Over the last few months, and years actually, I have been removing those annoying, pesky Scareware programs that pop up when your computer starts telling you that you have all these infections and offering to remove them if you purchase their software. Most of the time these programs look like and attempt to represent a Microsoft-branded program. Occasionally they try to represent a legitimate antivirus company such as Norton. Once in a while I’ve seen one trying to follow trending topics, such as the eco-friendly “Green AV”. Then there are the ones that just look like a very crappily designed program with a horrible UI.

The point I’m trying to get at is that these things sneak by AV programs such as Norton, McAfee, AVG, etc., without being detected in the slightest. My question is why.

Almost every one of these Scareware .exes does the same thing. They are almost always a single .exe file hiding in either the programs folder or the user’s ApplicationData folder. No big problem there. They are easy to find. My issue is that they all have been disabling regedit.exe, cmd.exe, the msconfig utility, and Task Manager. This is done by adding a couple of registry keys to the HKLM or HKCU hives. That’s pretty straightforward to fix: find the Scareware .exe, delete it, remove it from the registry, then edit the registry to turn all of the preceding utilities back on.

My question is why the big-name AV programs can’t write a signature to find the one-file .exes that are editing the registry and starting in the user’s shell or replacing the userinit.exe startup. Just curious. That’s all.
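As an added example (not from the original post), the cleanup check described above can be run offline against a `reg export` text dump to list the policy values that disable the utilities and any non-default Winlogon `Shell`/`Userinit` entry. The post does not name the values, so the well-known `DisableTaskMgr`, `DisableRegistryTools` and `DisableCMD` values and a Windows install at `C:\Windows` are assumptions, and the sample export is constructed.

```python
import re

# Well-known Windows values, assumed to be the ones the post alludes to (it names none).
POLICY_VALUES = {"disabletaskmgr", "disableregistrytools", "disablecmd"}
WINLOGON_DEFAULTS = {  # stock data under ...\Windows NT\CurrentVersion\Winlogon
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",  # assumes C:\Windows
}

# Constructed sample in `reg export` text format; the user and file name are made up.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\demo\\AppData\\Roaming\\av_sample.exe,"
'''

def audit_reg_export(text):
    """Return (key, value_name, data, reason) for each suspicious entry."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # remember which key the following values belong to
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m or key is None:
            continue
        name, raw = m.group(1), m.group(2)
        lname, lkey = name.lower(), key.lower()
        if lname in POLICY_VALUES and raw.lower().startswith("dword:"):
            if int(raw[6:], 16) != 0:  # any non-zero value turns the restriction on
                findings.append((key, name, raw, "utility disabled by policy value"))
        elif lkey.endswith(r"\currentversion\winlogon") and lname in WINLOGON_DEFAULTS:
            data = raw.strip('"').replace("\\\\", "\\")  # undo .reg backslash escaping
            if data.lower() != WINLOGON_DEFAULTS[lname]:
                findings.append((key, name, data, "non-default logon program"))
    return findings

if __name__ == "__main__":
    for finding in audit_reg_export(SAMPLE_REG):
        print(" | ".join(finding))
```

Any extra program listed in a flagged `Userinit` or `Shell` entry points at the executable to remove before the policy values are reset.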