Tag Archives | Dr Web

New Video: Cleaning The Client

In this video I take you behind the scenes as I clean a real client's infested computer:

Tools used in this video:

  • UBCD4Win Bootable Windows Disc
  • Dr. Web’s CureIT (in the bootable environment)
  • Malwarebytes (free)

Removing AntiVir Solution Pro Fake Anti-virus

The only rogue I’ve been seeing this month (over and over again) is AntiVir Solution Pro (a.k.a. Antivir Security Suite). This rogue (fake) anti-virus installs itself instantly and then:

  • prevents the user from using the internet.
  • loads generic porn sites.
  • tells the user that a “key logger” may have been installed or their credit card information is being stolen or that they have dozens of viruses on their PC.
  • prevents any other .exe from opening saying that “.exe is infected”.
  • sets the proxy server settings to 127.0.0.1 (localhost) and a random port on which the rogue listens. This lets it redirect you to a random porn site or to the rogue’s “buy me now” page.
  • may or may not come with a “pack” of other infections, such as other downloaders or a rootkit (if this is a 32-bit OS). 64-bit OSes may see an increase in downloaders in c:\Users\*

How To Remove AntiVir Solution Pro:

  1. Download Dr. Web’s Live CD and burn the ISO to disc.
  2. Boot from the Dr. Web Live CD.
  3. Scan the following directories (if they exist): c:\users or c:\documents and settings, and c:\windows\. This may take about an hour to complete. Disinfect (cure) anything it finds.
  4. Reboot into Safe Mode with Networking by tapping the F8 key.
  5. Now that you’re inside Safe Mode with Networking we need to turn off the proxy server settings. Refer to this article on how to turn off proxy server settings.
  6. Download CCleaner.
  7. Run it and clean all the temporary data for the user logged on (you have to do this for each account on your computer).
  8. It’s time to load Malwarebytes. Download the latest copy of Malwarebytes and update it.
  9. Run a full scan with Malwarebytes (if you have the time; if not, quick scans are usually enough). Remove anything Malwarebytes finds and reboot into normal mode.
  10. You should be all clean now.
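Step 5 is the one people get wrong, because the rogue’s loopback proxy survives every other step and comes back the moment the browser is opened. The script below is an added example (not from the original post) that shows what the setting looks like from PowerShell, lists any process still listening on the rogue’s port, and clears the values when run with -Fix. It assumes the rogue only changed the per-user WinINET values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (the ones Internet Explorer reads) and that you run it as the affected user in Safe Mode with Networking; the machine-wide WinHTTP proxy is not covered.

```powershell
# Added example (not from the original post): inspect the per-user WinINET proxy
# settings that the rogue points at 127.0.0.1:<random port>, show which process
# (if any) is listening there, and clear the settings when run with -Fix.
# Assumptions: the rogue only changed the HKCU "Internet Settings" values that
# Internet Explorer/WinINET read (the machine-wide WinHTTP proxy is not touched),
# and you are logged on as the affected user (in Safe Mode with Networking).
param([switch]$Fix)

$key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$props = Get-ItemProperty -Path $key

$enabled = [int]$props.ProxyEnable          # 1 = proxy in use, 0/absent = direct
$server  = [string]$props.ProxyServer       # e.g. "127.0.0.1:4821" or "http=127.0.0.1:4821;..."
$autoCfg = [string]$props.AutoConfigURL     # a PAC script can redirect traffic just as well

Write-Host "ProxyEnable   : $enabled"
Write-Host "ProxyServer   : $server"
Write-Host "AutoConfigURL : $autoCfg"

# A loopback proxy on an arbitrary port is the pattern described above; a home PC
# normally has no reason to route its own browser through a local listener.
$loopback = $server -match '(^|=)(127\.0\.0\.1|localhost):(\d+)'
$port     = if ($loopback) { $Matches[3] } else { $null }

if (-not (($enabled -eq 1 -and $loopback) -or $autoCfg -ne '')) {
    Write-Host 'No loopback proxy or auto-config script set; nothing to do.'
    return
}

Write-Warning "Suspicious proxy configuration: ProxyServer='$server' AutoConfigURL='$autoCfg'"

# In normal mode the rogue's process holds the port; in Safe Mode it usually is
# not running, so an empty result here is expected. The last column is the PID.
if ($port) {
    Write-Host "Processes listening on port ${port}:"
    netstat -ano | Select-String -Pattern ":$port\s+\S+\s+LISTENING\s+(\d+)" |
        ForEach-Object { $_.Line.Trim() }
}

if ($Fix) {
    Set-ItemProperty    -Path $key -Name ProxyEnable   -Value 0 -Type DWord
    Remove-ItemProperty -Path $key -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue
    Write-Host 'Proxy disabled and server/auto-config values removed. Restart the browser so WinINET re-reads them.'
} else {
    Write-Host 'Re-run with -Fix to disable the proxy and remove those values.'
}
```

Run it once without -Fix to see what is set, then again with -Fix. The AutoConfigURL check is there because a PAC script pointed at the same local listener does the same redirection without ProxyEnable ever being 1, so a check on ProxyServer alone can miss it.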

Look for my next post which will show you how to block rogues like AntiVir Solution Pro.


OS-Specific Rogues – Vista Smart Security 2010

I was hammered with a new (sort of) rogue called Vista Smart Security 2010 this week. As far as I know this is an OS-specific rogue, because I only saw it on Vista boxes. This rogue is easy to delete; however, it comes with an agent that suppresses commercial anti-malware.

Vista Smart Security 2010

Here is the MBAM log (from my UBCD4WIN):

Scan type: Quick scan
Objects scanned: 109550
Time elapsed: 4 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rjwpbgsg (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pjrevdjn (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\omtgiuok (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leccnidu (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jfneaspr (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Windows\System32\SYSTEM32 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\SYSTEM32\DRIVERS (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\SYSTEM32\DRIVERS\rtl8187.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\SYSTEM32\DRIVERS\rtl8187B.sys (Trojan.Agent) -> Quarantined and deleted successfully.

If you don’t know how to build a UBCD4WIN you can download the free Dr. Web live CD, which gets rid of this rogue and its agent easily.
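Two things in that log are worth being able to spot on the next machine without waiting for a scanner: the five Run values named with eight random lowercase letters (rjwpbgsg, pjrevdjn and so on) and the NoActiveDesktopChanges policy MBAM reports as Hijack.DisplayProperties. The script below is an added example (not from the original post or from Malwarebytes) that walks the same Run keys and policy on a live system and marks entries that fit that pattern. The name and path rules are assumptions, a heuristic rather than a signature, so every [CHECK] line still needs a human look before anything is removed.

```powershell
# Added example (not from the original post): walk the autorun locations the MBAM
# log above flagged and mark entries that look like that rogue's: Run values named
# with a random run of lowercase letters, or whose target sits inside a user
# profile, plus the Explorer policy it set. Heuristic only; review every [CHECK]
# line before deleting anything. Assumes a live system (run as Administrator to
# read HKLM); an offline hive would first need "reg load".
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Get-ItemProperty adds these bookkeeping properties; they are not registry values.
$psProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

foreach ($rk in $runKeys) {
    if (-not (Test-Path $rk)) { continue }
    $item = Get-ItemProperty -Path $rk
    foreach ($p in $item.PSObject.Properties) {
        if ($psProps -contains $p.Name) { continue }
        $name  = $p.Name
        $value = [string]$p.Value

        # Names like rjwpbgsg / pjrevdjn in the log: 7-10 lowercase letters, nothing else.
        $randomName = $name -cmatch '^[a-z]{7,10}$'
        # Legitimate startup items usually live under Program Files or Windows,
        # not in a profile, Temp or AppData directory.
        $profileTarget = ($value -match '\\(Users|Documents and Settings)\\') -or
                         ($value -match '\\(Temp|AppData|Local Settings)\\')

        $flag = if ($randomName -or $profileTarget) { '[CHECK]' } else { '       ' }
        Write-Host ('{0} {1}\{2} = {3}' -f $flag, $rk, $name, $value)
    }
}

# The log's "Registry Data Item": with this policy set to 1 the user cannot change
# the desktop, which keeps the rogue's warnings in place. 0 or absent is normal.
$polKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$pol = Get-ItemProperty -Path $polKey -Name NoActiveDesktopChanges -ErrorAction SilentlyContinue
if ($pol -and $pol.NoActiveDesktopChanges -eq 1) {
    Write-Warning "$polKey\NoActiveDesktopChanges = 1 (MBAM calls this Hijack.DisplayProperties)"
} else {
    Write-Host 'NoActiveDesktopChanges policy not set.'
}
```

The script only reports; removal stays a deliberate step, because a legitimate vendor occasionally drops a startup item into AppData too. The match on the Run name is case-sensitive (-cmatch) on purpose: the rogue's names are all lowercase, while most real entries use mixed case or contain a dot or space.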
