Author Topic: Fake anti-virus malware - need help  (Read 1408 times)

Offline klingan

  • Gold Member
  • *****
  • Posts: 2387
Re: Fake anti-virus malware - need help
« Reply #15 on: August 14, 2009, 02:38:32 AM »
combofix.exe has thrown me a rope when all seems lost.  Only use it as a last straw though, with everything backed up that's important.  It is VERY powerful.

QFT


The Few GFC

Offline Agent360

  • Nickel Member
  • ***
  • Posts: 780
      • http://troywardphotography.com
Re: Fake anti-virus malware - need help
« Reply #16 on: August 14, 2009, 04:49:20 AM »
Thanks guys. I am now building an arsenal of tools. I will NEVER NEVER have this happen again.

I managed to get free AVG 8.x installed on the computer and was able to update the virus definitions. Weird because I expected this one to disable running virus software. I found out after questioning my wife under hot lights with scary tools that she had disabled it and further she had not updated windows in over a year......OMG. Not even service pack 3 was installed. I thought she was doing that....OH MAN did I give her some grief about that.

AVG found all the suspect files plus a few others. I was able to reboot to a clean system.

But AVG didn't fix a few things the virus did to the system. Here is my post on the AVG forum. It's about how to fix the access to regedit, taskmanager and the desktop settings.

Enable task manager
run regedit (start > run > regedit)
find - HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
Delete the value "disabletaskmgr"

find - HKEY_LOCAL_MACHINE\software\microsoft\currentversion\windows\policies\system
Delete the value "disabletaskmgr" (THIS KEY WAS NOT PRESENT BUT MAY BE ON OTHERS)

Fix desktop background.
find - HKEY_CURRENT_USER\software\microsoft\internetexplorer\desktop\general
delete the value - Wallpaper %systemroot%\system32\Critical_Warning.html

Also in the registry.
HKEY_CURRENT_USER\software\AVR
Delete the key "AVR" and all subkeys

Check
HKEY_CURRENT_USER\software\microsoft\internetexplorer\international
Delete key "CpMRU" (AVG may get this so if not there it's been deleted already)

Go to - C:\windows\system32\
find - Critical_Warning.html and delete. (if not there search for it)

Delete
program files/advancedvirusremover

Search for
Advanced Virus Remover.lnk
Delete these
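
A read-only check for the leftovers listed in the post above, written as an added example and not part of the original post or of any tool named in this thread. It uses the standard Windows key names (`Windows\CurrentVersion`, `Internet Explorer`), which are spelled differently in the post, and also checks `DisableRegistryTools`, which the post does not list; the file, folder and shortcut names are taken from the post.

```powershell
# Read-only audit for the leftovers listed in the post. It changes nothing.
$policy = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$valueChecks = @(
    @{ Path = "HKCU:\$policy"; Name = 'DisableTaskMgr' },
    @{ Path = "HKLM:\$policy"; Name = 'DisableTaskMgr' },
    # Not in the post's steps: the standard policy value that blocks regedit.
    @{ Path = "HKCU:\$policy"; Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\General'; Name = 'Wallpaper' }
)

$findings = @()
foreach ($c in $valueChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }   # key or value absent: nothing to report
    $value = $item.($c.Name)
    # A wallpaper value is normal; only the fake warning page is a finding.
    if ($c.Name -eq 'Wallpaper' -and $value -notlike '*Critical_Warning.html') { continue }
    # Policy values only take effect when they are non-zero.
    if ($c.Name -like 'Disable*' -and $value -eq 0) { continue }
    $findings += [pscustomobject]@{ Kind = 'RegistryValue'; Where = "$($c.Path)\$($c.Name)"; Detail = $value }
}

# Registry key, file and folder named in the post.
$pathChecks = @(
    'HKCU:\Software\AVR',
    (Join-Path $env:SystemRoot 'System32\Critical_Warning.html'),
    (Join-Path $env:ProgramFiles 'AdvancedVirusRemover')
)
foreach ($p in $pathChecks) {
    if (Test-Path -LiteralPath $p) {
        $findings += [pscustomobject]@{ Kind = 'Path'; Where = $p; Detail = 'present' }
    }
}

# Shortcuts named in the post, searched under the user and all-users profiles.
$roots = @($env:USERPROFILE, $env:ALLUSERSPROFILE) | Where-Object { $_ }
$links = @(Get-ChildItem -Path $roots -Filter 'Advanced Virus Remover.lnk' -Recurse -Force -ErrorAction SilentlyContinue)
foreach ($l in $links) {
    $findings += [pscustomobject]@{ Kind = 'Shortcut'; Where = $l.FullName; Detail = 'present' }
}

if ($findings.Count -eq 0) { 'No leftovers from the list were found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it in the affected user's session, since the HKCU checks are per user.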

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Re: Fake anti-virus malware - need help
« Reply #17 on: August 14, 2009, 05:15:05 AM »
There is a VERY easy way to get rid of it. Format, reinstall and be done with it.

If you have data on the harddrive that you absolutely must save, get a new harddrive for the OS and copy the stuff from the old harddrive. Or you could do a complete OS reinstall over the old one but that's not guaranteed to remove the infection.

With all the things you deleted you can't know if you still have a rootkit hiding somewhere and whatnot.
« Last Edit: August 14, 2009, 05:16:37 AM by MrRiplEy[H] »
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline JB88

  • Plutonium Member
  • *******
  • Posts: 10980
Re: Fake anti-virus malware - need help
« Reply #18 on: August 14, 2009, 09:49:37 AM »
yeah.  that was my thought.

i was worried that there would probably be something hiding in there no matter what i did, so i just reformatted and saved myself the headache.

that thing was hell.

i'd love to see the responsible party dragged out on the lawn and bashed with a blunt club.
this thread is doomed.
www.augustbach.com  

To strive, to seek, to find, and not to yield. -Ulysses.

word.

Offline TheZohan

  • Persona Non Grata
  • Nickel Member
  • ***
  • Posts: 587
Re: Fake anti-virus malware - need help
« Reply #19 on: August 14, 2009, 09:56:38 AM »
i second the malwarebytes. my company uses it to remove 99.99% of all malware problems. i recommend the 24.99 lifetime license to prevent further problems too

Offline Yeager

  • Plutonium Member
  • *******
  • Posts: 10167
Re: Fake anti-virus malware - need help
« Reply #20 on: August 14, 2009, 10:49:49 AM »
people who create these things and put them out to do harm to the rest of us should be tried and if found guilty tied to a stake, blindfolded and shot repeatedly about the head and torso until dead.
"If someone flips you the bird and you don't know it, does it still count?" - SLIMpkns

Offline Masherbrum

  • Radioactive Member
  • *******
  • Posts: 22408
Re: Fake anti-virus malware - need help
« Reply #21 on: August 14, 2009, 11:02:43 AM »
people who create these things and put them out to do harm to the rest of us should be tried and if found guilty tied to a stake, blindfolded and shot repeatedly about the head and torso until dead.

Too quick.   Wing em first.
-=Most Wanted=-

FSO Squad 412th FNVG
http://worldfamousfridaynighters.com/
Co-Founder of DFC

Offline Westy

  • Gold Member
  • *****
  • Posts: 2871
Re: Fake anti-virus malware - need help
« Reply #22 on: August 14, 2009, 11:25:25 AM »
 Enditall2 is a must have tool. Use it to shut down everything on
your pc, review what's running again and then manually choose to
shut down anything it did not get the first time.
Then run Malwarebytes.  Anytime I work on a relative's pc it is the
first thing I put on there and Malwarebytes is the second. The third
action is usually to remove the out of date and expired AVI software
(whatever usually came with the pc when they bought it) and I
replace it with AVAST.

But this SOP has worked at least 99/100 times.

Good luck


Offline Vudak

  • Platinum Member
  • ******
  • Posts: 4819
Re: Fake anti-virus malware - need help
« Reply #23 on: August 14, 2009, 12:13:06 PM »
people who create these things and put them out to do harm to the rest of us should be tried and if found guilty tied to a stake, blindfolded and shot repeatedly about the head and torso until dead.

Let's make the punishment fit the crime...  Death by bludgeoning with computer mice :aok
Vudak
352nd Fighter Group

Offline bcadoo

  • Nickel Member
  • ***
  • Posts: 685
Re: Fake anti-virus malware - need help
« Reply #24 on: August 14, 2009, 01:11:24 PM »
I clean out this stuff 6 days a week.

The tools I recommend in no particular order:

Malwarebytes
RootRepeal
Avenger (search under google using 'avenger antimalware')
SDFix

Those are all good starting tools for cleaning this stuff.
The fight is the fun........Don't run from the fun!
"Nothin' cuts the taste of clam juice like a big hunk o' chocolate" - Rosie O'Donnell

Offline gyrene81

  • Plutonium Member
  • *******
  • Posts: 11629
Re: Fake anti-virus malware - need help
« Reply #25 on: August 14, 2009, 01:35:53 PM »
That "nagware" type of virus can and will destroy your system32 directory if you're not careful in the removal process...and few anti-virus programs can or will stop the auto-execute installer...shutting down your web browser immediately is the first step...use task manager if you have to...30 seconds and you're infected.

As a general rule, on Windows XP, set a minimum 8 character (alpha/numeric/special character) password on the built in administrator account. Disable the guest and help assistant accounts.


To protect your system I use a number of products:
Keyscrambler - free version works pretty well to prevent keyloggers from getting your passwords.
Malwarebytes - blocks a lot of malware and has a very thorough scanning system
Spybot Search and Destroy - does a good job immunizing your system from malware infested websites and can stop anything from installing via your web browser.
Regassasin - has the ability to remove most virus locked registry keys.
Avast anti-virus - freeware version is very powerful...pro version is even better.
CWshredder - removes coolwebsearch and others like it.
IObit system optimizer - has a very good spyware scanner/remover.

Of course nothing works unless you keep it up to date.



If you have Norton/Symantec or McAfee products get rid of them...they are very poor at stopping malware.


jarhed  
Build a man a fire and he'll be warm for a day...
Set a man on fire and he'll be warm for the rest of his life. - Terry Pratchett

Offline danny37

  • Copper Member
  • **
  • Posts: 329
Re: Fake anti-virus malware - need help
« Reply #26 on: August 14, 2009, 01:44:29 PM »
people who create these things and put them out to do harm to the rest of us should be tried and if found guilty tied to a stake, blindfolded and shot repeatedly about the head and torso until dead.
no, they should be hung up by their feet alive, have all layers of skin peeled off of them, and salt thrown on them every 5mins or so, then poke needles in their eyes and under the fingernails. imo :devil

Offline PFactorDave

  • Platinum Member
  • ******
  • Posts: 4334
Re: Fake anti-virus malware - need help
« Reply #27 on: August 14, 2009, 02:02:41 PM »
no, they should be hung up by their feet alive, have all layers of skin peeled off of them, and salt thrown on them every 5mins or so, then poke needles in their eyes and under the fingernails. imo :devil

Fire ants...  Don't forget the fire ants!

1st Lieutenant
FSO Liaison Officer
Rolling Thunder

Offline rogwar

  • Silver Member
  • ****
  • Posts: 1913
Re: Fake anti-virus malware - need help
« Reply #28 on: August 14, 2009, 02:32:24 PM »


If you have Norton/Symantec or McAfee products get rid of them...they are very poor at stopping malware.





I often hear people say that about Norton. Have been using Norton for years, currently Norton 360 3.0 with no problems. We even browse the internet with Explorer. However, we make sure to keep everything updated. We do have a fairly hot machine with plenty of memory (as I've heard past versions of Norton can be a hawg).

I run malwarebytes and spybot s&d every couple of weeks with no problems found. Spybot usually picks up on a few extra cookies.

We use an ongoing online backup as well as an external hard drive that I do a backup on about every two weeks.

Norton has worked for us and its automatic options seemed to have done the trick because often I am gone for one to two weeks at a time for work.

This computer is used mainly by mother-in-law, wife and 11 year old daughter and she plays kid games online.

Offline gyrene81

  • Plutonium Member
  • *******
  • Posts: 11629
Re: Fake anti-virus malware - need help
« Reply #29 on: August 14, 2009, 03:38:05 PM »
Well, yeah Norton 360 can work ok...but from experience...in the past week I have had to reload 2 systems that had the full Norton 360 on them...would you like a link to a website that I know will shut your Norton active protection off and install some nice malware on your system?
I have a test system at home with an enterprise version of Norton anti-virus that I use to "play" with various malware...just so I know how to fix it when someone brings me their computer.


Safe users have nothing to worry about when using Symantec and McAfee products...it's the risky activity people who have to watch out.
jarhed  
Build a man a fire and he'll be warm for a day...
Set a man on fire and he'll be warm for the rest of his life. - Terry Pratchett