AV Security 2012v121.exe Rogue Antivirus Program


A user reported that she wasn't able to open Word and Excel documents. When I checked the system I found rogue antivirus software was preventing programs from running. When I tried to take a screen snapshot and paste it into Microsoft's Paint program, I saw the message below:

Security Warning

The file 'mspaint.exe' is infected. Running of applications is impossible

Please activate your antivirus software.

The Paint program appeared to open briefly then immediately close. The same thing happened with any other program I tried to run including the Task Manager.

The rogue antivirus software gave me the options of "repair files now" or "leave", but would not exit when I chose "leave". I clicked on a "purchase full version" link to see what would happen and was presented with a window where credit card information was requested. The cost was shown as $52 USD (a $49 USD transaction amount and a $3 USD transaction fee).

Using Ctrl-Alt-Del, I was able to access the option to Switch User and log in as the administrator. I then ran Task Manager and looked at the running processes. I saw one with an image name of "AV Security 2012v121.exe *32".

Taskmgr AV Security 2012v121.exe *32 process

I right-clicked on the process and chose Properties. I checked the location for the file and found it was a 2.65 MB (2,783,232 bytes) file at C:\Users\Jean\AppData\Roaming\PA00ucS2bD3

When I clicked on the Details tab, I saw what looked like a Russian file description and the language listed for the file was Russian. The "original filename" was docprop2.dll.

AV Security 2012v121.exe file details

When I looked in the C:\Users\Jean\AppData\Roaming\PA00ucS2bD3 folder, I saw just one file, AV Security 2012v121.exe.

C:\Users\Administrator>dir C:\Users\Jean\AppData\Roaming\PA00ucS2bD3

 Volume in drive C is OS
 Volume Serial Number is D6DD-50D8

 Directory of C:\Users\Jean\AppData\Roaming\PA00ucS2bD3

11/15/2011  12:56 PM    <DIR>          .
11/15/2011  12:56 PM    <DIR>          ..
11/15/2011  12:56 PM         2,783,232 AV Security 2012v121.exe
               1 File(s)      2,783,232 bytes
               2 Dir(s)  257,322,262,528 bytes free

I uploaded the file to Virustotal, a site that scans uploaded files for malware using multiple antivirus products. Six of the forty-two antivirus products with which Virustotal scanned the file reported it as containing malware. The others reported it as uninfected.

Antivirus          Version        Last Update   Result
AntiVir            7.11.17.176    2011.11.15    TR/Crypt.XPACK.Gen
ByteHero           1.0.0.1        2011.11.14    Trojan.Malware.Obscu.Gen.002
Kaspersky          9.0.0.837      2011.11.16    Trojan.Win32.Jorik.Gbot.rsf
McAfee             5.400.0.1158   2011.11.16    Artemis!42AAA2FD8006
McAfee-GW-Edition  2010.1D        2011.11.15    Artemis!42AAA2FD8006
Symantec           20111.2.0.82   2011.11.16    Suspicious.Cloud.5

Virustotal report for AV Security 2012v121.exe

Since Virustotal reported that the AVG antivirus software did not detect the file as infected, I submitted the file to AVG using their virus sample submission page, Sample scanning.

Update: when I checked again on 2011-11-16 the Virustotal report generated on 2011-11-15, the date I submitted the file, I saw the following:

There is a more up-to-date report (7/42) for this file.

Panda was now also reporting the file as infected with virus definitions from the prior day.

Antivirus   Version    Last Update   Result
Panda       10.0.3.5   2011.11.15    Suspicious file

I also submitted the file for analysis to Jotti's malware scan, another site that will scan submitted files with multiple antivirus programs. Only two of the nineteen antivirus programs it used reported the file as infected. Those were AntiVir and Kaspersky.

Jotti's malware scan report for AV Security 2012v121.exe

I also submitted the file to VirSCAN.org, another site that uses multiple antivirus programs, for analysis. Two out of the thirty-seven antivirus programs it used detected the file as malware. They were AntiVir and Kaspersky.

VirSCAN.org report for AV Security 2012v121.exe

Since the free version of Malwarebytes' Anti-Malware was on the system, I updated its virus definitions and performed a full scan of the system using that software. Version 1.51.2.1300 was on the system. The free version performs on-demand rather than real-time scanning, so it would not have been able to detect the presence of the rogue antivirus product until I scanned the system manually. I killed the AV Security 2012v121.exe process using the Task Manager while the scan was running.

The Malwarebytes' Anti-Malware scan reported the following when it completed.

The scan completed successfully.
Objects scanned: 378712
Objects infected: 28

Scan type: Full scan (C:\|)
Time elapsed: 31 minute(s), 27 second(s)

Malwarebytes' Anti-Malware Log File

I analyzed the AV Security 2012v121.exe file with FileAlyzer to determine its exact creation time down to the second. I found it was created on Tuesday, November 15, 2011 at 12:56:04 PM.

FileAlyzer analysis

IEHistoryView was on the system so I used it to check the last visited website prior to AV Security 2012v121.exe appearing on the system. I found the following site accessed immediately prior to it appearing:

URL                          Title   Modified Date
meviomusicvideos.mevio.com           11/15/2011 12:56:01

I had Malwarebytes' Anti-Malware remove what it found and reboot, but I found it didn't actually remove the file AV Security 2012v121.exe. When the system first rebooted, I logged into the user's account and saw the same issues as when I initially checked the system. So I removed it and its containing directory manually by switching to the administrator account, using Task Manager to kill the running AV Security 2012v121.exe process and then deleting the file and the directory within which I found it. I then switched back to the user's account and used regedit to remove the following registry keys from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

"MouseOnlineService"="rundll32.exe \"C:\\ProgramData\\MouseOnlineService.dll\",DllRegisterServer"
"dZqjjCCkIVrO8234A"="C:\\Users\\Jean\\AppData\\Roaming\\PA00ucS2bD3\\AV Security 2012v121.exe"
"C6F.exe"="C:\\Users\\Jean\\AppData\\Roaming\\Microsoft\\DDFD\\C6F.exe"

Exported registry key file
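The three Run values above share traits that make them stand out in an exported registry file: a launch path under the user's AppData\Roaming, a rundll32 call loading a DLL from ProgramData, and a value name that looks randomly generated. The following script is an added example, not part of the original post or any tool it mentions; it parses regedit's export syntax and applies those three heuristics to a constructed sample made from the post's entries plus one benign entry (the "ExampleUpdater" path is assumed, not from the post).

```python
import re

# Constructed sample in regedit export syntax: the three Run values quoted in
# the post plus one benign entry added for contrast (assumed, not from the post).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MouseOnlineService"="rundll32.exe \"C:\\ProgramData\\MouseOnlineService.dll\",DllRegisterServer"
"dZqjjCCkIVrO8234A"="C:\\Users\\Jean\\AppData\\Roaming\\PA00ucS2bD3\\AV Security 2012v121.exe"
"C6F.exe"="C:\\Users\\Jean\\AppData\\Roaming\\Microsoft\\DDFD\\C6F.exe"
"ExampleUpdater"="\"C:\\Program Files\\ExampleVendor\\Updater.exe\" /silent"
'''

# A string value line: "name"="data", where backslashes and quotes are escaped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # regedit doubles backslashes and escapes embedded quotes in string data
    return re.sub(r'\\(.)', r'\1', s)

def parse_run_values(reg_text):
    """Return {value name: command line} for string values under a ...\\Run key."""
    values, in_run = {}, False
    for line in reg_text.splitlines():
        if line.startswith('['):
            in_run = line.rstrip(']').lower().endswith(r'\currentversion\run')
            continue
        m = VALUE_RE.match(line) if in_run else None
        if m:
            values[unescape(m.group(1))] = unescape(m.group(2))
    return values

def suspicious_reasons(name, command):
    """Heuristics drawn from the post's three entries; each is a hint, not proof."""
    reasons, cmd = [], command.lower()
    if '\\appdata\\roaming\\' in cmd or '\\appdata\\local\\temp\\' in cmd:
        reasons.append('runs from user profile AppData path')
    if cmd.lstrip('"').startswith('rundll32') and '\\windows\\' not in cmd:
        reasons.append('rundll32 loads a DLL outside the Windows directory')
    case_flips = len(re.findall(r'[a-z][A-Z]', name))  # crude randomness check
    if len(name) >= 10 and re.search(r'\d', name) and case_flips >= 3:
        reasons.append('random-looking value name')
    return reasons

def triage(reg_text):
    """Map every Run value in the export to the list of heuristics it trips."""
    return {n: suspicious_reasons(n, c) for n, c in parse_run_values(reg_text).items()}

if __name__ == '__main__':
    for name, reasons in triage(SAMPLE_REG).items():
        print(f"{name!r}: {', '.join(reasons) or 'no findings'}")
```

Run it against a file exported from regedit (File > Export on the Run key) to get a quick shortlist; the benign "ExampleUpdater" entry trips nothing, while the three entries from the post each trip at least one heuristic.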


Created: Monday, November 15, 2011