Hammered by Malware



pendell
2010-03-01, 01:43 PM
The harmful program: As described on Bleeping Computer (http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010) "XP Internet Security 2010" .

The program masquerades as an update from Microsoft. In fact, it is scareware (http://en.wikipedia.org/wiki/Scareware). Pretending to be an anti-virus product, it runs a bogus 'scan' and falsely reports that your computer is infected by a couple of different things. In fact, it is ITSELF a trojan horse.

How it got there: I assume I accidentally clicked on a popup banner for the product -- I certainly never wanted it! Also, be advised: when you come upon such a window, many times the 'cancel' or 'X' in the upper right hand corner is actually wired to the 'accept' code. So the only sure way to get rid of such a thing is to nuke it from the Task Manager.


Fun removing the thing: This product defends itself aggressively. It will block any attempt via Firefox or Explorer to access an anti-viral site or download anti-viral software. Accessing anti-virus software on your own computer is re-directed to the trojan. Killing it requires not only killing the program (av.exe) in memory, but also registry entries for it in the Windows registry, otherwise it will simply be re-started. The program, of course, is a hidden file so it's not particularly easy to delete.

How I finally killed the darn thing:
A) Killed the process av.exe in memory.
B) Following manual instructions, cleared several registry entries so it wouldn't re-start.
C) On a different computer, on my sysadmin's recommendation, downloaded
Anti-malware from Malware bytes (http://www.malwarebytes.org/mbam.php)
D) Killed internet explorer, then ran the cleaning program. Here is the log of that interaction:



Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\<profile>\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.



I could probably have done this manually. However, given that editing the Windows registry is a perilous undertaking, I prefer to do so using a program from a trusted source.

And it's a good thing my faith forbids it; otherwise the authors would be receiving visitors from Cthonic entities to take their sanity. :(

Respectfully,

Brian P.
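The Malwarebytes log in the post above records exactly what the rogue changed: three Security Center notification flags flipped from 0 to 1 (which silences the "no antivirus / firewall off" warnings) and a hidden av.exe dropped in the profile's Local Settings\Application Data folder. The following PowerShell script is an added example, not code from the poster or from Malwarebytes: it audits those same indicators on a machine and, only with -Repair, resets the flags to the values the log calls "Good". The registry key, value names, file name and process name come from the log; the Run-key check at the end is an assumption (the post says the rogue re-launched via registry entries but does not name them), and $env:LOCALAPPDATA is used because it resolves to Local Settings\Application Data on XP and AppData\Local on Vista/7.

```powershell
# Added example (not from the original post): audit the indicators listed in
# the Malwarebytes log and optionally repair the Security Center flags.
# Run from an elevated PowerShell session.
param(
    [switch]$Repair   # without -Repair the script only reports, changes nothing
)

$scKey = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$flags = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify'

# 1. Security Center notification flags. The log shows Bad: (1) Good: (0).
foreach ($name in $flags) {
    $value = (Get-ItemProperty -Path $scKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) {
        Write-Output "$name : not present (nothing to do)"
    } elseif ($value -eq 1) {
        Write-Warning "$name = 1 (Security Center warnings are being suppressed)"
        if ($Repair) {
            Set-ItemProperty -Path $scKey -Name $name -Value 0 -Type DWord
            Write-Output "$name reset to 0"
        }
    } else {
        Write-Output "$name = $value (ok)"
    }
}

# 2. The dropper. The log places av.exe in Local Settings\Application Data,
#    which is where $env:LOCALAPPDATA points on XP (AppData\Local on Vista/7).
$dropper = Join-Path $env:LOCALAPPDATA 'av.exe'
if (Test-Path -LiteralPath $dropper) {
    $item = Get-Item -LiteralPath $dropper -Force   # -Force so a hidden file is returned
    Write-Warning ("Found {0} ({1} bytes, attributes: {2})" -f $item.FullName, $item.Length, $item.Attributes)
    # Not deleted here on purpose: quarantine it with a trusted scanner, as the post did.
} else {
    Write-Output "No av.exe in $env:LOCALAPPDATA"
}

# 3. Is the process alive? The post killed av.exe in memory before touching the registry.
$running = Get-Process -Name 'av' -ErrorAction SilentlyContinue
if ($running) {
    $running | ForEach-Object { Write-Warning ("av.exe running as PID {0}" -f $_.Id) }
} else {
    Write-Output 'av.exe is not running'
}

# 4. Autostart entries pointing into the local application data folder.
#    ASSUMPTION: the post does not name the registry entries that restarted
#    the rogue; the standard Run keys are checked here as a plausible place.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($runKey in $runKeys) {
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object {
            ($_.Name -notlike 'PS*') -and
            (($_.Value -like '*Local Settings\Application Data*') -or ($_.Value -like '*AppData\Local*'))
        } |
        ForEach-Object { Write-Warning ("{0}\{1} -> {2}" -f $runKey, $_.Name, $_.Value) }
}
```

Run it once without -Repair to see what it finds; the flags are only written back when you pass -Repair, and the file is reported rather than deleted so that the removal itself still goes through a scanner that can quarantine it.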

The Glyphstone
2010-03-01, 02:04 PM
I got hit by that last week, though my infection was even nastier: it hijacked my internet browser and refused to let me visit any website except the one where I could 'purchase' the 'full version' of the 'software'.

I had to borrow a friend's computer to look up how to get rid of it, found a huge and complicated instruction string - then did a system restore from three days prior. It worked like a charm, as far as I can tell, and hasn't come back. Probably going to do a malware check with that download anyways.

Semidi
2010-03-01, 02:21 PM
You know it would be easier just to restart your computer in safe mode with networking. This should allow you access to the internet and keep the malware from running upon boot-up.

Then download the following:
Spyware search and destroy
Malwarebytes
Avast

Run full scans, one right after the other, starting at the top until everything is dead.

lesser_minion
2010-03-01, 02:33 PM
Rogue software seems to be becoming ridiculously common itp - I'm not sure what real statistics will show, but there have been at least ten or twelve threads about it already (in fact, the first six months of 2009 apparently saw a 583% increase according to the wikipedia article you linked).

Most rogue software relies on either social engineering or security holes in order to distribute - this is part of the reason why we aren't allowed to use svg images or HTML on the boards.

Eldritch Knight
2010-03-01, 05:08 PM
Be wary, you may not have gotten all of it. I've had it come back spontaneously, myself.

Corlindale
2010-03-01, 05:21 PM
If you want to avoid the hassle of having to go to a different pc to view instructions and download fixes, also note that Google Chrome seems to be immune to the program's browser-blocking effects. I think it only affects FF and IE, actually - at least that seemed to be the case for the version I caught.

I used Malwarebytes Anti-Malware to good effect as well, after doing the registry fix in the instructions.

Thursday
2010-03-01, 11:11 PM
I used Malwarebytes Anti-Malware to good effect as well, after doing the registry fix in the instructions.

Love that program; it's sorted my computer out shipshape and Bristol fashion several times now.

Silly Wizard
2010-03-02, 09:22 PM
I caught something like that a while back, like two months ago. The thing trashed my RAM, I had to buy some new sticks of it.

The Dark Fiddler
2010-03-02, 09:42 PM
The harmful program: ... "XP Internet Security 2010"

Obviously it's Windows telling you to upgrade your OS. [/joke ignoring the fact that there's versions for Vista and 7]

lesser_minion
2010-03-03, 09:01 AM
Love that program, It's sorted my computer out shipshape and Bristol fashion several times now.

But... but... computers don't care about the tides. And they don't have any masts either.

The phrase is believed to refer to the various practices used in Bristol to prevent ships being damaged when they beached, not to Bristolians being badass.