Windows Antivirus 2010 - You likely will get this

Foghladha
Taoiseach de na Arach Glas
Posted On: 03/05/2010 at 12:40 PM

Hey Guys,
There's a real nasty one going around that seems to have AV software figured out. Here are some notes on how to remove it.

What it looks like:


1. Restart your machine
2. Press F8 to get the boot menu
3. Boot in safe mode with networking
4. Ctrl+Alt+Delete and stop av.exe
5. Click Start Menu
6. Click Run...
7. Enter "regedit"

Remove the Following:
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKEY_CURRENT_USER\Software\Classes\.exe
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\.exe\shell
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\start
HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command
HKEY_CURRENT_USER\Software\Classes\secfile
HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\secfile\shell
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command
HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas
HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command
HKEY_CURRENT_USER\Software\Classes\secfile\shell\start
HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command | @ = ""%AppData%\av.exe" /START "%1" %*"
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command | IsolatedCommand = ""%1" %*"
HKEY_CURRENT_USER\Software\Classes\.exe | @ = "secfile"
HKEY_CURRENT_USER\Software\Classes\.exe | Content Type = "application/x-msdownload"
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command | @ = ""%AppData%\av.exe" /START "%1" %*"
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command | IsolatedCommand = ""%1" %*"

What To Change
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
Change this to 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
Change this to 0

Files to Delete:
%UserProfile%\Local Settings\Application Data\av.exe
%UserProfile%\Local Settings\Application Data\WRblt8464P

Now that its injection mechanism is removed:
Download MalwareBytes and run a full disk scan

Once I know it's 100% gone from my machine I'll update this post. So far these are the steps I've run. This virus disables your AV and Firewall, and pretends to be the Windows Security Center. It also rewrites your browser aliases to point at the virus exe so that when you try to launch IE or Firefox it injects you. It will also try to load itself while in safe mode. It's a clever little bastard but I've seen smarter destro. It's tough but it isn't axewoof or anything. Between my father and me we have cleaned 6 computers in the past 7 days of this. I suspect a lot more will suffer before the AV companies get a fix for it.

Ben's Tip of the Day: Download MalwareBytes, update it and run a full disk scan. Get this software on your machine ASAP before you have to run through the above just to be able to download it. So far this is one of the only apps that recognizes the infection and can remove it 100%. Good luck guys.

» Edited on: 2010-03-05 12:41:25

"It's not the loot and accolades you walk away with, it's the memories and friendships that you cherish forever." - Foghladha
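A read-only audit of the registry locations the steps above touch, added here as an example and not part of the original post. The `exefile` and `"%1" %*` values are the stock Windows defaults for those keys; the Security Center key layout is assumed to be the XP/7-era one this thread concerns, and the script name and output format are my own.

```powershell
# Hypothetical read-only audit for the av.exe association hijack described in this thread.
# Run in an elevated PowerShell prompt on the affected machine; it changes nothing.
# Assumption: XP/7-era layout, where HKLM\SOFTWARE\Microsoft\Security Center holds the overrides.
$findings = @()

function Get-DefaultValue([string]$Path) {
    # Returns a key's (Default) value, or $null when the key or the value is absent.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    return (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).'(default)'
}

# 1. Per-user .exe handler. A clean profile has no HKCU\Software\Classes\.exe at all;
#    the infection creates it (and the "secfile" class it points to) so it wins over HKLM.
foreach ($cls in '.exe', 'secfile') {
    $key = "HKCU:\Software\Classes\$cls"
    if (Test-Path -LiteralPath $key) {
        $cmd = Get-DefaultValue "$key\shell\open\command"
        $findings += "per-user class '$cls' present; open command = [$cmd]"
    }
}

# 2. Machine-wide .exe handler. Stock Windows maps .exe -> exefile and runs "%1" %*.
#    If either is missing or wrong, Explorer can no longer launch any .exe file.
$expected = @{
    'HKLM:\SOFTWARE\Classes\.exe'                       = 'exefile'
    'HKLM:\SOFTWARE\Classes\exefile\shell\open\command' = '"%1" %*'
}
foreach ($key in $expected.Keys) {
    $val = Get-DefaultValue $key
    if ($val -ne $expected[$key]) { $findings += "$key = [$val]; expected [$($expected[$key])]" }
}

# 3. Browser launch aliases rewritten to go through av.exe.
$clients = 'HKLM:\SOFTWARE\Clients\StartMenuInternet'
if (Test-Path -LiteralPath $clients) {
    foreach ($browser in Get-ChildItem -LiteralPath $clients) {
        foreach ($sub in 'shell\open\command', 'shell\safemode\command') {
            $cmd = Get-DefaultValue "$clients\$($browser.PSChildName)\$sub"
            if ($cmd -match 'av\.exe') { $findings += "$($browser.PSChildName) $sub = [$cmd]" }
        }
    }
}

# 4. Security Center overrides: a value of 1 silences the missing-AV/firewall warnings.
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($name in 'AntiVirusOverride', 'FirewallOverride') {
    $v = (Get-ItemProperty -LiteralPath $sc -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1) { $findings += "Security Center $name = 1; should be 0" }
}

if ($findings.Count -eq 0) { 'No indicators of the av.exe association hijack found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Check 2 is the one to rerun after editing the keys by hand, since removing too much under exefile produces exactly the "Windows no longer knows how to open .exe" symptom.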

Response:

Gordon
Seaimpin de na Aracos
Replied On: 03/05/2010 at 04:15 PM PST

Thanks for posting this, Ben! A friend of mine has a laptop infected with this, and asked me to try to fix it for him. I'm certain you've saved me a ton of frustration and hair-pulling!

Foghladha
Taoiseach de na Arach Glas
Replied On: 03/05/2010 at 04:22 PM PST

Get MalwareBytes on a flash drive before you go. I did run into 1 major hangup. My system no longer knows how to open a .exe file. I'm working on finding the last piece of this puzzle.

Foghladha
Taoiseach de na Arach Glas
Replied On: 03/06/2010 at 10:25 AM PST

After running MalwareBytes one more time my system is totally clean and operational. I will post the additional change I made as soon as my comp is done cleaning.
