This Blog is a supplement to my website. Please also visit: www.DavidCocke.com

Sunday, April 10, 2011

Rogue antivirus still showing after removal

While reviewing an inventory scan in Spiceworks I noticed a computer that reported two antivirus packages installed. One was legitimate (Symantec Endpoint Protection) and the other was called "Personal Internet Security". A quick Google search showed this is malware: a fake antivirus package (rogue antivirus, or scareware).

I found that at some point this machine had been infected with it. Like a legitimate product, the rogue had registered itself with Windows Security Center, which is how scareware gets the "protected" status to look real and keeps the "no antivirus found" warning quiet. That registration outlived the infection: the package itself was gone, but its entry was still there, so Security Center (and Spiceworks, which reads the same data through WMI) kept listing it as an installed antivirus package. Funny thing too, it still claimed to be current on its virus definitions.

To correct this I issued the following commands from an elevated CMD prompt on that PC (stopping the service needs administrator rights):

net stop winmgmt
cd /d %windir%\system32\wbem
ren repository repository.old
net start winmgmt

The same four commands are also the standard fix for the opposite symptom, a real antivirus product that Windows Security Center cannot see at all, because what they do is rebuild the WMI repository (%windir%\system32\wbem\repository) in which Security Center keeps its product registrations. A few caveats: the rebuild discards every registration, good and bad alike, so the legitimate product has to register itself again (Symantec did so when its service came back, which is why it still appeared afterwards), and any other data that third-party WMI providers had stored in the repository is lost with it. On Vista and later, winmgmt /salvagerepository and winmgmt /resetrepository are the supported equivalents of the rename. On Windows 7, net stop winmgmt also asks whether to stop dependent services such as Security Center itself; net stop winmgmt /y answers that prompt for you. Finally, clearing the registration removes only the stale entry, not the rogue package: check for its files, services and autostart entries separately before trusting the machine.

After issuing the above commands, I forced Spiceworks to rescan and it correctly identified that just Symantec Endpoint was installed.
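As an added check that is not part of the original post, the following PowerShell lists exactly what Windows Security Center has registered (the same WMI data Spiceworks reads), flags entries whose product executable no longer exists, and offers a more surgical alternative to renaming the whole repository: deleting just the stale instance. It assumes PowerShell 2.0 or later and an elevated session; the namespace names are real, but the idea that Remove-WmiObject can delete a stale AntiVirusProduct instance is an assumption that may not hold on every version, in which case the repository reset above remains the fallback. The function names and the "Personal Internet Security" usage line are mine.

```powershell
# Added example, not from the original post: inspect (and optionally remove) the
# antivirus registrations Windows Security Center keeps in WMI.
# Assumes PowerShell 2.0+ and an elevated (Administrator) session.
#   root\SecurityCenter   - Windows XP
#   root\SecurityCenter2  - Windows Vista and later

function Get-RegisteredAntivirus {
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        # Only one of the two namespaces exists on a given OS, so ignore the other
        $products = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue
        foreach ($p in $products) {
            # Vista+ records the signed product executable; XP does not, so this is $null there
            $exe = $p.pathToSignedProductExe
            $exeMissing = $false
            if ($exe -and $exe -match '^[A-Za-z]:\\') {
                # A registration whose executable is gone is the symptom from the post
                $exeMissing = -not (Test-Path -LiteralPath $exe)
            }
            New-Object PSObject -Property @{
                Namespace    = $ns
                DisplayName  = $p.displayName
                InstanceGuid = $p.instanceGuid
                ExePath      = $exe
                ExeMissing   = $exeMissing
            }
        }
    }
}

# Assumption: the instance is repository-backed and Remove-WmiObject is permitted
# from an elevated session. Dry-run (-WhatIf) unless -Force is given.
function Remove-StaleAntivirusRegistration {
    param(
        [Parameter(Mandatory=$true)][string]$DisplayName,
        [switch]$Force
    )
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue |
            Where-Object { $_.displayName -eq $DisplayName } |
            ForEach-Object {
                if ($Force) { Remove-WmiObject -InputObject $_ }
                else        { Remove-WmiObject -InputObject $_ -WhatIf }
            }
    }
}

# Before and after the fix: list what Security Center believes is installed
Get-RegisteredAntivirus | Format-Table Namespace, DisplayName, ExeMissing, ExePath -AutoSize

# Hypothetical usage for the entry from the post:
# Remove-StaleAntivirusRegistration -DisplayName 'Personal Internet Security'         # dry run
# Remove-StaleAntivirusRegistration -DisplayName 'Personal Internet Security' -Force  # delete
```

Run the listing once before touching anything so you have a record of what was registered, and again afterwards to confirm only the legitimate product remains. An ExeMissing entry is a strong hint the registration is stale, but an entry whose executable still exists means the package is still on disk and needs real removal, not just a repository reset.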

2 comments:

  1. I see that you have mentioned Spiceworks; how is that working for you? I have not spent much time with it. I am using LPI and LapTech.

  2. Sorry for the long overdue response.

    We use a variety of tools. Our main tool for network monitoring is PRTG (www.paessler.com). We absolutely love this product.

    As for SpiceWorks, when they came out with a version where you could have remote probes phoning the scan results back to a central database, that is when we embraced it. It is awesome as a tool for tracking hardware and software inventory and producing reports about that inventory.

    It stinks when it comes to relying on it for real-time network monitoring. Since it is agentless, it might be hours before you would know about a problem. It also has a help desk ticketing component but we don’t use that either. The price of free makes it hard to resist too.
