A Tech tip that could save your sanity…and maybe your computer, too!

I have several online friends who may not recognize a cleverly disguised computer virus threat when they see one. It’s not because they’re stupid, but because the people coming up with the viruses today are getting so sneaky!

Because of a recent encounter with a horrible virus that took me about an hour to even recognize as a virus and then figure out how to get rid of, I am posting this blog in the hopes that it might help someone else who wouldn’t recognize the virus as a virus.

*** If you don’t read any further, let me just say that if something comes from your Windows Security Center (where your Firewall, Antivirus and Automatic Updates are located, the symbol looks like this: ) you should NEVER be asked to “pay” anything in order for it to keep working. You pay for that stuff when you buy the computer, so if it takes you to a page where you’re being asked to buy anything or ‘activate’ by purchasing something, chances are good that it’s one of the versions of the virus below. Keep your credit card and banking information SAFE online, and don’t fall for it. This is how I finally recognized that it was, indeed, a virus and not a legitimate Security Center issue. ***

The name of the virus varies, depending on the Operating System you’re using. So far, it only seems to attack Windows-based Operating Systems (as usual, Mac users have no need to fear it…and I say that because Macs are notoriously better as far as Operating System security). Okay, so it affects Windows Operating Systems. It’s been called a “Chameleon” rogue, because it can take so many different names.

Here’s a list of the known names (so far) that it can disguise itself as:

Antivirus Vista 2010
Vista Antispyware 2010
Vista Guardian
Vista Guardian 2010
Vista Antivirus Pro
Vista Internet Security
Vista Internet Security 2010
XP Guardian
XP Guardian 2010 (this is the one which got on my machine)
XP Antivirus Pro
XP AntiSpyware 2010
XP Internet Security
XP Internet Security 2010
Antivirus XP 2010
Antivirus Win 7 2010
Win 7 Guardian
Win 7 Guardian 2010
Win 7 Antivirus Pro
Win 7 AntiSpyware 2010
Win 7 Internet Security
Win 7 Internet Security 2010

Yeah, that’s a lot of different names for the same virus, huh? Sneaky! The thing is, it LOOKS legitimate when it starts affecting your computer, because it looks like it’s coming from your Security Center! It gives you several pop-up warnings that say things like:

Tracking software found!
Your PC activity is being monitored. Possible spy-ware infection. Your data security may be compromised. Sensitive data can be stolen. Prevent damage now by completing security scan.

XP Internet Security 2010 Firewall Alert!

XP Internet Security 2010 has blocked a program from accessing the Internet.

Internet Explorer is infected with Trojan-BNK.Win32-Keylogger.gen
Private data can be stolen by third parties, including credit card details and passwords.

Your computer is being Hijacked!

Stealth Intrusion Alert!

And any other number of “fake” security warnings. If you’re still able to get onto the internet at this point (I recommend using Mozilla Firefox as a browser because it’s more secure), Google whatever the name of the offender is (in my case, it was XP Guardian 2010). There should be several links that come up about “How to Remove _____” or “Removing ______”. The one I used was from BleepingComputer.com. It has step-by-step instructions for how to get rid of this nasty virus.

In the event that you can’t find that page or one like it, though, I am going to put the information here on this blog, so at least you have some recourse on how to fix it.

The main screen of it looks something like this:

Automated Removal Instructions for XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010 using Malwarebytes’ Anti-Malware:

For the first part of this removal guide you will need to use a different computer than the infected one. This is also a tricky rogue to remove, so please follow the instructions carefully. If you are concerned about whether or not you can do this, do not be, as I have made these instructions easy to follow for people of any computer expertise.

From another computer, please download Malwarebytes’ Anti-Malware, or MBAM, and save it to an external media such as an external hard drive or a USB flash drive. We will then use the external drive or flash drive to transfer these files to your infected computer. If you do not own a USB flash drive, you can get one from any local or online computer store for a small price. An example of a good and cheap one can be found at Newegg. The files that you should download onto this device are:

Malwarebytes Anti-Malware – Everyone should download this.

Once you have downloaded all the necessary files to a removable device, you need to plug it into your infected computer so it can access them.

On the infected computer make sure XP Internet Security 2010, Antivirus Vista 2010, or Win 7 Antispyware 2010 is running. If it is not, you can launch it by running any program on your computer as that will trigger the rogue program to run. Once running, do not close it during the entire length of this guide.

First, you need to remove the registry entries.

To repair “running of .exe files”:

Click Start, Run.
Type command and press Enter.
Type notepad and press Enter.
Notepad opens.
Copy all the text below into Notepad:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\…
[-HKEY_CURRENT_USER\Software\Classes\s…
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\co…

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

Save this as fix.reg to your Desktop (remember to select Save as file type: All files in Notepad.)
Double Click fix.reg and click YES for confirm.
Reboot your computer.
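As an added example (not from the post or from Bleeping Computer), here is a small Python model of why that fix.reg is needed and what it does: the rogue hijacks the .exe file association so that every program launch starts the rogue, and the .reg file deletes the hijack keys and restores the stock exefile handler. The registry snapshot, the rogue path and the complete repair file are constructed for illustration, since the fix quoted above is truncated; the second function shows the signs a defender would check for.

```python
import re
# Constructed snapshot: the rogue re-pointed .exe at a fake "secfile" class so every program launch runs it. Model: {key: {value_name: data}}, "" = (Default).
ROGUE_CMD = '"C:\\Rogue\\av.exe" /START "%1" %*'  # hypothetical rogue path
HIJACKED = {
    r"HKEY_CLASSES_ROOT\.exe": {"": "secfile"},
    r"HKEY_CLASSES_ROOT\.exe\shell\open\command": {"": ROGUE_CMD},
    r"HKEY_CLASSES_ROOT\secfile\shell\open\command": {"": ROGUE_CMD},
    r"HKEY_CURRENT_USER\Software\Classes\.exe": {"": "secfile"},  # per-user override wins over HKCR
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"": '"%1" %*'},  # the legitimate handler
}
# Constructed repair file with the same shape as the (truncated) fix.reg quoted in the post.
FIX_REG = r'''Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
'''
KEY_LINE = re.compile(r"\[(-?)(.+)\]")
VALUE_LINE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")')
def apply_reg(text, registry):
    """Apply .reg semantics to a copy: [-key] deletes a key with its subkeys, [key] creates it, @="x" sets (Default), "name"="x" sets a string value."""
    reg, current = {k: dict(v) for k, v in registry.items()}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := KEY_LINE.fullmatch(line):
            delete, key = m.group(1) == "-", m.group(2)
            if delete:
                reg = {k: v for k, v in reg.items() if k != key and not k.startswith(key + "\\")}
            current = None if delete else reg.setdefault(key, {})
        elif (m := VALUE_LINE.fullmatch(line)) and current is not None:
            unescape = lambda s: re.sub(r"\\(.)", r"\1", s[1:-1])  # drop quotes, undo \\ and \"
            current["" if m.group(1) == "@" else unescape(m.group(1))] = unescape(m.group(2))
    return reg

def exe_association_findings(reg):
    """Signs that .exe launches are being intercepted; an empty list means the association looks clean."""
    findings, handler = [], reg.get(r"HKEY_CLASSES_ROOT\.exe", {}).get("")
    if handler != "exefile":
        findings.append(f".exe handler is {handler!r}, expected 'exefile'")
    if r"HKEY_CURRENT_USER\Software\Classes\.exe" in reg:
        findings.append("per-user .exe override in HKCU\\Software\\Classes")
    for key, values in reg.items():  # launch commands on the .exe path that are not the stock "%1" %*
        if key.endswith(r"\shell\open\command") and values.get("") != '"%1" %*' \
                and any(p in key for p in ("\\.exe\\", "\\secfile\\", f"\\{handler}\\")):
            findings.append(f"{key} runs {values.get('')!r}")
    return findings
```

Running `exe_association_findings(HIJACKED)` lists the four hijack signs, and after `apply_reg(FIX_REG, HIJACKED)` the list is empty, which is exactly the state the fix.reg step above is meant to restore before MBAM can be launched.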

Now open the drive that corresponds to the removable media that you copied the programs from step 2 onto. You should be able to run the mbam-setup.exe file that you saved on your removable media in step 2. Double-click on this file to install Malwarebytes’ onto your computer.

When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button. If you already have Malwarebytes’ installed, simply launch it now and continue to step 8.

MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.

On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010 related files.

MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.

When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010 removal process.

You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program’s quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.

You can now exit the MBAM program.

Your computer should now be free of the XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010 programs. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes’ Anti-Malware to protect against these types of threats in the future.

Good luck, all! I hope this helps someone.

About dragonkatet

Regarding the blog name, Dragon’s Dreams ~ The name comes from my love-affairs with both Dragons and Dreams (capital Ds). It’s another extension of who I am, a facet for expression; a place and way to reach other like-minded, creative individuals. I post poetry and images that fascinate or move me, because that’s my favorite way to view the world. I post about things important to me and the world in which we live, try to champion extra important political, societal and environmental issues, etc. Sometimes I wax philosophical, because it’s also a place where I always seem to learn about myself, too, by interacting with some of the brightest minds, souls and hearts out there. It’s all about ‘connection(s)’ and I don’t mean “net-working” with people for personal gain, but rather, the expansion of the 4 L’s: Light, Love, Laughter, Learning.
This entry was posted in Computer Stuff.