I’ve got a trojan on my computer that I managed to find using SpyHunter from http://www.enigmasoftware.com/ called av.exe, but when I run avast! Free nothing is detected. The trojan continually (at least once every three minutes) comes up with messages such as “Stealth Intrusion! Infection detected in the background. Your computer is now attacked by spyware and rogue software. Eliminate the infection safely, perfom a security scan and deletion now.” This “security scan” comes up with 31 infected files every time, always the same, in programs like Flash FX, OpenOffice, etc. The false security scan starts every time I restart my computer, as well as the first time I try to open an internet browser after a restart. Any time I try to open an internet browser, it comes up with a message saying that the browser is infected with Trojan-BNK.Win32.Keylogger.gen and asks me to activate Antivirus Vista 2010. Clicking on anything that says it will attempt to “remove” threats or “activate” the antivirus software takes me to a website that looks very much like a Windows website, where it wants me to “register” my Vista 2010 Antivirus software for $50.
Can someone please help me get this off my computer, or update avast so that it will detect this trojan? SpyHunter requires me to pay $40 to remove anything it detects, and I really don’t have that kind of money.
Antivirus Vista 2010, Win 7 Antispyware 2010, and XP Internet Security 2010 are new rogues that are exactly the same program, but are shown with different names and interfaces depending on the version of Windows that it is run on. After I wrote this guide, I was told that this rogue goes under quite a few different names, which I have listed below:
•Antivirus Vista 2010
•Vista Antispyware 2010
•Vista Guardian
•Vista Antivirus Pro
•Vista Internet Security
•Vista Internet Security 2010
•XP Guardian
•XP Antivirus Pro
•XP AntiSpyware 2010
•XP Internet Security
•XP Internet Security 2010
•Antivirus XP 2010
•Antivirus Win 7 2010
•Win7 Guardian
•Win 7 Antivirus Pro
•Win 7 Antispyware 2010
•Win 7 Internet Security
•Win 7 Internet Security 2010
When installed, this rogue pretends to be an update for Windows installed via Automatic Updates. It will then install itself as a single executable called AV.exe that uses very aggressive techniques to make it so that you cannot remove it. First, it makes it so that if you launch any executable it instead launches Antivirus Vista 2010, Win 7 Antispyware 2010, or XP Internet Security 2010. If the original program that you wanted to launch is deemed safe by the rogue, it will then launch it as well. This allows the rogue to determine what executables it wants to allow you to run in order to protect itself. It will also modify certain keys so that when you launch Firefox or Internet Explorer it will launch the rogue instead and display a fake firewall warning. Last, but not least, when you try to browse to a web site, it will hijack your browser and state that the site is a security risk and not allow you to visit it.
The one variant I saw that Avast cleaned did kill the associated keys. In fact, the user downloaded it on my recommendation after I cleaned him; he promptly visited another bad site, but a boot scan killed it dead.
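An added example, not part of the original thread or of the guide quoted in it: a Python check over a registry export that flags the launch hijack the guide describes, where every executable and both browsers are routed through av.exe. The key paths are the standard Windows .exe association and StartMenuInternet browser entries, assumed here to be the "certain keys" the guide means; the sample export, the av.exe path and its /START argument are constructed.

```python
import re

EXE_DEFAULT = '"%1" %*'  # stock Windows command for launching .exe files

# Constructed sample in .reg export syntax (paths and /START are made up).
SAMPLE = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\Users\\user\\AppData\\Local\\av.exe\" /START \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Users\\user\\AppData\\Local\\av.exe\" /START \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
'''

def parse_reg(text):
    """Map each key in a .reg export to its unescaped default (@) value."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and line.startswith('@="') and line.endswith('"'):
            keys[current] = re.sub(r'\\(["\\])', r"\1", line[3:-1])
    return keys

def first_token(command):
    """Lowercased file name of the program a command line starts."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    prog = (m.group(1) or m.group(2)) if m else ""
    return prog.rsplit("\\", 1)[-1].lower()

def audit(keys):
    """Return (key, command) pairs whose open command looks hijacked."""
    findings = []
    for key, cmd in keys.items():
        parts = key.lower().split("\\")
        if parts[-3:] != ["shell", "open", "command"] or len(parts) < 4:
            continue
        cls = parts[-4]  # e.g. exefile, .exe, firefox.exe
        if cls in ("exefile", ".exe"):
            hijacked = cmd != EXE_DEFAULT  # anything else wraps every launch
        else:
            hijacked = "startmenuinternet" in parts and first_token(cmd) != cls
        if hijacked:
            findings.append((key, cmd))
    return findings

if __name__ == "__main__":
    for key, cmd in audit(parse_reg(SAMPLE)):
        print("SUSPICIOUS", key, "->", cmd)
```

Exports written by regedit are UTF-16, so decode the file with that encoding before passing its text to `parse_reg`.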