kmyousafzai — 2010-02-07T15:59:36-05:00 — #1
Hi guys, I am receiving the msg that your system is at risk and bla bla, and cannot open any web site;
how to delete this system file?
crazybanana — 2010-02-07T18:20:15-05:00 — #2
get [this](http://download.bleepingcomputer.com/reg/antivirus-vista-2010/FixExe.reg) and save it to disk, then get [this](http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe) and save it too, to disk.
then delete all temp files and make sure "vista internet security 2010" is running and double-click on "FixExe.reg" and choose yes to add data.
then install mbam-setup.exe -> run it -> update it -> scan -> remove.
get [ccleaner](http://www.ccleaner.com), install it and run it. get [hijackthis](http://free.antivirus.com/hijackthis) and run it and see if there are any more files to be removed, but be careful and do not remove any files you'll need.
if you're having trouble, try rebooting into safe mode (f8), and do the removal process there.
the files this rogue malware creates are:
av.exe and WRblt8464P, and the reg values it creates are:
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "av.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "av.exe" /START "firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "av.exe" /START "firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "av.exe" /START "iexplore.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
but malwarebytes anti malware (mbam) should be able to take care of its reg keys, if not - try from safe mode.
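The registry entries listed above are the classic shell-handler hijack: every `.exe` launch (and the browser shortcuts) is routed through `av.exe` first, and the Security Center override values silence the "no antivirus/firewall" warnings. The following is an added example, not code from the thread or from any of the tools it names: a small offline checker that reads entries written in the same `KEY "name" = value` notation the post uses, flags any `shell\...\command` handler whose first program is neither `%1` nor the browser the key belongs to, and flags override values set to `1`. The sample entries are constructed for the example (the rogue's entries plus clean Windows defaults).

```python
import re
from typing import List, Tuple

# Constructed sample in the thread's own notation: the rogue's entries from post #2
# plus clean defaults (exefile handler, a real Firefox path, FirewallOverride = 0).
SAMPLE_ENTRIES = r'''
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "av.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "av.exe" /START "iexplore.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "0"
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = "%1" %*
'''

# KEY "name" = value ; the key is everything before the first quoted value name.
ENTRY_RE = re.compile(r'^(?P<key>.+?)\s+"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
OVERRIDES = {"AntiVirusOverride", "FirewallOverride"}


def first_program(command: str) -> str:
    """Lower-case basename of the first (possibly quoted) token of a command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        token = command[1:end] if end > 0 else command[1:]
    else:
        token = command.split()[0] if command.split() else ""
    return token.rsplit("\\", 1)[-1].lower()


def scan_entries(text: str) -> List[Tuple[str, str]]:
    """Return (key, reason) for hijacked shell handlers and Security Center overrides."""
    findings: List[Tuple[str, str]] = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        key, name, value = m.group("key"), m.group("name"), m.group("value")
        parts = key.lower().split("\\")
        if name in OVERRIDES and parts[-1] == "security center" and value.strip().strip('"') == "1":
            findings.append((key, f"{name} set to 1 (Security Center alerting suppressed)"))
        elif len(parts) >= 3 and parts[-3] == "shell" and parts[-1] == "command":
            program = first_program(value)
            if program == "%1":
                continue  # default: run the file itself
            if "startmenuinternet" in parts and program == parts[parts.index("startmenuinternet") + 1]:
                continue  # browser shortcut launches that browser directly
            findings.append((key, f"handler runs '{program}' before the real target"))
    return findings


if __name__ == "__main__":
    for key, reason in scan_entries(SAMPLE_ENTRIES):
        print(f"{key}: {reason}")
```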
alexdawson — 2010-02-09T21:08:38-05:00 — #3
And that is why you don't install anything which you cannot vouch for. Even if you manage to fix all those steps, there is a chance it may not remove all the remnants. Fake security software is notoriously hard to remove, if I ever got infected by something like that I would hit the system restore button, if that wouldn't make it disappear, it would be a format. I would be too paranoid that it might be stealing personal information (as those kinds of products tend to do).
crazybanana — 2010-02-10T05:58:20-05:00 — #4
Yes, but this kind of malware can be very sneaky when it comes to the install process, especially to inexperienced users.
But of course I agree with you, one shall not install anything one does not know, is unsure about or cannot verify.