
Friday 29 April 2011

Fake Anti Virus Applications and how to remove them

I often get customers who have had a drive-by download and ended up with a fake Anti Virus application on their PC. It usually pops up windows all over the screen, and we get a support call to get rid of it. The usual culprits are users who have to be administrators, but that is not always the case; on Windows XP pretty much anyone is at risk.

So the key to these is to find the rogue task in Task Manager. You can usually spot it because its description is poorly written, repeats the exe name, or is missing altogether. Find the exe and terminate the process; the fake Anti Virus should close, and now you know you have the right file.

Search the registry for this file name and you should find the two shell Open registry keys below, with the malware exe location and path added to the open command, so it is run for any shell or exe launch.

• HKEY_CLASSES_ROOT\exefile\shell\open\command
• HKEY_CLASSES_ROOT\comfile\shell\open\command

The default value for each of these should be "%1" %*

If the value contains the malware exe path, reset it to the default shown above and then delete the exe file. Do this only after the rogue process has been terminated, because while the key is hijacked every exe you launch is routed through the malware first.
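The check and reset above, as an added PowerShell example (not part of the original post): it reads the default value of both keys, reports any that differ from "%1" %*, shows the extra path that was added, and with -Restore puts the default back. It assumes an elevated session; the Registry:: provider path is used because PowerShell has no HKCR: drive by default.

```powershell
# Added example, not from the original post: audit the two shell\open\command
# keys for a hijacked default value and optionally restore "%1" %*.
# Run from an elevated PowerShell session (Run as administrator).
param([switch]$Restore)

$Expected = '"%1" %*'
$Keys = @(
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\comfile\shell\open\command'
)

foreach ($Key in $Keys) {
    # The unnamed "(Default)" value is exposed by the provider as a property called "(default)"
    $Current = (Get-ItemProperty -Path $Key -ErrorAction Stop).'(default)'

    if ($Current -eq $Expected) {
        Write-Output "OK       $Key = $Current"
        continue
    }

    # Anything besides "%1" %* is a program inserted in front of every .exe/.com launch.
    # Strip the legitimate tail to show the file that was added; that is the exe to delete.
    $Added = ($Current -replace '\s*"%1"\s*%\*\s*$', '').Trim()
    Write-Output "HIJACKED $Key = $Current"
    Write-Output "         added command: $Added"

    if ($Restore) {
        Set-ItemProperty -Path $Key -Name '(default)' -Value $Expected
        Write-Output "RESTORED $Key = $Expected"
    }
}
```

Run it once without -Restore to see what is there, terminate the rogue process if you have not already, then run it again with -Restore before deleting the exe it reported.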

You should now find the fake Anti Virus malware is removed.
