Win 7 Anti-Spyware Virus Manual Cleanup
HowTo: Manually cleanup the Win 7 AntiSpyware virus. These instructions have been tested on Windows 7
This article has been retired. See this up-to-date Keyliner article:
Keyliner - Virus Cleanup Steps
>Historical:
Once again I've had the pleasure of cleaning a new variant of the "Win 7 Anti-Spyware virus." This article describes how to manually de-infect the machine. These steps describe how to manually remove the virus; counting the scans, it will take about 2 hours. I did not test cleaning the original virus with 3rd-party tools. As with all viruses of this type, they mutate frequently. These steps are current as-of 2011.03.26.
See these Keyliner articles for other virus articles:
Microsoft System Sweeper - Bootable Antivirus - Highly Recommended
Removing Win32 Cryptor
Removing Win7 Anti-Virus
Removing Personal Security Virus
Securing Windows 7 from your Children
Microsoft Security Essentials
The Win7 Anti-Virus is by the same people who wrote the popular (Keyliner reviewed) Personal Security Virus. When infected, it is surprisingly difficult to tell whether you are looking at a legitimate virus-warning message or at the virus itself. I understand why people get confused. Even for me, it took several minutes to decide this was a virus and sadly, (at the time) Microsoft Security Essentials (MSE) did not detect it. This virus specifically targets IE and Firefox users.
Symptoms:
- "Win 7 Anti-Spyware" (also seen as AntiSpyware or Antivirus Win 7) scare-ware with numerous fake "infection" warnings. Warnings occur whenever any program is launched.
- Internet Explorer and Firefox display fake messages when launched. Launching the browser will immediately re-infect the computer if the virus is not completely removed with the steps below.
- Microsoft Security Essentials (MSE) is disabled, or appears disabled/hijacked.
- The virus infects the currently logged-in user's profile; other user accounts are not infected (as long as they don't launch a browser session!).
The popup window appears to be a real-time virus scan and it will "find" numerous viruses and other problems, but none of the 'found' viruses are real. There is only one virus, and it is Win 7 Anti-Spyware itself.
Related is a convincing fake of the Microsoft Security Center that displays when its System Tray icon is opened. It appears to have replaced the regular virus scanner with its own name, and it displays convincing errors, including "Win 7 Antispyware reports that it is turned off" along with a "Turn on now" button.
Clicking "Turn on now" takes you to their website where you can "register" the software and provide them with a credit card number. If you are lucky, they will then "disable" the 'found' viruses; the scanner will continue to spy on you and will re-infect you later when they need more money.
What to Do
When presented with "scareware" such as this, do not click anything on the popup screens. Do not click Scan. Do not click "Turn on now." Do not give them a credit-card number. Ignore the popup windows; I don't even bother closing them.
Solution:
Important update: 2014.03.01:
Microsoft has a new bootable Virus scanner that I now recommend.
See this Keyliner article: Microsoft Standalone System Sweeper
Follow the steps in that article before doing the remaining steps here.
Manual Steps
I now consider these steps obsolete, replaced by the article above. However, these steps are still valid for manual removal.
1. Disconnect from the Internet
I recommend disconnecting the computer from the Internet during these first few steps. Many of these types of viruses install other viruses and the disconnect may help to keep this from happening.
If you use a wired connection, unplug the CAT-5 data cable. If wireless, disable the wireless card with the slider-switch on the side of the computer (some machines use a function-key instead).
2. Download Malware Bytes - but do not install
From another non-infected computer, download the following utility and burn the installation file to a CD (I do not recommend using a thumb-drive because of possible virus re-infection). If another computer is not available, continue with the next steps and attempt to disable the virus manually before downloading the utility:
MalwareBytes Anti-Malware software
http://www.malwarebytes.org
This utility will be used to check your cleanup work and to look for other installed viruses.
3. Begin the Cleanup by Logging in:
Reboot the computer and choose one of the following methods to login:
a. If you have a secondary login account (a back-door such as Administrator or another person's account), reboot the computer and login with that account. Likely, those accounts are not infected. Important: Once logged in, do not launch the browser. If you do not have a backdoor account, you may be able to create one "on-the-fly"; see the followup notes at the end of this article (I did not test this idea).
b. Or, boot the computer into Safe-mode:
To boot into safe-mode, cold-boot the computer. Immediately after the hardware-BIOS screens, before the Windows Splash-screen, repeatedly press the F8 key (some laptops may need to press a function-key-F8). Insistently, repeatedly, but not frantically, press the F8 key until prompted for Safe mode. If it starts in normal mode, shut-down and begin again. Once in safe-mode, do not launch a browser session.
(Apparently newer versions of the virus block booting in Safe Mode. See reader comments below if you cannot boot into SafeMode. Leave a comment on your experiences.)
4. Set Windows Explorer to show File Extensions
By default, Windows Explorer does not show file-extensions. Expose them with these steps:
a. Launch Windows Explorer*
b. In the top-left, select Organize, Layout, Menu-Bar
c. Click top menu Tools, Folder Options
d. Click the View Tab
e. Scroll down the list and check:
Check: Show Hidden Files, Folders and Drives
Uncheck: Hide extensions for known file types
Uncheck: Hide protected operating system files
f. Click Apply
g. Click top-button "Apply to folders" and close the dialog
* Note: if you can't start Windows Explorer, do the following:
1. Press ctrl-alt-delete
2. Click Start Task Manager
3. Click the Applications tab
4. Click button "New Task", type "Explorer.exe"

5. End Process
If you are still logged in with the infected account, close all running programs, then end-task on the problem software, using the steps below. If you logged-in with a backdoor account *and* the virus is not running, skip this step.
a. Press Ctrl-Alt-Delete, start "Task Manager"
b. Click the [Processes] tab
c. Locate one of the files and "End Process":
AV.EXE
KUS.exe
MAQ.exe
YUM.exe
$R2B37DC.exe
y7v11.exe
datapw.exe
AVEngn
XP_Antispyware.exe
In my case, the file was called "KUS.exe". Your computer may have a different name, and the name may not match the list above. The key is this:
* You want to end-task on all non-required tasks, leaving only the operating-system's tasks active. In the Task-Manager's Process-list, end all non-operating-system programs. The list below will help you decide which are required.
These are typical valid Windows Tasks - Leave running - End all others
csrss.exe
dwm.exe
explorer.exe
ipoint.exe
msseces.exe
nvvsvc.exe (Nvidia drivers)
nvXDSync.exe (Nvidia drivers)
plugin-container.exe
Ravcpl64.exe (NVidia Control Panel)
RoxioBurnLauncher.exe
ShwiconXP9106.exe
sidebar.exe
standby.exe
taskhost.exe
taskmgr.exe
winlogon.exe
In Task Manager's process-list, look for 'unusual' programs and end them, but do not end the tasks listed immediately above. Unfortunately, I can't list all important Windows processes because there may be some hardware drivers (such as ATI video, or older NVidia drivers) that I don't know about. It takes some skill to determine this, but don't panic. If you stop some important Windows process, no harm is done -- simply reboot the computer and start over. Take your best guess.
As an aside, spelling is important. If you find a program running that is a slight variation on these names, it could be the virus trying to sneak past your keen observational skills. However, in my case, the name was a little more obvious: "Kus.exe". (Advanced users might consider using Microsoft's 'Process Explorer'.)
6. Delete these files
a. Once you have ended the task(s), use Windows Explorer to open this folder:
C:\Users\(your user account)\AppData\Local
In this folder, I recommend deleting any executable files -- those with .exe extensions -- especially if they have one of the following names. When deleting, press Shift-Delete to permanently delete the files, which keeps them out of the Recycle Bin. There will likely only be one file:
AV.EXE
KUS.exe
EYG.exe
MAQ.exe
YGX.exe
YUM.exe
$R2B37DC.exe
y7v11.exe
datapw.exe
pw.exe
MSASCui.exe
Filenames vary, but any .exe files found in the root of this location are suspect and should be deleted (or at the very least, renamed). Expect this list to change as the virus mutates.
If files are "in use" and cannot be deleted, return to Task Manager, find the process that still holds the file, and end it. If you are using this article to clean a different virus, be aware there are more sophisticated viruses. See the Keyliner articles listed at the end of these instructions for more robust steps you can take.
b. In this same AppData\Local folder, look for a file with no extension whose name is a random-looking, GUID-like string, for example:
8a0bd7L1sd4h51.... (no extension; your filename will vary).
This is an additional copy of the same virus. If found, delete it.
By this stage, the virus should be more-or-less disabled, but you will be re-infected if you do not complete the remaining steps.
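As an added check for steps 5 and 6 (this script is not from the Keyliner article; it is an inventory only and ends no tasks and deletes nothing), the following PowerShell lists the two things those steps ask you to hunt for by hand: loose .exe and extensionless files in the root of AppData\Local, and running processes whose program file lives anywhere under the user's AppData tree. Run it only after the virus process has been ended, or from the uninfected backdoor account, because while the .exe association is hijacked every program you start is routed through the virus first. The folder and profile paths come from the environment; nothing else is assumed.

```powershell
# Added inventory script (not the article's own): a read-only listing of what
# steps 5 and 6 tell you to find by hand. It ends no tasks and deletes nothing;
# it only shows candidates so you can end-task or Shift-Delete them yourself.

$local   = $env:LOCALAPPDATA                      # C:\Users\<you>\AppData\Local
$appData = Join-Path $env:USERPROFILE 'AppData'   # covers Local, LocalLow and Roaming

function Get-SuspectFiles {
    # Step 6a/6b: executables and extensionless files in the ROOT of AppData\Local.
    # Legitimate software keeps its files in subfolders; loose files here are suspect.
    Get-ChildItem -Path $local -Force |
        Where-Object { -not $_.PSIsContainer -and ($_.Extension -eq '.exe' -or $_.Extension -eq '') } |
        Select-Object Name, Length, LastWriteTime
}

function Get-SuspectProcesses {
    # Step 5: running processes whose image lives under the user's AppData tree.
    # Windows components do not run from there; the fake AV in the article does.
    # (Path is blank for processes this prompt cannot inspect, e.g. 64-bit
    # processes seen from a 32-bit PowerShell, so use an elevated 64-bit prompt.)
    Get-Process |
        Where-Object { $_.Path -and $_.Path.StartsWith($appData, [StringComparison]::OrdinalIgnoreCase) } |
        Select-Object Id, ProcessName, Path
}

"== Loose executables / extensionless files in $local (step 6) =="
Get-SuspectFiles | Format-Table -AutoSize

"== Running processes started from under $appData (step 5) =="
Get-SuspectProcesses | Format-Table -AutoSize
```

Paste it into a PowerShell prompt rather than saving it as a .ps1 file, so the default execution policy on Windows 7 does not get in the way. Anything it lists is a candidate to check against the two name lists above, not an automatic verdict: a process from AppData is unusual for Windows itself, but some legitimate per-user installers (update helpers, for instance) do live there.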
7. Additional File Deletes
Delete *all* files in the following locations (The virus leaves temp copies in various cache directories). Delete the files, leaving the folders. As before, when deleting, press Shift-Delete.
a. C:\Users\(your name)\AppData\Local\Temp\*.*
b. C:\Users\(your name)\AppData\Roaming\Microsoft\Windows\Templates\*.*
c. C:\Users\(your name)\AppData\Roaming\Microsoft\Windows\8a0bd7L1sd4h51.... (with no extension. The file may be named with other random numbers; it will be obvious.)
Continue deleting all member files in these folders (Shift-delete). These are simply cache files and they will rebuild when the operating system needs them:
d. C:\Windows\Prefetch\*.*
e. C:\Users\(your name)\AppData\LocalLow\Sun\Java\Deployment\Cache\6.0\24\*.*
(Your version number may vary).
Again, delete the files, leave the directories.
Unlikely: If you have re-directed your Windows TEMP folder to a location other than your profile, delete the files in that Temp directory also. (Run the SET command at a DOS/command prompt and look at the TEMP and TMP variables to find it.)
8. Registry Cleanup Step 1
Author's note: Because I had a backdoor account ("admin"), I was able to launch Regedit without a barrage of scareware screens. If you are running on an infected account, you may have to plow through a lot of nag-screens. Do not close the screens, just toss them to the side and ignore them as you try to launch your software.
If you are on a non-infected account, you will only be able to clean the HKLM keys; you will not find any infected HKEY_CURRENT_USER values, and this is to be expected. The next step resolves this problem.
Regardless of which account you are logged in as:
a. Start, Run, Regedit.exe
(To enable the Start, Run command, "other-mouse-click" the Start Menu, choose tab [Start Menu], Customize. [x] Check the "Run Command" box. Or press Ctrl-Alt-Delete, Task Manager and start the task as described in step 4.)
b. In Regedit, tunnel to
HKEY_LOCAL_MACHINE\Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
The (Default) value will read something like
"C:\users\(your name)\appdata\local\KUS.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Remove the front part of the command (the quoted KUS.exe path and the -a switch), leaving only "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (quotes included). The name 'KUS.exe' may vary.
c. If you use Firefox
Make similar changes in these 2 locations. Again, remove the front part of the command, leaving only the "C:..." statement:
HKEY_LOCAL_MACHINE\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command
HKEY_LOCAL_MACHINE\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command
(leaving only "C:\Program Files (x86)\Mozilla\Firefox\firefox.exe" in the first, and the same quoted path followed by -safe-mode in the second; adjust the path if Firefox is installed elsewhere.)
9. Continue with these registry cleanups - Step 2
If you are logged into Windows with a backdoor account (administrator), now is the time to re-login as the infected user. Ideally, start in Safe-Mode. Once logged in, re-open RegEdit and make the following registry changes. (If you are familiar with Registry-merge files, skip these manual steps and run the optional step (z.), below; it is easier.)
a. Delete these Current-User registry keys (delete the folders). Again, you must be logged in as the infected user to delete these keys:
HKEY_Current_User\Software\Classes\.exe
HKEY_Current_User\Software\Classes\secfile
As an aside: If you have multiple Windows-login accounts, you may need to repeat each of the registry changes.
b. In the following registry key, change each of the listed values (e.g. (Default) and IsolatedCommand). Note this is "exefile" without a dot and it is a *long way* down in the registry:
HKEY_Classes_Root\exefile\shell\open\command
Change both values to "%1" %*
Include the quotes. Type: quote, percent, one, quote, space, percent, asterisk.
c. Change this key:
HKey_Classes_Root\.exe
Change the (Default) value to "exefile" (no quotes)
Change "Content Type" to "application/x-msdownload" (no quotes)

z. Optionally, merge a registry file:
You can automate the registry commands by doing these steps (do not do these steps if you manually edited the registry with the steps above):
- Copy the following text and paste it into Notepad
- Save the file as "registryfix.reg" (type the quotes so Notepad does not append .txt). Note which directory you saved the file in.
- Before merging, confirm the file paths match where you installed Firefox. If you have not installed Firefox, delete those statements before merging. Merge steps are immediately below.
Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOT\.exe]
[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell]
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open]
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Program Files (x86)\\Mozilla\\Firefox\\firefox.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode]
@="Firefox &Safe Mode"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command]
@="\"C:\\Program Files (x86)\\Mozilla\\Firefox\\firefox.exe\" -safe-mode"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell]
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open]
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\""
- Use Windows Explorer and locate the saved file (likely MyDocuments).
- Other-mouse-click and choose "merge"
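Before moving on, it is worth confirming that the registry repairs from steps 8 and 9 actually took, because a single leftover value re-hijacks every .exe launch. The PowerShell below is an added verification script, not the article's own; it is read-only and prints OK or SUSPECT next to each value it reads. It assumes the same key paths the registry file above uses, and that the only acceptable browser commands are a quoted browser path (plus -safe-mode for the Firefox safe-mode entry); run it while logged in as the previously infected user, from an elevated prompt, so HKEY_CURRENT_USER and HKEY_CLASSES_ROOT reflect that profile.

```powershell
# Added verification script (not the article's own): read-only check of the
# registry values repaired in steps 8 and 9. Nothing is written.

function Get-RegValue([string]$key, [string]$name) {
    # Returns the named value (use '(default)' for the unnamed default value),
    # or $null when the key or the value does not exist.
    try { (Get-ItemProperty -Path $key -ErrorAction Stop).$name } catch { $null }
}

function Test-RegValue([string]$label, [string]$key, [string]$name, [string]$pattern) {
    # Prints OK when the value exists and matches the expected regex, else SUSPECT.
    $actual = Get-RegValue $key $name
    if ($actual -ne $null -and $actual -match $pattern) { $status = 'OK     ' }
    else                                                 { $status = 'SUSPECT' }
    '{0} {1}' -f $status, $label
    '        found: {0}' -f $actual
}

# Step 9a: these per-user keys must be gone. HKCU\Software\Classes overrides
# HKLM\Software\Classes, which is how the virus captured every .exe launch.
foreach ($hijack in @('Registry::HKEY_CURRENT_USER\Software\Classes\.exe',
                      'Registry::HKEY_CURRENT_USER\Software\Classes\secfile')) {
    if (Test-Path $hijack) { "SUSPECT per-user override still present: $hijack" }
    else                   { "OK      absent: $hijack" }
}

# Step 9b/9c: the machine-wide .exe handler must be the plain "%1" %* form.
$exeCmd = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
Test-RegValue 'exefile open (Default)'       $exeCmd '(default)'       '^"%1" %\*$'
Test-RegValue 'exefile open IsolatedCommand' $exeCmd 'IsolatedCommand' '^"%1" %\*$'
Test-RegValue '.exe (Default)'    'Registry::HKEY_CLASSES_ROOT\.exe' '(default)'    '^exefile$'
Test-RegValue '.exe Content Type' 'Registry::HKEY_CLASSES_ROOT\.exe' 'Content Type' '^application/x-msdownload$'

# Step 8: browser launch commands. The value must begin with the quoted browser
# path itself, not with another program that takes the browser as an argument
# (the "KUS.exe -a ..." form shown in the article).
$smi = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet'
Test-RegValue 'IE open command' "$smi\IEXPLORE.EXE\shell\open\command" '(default)' '^"[A-Za-z]:\\[^"]*\\iexplore\.exe"\s*$'
if (Test-Path "$smi\FIREFOX.EXE") {
    Test-RegValue 'Firefox open command'     "$smi\FIREFOX.EXE\shell\open\command"     '(default)' '^"[A-Za-z]:\\[^"]*\\firefox\.exe"\s*$'
    Test-RegValue 'Firefox safemode command' "$smi\FIREFOX.EXE\shell\safemode\command" '(default)' '^"[A-Za-z]:\\[^"]*\\firefox\.exe"\s+-safe-mode\s*$'
}
```

Any SUSPECT line means the corresponding manual step (or the merged registry file) did not take for this user; repeat that step and run the check again. If you have several Windows login accounts, run it once in each, since the per-user keys are the ones the virus relies on.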
10. Delete Other Cache Directories
By this stage, it should be safe to launch other programs. Continue with these last cleanup steps while logged in as the infected user. Basically, you are cleaning other inert copies of the virus file, which can be found in these additional locations:
Launch Internet Explorer.
a. Other-mouse-click the tab-bar, choose "menu bar"
b. From IE's top-menu, select Tools, Internet Options.
c. In Browser History, click Delete, Delete. This may take a few moments.
If you use Firefox, Launch Firefox.
a. Tools, Clear Recent History (All)
(in the new Firefox 4, click top-orange menu)
Open the Control Panel, "Java"
a. in "Temporary Internet Files"
b. Click "Settings"
c. Click "Delete Files"
d. I also recommend changing the disk space to 150MB (not 1000MB)
11. Empty the Windows Recycle bin.
In case you forgot to click "shift-delete" in the steps above, empty your Recycle Bin (other mouse-click the desktop Recycle Bin, choose "empty").
12. Reconnect the computer to the Internet
13. Launch and install MalwareBytes (see download steps above).
Allow the program to update itself to the most current version.
If you were not able to download, it should be safe to download now.
Allow a full scan; it will take an hour or longer. Consider disabling the Windows screen saver.
In reality, this may be anti-climactic: you have already killed the virus, but this program is good at finding other things that may have slipped in, and it will confirm your work.
14. Reboot
15. Re-install MSE?
If you are using Microsoft Security Essentials (MSE), you may need to un-install and re-install. Skip this step if you are using a different virus scanner.
Author's note: I was fooled by the fake Microsoft Security Center dialog and believed my MSE was damaged. In retrospect, it probably survived the virus attack, but I uninstalled/re-installed.
a. Click the System Tray and locate the (green) school-house icon.
If MSE does not launch, use the Control Panel to de-install. Then, go to Microsoft.com (security) and re-download.
b. Disable the Windows Screen Saver (Control Panel, "personalization", "Screen Saver", set to "none").
c. Start a Full-scan.
The virus should be cleaned.
Followup Notes:
The computer was nearly unusable while the virus was installed. Because I had a back-door account, I was able to perform most of the steps above, without resorting to safe-mode and was not plagued by hundreds of nag-screens. I did not test all of these steps while being nagged-to-death; I suspect you can still do all the changes suggested above.
For future attacks, you should make a secondary (backdoor) login account on all Windows 7 workstations. Only use this account in emergencies. Of course, this needs to be done before the emergency, but you may be able to build the account even while this virus is raging.
Do these steps on all workstations:
Start Menu, Control Panel
Change the View to "Small Icons" (not by Category)
Double-click "User Accounts"
Double-click "Create New Account"
Name the account "Admin"
On the newly-created account, click Change Password.
Be sure to type a password hint that will remind you
* If you are trying to build this account while infected, reboot prior to logging in with this account or it will be infected too. A minor drawback to this design is the account will permanently appear on all login screens.
See this related article: Securing Windows 7 from your Children
Backups
Viruses are always dangerous. Although this one was more annoying than most, it does not delete files. However, as I have always said, the data is more valuable than the computer. In my case, even while infected, I ran a quick backup of my most recently-changed files. I inserted a DVD and made a quick "click-and-drag" copy of my most important data files.
In the back of my mind, I knew I had a full-disk image (Acronis disk image) that was only a few weeks old. If the cleanup steps failed, I could have simply restored the image, and then dropped the manual backups and all would be well. Could you say the same thing on your computers?
Other Virus Information
This virus is also known as (alias):
Win32/FakeRean
Personal Security Virus
W32/FakeSec.B.gen!Eldorado
Mal/FakeAV-BT
Win32/Kryptik.DBC
Trojan.Win32.FraudPack.aovc
W32/FraudPack.fam!tr
Cryptic.BG
OScope.Trojan.0216
Win32:MalOb-AL
Win-Trojan/Xema.variant
Trojan.Win32.FakeAV!IK
Trojan.Fraudpack.Gen!Pac.5
Antispyware Vista (other)
Antispyware Win 7 (other)
Antispyware XP (other)
AntiSpyware XP 2009 (other)
Antivirus Pro 2010 (other)
Antivirus Vista (other)
Antivirus Vista 2010 (other)
Antivirus Win 7 (other)
Antivirus Win 7 2010 (other)
Antivirus XP (other)
Antivirus XP 2010 (other)
Desktop Defender 2010 (other)
Desktop Security 2010 (other)
Home Antivirus 2010 (other)
PC Antispyware 2010 (other)
PC Security 2009 (other)
Security Central (other)
Total PC Defender (other)
Total PC Defender 2010 (other)
Total Vista Security (other)
Total Win 7 Security (other)
Total XP Security (other)
Vista AntiMalware (other)
Vista AntiMalware 2010 (other)
Vista Antispyware 2010 (other)
Vista Antivirus (other)
Vista Antivirus 2010 (other)
Vista Antivirus Pro (other)
Vista Antivirus Pro 2010 (other)
Vista Defender (other)
Vista Defender 2010 (other)
Vista Defender Pro (other)
Vista Guardian (other)
Vista Guardian 2010 (other)
Vista Internet Security (other)
Vista Internet Security 2010 (other)
Vista Security (other)
Vista Security Tool (other)
Vista Security Tool 2010 (other)
Vista Smart Security (other)
Vista Smart Security 2010 (other)
Win 7 AntiMalware (other)
Win 7 AntiMalware 2010 (other)
Win 7 Antispyware 2010 (other)
Win 7 Antivirus (other)
Win 7 Antivirus 2010 (other)
Win 7 Antivirus Pro (other)
Win 7 Antivirus Pro 2010 (other)
Win 7 Defender (other)
Win 7 Defender 2010 (other)
Win 7 Defender Pro (other)
Win 7 Guardian (other)
Win 7 Guardian 2010 (other)
Win 7 Internet Security (other)
Win 7 Internet Security 2010 (other)
Win 7 Security (other)
Win 7 Security Tool (other)
Win 7 Security Tool 2010 (other)
Win 7 Smart Security (other)
Win 7 Smart Security 2010 (other)
XP AntiMalware (other)
XP AntiMalware 2010 (other)
XP AntiSpyware 2009 (other)
XP Antispyware 2010 (other)
XP Antivirus 2010 (other)
XP Antivirus Pro (other)
XP Antivirus Pro 2010 (other)
XP Defender (other)
XP Defender 2010 (other)
XP Defender Pro (other)
XP Guardian (other)
XP Guardian 2010 (other)
XP Internet Security (other)
XP Internet Security 2010 (other)
XP Police Antivirus (other)
XP Security (other)
XP Security Center (other)
XP Security Tool (other)
XP Security Tool 2010 (other)
XP Smart Security (other)
XP Smart Security 2010 (other)
Smart Security 2010 (other)
Win 7 Security Center (other)
XP Defender Pro 2010 (other)
AntiVirus Studio 2010 (other)
Trojan:Win32/FakeRean (Microsoft)
Win32/FakeRean (Microsoft)
Spyware Protection (other)
Vista Antispyware 2011 (other)
Vista Antivirus 2011 (other)
Vista Home Security 2011 (other)
Vista Security 2011 (other)
Vista Total Security 2011 (other)
Win 7 Home Security 2011 (other)
Win 7 Total Security 2011 (other)
XP Antispyware 2011 (other)
XP Antivirus 2011 (other)
XP Home Security 2011 (other)
XP Security 2011 (other)
XP Total Security 2011 (other)
Vista Anti-Spyware (other)
Vista Anti-Spyware 2011 (other)
Vista Anti-Virus 2011 (other)
Vista Home Security (other)
Vista Internet Security 2011 (other)
Vista Total Security (other)
Win 7 Anti-Spyware (other)
Win 7 Anti-Spyware 2011 (other)
Win 7 Anti-Virus 2011 (other)
Win 7 Home Security (other)
Win 7 Internet Security 2011 (other)
Win 7 Security 2011 (other)
Win 7 Total Security (other)
XP Anti-Spyware (other)
XP Anti-Spyware 2011 (other)
XP Anti-Virus 2011 (other)
XP Home Security (other)
XP Total Security (other)
Microsoft has substantial MSE documentation, which you can read at this link. MSE was recently updated on 2011.05.26 with better detection.
This virus is reportedly associated with these dangerous domain names, most of which are now off-line as the virus writers move from domain to domain:
antivirus-one-care2010.com
pc-livecare.com
pc-livecare2010.com
live-pccare.com
live-pc-care.com
one-care-antivirus.com
onecare-antivirus2010.com
securitypccare.com
win-live-care.com
windows-live-care.com
win-live-care2010.com
security-pccare.com
See these Keyliner articles for other virus articles:
Microsoft System Sweeper - Bootable Antivirus - Highly Recommended
Removing Win32 Cryptor
Removing Win7 Anti-Virus
Removing Personal Security Virus
Securing Windows 7 from your Children
Microsoft Security Essentials
Leave an unregistered comment if this article helped you.
This article has been retired. See this up-to-date Keyliner article:
Keyliner - Virus Cleanup Steps
>Historical:
Once again I've had the pleasure of cleaning a new variant of the "Win 7 Anti-Spyware virus." This article describes how to manually de-infect the machine. These steps describe how to manually remove the virus and counting scans, it will take about 2 hours. I did not test cleaning the original virus with 3rd-party tools. As with all viruses of this type, they mutate frequently. These steps are current as-of 2011.03.26.
See these Keyliner articles for other virus articles:
Microsoft System Sweeper - Bootable Antivirus - Highly Recommended
Removing Win32 Cryptor
Removing Win7 Anti-Virus
Removing Personal Security Virus
Securing Windows 7 from your Children
Microsoft Security Essentials
The Win7 Anti-Virus is by the same people who wrote the popular (Keyliner reviewed) Personal Security Virus. When infected it is surprisingly difficult to tell if this is a legitimate virus-warning message or if it is an actual virus. I understand why people get confused. Even for me, it took several minutes to decide this was a virus and sadly, (at the time) Microsoft Security Essentials MSE did not detect it. This virus specifically targets IE and Firefox users.
Symptoms:
- Anti-spyware AntiSpyware AntivirusWin 7 scare-ware with numerous fake "infection" warnings. Warnings occur when any program is launched.
- Internet Explorer and Firefox display fake messages when launched. Launching the browser will immediately re-infect the computer if the virus is not completely removed with the steps below.
- Microsoft Security Essentials (MSE) is disabled or appears disabled/hijacked
- The virus infects the currently-logged in user's profile; Other user-accounts are not infected (as long as they don't launch a browser session!).

Related is a convincing Microsoft Security Center that displays when the System Tray icon is opened. It appears to have replaced the regular virus scanner with its own name and it displays convincing errors, including "Win 7 Antispyware reports that it is turned off" along with a "Turn on now" button:

What to Do
When presented with "scareware" such as this, do not click anything on the popup screens. Do not click Scan. Do not click "Turn on now." Do not give them a credit-card number. Ignore the popup windows; I don't even bother closing them.
Solution:
Important update: 2014.03.01:
Microsoft has a new bootable Virus scanner that I now recommend.
See this Keyliner article: Microsoft Standalone System Sweeper
Follow the steps in that article before doing the remaining steps here.
Manual Steps
I now consider these steps obsolete, replaced by the article above. However, these steps are still valid for manual removal.
1. Disconnect from the Internet
I recommend disconnecting the computer from the Internet during these first few steps. Many of these types of viruses install other viruses and the disconnect may help to keep this from happening.
If you use a wired connection, unplug the CAT-5 data cable. If wireless, disable the wireless card with a slider-switch on the side of the computer or some machines use a function-key.
2. Download Malware Bytes - but do not install
From another non-infected computer, download the following utility and burn the installation file to a CD (I do not recommend using a thumb-drive because of possible virus-re-infections). If another computer is not available, continue with the next steps and attempt to disable the virus manually before downloading the utility:
MalwareBytes Anti-Malware software
http://www.malwarebytes.org
This utility will be used to check your cleanup work and to look for other installed viruses.
3. Begin the Cleanup by Logging in:
Reboot the computer and choose one of the following methods to login:
a. If you have a secondary login account (a back-door such as Administrator or other person's account), reboot the computer and login with that account. Likely, those accounts are not infected. Important: Once logged in, do not launch the browser. If you do not have a backdoor account, you may be able to create one "on-the-fly", see followup notes at the end of this article (I did not test this idea).
b. Or, boot the computer into Safe-mode:
To boot into safe-mode, cold-boot the computer. Immediately after the hardware-BIOS screens, before the Windows Splash-screen, repeatedly press the F8 key (some laptops may need to press a function-key-F8). Insistently, repeatedly, but not frantically, press the F8 key until prompted for Safe mode. If it starts in normal mode, shut-down and begin again. Once in safe-mode, do not launch a browser session.
(Apparently newer versions of the virus block booting in Safe Mode. See reader comments below if you cannot boot into SafeMode. Leave a comment on your experiences.)
4. Set Windows Explorer to show File Extensions
By default, Windows Explorer does not show file-extensions. Expose them with these steps:
a. Launch Windows Explorer*
b. In the top-left, select Organize, Layout, Menu-Bar
c. Click top menu Tools, Folder Options
d. Click the View Tab
e. Scroll down the list and check:
Check: Show Hidden Files, Folders and Drives
Uncheck: Hide extensions for known file types
Uncheck: Hide protected operating system files
f. Click Apply
g. Click top-button "Apply to folders" and close the dialog
* Note: if you can't start Windows Explorer, do the following:
1. Press ctrl-alt-delete
2. Click Start Task Manager
3. Click the Applications tab
4. Click button "New Task", type "Explorer.exe"
5. End Process
If you are still logged in with the infected account, close all running programs, then end-task on the problem software, using the steps below. If you logged-in with a backdoor account *and* the virus is not running, skip this step.
a. Press Ctrl-Alt-Delete, start "Task Manager"
b. Click the [Processes] tab
c. Locate one of the files and "End Process":
AV.EXE
KUS.exe
MAQ.exe
YUM.exe
$R2B37DC.exe
y7v11.exe
datapw.exe
AVEngn
XP_Antispyware.exe
In my case, the file was called "KUS.exe". Your computer may a different name and the name may change from the list above. The key is this:
* You want to end-task on all tasks non-required tasks, leaving only the operating-system's tasks active. In the Task-Manager's Process-list, end all non-operating-system programs. The list below will help you decide which are required.
These are typical valid Windows Tasks - Leave running - End all others
crss.exe
dwm.exe
explorer.exe
ipoint.exe
mssecs.exe
nvvsvc.exe (Nvidia drivers)
nvXDSync.exe (Nvdidia drivers)
plugin-container.exe
Ravcpl64.exe (NVidia Control Panel)RoxioBurnLauncher.exe
ShwiconXP9106.exe
sidebar.exe
standby.exe
taskhost.exe
taskmgr.exe
winlogon.exe
In Task Manager's process-list, look for 'unusual' programs and end them, but do not end the tasks listed immediately above. Unfortunately, I can't list all important Windows processes because there may be some hardware drivers (such as ATI video, or older NVidia drivers), that I don't know about. It takes some skill to determine this but don't panic. If you stop some important Windows process, no harm is done -- simply reboot the computer and start over. Take your best guess.
As an aside, spelling is important. If you find a program running that is a slight variation on these names, it could be the virus trying to sneak past your keen observational skills. However, in my case, the name was a little more obvious: "Kus.exe". (Advanced users might consider using Microsoft's 'Process Explorer'.)
6. Delete these files
a. Once you have ended the task(s), use Windows Explorer to open this folder:
C:\Users\(your user account)\AppData\Local
In this folder, I recommend deleting any executable files -- those with .exe extensions -- especially if they have one of the following names. When deleting, press Shift-Delete to permanently delete the files, which keeps it out of the recycle bin. There will likely only be one file:
AV.EXE
KUS.exe
EYG.exe
MAQ.exe
YGX.exe
YUM.exe
$R2B37DC.exe
y7v11.exe
datapw.exe
pw.exe
MSASCui.exe
Filenames vary, but any .exe files found in the root of this location are suspect and should be deleted (or at the very least, renamed). Expect this list to change as the virus mutates.
If files are "in use" and cannot be deleted, return to the task manager and find it. If you are using this article to clean a different virus, be aware there are more sophisticated viruses. See the Keyliner articles listed at the end of these instructions for more robust steps you can take.
b. * In this same AppData\Local folder, look for a non-exe file named with a numeric GUID code (your filename may vary)
8a0bd7L1sd4h51.... (no extension).
This is an additional copy of the same virus. If found, delete.
By this stage, the virus should be more-or-less disabled, but you will be re-infected if you do not complete the remaining steps.
7. Additional File Deletes
Delete *all* files in the following locations (The virus leaves temp copies in various cache directories). Delete the files, leaving the folders. As before, when deleting, press Shift-Delete.
a. C:\Users\(your name)\AppData\Local\Temp\*.*
b. C:\Users\(your name)\AppData\Roaming\Microsoft\Windows\Templates\*.*
c. C:\Users\(your name)\AppData\Roaming\Microsoft\Windows\8a0bd7L1sd4h51.... (with no extension. The file may be named with other random numbers; it will be obvious.)
Continue deleting all member files in these folders (Shift-delete). These are simply cache files and they will rebuild when the operating system needs them:
d. C:\Windows\Prefetch\*.*
e. C:\Users\(your name)\AppData\LocalLow\Sun\Java\Deployment\Cache\6.0\24\*.*
(Your version number may vary).
Again, delete the files, leave the directories.
Unlikely: If you have re-directed your Windows TEMP folder to a location outside your profile, delete the files in that Temp directory also. (At a command prompt, type SET TEMP to see where the TEMP and TMP variables currently point.)
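As an added example (this script is not part of the original Keyliner article), the PowerShell below lists the files that steps 6 and 7 tell you to hunt for, instead of eyeballing them in Explorer. It is read-only: nothing is deleted, you still Shift-Delete by hand as described above. It assumes Windows 7 with its built-in PowerShell 2.0, and it assumes the folders named in steps 6 and 7; the file-name tests are location-based (a loose .exe or extensionless file in the root of AppData\Local), not a list of known names, because the names change with every mutation. $ProfilePath defaults to the account you are logged in as; point it at C:\Users\(infected user) when running from the backdoor account.

```powershell
# Added example, not from the original article. Read-only survey of the
# locations in steps 6 and 7. Assumes Windows 7 / PowerShell 2.0.
$ProfilePath = $env:USERPROFILE   # e.g. 'C:\Users\infecteduser' when run from the backdoor account

$local   = Join-Path $ProfilePath 'AppData\Local'
$roaming = Join-Path $ProfilePath 'AppData\Roaming\Microsoft\Windows'

function Get-LooseExecutables {
    param([string]$Folder)
    # Only the ROOT of the folder is examined. Legitimate software keeps its
    # files in subfolders, so a bare .exe or a random extensionless file here
    # is exactly what step 6 describes.
    if (-not (Test-Path $Folder)) { return }
    foreach ($f in Get-ChildItem -Path $Folder -Force | Where-Object { -not $_.PSIsContainer }) {
        if ($f.Extension -ne '.exe' -and $f.Extension -ne '') { continue }
        $sig = 'n/a (not an .exe)'
        if ($f.Extension -eq '.exe') {
            # Scareware droppers are not signed by a trusted publisher; a
            # 'Valid' result here deserves a second look before deleting.
            $sig = [string](Get-AuthenticodeSignature -FilePath $f.FullName).Status
        }
        New-Object PSObject -Property @{
            Path      = $f.FullName
            SizeKB    = [math]::Round($f.Length / 1KB, 1)
            Modified  = $f.LastWriteTime
            Signature = $sig
        }
    }
}

$suspects = @(Get-LooseExecutables $local) + @(Get-LooseExecutables $roaming)
if ($suspects.Count -eq 0) {
    Write-Output "No loose .exe or extensionless files in the root of $local or $roaming"
} else {
    Write-Output 'Review these (step 6); Shift-Delete the ones you do not recognise:'
    $suspects | Format-Table Path, SizeKB, Modified, Signature -AutoSize
}

# Step 7 cache folders: report how many files the Shift-Delete will remove.
$caches = @(
    (Join-Path $ProfilePath 'AppData\Local\Temp'),
    (Join-Path $ProfilePath 'AppData\Roaming\Microsoft\Windows\Templates'),
    'C:\Windows\Prefetch'
)
foreach ($c in $caches) {
    if (Test-Path $c) {
        $n = @(Get-ChildItem -Path $c -Force -Recurse | Where-Object { -not $_.PSIsContainer }).Count
        Write-Output ("{0,6} files  {1}" -f $n, $c)
    }
}

# Step 7's 'unlikely' case: TEMP or TMP redirected outside the profile.
foreach ($v in 'TEMP', 'TMP') {
    $val = [Environment]::GetEnvironmentVariable($v)
    if ($val -and -not $val.ToLower().StartsWith($ProfilePath.ToLower())) {
        Write-Output "$v points outside the profile: $val  (empty that folder too)"
    }
}
```

Run it once before deleting anything and once afterwards; the second run should report no loose executables and near-zero counts in the cache folders.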
8. Registry Cleanup Step 1
Author's note: Because I had a backdoor account ("admin"), I was able to launch Regedit without a barrage of scareware screens. If you are running on an infected account, you may have to plow through a lot of nag-screens. Do not close the screens, just toss them to the side and ignore them as you try to launch your software.
If you are logged in on a non-infected account, you will only be able to clean the HKLM keys. HKEY_CURRENT_USER is the hive of whichever account is logged on, so from the backdoor account you will see only its own, clean, per-user values and will find nothing infected there; this is to be expected. The next step resolves this problem.
Regardless of which account you are logged in as:
a. Start, Run, Regedit.exe
(To enable the Start, Run command, "other-mouse-click" the Start Menu, choose tab [Start Menu], Customize. [x] Check the "Run Command" box. Or press Ctrl-Alt-Delete, Task Manager and start the task as described in step 4.)
b. In Regedit, tunnel to
HKey-LocalMachine\Software\Clients\StartMenuInternet\
InternetExplorer.exe\Shell\Open\Command
Change the (Default) value from
"C:\users\(your name)\appdata\local\KUS.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
to just
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
In other words, delete the leading "...\KUS.exe" -a portion (the virus, plus the switch it uses to pass the real browser along) and keep only the quoted path to iexplore.exe. The name 'KUS.exe' may vary. On 32-bit Windows the browser lives in C:\Program Files\Internet Explorer\iexplore.exe, with no "(x86)"; whatever path follows the -a is the one to keep.
c. If you use Firefox
Make similar changes in these 2 locations. Again, remove the front part of the command, leaving only the "C:..." statement:
HKey-LocalMachine\Software\Clients\StartMenuInternet\
Firefox.exe\Shell\Open\Command
HKey-LocalMachine\Software\Clients\StartMenuInternet\
Firefox.exe\Shell\SafeMode\Command
(leaving only a "C:\Program Files (x86)\Mozilla\Firefox\Firefox.exe" or similar; for the SafeMode key, the trailing -safe-mode switch stays. As with IE, the path that follows the -a in the hijacked value is the real location of your browser.)
9. Continue with these registry cleanups - Step 2
If you are logged into Windows with a backdoor account (administrator), now is the time to re-login as the infected user. Ideally, start in Safe-Mode. Once logged in, re-open RegEdit and make the following registry changes. (If you are familiar with Registry-merge files, skip these manual steps and run the optional step (z.), below; it is easier.)
a. Delete these Current-User registry keys (delete the whole key, the "folder"). The virus creates them because HKEY_CURRENT_USER\Software\Classes overrides HKEY_LOCAL_MACHINE\Software\Classes in the merged HKEY_CLASSES_ROOT view, which lets it redirect every .exe launch for that user without needing administrator rights. Again, you must be logged in as the infected user to delete these keys:
HKEY_Current_User\Software\Classes\.exe
HKEY_Current_User\Software\Classes\secfile
As an aside: If you have multiple Windows-login accounts, you may need to repeat each of the registry changes.
b. In the following registry key, change each of the detailed values (e.g. Default and IsolatedCommand). Note this is "exefile" without a dot and it is a *long-way* down in the registry:
HKEY_Classes_Root\exefile\shell\open\command
Change both values to "%1" %*
Include quotes. Type as quote, percent one, quote -- space, percent, asterisk.
c. Change this key:
HKey_Classes_Root\.exe
Change the (Default) value to "exefile" (no quotes)
Change "Content Type" to "application/x-msdownload" (no quotes)

z. Optionally, merge a registry file:
You can automate the registry changes with these steps (do not do this if you already edited the registry manually with the steps above):
- Copy the following text and paste it into Notepad
- Save the file as "registryfix.reg" (with the quotes, so Notepad does not append .txt). Note which directory you saved the file in.
- Before merging, confirm the file paths match where Firefox and Internet Explorer are installed on your machine (Firefox's default folder is "C:\Program Files (x86)\Mozilla Firefox\" on 64-bit Windows, and on 32-bit Windows there is no "(x86)"). If Firefox is not installed, delete the FIREFOX.EXE statements before merging. Merge steps are immediately below.
Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOT\.exe]
[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell]
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open]
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Program Files (x86)\\Mozilla\\Firefox\\firefox.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode]
@="Firefox &Safe Mode"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command]
@="\"C:\\Program Files (x86)\\Mozilla\\Firefox\\firefox.exe\" -safe-mode"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell]
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open]
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\""
- Use Windows Explorer and locate the saved file (likely in My Documents).
- Other-mouse-click the file and choose "Merge"; confirm the prompt.
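As an added example (not part of the original article), the PowerShell below is a read-only audit of the registry values that steps 8 and 9 repair. Run it before the fix to see the hijack in one screen, and again afterwards, logged in as the infected user so that HKEY_CURRENT_USER is the right hive, to confirm the manual edits or the merge took. It assumes Windows 7 with PowerShell 2.0. The expected values are the ones given in steps 9b and 9c; the StartMenuInternet test is a heuristic (a second ".exe" in the command, or any path under AppData, marks it as hijacked) and it walks every browser registered there, so it also covers browsers the article does not mention.

```powershell
# Added example, not from the original article. Read-only registry audit
# for steps 8 and 9. Assumes Windows 7 / PowerShell 2.0.

function Get-RegValue {
    # Returns a named value (default: the key's (Default) value) or $null.
    param([string]$Key, [string]$Name = '(default)')
    if (-not (Test-Path $Key)) { return $null }
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($props -eq $null) { return $null }
    return $props.$Name
}

function New-CheckRow {
    param([string]$Check, [string]$Result, $Actual)
    if ($Actual -eq $null) { $Actual = '<missing>' }
    New-Object PSObject -Property @{ Result = $Result; Check = $Check; Actual = [string]$Actual }
}

function Test-Expected {
    param([string]$Check, $Actual, [string]$Expected)
    $result = 'FIX'
    if ($Actual -eq $Expected) { $result = 'OK' }
    New-CheckRow $Check $result $Actual
}

$results = @()

# Step 9a: the per-user overrides must not exist at all.
foreach ($k in 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\secfile') {
    $state = 'absent'
    if (Test-Path $k) { $state = 'present' }
    $results += Test-Expected "absent: $k" $state 'absent'
}

# Steps 9b and 9c: the .exe association chain, as seen through HKCR.
$dotExe = 'Registry::HKEY_CLASSES_ROOT\.exe'
$exeCmd = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$results += Test-Expected 'HKCR\.exe (Default)'     (Get-RegValue $dotExe)                   'exefile'
$results += Test-Expected 'HKCR\.exe Content Type'  (Get-RegValue $dotExe 'Content Type')    'application/x-msdownload'
$results += Test-Expected 'exefile open (Default)'  (Get-RegValue $exeCmd)                   '"%1" %*'
$results += Test-Expected 'exefile IsolatedCommand' (Get-RegValue $exeCmd 'IsolatedCommand') '"%1" %*'

# Step 8: every browser registered under StartMenuInternet. A clean command
# is one quoted path to the browser, optionally followed by a switch such as
# -safe-mode. The hijack puts the virus first and the real browser after -a,
# so a second ".exe", or anything under AppData, is the tell.
$smi = 'HKLM:\SOFTWARE\Clients\StartMenuInternet'
foreach ($browser in Get-ChildItem -Path $smi -ErrorAction SilentlyContinue) {
    foreach ($verb in 'open', 'safemode') {
        $key = Join-Path $browser.PSPath "shell\$verb\command"
        if (-not (Test-Path $key)) { continue }
        $cmd = [string](Get-RegValue $key)
        $exeCount = ([regex]::Matches($cmd, '\.exe', 'IgnoreCase')).Count
        $result = 'OK'
        if (($exeCount -gt 1) -or ($cmd -match '(?i)\\AppData\\')) { $result = 'FIX' }
        $results += New-CheckRow "$($browser.PSChildName) $verb command" $result $cmd
    }
}

$results | Format-Table Result, Check, Actual -AutoSize -Wrap
$fixes = @($results | Where-Object { $_.Result -eq 'FIX' }).Count
Write-Output "$fixes value(s) still need attention."
```

Every row should read OK when you are finished; a FIX on the HKCU rows while logged in as the backdoor account is not meaningful, because that is the wrong user hive (see step 9).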
10. Delete Other Cache Directories
By this stage, it should be safe to launch other programs. Continue with these last cleanup steps, while logged in as the infected user. Basically, you are cleaning other inert copies of the virus file, which can be found in these additional locations:
Launch Internet Explorer .
a. Other-mouse-click the tab-bar, choose "menu bar"
b. From IE's top-menu, select Tools, Internet Options.
c. In Browser History, click Delete, Delete. This may take a few moments.
If you use Firefox, Launch Firefox.
a. Tools, Clear Recent History (All)
(in the new Firefox 4, click top-orange menu)
Open the Control Panel, "Java"
a. in "Temporary Internet Files"
b. Click "Settings"
c. Click "Delete Files"
d. I also recommend changing the disk space to 150MB (not 1000MB)
11. Empty the Windows Recycle bin.
In case you forgot to click "shift-delete" in the steps above, empty your Recycle Bin (other mouse-click the desktop Recycle Bin, choose "empty").
12. Reconnect the computer to the Internet
13. Launch and install Malwarebytes (see download steps above).
Allow the program to update itself to the most current version.
If you were not able to download, it should be safe to download now.
Allow a full scan; it will take an hour or longer. Consider disabling the Windows screen saver.
In reality, this may be anticlimactic: you have already killed the virus, but this program is good at finding other things that may have slipped in, and it will confirm your work.
14. Reboot
15. Re-install MSE?
If you are using Microsoft Security Essentials (MSE), you may need to un-install and re-install. Skip this step if you are using a different virus scanner.
Author's note: I was fooled by the fake Microsoft Security Center dialog and believed my MSE was damaged. In retrospect, it probably survived the virus attack, but I uninstalled/re-installed.
a. Click the System Tray and locate the (green) school-house icon.
If MSE does not launch, use the Control Panel to de-install. Then, go to Microsoft.com (security) and re-download.
b. Disable the Windows Screen Saver (Control Panel, "personalization", "Screen Saver", set to "none").
c. Start a Full-scan.
The virus should be cleaned.
Followup Notes:
The computer was nearly unusable while the virus was installed. Because I had a back-door account, I was able to perform most of the steps above, without resorting to safe-mode and was not plagued by hundreds of nag-screens. I did not test all of these steps while being nagged-to-death; I suspect you can still do all the changes suggested above.
For future attacks, you should make a secondary (backdoor) login account on all Windows 7 workstations. Only use this account in emergencies. Of course, this needs to be done before the emergency, but you may be able to build the account even while this virus is raging.
Do these steps on all workstations:
Start Menu, Control Panel
Change the View to "Small Icons" (not by Category)
Double-click "User Accounts"
Double-click "Create New Account"
Name the account "Admin"
On the newly-created account, click Change Password.
Be sure to type a password hint that will remind you
* If you are trying to build this account while infected, reboot prior to logging in with this account or it will be infected too. A minor drawback to this design is the account will permanently appear on all login screens.
See this related article: Securing Windows 7 from your Children
Backups
Viruses are always dangerous. Although this one was more annoying than most, it does not delete files. However, as I have always said, the data is more valuable than the computer. In my case, even while infected, I ran a quick backup of my most recently-changed files. I inserted a DVD and made a quick "click-and-drag" copy of my most important data files.
In the back of my mind, I knew I had a full-disk image (Acronis disk image) that was only a few weeks old. If the cleanup steps failed, I could have simply restored the image, and then dropped the manual backups and all would be well. Could you say the same thing on your computers?
Other Virus Information
This virus is also known as (alias):
Win32/FakeRean
Personal Security Virus
W32/FakeSec.B.gen!Eldorado
Mal/FakeAV-BT
Win32/Kryptik.DBC
Trojan.Win32.FraudPack.aovc
W32/FraudPack.fam!tr
Cryptic.BG
OScope.Trojan.0216
Win32:MalOb-AL
Win-Trojan/Xema.variant
Trojan.Win32.FakeAV!IK
Trojan.Fraudpack.Gen!Pac.5
Antispyware Vista (other)
Antispyware Win 7 (other)
Antispyware XP (other)
AntiSpyware XP 2009 (other)
Antivirus Pro 2010 (other)
Antivirus Vista (other)
Antivirus Vista 2010 (other)
Antivirus Win 7 (other)
Antivirus Win 7 2010 (other)
Antivirus XP (other)
Antivirus XP 2010 (other)
Desktop Defender 2010 (other)
Desktop Security 2010 (other)
Home Antivirus 2010 (other)
PC Antispyware 2010 (other)
PC Security 2009 (other)
Security Central (other)
Total PC Defender (other)
Total PC Defender 2010 (other)
Total Vista Security (other)
Total Win 7 Security (other)
Total XP Security (other)
Vista AntiMalware (other)
Vista AntiMalware 2010 (other)
Vista Antispyware 2010 (other)
Vista Antivirus (other)
Vista Antivirus 2010 (other)
Vista Antivirus Pro (other)
Vista Antivirus Pro 2010 (other)
Vista Defender (other)
Vista Defender 2010 (other)
Vista Defender Pro (other)
Vista Guardian (other)
Vista Guardian 2010 (other)
Vista Internet Security (other)
Vista Internet Security 2010 (other)
Vista Security (other)
Vista Security Tool (other)
Vista Security Tool 2010 (other)
Vista Smart Security (other)
Vista Smart Security 2010 (other)
Win 7 AntiMalware (other)
Win 7 AntiMalware 2010 (other)
Win 7 Antispyware 2010 (other)
Win 7 Antivirus (other)
Win 7 Antivirus 2010 (other)
Win 7 Antivirus Pro (other)
Win 7 Antivirus Pro 2010 (other)
Win 7 Defender (other)
Win 7 Defender 2010 (other)
Win 7 Defender Pro (other)
Win 7 Guardian (other)
Win 7 Guardian 2010 (other)
Win 7 Internet Security (other)
Win 7 Internet Security 2010 (other)
Win 7 Security (other)
Win 7 Security Tool (other)
Win 7 Security Tool 2010 (other)
Win 7 Smart Security (other)
Win 7 Smart Security 2010 (other)
XP AntiMalware (other)
XP AntiMalware 2010 (other)
XP AntiSpyware 2009 (other)
XP Antispyware 2010 (other)
XP Antivirus 2010 (other)
XP Antivirus Pro (other)
XP Antivirus Pro 2010 (other)
XP Defender (other)
XP Defender 2010 (other)
XP Defender Pro (other)
XP Guardian (other)
XP Guardian 2010 (other)
XP Internet Security (other)
XP Internet Security 2010 (other)
XP Police Antivirus (other)
XP Security (other)
XP Security Center (other)
XP Security Tool (other)
XP Security Tool 2010 (other)
XP Smart Security (other)
XP Smart Security 2010 (other)
Smart Security 2010 (other)
Win 7 Security Center (other)
XP Defender Pro 2010 (other)
AntiVirus Studio 2010 (other)
Trojan:Win32/FakeRean (Microsoft)
Win32/FakeRean (Microsoft)
Spyware Protection (other)
Vista Antispyware 2011 (other)
Vista Antivirus 2011 (other)
Vista Home Security 2011 (other)
Vista Security 2011 (other)
Vista Total Security 2011 (other)
Win 7 Home Security 2011 (other)
Win 7 Total Security 2011 (other)
XP Antispyware 2011 (other)
XP Antivirus 2011 (other)
XP Home Security 2011 (other)
XP Security 2011 (other)
XP Total Security 2011 (other)
Vista Anti-Spyware (other)
Vista Anti-Spyware 2011 (other)
Vista Anti-Virus 2011 (other)
Vista Home Security (other)
Vista Internet Security 2011 (other)
Vista Total Security (other)
Win 7 Anti-Spyware (other)
Win 7 Anti-Spyware 2011 (other)
Win 7 Anti-Virus 2011 (other)
Win 7 Home Security (other)
Win 7 Internet Security 2011 (other)
Win 7 Security 2011 (other)
Win 7 Total Security (other)
XP Anti-Spyware (other)
XP Anti-Spyware 2011 (other)
XP Anti-Virus 2011 (other)
XP Home Security (other)
XP Total Security (other)
Microsoft has substantial MSE documentation on its site. MSE was updated on 2011.05.26 with better detection.
This virus is reportedly associated with these dangerous domain names, most of which are now off-line as the virus writers move from domain to domain:
antivirus-one-care2010.com
pc-livecare.com
pc-livecare2010.com
live-pccare.com
live-pc-care.com
one-care-antivirus.com
onecare-antivirus2010.com
securitypccare.com
win-live-care.com
windows-live-care.com
win-live-care2010.com
security-pccare.com
See these Keyliner articles for other virus articles:
Microsoft System Sweeper - Bootable Antivirus - Highly Recommended
Removing Win32 Cryptor
Removing Win7 Anti-Virus
Removing Personal Security Virus
Securing Windows 7 from your Children
Microsoft Security Essentials
Leave an unregistered comment if this article helped you.