How do I make an Antivirus Pro 2010/Protection System infection go away?
September 24, 2009 4:49 PM

I got it bad. I cannot run any executable files. When I try to run a program I either get a rundll32.exe error, or I get the "Open With" dialog box. Regedit doesn't work, either. How can I make this go away short of formatting the HD? There are some files on the computer that I'd like to try to salvage if possible.
posted by momzilla to Computers & Internet (21 answers total)
 
Is the malware talked about in this what you currently have?

If it is, there are step by step instructions to remove it from your computer on the page.

Hope that helps.
posted by Gravitus at 5:16 PM on September 24, 2009


Use a livecd to boot the box up and get your files off onto a USB stick or something, then format the drive. And of course next time, keep backups and have better antivirus to prevent infection.
posted by jjb at 5:17 PM on September 24, 2009


Response by poster: Yes, that would be the virus. I already tried that but it won't run the executable file.
posted by momzilla at 5:21 PM on September 24, 2009


err I linked the wrong page also. Sorry.

You need to restart the comp and boot into safe mode.

Print off the regkey locations and files locations for reference.

Go in and manually remove that crap one line at a time.


Here are the entries that need to be deleted:

c:\Program Files\AV2010
c:\Program Files\AV2010\AV2010.exe
c:\Program Files\AV2010\svchost.exe
c:\WINDOWS\system32\IEDefender.dll
c:\WINDOWS\system32\wingamma.exe
c:\Documents and Settings\All Users\Desktop\AV2010.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010\AV2010.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010\Uninstall.lnk

and registry keys to be removed:

HKEY_CURRENT_USER\Software\AV2010
HKEY_CLASSES_ROOT\AppID\{3C40236D-990B-443C-90E8-B1C07BCD4A68}
HKEY_CLASSES_ROOT\AppID\IEDefender.DLL
HKEY_CLASSES_ROOT\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO
HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO.1
HKEY_CLASSES_ROOT\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}
HKEY_CLASSES_ROOT\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0013
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Gamma Display"

I've done this to remove that crap from a few friends' computers. Also get HijackThis and install it under safe mode from a USB stick or something. That will help you terminate any running processes that are being stubborn.
posted by Gravitus at 5:31 PM on September 24, 2009


It's been my extended experience that when you are infected in such a way where executables won't launch, Regedit won't launch (and most likely Defrag won't launch).. then I would almost bet money that you are infected more deeply (probably a rootkit using hidden services, etc.) than Gravitus describes in his comment above.

Here is what I would do:

1.) Disable Windows System Restore

2.) Download and install MalwareBytes (if you are not able to run the installer, rename it to something silly like "banana.exe" and it should install correctly)... If, after getting it installed, you can't run the actual program ("mbam.exe")... then you can also use the rename trick to get it to run.

3.) I would also try running GMER and ComboFix. GMER is a rootkit detector tool that is quite good and will tell you if you have (and let you right-click/delete) any hidden Registry services or .DLLs.

Typically at this point (after running the above 3 utilities)... you "should" be able to run EXE's, access the Registry normally and run Defrag.

4.) 2 more scans I would recommend doing are ESET's NOD32 online scanner (FREE) and Spybot Search and Destroy.


I typically fight 5 to 10 infections like this a week.. and it's been a long time since I've ever had to resort to rebooting the machine in Safe Mode. In theory it's good practice,.. but I've just found it to be no longer necessary to get back to a clean machine.

As you are scanning and rebooting, you'll want to watch the following folders for any strangely named files:

C:\Windows\system32
C:\Documents and Settings\--your-profilename-here--\Local Settings\Temp


MeMail me if you need help.. I'd be happy to
posted by jmnugent at 5:43 PM on September 24, 2009


Response by poster: Thanks to you both. Unfortunately I don't know how to get to those registry entries. Regedit won't work from Run or command prompt. Is there another trick to getting to the registry?

Also, when I boot in Safe Mode, the My Computer icon isn't there ... is there another way to disable system restore?

I did try renaming Malware's .exe file but it still didn't work ... I get the Open With dialog box.

Looks like we have a Charlie Foxtrot.
posted by momzilla at 6:05 PM on September 24, 2009


Control Panel -> System should be the same as right-clicking My Computer and selecting Properties.
posted by reptile at 6:14 PM on September 24, 2009


Response by poster: @reptile: Thanks; it says "Application not found". I cry now.
posted by momzilla at 6:16 PM on September 24, 2009


Trying to clean the Registry manually is an exercise in futility...... (it can be done, but as fubar'ed as your system is, the only way you'll be able to fight your way out of it is with automatic scanners/cleaners). Do GMER and Combofix run ?... (they are stand alone utilities that ( I believe) rely less on Registry hooks)

Can you get to Task Manager?.. (I'm gonna guess NO.. but had to ask)
posted by jmnugent at 6:23 PM on September 24, 2009


Oh, god. I so feel your pain. My boss managed to get this on his computer earlier this week by being careless, and I had to drop everything to deal with it. What a nightmare.

That said, I did find a good way to get rid of it. Once I found it, it only took about 40 minutes or so to fix.

My steps:
-Unhooked him from the internet and shut down his computer
-Printed the instructions
-Used my own (uninfected) computer to download OTM + copy the script from the instructions into a .txt file, plus to create the registry fix
-Downloaded the most recent version of Malwarebytes as well
-Copied the downloaded files to a thumb drive
-Restarted his computer in safe mode (without networking)
-Ran through the whole removal procedure as outlined in that link, starting by running OTM through the Run menu
-Restarted a few times as prompted
-Once I had followed the instructions to the end, I still re-ran OTM and the script to make sure that it couldn't find the files anywhere
-Ran Malwarebytes and Bitdefender deep scans over night
-Cleared out all traces of downloaded crap and anything sitting in quarantine using CCleaner.

(His computer is fine now. I chewed him out, though... WATCH OUT for video files your friends send you, asking to install missing codecs...)
posted by gemmy at 6:34 PM on September 24, 2009


Oh, scratch the reference to the registry fix. He had both Windows Police Pro, which required the registry fix, and the Antivirus Pro 2010 infection which did not.
posted by gemmy at 6:42 PM on September 24, 2009


Look at my profile for the mega instruction set.
posted by deezil at 6:48 PM on September 24, 2009 [1 favorite]


Response by poster: @jmnugent: Combofix won't run ... still get the Open With dialog box. Yes, I can get to task manager.

@gemmy: I did have Windows Police Pro also. I managed to delete most of those files already. I am going to try what you did and see what happens.
posted by momzilla at 6:52 PM on September 24, 2009


Response by poster: @deezil: Actually, I printed and tried your instructions before posting this question. Unfortunately I can't disable system restore and I can't get any exe files to run, so I didn't get far.
posted by momzilla at 6:56 PM on September 24, 2009


Oh. If you can't get OTM program to run, since the malware affects .exe files, you can try just renaming the file to otm.com and then double-click to run it. It works that way too.

(Just in case you didn't know, the "@" notation you used tends to be kind of frowned upon around here. Not so much here in Ask, but if you venture into the blue/gray at some point.)
posted by gemmy at 8:50 PM on September 24, 2009


Best answer: Is there another trick to getting to the registry?

Regedit allows you to edit registry hive files from other Windows installations than the one you're running. So if you boot into a clean Windows environment via a BartPE CD-ROM (which you will need to prepare on some other, clean Windows computer if you don't already have it), then run Regedit from there, you can load the hives from your infected Windows installation that want modifying, modify them, and unload them.

You can load additional hives under HKEY_LOCAL_MACHINE or HKEY_USERS. To do that:
  1. Open Regedit.
  2. Click one of the above keys (it's conventional to pick HKEY_LOCAL_MACHINE if you're going to work with a SYSTEM or SOFTWARE hive, HKEY_USERS if you're going to work with a user hive).
  3. Choose Load Hive from the File menu.
  4. Browse to find the hive file. You will find SYSTEM and SOFTWARE hive files in C:\WINDOWS\system32\config, with those names (ignore the .log and any .sav versions). User hive files will be in C:\Documents and Settings\%user%\NTUSER.DAT (one for each user account in the Windows installation).
  5. You'll be asked to name the hive. I generally call the SYSTEM hive c-system, and the SOFTWARE hive c-software, and use the usernames to name the NTUSER.DAT hives (this works because Windows uses the SID, not the username, for user hives loaded for the current Windows session).
  6. Make the edits you want, modifying the registry key names appropriately. For example, to delete the "Windows Gamma Display" value from the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key in the loaded SOFTWARE hive, you'd actually delete it from HKEY_LOCAL_MACHINE\c-software\Microsoft\Windows\CurrentVersion\Run. If you're told to delete something from ControlSet001, delete the corresponding entry under ControlSet002 and ControlSet003 as well, if those exist; it's not in general predictable which ControlSetNNN key will end up being CurrentControlSet when Windows boots. Also, if you're told to delete something from under HKEY_CLASSES_ROOT, look for it in HKEY_LOCAL_MACHINE\c-system\Classes and in all the HKEY_USERS\%user%\Classes keys as well; HKEY_CLASSES_ROOT is a composite key that Windows builds dynamically by merging all of the above. Anything referring to HKEY_CURRENT_USER should be done repeatedly for each HKEY_USERS\%user% key.
  7. After you've made all your edits, for each hive you loaded: click it, then choose Unload Hive from the File menu.
Getting rid of trojans in general and these fake antivirus ones in particular is generally a lengthy, nitpicking, failure-prone process. I used to have the energy for it, but at some point I found that I'd done it again on the same box once too often. These days, I encourage most of my customers to let me back their boxes up, nuke and pave with Linux, and restore all their documents. I install VirtualBox to make minimal Windows environments for the occasional vital Windows app (e.g. QuickBooks). If the household has teenagers, I set up a dual-boot Windows partition for them to run their Sims or whatever in, and put panel buttons to invoke little backup and revert scripts on the Ubuntu side so that when the teens drive the Windows side into the weeds (which they always do, eventually) then Windows can be restored to the last-backed-up state in minutes instead of hours. This is far more fun for me, and they end up with a computer they can actually use instead of one that's constantly vandalized by malware.
posted by flabdablet at 7:27 AM on September 25, 2009
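The load/edit/unload procedure above, as an added example that is not from the thread or any of its posters: a batch script using reg.exe (the command-line counterpart of Regedit's Load Hive) from a BartPE-style clean boot, removing the AV2010 Run value, BHO and per-user key listed earlier in the thread. It assumes the infected installation is on C: with the default XP paths; note that the machine-wide Classes keys live in the SOFTWARE hive, so they are edited under the loaded c-software name.

```batch
@echo off
REM Added example (not from the thread): offline cleanup of the AV2010 registry
REM entries listed above, using reg.exe from a clean boot environment (e.g. BartPE)
REM so the infected installation's hive files are NOT in use. Adjust WINDRIVE if the
REM infected Windows lives on another drive letter. Needs administrative rights.
set "WINDRIVE=C:"
set "CONFIG=%WINDRIVE%\WINDOWS\system32\config"
set "PROFILES=%WINDRIVE%\Documents and Settings"

REM --- machine-wide hive: load SOFTWARE as HKLM\c-software (flabdablet's naming)
reg load HKLM\c-software "%CONFIG%\SOFTWARE" || goto :fail
reg delete "HKLM\c-software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Gamma Display" /f
reg delete "HKLM\c-software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}" /f
REM HKEY_CLASSES_ROOT is merged at runtime from HKLM\SOFTWARE\Classes plus each user's
REM Classes, so the BHO registration is removed from the loaded SOFTWARE hive, not HKCR.
reg delete "HKLM\c-software\Classes\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}" /f
reg delete "HKLM\c-software\Classes\IEDefender.IEDefenderBHO" /f
reg delete "HKLM\c-software\Classes\IEDefender.IEDefenderBHO.1" /f
reg unload HKLM\c-software

REM --- per-user hives: anything given as HKEY_CURRENT_USER must be done per profile
for /d %%P in ("%PROFILES%\*") do (
    if exist "%%P\NTUSER.DAT" (
        reg load HKU\c-user "%%P\NTUSER.DAT" >nul 2>&1 && (
            echo Cleaning user hive for %%~nxP
            reg delete "HKU\c-user\Software\AV2010" /f >nul 2>&1
            reg unload HKU\c-user
        )
    )
)
goto :eof

:fail
echo Could not load %CONFIG%\SOFTWARE - is the infected Windows still running? >&2
exit /b 1
```

The script does not touch the SYSTEM hive; the ControlSet entries from Gravitus's list would need the same load/delete/unload steps against c-system, repeated for every ControlSetNNN present, as flabdablet describes.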


flabdablet: "Getting rid of trojans in general and these fake antivirus ones in particular is generally a lengthy, nitpicking, failure-prone process. I used to have the energy for it, but at some point I found that I'd done it again on the same box once too often. These days, I encourage most of my customers to let me back their boxes up, nuke and pave with Linux, and restore all their documents. I install VirtualBox to make minimal Windows environments for the occasional vital Windows app (e.g. QuickBooks). If the household has teenagers, I set up a dual-boot Windows partition for them to run their Sims or whatever in, and put panel buttons to invoke little backup and revert scripts on the Ubuntu side so that when the teens drive the Windows side into the weeds (which they always do, eventually) then Windows can be restored to the last-backed-up state in minutes instead of hours. This is far more fun for me, and they end up with a computer they can actually use instead of one that's constantly vandalized by malware."

That sounds exactly like what I should do for the computers at our office. It seems so painfully obvious once you wrote it out but I never even thought about running the system that way. Awesome idea!!!!
posted by Gravitus at 8:59 AM on September 25, 2009


Response by poster: Thank you all for your assistance. I will work on this over the weekend and let you know how it went.

How this happened: son was playing on computer when he received the pop-up saying he had a virus, click here to fix it. So he followed the instructions. I have McAfee, Windows Defender and Malwarebytes on the PC, all of which are allegedly updated automatically. I feel so dirty now.

Gemmy, thanks for the tip. I don't get out much as you can see.
posted by momzilla at 9:11 AM on September 25, 2009


I have McAfee, Windows Defender and Malwarebytes on the PC, all of which are allegedly updated automatically.

In my experience, McAfee and Windows Defender both cause more problems than they prevent. Malwarebytes I've only ever used as a post-infection scanner, at which job it seems decent.

None of these things, though, will protect a computer against being stuffed up by a teenage sysadmin. Teenagers are not careful people, and if a teenager has access to an administrative account on your Windows box, it will be driven into the weeds again.

Give serious consideration to setting up a dual-boot environment, where you can continue to get your work done in Ubuntu regardless of what horrors are being perpetrated over in the Windows wasteland; leave your son with admin access to the Windows half, but desktop user only status on the Ubuntu half, and make it a rule that if Windows goes belly up you'll just revert it and everything that got put on it since you last backed it up is going to go away. The flip side of not being careful about what gets put on the PC seems to be not caring much what's kept on the PC, so this arrangement will probably suit both of you.
posted by flabdablet at 9:39 AM on September 25, 2009


Response by poster: I believe I was able to fix the problem. I was finally able to get into the Computer Management console to view running services. I stopped the "Antipol" service and changed the startup type to disabled. After that, I was able to run Combofix, which worked like a charm, and open the registry editor.

Flabdablet, I am definitely going to try your dual-boot environment suggestion. Thanks to all for your help!
posted by momzilla at 8:36 PM on September 25, 2009


If you're going to use the backup and revert scripts I linked to earlier, you should modify the embedded pathnames for the Windows partition and the default backup file before you actually use them. If you want to do that but you're not comfortable with shell scripts, let me know.
posted by flabdablet at 6:01 PM on September 26, 2009

