Antivirus Pro scamware

Just knocked this one out myself (anti-virus SW didn’t find it), but I didn’t find much helpful info out there on the variant that affected my laptop. It likely became installed somehow from accessing a web site. Slightly embarrassed to note that I had 49 pending (high-priority) Windows updates to apply when this happened… As described elsewhere, this malware repeatedly generates false alerts stating that your files are infected with a virus. Attempts to run Task Manager or any other programs are thwarted while it is running (a new window opens, then closes immediately, followed by yet another alert).

In my case, logging out of the Windows session and logging back in provided a brief interval in which I could launch other applications before the offending process (rkbisysguard.exe) kicked off. Terminating the process stops the flow of alerts.

I run a limited-access user configuration, and logging in as another user (administrative) did not trigger the app. I eventually determined that the application had installed itself as

(user dir)\local settings\application data\(random name?)\rkbisysguard.exe

and was launched using this registry setting:

HKEY_LOCAL_USER\software\microsoft\windows\run

I simply deleted this registry setting and the corresponding executable.
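The manual check described above (find the autorun entry, confirm the executable it points at lives in the user profile, then remove both) can be scripted. The following is an added PowerShell example, not code from the original post: it enumerates the standard per-user and machine-wide Run/RunOnce keys (assumed here to be `HKCU:\...\CurrentVersion\Run` and the HKLM equivalent), flags any entry whose command points into `%LOCALAPPDATA%`, `%APPDATA%` or `%TEMP%`, and cross-checks running processes against the same directories. The `Test-SuspectPath` helper and the list of suspect roots are this example's own assumptions.

```powershell
# Added example (not from the original post): audit Run/RunOnce keys for
# autorun entries that launch from writable per-user directories, which is
# where the post's rkbisysguard.exe lived. Assumes Windows PowerShell 5.1+.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Per-user, user-writable roots; legitimate autoruns rarely live here.
$suspectRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Test-SuspectPath {
    param([string]$Command)
    # Reduce '"C:\dir\foo.exe" /arg' or 'C:\dir\foo.exe /arg' to the executable path.
    $exe = ($Command -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    foreach ($root in $suspectRoots) {
        if ($exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        if ($p.Name -like 'PS*') { continue }
        [pscustomobject]@{
            Key     = $key
            Name    = $p.Name
            Command = [string]$p.Value
            Suspect = Test-SuspectPath ([string]$p.Value)
        }
    }
}

"Autorun entries (Suspect = launches from a per-user writable directory):"
$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize

# Cross-check: anything currently running out of the same directories.
"Running processes whose image lives under a suspect root:"
Get-Process | Where-Object { $_.Path -and (Test-SuspectPath $_.Path) } |
    Select-Object Id, ProcessName, Path | Format-Table -AutoSize
```

Run it from the affected user's session (the HKCU keys are per user, which matches the post's observation that the administrative account was unaffected). A flagged entry is a lead, not a verdict: inspect the file first, then `Stop-Process -Id <pid>` on the running copy and `Remove-ItemProperty -Path <key> -Name <value name>` to drop the autorun, followed by deleting the executable, which is the same sequence the post performed by hand.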
