Endpoint Protection

XP Internet Security 2010 rogue 

03-06-2010 12:18 PM

While I was searching the web for iPhones, fake security malware infected my laptop. Although I use Firefox and Symantec Endpoint, the trojan slipped through my XP SP3 system. When I ran a full scan, the March 5 r of Symantec did not identify the problem. After researching the web, I found a blog at "Bleepingcomputer.com," which fully described the problem and the solution. I used MalwareBytes' AntiMalware to remove the infected registry entries and files. Note that the rogue has other names, such as Vista Internet Security 2010, Win 7 Internet Security 2010, and several others. This rogue must be disabled before it allows other executable files to run. I used FixExe.reg.

Variants of the files infected are as follows.

%UserProfile%\Local Settings\Application Data\av.exe
%UserProfile%\Local Settings\Application Data\WRblt8464P
%UserProfile%\AppData\Local\av.exe <In Antivirus Vista 2010 & Win 7 Antispyware 2010>
%UserProfile%\AppData\Local\WRblt8464P <In Antivirus Vista 2010 & Win 7 Antispyware 2010>

HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"

My system had the "av.exe" rogue and six infected registry files.

Any questions, please reference the article posted Jan 27, 2010 by Grinler on BleepingComputer.com "How to remove XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010."
I also found an older article at http://www.microsoft.com/security/antivirus/rogue.aspx

Comments

12-29-2011 06:41 AM

I agree that this is a Java exploit. Fun fact: this malware has now been out for more than 2 years, it hasn't changed much, and still it can infect PCs with ease. One of mine was infected yesterday by drive-by infection while visiting a site for horse bets.

All Windows 7 updates in, ESET Smart Security, Windows Defender on, fully updated Java for 64-bit Windows, but (as I have seen afterwards) some problems with the second Java for the 32-bit internet browser.

I was updating both versions regularly, but I have always experienced some problems while updating: Java for 64-bit could be updated with ease, Java for 32-bit always displayed errors and sometimes needed special care.

Next fun fact: ESET Smart Security detected the infection, but couldn't prevent it. Guys, this malware has been basically the same for more than 2 years now. Not a pleasing fact for a company that wants money from me by promising that they will protect PCs.

I sent ESET log files and a description of the infection/malware, alongside the question why their software can't prevent infections like this.

Still I haven't got any answer.

I could easily remove the malware and repair the registry, but I am increasingly wondering what anti-virus companies are doing the whole day, and why they want money from me. The whole anti-malware scheme of the big well-known antivirus companies seems increasingly strange and more and more like a big cash cow. Not a big surprise that big research faculties like Carnegie Mellon Uni are explicitly recommending Malwarebytes' Anti-Malware.

12-29-2011 06:35 AM

ESET Smart Security at least detected it.

02-01-2011 01:59 PM

I have on my computer an antivirus downloaded from Internet Security and I am happy with how it works. Put it on your computer and you will be protected from all viruses. Try it and you'll never regret it.

11-23-2010 10:14 PM

V16,

Just wanted to say a huge thank you for posting info re above. I got Malwarebytes anti malware on to it and all sorted now. So thank you so much.

04-19-2010 09:31 PM

The other day, I clicked onto a site that immediately pops some warnings. I exit Firefox immediately, but I guess that's not soon enough. Now I have some nasty malware throwing popups all over the place telling me I have a virus and to activate some antivirus software I've never heard of.

I'm not that stupid, so I try to start a Norton scan, but this thing has Norton's number and won't let it start a scan. I try a reboot and still it's throwing fake popup virus messages, and still disallowing Norton.

So I restart in safe mode, and try again to run a scan... no such luck... Norton won't operate in safe mode. How freakin' handy is that?!?

So finally, I get wise and run a scan with Spybot-Search & Destroy. Guess what? Spybot finds and wipes the bad stuff out... first pass. If I'd been more diligent in keeping it updated, it probably wouldn't have allowed it into my system in the first place. I let those updates slide because I figured I was PROTECTED by Norton. Fat chance of that, eh?

So my question is... why the %#$@! does Spybot (FREEWARE) protect me, while Norton ($$$$$) lets crap into my system, and then gets rendered helpless by it?!?

Will Someone PLEASE tell me... what the hell am I paying Norton for?

04-04-2010 02:02 PM

I'm sorry I bothered paying money to Symantec for Norton. It has done nothing besides find the occasional tracking cookie that I can find and clean just as easily with free programs. Now I have this Antivirus Vista virus tying up my computer, and Norton is utterly useless at either preventing or detecting it.

03-11-2010 11:08 AM

Like most people, I'm beginning to doubt that End Point Protection is the man for the job. The number of times ******* ***** has done the job that Norton was supposed to do over the last few years is making Symantec look like a cowboy company.

Our contract is up with Symantec very soon & like a few other people have said, we are looking at alternatives. I did phone Symantec a while ago & they did not seem interested. I even offered them the logs from the alternative software I used to clean the infection & I can't believe the reply I got from the person at the end of the phone.

I hope someone in Symantec does read this post & passes it on to the relevant people. You can't get away with the current attitude you have, there are now quite a few alternatives to End Point, ones that do the job...

^^ Just another frustrated IT Admin....

03-11-2010 07:39 AM

..and we have to spend time to repair infected computers every time with the same kind of viruses...

03-10-2010 04:39 PM

This malware stuff is killing us and Symantec just isn't cutting it for us anymore. I hate to say it, but after more than 10 years with Symantec we're exploring other options. Malwarebytes seems to work pretty well against most of the stuff we've encountered.

03-09-2010 04:33 PM

Hi, did you run any free online scanners? One you can run is from Trend Micro, called HouseCall; the link is below. See if that cleans up the mess.
Good luck.
http://housecall.trendmicro.com/

03-08-2010 06:15 PM

Fixes as follows:
1. Ctrl-Alt-Del, kill {av.exe}

2. Run {rstrui.exe} RegEdit and correct the following:
[BAD]
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
[Good]
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
(Default) REG_SZ exefile
Content Type REG_SZ application/x-msdownload

[BAD]
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
[Good]
*Delete Key*

[BAD]
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
[Good]
HKEY_CLASSES_ROOT\.exe\shell\open\command
(Default) REG_SZ exefile
Content Type REG_SZ application/x-msdownload
+ Folder = HKEY_CLASSES_ROOT\.exe\PersistentHandler
   [correct key entry should be unaffected]

[BAD]
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
[Good]
*Delete Key*

[BAD]
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
[Good]
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command
(Default) REG_SZ C:\Program Files\Mozilla Firefox\firefox.exe

[BAD]
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
[Good]
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command
(Default) REG_SZ "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode

[BAD]
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
[Good]
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
(Default) REG_SZ C:\Program Files\Internet Explorer\iexplore.exe

[BAD]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
[Good]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "0"

3. Restart, and IF possible RUN {rstrui.exe} System Restore and choose a day or two from the past to restore. If you installed an application AFTER the restore date then reinstall that application.

Good Luck!
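As an added example (not code from any poster in this thread), the following read-only PowerShell audit checks the registry locations listed in the original post and in the fix above: the .exe file association, the secfile class, the StartMenuInternet browser commands and the Security Center override values. The expected defaults (exefile, "%1" %*) are standard Windows values; the av.exe name and the Local Settings\Application Data path pattern come from this thread; treating any browser command that points into a user profile as suspicious is an assumption made here.

```powershell
# Added example: audit for the av.exe-style registry hijack described in this thread.
# Read-only: it reports findings and changes nothing.

function Get-RegDefault($Path) {
    # Return the (Default) value of a key, or $null if the key does not exist.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).'(default)'
}

$findings = @()

# 1. Per-user .exe handler and the rogue's 'secfile' class: a clean profile has
#    none of these keys. Their presence alone means .exe launching is overridden.
foreach ($k in 'HKCU:\Software\Classes\.exe\shell\open\command',
               'HKCU:\Software\Classes\secfile\shell\open\command',
               'Registry::HKEY_CLASSES_ROOT\secfile\shell\open\command') {
    if (Test-Path -LiteralPath $k) {
        $findings += "Unexpected key present: $k -> $(Get-RegDefault $k)"
    }
}

# 2. Machine-wide .exe association: .exe maps to 'exefile', whose open command is "%1" %*.
$exeAssoc = Get-RegDefault 'Registry::HKEY_CLASSES_ROOT\.exe'
if ($exeAssoc -ne 'exefile') { $findings += ".exe maps to '$exeAssoc' (expected 'exefile')" }
$exeCmd = Get-RegDefault 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
if ($exeCmd -ne '"%1" %*') { $findings += "exefile open command is '$exeCmd' (expected `"%1`" %*)" }

# 3. Browser launch commands (open and safemode verbs): flag a wrapper such as
#    av.exe, a /START argument, or anything living under the user's profile
#    (heuristic; assumes the browser itself is installed under Program Files).
$smi = 'HKLM:\SOFTWARE\Clients\StartMenuInternet'
if (Test-Path -LiteralPath $smi) {
    Get-ChildItem -LiteralPath $smi | ForEach-Object {
        foreach ($verb in 'open', 'safemode') {
            $cmd = Get-RegDefault "$($_.PSPath)\shell\$verb\command"
            if ($cmd -and $cmd -match '(?i)av\.exe|/START|Application Data|AppData\\Local') {
                $findings += "$($_.PSChildName) $verb command hijacked: $cmd"
            }
        }
    }
}

# 4. Security Center overrides: a value of 1 silences the missing-AV / firewall warnings.
$sc = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
foreach ($name in 'AntiVirusOverride', 'FirewallOverride') {
    if ($sc.$name -eq 1) { $findings += "Security Center $name = 1 (expected 0 or absent)" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No av.exe-style hijack indicators found.' }
```

Run it from an elevated prompt after the rogue process has been ended, since the registry reads themselves do not depend on launching any .exe through the hijacked association.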

03-08-2010 05:32 PM

I reported this along with the affected registry keys that were affected before this or the March 1, 2009 post.

PREVENTION: 1. Run Internet Explorer (Internet Options / Security / Internet [High] which is a pain <<or>> 2. Add the "Infected Site(s)" as [Restricted]
SITES AFFECTED: WhitePages.com & Superpages.com {Java code embedded in ads}
MISSED BY: NIS/NAV/N360

That said, my chief concern is Norton's unwillingness to listen. They wanted me to pay for a fix versus listen to my concerns & fix it.

FIX: Manually repair registry

{av.exe} "shows up" under different "names" and in one form or another it has been around for quite some time. This variant exploits Java to download, start up and rewrite registry keys {av.exe}. The primary issue is the (2) rewritten [.EXE] keys and StartMenuInternet keys for starters. You CANNOT simply RUN REGEDIT.EXE <<nor>> RUN rstrui.exe (System Restore), but must first CTRL-ALT-DEL (start Windows Task Manager), KILL AV.EXE, and manually repair the registry & restart; running System Restore will corrupt your backups; also Safe Mode is useless.

03-08-2010 05:22 PM

I couldn't agree more,

I have 2 users that became infected with this malware in the past 24 hours. Malwarebytes will detect and remove it, but you may have to boot into safe mode, and your SAV may have been disabled by the virus. I would like to see Symantec come up with a solution. I rely on SAV for my corporate anti-virus and backup needs and I am very disappointed that they are so slow to respond to this growing threat.

A Concerned Network Administrator

03-08-2010 01:50 PM

This is ridiculous, 5 computers on my network already got hit. If I knew that Symantec was going to let things like this through I wouldn't have switched from McAfee, slow as it was I had way less viruses & malware to deal with. Symantec has had more than enough time to fix these...

03-08-2010 05:09 AM

Fully agree with smshashi!

03-07-2010 06:19 PM

I had a bigger problem with this rogue malware on my Windows Vista (rogue called Antivirus Vista 2010!!). I recognised this as some kind of virus and immediately removed the registry settings related to av.exe. Norton Internet Security software was unable to recognise this. Since I deleted the registry entries before running MBAM as mentioned on the bleepingcomputer website, MBAM was unable to recognise this!! I restarted in safe mode a couple of times and followed what's told on the above website. By then it had already done a lot of damage. The next time I logged in, I was unable to click any exe; it used to open the folder containing the exe. After the next restart, I was unable to log in again!! My keyboard and mouse did not work!! I had to re-format & re-install Windows Vista!!

Really frustrating the way Windows and this virus/malware duo works. Being the top company in antivirus, Symantec should have already provided a solution for this, instead of just mentioning the rogue in their articles!! MBAM already provides a solution for this. Really frustrating.

03-06-2010 02:40 PM

Hope to see this malware detected soon in SAV.

03-06-2010 12:40 PM

Symantec Endpoint Protection does not detect the fake virus malware, "XP Internet Security 2010." Hope this will be in the upcoming definition.
