Saturday, March 03, 2012

Windows 8 Consumer Preview - Windows Smart Partner (FakeAV) - 03.03.2012 - Analysis and Removal

This is the new Metro UI in Windows 8

I figured I should start experimenting with Windows 8. What better way to learn Windows 8 than infecting the OS with a Fake Antivirus and then removing it? :-D

I did disable Windows Defender before I was able to get infected; Windows Defender was actually blocking my previous attempts to get infected :-) So far I am impressed with the new Windows Defender, considering these were some of the latest droppers I could find.

Here is the main GUI of Windows Smart Partner. It is in the same family as Windows Telemetry Center and Windows Functionality Checker.
It creates hundreds (700+) of bad entries under the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. Windows consults a subkey there whenever a program of that name is launched, which is how the rogue interferes with security tools (the scan log below labels these entries Security.Hijack).

I did try to turn on Windows Defender after I had gotten infected but it simply did not open. I did not receive any error message at all.
Keep in mind that this type of infection prevents you from using Task Manager. The only Task Manager you will be able to launch is the FakeAV's own version, at least until its process is stopped.
I didn't have any tools handy but noticed I was able to launch Command Prompt even while the FakeAV was present.

From here I was able to find out which processes were running and kill the malicious one. In this case, it was Protector-bst.exe.

The taskkill command is still present in Windows 8 and works the same way as in previous versions of Windows.
With the process stopped, I have some control over the OS again. Now I can find and delete Protector-bst.exe. The last 3 letters of the file name (Protector-bst.exe) are randomized.
To show you what Explorer looks like in Windows 8, I hunted it down using Explorer.
You will be able to delete it as long as the process is stopped beforehand.
Note: result.db is also related to this infection and ones similar to it. Therefore, it should be deleted.
A new feature in Windows 8 is that when you press the Delete key now, you are no longer prompted with the "Are you sure you want to delete the selected item?" message. Pressing Delete now sends the item directly to the Recycle Bin without any warning prompt.
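Once the process is killed and the dropped file is gone, the registry changes still have to be undone. The script below is an added example (not part of the original post or of any scanner's code) that audits the three locations the scan log below shows this rogue touching; it assumes an elevated PowerShell prompt on the infected user's account and is report-only unless -Remove is passed.

```powershell
# Added example: report (and optionally remove) the registry artifacts this FakeAV leaves.
# Assumes it runs elevated, in the profile of the infected user.
param([switch]$Remove)

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$run  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$pol  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# 1. IFEO: a subkey named after an executable that carries a 'Debugger' value makes
#    Windows start that "debugger" instead of the program. On an end-user machine this
#    is uncommon, so every such subkey deserves a look; the rogue created 700+ of them.
$hijacks = @(Get-ChildItem $ifeo -ErrorAction SilentlyContinue | Where-Object {
    $null -ne (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue)
})
foreach ($k in $hijacks) {
    $dbg = (Get-ItemProperty -Path $k.PSPath -Name Debugger).Debugger
    Write-Output ("IFEO hijack: {0} -> {1}" -f $k.PSChildName, $dbg)
    if ($Remove) { Remove-Item -Path $k.PSPath -Recurse -Force }
}
Write-Output ("IFEO subkeys with a Debugger value: {0}" -f $hijacks.Count)

# 2. Run key: autostart entries launching from a user-writable profile folder
#    (the log shows Inspector -> ...\AppData\Roaming\Protector-bst.exe).
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$runProps = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
if ($runProps) {
    foreach ($p in $runProps.PSObject.Properties) {
        if ($p.Name -in $meta) { continue }   # skip PowerShell provider metadata
        if ("$($p.Value)" -match '\\AppData\\(Roaming|Local)\\') {
            Write-Output ("Suspicious Run entry: {0} -> {1}" -f $p.Name, $p.Value)
            if ($Remove) { Remove-ItemProperty -Path $run -Name $p.Name }
        }
    }
}

# 3. DisableRegedit policy: the rogue adds this value to keep regedit.exe from opening.
$dr = Get-ItemProperty -Path $pol -Name DisableRegedit -ErrorAction SilentlyContinue
if ($null -ne $dr) {
    Write-Output ("DisableRegedit policy value present (data: {0})" -f $dr.DisableRegedit)
    if ($Remove) { Remove-ItemProperty -Path $pol -Name DisableRegedit }
}
```

Review the report before rerunning with -Remove, since a Debugger value under IFEO can also be set legitimately by developer tooling.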


Registry Keys Detected: 753
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe (Security.Hijack) -> Quarantined and deleted successfully.
Hundreds more...

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 0 -> Quarantined and deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|Inspector (Trojan.FakeAlert) -> Data: C:\Users\thisisudax\AppData\Roaming\Protector-bst.exe -> Quarantined and deleted successfully.

Files Detected: 2
C:\Users\thisisudax\AppData\Local\Temp\RarSFX0\temp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Smart Partner.lnk (Rogue.WindowsSmartPartner) -> Quarantined and deleted successfully.

Full log here:


  1. Thanks for this, makes for interesting reading - I wonder what (if anything) Windows 8 will do to a) prevent FakeAV attacks and b) help people recover settings changed by the Fake AV.

  2. Thank you for your comment.
    Only time will tell what Windows 8 will be capable of versus the latest malware infections.