Tag Archives | Microsoft Vista

OS Specific Rogues – Vista Smart Security 2010

I was hammered with a new (sort of) rogue called Vista Smart Security 2010 this week. As far as I know this is an OS-specific rogue, because I only saw it on Vista boxes. This rogue is easy to delete; however, it comes with an agent that suppresses commercial anti-malware.

Vista Smart Security 2010

Here is the MBAM log (from my UBCD4WIN):

Scan type: Quick scan
Objects scanned: 109550
Time elapsed: 4 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rjwpbgsg (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pjrevdjn (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\omtgiuok (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leccnidu (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jfneaspr (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Windows\System32\SYSTEM32 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\SYSTEM32\DRIVERS (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\SYSTEM32\DRIVERS\rtl8187.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\SYSTEM32\DRIVERS\rtl8187B.sys (Trojan.Agent) -> Quarantined and deleted successfully.

If you don't know how to build a UBCD4WIN you can download the free Dr. Web live CD, which gets rid of this rogue and its agent easily.


How To Manually Find, Terminate and Remove Rogue Antivirus

Rogue Anti-Virus is the #1 piece of malware that I see on a weekly basis. While they're easy for me to remove, they are not so easy for the casual user to remove. There are of course many applications that find and remove rogue anti-virus applications; however, there are times when you might need to manually remove the rogue. Here's how I've been doing it.

Terminating the process:

  1. I verify that a Rogue is present. This isn't hard, since it's usually popping up every few seconds.
  2. Press CTRL-ALT-DELETE (if it's available)
  3. Click Task Manager
  4. Click Processes
  5. Find a process whose name usually consists of nothing but numbers, for example 2342342.exe. If you do not see an all-numeric name, then your rogue has a name like SystemSecurityPro.exe or GreenAV.exe, etc.
  6. Select that process and click End Process.
  7. At this point the rogue process has been terminated.

Removing Rogue Anti-virus that is named with random numbers

  1. Click Start
  2. Click Run (or for Vista type in the start search box)
  3. For Windows XP type C:\documents and settings\all users\Application Data and click OK. A window will open containing a folder with a name of about 8 numbers. Your Rogue is in there. Delete that folder.
  4. For Windows Vista type C:\users\all users in the "start search" box and press Enter. Your randomly named folder with about 8 digits should be in there. Delete it.

Removing Rogue Anti-Virus that has a name like System Guard Pro, AV2010, etc

  1. Open Windows Explorer.
  2. Open your C:\ drive.
  3. Open Program Files
  4. Find the Rogue and Delete the folder.
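As an added example (my own script, not code from these posts), here is a read-only PowerShell triage that applies the manual checks above and also looks for the indicators from the Vista Smart Security 2010 MBAM log in the earlier post: processes with all-digit names, all-digit folders under the all-users application data directory, per-user Run entries pointing at such folders, the NoActiveDesktopChanges policy value MBAM flagged, and the nested System32\SYSTEM32 folder. It only reports; it deletes nothing, so you still make the call on each hit. The function names, the "six or more digits" threshold and the eight-lowercase-letter value-name heuristic are my assumptions, not anything the posts state.

```powershell
# Added example, not code from the original posts. Read-only triage that applies
# the manual checks above and the indicators from the Vista Smart Security 2010
# MBAM log: it REPORTS candidates and deletes nothing, so a human still decides.
# Assumptions (mine): run from PowerShell on the suspect machine; function names,
# the "6 or more digits" threshold and the 8-letter name heuristic are my choices.

# 1. Running processes whose image name is only digits (the 2342342.exe pattern).
#    Get-Process's ProcessName has no .exe suffix, so ^\d+$ is the whole name.
function Get-NumericNameProcess {
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -match '^\d+$' } |
        Select-Object Id, ProcessName, Path
}

# 2. All-digit folders under the all-users application data directory
#    (XP: Documents and Settings\All Users\Application Data; Vista: ProgramData,
#    to which C:\Users\All Users is a junction). PSIsContainer is used instead of
#    -Directory so this also works on the PowerShell 2.0 that shipped with Vista.
function Get-NumericDataFolder {
    $roots = @($env:ProgramData,
               'C:\Documents and Settings\All Users\Application Data') |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -match '^\d{6,}$' } |
            Select-Object FullName, CreationTime
    }
}

# 3. Per-user Run entries (where the log's rjwpbgsg-style values lived). Flags a
#    value whose command points into an all-digit folder or executable, or whose
#    name is eight lowercase letters. Both are heuristics; review every hit.
function Get-SuspiciousRunEntry {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (-not (Test-Path $key)) { return }
    # Properties the registry provider adds to every item; not real Run values.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($meta -contains $prop.Name) { continue }
        $cmd = [string]$prop.Value
        $numericTarget = $cmd -match '[\\/]\d{6,}([\\/]|\.exe)'
        $randomName    = $prop.Name -cmatch '^[a-z]{8}$'
        if ($numericTarget -or $randomName) {
            New-Object PSObject -Property @{ Name = $prop.Name; Command = $cmd }
        }
    }
}

# 4. Indicators taken from the MBAM log in the earlier post: the Explorer policy
#    value MBAM reported as hijacked (Bad: 1), and the odd nested System32\SYSTEM32
#    folder the rogue's driver files were quarantined from.
function Get-LogIndicator {
    $policy = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (Test-Path $policy) {
        $v = (Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue).NoActiveDesktopChanges
        if ($v -eq 1) { "NoActiveDesktopChanges=1 under $policy" }
    }
    $nested = Join-Path $env:windir 'System32\SYSTEM32'
    if (Test-Path -LiteralPath $nested) { "Nested folder present: $nested" }
}

'== Processes with all-digit names ==';          Get-NumericNameProcess | Format-Table -AutoSize
'== All-digit folders in all-users app data =='; Get-NumericDataFolder | Format-Table -AutoSize
'== Suspicious HKCU Run entries ==';             Get-SuspiciousRunEntry | Format-Table -AutoSize
'== Indicators from the MBAM log ==';            Get-LogIndicator
```

Run it before killing anything: the process list tells you which image to end in Task Manager, the folder and Run-entry output tells you where the rogue lives and how it restarts, and an empty section simply means that check found nothing. Because it runs on the live system, a rogue that suppresses security tools can interfere with it; on a machine like that, do the folder and registry checks from a boot CD against the mounted drive instead, as the earlier post does.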

If you have your own way of manually finding and removing Rogue Anti-Virus please share it with us.


64 Bit Reviews on the way

I’ve got plenty of new reviews on the way, however I’m setting up a 64 bit PC for them this weekend.  With this new PC I’ll be able to test 64 bit software like Vista and Windows 7.  I’ll also be keeping the old 32 bit box around as well.
