care not to be over-cautious or patronising. Gizmo's readers are generally an intelligent bunch, and I try to reflect that. There are many times that I've written warnings at the end of stories, and then deleted them before posting because it sounded like I was underestimating our readers. It's hard to know where to draw the line. Do I warn people that, when you visit a specific site, don't click on the big "Download" button, because it's an advert, and you should click the smaller link instead? And if I write about backup utilities, do I have to warn everyone not to use them to infringe copyright? It's a hard line to tread, and I do my best to get things right. Mostly, I think it works. Sometimes, it won't. That's the web for you. F-Secure is a trustworthy company. If you don't like their products, don't use them. If you think they don't work, then you're welcome to that opinion. But I didn't, and still don't, think that they'd deliberately mislead people or cause damage to their computers. So I didn't add a warning. If it were a different company, which I'd not come across before, I'd have made a point of checking out the scanner and providing an opinion. But in this case, the story was about the trojan checker, and nothing else. Which I still think is a very useful offering.

You are correct. I do not have to go there if I do not like their "products". I trusted you, not them, and so I did go there. As you also said, knowledgeable patrons of Gizmos probably will not click on a link, and I didn't. but the only comment present on the page when I wrote the comment was from a Gizmo's patron who did click on the "Scanner" link. Much to their dismay, it sounded like to me.

Oh well. I had no proof whatsoever that the script that they claimed was present on that page really was. I assumed that you had checked it out, and I have a lot of faith in Gizmo's and it's many contributors. That is how I saw what was there. That is why I responded as I did. i only felt that another Gizmos patron had had a bad experience there, and I guess I had a knee-jerk reaction by saying I thought it should be removed.
I lost site of the importance of using any tool at our disposal to fight this slime-ware. I am thankful for having been able to use it, and I apologize if I offended you or any other Gizmo's patrons.

Be careful not to click the link further down the page labelled "F-SECURE ONLINE SCANNER". I did and now I regret it.

I downloaded and ran F-SecureOnlineScanner-HC.exe. After the scan finished, the scanner informed me that malware had been found and a reboot was required.

After I logged back in, the scanner ran a second time and reported fixing two items: Trojan:W32/Injector and a redirected HOSTS file.

I retrieved the previous version of my HOSTS file from the last system restore point and found the the entries removed had been originally placed there by WinPatrol ( No nasties there!

I was wondering what the trojan was and found that my licensed copy of Zemana AntiLogger had been removed. Grrr!

I found this note in the newly sanitised HOSTS file: "The original HOSTS file may be restored from the product's quarantine feature."

But I'd never been asked to confirm removal of any program and there was no quarantine.

I guess the moral of this story is to be careful running scanners that are cut-down versions of full anti-malware products; they may do more than you want with no warning or recourse.