Saturday, April 3, 2010

How to fight about 80% of the scareware out there

At work, about 80% of the scareware we see looks like this:

This malware goes by dozens of different names, but in essence the variants are the same thing, differing mainly by which version of Windows you happen to have. The following method will clean out all of these:

For XP:
AntiSpyware XP, AntiSpyware XP 2010, Antivirus XP, Antivirus XP 2010, Total XP Security, XP Antispyware 2010, XP Antivirus Pro, XP Guardian, XP Security Tool, XP Security Tool 2010, XP Smart Security, XP Smart Security 2010, XP AntiMalware, XP AntiMalware 2010, XP Antivirus Pro, XP Defender, XP Defender Pro, XP Security, XP Security 2010, XP Internet Security, XP Internet Security 2010.

For Vista:
AntiSpyware Vista, AntiSpyware Vista 2010, Antivirus Vista, Antivirus Vista 2010, Total Vista Security, Vista Guardian, Vista Security Tool, Vista Security Tool 2010, Vista Smart Security, Vista Smart Security 2010, Vista AntiMalware, Vista AntiMalware 2010, Vista AntiSpyware, Vista Antivirus Pro, Vista Defender, Vista Defender Pro, Vista Security, Vista Security 2010, Vista Internet Security, Vista Internet Security 2010.

For Windows 7:
AntiSpyware 7, AntiSpyware Win 7 2010, Antivirus Win 7, Antivirus Win 7 2010, Total Win 7 Security, Win 7 Antispyware 2010, Win 7 Antivirus Pro, Win 7 Guardian, Win 7 Security Tool, Win 7 Security Tool 2010, Win 7 Smart Security, Win 7 Smart Security 2010, Win 7 AntiMalware, Win 7 AntiMalware 2010, Win 7 Antivirus Pro, Win 7 Defender, Win 7 Defender Pro, Win 7 Security, Win 7 Security 2010, Win 7 Internet Security, Win 7 Internet Security 2010.

Note: Antivirus Soft is NOT part of this family of rogues; its removal differs in important ways.

Removal:
Much of this removal process comes from the good people at www.bleepingcomputer.com.

1) On another computer, download the install file for Malwarebytes (free version) onto a USB drive. Also download FixExe.reg, created and hosted by bleepingcomputer.
2) On the infected computer, trigger the fake antivirus program by opening an application or two. Once it is running, let it keep running during the entire guide.
3) Plug the USB drive into the infected computer, double-click FixExe.reg and say "Yes" when it prompts you for permission.
4) Install Malwarebytes from the USB drive and update it.
5) Run a full scan and let it do its thing. This may take up to a few hours so be patient or go ahead and do some other activity - or if you're like me, start fixing another computer.
6) Once the scan has finished, it will show this window:

Hit "OK", then click "Show Results" and then "Remove Selected" to remove all the files and registry entries it detected. Malwarebytes may require a reboot; if so, allow it, it's good for your computer.

At this point, your computer should be usable and free of the rogue antivirus that previously plagued it!

Congrats, you may now use the internet. However, if you want to double check (like I always do at work)...

7) Reboot your computer into safe mode (F8 at start up) and do another full scan to make sure that no files are left behind.
8) Still in Safe Mode, search for the following files and delete them:
Windows XP:

c:\Documents and Settings\All Users\Application Data\QJyrk5wvCU1
%UserProfile%\Local Settings\Application Data\av.exe
%UserProfile%\Local Settings\Application Data\ave.exe
%UserProfile%\Local Settings\Application Data\QJyrk5wvCU1
%UserProfile%\Local Settings\Application Data\WRblt8464P
%UserProfile%\Local Settings\Temp\QJyrk5wvCU1
%UserProfile%\Templates\QJyrk5wvCU1

Windows Vista and Windows 7:

C:\ProgramData\QJyrk5wvCU1
C:\Users\All Users\QJyrk5wvCU1
%UserProfile%\AppData\Local\av.exe
%UserProfile%\AppData\Local\ave.exe
%UserProfile%\AppData\Local\QJyrk5wvCU1
%UserProfile%\AppData\Local\WRblt8464P
%UserProfile%\AppData\Local\Temp\QJyrk5wvCU1
%UserProfile%\AppData\Roaming\Microsoft\Windows\Templates\QJyrk5wvCU1

9) In Windows XP, from the Start menu click "Run" and type "regedit"; in Windows Vista and Windows 7, type "regedit" into the search box in the Start menu. Then locate and delete the following entries, which the rogue adds so that every .exe (and the browser shortcuts) launches through it and so that Security Center stops warning you:

HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
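As an added example covering steps 8 and 9 (my own code, not from the original post or from bleepingcomputer), here is a read-only PowerShell audit that checks a Vista/7-era machine for the file paths and registry values listed above and reports what it finds, leaving removal to Malwarebytes or to the manual steps. The environment variables used to build the paths, and the remark about how the keys look on a clean machine, are my assumptions.

```powershell
# Added example: audit for the indicators this post lists. Read-only,
# it reports and does not delete. Run as the affected user.

# File indicators from the post (the random-looking names are the post's own).
# $env:* expansion is an assumption; the last two lines cover the XP layout.
$fileIndicators = @(
    "$env:ALLUSERSPROFILE\QJyrk5wvCU1",
    "$env:ALLUSERSPROFILE\Application Data\QJyrk5wvCU1",
    "$env:LOCALAPPDATA\av.exe",
    "$env:LOCALAPPDATA\ave.exe",
    "$env:LOCALAPPDATA\QJyrk5wvCU1",
    "$env:LOCALAPPDATA\WRblt8464P",
    "$env:LOCALAPPDATA\Temp\QJyrk5wvCU1",
    "$env:APPDATA\Microsoft\Windows\Templates\QJyrk5wvCU1",
    "$env:USERPROFILE\Local Settings\Application Data\av.exe",
    "$env:USERPROFILE\Local Settings\Application Data\ave.exe"
)

# Command keys the post says the rogue rewrites. On a clean machine these
# normally either do not exist (the HKCU .exe/secfile ones) or launch the
# real program directly, with no "/START" wrapper in front of it.
$commandKeys = @(
    'HKCU:\Software\Classes\.exe\shell\open\command',
    'HKCU:\Software\Classes\secfile\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\secfile\shell\open\command',
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command',
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command',
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
)

$findings = @()
foreach ($p in $fileIndicators) {
    if (Test-Path -LiteralPath $p) { $findings += "FILE  $p" }
}
foreach ($k in $commandKeys) {
    if (-not (Test-Path -Path $k)) { continue }
    $cmd = (Get-ItemProperty -Path $k).'(default)'
    # The hijack looks like:  "...\av.exe" /START "%1" %*
    if ($cmd -match '\\ave?\.exe"|/START') { $findings += "REG   $k = $cmd" }
}
# Both overrides set to 1 silence Security Center about missing AV/firewall.
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($name in 'AntiVirusOverride', 'FirewallOverride') {
    $v = (Get-ItemProperty -Path $sc -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1) { $findings += "REG   $sc\$name = 1" }
}
if ($findings.Count -gt 0) { $findings } else { 'No indicators from the post found.' }
```

Any "REG" line for a .exe or secfile command key is the reason double-clicking programs launches the rogue; FixExe.reg from step 1 is what restores those associations.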
