pendell
2010-03-01, 01:43 PM
The harmful program: As described on Bleeping Computer (http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010), "XP Internet Security 2010".
The program masquerades as an update from Microsoft. In fact, it is scareware (http://en.wikipedia.org/wiki/Scareware). Pretending to be an anti-virus product, it runs a bogus 'scan' and falsely reports that your computer is infected by a couple of different things. In fact, it is ITSELF a trojan horse.
How it got there: I assume I accidentally clicked on a popup banner for the product -- I certainly never wanted it! Also, be advised: when you come upon such a window, many times the 'cancel' or 'X' in the upper right hand corner is actually wired to the 'accept' code. So the only sure way to get rid of such a thing is to nuke it from the Task Manager.
Fun removing the thing: This product defends itself aggressively. It will block any attempt via Firefox or Explorer to access an anti-viral site or download anti-viral software. Accessing anti-virus software on your own computer is re-directed to the trojan. Killing it requires not only killing the program (av.exe) in memory, but also registry entries for it in the Windows registry, otherwise it will simply be re-started. The program, of course, is a hidden file so it's not particularly easy to delete.
How I finally killed the darn thing:
A) Killed the process av.exe in memory.
B) Following manual instructions, cleared several registry entries so it wouldn't re-start.
C) On a different computer, on my sysadmin's recommendation, downloaded Anti-Malware from Malwarebytes (http://www.malwarebytes.org/mbam.php).
D) Killed Internet Explorer, then ran the cleaning program. Here is the log of that interaction:
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\<profile>\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.
I could probably have done this manually. However, given that editing the Windows registry is a perilous undertaking, I prefer to do so using a program from a trusted source.
And it's a good thing my faith forbids it; otherwise the authors would be receiving visitors from Chthonic entities to take their sanity. :(
Respectfully,
Brian P.
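A defender-side parser for the Malwarebytes log format quoted in the post, added here as an example for this thread (not part of the original post or of Malwarebytes' own tooling). It assumes the line layout shown above and uses that excerpt as constructed sample input; the second function pulls out the Security Center tampering the log records, since a rogue that sets those DisableNotify values to 1 silences Windows' own warnings that antivirus, firewall or updates are off.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample: the Malwarebytes' Anti-Malware log excerpt quoted in the post above.
SAMPLE_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\<profile>\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<section>.+?) Infected:$")
# One entry: <path> (<detection>) -> [Bad: (<v>) Good: (<v>) -> ]<action>.
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> "
                      r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
                      r"(?P<action>.+?)\.?$")
SECURITY_CENTER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"

@dataclass
class Finding:
    section: str                # "Registry Data Items", "Files", ...
    path: str                   # registry value path or file path
    detection: str              # scanner's detection name
    action: str                 # what the scanner did about it
    bad: Optional[str] = None   # value found (registry data items only)
    good: Optional[str] = None  # value the scanner restored

def parse_mbam_log(text: str) -> List[Finding]:
    """Turn the per-section log lines into Finding records; empty sections yield nothing."""
    findings, section = [], None
    for line in map(str.strip, text.splitlines()):
        header = SECTION_RE.match(line)
        if header:
            section = header["section"]
            continue
        entry = ENTRY_RE.match(line)
        if entry and section:
            findings.append(Finding(section, entry["path"], entry["detection"],
                                    entry["action"], entry["bad"], entry["good"]))
    return findings

def security_center_tamper(findings: List[Finding]) -> List[str]:
    """Security Center *DisableNotify values found set to 1: the OS's 'AV/firewall/updates off' warnings were silenced."""
    return [f.path.rsplit("\\", 1)[1] for f in findings
            if f.section == "Registry Data Items" and f.bad == "1"
            and f.path.startswith(SECURITY_CENTER_KEY + "\\") and f.path.endswith("DisableNotify")]
```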