2010-02-25

Vista Guardian Trojan

The other day, my wife started seeing error messages pop up on her computer saying that the computer was infected with a number of different viruses, worms, etc. All of these popups were coming from "Vista Guardian." She called me immediately, and I told her to shut the computer down because I never installed a virus scanner called Vista Guardian.

Vista Guardian is a fake virus/spyware scanner that shows these messages to make you think your computer is infected with other things. It seems to promote other online scanning tools that you must purchase in order to get these "infections" off of your machine.

Fortunately, I don't run anything as a privileged user, so it seemed to have been isolated to my wife's Windows profile. I was able to reboot into safe mode and run McAfee. It found a file called "av.exe" in the "%UserProfile%\AppData\Local\" folder. It quarantined this file.

After I restarted, I logged in as my wife, thinking that everything was good, only to find that I could not execute any applications. Every time I tried, I would receive error messages such as "What do you want to open this file with?"

After doing some research (and running the scan a couple more times), I found that the Vista Guardian trojan works by modifying the system registry to make it the "shell" to all .exe files. Unfortunately, McAfee only removed the av.exe file but left all of the registry entries. I ran regedit as Admin, but came across nothing. Several web pages mention that it puts entries in HKEY_CURRENT_USER, so I had to figure out how to run regedit in my wife's profile.

Fortunately, this appears to only affect .exe file execution and not .com or .bat files. This is what I did:
  • open "My Computer"
  • navigate to C:\Temp
  • right click, create new Text Document
    • You can name it whatever you want. For this example, I'll call it "exefix"
    • This creates a file called "exefix.txt"
  • double click the file. It will open in Notepad
  • enter the text: "regedit" without the quotes
  • Go to File -> Save As ...
    • This brings up a new dialog window to save the file.
    • Change the "Save as type" dropdown to "All Files"
    • Change the name to "exefix.bat" without the quotes
    • Click Save
  • Close Notepad
  • You should see in your folder two files called "exefix". One is the text file you started with and the other will be the batch script.
  • Double click the "exefix.bat" file (if it opens in Notepad, you double clicked the wrong one)
  • If you did this right, regedit opens up.
From here, I was able to search the registry for "av.exe". I think I found about 4 of them.

All of these entries had the value similar to:
"%UserProfile%\AppData\Local\av.exe" /START "%1" %*

I changed these entries to: "%1" %*
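As an added example (not part of the original post), here is a PowerShell script that audits the registry keys where Windows stores the "open" command for .exe files and reports anything other than the stock value "%1" %* that the post restored. The key paths are the standard Windows locations for the exefile association (the HKCU key is the per-user override the post was hunting for); the function names Get-ExeOpenCommand and Test-ExeAssociation and the -Repair switch are this example's own.

```powershell
# Added example, not from the original post: audit (and optionally restore) the
# command Windows runs when an .exe is opened. A rogue like the one described
# replaces it with its own launcher, e.g.
#   "%UserProfile%\AppData\Local\av.exe" /START "%1" %*
# The stock value for this association is "%1" %*.

$expected = '"%1" %*'

# Standard Windows locations for the exefile "open" command.
# The HKCU key overrides the HKLM one for the logged-in user, which is why an
# elevated regedit in a different account showed nothing.
$keys = @(
    'HKCU:\Software\Classes\exefile\shell\open\command',   # per-user override
    'HKLM:\Software\Classes\exefile\shell\open\command'    # machine-wide default
)

function Get-ExeOpenCommand {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    # The command string is stored in the key's default value, named '(default)'.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'(default)'
}

function Test-ExeAssociation {
    param([switch]$Repair)   # hypothetical switch: without it the script only reports
    foreach ($key in $keys) {
        $value = Get-ExeOpenCommand -Path $key
        if ([string]::IsNullOrEmpty($value)) {
            Write-Host "[info] $key : not set (Windows falls back to the next key)"
            continue
        }
        if ($value -eq $expected) {
            Write-Host "[ok]   $key : $value"
        } else {
            Write-Host "[WARN] $key : '$value' (expected '$expected')"
            if ($Repair) {
                Set-ItemProperty -Path $key -Name '(default)' -Value $expected
                Write-Host "[fix]  $key : restored to '$expected'"
            }
        }
    }
}

# Report only; run as Test-ExeAssociation -Repair to put the stock value back.
# HKCU must be checked while logged in as the affected user; HKLM needs an
# elevated session.
Test-ExeAssociation
```

Because the hijack breaks the .exe file association, double-clicking powershell.exe from the affected profile may fail the same way regedit.exe did. The workaround in the post applies here too: a .bat file containing `powershell -ExecutionPolicy Bypass -File C:\Temp\exefix.ps1` starts PowerShell through cmd.exe rather than through the file association, so it launches even while the association is still pointing at the rogue's av.exe.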
