Thursday, February 4, 2010

I killed "Antivirus Soft": Here's how...

January 2010 may have set a record for viruses, spyware & malware. At least I can say that for my office of 200+ XP PCs. One of the toughest that I've seen in a long time is "Antivirus Soft". One of the most annoying things about it is the fact that it was able to render exe files useless so I couldn't run AVG, Spybot Search & Destroy or Malwarebytes.

I discovered that if I clicked on an exe before "Antivirus Soft" was able to load (right as Windows started) I was able to get AVG, Spybot Search & Destroy and Malwarebytes to run. All my favorite security software found many infections and problems. I cleaned them all and thought the XP machine was clean.

The next day I was notified that "Antivirus Soft" had returned. Again I was forced to run AVG, Spybot Search & Destroy and Malwarebytes right as Windows started up to avoid "Antivirus Soft". Unfortunately they all came up empty. Maybe CCleaner would clean up the registry so I could finally kill it, but it didn't work. So finally, I backed up the registry and began to scour it for any traces of "Antivirus Soft".

There's also more than one graphical interface to this malware. I've seen 2 or maybe 3 different versions now. The 2 in the pics here are the ones I was able to clean off the PCs by rebooting in safe mode (or a regular boot if safe mode doesn't work), starting regedit, deleting the registry keys and then scanning with AVG, Spybot and Malwarebytes.

Here's what I found and deleted in the registry (make sure to export the registry) to save the PC...

"Antivirus Soft" creates the following registry keys and values:
HKEY_CURRENT_USER\Software\AvSoft (this could be a different name)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RANDOM]

Now it's all clean.
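An added example, not part of the original post: a PowerShell triage script that exports and then inspects the three registry locations listed above, flagging Run entries that launch from user-writable folders (the usual home of the [RANDOM] value). The backup folder path and the user-writable-folder heuristic are my assumptions, not something the post states.

```powershell
# Added example, not from the original post: triage the autorun locations named above.
# Assumptions: run as the affected user with admin rights; $ExportDir is a constructed path.
$ExportDir = 'C:\RegBackup'   # assumed backup folder for the exported .reg files
$Keys = @(
    'HKCU:\Software\AvSoft',   # name may differ per variant, as the post notes
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Folders a rogue's Run value typically launches from; constructed heuristic, not from the post
$SuspectRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:USERPROFILE)

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

foreach ($key in $Keys) {
    if (-not (Test-Path $key)) { Write-Host "absent: $key"; continue }

    # Always export before touching anything (the post's "make sure to export the registry")
    $regPath = $key -replace '^HKCU:', 'HKEY_CURRENT_USER' -replace '^HKLM:', 'HKEY_LOCAL_MACHINE'
    $file = Join-Path $ExportDir (($key -replace '[:\\]', '_') + '.reg')
    reg.exe export $regPath $file /y | Out-Null

    if ($key -like '*\AvSoft') {
        Write-Host "FOUND rogue key: $key (exported to $file)"
        continue
    }

    # Inspect each Run value; flag commands that start from user-writable locations
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        $cmd = [string]$p.Value
        $suspect = $SuspectRoots | Where-Object {
            $_ -and $cmd.IndexOf($_, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
        }
        $tag = if ($suspect) { 'SUSPECT' } else { 'ok     ' }
        Write-Host ("{0}  {1}  {2} = {3}" -f $tag, $key, $p.Name, $cmd)
    }
}
Write-Host "Review SUSPECT entries, then remove a confirmed one with, for example:"
Write-Host "  Remove-ItemProperty -Path '<Run key>' -Name '<value name>' -WhatIf"
```

Run it from safe mode, as the post describes, so the rogue is not resident while you read the output; the exported .reg files let you restore any entry deleted by mistake.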