Vista Antimalware 2011 Fix
Posted on December 1, 2010
I happened to come across a machine that had the dreaded Vista Antimalware 2011 infection.
Of course the first thing I did was Google it, and I found some good tips on removing Vista Antimalware 2010. I prefer to do this type of thing manually: if you can edit the registry yourself, you can be sure you are not picking up more malware, spyware or viruses from one of those "free" fixes. I have found that free software is rarely free. If you cannot figure out where they make their money, be very cautious!
The first thing to do is back up your registry. Never attempt any registry edits without having a backup. I opened regedit (the Windows registry editor), made a backup and searched for the first entry I needed to remove. It was not there; neither was the second, nor the third. That led me to believe Vista Antimalware 2011 had changed since the 2010 version, so none of the 2010 fixes would work.
The next step I took was to open Task Manager and watch for the executable to start running. I found it as vz.exe. I killed it and started looking for it on the C: drive, and was surprised that I could not find it. After a few minutes of looking I decided to boot the machine into a Fedora 13 Live CD. It took only a minute or two to find vz.exe: it was at C:\Users\owner\vz.exe. The strange part is that I had used Explorer to look in that directory and could not see it. While in Linux I renamed the file to vz.DELETE.exe so I would know which file to delete once I was sure removing it would not break Windows.
Next I rebooted the computer into Windows. Once the system came up there was no Vista Antimalware pop-up on the screen, but every executable I tried to run failed. It appeared that renaming the file changed the way Windows handled .dll files, which just about every program needs to run. That left the machine almost dead. I thought I would try one more thing before formatting the drive: System Restore. I do not put much faith in System Restore, since a virus can corrupt the restore files. It took a few minutes but it finally came up. I noticed there was a restore point from about the time the machine was infected, so I chose the restore point just before it.
Windows rattled around for a few minutes, then rebooted, and much to my surprise it was fixed. Since System Restore does not delete user files, the executable was still in the user directory. I went to remove it but could not see it. I knew it was there, but even with the Show Hidden Files option on, the file was not listed. This was puzzling, so I opened a command prompt and ran DIR /ASH to list files with both the System and Hidden attributes set, found it and deleted it. So the file is stored with the System and Hidden attributes. Explorer hides such files by default even when hidden files are shown; it only lists them if "Hide protected operating system files" is also unchecked, whereas a command prompt or a Linux live CD shows them regardless.
Next I made sure the antivirus program was up to date and ran a full scan. It came up clean.
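The manual steps above (back up the registry first, confirm a usable restore point, then list and remove the dropped file that Explorer hides), collected into one script as an added example; this is not code from the original post. The profile path C:\Users\owner and the filename vz.exe are taken from the write-up; the backup folder, the registry keys exported and the $DoDelete switch are my own choices for illustration, not locations the post says the malware touched.

```powershell
# Added example, not code from the original post.
# Assumptions: C:\Users\owner and vz.exe come from the write-up; the backup
# folder, the registry keys below and the $DoDelete switch are illustrative
# choices. Run from an elevated PowerShell (2.0 or later) after the restore.

$ProfileRoot = 'C:\Users\owner'
$Suspect     = 'vz.exe'
$BackupDir   = Join-Path $env:USERPROFILE 'Desktop\regbackup'   # assumed location
$DoDelete    = $false        # flip to $true only after reviewing the listing

# --- 1. Back up registry keys before editing anything ---------------------
# reg.exe export writes a .reg file; double-clicking it re-imports the key.
# Autostart and .exe-association keys are the usual places a manual clean-up
# edits, so keep copies of them first. Keys that do not exist are reported.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$Keys = @{
    'HKCU_Run'     = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM_Run'     = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU_exefile' = 'HKCU\Software\Classes\exefile\shell\open\command'
    'HKCR_exefile' = 'HKCR\exefile\shell\open\command'
}
foreach ($name in $Keys.Keys) {
    $out = Join-Path $BackupDir "$name.reg"
    & reg.exe export $Keys[$name] $out /y | Out-Null
    if ($LASTEXITCODE -eq 0) { Write-Host "backed up $($Keys[$name]) -> $out" }
    else { Write-Host "key not present or export failed: $($Keys[$name])" }
}

# --- 2. Check which restore points exist ----------------------------------
# System Restore rolls back system files and the registry only; files in the
# user profile (such as the dropped executable) survive it, hence step 3.
Get-ComputerRestorePoint |
    Sort-Object SequenceNumber |
    Select-Object SequenceNumber, Description,
        @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# --- 3. List files carrying both the Hidden and System attributes ---------
# Explorer hides these even with "Show hidden files" on, unless "Hide
# protected operating system files" is also unchecked.
# cmd.exe equivalent used in the post:  DIR /ASH
# Note: desktop.ini and NTUSER.DAT* are expected to show up here; look for
# anything else, especially an .exe, in the profile root.
$hs = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$hidden = Get-ChildItem -Path $ProfileRoot -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and (($_.Attributes -band $hs) -eq $hs) }
$hidden | Select-Object FullName, Attributes, Length, LastWriteTime | Format-Table -AutoSize

# --- 4. Remove the identified dropper -------------------------------------
$target = Join-Path $ProfileRoot $Suspect
if (Test-Path -LiteralPath $target) {
    $f = Get-Item -LiteralPath $target -Force
    Write-Host ("found {0} ({1} bytes, attributes: {2})" -f $f.FullName, $f.Length, $f.Attributes)
    if ($DoDelete) {
        # Clear the attributes first so the delete is not refused, then remove.
        $f.Attributes = [IO.FileAttributes]::Normal
        Remove-Item -LiteralPath $target -Force
        Write-Host "deleted $target"
    } else {
        Write-Host "dry run: set `$DoDelete = `$true to remove it"
    }
} else {
    Write-Host "$target not present"
}
```

The script is deliberately a dry run until $DoDelete is set, so the listing in step 3 can be compared against a known-clean profile before anything is deleted; step 1 runs first for the same reason the post gives, so a bad registry edit can be undone by re-importing the .reg files.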
Based on what I found, the System Restore points were not affected by the malware, which means Vista AntiMalware 2011 is not impossible to fix. All you have to do is disable it so you can restore the computer to an earlier point.