Monday, November 12, 2007

AntiVirGear System Alert

AntiVirGear is a rogue anti-spyware tool that claims to remove spyware and viruses but doesn't do so. It's relatively easy to kill; most anti-spyware tools (like Ad-Aware or Spybot Search & Destroy) can remove it.

However, it also drops a DLL into the \system32 folder that displays the following fake security alert notice:


The bad thing about this message is that the DLL is loaded into Explorer.exe (it is registered as a SharedTaskScheduler COM object), so there is no separate EXE process you can kill to get rid of it. Also, neither Spybot nor Ad-Aware seem to be able to remove it.

To remove it yourself, do the following:

  1. Open a Command Prompt (Cmd.exe) and make sure that the command "taskkill" is available: simply type "taskkill" and check whether you get a "not recognized as an internal or external command" error. (taskkill ships with Windows XP Professional but not with XP Home.)
    If you don't have this command, download PsKill (part of the Sysinternals PsTools, hosted by Microsoft) and place the files inside the ZIP archive in C:\WINDOWS\SYSTEM32
  2. Start RegEdit.exe and go to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
  3. Inside this key there are by default two values (name -> data):
    {438755C2-A8BA-11D1-B96B-00A0C90312E1}
    -> Browseui preloader
    {8C7461EF-2B13-11d2-BE35-3078302C2030}
    -> Component Categories cache daemon
    If you are infected with AntiVirGear there will be a third one, and the bad entry is the one not listed above. Its name is a GUID in braces; you will need that GUID again in step 9.
  4. Switch to the Command shell and execute:
    taskkill /IM explorer.exe /F
    or (if taskkill does not exist on your system)
    pskill explorer.exe
  5. This ends explorer.exe, so you no longer have a "shell": no start menu, taskbar or clock. Your Command Prompt and RegEdit windows stay open.
  6. Using ALT+TAB switch to RegEdit. First copy the name of the bad value (the GUID inside the { }, braces included) to the clipboard with CTRL+C, then delete that value from the registry.
  7. Switch to the Command Prompt again and enter "explorer"; this brings back the shell.
  8. The fake system message should be gone.
  9. Switch to RegEdit again, go to HKEY_CLASSES_ROOT and use the "Find" function (CTRL+F). Press CTRL+V to paste the AntiVirGear GUID (the name surrounded by { and }) and search for it.
  10. When RegEdit has found the key (it lives under HKEY_CLASSES_ROOT\CLSID), open it and go to the subkey "InProcServer32". Its default value holds a path like "C:\WINDOWS\SYSTEM32\DAAPO.DLL" (the actual file name may differ).
  11. Delete this file. If Windows refuses because the file is in use, it is still mapped into a process; end explorer.exe again as in step 4, delete the file, and start explorer again.
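The eleven manual steps above, as one script. This is an added example and not code from the original post: it lists the values under the SharedTaskScheduler key, flags any CLSID that is not one of the two stock entries named in step 3, resolves each one's DLL through HKLM\SOFTWARE\Classes\CLSID\{GUID}\InProcServer32, and only with -Remove performs the kill-explorer / delete-value / restart-explorer / delete-DLL sequence. It assumes an elevated PowerShell session (Windows XP did not ship with PowerShell; the manual steps remain the way to do it there). It goes one step beyond the post by also deleting the rogue CLSID key so the class cannot be instantiated again; the $knownGood allowlist and all variable and function names are mine.

```powershell
# Added example, not from the original post. Audit (and optionally clean)
# the SharedTaskScheduler key that AntiVirGear abuses to get its DLL loaded
# into Explorer.exe. Run from an elevated PowerShell. Report-only unless -Remove.
param(
    [switch]$Remove
)

$stsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'

# The two values a clean installation carries (labels as shown by RegEdit).
# Assumption: anything else under this key is suspect and worth a look.
$knownGood = @(
    '{438755C2-A8BA-11D1-B96B-00A0C90312E1}',   # Browseui preloader
    '{8C7461EF-2B13-11d2-BE35-3078302C2030}'    # Component Categories cache daemon
)

function Get-SharedTaskSchedulerEntries {
    # Every value name under the key is a CLSID; the value data is a label.
    $item = Get-ItemProperty -Path $stsKey -ErrorAction Stop
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }   # skip PS* metadata
        $clsid = $prop.Name
        $dll   = $null
        $serverKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32"
        if (Test-Path -LiteralPath $serverKey) {
            # The (Default) value of InProcServer32 is the DLL Explorer loads.
            $raw = (Get-ItemProperty -LiteralPath $serverKey).'(default)'
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
        }
        [pscustomobject]@{
            Clsid = $clsid
            Label = $prop.Value
            Dll   = $dll
            Known = ($knownGood -contains $clsid)   # -contains is case-insensitive
        }
    }
}

function Remove-SharedTaskSchedulerEntry {
    param([Parameter(Mandatory)]$Entry)

    # Explorer keeps the DLL mapped, so drop the shell first (steps 4 and 5).
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 2

    # Step 6: remove the value that makes Explorer load the object.
    Remove-ItemProperty -LiteralPath $stsKey -Name $Entry.Clsid -ErrorAction Stop

    # Beyond the post: drop the COM registration itself so the class is gone too.
    $clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$($Entry.Clsid)"
    if (Test-Path -LiteralPath $clsidKey) {
        Remove-Item -LiteralPath $clsidKey -Recurse -Force
    }

    # Step 7: bring the shell back before touching the file system.
    Start-Process -FilePath 'explorer.exe'

    # Steps 10 and 11: delete the DLL now that nothing has it mapped.
    if ($Entry.Dll -and (Test-Path -LiteralPath $Entry.Dll)) {
        Remove-Item -LiteralPath $Entry.Dll -Force
        Write-Host "Removed $($Entry.Clsid) and deleted $($Entry.Dll)"
    } else {
        Write-Host "Removed $($Entry.Clsid); DLL path not found on disk: $($Entry.Dll)"
    }
}

$entries = @(Get-SharedTaskSchedulerEntries)
$entries | Format-Table Clsid, Known, Label, Dll -AutoSize

$suspect = @($entries | Where-Object { -not $_.Known })
if ($suspect.Count -eq 0) {
    Write-Host 'Only the two stock SharedTaskScheduler entries are present.'
    return
}

if (-not $Remove) {
    Write-Host "$($suspect.Count) unknown entr(y/ies) found. Check the label and DLL above, then rerun with -Remove."
    return
}

foreach ($e in $suspect) { Remove-SharedTaskSchedulerEntry -Entry $e }
```

Run it once without -Remove and read the table: the Dll column tells you which file under \system32 is behind each CLSID, which is exactly the lookup steps 9 and 10 do by hand. Only pass -Remove once you are sure the flagged entry is not something you installed yourself; the script kills Explorer for each removal, so save your work first.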
