A few days ago, I was giving my machine a full scan with SuperAntiSpyware, and just as it was coming to the end of scanning the registry, prior to moving on to scanning files, the scan unexpectedly finished with the message, "Scanning is complete. No harmful software was detected!". I thought this a little strange, so started another full scan with the same result.
The file that was being scanned prior to its unexpected end was called %PROGRAMFILES%\WINDOWS ANTIVIRUS PRO. My virus checker gave my system a clean bill of health, and just scanning all files on my machine with SAS came up clean. I also checked out the symptoms of this scareware infection at bleepingcomputer.com, and none of the symptoms, registry entries or files associated with it existed on my machine. All startup locations (HKLM\Software\Microsoft\Windows\CurrentVersion\Run AND Runservices) were also clean. In fact, the only reference I could find to the infection was the registry entry mentioned above when SAS bombed out. Searching the registry for 'ANTIVIRUS PRO' also drew a blank, which demands the question where the hell is %PROGRAMFILES%\ in the registry!? From what I gather, it's a pointer to the actual Program Files directory on your Hard Disk, and no such folder called Windows Antivirus Pro existed there!
Convinced that the only problem on my machine was a rogue reference to Windows Antivirus Pro somewhere in my registry, I simply reverted to a registry backup, after which SAS performed a full system scan successfully and reported nothing unusual.
This morning, I decided to scan the registry again with SAS, and pausing the scan just before it was due to end, I noticed that registry entries to other malware items were being displayed, although SAS wasn't flagging them as infections. The two I noticed (although I only saw these because of fortuitous random pauses to the scan!!) were:-
%CSIDL_PROFILE%\Start Menu\Programs\Antivirus Trigger 2.1
and a reference to Perfect Protection 2009, I forget the actual path, but it was encapsulated by %
Once again, I checked out the files, registry entries and symptoms associated with these pieces of malware, and nothing exists on my machine other than the fleeting names displayed when SAS was scanning the registry. My virus checker also gives my machine a clean bill of health, as does SuperAntiSpyware.
So, what's going on?!! I can't find the links in the registry that SAS is displaying, and unless I pause the scan, they flash past too quickly to notice. And anyway, SAS gives me a clean bill of health! Could it be that these are actually files that SAS is scanning for, rather than actual registry entries on my machine?
I'm using SAS version 188.8.131.524, with the latest definitions. I'm also one of those dinosaur people still running Windows 98SE!
Thanks for any enlightenment anyone can shed on this matter!