Popular guest writer Mark Schneider walks you through a computer recovery operation following an infection by a rogue security program, XP Antivirus.
I hate rogue antivirus programs. They seem to be getting more numerous and harder to get rid of all the time. Case in point: at work, I noticed that a shared computer had suddenly popped up a window announcing it was doing a scan and that I was infected with over 4,000 Trojans and other forms of malware.
Nice try, I thought, so I used Control-Alt-Delete to start Task Manager and closed Internet Explorer and all the running processes involved. Fortunately, it was a limited user account that was infected, and that turned out to be an important factor in removing it.
I immediately ran Malwarebytes from that user account and found a number of infections, including the rogue antivirus product I was afflicted with. These cretins who come up with this crap can’t even come up with something creative – we’ve seen XP Antivirus for a few years now; each year they just tack on a year to make it look current.
The sad thing is, I’m sure somewhere out there is someone who renews this crap every year. Imagine paying yearly to be infected – oh right, we already do that; it’s called McAfee, but don’t get me started.
Well, back to the task at hand: I rebooted the machine, logged into an administrator account, updated Malwarebytes and ran it again… and found more junk, actually the same junk. Malwarebytes found it but could not kill it.
Next, I downloaded SuperAntiSpyware, a great application that I always run at home, but it wasn’t on the work machine. The first thing I do now after I download an anti-malware application is rename the installer. I do this because I often find the malware knows how to prevent anti-malware from installing – these guys aren’t creative, but they’re getting smarter.
To rename a file, right-click on it, select Rename, type something like anything.exe, and then install the program. SuperAntiSpyware did its thing and found a ton of additional files. I removed the infected files, rebooted again, and ran both my programs again. I still found junk!
I repeated the sequence two more times until nothing was found. I then ran a scan in all user accounts to confirm “the kill”. So far so good, until I went into the user account where the infection had started: now, whenever I tried to launch any program from the desktop, I’d get the “Choose what Program you want to use to Open this File” message. This meant I had to fix the file associations; a great site with XP file association fixes is here. I used the .exe file association fix and it worked great.
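The .exe association fix Mark applied is, underneath, a handful of registry values. The PowerShell script below is an added example, not code from the original post or from the fix site it links to: it audits the stock machine-wide .exe association, reports any per-user override under HKCU\Software\Classes (which is merged over the machine-wide entry when Windows builds HKEY_CLASSES_ROOT, so it wins for that account and is invisible from any other, a plausible reason the symptom showed up only in the infected user’s account), and restores the stock values when run with -Repair. The script name, its -Repair switch and the list of keys it checks are assumptions of this example; run it from an administrator account.

```powershell
<#
Added example, not code from the original post or from the file-association
fix site it links to. Audits the machine-wide .exe association that a rogue-AV
clean-up can leave broken and optionally restores the stock values.
Usage (from an administrator account):  .\Check-ExeAssociation.ps1 [-Repair]
#>
param([switch]$Repair)

# Stock values Windows ships for the .exe association (the same values the
# usual XP "exe fix" .reg files write back). Single quotes keep "%1" %* literal.
$stock = @(
    @{ Key = 'HKLM:\SOFTWARE\Classes\.exe';                      Value = 'exefile' },
    @{ Key = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Value = '"%1" %*' }
)

# A clean install has no per-user .exe class. HKCU\Software\Classes is merged
# over HKLM\SOFTWARE\Classes to build HKEY_CLASSES_ROOT, so an override here wins
# for this account only. It is listed, not deleted: look at what it points to first.
$userOverrides = @(
    'HKCU:\Software\Classes\.exe',
    'HKCU:\Software\Classes\exefile'
)

# Returns the (default) value of a key, or $null if the key does not exist.
function Get-DefaultValue([string]$Key) {
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'(default)'
}

$problems = 0
foreach ($entry in $stock) {
    $actual = Get-DefaultValue $entry.Key
    if ($actual -eq $entry.Value) {
        Write-Host ('OK       {0}' -f $entry.Key)
        continue
    }
    $problems++
    Write-Host ('MISMATCH {0}  expected [{1}]  actual [{2}]' -f $entry.Key, $entry.Value, $actual)
    if ($Repair) {
        # Recreate the key only if the clean-up removed it outright.
        if (-not (Test-Path -Path $entry.Key)) { New-Item -Path $entry.Key -Force | Out-Null }
        Set-ItemProperty -Path $entry.Key -Name '(default)' -Value $entry.Value
        Write-Host ('REPAIRED {0}' -f $entry.Key)
    }
}

foreach ($key in $userOverrides) {
    if (Test-Path -Path $key) {
        $problems++
        Write-Host ('SUSPECT  per-user override {0} -> [{1}]' -f $key, (Get-DefaultValue $key))
    }
}

if ($problems -eq 0) { Write-Host 'No .exe association problems found.' }
```

Run it once without -Repair from each account on the machine: the machine-wide check gives the same answer everywhere, but the per-user override check only sees the profile you are logged into, which is exactly the case Mark hit.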
The last thing I did was to run Process Explorer and Autoruns from Sysinternals. These utilities give a great in-depth look at what is currently running and what starts on your machine at boot-up. Finding nothing suspicious, I deemed the computer clean, for now.
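As an added example (not from the original post, and no substitute for Autoruns, which covers far more locations), this read-only PowerShell script walks the Run and RunOnce keys for the machine and the current user plus the user’s Startup folder, and flags entries that deserve a second look. The directory and file-name heuristics are assumptions of this example, chosen to surface things to review rather than to declare anything malicious.

```powershell
<#
Added example, not code from the original post and no substitute for Autoruns,
which covers far more locations. Lists Run/RunOnce entries and the current
user's Startup folder and flags entries worth reviewing. Makes no changes.
#>
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristic (an assumption of this example): autostart commands pointing into
# user-writable directories, or with long hex-looking executable names, are
# unusual for installed software. Short (8.3) forms of these paths are not
# normalized here, so treat a miss as "not flagged", never as "clean".
$suspectDirs = @($env:TEMP, $env:APPDATA) | Where-Object { $_ }

function Test-SuspectCommand([string]$Command) {
    foreach ($dir in $suspectDirs) {
        if ($Command -like "*$dir*") { return $true }
    }
    return [bool]($Command -match '(^|\\)[0-9a-f]{8,}\.exe')
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $reg = Get-Item -Path $key
    foreach ($name in $reg.GetValueNames()) {
        $cmd = [string]$reg.GetValue($name)
        $entries += New-Object PSObject -Property @{
            Suspect  = Test-SuspectCommand $cmd
            Location = $key
            Name     = $name
            Command  = $cmd
        }
    }
}

# Per-user Startup folder: anything here runs at logon. Only the file name is
# tested, since the folder itself lives inside the profile on every Windows version.
$startup = [Environment]::GetFolderPath('Startup')
if ($startup -and (Test-Path -Path $startup)) {
    foreach ($file in Get-ChildItem -Path $startup -Force) {
        $entries += New-Object PSObject -Property @{
            Suspect  = Test-SuspectCommand $file.Name
            Location = $startup
            Name     = $file.Name
            Command  = $file.FullName
        }
    }
}

$entries | Sort-Object Suspect -Descending | Format-Table Suspect, Location, Name, Command -AutoSize
```

Flagged rows are the ones to open in Process Explorer or check against the vendor; unflagged rows still merit a glance, because the heuristics are deliberately narrow.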
So, a few lessons I learned on this one. First: don’t use IE – this was caused by a flaw in Internet Explorer which I believe was just fixed this week. Second: running as a limited user is still far safer than running as an administrator; even though it’s trivial to elevate to administrator level, most malware seldom does, and this makes cleaning an infected PC much easier.
Next, running your cleanup tools multiple times and rebooting after each scan is the only way to give the anti-malware tools a chance against the bad guys.
This is a guest post by Mark Schneider of the Techwalker Blog, who brings a background as a high-level techie to the blogging world.
“Imagine paying yearly to be infected – oh right, we already do that it’s called McAfee”
That gave me a good chuckle; it could also be called Norton 🙂
I ran into this version of AV 2010 a few months back. They didn’t use to mess up the exe file associations; the first time I ran into this newer version that does was a treat.
Also, don’t know if you’re aware, but there is a “portable” version of SuperAntiSpyware available; it requires no installation and is saved under a randomly generated file name every time you download it.
http://www.superantispyware.com/portablescanner.html
Hey Dave,
I had to laugh when I saw that too.
Looks like we all have our major dislikes when it comes to AVs.
Bill
Bill,
Mark made an excellent point, which I had never thought of: rename the anti-malware app that you download to fix the problem, to “maybe” trick the malware. I like that…
Rick
Hey Rick,
An old trick, but a definite “must do” just to have half a chance at disinfecting.
Bill
I enjoyed the read.
Bryan
Hey Bill,
Excellent article, I like the advice not to use IE, because I never do. Primarily because it logs keystrokes. I never knew this until I installed Zemana, and I was surprised at the least.
Cheers
Hey Mal,
Happy to hear you’re finding Zemana worthwhile.
Bill
Bill and All,
“Imagine paying yearly to be infected – oh right, we already do that it’s called McAfee”
Funny this gets posted the day after McAfee managed to hose a huge number of computers worldwide with their update debacle.
To Dave: I’m pretty sure the associations were damaged during the clean-up; I’ve seen that many times before.
Thanks for all the interest and comments and to Bill for kindly running it.
Mark
Hey Mark,
It’s always a pleasure posting your articles – they’re always interesting and informative.
Unbelievable that McAfee would go after Windows files, but….
I did a cleanup for my local convenience store owner last week on a new rogue as a favor, and for a bit of fun, using Avira Rescue Disk (one of your earlier articles, Mark). After booting from Avira and letting it do its thing, it was dead simple cleaning out the leftovers with Malwarebytes and SuperAntiSpyware.
Bill
Great piece! I agree, paying yearly to be infected = Norton 🙂 I never use IE, thank goodness.
Hi Rose,
Mark has a nice informative way of putting together a story. His stuff is always a popular read.
Good to hear from you. Kinda wondered where you’d been.
Bill
What do you think about Norton?
San Antonio Computer Repair (http://www.sanantoniocomputerrepair.net)
Hey Brian,
Just a quote from PC Mag – “Norton Internet Security 2010 is PCMag’s current Editors’ Choice for security suite, and Norton AntiVirus 2010 is a great choice for standalone antivirus”. It’s pretty hard to argue with that.
Bill
What about Norton?
San Antonio Computer Repair
Hey Brian,
Dave runs a shop, like yours, up in New Hampshire. I don’t think he’s a big fan of Norton.
Thanks for dropping by.
Bill
Hi Bill,
Prevx 3.0+MBAM Pro+SAS Pro+Winpatrol Plus+A-Squared 4.5 Free+JavaCool SpywareBlaster 4.3 +SpyBot Search and Destroy+Shadow Defender or Sandboxie free
Works for me very well.
Let me know what you think.
Hi Bill
I guess I’m either stupid, or lucky, or both as I’ve been using McAfee ever since I started with computers ten years ago. Then again, I’m not a “techie”, so probably don’t know any better.
All I know is I’ve tried many others over the years but always come back to McAfee. It’s not perfect, nothing is. That’s why we need layered security. It works for me though.
I guess that’s why some people vote for one political party and some for another (we’re in the middle of a general election campaign here in the UK).
Kind regards
John
Hey John,
I think your statement “It’s not perfect, nothing is”, really sums it up. Having a choice is really the issue.
I do know though, that a bad experience with a particular AV, can lend itself to a lifelong ban. Human nature I guess.
Bill