Aces High Bulletin Board
General Forums => The O' Club => Topic started by: Agent360 on August 13, 2009, 04:19:52 PM
-
Hi Friends,
My wife's computer is infected with "Advanced Virus Remover". I have followed directions to get rid of it and none has worked.
This is a fake program that runs a fake scan. It looks like AVG. It locks you out of regedit and Task Manager, and prevents a boot to safe mode. It replaces your desktop background image with a blue screen that says "your computer is infected....". It also disables your desktop settings.
It disables exe files and a few other types.
The offending file is named "PAVRM.exe". The desktop background image is named "critical_warning.html".
I used msconfig to disable startup and Security Task Manager to kill the process PAVRM.exe. I gained access to regedit by copying a known good file to this computer and renaming it with a "cmd" extension.
I managed to delete all the registry changes, delete the exe file and reset the background. I updated Windows as well. I thought I had it beat but when I turned the startup programs back on it came back. There is a file I am missing not listed in my removal instructions.
Windows Genuine Advantage tries to run each boot up. The only thing I enabled was a program called "winupdate". I think this is infected but I can't seem to get it deleted.
Here is a link to the removal instructions I am using.
http://www.2-spyware.com/remove-advanced-virus-remover.html
I must have a new variant because it can defeat the known manual methods of gaining access to the task manager.
Has anyone heard of this or run into it? I AM NOT going to re install the system.
There has to be a way to get rid of it.
-
dude, i just had to finally succumb to that damned thing.
thought i had it worked out but it came back with a vengeance.
tried everything.
came two nights before i had to put up a show of my work and i am lucky to have gotten it all up in time.
the thing is like an open door to other virus attacks. pure hell. just got worse and worse.
best advice that i can give you is back everything the hell up and reformat.
(which i finally did)
how life treating you bro? haven't seen you in a while.
-
Wish I could help, but what kind of anti-virus software was your wife using? I'd hate to fall victim to the same thing.
-
You could give this one a go....
http://www.bleepingcomputer.com/virus-removal/remove-advanced-virus-remover
I'm not sure if this helps, but the times I have got nasties I feel that disconnecting from the net whilst removing them helped.
-
www.eset.com, use its 30 day trial. it's a good antivirus.. not the best but not the worst.
run malware bytes as well.
-
Agent,
check BullGuard, free trial and support, they will ask you to run HijackThis.
I'm not saying it will work, but it's saved a few guys I know... better than a reformat..
worth a try!
:salute
-
Had the exact same thing last week. Had to go to best buy and spend 200 bucks to get it fixed.
-
I haven't dealt with this particular one yet but I've had better luck with spyware removers than anti-virus software in similar situations.
Try booting in Safe Mode With Networking and run a couple spyware apps, like Malwarebytes and Ad-Aware.
http://www.malwarebytes.org/mbam.php
http://www.lavasoft.com/products/ad_aware_free.php
-
Use Malware Bytes to remove it. That has been the only program that has been reliably able to remove this trojan in all of its ugly versions.
ack-ack
-
in my case, it would not allow me to boot into safe mode. it also killed my browsers unless i stopped the processes responsible. finally got IE to work, but was never able to get firefox to launch. this thing was a squeak. the final straw ended in a blue screen of death and i finally just had enough. backed up my files on another system and reformatted. thank god i am finished with the god awful thing. terrible terrible virus. ugh.
hope it's going well agent. keep the faith.
-
Thanks for the responses fellas.
My main concern now is to find a solution to manually remove it. I was hoping we had some players here who know about malware/virus removal. I really want to know more about HOW this thing works. Any tech info about this is greatly appreciated.
Further research on this reveals that this variant and the others like it are a major scam. They attempt to fake you into buying their removal tools. Even the legit malware removal tools know about this yet they provide NO comprehensive write up or tools to find it or how to remove it.
Here is the scam. Please tell EVERYONE you can about this stuff. This is the only way we can fight it.
Fake application installs. You know it's fake. So you start searching for removal tools. If you do a Google or Yahoo search on this you will get many hits on tools to remove this. They ARE ALL part of the scam. I found over 20 (no exaggerating) sites who claim to remove this application. They ask for money of course.
It turns out that they are all part of the scam. The site that originally infected you gets a cut of any money if you buy their tools.
There are many fake antivirus sites out there offering incomplete info about it. They appear to be aware of it and offer a free version but then say to remove this ONE you have to pay.
I also found many sites with fake information about it. From other reliable sources I discovered that there are even more tech forums who are in on this. They post related info about it to get indexed in the search engines.
I was nearly tricked several times by downloading the removal tools. In reality these tools only further infect your system and then allow more malware to be installed.
I read one story about an older woman who purchased online from a site with a credit card and got hit with an $8,000 charge 2 weeks later.
Fellas, this is a very serious scam. I can not trust ANY sites with info about this. There are so many that are fake...they all have very slick sites that appear legit....even with forum posts...all of it...and it is all fake.
My conspiracy theory: Most of this comes from the Chinese and North Koreans. But also now I believe the various terrorist groups are involved. Where do you think all this money they get is going...??? And if you don't fall for it you end up paying hundreds of dollars to computer techs to remove it. I have spent over 15 hours on this so far. Imagine the economic impact this has on our economy. It is pure techno terrorism. The next great terrorist attack on the USA will not be a bomb or bio attack. It will be against our internet infrastructure.
One news report on this variant said over 3 million users have been infected by this particular type.
The way it spreads is through legitimate web sites with affiliate ads. If you click the ad you get infected. There are many free games as well like old arcade games or new ones like pinko etc. When you download them they infect your computer. The virus lays dormant for some time, often months. Then it activates so you are not aware of how you got it. Often you pay small amounts like 2 or 3 dollars for these games.
My 9 y/o son was searching for cheat codes for his ps2 games. He went to "gamefaq.com" and clicked through a few links for the game he wanted. There was a simple text link in the cheat codes that said "click here for secrets". He clicked and immediately got multiple pop ups. He tried to close them but when he clicked the FAKE "CLOSE" button that executed the exe file and installed the app.
-
Hey there,
Here's a couple of FREE anti-virus bits of software I've found, love, and use rather than ones I gotta pay for. They work better IMHO. If you need me to e-mail the .zip to you, let me know, but here's the links for them.
MalwareBytes
http://www.malwarebytes.org/
And SmitFraudFix (apparently, use at your own discretion. Seen things saying how it can tweak your registry(all antiviruses can), but never had it happen to me...)
http://siri.geekstogo.com/SmitfraudFix.php
Best of luck to you, Sir, and if you need anything, lemme know.
-
Thanks for the responses fellas.
My 9 y/o son was searching for cheat codes for his ps2 games. He went to "gamefaq.com" clicked through a few links for the game he wanted. There was a simple text link in the cheat codes that said "click here for secrets". He clicked and immediately got multiple pop ups. He tried to close them but when he clicked the FAKE "CLOSE" button that executed the exe file and installed the app.
As soon as I see that happen I immediately close Firefox down instead of trying to x out of them.
I could make a lot of money threatening life and limb if i only knew where to look for these types of guys.
-
combofix.exe has thrown me a rope when all seems lost. Only use it as a last straw though, with everything backed up that's important. It is VERY powerful.
-
combofix.exe has thrown me a rope when all seems lost. Only use it as a last straw though, with everything backed up that's important. It is VERY powerful.
QFT
-
Thanks guys. I am now building an arsenal of tools. I will NEVER NEVER have this happen again.
I managed to get free AVG 8.x installed on the computer and was able to update the virus definitions. Weird because I expected this one to disable running virus software. I found out after questioning my wife under hot lights with scary tools that she had disabled it and further she had not updated windows in over a year......OMG. Not even service pack 3 was installed. I thought she was doing that....OH MAN did I give her some grief about that.
AVG found all the suspect files plus a few others. I was able to reboot to a clean system.
But AVG didn't fix a few things the virus did to the system. Here is my post on the AVG forum. It's about how to fix the access to regedit, Task Manager and the desktop settings.
Enable task manager
run regedit (start > run > regedit)
find - HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
Delete the value "disabletaskmgr"
find - HKEY_LOCAL_MACHINE\software\microsoft\currentversion\windows\policies\system
Delete the value "disabletaskmgr" (THIS KEY WAS NOT PRESENT BUT MAY BE ON OTHERS)
Fix desktop background.
find - HKEY_CURRENT_USER\software\microsoft\internetexplorer\desktop\general
delete the value - Wallpaper %systemroot%\system32\Critical_Warning.html
Also in the registry.
HKEY_CURRENT_USER\software\AVR
Delete the key "AVR" and all subkeys
Check
HKEY_CURRENT_USER\software\microsoft\internetexplorer\international
Delete key "CpMRU" (AVG may get this so if not there its been deleted already)
Goto - C:\windows\system32\
find - Critical_Warning.html and delete. (if not there search for it)
Delete
program files/advancedvirusremover
Search for
Advanced Virus Remover.lnk
Delete these
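A defender-side audit of the leftovers the post above lists, added here as an example and not code from the thread. It assumes a Windows machine with PowerShell in an elevated session; it checks the Task Manager policy values, the Critical_Warning.html wallpaper value, the AVR and CpMRU keys, the Critical_Warning.html file, the program folder, the "Advanced Virus Remover.lnk" shortcut and a running PAVRM.exe, reports them, and removes them only when run with -Fix. The HKLM path used is the standard Policies\System key, and DisableRegistryTools (the standard value behind a regedit lockout) is an addition not named in the post.

```powershell
# Added example, not from the thread: audit "Advanced Virus Remover" leftovers, print what
# is found, and remove them only when run with -Fix.
# Assumes Windows PowerShell in an elevated session (needed to write the HKLM policy key).
[CmdletBinding()]
param([switch]$Fix)

$script:findings = @()

function Add-Finding([string]$Kind, [string]$Target, [scriptblock]$Remove) {
    $script:findings += [pscustomobject]@{ Kind = $Kind; Target = $Target; Remove = $Remove }
}

# 1. Policy values that lock the user out of Task Manager and regedit.
#    DisableRegistryTools is the standard regedit-lockout value and is not in the post (assumption).
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' }
)
foreach ($c in $policyChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($item -and $item.($c.Name) -ne 0) {
        Add-Finding 'policy value' "$($c.Path)\$($c.Name)" `
            ({ Remove-ItemProperty -Path $c.Path -Name $c.Name -Force }.GetNewClosure())
    }
}

# 2. Wallpaper value pointing at the rogue's Critical_Warning.html "blue screen".
$wpKey = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\General'
$wp = (Get-ItemProperty -Path $wpKey -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
if ($wp -and $wp -like '*Critical_Warning.html') {
    Add-Finding 'wallpaper value' "$wpKey\Wallpaper = $wp" `
        ({ Remove-ItemProperty -Path $wpKey -Name Wallpaper -Force }.GetNewClosure())
}

# 3. Keys the post says to delete outright.
foreach ($k in 'HKCU:\Software\AVR', 'HKCU:\Software\Microsoft\Internet Explorer\International\CpMRU') {
    if (Test-Path -Path $k) {
        Add-Finding 'registry key' $k ({ Remove-Item -Path $k -Recurse -Force }.GetNewClosure())
    }
}

# 4. The running rogue process, its files and its shortcut.
foreach ($proc in Get-Process -Name PAVRM -ErrorAction SilentlyContinue) {
    Add-Finding 'process' "PAVRM.exe (PID $($proc.Id))" ({ Stop-Process -Id $proc.Id -Force }.GetNewClosure())
}
$filePaths = @("$env:SystemRoot\System32\Critical_Warning.html", "$env:ProgramFiles\AdvancedVirusRemover")
foreach ($p in $filePaths) {
    if (Test-Path -Path $p) {
        Add-Finding 'file' $p ({ Remove-Item -Path $p -Recurse -Force }.GetNewClosure())
    }
}
Get-ChildItem -Path $env:USERPROFILE, $env:ALLUSERSPROFILE -Recurse -Force `
    -Filter 'Advanced Virus Remover.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $_.FullName
    Add-Finding 'shortcut' $lnk ({ Remove-Item -Path $lnk -Force }.GetNewClosure())
}

# 5. Report first; act only when asked to.
if ($script:findings.Count -eq 0) {
    Write-Host 'No Advanced Virus Remover indicators found.'
    return
}
$script:findings | Format-Table -Property Kind, Target -AutoSize
if (-not $Fix) {
    Write-Host 'Re-run with -Fix to remove the items listed above.'
    return
}
foreach ($f in $script:findings) {
    try { & $f.Remove; Write-Host "removed: $($f.Target)" }
    catch { Write-Warning "could not remove $($f.Target): $_" }
}
```

Run it once without -Fix to see what is present before deleting anything; a second run after -Fix should report no indicators.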
-
There is a VERY easy way to get rid of it. Format, reinstall and be done with it.
If you have data on the hard drive that you absolutely must save, get a new hard drive for the OS and copy the stuff from the old hard drive. Or you could do a complete OS reinstall over the old one but that's not guaranteed to remove the infection.
With all the things you deleted you can't know if you still have a rootkit hiding somewhere and whatnot.
-
yeah. that was my thought.
i was worried that there would probably be something hiding in there no matter what i did, so i just reformatted and saved myself the headache.
that thing was hell.
i'd love to see the responsible party dragged out on the lawn and bashed with a blunt club.
-
i second the malwarebytes. my company uses it to remove 99.99% of all malware problems. i recommend the 24.99 lifetime license to prevent further problems too
-
people who create these things and put them out to do harm to the rest of us should be tried and if found guilty tied to a stake, blindfolded and shot repeatedly about the head and torso until dead.
-
people who create these things and put them out to do harm to the rest of us should be tried and if found guilty tied to a stake, blindfolded and shot repeatedly about the head and torso until dead.
Too quick. Wing em first.
-
Enditall2 is a must have tool. Use it to shut down everything on your pc, review what's running again and then manually choose to shut down anything it did not get the first time.
Then run Malwarebytes. Anytime I work on a relative's pc it is the first thing I put on there and Malwarebytes is the second. The third action is usually to remove the out of date and expired AVI software (whatever usually came with the pc when they bought it) and I replace it with AVAST.
But this SOP has worked at least 99/100 times.
Good luck
-
people who create these things and put them out to do harm to the rest of us should be tried and if found guilty tied to a stake, blindfolded and shot repeatedly about the head and torso until dead.
Let's make the punishment fit the crime... Death by bludgeoning with computer mice :aok
-
I clean out this stuff 6 days a week.
The tools I recommend in no particular order:
Malwarebytes
RootRepeal
Avenger (search under google using 'avenger antimalware')
SDFix
Those are all good starting tools for cleaning this stuff.
-
That "nagware" type of virus can and will destroy your system32 directory if you're not careful in the removal process...and few anti-virus programs can or will stop the auto-execute installer...shutting down your web browser immediately is the first step...use task manager if you have to...30 seconds and you're infected.
As a general rule, on Windows XP, set a minimum 8 character (alpha/numeric/special character) password on the built in administrator account. Disable the guest and help assistant accounts.
To protect your system I use a number of products:
Keyscrambler - free version works pretty well to prevent keyloggers from getting your passwords.
Malwarebytes - blocks a lot of malware and has a very thorough scanning system
Spybot Search and Destroy - does a good job immunizing your system from malware infested websites and can stop anything from installing via your web browser.
Regassasin - has the ability to remove most virus locked registry keys.
Avast anti-virus - freeware version is very powerful...pro version is even better.
CWshredder - removes coolwebsearch and others like it.
IObit system optimizer - has a very good spyware scanner/remover.
Of course nothing works unless you keep it up to date.
If you have Norton/Symantec or McAfee products get rid of them...they are very poor at stopping malware.
-
people who create these things and put them out to do harm to the rest of us should be tried and if found guilty tied to a stake, blindfolded and shot repeatedly about the head and torso until dead.
no, they should be hung up by their feet alive, have all layers of skin peeled off of them, and salt thrown on them every 5 mins or so, then poke needles in their eyes and under the fingernails. imo :devil
-
no, they should be hung up by their feet alive, have all layers of skin peeled off of them, and salt thrown on them every 5 mins or so, then poke needles in their eyes and under the fingernails. imo :devil
Fire ants... Don't forget the fire ants!
-
If you have Norton/Symantec or McAfee products get rid of them...they are very poor at stopping malware.
I often hear people say that about Norton. I have been using Norton for years, currently Norton 360 3.0 with no problems. We even browse the internet with Explorer. However, we make sure to keep everything updated. We do have a fairly hot machine with plenty of memory (as I've heard past versions of Norton can be a hawg).
I run Malwarebytes and Spybot S&D every couple of weeks with no problems found. Spybot usually picks up on a few extra cookies.
We use an ongoing online backup as well as an external hard drive that I do a backup on about every two weeks.
Norton has worked for us and its automatic options seemed to have done the trick because often I am gone for one to two weeks at a time for work.
This computer is used mainly by mother-in-law, wife and 11 year old daughter and she plays kid games online.
-
Well, yeah Norton 360 can work ok...but from experience...in the past week I have had to reload 2 systems that had the full Norton 360 on them...would you like a link to a website that I know will shut your Norton active protection off and install some nice malware on your system?
I have a test system at home with an enterprise version of Norton anti-virus that I use to "play" with various malware...just so I know how to fix it when someone brings me their computer.
Safe users have nothing to worry about when using Symantec and McAfee products...it's the risky activity people who have to watch out.
-
I got hit with this last fall. I reformatted. Then, the very next thing I did was disable Active X and require Explorer to prompt me before I run any Active X controls. From what I understand, this thing hits your computer as an Active X control. Regardless, since I've changed my Active X settings, I have had zero issues--zero. And, I don't run anti-virus at all, merely CCleaner every two weeks.
-
is there any chance that doing a system restore might help?
also, isn't there something you're supposed to turn off when you're deleting these files? i think it might be system restore, as supposedly some files can hide in there?
almost forgot......Malwarebytes as some others have suggested, and SuperAntiSpyware.
finally.......did ya talk to tildeath?
-
also, isn't there something you're supposed to turn off when you're deleting these files? i think it might be system restore, as supposedly some files can hide in there?
Yes, you should disable your system restore "auto-save" times as some can auto-revert to a time where the computer was infected.
Still say SmitFraudFix is by far the best program.
-
On my pc, I use super anti-spyware. It finds everything that Norton and AVG miss. I've had some really nasty viruses and it's cleared them all.
-
people who create these things and put them out to do harm to the rest of us should be tried and if found guilty tied to a stake, blindfolded and shot repeatedly about the head and torso until dead.
They're in Russia, it's never gonna happen.
ack-ack
-
What is the most important lesson one can take from this thread? Only visit reputable porn sites! :aok
ack-ack
-
Well, yeah Norton 360 can work ok...but from experience...in the past week I have had to reload 2 systems that had the full Norton 360 on them...would you like a link to a website that I know will shut your Norton active protection off and install some nice malware on your system?
I have a test system at home with an enterprise version of Norton anti-virus that I use to "play" with various malware...just so I know how to fix it when someone brings me their computer.
Safe users have nothing to worry about when using Symantec and McAfee products...it's the risky activity people who have to watch out.
I'd like to give it a whirl. Please send evil website(s) to imagineu812@yahoo.com
Yeah that is a correct address.
(http://uneasysilence.com/media/2007/02/rabbits.gif)
-
God, this one is a doozy. My sister's got hit. Found out it was dual-booting a stripped-down linux kernel, likely doing all manner of nefarious deeds. Just reformatted.
I always say; the best antivirus is a backup server. With the way malware is today, it's almost futile to use an on-board scanner. Better to use a thumb drive scanner once a month, and make regular backups.
-
I am still working on cleaning the system.
Wife was at a site about "soap" tv shows. She has gone there lots. It's a reputable site. But during her browser session the browser suddenly terminated. She then had an IE process on the task bar called "virus remover" and a pop up warning. I think AVG or spy protector shut the browser down before infection occurred. Later she got a detected threat from AVG. But there is no log of the event in AVG so I am not sure.
Now she is getting random browser shut downs.
I still can not boot to safe mode.
I think there may be a rootkit problem and I am pretty sure the system32 folder is hosed.
I am just not going to do a reformat. I am going to find every damn speck of this crap if it takes me another 6 months.
After i fix the safe boot problem and scan the rootkits and take a few other actions I will do a Windows repair/reinstall.
-
sounds like you got it light.
when it happened to me, i couldn't open my browser unless i terminated the process and opened up i.e. quickly enough.
couldn't safe mode either.
finally came to a blue screen of death.
dude, you are never gonna know if everything this thing brings is off of there.
maybe back up your stuff, buy a new drive and then use that one as a hobby.
i cannot stress how much i would like to see the creator of this crap buried up to their necks and kicked until dead.
bunch of good for nothing arsewipes.
grrrrrr...
-
This guy can help you.
http://forums.techguy.org/54-malware-removal-hijackthis-logs/
-
If you don't format and try to troubleshoot for 6 months you not only waste your time for nothing, you let your computer spread the spam / malware to others.
So unless you get a new HD to boot up clean, disconnect your computer from the internet until you fix it.
-
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
TRY COMBOFIX!!!!!!!!
Introduction
ComboFix is a program, created by sUBs, that scans your computer for known malware, and when found, attempts to clean these infections automatically. In addition to being able to remove a large amount of the most common and current malware, ComboFix also displays a report that can be used by trained helpers to remove malware that is not automatically removed by the program.
You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.
Please note that this guide is the only authorized guide for the use of ComboFix and cannot be copied without permission from BleepingComputer.com and sUBs. It is also understood that the use of ComboFix is done at your own risk.
For those who wish to help finance the author's work, he is accepting contributions via Paypal. You can contribute by clicking on the following image:
-
Another tool I forgot to mention. A universal boot CD. Boots to GUI windows off of the CD.
http://www.ubcd4win.com/
-
Agent360,
My previous computer got pwned by a similar problem that you encountered. It was a program called "Spyware Protect 2009". At first, I had thought that this "antivirus" program would fix the viruses in my computer. But to my pleasant surprise, it was a vicious trojan virus that managed to open up all my ports and send in a horde of other viruses and spyware in my computer.
I tried to save the old computer and did a reformat to the hard drive. Somehow the reformat failed to work and my drivers wouldn't install correctly. The virus must have gotten into the BIOS and boot/startup settings and scrambled everything up. Fortunately, I built my own system and I know now not to trust anything from the internet.
My only suggestion is to reformat your hard drive and start all over again, assuming that you can't get rid of this program.
-
I ALMOST JUST GOT IT.
on my information site...and got the window right in front.....i hit the reset button, and yanked the cable out........running spybot now.......
-
NOTHING WORKS ON THAT ONE........
YOU MUST REFORMAT.
Not only that but you need to do the low-level, write all zeros, type of format.