Sunday, May 10, 2009

Bootleg... AVG?

A friend of mine at Adventure Crossing brought me a computer from a friend of theirs that reportedly had a virus. On boot I ran into something I've literally never seen before: running on startup was a "Personal AntiVirus" application that had the exact same layout and GUI elements as Grisoft's free AVG anti-virus application. The computer did have AVG 8.0 installed, but any calls made to the AVG application were redirected to the Personal AntiVirus application. The new PAV app would find and detect multiple viruses, then refuse to remove those viruses without an expensive licensing key.

What happened was this: Internet Explorer had been infected by a malicious ActiveX control. The malicious ActiveX control apparently contains a list of legitimate sites, such as Microsoft's Windows Update, and upon visiting these sites users are given an IE-style information bar saying the page is infected with malicious software. The user is directed to install the faux copy of AVG, which uses the gaping security hole that is ActiveX to take over system functions.

While such problems can be prevented primarily by NOT USING INTERNET EXPLORER AT ALL, much less using Windows at all, my fix was pretty simple.

I dropped to safe mode and installed an updated version of SpyBot Search and Destroy, which let me eliminate the Personal AntiVirus entry from the startup menu and trash the ActiveX components. Also in safe mode, I deleted the PAV folder from Program Files and cleared out the start menu entries under C:\Documents and Settings.

Once the system was back up, I installed and ran AVAST. Recently I've tended to prefer AVAST for Windows AV needs. AVG has gained quite a bit of bloat in recent versions, and while it is still a fairly competent malicious-software solution, much more so than the competing products from Symantec or McAfee, it's moving out of the light-on-system-resources market.

Also, if you have a good Windows XP disc that matches the installed version, I'd suggest running `sfc /scannow` to check system components. In my case, several files had to be replaced from the disc, though I don't know how much of that was due to the particular problem the computer was brought to me for.
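The cleanup above was done by hand with SpyBot and Explorer. As an added example (not part of the original post, and not SpyBot's or AVG's code), here is a read-only PowerShell inventory of the places a rogue "antivirus" like this one has to touch to come back after a reboot: the Run/RunOnce keys, the per-user and all-users Startup folders, Internet Explorer's Browser Helper Objects, and the Downloaded Program Files folder where IE keeps installed ActiveX controls. It flags entries whose executable lives in a user-writable location or carries no valid Authenticode signature. The registry paths and folder names are the standard Windows ones; the flagging rules are an assumption of mine, not something the post describes.

```powershell
# Added example: enumerate autostart and IE extension locations a rogue AV
# would use to persist, and flag entries worth a closer look. Read-only.
# Run from an elevated PowerShell (Safe Mode is fine); PowerShell 2.0+.

function Get-AutostartInventory {
    [CmdletBinding()]
    param()

    $results = New-Object System.Collections.Generic.List[object]

    # 1. Run / RunOnce keys for the machine and the current user.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $results.Add((New-Entry -Source $key -Name $p.Name -Value ([string]$p.Value)))
        }
    }

    # 2. Startup folders (Start Menu\Programs\Startup, per-user and all-users).
    foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                          [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            $results.Add((New-Entry -Source $folder -Name $_.Name -Value $_.FullName))
        }
    }

    # 3. IE Browser Helper Objects: each subkey is a CLSID; the DLL that IE
    #    loads is the default value of that CLSID's InprocServer32 key.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoKey) {
        foreach ($clsid in (Get-ChildItem -Path $bhoKey | ForEach-Object { $_.PSChildName })) {
            $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            $dll = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' }
                   else { '<no InprocServer32 key>' }
            $results.Add((New-Entry -Source 'BHO' -Name $clsid -Value ([string]$dll)))
        }
    }

    # 4. ActiveX controls installed by IE (the "Downloaded Program Files" folder).
    $dpf = Join-Path $env:windir 'Downloaded Program Files'
    if (Test-Path $dpf) {
        Get-ChildItem -Path $dpf | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            $results.Add((New-Entry -Source $dpf -Name $_.Name -Value $_.FullName))
        }
    }

    return $results
}

# Build one inventory row and attach the signature status and a flag.
function New-Entry {
    param([string]$Source, [string]$Name, [string]$Value)

    $path = Get-ExecutablePath -CommandLine $Value
    $sig  = 'n/a'
    if ($path -and (Test-Path $path)) {
        $sig = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
    }

    # Assumed heuristic: user-writable locations or an unsigned/invalid binary.
    $userWritable = @($env:TEMP, $env:APPDATA, $env:USERPROFILE, $env:ProgramData) |
        Where-Object { $_ } | ForEach-Object { $_.ToLower() }
    $inUserDir = $false
    if ($path) {
        foreach ($d in $userWritable) { if ($path.ToLower().StartsWith($d)) { $inUserDir = $true } }
    }
    $flag = ($sig -ne 'Valid') -or $inUserDir

    New-Object PSObject -Property @{
        Source = $Source; Name = $Name; Command = $Value
        Path = $path; Signature = $sig; Flag = $flag
    }
}

# Pull the program path out of a Run-key command line: a quoted path, or the
# first token ending in .exe/.dll/.ocx. Returns $null if nothing matches.
function Get-ExecutablePath {
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $m = [regex]::Match($CommandLine, '^\s*"([^"]+)"')
    if ($m.Success) { return [Environment]::ExpandEnvironmentVariables($m.Groups[1].Value) }
    $m = [regex]::Match($CommandLine, '^\s*(\S+\.(exe|dll|ocx))', 'IgnoreCase')
    if ($m.Success) { return [Environment]::ExpandEnvironmentVariables($m.Groups[1].Value) }
    return $null
}

# Usage: list everything, flagged rows first.
Get-AutostartInventory | Sort-Object Flag -Descending |
    Format-Table Flag, Signature, Source, Name, Command -AutoSize
```

A flagged row is a lead, not a verdict: plenty of legitimate XP-era software ran unsigned from Program Files. Once you have confirmed an entry belongs to the rogue application, the manual equivalent of what SpyBot did is `Remove-ItemProperty -Path <Run key> -Name <entry>` for a registry entry, or deleting the shortcut from the Startup folder, followed by removing the program folder itself and then `sfc /scannow` to put back any system files it replaced.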
