Alert: "Vista Security" malware is a more advanced version of "Anti Virus 2000"

 
HopeHoops Donating Member (1000+ posts) Wed Mar-17-10 09:57 AM
Original message
Alert: "Vista Security" malware is a more advanced version of "Anti Virus 2000"
My daughter's machine got hit with the "Vista Security" (related to "Total Vista Security") malware. Unlike "Anti Virus 2000" and earlier flavors in this strain, this one is active in safe mode. Curiously, it does allow you to run Task Manager, unlike the earlier strains. It also takes control of Firefox in addition to IE whereas the earlier strains just took over IE. They all redirect the ".exe" extension so they can prevent you from doing anything useful and they all pretend to be "virus alerts" but in reality just want you to fork over credit card information to get the non-existent "full version".

Don't click on anything.

With the earlier versions, rebooting in Safe Mode with networking would allow you to download and run AntiMalware (free version) from malwarebytes.org. THIS one isn't so nice. You can download it, but you can't run it. It just brings up more fake windows. The process is "ave.exe" (or "av.exe" for the one with "total" in the name). When I inserted a USB thumb drive, it put up a bunch of fake error messages but still mounted it.

Anyway, the fix I used was to put the file fix.reg (below) on a thumb drive and double-click it off of the thumb drive. That corrected the major problems with the registry. You have to reboot after that but you can reboot normally (not safe mode), at least with the flavor her machine was hit with. THEN you can run AntiMalware (use the quick scan). It may still leave a root kit (haven't checked yet), but at least the machine is back to "normal".

-----
Note: I know this works on Vista but I can't vouch for XP or Win 7. Still, use at your own risk. Different variations of the malware may require something more extreme. Before doing ANYTHING, try to copy as much that you care about as possible onto thumb drives or an external hard drive.

Create a text file called "fix.reg" and paste the following into it:

Windows Registry Editor Version 5.00

; Remove the hijacked per-user .exe association and the rogue "secfile" ProgID
[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

; Restore the standard open command for executables
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

; Point the .exe extension back at the exefile ProgID
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

If you can do it on the infected machine (as in it will let you open Notepad), save it to the desktop and double click on it.
If not, create it on another computer and save it to a thumb drive. Use that to access the file on the infected machine.

Either way, reboot after running it and then download and run AntiMalware from malwarebytes.org. Be sure to leave the "check for updates" box (or whatever it is called) checked so it will get the new signature files before the scan. The "quick scan" should find the problem files/registry entries. Make sure they are all selected and hit the "remove" button (might be called something different but similar - I don't have it running right now).
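Added illustration (not code from the thread or from BleepingComputer): a small Python model of why fix.reg works. It applies the posted .reg text to a dictionary standing in for the registry and then resolves the .exe association the way the Windows shell does, in simplified form (per-user classes under HKCU\Software\Classes shadow HKCR, and a command directly under .exe takes precedence over the ProgID). The hijacked starting state and the C:\SAMPLE path are constructed sample values, not indicators from a real machine.

```python
import re

# The fix.reg posted in the thread, with the bracket syntax restored.
FIX_REG = r'''Windows Registry Editor Version 5.00
[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
'''
HKCU = 'HKEY_CURRENT_USER\\Software\\Classes\\'
HKCR = 'HKEY_CLASSES_ROOT\\'

def apply_reg(registry, text):
    # registry is {key path: {value name: data}}; [-key] deletes the key and its
    # subkeys, [key] selects/creates it, name="data" sets a string value (@ = default).
    key = None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r'^\[(-?)(.+)\]$', line)
        if m:
            neg, path = m.groups()
            if neg:
                for k in [k for k in registry if k == path or k.startswith(path + '\\')]:
                    del registry[k]
            key = None if neg else registry.setdefault(path, {})
        elif key is not None and (m := re.match(r'^(@|"[^"]+")="(.*)"$', line)):
            key['' if m.group(1) == '@' else m.group(1).strip('"')] = m.group(2).replace('\\"', '"')
    return registry

def lookup(registry, subpath):
    # Simplified merged view of HKCR: per-user classes shadow machine-wide ones.
    return next((registry[r + subpath] for r in (HKCU, HKCR) if r + subpath in registry), None)

def resolve_exe_command(registry):
    # What runs on double-click: a command directly under .exe wins; otherwise the
    # ProgID named by the default value of .exe is followed to its open command.
    direct = lookup(registry, '.exe\\shell\\open\\command')
    if direct and direct.get(''):
        return direct['']
    progid = (lookup(registry, '.exe') or {}).get('', '')
    cmd = lookup(registry, progid + '\\shell\\open\\command')
    return cmd[''] if cmd else None

def hijacked_state():
    # Constructed sample of the hijack the thread describes; C:\SAMPLE is a placeholder.
    rogue = '"C:\\SAMPLE\\ave.exe" /START "%1" %*'
    return {HKCU + '.exe': {'': 'secfile'}, HKCU + 'secfile\\shell\\open\\command': {'': rogue},
            HKCR + '.exe': {'': 'exefile'}, HKCR + '.exe\\shell\\open\\command': {'': rogue},
            HKCR + 'exefile\\shell\\open\\command': {'': '"%1" %*'}}
```

Running `resolve_exe_command(apply_reg(hijacked_state(), FIX_REG))` shows the association back at the plain `"%1" %*` command, while the untouched hijacked state resolves to the rogue.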

Earth Bound Misfit Donating Member (1000+ posts) Wed Mar-17-10 10:39 AM
Response to Original message
1. Good Info, thanks.
Edited on Wed Mar-17-10 11:05 AM by Earth Bound Misfit
Bookmarked.

ETA: DUer JackintheGreen had a similar strain that called itself "XP Antivirus 2010" or something similar. Link: http://www.democraticunderground.com/discuss/duboard.php?az=view_all&address=242x30295. Some useful info was posted on that thread:

DU'er EvolveOrConvolve--downloadable batch files that fix associations: http://www.dougknox.com/xp/file_assoc.htm

DUer CK_John--several very useful ideas and links

Myself--FixExe.reg Download Link- http://download.bleepingcomputer.com/reg/antivirus-vista-2010/FixExe.reg

http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010

Antivirus Vista 2010, Win 7 Antispyware 2010, and XP Internet Security 2010 are new rogues that are exactly the same program, but are shown with different names and interfaces depending on the version of Windows that it is run on.

When installed, this rogue...will then install itself as a single executable called AV.exe that uses very aggressive techniques...First, it makes it so that if you launch any executable it instead launches (the rogue AV)....


HopeHoops Donating Member (1000+ posts) Wed Mar-17-10 10:44 AM
Response to Reply #1
2. LOL! You might want to print it instead! Opening a browser isn't necessarily possible.
Besides, it is good to keep "fix.reg" on a thumb drive just in case.

Earth Bound Misfit Donating Member (1000+ posts) Wed Mar-17-10 11:06 AM
Response to Reply #2
3. Great minds think alike.
Already done. :hi:
pokerfan Donating Member (1000+ posts) Wed Mar-17-10 04:28 PM
Response to Original message
4. A particularly nasty Trojan horse
It has gone by many names over the years: WinFixer, WinAntiVirusPro, ErrorSafe, SystemDoctor, WinAntiSpyware, AVSystemCare, WinAntiSpy, Windows Police Pro, Performance Optimizer, StorageProtector, PrivacyProtector, WinReanimator, DriveCleaner, WinspywareProtect, PCTurboPro, FreePCSecure, ErrorProtector, SysProtect, WinSoftware, XPAntivirus, Personal Antivirus, Home Antivirus 20xx, VirusDoctor, ECsecure, etc. etc. etc.

I am so sick of dealing with this one. Even though I'm a Linux user, I'm still the go-to IT guy for my Windows-using family and friends, which I don't mind so much, except that it seems that everyone I know has been bitten by this one. My nephew's machine was the most recent infection. My first suggestion (over the phone) was to boot into Windows safe mode and download MalwareBytes. Yet even in safe mode his system was still screwed up. Then we tried to recover a restore point without success. So it was time to pay a visit. We booted a Linux Live CD (Ubuntu 9.10) and it was a simple task to copy the contents of his documents and settings folder to an external hard disk which took about half an hour. While his files were being saved he was able to check his email which he had been unable to access for about a week. By the time his files were finished copying he was ready to switch to Linux. So we rebooted and this time we installed Ubuntu. He's been happy ever since. His needs are modest: He wants to surf the web, access his email and manage his iPod.
EvolveOrConvolve Donating Member (1000+ posts) Wed Mar-17-10 06:33 PM
Response to Original message
5. Yea, this incarnation is particularly bad
The hackers seem to be able to respond to every fix thrown at their malware and create new versions quickly. Those versions are propagated through already infected machines so that they quickly spread across the globe.

If the assholes creating these viruses were to expend the energy they put into their malicious scripts into something else, they could be very, very successful people.

Thanks for the info!
hobbit709 Donating Member (1000+ posts) Wed Mar-17-10 07:12 PM
Response to Original message
6. The fix I found for this involves a little effort
I have a system set up here that I pull the hard drive out of the infected computer, put it in my system as a secondary drive and run a full scan with Malwarebytes and my antivirus. That gets rid of it so you can put the drive back in and boot up and run full scans with everything else. The other thing this bastard does is set the IE settings to a proxy server which if you don't reset to the proper settings, it will go online and download itself all over again.
HopeHoops Donating Member (1000+ posts) Thu Mar-18-10 07:27 AM
Response to Reply #6
7. I'll have to check that. Thanks!
Earth Bound Misfit Donating Member (1000+ posts) Thu Mar-18-10 09:52 AM
Response to Reply #6
8. What HopeHoops said. Thanks! n/t