Windows Antivirus 2010 - You likely will get this

Hey Guys,
There's a real nasty one going around that seems to have AV software figured out. Here's some notes as to how to remove it.

What it looks like:


1. Restart Your Machine
2. Press F8 to get boot menu
3. Boot in safe mode with networking
4. Cntr+Alt+Delete stop av.exe

5. Click Start Menu
6. Click Run...
7. Enter "regedit"

Remove the Following:
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKEY_CURRENT_USER\Software\Classes\.exe
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\.exe\shell
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\start
HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command
HKEY_CURRENT_USER\Software\Classes\secfile
HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\secfile\shell
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command
HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas
HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command
HKEY_CURRENT_USER\Software\Classes\secfile\shell\start
HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command | @ = “”%AppData%\av.exe” /START “%1″ %*”
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command | IsolatedCommand = “”%1″ %*”
HKEY_CURRENT_USER\Software\Classes\.exe | @ = “secfile”
HKEY_CURRENT_USER\Software\Classes\.exe | Content Type = “application/x-msdownload”
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command | @ = “”%AppData%\av.exe” /START “%1″ %*”
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command | IsolatedCommand = “”%1″ %*”

What To Change
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
Change this to 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
Change this to 0

Files to Delete:
%UserProfile%\Local Settings\Application Data\av.exe
%UserProfile%\Local Settings\Application Data\WRblt8464P

Now that it's injection mechanism is removed
Download MalwareBytes and run a full disk scan

Once I know it's 100% gone from my machine I'll update this post. So far these are the steps i've run. This virus disables your AV, Firewall, and pretends to be the Windows Security center. It also rewrites your browser aliases to point at the virus exe so that when you try to launch IE or Firefox it injects you. It will also try to load itself while in safe mode. It's a cleaver little bastard but I've seen smarter destro. It's tough but it isn't axewoof or anything. Between my father and I we have cleaned 6 computers in the past 7 days of this. I suspect a lot more will suffer before the AV companies get a fix for it.

Ben's Tip of the Day: Download MalwareBytes, Update it and Run a full disk scan. Get this software on you machine ASAP before you have to run through the above just to be able to download it. So far this is one of the only apps the recognizes the infection and can remove it 100%. Good luck guys.

» Edited on: 2010-03-05 12:41:25

Thanks for posting this, Ben! A friend of mine has a laptop infected with this, and asked me to try to fix it for him. I'm certain you've saved me a ton of frustration and hair-pulling!

Get MalwareBytes on a flash drive before you go. I did run into 1 major hangup. My system no longer knows how to open a .exe file. Im working on finding the last piece of this puzzle.

After running malware bytes one more type my system is totally clean and operational. I will post the additional change I made as soon as my comp is done cleaning.