Ran into this one yesterday, and Avast 5 Home Edition didn't flinch; it allowed the process to run and
infect my system! Thank goodness I had Sygate firewall running to prompt me that
C:\Documents and Settings\<user>\Local Settings\Application Data\av.exe
was trying to get out to the net.
(I was up to date with the latest program and virus defs for Avast, btw.)
After disconnecting my system from the network, I did a full scan with Avast; still nothing.
Avast stated "you're clean" while Antivirus 2010 loomed in the background and its bogus
shield still sat in my systray.
Researching on a clean machine, I was able to remove it:
Make sure to run Malwarebytes a few times until everything is cleaned. Also bring in SUPERAntiSpyware
(SAS) and run it a few times. It's always a good idea to run the two to allow a "second pair of eyes" to make sure things are clean.
This infection (rogue antivirus) is pretty hot now; you may want to consider looking into
how to prevent it from launching and/or removing it. And get it into the next batch of
updates ASAP for all your flavors of Avast.
Send the sample to virus (at) avast (dot) com, zipped and password protected, with the password in the email body, a link to this topic (it might help), and "undetected malware" in the subject.
If you didn't zip and password protect the sample, it could have been scanned, or your ISP isn't scanning but is blocking based on file type.
In which case you can send the sample from the chest; if it isn't there you need to add it to the chest and send it to avast. It isn't emailed but is uploaded on the next update.
Incidentally, we've disinfected this one today on a testing machine... there's an exe association redirected to the fake AV binary; that's how it controls which executables are about to run. We'll improve the detection soon.
Yep, if you kill the file without fixing the registry (actually in the HKCU and HKU hives), then you cannot open any exe files.
There are two files associated with it: MSASCui.exe and av.exe.

HKEY_CURRENT_USER\Software\Classes\.exe (recursive) →
\shell\open\command (Default) → C:\Documents and Settings\*\Local Settings\Application Data\MSASCui.exe ["C:\Documents and Settings\*\Local Settings\Application Data\MSASCui.exe" /START "%1" %*]

[HKEY_USERS\S-1-5-21-527237240-507921405-839522115-1004\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- C:\Documents and Settings\Advantage\Local Settings\Application Data\av.exe File not found