I ran into an interesting virus today at work. It was another one of those “buy this to get rid of this” type programs, which are pretty common, but this was one I hadn’t seen before. It was particularly nasty to get rid of, so I thought I would make a short post in case anyone else has this issue.
Here’s a picture of the offending program:
I tried multiple antivirus scanners, both free and commercial, but none of them even pretended to get rid of it. After some Google-style investigation I came up with the correct registry entries to remove to get rid of this nasty virus.
Stop and remove the XP Antispyware 2010 processes with the Windows Task Manager:
Keep Task Manager open, though, because the program will keep restarting itself and we may need to kill it again.
Locate and delete the following registry entries using regedit:
- HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "av.exe" /START "%1" %*
- HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "av.exe" /START "%1" %*
- HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "av.exe" /START "%1" %*
- HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "av.exe" /START "%1" %*
- HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "av.exe" /START "firefox.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "av.exe" /START "firefox.exe" -safe-mode
- HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "av.exe" /START "iexplore.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
If you do not feel comfortable editing your registry you might want to take your computer to a professional, but if you are feeling adventurous you can reach the Windows Registry by typing “regedit” in the Run dialog from the Start menu.
Obviously, if you are not using Firefox you can omit those keys.
Delete other XP Antispyware 2010 files:
I used the Windows search bar to find the following two files and delete them.
After doing these steps I rebooted and XP Antispyware was gone.
I wish I could say it was that easy, but I had one more problem to solve. It seems that when I removed the shell .exe registry keys I disabled .exe files completely. I am sure there is a way not to do this, but since I had the experience I will share it, in case anyone else makes the same mistake.
So, after I rebooted I tried to run Malwarebytes in order to clean up any loose ends, and to my dismay I got the following error.
This file does not have a program associated with it for performing this action
If this happens to you, never fear; it’s not quite as bad as it sounds.
- Press Start>Run and type cmd in the box and press OK:
- At the command prompt type cd c:\windows and press return:
- Type copy regedit.exe regedit.com and press return (the .com copy still runs because only the .exe association is broken, not the .com one):
- Type regedit.com and press return:
- Navigate to the following key:
- Double-click the (Default) value in the right-hand pane, delete the current value data, and then type:
"%1" %* exactly as shown, including the quotes and the asterisk.
- Navigate to the following key:
- In the right-hand pane, set (default) to exefile:
- Exit the Registry Editor:
That’s it! Your .exe files should be back to normal now, and you should run a tool like Malwarebytes to make sure you don’t have any more infections or leftover files from XP Antispyware 2010.
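Both procedures above, the removal of the av.exe registry entries and the repair of the .exe association, can be done in one pass that restores the stock values instead of deleting the keys, which avoids breaking .exe files in the first place. The script below is an added example, not the post’s own method. It assumes the hijacked command values contain “av.exe” as listed above, the stock XP defaults of exefile for HKCR\.exe and "%1" %* for exefile\shell\open\command, that each browser registered its real path under the App Paths key, and that PowerShell is installed (XP did not ship it).

```powershell
# Added example (not the post's own method): undo the av.exe hijack listed above by
# restoring stock values instead of deleting keys, so .exe files keep working.
# Assumptions: hijacked commands contain "av.exe"; stock XP defaults are 'exefile' for
# HKCR\.exe and "%1" %* for exefile\shell\open\command; browsers register their real
# path under App Paths. Run from an administrator prompt; -DryRun only reports.
param([switch]$DryRun)
$marker = 'av.exe'    # substring that identifies a hijacked command value

# HKCR is not a PowerShell drive by default; map it so the HKCR:\ paths resolve.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
$backupDir = Join-Path $env:TEMP ('rogue-av-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
$script:backupCount = 0

function Backup-Key($key) {
    # Export a key with reg.exe before changing it, so every change can be undone.
    if ($DryRun -or -not (Test-Path $key)) { return }
    if (-not (Test-Path $backupDir)) { New-Item -ItemType Directory -Path $backupDir | Out-Null }
    $regName = $key -replace '^HKCR:', 'HKEY_CLASSES_ROOT' -replace '^HKCU:', 'HKEY_CURRENT_USER'
    $regName = $regName -replace '^HKLM:', 'HKEY_LOCAL_MACHINE'
    $script:backupCount++
    & reg.exe export $regName (Join-Path $backupDir "$($script:backupCount).reg") | Out-Null
}

function Get-DefaultValue($key) {
    if (-not (Test-Path $key)) { return $null }
    return (Get-ItemProperty -Path $key).'(default)'
}

function Test-Hijacked($key) {
    $v = Get-DefaultValue $key
    return ($v -ne $null) -and ($v -like "*$marker*")
}

function Set-DefaultValue($key, $value) {
    Write-Host "set  $key  (Default) = $value"
    if ($DryRun) { return }
    Backup-Key $key
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '(default)' -Value $value
}

function Remove-Key($key) {
    if (-not (Test-Path $key)) { return }
    Write-Host "del  $key"
    if ($DryRun) { return }
    Backup-Key $key
    Remove-Item -Path $key -Recurse -Force
}

# 1. Kill the rogue. It respawns because every .exe launch is routed through it while
#    the association hijack is in place; the registry fixes below are what stop that.
Get-Process -Name av -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Host "kill av.exe (pid $($_.Id))"
    if (-not $DryRun) { Stop-Process -Id $_.Id -Force }
}

# 2. The .exe association. The rogue adds shell\open\command under .exe and a bogus
#    'secfile' class, in HKCR and as per-user overrides in HKCU\Software\Classes. Stock
#    XP has none of these keys, so they go, and the real defaults are put back after.
$rogueKeys = @{
    'HKCU:\Software\Classes\.exe'    = 'HKCU:\Software\Classes\.exe\shell\open\command'
    'HKCU:\Software\Classes\secfile' = 'HKCU:\Software\Classes\secfile\shell\open\command'
    'HKCR:\.exe\shell'               = 'HKCR:\.exe\shell\open\command'
    'HKCR:\secfile'                  = 'HKCR:\secfile\shell\open\command'
}
foreach ($key in $rogueKeys.Keys) {
    if (Test-Hijacked $rogueKeys[$key]) { Remove-Key $key }
}
if ((Get-DefaultValue 'HKCR:\.exe') -ne 'exefile') { Set-DefaultValue 'HKCR:\.exe' 'exefile' }
$openCmd = 'HKCR:\exefile\shell\open\command'
if ((Get-DefaultValue $openCmd) -ne '"%1" %*') { Set-DefaultValue $openCmd '"%1" %*' }

# 3. Security Center overrides, which silence the "no antivirus / no firewall" warnings.
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($name in 'AntiVirusOverride', 'FirewallOverride') {
    $cur = (Get-ItemProperty -Path $sc -Name $name -ErrorAction SilentlyContinue).$name
    if ($cur -eq 1) {
        Write-Host "set  $sc  $name = 0"
        if (-not $DryRun) { Backup-Key $sc; Set-ItemProperty -Path $sc -Name $name -Value 0 }
    }
}

# 4. Start-menu browser entries: point them back at the real binary instead of av.exe.
foreach ($browser in 'FIREFOX.EXE', 'IEXPLORE.EXE') {
    foreach ($verb in 'open', 'safemode') {
        $cmdKey = "HKLM:\SOFTWARE\Clients\StartMenuInternet\$browser\shell\$verb\command"
        if (-not (Test-Hijacked $cmdKey)) { continue }
        $appPath = Get-DefaultValue "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\$browser"
        if (-not $appPath) { Write-Warning "$cmdKey is hijacked but no App Paths entry exists; fix by hand"; continue }
        $fixed = '"' + $appPath + '"'
        if ($verb -eq 'safemode') { $fixed += ' -safe-mode' }
        Set-DefaultValue $cmdKey $fixed
    }
}
Write-Host "Done. Registry backups (if any) are in $backupDir"
```

Run it with -DryRun first; it only prints the changes it would make. Because av.exe fronts every .exe launch until the association keys are fixed, start PowerShell by the same trick the post uses for regedit (a copy of powershell.exe renamed to a .com file runs through the untouched .com association), or run the script after the .exe association has been repaired by hand. Reboot afterwards, then run a scanner for leftovers.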