A Rogue Antivirus called Internet Security 2010
I don't use Windows. This is a religious conviction. As a rule I don't fix other people's Windows PCs either, because once you've done that anything that goes wrong is your fault. But every once in a while a really good friend asks you to help and you take pity on him.
The PC boots up and immediately goes berserk, telling you there is spyware on the machine and you had better run a full scan pronto. Then this rather official-looking program pops up and tells you that you have about two dozen files infected by as many rootkits, trojans and viruses. It will remove those at a cost of $50. Internet posts suggest you might be charged arbitrary amounts ranging into the hundreds for this little favour.
This is the story of a Rogue aka fake Antivirus program. It is incredibly sneaky. First things first, it does this to your registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 1 (a REG_DWORD; this is the value name Windows honours for the Task Manager policy)
This makes it impossible to get into the task manager and kill anything. In addition, trying to start anything, be it taskmgr, regedit or a web browser, results in a popup telling you that the application is infected and cannot run. It completely killed off the two other antivirus programs on the machine, McAfee and AVG, and stopped Adobe Flash from updating itself. This is of course an attempt to stop you from using any kind of tool that might get you out of this situation, under the guise that doing anything at this point other than running a full scan (which will cost you a random amount) is too dangerous.
But the programmer made a small mistake that is helpful here. By the time you read this, it might no longer work. When the dialog box pops up, don't click OK. Leave it there. While that dialog is waiting for you, the rogue app is blocked and does not kill apps that you start. Now run regedit and fix your registry (just delete the DisableTaskMgr value under the key above), then hit Ctrl+Alt+Del and start the Task Manager. Not that it is going to help much, but it feels sort of good.
It doesn't help because this irritating piece of buffalo dung has taken over what is supposedly a valid Windows binary called wscntfy.exe, and it cannot be killed. This is a surprise to me, since I have often lamented the crazy KillProcess stuff that does not use signals that can be caught. Something must be supervising this and messing us around.
If you delete wscntfy.exe, it will be replaced. You cannot overwrite it, for Windows does not allow an executable to be modified while a running process has it mapped. You could boot into your favourite Linux-on-CD rescue system and work away at it, but in my case this machine had sufficiently weird hardware that Linux could not find its root filesystem after switching to protected mode. Nice.
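For anyone who would rather script the manual steps above than click through regedit with a hostile dialog hanging on screen, here is the same cleanup as a PowerShell snippet. This is an added example, not code from the original post and not anything the rogue or Malwarebytes ships: it removes the Task Manager policy value the post describes (and, as an assumption on my part, the sibling DisableRegistryTools value that such rogues commonly set), launches Task Manager, and then reports where the running wscntfy.exe actually lives and what its version resource claims, on the assumption that a genuine copy sits in System32 and an impostor often does not. It assumes PowerShell is present on the machine, that it is run from an elevated prompt, and that the rogue's "application is infected" dialog is left open so the shell is not killed.

```powershell
# Added example (not from the original post): undo the Task Manager lockout
# the rogue AV applies and take a look at the wscntfy.exe that refuses to die.
# Assumptions: PowerShell is available, this runs elevated, and the rogue's
# dialog has been left open so it does not kill this shell.

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# DisableTaskMgr is the value the post found. DisableRegistryTools is the
# sibling policy rogue AVs commonly set as well; checking it is an assumption
# here, not something the post reports.
$policyValues = 'DisableTaskMgr', 'DisableRegistryTools'

if (Test-Path $policyKey) {
    $props = Get-ItemProperty -Path $policyKey
    foreach ($name in $policyValues) {
        if ($null -ne $props.$name) {
            Write-Host "Removing $name = $($props.$name) from $policyKey"
            Remove-ItemProperty -Path $policyKey -Name $name
        }
    }
} else {
    Write-Host "No Policies\System key under HKCU; nothing to undo there."
}

# With the policy value gone, Task Manager should open again.
Start-Process taskmgr

# Where is the wscntfy.exe that keeps coming back actually running from?
# The genuine Windows XP Security Center notifier lives in System32; an image
# path anywhere else is a tell (assumption: nothing legitimate installs a
# second copy elsewhere).
$expected = Join-Path $env:SystemRoot 'system32\wscntfy.exe'
foreach ($p in Get-Process -Name wscntfy -ErrorAction SilentlyContinue) {
    $path = $p.Path
    Write-Host ("PID {0}: {1}" -f $p.Id, $path)
    if ($path -and ($path -ine $expected)) {
        Write-Host "  -> not the System32 copy; treat as hostile"
    }
    if ($path) {
        # Version resource strings are trivially forgeable, but a blank or
        # mismatched CompanyName is still worth a look.
        $vi = (Get-Item $path).VersionInfo
        Write-Host ("  CompanyName={0} FileDescription={1}" -f $vi.CompanyName, $vi.FileDescription)
    }
}
```

None of this removes the malware; it only gets Task Manager back and tells you what you are looking at. The process inspection is diagnostic: if the running image is the System32 copy, the rogue has overwritten or replaced the real file and an offline cleaner is still the way out.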
So I took the easy way out. Download Malwarebytes' Anti-Malware program. Run it and let it clean up. Do not interact with any of the dialog boxes of the rogue program.
Why do I write this? Because I know this blog is syndicated in at least one place where a couple of readers might still run windows. Because it is interesting in the way it would be interesting to Doctor Gregory House. Because there needs to be more good search engine findable links to a solution. And because I wasted the better part of an afternoon on this.
Normal programming, the kind that never speaks a kind word about a certain OS from Redmond, will resume shortly.