I had a virus on a machine in the shop today which is very similar to a few previous viruses we wrote about called Personal Security and XP Antispyware. The removal process is pretty similar, but I decided to write a new post detailing its removal. This virus gives a fake "Windows" security alert and then suggests you run or download a product called Antivirus Soft. Of course the program is fake, and they will steal your bank credentials and do all sorts of other nasty things to you if you decide to buy it. The interesting thing about this program is that it's always called something different, so it's a little tough to track down. Below I will outline what my particular virus was called and how I got rid of it; however, chances are yours may be named something else, so you may have to do a little trial and error with the Task Manager to figure it out.
The way to tell if you have this virus is if you get some alerts that look like these:
If you see this type of alert the next thing you will see is Antivirus soft:
The other symptom is that you will not be able to run any system .exe files like cmd.exe or regedit.
The final symptom is that your web browser will be hijacked and will not be able to go anywhere. You can observe this behavior by looking in the lower left-hand corner and seeing your browser try to proxy to 127.0.0.1 if you are using Internet Explorer.
Ok, so if you have determined that this is your problem, here is how I solved it:
1. Reboot the computer and as soon as Windows starts to boot press Ctrl-Alt-Delete to bring up the Task Manager. You have to be fast because there is only a short period of time before the virus disables the Task Manager.
2. Once the Task Manager is open, wait for all the fake security alerts to start popping up. The reason for this is that we want to see them disappear when we end the correct process.
3. Now here is the tricky part. The virus can be named anything at all, but generally it has two characteristics. The first is that it is running as the current user, and the second is that its name will be a random string of letters or numbers. For example, mine was called cjfyvbntssd.exe, but yours could be anything. Make sure you write down each process's name and then kill them one by one till you find the correct one. When the alert messages disappear you know you got the correct one. For the rest of this article I will refer to the offending virus as cjfyvbntssd.exe. Once you determine the name, move on to the next step.
4. Now once you have killed the process you should be able to run regedit so we can make some changes to the registry. This will prevent the binary from rebuilding itself.
The following registry values are affected and must be deleted:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
5. Delete all the values I have listed by right-clicking on the DWORD or string value under each key and selecting Delete.
*NOTE: Editing the registry incorrectly can definitely mess up your whole install, so only do it if you feel comfortable.
6. Once you have deleted those values, it's time to run a file search of all files and folders for the offending cjfyvbntssd.exe. Delete whatever folder you find it in. Generally it will be located in:
%UserProfile%\Local Settings\Application Data\cjfyvbntssd
Windows Vista and Windows 7:
Or whatever the random string associated with your virus is.
7. Finally, check the Program Files folder for anything associated with the virus. For example, I had a folder called Avsoft which held the program Antivirus Soft. Once I had removed everything else, this folder deleted easily.
8. Reboot your computer and you should be free of the Antivirus Soft malware.
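As an added example (not from the original post), here is a PowerShell script that audits the current user's registry for the five values listed in steps 4 and 5 and, only when run with a -Remove switch (a name chosen for this script), deletes the ones it finds; it then lists processes running out of the per-user Local Settings / AppData\Local tree where step 6 found the binary. It assumes PowerShell is available (Vista/7 or later; XP did not ship with it), and it kills nothing on its own.

```powershell
# Added example, not the post's own tooling. Audits and optionally removes the
# Antivirus Soft registry indicators listed in the post. Run as the infected user.
param([switch]$Remove)   # -Remove is this script's own switch; default is report-only

$base = 'HKCU:\Software\Microsoft'
# Key, value name, and the data the post says the malware writes.
$indicators = @(
    @{ Key = "$base\Windows\CurrentVersion\Policies\Attachments";  Name = 'SaveZoneInformation';  Bad = '1' },
    @{ Key = "$base\Windows\CurrentVersion\Internet Settings";     Name = 'ProxyServer';          Bad = 'http=127.0.0.1:5555' },
    @{ Key = "$base\Windows\CurrentVersion\Policies\Associations"; Name = 'LowRiskFileTypes';     Bad = '.exe' },
    @{ Key = "$base\Internet Explorer\Download";                   Name = 'RunInvalidSignatures'; Bad = '1' },
    @{ Key = "$base\Windows\CurrentVersion\Internet Settings";     Name = 'ProxyOverride';        Bad = '' }
)

foreach ($i in $indicators) {
    # Missing key or missing value both end up as $null here: nothing to report.
    $item = Get-ItemProperty -Path $i.Key -Name $i.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $data = [string]$item.($i.Name)

    # A loopback proxy on any port is suspicious, not only the 5555 the post saw;
    # every other value must match the data the post lists exactly.
    $hit = ($i.Name -eq 'ProxyServer' -and $data -match '^(http=)?127\.0\.0\.1(:\d+)?$') `
           -or ($data -eq $i.Bad)
    if (-not $hit) { continue }

    Write-Output "FOUND   $($i.Key)\$($i.Name) = '$data'"
    if ($Remove) {
        Remove-ItemProperty -Path $i.Key -Name $i.Name
        Write-Output "REMOVED $($i.Name)"
    }
}

# Step 6: the dropped binary lived under the user's Local Settings\Application Data
# (AppData\Local on Vista/7). List anything currently running from that tree so the
# random name can be matched against the Task Manager findings. Nothing is killed.
$localAppData = [Environment]::GetFolderPath('LocalApplicationData')
Get-Process |
    Where-Object { $_.Path -and $_.Path.StartsWith($localAppData, 'OrdinalIgnoreCase') } |
    Select-Object Id, ProcessName, Path |
    Format-Table -AutoSize
```

Run it once without -Remove to confirm the hits match what regedit shows, then with -Remove after the malicious process has been ended, since a still-running process can rewrite the values.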