Fighting one nasty virus: Internet Security 2010

My wife’s Acer Aspire laptop has acquired one incredibly vicious virus, Internet Security 2010. Her laptop is running Windows XP SP3 with all the latest updates, and Avast was running at the time of the infection, which occurred some time in the past 4 days. Internet Security 2010 is hostageware. It pretends to be an anti-virus program, and tries to extort $50 out of you for activation. Here is all the damage this virus has done:

  • It disabled the task manager. The task manager selection is grayed out from the taskbar menu. Attempting to select it produces the message “This application has been disabled by your administrator.”

  • I can’t run the task manager, regedit, or a command prompt from the Start menu Run field, or from clicking on their icons.

  • The background desktop image has been replaced with a large message “your system is infected.” The background cannot be changed from the Display Properties.

  • Avast is still running, but it appears to be compromised. Resident protection is set to Disabled. If I try to set it to High, it is forced back to Disabled. I suspect the virus is doing this.

  • Here’s a nasty one. It filters web access. I can go to Google, but access to anti-malware sites is selectively blocked. If I go to Wikipedia, it says “Your computer is infected. Activate your antivirus software.”

  • If I attempt to boot in safe mode, the virus is still active.

  • If I run a full scan from Avast, it finds 209 corrupt files/registry entries. On reboot, the files are removed by Avast, and then reinstalled by the virus during startup.

  • If I try to install Malwarebytes, the virus freezes the install process.

After spending 6 hours fighting this beast directly on the laptop, I decided to bring out the big guns. I’ve set up a new sandbox computer for the sole purpose of nuking this virus. The system has a fresh install of XP with SP3, all updates, a fresh install of Avast with an up-to-date database and high security enabled, and Malwarebytes installed for good measure. As sophisticated as this virus is, I’m sure there’s a root-kit on the laptop drive. I’m going to connect it to the new computer as a D: drive, and have Avast attack it with a thorough scan on reboot. Then I’ll follow up with a Malwarebytes run.

Will Avast check registry entries on a drive if it isn’t the main boot drive? I need to make sure every trace of this rotter is gone before I put the drive back in the laptop. I’m also going to disconnect all internet access to the sandbox computer before doing the cleansing. Can anyone think of any other precautions I can take to protect the C: drive, or does this sound sufficient?
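The question above about whether the registry on a non-boot drive gets checked can be answered by hand: the offline hives can be loaded into the clean machine's registry with `reg load` and inspected without booting the infected system. The batch script below is an added example for that triage, not something from the post or from Avast; it assumes the infected drive is mounted as D:, that its Windows folder is D:\WINDOWS, and that the user profile lives under D:\Documents and Settings\USERNAME (USERNAME is a placeholder to replace). It only lists the usual persistence and policy locations (Run keys, Winlogon Shell/Userinit, the Policies\System values that grey out Task Manager and regedit) plus the hosts file, which is one common place local web filtering shows up; it changes nothing, so the scan tools still do the actual removal.

```batch
@echo off
rem Added example: read-only triage of an infected XP drive mounted as D: on a clean machine.
rem Run from an administrator command prompt on the clean (sandbox) system, with networking disconnected.
rem Assumed paths (standard XP layout; USERNAME is a placeholder):
set OFFSW=D:\WINDOWS\system32\config\software
set OFFUSER=D:\Documents and Settings\USERNAME\NTUSER.DAT

rem Mount the offline SOFTWARE hive and the user's NTUSER.DAT under temporary key names.
reg load HKLM\OffSoft "%OFFSW%" || goto :fail
reg load HKU\OffUser "%OFFUSER%" || goto :fail

echo === Machine-wide autostart entries (HKLM ...\Run) ===
reg query "HKLM\OffSoft\Microsoft\Windows\CurrentVersion\Run"

echo === Per-user autostart entries (HKCU ...\Run) ===
reg query "HKU\OffUser\Software\Microsoft\Windows\CurrentVersion\Run"

echo === Winlogon Shell and Userinit (expected: explorer.exe and ...\userinit.exe,) ===
reg query "HKLM\OffSoft\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
reg query "HKLM\OffSoft\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit

echo === Policy values that disable Task Manager / regedit (DisableTaskMgr, DisableRegistryTools) ===
reg query "HKU\OffUser\Software\Microsoft\Windows\CurrentVersion\Policies\System"

echo === hosts file (anything other than 127.0.0.1 localhost deserves a look) ===
type "D:\WINDOWS\system32\drivers\etc\hosts"

rem Always unmount the hives before disconnecting the drive.
reg unload HKU\OffUser
reg unload HKLM\OffSoft
goto :eof

:fail
echo Could not load one of the offline hives; check the paths in OFFSW and OFFUSER.
reg unload HKU\OffUser 2>nul
reg unload HKLM\OffSoft 2>nul
```

Because the hives are loaded from the secondary drive, nothing on it executes; the output just tells you which autostart entries and policy values the cleanup has to leave behind. If DisableTaskMgr or DisableRegistryTools still show a value of 1 after the scans, or Shell/Userinit point anywhere unexpected, that is a sign something was missed before the drive goes back into the laptop.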

Have a look at these links, they are slightly different, but informative.

http://www.bleepingcomputer.com/virus-removal/remove-internet-security-2010
http://www.2-spyware.com/remove-internet-security-2010.html