Hey Guys,
There's a real nasty one going around that seems to have AV software figured out. Here are some notes on how to remove it.
What it looks like:
1. Restart Your Machine
2. Press F8 to get boot menu
3. Boot in safe mode with networking
4. Ctrl+Alt+Delete, open Task Manager and end the av.exe process
5. Click Start Menu
6. Click Run...
7. Enter "regedit"
Remove the Following:
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKEY_CURRENT_USER\Software\Classes\.exe
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\.exe\shell
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\start
HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command
HKEY_CURRENT_USER\Software\Classes\secfile
HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\secfile\shell
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command
HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas
HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command
HKEY_CURRENT_USER\Software\Classes\secfile\shell\start
HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command | @ = "%AppData%\av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command | IsolatedCommand = "%1" %*
HKEY_CURRENT_USER\Software\Classes\.exe | @ = "secfile"
HKEY_CURRENT_USER\Software\Classes\.exe | Content Type = "application/x-msdownload"
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command | @ = "%AppData%\av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command | IsolatedCommand = "%1" %*
What To Change:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
Change this to 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
Change this to 0
Files to Delete:
%UserProfile%\Local Settings\Application Data\av.exe
%UserProfile%\Local Settings\Application Data\WRblt8464P
Now that its injection mechanism is removed, download MalwareBytes and run a full disk scan.
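As an added check that is not part of the original post, here is a small Python script that parses a regedit export (File > Export, version 5.00 .reg format) of the keys listed above and flags the indicators described in this post: a .exe class pointing somewhere other than the normal exefile, shell command verbs launched through a binary in the user profile, and the two Security Center override values set to 1. The embedded .reg text is a constructed sample built from the keys above, not a real capture.

```python
import re
# Constructed sample of a regedit export (.reg, version 5.00) from an infected profile,
# assembled from the keys the post lists above; not a real capture.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"
[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"%AppData%\\av.exe\" /START \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"%UserProfile%\\Local Settings\\Application Data\\av.exe\" /START \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
'''
COMMAND_KEY = re.compile(r'\\shell\\(open|runas|start|safemode)\\command$', re.I)  # hijacked verbs
USER_WRITABLE = re.compile(r'%AppData%|%UserProfile%|Application Data', re.I)   # where av.exe lives

def parse_reg(text):
    """Return {key: {value_name: data}} from a .reg export (REG_SZ and REG_DWORD only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line[:1] in ('@', '"'):
            name, _, data = line.partition('=')
            name = name if name == '@' else name.strip('"')   # '@' is the (Default) value
            if data.startswith('"'):
                data = re.sub(r'\\(.)', r'\1', data[1:-1])     # REG_SZ: unquote, undo \\ and \"
            elif data.startswith('dword:'):
                data = int(data[6:], 16)                       # REG_DWORD is written in hex
            keys[current][name] = data
    return keys

def find_indicators(keys):
    """Flag .exe rerouted to a custom class, verbs run via a user-profile binary, and overrides."""
    hits = []
    for key, values in keys.items():
        default = str(values.get('@', ''))
        if key.lower().endswith('\\.exe') and default.lower() != 'exefile':
            hits.append((key, '@', default))
        elif COMMAND_KEY.search(key) and USER_WRITABLE.search(default):
            hits.append((key, '@', default))
        elif key.lower().endswith('\\microsoft\\security center'):
            for name in ('AntiVirusOverride', 'FirewallOverride'):
                if values.get(name) == 1:
                    hits.append((key, name, 1))
    return hits
```

Export the keys from a suspect machine, feed the file's text to parse_reg, and anything find_indicators returns is a key to remove or a value to set back to 0 per the lists above.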
Once I know it's 100% gone from my machine I'll update this post. So far these are the steps I've run. This virus disables your AV and firewall and pretends to be the Windows Security Center. It also rewrites your browser aliases to point at the virus exe, so that when you try to launch IE or Firefox it injects you. It will also try to load itself while in safe mode. It's a clever little bastard but I've seen smarter destro. It's tough but it isn't axewoof or anything. Between my father and me we have cleaned 6 computers of this in the past 7 days. I suspect a lot more will suffer before the AV companies get a fix for it.
Ben's Tip of the Day: Download MalwareBytes, update it and run a full disk scan. Get this software on your machine ASAP, before you have to run through the above just to be able to download it. So far this is one of the only apps that recognizes the infection and can remove it 100%. Good luck guys.
» Edited on: 2010-03-05 12:41:25