Another Day in the Trenches: Killing XP Antivirus 2010

Popular guest writer Mark Schneider walks you through a computer recovery operation following an infection by a rogue security program, XP Antivirus.

I hate rogue antivirus programs. They seem to be getting more numerous and harder to get rid of all the time. Case in point: at work, I noticed a shared computer suddenly popped up a window announcing it was doing a scan, and that I was infected with over 4,000 Trojans and other forms of malware.

Nice try, I thought. I used Ctrl+Alt+Delete to start Task Manager, and I closed Internet Explorer and all the running processes involved. Fortunately, it was a limited user account that was infected, and that turned out to be an important factor in removing it.

I immediately ran Malwarebytes from that user and found a number of infections, including the rogue antivirus product I was afflicted with. These cretins who come up with this crap can’t even come up with something creative – we’ve seen XP Antivirus for a few years now; each year they just tack on a year to make it look current.


Sad thing is, I’m sure somewhere out there is someone who renews this crap every year. Imagine paying yearly to be infected – oh right, we already do that; it’s called McAfee, but don’t get me started.

Well, back to the task at hand: I rebooted the machine, logged into an administrator account, updated Malwarebytes and ran it again… and found more junk, actually the same junk. Malwarebytes found it, but could not kill it.

Next, I downloaded Superantispyware, a great application that I always run at home, but it wasn’t on the work machine. The first thing I do now after I download an anti-malware application is rename the installer. I do this because I often find the malware recognises anti-malware installers and prevents them from installing, and a renamed file gets past that – these guys aren’t creative, but they’re getting smarter.

To rename a file, right-click on it, select Rename, type anything.exe, and then install the program. Superantispyware did its thing and found a ton of additional files. I removed the infected files, rebooted again, and ran both my programs again. I still found junk!

I repeated the sequence two more times until nothing was found. I then ran a scan in all user accounts to confirm “the kill”. So far so good, until I went into the user account where the infection had started: now whenever I tried to launch any program from the desktop I’d get the “Choose the program you want to use to open this file” message. This meant I had to fix file associations, and a great site with XP file association fixes is here. I used the .exe file association fix and it worked great.
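For readers who would rather see what such a “.exe file association fix” actually touches, here is an added PowerShell example (not part of the original post, and not the fix file the author downloaded). It compares the three registry values that define the .exe association against the Windows defaults, looks for the per-user override keys that a limited account can write and that shadow the machine-wide values for that account, and restores the defaults when the hypothetical `-Repair` switch is given. It assumes PowerShell 2.0 or later; launch it from the Run box or a command prompt, since double-clicking shortcuts is exactly what is broken.

```powershell
# Added example (not from the original post): audit the .exe file association
# and optionally restore the Windows defaults.  -Repair is a hypothetical switch
# introduced here.  The HKCR checks need an administrator account to repair;
# the HKCU checks must be run inside the affected user account.
param([switch]$Repair)

# Per-user keys that override HKCR for the account they belong to.  A limited
# user cannot write HKLM but can write these, which is how an infection in a
# limited account breaks that account's associations.  None of them should
# exist for .exe on a healthy system (the "Open With" dialog creates the
# FileExts one when a user picks a program in it).
$UserOverrides = @(
    'Registry::HKEY_CURRENT_USER\Software\Classes\.exe',
    'Registry::HKEY_CURRENT_USER\Software\Classes\exefile',
    'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe'
)

# Windows default values for the machine-wide .exe association.
$Expected = @(
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\.exe';                       Value = 'exefile' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile';                    Value = 'Application' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Value = '"%1" %*' }
)

function Get-DefaultValue([string]$Path) {
    if (-not (Test-Path $Path)) { return $null }
    return (Get-ItemProperty -Path $Path).'(default)'
}

$problems = 0

# Per-user overrides first: HKCR is a merged view, and an override here would
# otherwise make the HKCR check below report (and write) the wrong place.
foreach ($p in $UserOverrides) {
    if (Test-Path $p) {
        $problems++
        Write-Host "USER OVERRIDE present: $p"
        if ($Repair) {
            Remove-Item -Path $p -Recurse -Force
            Write-Host "  removed"
        }
    }
}

foreach ($e in $Expected) {
    $actual = Get-DefaultValue $e.Path
    if ($actual -ne $e.Value) {
        $problems++
        Write-Host ("MISMATCH {0}`n  expected: {1}`n  actual:   {2}" -f $e.Path, $e.Value, $actual)
        if ($Repair) {
            if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
            Set-ItemProperty -Path $e.Path -Name '(default)' -Value $e.Value
            Write-Host "  restored"
        }
    }
}

if ($problems -eq 0) { Write-Host ".exe association matches the Windows defaults" }
```

Run it once without `-Repair` in the account that shows the “Choose the program” prompt to see what was changed, then again with `-Repair`. A mismatch in the HKCR values alone means the machine-wide association was altered and an administrator account is needed to put it back; an override key in HKCU is what you would expect after an infection confined to a limited account, and the account itself can remove it.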

The last thing I did was to run Process Explorer and Autoruns from Sysinternals. These utilities give a great in-depth look at what is currently running on your machine and what starts at boot-up. Finding nothing suspicious, I deemed the computer clean, for now.
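Autoruns covers far more startup locations than any short script can, but the core of the check it performs at this stage is easy to reproduce, and doing so shows what “nothing suspicious” means in practice. The following added PowerShell example (not from the post, and not a Sysinternals tool) lists the Run and RunOnce keys of the machine and the current user plus the user’s Startup folder, and marks any entry whose target is missing or sits outside the Windows and Program Files directories, which is where a rogue program dropped into a user profile would show up. The trusted-directory rule is a deliberately simple heuristic chosen here, not Autoruns’ logic; it assumes PowerShell 2.0 or later.

```powershell
# Added example (not from the original post): a minimal autostart audit.
# Lists common Run locations and flags entries that point outside the Windows
# or Program Files directories, or whose target file no longer exists.
$RunKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories considered normal homes for autostart programs (heuristic).
$TrustedDirs = @($env:SystemRoot, $env:ProgramFiles)

function Get-AutostartEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, etc.; skip those.
            if ($p.Name -like 'PS*') { continue }
            New-Object PSObject -Property @{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # The current user's Startup folder: every file in it runs at logon.
    $startup = [Environment]::GetFolderPath('Startup')
    if (Test-Path $startup) {
        foreach ($f in Get-ChildItem -Path $startup) {
            New-Object PSObject -Property @{ Source = $startup; Name = $f.Name; Command = $f.FullName }
        }
    }
}

# Pull the executable path out of a command line: a quoted path, or else the
# first token.  Unquoted paths containing spaces are truncated by this rule.
function Get-TargetPath([string]$Command) {
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return $Command
}

foreach ($e in Get-AutostartEntries) {
    $target  = [Environment]::ExpandEnvironmentVariables((Get-TargetPath $e.Command))
    $flags   = @()
    $trusted = $false
    foreach ($d in $TrustedDirs) { if ($target -like "$d\*") { $trusted = $true } }
    if (-not $trusted)                        { $flags += 'outside Windows/Program Files' }
    if (-not (Test-Path -LiteralPath $target)) { $flags += 'target missing' }
    $mark = if ($flags.Count -gt 0) { 'CHECK' } else { 'ok   ' }
    "{0} {1,-24} {2}  [{3}]" -f $mark, $e.Name, $e.Command, ($flags -join ', ')
}
```

Entries marked CHECK are prompts to look closer, not verdicts: a program that registers a bare name such as `rundll32.exe` and relies on the PATH will be flagged as missing, and legitimate software installed under a user profile will be flagged as outside the trusted directories. What you are looking for after a cleanup is the opposite case, an entry with a random-looking name pointing into a temp or profile folder whose file the scanners have already deleted, which is also a clue that the registry value itself still needs removing.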

So, a few lessons I learned on this one: Don’t use IE – this was caused by a flaw in Internet Explorer that I believe was fixed just this week. Second, running as a limited user is still far safer than running as an administrator; even though it’s trivial to elevate to administrator level, most malware seldom does, and this makes cleaning an infected PC much easier.

Next, running your cleanup tools multiple times and rebooting after each scan is the only way to give the anti-malware tools a chance against the bad guys.

This is a guest post by Mark Schneider of the Techwalker Blog, who brings a background as a high-level techie to the blogging world.


18 responses to “Another Day in the Trenches: Killing XP Antivirus 2010”

  1. “Imagine paying yearly to be infected – oh right, we already do that it’s called McAfee”

    That gave me a good chuckle; it could also be called Norton 🙂

    I ran into this version of AV 2010 a few months back; they didn’t use to mess up the exe file associations. The first time I ran into this newer version that does was a treat.
    Also, don’t know if you’re aware, but there is a “portable” version of Super Antispyware available; it requires no installation and is saved under a randomly generated file name every time you download it.

    http://www.superantispyware.com/portablescanner.html

    • Bill Mullins

      Hey Dave,

      I had to laugh when I saw that too.

      Looks like we all have our major dislikes when it comes to AVs.

      Bill

  2. Bill,

    Mark made an excellent point, which I had never thought of: rename the anti-malware app that you download to fix the problem and “maybe” trick the malware. I like that…

    Rick

    • Bill Mullins

      Hey Rick,

      An old trick, but a definite “must do” just to have half a chance at disinfecting.

      Bill

  3. I enjoyed the read.

    Bryan

  4. Mal

    Hey Bill,

    Excellent article. I like the advice not to use IE, because I never do, primarily because it logs keystrokes. I never knew this until I installed Zemana, and I was surprised at the least.

    Cheers

  5. mark

    Bill and All,
    “Imagine paying yearly to be infected – oh right, we already do that it’s called McAfee”
    Funny this gets posted the day after McAfee managed to hose a huge number of computers worldwide with their update debacle.
    To Dave: I’m pretty sure the associations were damaged during the clean-up; I’ve seen that many times before.
    Thanks for all the interest and comments and to Bill for kindly running it.
    Mark

    • Bill Mullins

      Hey Mark,

      It’s always a pleasure posting your articles – they’re always interesting and informative.

      Unbelievable that McAfee would go after Windows files, but….

      I did a cleanup for my local convenience store owner last week on a new rogue as a favor, and for a bit of fun, using Avira Rescue Disk (one of your earlier articles, Mark). After booting from Avira and letting it do its thing, it was dead simple cleaning out the leftovers with Malwarebytes and SuperAntiSpyware.

      Bill

  6. RoseD1st

    Great piece! I agree paying yearly to be infected = Norton 🙂 I never use IE, thank goodness.

    • Bill Mullins

      Hi Rose,

      Mark has a nice informative way of putting together a story. His stuff is always a popular read.

      Good to hear from you. Kinda wondered where you’d been.

      Bill

  7. What do you think about Norton?

    San Antonio Computer Repair (http://www.sanantoniocomputerrepair.net)

    • Bill Mullins

      Hey Brian,

      Just a quote from PC Mag – “Norton Internet Security 2010 is PCMag’s current Editors’ Choice for security suite, and Norton AntiVirus 2010 is a great choice for standalone antivirus”. It’s pretty hard to argue with that.

      Bill

    • Bill Mullins

      Hey Brian,

      Dave runs a shop, like yours, up in New Hampshire. I don’t think he’s a big fan of Norton.

      Thanks for dropping by.

      Bill

  8. kingpin

    Hi Bill,
    Prevx 3.0+MBAM Pro+SAS Pro+Winpatrol Plus+A-Squared 4.5 Free+JavaCool SpywareBlaster 4.3 +SpyBot Search and Destroy+Shadow Defender or Sandboxie free

    Works for me very well.

    Let me know what you think.

  9. John Bent

    Hi Bill

    I guess I’m either stupid, or lucky, or both as I’ve been using McAfee ever since I started with computers ten years ago. Then again, I’m not a “techie”, so probably don’t know any better.

    All I know is I’ve tried many others over the years but always come back to McAfee. It’s not perfect, nothing is; that’s why we need layered security. It works for me though.

    I guess that’s why some people vote for one political party and some for another (we’re in the middle of a general election campaign here in the UK).

    Kind regards

    John

    • Bill Mullins

      Hey John,

      I think your statement “It’s not perfect, nothing is” really sums it up. Having a choice is really the issue.

      I do know, though, that a bad experience with a particular AV can lend itself to a lifelong ban. Human nature, I guess.

      Bill