A Practical Guide to Windows AntiVirus Adviser Malware


by News Editor on January 30th, 2015 in Security Tips.

Our friends at InfoSec Institute have once again kindly written a great blog post, this time on how to remove Windows AntiVirus Adviser. Let's see what Kim Crawley (our guest writer) has to say about this PUP, along with step-by-step instructions on how to remove it.

Before I got into writing about information security full time, I worked in tier two remote tech support. From about 2009 until 2011, I removed malware from Windows clients constantly. Several tickets per day involved removing Windows malware.

Further into 2009, I noticed that a lot of the malware I had to remove were rogue antivirus programs, otherwise known as scareware. The scareware I faced never ceased. My colleagues dealt with the same. If there was no call on my headset, I could overhear what they were saying to customers. At least a couple of times per day, I could hear a colleague say something like this:

“No, that's not your real antivirus program. What you're looking at is the virus. No! Don't enter your credit card information, it's a scam. No! I know you want it to go away. I can make it go away. Just boot into safe mode, and I'll remote into your machine. No, don't give them money! No!”

Exasperatingly, I'd have to say the same thing at least a few times per week. “But I just want it to go away! I'm going to get my card out...” “No, Mr. Customer, I'll fix it for you. Please don't!”

Although I haven't done much consumer support since 2011, scareware has just gotten more and more frequent and widespread. The scareware problem started with Windows, but ever since, very similar rogue antivirus scareware has been found for Mac OS X and Android.

Now it's 2015. And although there are rogue antivirus programs for multiple platforms now, it's still a huge problem in Windows. Windows AntiVirus Adviser illustrates that.

One of the first clues that Windows AntiVirus Adviser is malicious is the name of the program itself. “AntiVirus” is unusual syntax, and “Adviser” is spelled incorrectly. Legitimate antivirus software developers use correct spelling and proper syntax (“Antivirus,” not “AntiVirus”) in their products. Another clue is how generic the name is.

Like pretty much all other rogue antivirus programs, Windows AntiVirus Adviser mimics a UI design that should be familiar to Windows end users. Windows Security Center has been a component of Windows since Windows XP, and the Windows AntiVirus Adviser UI imitates the Windows Security Center UI that can be seen in XP, Vista, and 7.

To the uninitiated, Windows Security Center checks to make sure that an antivirus program is installed and running, Windows Firewall or a substitute OS firewall is installed and running, and that Automatic Updates (Windows OS patches) is enabled. In a properly configured and legitimate Windows installation, Windows Security Center and a legitimate antivirus program can be found. The UIs for each should be separate. Many legitimate Windows antivirus programs run based on subscriptions that a user or their employer pays for. If the subscription time period has expired, the antivirus program may stop installing antivirus signatures (“updates”), or stop operating, or both. Legitimate programs that operate like that may have a button in their UI to buy another subscription. But no such function exists in Windows Security Center. At most, you may be able to launch your antivirus program's UI from Windows Security Center.

Another suspicious detail I notice in Windows AntiVirus Adviser's UI is that although it says “Windows AntiVirus Adviser” in the window title (top left), the main heading inside the window (blue bar) says “Windows Advanced Security Center.” Hmmm...

Like most other rogue antivirus programs, Windows AntiVirus Adviser does its best to prevent a user from launching any other application. So, how do you get infected with the damn thing?

Windows AntiVirus Adviser screenshot, courtesy of PCRisk.com

Reports have noted that users get infected via the web. There may be some websites that were designed to be a vector for Windows AntiVirus Adviser. But what happens a lot more frequently is that malware infects completely innocent webpages. There are vulnerabilities in Microsoft's IIS web server in particular that can be exploited to host malware distribution. If an Apache web server hasn't been properly configured, it can host malware as well. CMSes such as WordPress are used by most webpages these days. If a CMS's configuration, or the configuration of the MySQL database underneath it, is insecure, that also makes a website much more vulnerable to infection.

Web developers need to make sure that their web server machines are properly security hardened, complete with antivirus scans that use daily signatures. Users need to make sure that they run frequently updated antivirus software as well. Zero day attacks can always happen, but the vast majority of scareware infections can be prevented with recent antivirus signatures.

Users who have reported Windows AntiVirus Adviser infections have noted that they've seen the following two screens before the scareware was installed.

Windows AntiVirus Adviser screenshot, courtesy of PCRisk.com

The first screen is a spoofed malware alert. Word to the wise -- there's no Windows component called “Windows Web Security.”

The second is a spoofed Microsoft Security Essentials screen. There is a legitimate antivirus application from Microsoft called Microsoft Security Essentials. But none of its screens look quite like that, and legitimate MSE would never identify regedit.exe as malware. Regedit.exe is a crucial Windows component that allows an administrator to make direct changes to the Windows Registry!

If a user clicks “Remove all” at the first screen, and “Scan Online” at the second, Windows AntiVirus Adviser will be installed. It's a bugger to remove, but I'll explain how.

First Removal Method

1. Boot into Windows Safe Mode by repeatedly hitting the F8 key as your machine boots up. Safe mode launches only some core Windows services, so it usually prevents malware from running.

2. Navigate to C:\Users\Your_Username\appdata\roaming\ either via the command prompt or the Windows Explorer file manager.

3. In that folder, you'll find the malicious Windows executable. Its name is svc- followed by four random characters and the .exe extension, such as svc-hqkl.exe. Rename the file to something memorable that doesn't duplicate another existing filename. I'd rename it to something like i_know_that_youre_malware_and_i_will_get_rid_of_you.exe, but you may give the file a different name if you'd like.

4. Because the malicious registry key that accompanies the malware looks for a file with its previous name to execute, renaming the file will prevent the malware from executing, and so from blocking you from launching legitimate applications. Reboot your machine into normal Windows.

5. Launch your legitimate antivirus application, update its signatures, and run a scan of your C drive. Your antivirus application will quarantine any malware that it finds, for removal upon rebooting. If you don't already have a legitimate antivirus application or you're dissatisfied with the one you have (as you likely should be), download and install Lavasoft's Ad-Aware Free Antivirus+. It's freeware, and when set up properly, it'll always update with the latest signatures and give your Windows machine reliable antivirus protection. Additional security features can be enjoyed if you install Ad-Aware Personal Security, Ad-Aware Pro Security, or Ad-Aware Total Security. All of those security applications come with a free trial that you can download here

6. After your antivirus scan and quarantine, you may want to fix the possible damage that Windows AntiVirus Adviser has done to your Windows Registry. There are a lot of malicious applications out there that are advertised as being able to fix your registry. Don't be fooled. Install a legitimate registry fixer instead! Lavasoft's Registry Tuner is one of the best out there, and you can give it a free trial before you decide to purchase it. 

7. After you run a registry fix, reboot your machine normally. Everything should now be back to normal, and now you're much safer from nasty malware like Windows AntiVirus Adviser than you were before.
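Steps 2 to 4 above can be scripted. The following PowerShell sketch is an added example, not part of the original post or of any vendor tool: it lists files in each profile's AppData\Roaming folder whose name fits the svc-XXXX.exe pattern, records a SHA-256 hash, and renames them only when asked. It assumes PowerShell 4.0 or later (for Get-FileHash), that the four random characters are letters or digits, and that it is run from Safe Mode; the parameter names are hypothetical.

```powershell
# Added example: locate and neutralise the svc-XXXX.exe file from steps 2-4.
# Assumptions: PowerShell 4.0+, four random characters are letters or digits.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Folder that holds the user profiles; C:\Users matches the path in step 2.
    [string]$ProfilesRoot = 'C:\Users',
    # Rename matches (step 3) instead of only reporting them.
    [switch]$Neutralise
)

$pattern = '^svc-[a-z0-9]{4}\.exe$'   # e.g. svc-hqkl.exe; -match ignores case

$hits = Get-ChildItem -Path $ProfilesRoot -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $roaming = Join-Path $_.FullName 'AppData\Roaming'
        if (Test-Path -LiteralPath $roaming) {
            # Top level only: the guide places the file directly in Roaming.
            Get-ChildItem -LiteralPath $roaming -File -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -match $pattern }
        }
    }

foreach ($file in $hits) {
    # Hash first, so the sample can still be identified after the rename.
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path     = $file.FullName
        Size     = $file.Length
        Modified = $file.LastWriteTime
        SHA256   = $hash
    }

    if ($Neutralise) {
        # The autostart entry looks for the old name, so any new name stops it.
        # A timestamped, non-.exe name avoids colliding with an existing file.
        $newName = '{0}.quarantined-{1:yyyyMMddHHmmss}' -f $file.Name, (Get-Date)
        if ($PSCmdlet.ShouldProcess($file.FullName, "Rename to $newName")) {
            Rename-Item -LiteralPath $file.FullName -NewName $newName
        }
    }
}

if (-not $hits) {
    Write-Warning "No svc-XXXX.exe file found under $ProfilesRoot\*\AppData\Roaming"
}
```

Run it without switches first to review the matches, then with `-Neutralise -WhatIf` to preview the renames before committing to them.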

Second Removal Method

You may prefer to try this removal method instead.

1. From an unaffected machine, you can download a helpful registry key that's been specifically written for fixing Windows machines that have been infected with Windows AntiVirus Adviser. Here's a link to it: http://download.bleepingcomputer.com/reg/RemVimes.reg If you don't have access to an unaffected PC, you can try downloading the file with a smartphone or tablet. Just make sure that you know how to mount your mobile device's filesystem to a Windows machine if you choose to do that. If you downloaded the file with a second PC, transfer the file to a USB stick, and make sure you know where it is.

2. Boot your Windows AntiVirus Adviser infected machine into Windows Safe Mode as explained in the first removal method. Mount your external media's filesystem, and launch the registry file you downloaded. When prompted to merge the data, confirm that you want to do so.

3. Eject or dismount your external filesystem, either the USB stick or your mobile device. Physically remove it from your Windows machine, then reboot your Windows machine normally.

4. Let the Windows AntiVirus Adviser launch. Go to its window, and click on the blue circle with the question mark inside. You should get a malicious registration pop-up that looks like this:

5. Thanks to the registry file you launched earlier, you get to do the spoofing this time! Enter this product key into that pop-up window, then hit enter: 0W000-000B0-00T00-E0021 (Why is the MSN logo in that window? That should be another clue that the program is malicious. What the heck does the Microsoft Network have to do with antivirus protection?)

6. Now, you've fooled the malware into thinking that you paid for their scam. So, it won't stop you from using legitimate antivirus software to get rid of it. Download and install Lavasoft Ad-Aware Free Antivirus+, Ad-Aware Personal Security, Ad-Aware Pro Security, or Ad-Aware Total Security. Alternatively, you can launch your previously installed antivirus application, if you still trust it. Make sure you've downloaded the latest antivirus updates, and run a scan of your C drive.

7. It'd be prudent to fix your registry before you reboot your machine. Install and run Lavasoft Registry Tuner. Then, reboot your Windows machine. Windows AntiVirus Adviser has been removed, your registry is fixed, and now you're probably running better antivirus software as well. Make sure that it's frequently updated, and you should be a lot less vulnerable to scareware than you were before.

Know what your legitimate antivirus software and Windows Security Center look like, and make sure that other users are aware as well. When you see pop-ups while surfing the web similar to what you saw when you erroneously installed Windows AntiVirus Adviser, ignore them. Close the web browser tab it came from. Run another antivirus scan. Hopefully, if you're running good antivirus software, you won't see scareware very often if at all, but always be conscientious. Knowing is half the battle, and good antivirus software is most of the other half.

Kim Crawley is a Security Researcher for the InfoSec Institute and their newly launched site, Skillset.com, a free practice exam engine focusing on the CISSP and CEH certifications. 


Windows AntiVirus Adviser Removal Guide - Lawrence Abrams, BleepingComputer.com

Windows AntiVirus Adviser - Tomas Meskauskas, PCRisk.com

