FacebookTwitterLinkedIn

Avoid infecting your device with malware via "ClickFix" scams

Also Known As: "ClickFix" scam
Damage level: Severe

What kind of scam is "ClickFix"?

"ClickFix" refers to malware-proliferating scams that trick users into executing malicious commands on their devices by claiming that it is a solution to an issue. These scams instruct victims to copy/paste the virulent scripts, stating that doing so will allow them to create/edit/share documents, join video conferences, fix website display problems, and so on.

This deceptive content is primarily endorsed on the Web, but we have also observed the scam facilitated through deceptive files distributed via email spam campaigns.

Example of a file facilitating the ClickFix scam

"ClickFix" scam overview

The goal of "ClickFix" scams is to infect victims' computers with malware. The mechanism through which this purpose is achieved involves getting users to copy certain content (in some instances, the activity is presented as pressing a button), then opening either the Run command or PowerShell and pasting it – thus triggering the execution of a malicious command intended to initiate malware download/installation.

For example, this process may appear as instructions to: "Click [button]" (e.g., "Copy", "Fix", "Verify", etc.) – this copies a command into the clipboard (copy-paste buffer), then "Press 'Windows key' and 'R' key combination on your keyboard" (Run command combo) or "Press 'Windows key' and run 'Windows PowerShell'", after that "Press 'Ctrl' and 'V' keys" (paste), followed by "Enter" (executing the command).

Various lures are used to get victims to carry out this activity, e.g., "fixes" for document access restriction, website display problems, online meeting joining issues, installing missing software, and so forth.

When the malicious PowerShell command is executed, the triggered infection can introduce just about any type of malware onto systems.

It could be a trojan, which may cause further infections, enable remote/access control over the device, record audio/video via microphones and cameras, extract data from systems and installed apps, record keystrokes, steal files, or perform other malicious activities.

Another potential infection is ransomware – this malware type encrypts files and demands payment for their decryption. Alternatively, a "ClickFix" scam could spread cryptominers, which abuse system resources (potentially to the point of causing hardware damage) in order to generate cryptocurrency.

To summarize, victims of "ClickFix" schemes can experience system infections, permanent data loss, serious privacy issues, financial losses, and identity theft.

If you suspect that your device is already infected – perform a full system scan with an anti-virus and eliminate all detected threats.

Threat Summary:
Name "ClickFix" scam
Threat Type Phishing, Scam, Social Engineering, Trojan, Malware
Symptoms Malware is designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine.
Distribution methods Deceptive websites, email attachments, malicious online advertisements, social engineering.
Damage Stolen passwords and banking information, identity theft, the victim's computer added to a botnet.
Malware Removal (Windows)

To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner.
▼ Download Combo Cleaner
To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

"ClickFix" scam examples

As previously mentioned, "ClickFix" schemes use a wide variety of lures. Websites and files facilitating these scams are often marked with the logos and other graphical details used by legitimate products or services (e.g., Windows OS, Microsoft Office, Google Chrome, Google Meet, CAPTCHA, etc.) – thus, they can appear genuine and harmless.

Some of our articles on "ClickFix" are "Verify You Are A Human (CAPTCHA)", "Please Install The Root Certificate", "Word Online Extension Is Not Installed", and "Something Went Wrong While Displaying This Webpage".

How did I encounter a "ClickFix" scam?

"ClickFix" scams are commonly hosted by deceptive sites. These webpages are primarily accessed via redirects generated by intrusive ads (malvertising), websites utilizing rogue advertising networks, spam browser notifications, misspelled URLs (typosquatting), and installed adware.

Files facilitating the "ClickFix" scheme have been distributed as attachments in spam emails. Keep in mind that other types of spam, such as PMs/DMs, spam/ forum posts, and other messages, could also be used for this purpose.

How to avoid installation of malware?

Caution is critical to device and user safety. Therefore, always be vigilant when browsing since fraudulent and dangerous content usually appears legitimate and innocuous. Approach incoming emails and other messages with care; do not open attachments or links found in dubious/irrelevant mail.

Download only from official and verified channels. Activate and update programs using genuine functions/tools, as illegal activation tools ("cracks") and third-party updaters can contain malware.

It is paramount to have a reputable anti-virus installed and kept updated. Security software must be used to perform regular system scans and to remove detected threats and issues. If you believe that your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.

Appearance of a malicious command copy-pasted through a "ClickFix" scam (GIF):

Malicious command copy-pasted through a ClickFix scam (GIF)

Screenshot of a spam email promoting (the above variant) "ClickFix" scam:

Spam email promoting a ClickFix scam via attachment

Text presented in this spam email

Subject: Important: Verification Needed for Notary Service Request


Greetings,


Recently, we received a inquiry for notary representation services allegedly from you. Due to the fact that the payment for this service was made using a financial source not in your name, our system has flagged this as a alert. Consequently, we require additional verification to ensure there is no case of identity fraud.


We sincerely apologize for any trouble this may cause if this request was indeed made by you. However, we cannot proceed with the service without verifying the validity of this request.


As per our protocol measures, we need to contact the requester through the details provided in verified channels, such as phone numbers or email addresses. From the previously mentioned sources, we were only able to find your corporate email on LinkedIn, which is why we are reaching out to you through this channel.


Attached to this email is all the information you provided. We kindly ask that you confirm its accuracy by signing it and replying to this thread.


Thank you for your understanding.


Kind regards,
Jonathan Olier
Risc Officer
White & Case LLP
j.olier@whitecase.com

Example of a "ClickFix" scam that uses a Google Meet lure (GIF):

ClickFix scam example (GIF)

Another example of a malicious ClickFix-type website:

ClickFix malware website (2024-10-04)

Instant automatic malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

Quick menu:

How to remove malware manually?

Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically. To remove this malware we recommend using Combo Cleaner Antivirus for Windows.

If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:

Malware process running in the Task Manager

If you checked the list of programs running on your computer, for example, using task manager, and identified a program that looks suspicious, you should continue with these steps:

manual malware removal step 1Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations:

Autoruns application appearance

manual malware removal step 2Restart your computer into Safe Mode:

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Run Windows 7 or Windows XP in Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup.

Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings".

Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Run Windows 8 in Safe Mode with Networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options".

In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.

Run Windows 10 in Safe Mode with Networking

Video showing how to start Windows 10 in "Safe Mode with Networking":

manual malware removal step 3Extract the downloaded archive and run the Autoruns.exe file.

Extract Autoruns.zip archive and run Autoruns.exe application

manual malware removal step 4In the Autoruns application, click "Options" at the top and uncheck "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.

Refresh Autoruns application results

manual malware removal step 5Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.

You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose "Delete".

Delete malware in Autoruns

After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.

Search for malware and delete it

Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs.

These steps might not work with advanced malware infections. As always it is best to prevent infection than try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software. To be sure your computer is free of malware infections, we recommend scanning it with Combo Cleaner Antivirus for Windows.

Frequently Asked Questions (FAQ)

What is the "ClickFix" scam?

"ClickFix" is a scam that deceives victims into executing malicious commands; the aim is to infect their devices with malware.

How did I encounter the "ClickFix" scam?

"ClickFix" type scams are facilitated through deceptive websites or files. The former may be accessed via redirects caused by sites using rogue advertising networks, intrusive advertisements, spam browser notifications, mistyped URLs, and installed adware. The latter can be distributed as attachments in spam emails or other messages.

What are the biggest issues that malware can cause?

The threats posed by an infection depend on the malware's capabilities and the cyber criminals' modus operandi. Generally, the greatest concerns are multiple system infections, permanent data loss, severe privacy issues, financial losses, and identity theft.

What is the purpose of malware?

Malware is primarily used to generate revenue. However, cyber criminals can also use malicious software to amuse themselves, realize personal grudges, disrupt processes (e.g., websites, services, companies, etc.), engage in hacktivism, and launch politically/geopolitically motivated attacks.

Will Combo Cleaner protect me from scams and the malware they proliferate?

Combo Cleaner is designed to eliminate all kinds of threats. It can scan visited websites for deceptive/malicious content and restrict all further access to such pages. It can detect and remove most of the known malware infections. Keep in mind that running a full system scan is key since sophisticated malicious programs typically hide deep within systems.

▼ Show Discussion

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Removal Instructions in other languages
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

QR Code
ClickFix scam QR code
Scan this QR code to have an easy access removal guide of "ClickFix" scam on your mobile device.
We Recommend:

Get rid of Windows malware infections today:

▼ REMOVE IT NOW
Download Combo Cleaner

Platform: Windows

Editors' Rating for Combo Cleaner:
Editors ratingOutstanding!

[Back to Top]

To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.