Peter_Knox


Security Centre reports multiple anti-virus programs.

I have a computer that was infected by the scam AV program Internet Security Suite. I'm pretty sure that I have killed it and a TDSS rootkit using various tools, but Windows Security Center continues to report that it is installed.
The question is this:
Where does Windows get the information it displays in the Security Center? I've scanned the registry but couldn't get any matches on this name. Any suggestions?
ProtechCT

Virus may still be alive. Have you tried ComboFix on the workstation in question?

http://www.bleepingcomputer.com/download/anti-virus/combofix

Source: http://www.precisesecurity.com/rogue/internet-security-suite/

Fake Internet Security Suite Removal Procedures
Manual Removal:
1. Stop Internet Security Suite process by pressing Ctrl+Alt+Del. Windows Task Manager will open. Look for the following process:
ISS(random characters).exe

2. Update your installed anti-virus program.
3. Run a full system scan and clean/delete all detected infected file(s). A manual removal of virus-related files should also be performed.
4. Edit Windows registry and delete Internet Security Suite entries as shown below. [how to edit registry]
5. Exit registry editor.
6. Remove Internet Security Suite start-up entry by going to Start > Run, type msconfig on the “Open” dialog box. System Configuration Utility will open. Go to Startup tab and uncheck the following Startup item(s):
ISS(random characters).exe

7. Click Apply and restart the computer.

Internet Security Suite Removal Tool:
In order to completely remove the threat from a computer, it is best to download and run Malwarebytes Anti-Malware. Sometimes, Trojans will block the downloading and installation of MBAM. If this happens, download it from a clean computer and rename the executable file before executing on the infected computer.

Online Virus Scanner:

Another way to remove a virus from a computer without the need to install an additional anti-virus application is to perform a thorough scan with a free Online Virus Scanner, which can be found on the websites of legitimate computer security providers.

ASKER CERTIFIED SOLUTION
Sudeep Sharma
This solution is only available to members.
Peter_Knox

ASKER

Thanks for the replies, everyone. I should have provided a bit more detail in the original question as to the steps I had already taken to remove this scam. Yes, I used ComboFix and Malwarebytes, and they found and removed a number of items, but the Security Center continued to advise that Internet Security Suite was installed and up to date. I took the drive out of the machine and scanned it with Kaspersky AV on another system. That identified and removed a number of trojans. I used GMER and the Kaspersky TDSS Killer to remove the rootkit. I scanned with Superantispyware and HJT and also used the Panda, Nod32 and Bitdefender online scans. I even gave Spybot S & D a run against it. After all that, the SC was still reporting that this thing was installed and up to date!
There have been no other indications that the program was still active so, at this stage, I'm assuming that it is dead. Sudeep's response answered my question about where the SC gets its information. Using the link in the response I was able to delete the references to the antivirus (and to a firewall from the same source). The only additional information I could find in the WMI test was a reference to AVP inc as the maker.
Points and thanks to Sudeep.
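
The thread points to WMI as the place Security Center keeps its product registrations. As an added example (not part of the thread or of the members-only solution), this PowerShell lists those registrations and flags ones whose executable is gone from disk; it assumes the standard `root\SecurityCenter` (XP) and `root\SecurityCenter2` (Vista and later) namespaces, and the variable names are illustrative.

```powershell
# Added example: enumerate what Security Center has registered in WMI and
# flag leftovers whose product executable no longer exists.
$namespaces = 'root\SecurityCenter2', 'root\SecurityCenter'
$classes    = 'AntiVirusProduct', 'FirewallProduct'

$entries = foreach ($ns in $namespaces) {
    foreach ($class in $classes) {
        # A namespace or class absent on this Windows version is silently skipped.
        $found = Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue
        foreach ($item in $found) {
            # pathToSignedProductExe exists only in SecurityCenter2,
            # companyName only in the older SecurityCenter namespace.
            $exe = $item.pathToSignedProductExe
            if ($exe) { $exe = [Environment]::ExpandEnvironmentVariables($exe) }
            # Only test real file paths; some products register a URI instead.
            $isFile = [bool]($exe -match '^[A-Za-z]:\\')
            New-Object PSObject -Property @{
                Namespace    = $ns
                Class        = $class
                DisplayName  = $item.displayName
                Company      = $item.companyName
                InstanceGuid = $item.instanceGuid
                ProductExe   = $exe
                ExeMissing   = ($isFile -and -not (Test-Path -LiteralPath $exe))
                WmiPath      = $item.__PATH
            }
        }
    }
}

# Everything Security Center currently believes is installed.
$entries | Format-Table Namespace, Class, DisplayName, Company, ExeMissing -AutoSize

# Registrations that outlived their product (or entries you do not recognise
# by DisplayName/Company) are the ones to review.
$stale = $entries | Where-Object { $_.ExeMissing }
$stale | Format-List DisplayName, InstanceGuid, ProductExe, WmiPath

# After confirming an entry is a leftover, it can be deleted from an elevated
# prompt. Left commented out so nothing is removed by accident:
# $stale | ForEach-Object { ([wmi]$_.WmiPath).Delete() }
```

On the older `root\SecurityCenter` namespace there is no executable path to test, so entries there have to be judged by `DisplayName` and `Company` alone.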