I was originally introduced to this by co-worker who wanted me to look at someone’s netbook and wrote about it here. The malware-scareware program had already been removed from the system, but the damaged it done had been left behind. Cleaning it up manually, though, would not be too difficult. As pointed out, its counters the user attempt to stop it by taking advantage of a built in process that Windows uses for debugging applications by pointing the Task Manager and Regedit to its own fake anti-virus process. Further, it also counters anti-malware utilities and virus security suites by creating reg keys and using the same Debugger string to point to svchost.exe, which is not able to run other executables. The key to getting access to the registry and the task manager directly was to use AutoRuns.

As it happened, a couple days ago the wife starts complaining that she keeps getting persistent firewall popups. I told her to click allow and let me sleep. Then she mentioned another popup that she says is scanning the system and finding virus. This sounds like classic scareware and when I take a look I see this: