Thursday, February 24, 2011

Fake Anti-virus: AntiVira AV

Well, not more than three days after my last post, I am dealing with another fake antivirus program; the culprit this time: AntiVira AV. The customer called and said he was getting a popup that said the computer was infected and the antivirus program had to be renewed. Interestingly, the internet did not work, so it was time to look up this anti-virus program; even more interesting, it's on Wikipedia's list of fake anti-virus programs. And a quick Bing (sorry, Google) search reveals similar results.
(Screenshot: AntiVira AV)
Once I got my hands on the computer, things got interesting. The computer had Microsoft Security Essentials on it; however, it was disabled, which is definitely not a good sign. In addition, there were lots of annoying popups about how the computer is infected by a zillion viruses and how the program is blocking these constant online threats. So, time to start trying things:
  • First off, try uninstalling the program (Start >> Control Panel >> Add or Remove Programs). Nope, cannot open Add or Remove Programs. Not a big surprise, but worth a try!
  • Next, Task Manager. Hmmm, "Virus Alert"??? Nope, I don't believe that'll work.
  • How about the Internet? Nope, a nice message about how I need to renew my anti-virus software and how my computer is infected. Oh wait, it's redirecting; yes, the internet does work, now let me see what pills I want. Viagra, anyone?
  • MSConfig: no go.
  • Try my USB flash drive with some handy utilities. Interesting: according to an AntiVira AV popup message, all the .exe's on my flash drive are corrupt!
  • Attempt to scan the hard drive on another computer with Norton Antivirus. Nothing found! Now that is bad.
  • Time to give Safe Mode a try! Surprisingly, it actually works! So far so good, no AntiVira AV shutting everything down. Time to install some real AV programs!
  • Hmm, restarted the computer and now it blue screens when trying to log on to the desktop. Definitely not good. I think my AV program is having a conflict with the fake AV program.
  • OK, back to Safe Mode; this time I'm using Safe Mode with Networking. The program I'm using is called UnHackMe http://greatis.com/unhackme/, which also comes with a Live CD that you can run if your computer is in really bad shape. A Live CD is an operating system that runs off an optical disk, with no hard drive or installation required.
  • Time to update the virus definitions and let UnHackMe run a scan. After running the scan, UnHackMe found 1 threat and 20 potential threats; of the potential threats, about half were legitimate programs/services.
  • Reboot the computer again, UnHackMe finishes the cleaning process and loads the desktop. No AntiVira AV to be found, and Microsoft Security Essentials is working again!
  • The Internet still is not working, but a quick trip to Internet Options >> Connections tab >> LAN Settings to uncheck the option to use a proxy server fixes that.
  • Finally, finish up the cleanup job with a full system scan from Microsoft Security Essentials, Norton Antivirus, and Spybot Search & Destroy. A couple more minor nasties were found and cleaned!
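The three symptoms in the list above (a blocked Task Manager, "corrupt" .exe files, and a browser that is silently sent through a proxy) are all things you can check for from a PowerShell prompt instead of clicking through dialogs. The script below is an added example for this post, not something the author ran and not part of UnHackMe; it looks at the standard Windows registry locations for each symptom and, with -Fix, puts the values back to their defaults. Which of these keys AntiVira AV itself touches is not stated on the page, so treat the checks as a general triage for this class of rogue AV, and run it from Safe Mode with Networking, as the author did, so the rogue is not running to reapply its changes.

```powershell
# Added example (not from the original post): triage for a fake-AV
# infection. Checks the current user's WinINET proxy, the Task Manager /
# Registry Editor policies, and the .exe file association. Assumption:
# the rogue uses these standard locations; it is not claimed that
# AntiVira AV specifically does. Run as the affected user, in Safe Mode.
param(
    [switch]$Fix   # without -Fix the script only reports what it finds
)

$findings = @()

# 1. WinINET proxy. A rogue that sets ProxyEnable=1 and points
#    ProxyServer at itself can answer every URL with its own
#    "your computer is infected, renew now" page, which matches the
#    redirect seen above. This is what the LAN Settings checkbox edits.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($p.ProxyEnable -eq 1 -or $p.ProxyServer -or $p.AutoConfigURL) {
    $findings += "Proxy configured: ProxyEnable=$($p.ProxyEnable) ProxyServer=$($p.ProxyServer) AutoConfigURL=$($p.AutoConfigURL)"
    if ($Fix) {
        Set-ItemProperty    -Path $inet -Name ProxyEnable   -Value 0
        Remove-ItemProperty -Path $inet -Name ProxyServer   -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $inet -Name AutoConfigURL -ErrorAction SilentlyContinue
    }
}

# 2. Per-user policies that block Task Manager and regedit.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if (Test-Path $pol) {
    $s = Get-ItemProperty -Path $pol
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        if ($s.$name -eq 1) {
            $findings += "$name is set to 1"
            if ($Fix) { Remove-ItemProperty -Path $pol -Name $name }
        }
    }
}

# 3. The .exe file association. The stock open command for exefile is
#    "%1" %*  ; anything else means every program launch (including the
#    utilities on a USB stick) is routed through a wrapper first, which
#    is one way a rogue can make every .exe look "corrupt".
$default = '"%1" %*'
$exeKeys = @(
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
    'HKCU:\Software\Classes\exefile\shell\open\command',   # per-user override, normally absent
    'HKCU:\Software\Classes\.exe\shell\open\command'       # per-user override, normally absent
)
foreach ($k in $exeKeys) {
    if (-not (Test-Path $k)) { continue }
    $cmd = (Get-ItemProperty -Path $k).'(default)'
    if ($cmd -ne $default) {
        $findings += "$k = $cmd"
        if ($Fix) { Set-ItemProperty -Path $k -Name '(default)' -Value $default }
    }
}

if ($findings.Count -eq 0) {
    'No hijacks found in the checked keys.'
} else {
    $findings | ForEach-Object { "FOUND: $_" }
    if ($Fix) { 'Defaults restored; reboot and run the script again to confirm they stayed.' }
}
```

Running it once without -Fix gives you a record of what the rogue changed before you undo anything, which is worth keeping alongside the UnHackMe log. If the values come back after a reboot, something is still running that reapplies them, and the cleanup is not done yet.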
