
FakeAV makes a comeback

In 2008, across my clients, I saw a lot of cases of Windows Antivirus Pro 2008 variants… Towards the end of the year and through most of 2009 I didn’t see a lot of infections. However, it looks like it has regrouped and come back in full force. I’m seeing an escalating number of FAKEAV infections with my clients. I’m still investigating how the infections got there because the users stretch across a lot of different roles … developers, merchandisers and accountants. Unfortunately, Web history and Installed Applications haven’t been a help.

I do, however, now have a remediation plan.

Step 1. Download Combofix from a reputable source on a clean, working workstation.

Step 2. Copy the Combofix executable to a USB drive.

Step 3. Reboot the workstation and load Windows in Safe Mode with Command Prompt.

Step 4. Run the Combofix executable off the USB drive.

Step 5. Let the computer reboot and let Combofix complete.

Step 6. Use an antivirus client other than TrendMicro (as it won’t see the virus… it’s useless, I know) to complete a scan on the remediated workstation. It should come up with an all clear.

Step 7. Return the workstation to the end user.

On the variant that is out right now, this remediation path has been very successful for me. I hope it is for you.

01

12 2009