• Status: Solved

Security Centre reports multiple anti-virus programs.

I have a computer that was infected by the scam AV program Internet Security Suite. I'm pretty sure that I have killed it and a TDSS rootkit using various tools, but Windows Security Center continues to report that it is installed.
The question is this:
Where does Windows get the information it displays in the Security Center? I've scanned the registry but couldn't get any matches on this name. Any suggestions?
Asked by: Peter_Knox

ProtechCT commented:
Virus may still be alive. Have you tried ComboFix on the workstation in question?

http://www.bleepingcomputer.com/download/anti-virus/combofix

zeshanaziz commented:

Source: http://www.precisesecurity.com/rogue/internet-security-suite/

Fake Internet Security Suite Removal Procedures
Manual Removal:
1. Stop Internet Security Suite process by pressing Ctrl+Alt+Del. Windows Task Manager will open. Look for the following process:
ISS(random characters).exe

2. Update your installed anti-virus program.
3. Run a full system scan and clean/delete all detected infected file(s). A manual removal of virus-related files should also be performed.
4. Edit Windows registry and delete Internet Security Suite entries as shown below. [how to edit registry]
5. Exit registry editor.
6. Remove Internet Security Suite start-up entry by going to Start > Run, type msconfig on the “Open” dialog box. System Configuration Utility will open. Go to Startup tab and uncheck the following Startup item(s):
ISS(random characters).exe

7. Click Apply and restart the computer.

Internet Security Suite Removal Tool:
In order to completely remove the threat from a computer, it is best to download and run Malwarebytes Anti-Malware. Sometimes, Trojans will block the downloading and installation of MBAM. If this happens, download it from a clean computer and rename the executable file before executing on the infected computer.

Online Virus Scanner:

Another way to remove a virus from a computer without the need to install an additional anti-virus application is to perform a thorough scan with a free Online Virus Scanner, which can be found on the websites of legitimate computer security providers.

Sudeep Sharma (Technical Designer) commented:
Check this article from rpggamergirl and remove any AV listed under Security Center.

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2088-Can%27t-Install-an-Antivirus-Windows-Security-Center-still-detects-previous-AV.html

I hope that would help.

Sudeep

Peter_Knox (Author) commented:
Thanks for the replies everyone. I should have provided a bit more detail in the original question as to the steps I had already taken to remove this scam. Yes, I used ComboFix and Malwarebytes, and they found and removed a number of items, but the Security Center continued to advise that Internet Security Suite was installed and up to date. I took the drive out of the machine and scanned it with Kaspersky AV on another system. That identified and removed a number of trojans. I used GMER and the Kaspersky TDSS Killer to remove the rootkit. I scanned with Superantispyware and HJT and also used the Panda, Nod32 and Bitdefender online scans. I even gave Spybot S & D a run against it. After all that the SC was still reporting that this thing was installed and up to date!
There have been no other indications that the program was still active so, at this stage, I'm assuming that it is dead. Sudeep's response answered my question about where the SC gets its information. Using the link in the response I was able to delete the references to the antivirus (and to a firewall from the same source). The only additional information I could find in the WMI test was a reference to AVP inc as the maker.
Points and thanks to Sudeep
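
What the thread arrives at, shown as an added example that is not part of the original posts: Security Center keeps its product list in WMI, not in an ordinary registry value, so a registry search on the product name finds nothing. The function name `Get-SecurityCenterRegistration` is hypothetical; the namespaces and class names are the ones Windows uses for Security Center.

```powershell
# Added example: list every product Windows Security Center has registered in WMI.
# root\SecurityCenter is used by XP SP2 and later, root\SecurityCenter2 by Vista and later.
function Get-SecurityCenterRegistration {
    $classes = 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct'
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        foreach ($class in $classes) {
            # A namespace or class that does not exist on this OS version is skipped.
            try { $items = Get-WmiObject -Namespace $ns -Class $class -ErrorAction Stop }
            catch { continue }
            foreach ($item in $items) {
                # pathToSignedProductExe is only present in SecurityCenter2.
                $exe = $item.pathToSignedProductExe
                $exists = $null
                if ($exe) {
                    $full = [Environment]::ExpandEnvironmentVariables($exe)
                    # Only test values that look like a local file path.
                    if ($full -match '^[A-Za-z]:\\') { $exists = [IO.File]::Exists($full) }
                }
                New-Object PSObject -Property @{
                    Namespace    = $ns
                    Class        = $class
                    DisplayName  = $item.displayName
                    Company      = $item.companyName   # populated in root\SecurityCenter
                    InstanceGuid = $item.instanceGuid
                    ExeExists    = $exists             # $null when no path is recorded
                    WmiObject    = $item
                }
            }
        }
    }
}

# Review first: an unfamiliar DisplayName or Company, or ExeExists = False,
# points at a registration left behind by a product that is no longer installed.
Get-SecurityCenterRegistration |
    Select-Object Namespace, Class, DisplayName, Company, ExeExists, InstanceGuid |
    Format-Table -AutoSize

# After confirming the product itself is gone, one leftover entry can be deleted
# from an elevated prompt (the display name below is a placeholder):
# Get-SecurityCenterRegistration |
#     Where-Object { $_.DisplayName -eq '<display name from the table>' } |
#     ForEach-Object { $_.WmiObject.Delete() }
```

Deleting the registration only clears the stale Security Center entry; it does not remove any files or services, so it belongs after the cleanup scans, not in place of them.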