Fake anti-virus malware - need help

[Agent360]

Hi Friends,

My wife's computer is infected with "Advanced Virus Remover". I have followed directions to get rid of it and none has worked.

This is a fake program that runs a fake scan. It looks like AVG. It locks you out of regedit, taskmanager, and prevents a boot to safe mode. It replaces your desktop background image with a blue screen that sais "your computer is infected....". It also disables your desktop settings.

It disables exe files and a few other types.

The offending file is named "PAVRM.exe". The desktop background image is named "critical_warning.html".
I used mscofig to disable startup and security task manager to kill the process PAVRM.exe. I gained access to regdit by copying know good file to this computer and renaming it with a "cmd" extension.

I managed to delete all the registry changes, delete the exe file and reset the back ground. I updated windows as well. I thought I had it beat but when I turned back on the start up programs it came back. There is a file I am missing not listed in my removal instructions

Windows genuine advantage tries to run each boot up. The only think I enabled was a program called "winupdate". I think this is infected but I cant seem to get it deleted.

Here is a link to the removal instructions I am using.
http://www.2-spyware.com/remove-advanced-virus-remover.html

I must have a new variant because it can defeat the known manual methods of gaining access to the task manager.

Has anyone heard of this or run into it? I AM NOT going to re install the system.

There has to be a way to get rid of it.

[crazyivan]

.

[JB88]

dude, i just had to finally succumb to that damned thing. 

thought i had it worked out but it came back with a vengence.

tried everything. 

came two nights before i had to put up a show of my work and i am lucky to have gotten it all up in time. 

the thing is like an open door to other virus attacks.  pure hell.  just got worse and worse.

best advice that i can give you is back everything the hell up and reformat.

(which i finally did)

how life treating you bro?  haven't seen you in a while.

[Anaxogoras]

Wish I could help, but what kind of anti-virus software was your wife using?  I'd hate to fall victim to the same thing.

[SPKmes]

You could give this one ago....


http://www.bleepingcomputer.com/virus-removal/remove-advanced-virus-remover

I'm not sure if this helps, but the times I have got nasties I feel that disconnecting from the net whilst removing them helped.

[Tac]

www.eset.com use its 30 day trial . its a good antivirus.. not the best but not the worst.

run malware bytes as well.

[morfiend]

Agent,

 check bullgard,free trial and support,they will ask you to run hijack this.

 I'm not saying it will work,but it's saved afew guys I know... better than a reformat..

 worth a try!

   

[1pLUs44]

Had the exact same thing last week. Had to go to best buy and spend 200 bucks to get it fixed.

[ChickenHawk]

I haven't dealt with this particular one yet but I've had better luck with spyware removers than anti-virus software in similar situations.

Try booting in Safe Mode With Networking and run a couple spyware apps, like Malwarebytes and Ad-Aware.

http://www.malwarebytes.org/mbam.php
http://www.lavasoft.com/products/ad_aware_free.php

[Ack-Ack]

Hi Friends,

My wife's computer is infected with "Advanced Virus Remover". I have followed directions to get rid of it and none has worked.

This is a fake program that runs a fake scan. It looks like AVG. It locks you out of regedit, taskmanager, and prevents a boot to safe mode. It replaces your desktop background image with a blue screen that sais "your computer is infected....". It also disables your desktop settings.

It disables exe files and a few other types.

The offending file is named "PAVRM.exe". The desktop background image is named "critical_warning.html".
I used mscofig to disable startup and security task manager to kill the process PAVRM.exe. I gained access to regdit by copying know good file to this computer and renaming it with a "cmd" extension.

I managed to delete all the registry changes, delete the exe file and reset the back ground. I updated windows as well. I thought I had it beat but when I turned back on the start up programs it came back. There is a file I am missing not listed in my removal instructions

Windows genuine advantage tries to run each boot up. The only think I enabled was a program called "winupdate". I think this is infected but I cant seem to get it deleted.

Here is a link to the removal instructions I am using.
http://www.2-spyware.com/remove-advanced-virus-remover.html

I must have a new variant because it can defeat the known manual methods of gaining access to the task manager.

Has anyone heard of this or run into it? I AM NOT going to re install the system.

There has to be a way to get rid of it.

Use Malware Bytes to remove it.  That has been the only program that has been reliably able to remove this trojan in all of its ugly versions.


ack-ack

[JB88]

I haven't dealt with this particular one yet but I've had better luck with spyware removers than anti-virus software in similar situations.

Try booting in Safe Mode With Networking and run a couple spyware apps, like Malwarebytes and Ad-Aware.

http://www.malwarebytes.org/mbam.php
http://www.lavasoft.com/products/ad_aware_free.php

in my case, it would not allow me to boot into safe mode.  it also killed my browsers unless i stopped the processes responsible.  finally got IE to work, but was never able to get firefox to launch.  this thing was a squeak.  the final straw ended in a blue screen of death and i finally just had enough.  backed up my files on another system and reformated.  thank god i am finished with the god awful thing.  terrible terrible virus.  ugh.

hope its going well agent.  keep the faith.

[Agent360]

Thanks for the responses fellas.

My main concern now is to find a solution to manually remove it. I was hoping we had some players here who know about malware/virus removal. I really want to know more about HOW this thing works. Any tech info about this is greatly appreciated.

Further research on this reveals that this variant and the others like it are a major scam. They attempt to fake you into buying their removal tools. Even the legit malware removal tools know about this yet they provide NO comprehensive write up or tools to find it or how to remove it.

Here is the scam. Please tell EVERYONE you can about this stuff. This is the only way we can fight it.

Fake application installs. You know its fake. So you start searching for removal tools. If you do a Google or yahoo search on this you will get many hits on tools to remove this. They ARE ALL part of the scam. I found over 20 (no exagerating) sites who claim to remove this application. They ask for money of course.

I turns out that they are all part of the scam. The site that orginally infected you gets a cut of any money if you buy there tools.

There are many fake antivirus sites out there offering incomplete info about it. They appear to be aware of it and offer a free version but then say to remove this ONE you have to pay.

I also found many sites with fake information about. From other reliable sources I discovered that there even more tech forums who are in on this. They post related info about it to get indexed in the search engines.

I was nearly tricked several times by downloading the removal tools. In reality these tools only further infect your system and then allow more malware to be installed.

I read one story about a older woman who gave a site who purchased online with credit card and got hit with a $8,000 charge 2 weeks later.

Fellas, this is a very serious scam. I can not trust ANY sites with info about this. There are so many that are fake...they all have very slick sites that appera legit....even with forum posts...all of it...and it is all fake.

My conspiracy theory: Most of this comes from the Chinese and north Koreans. But also now I believe the various terrorists groups are involved. Where do you think all this money they get is going...??? And if you don't fall for it you end up paying hundreds of dollars to computer tech's to remove it. I have spent over 15 hours on this so far. Imagine the economic impact this has on our economy. It is pure techno terrorism. The next great terrorist attack on the USA will no be a bomb or bio attack. It will be against our internet infrastructure.

One news report on this variant said over 3 million users have been infected by this particular type

The way it spreads is through legitimate web site with affiliate ads. If you click the ad you get infected. There are many free games as well like old arcade games or new ones like pinko etc. When you download them they infect your computer. The virus lays dormant for some time often months. Then activates so you are not aware of how you got it. Often you pay small amounts like 2 or 3 dollars for these games.

My 9 y/o son was searching for cheat codes for his ps2 games. He went to "gamefaq.com" clicked through a few links for the game he wanted. There was a simple text link in the cheat codes that said "click here for secrets". He clicked and immediately got multiple pop ups. He tried to close them but when he clicked the FAKE "CLOSE" button that executed the exe file and installed the app.

[trigger2]

Hey there,
Here's a couple of FREE anti-virus bits of software I've found, love, and use rather than ones I gotta pay for. They work better IMHO. If you need me to e-mail the .zip to you, let me know, but here's the links for them.

MalwareBytes
http://www.malwarebytes.org/

And SmitFraudFix (apparently, use at your own discretion. Seen things saying how it can tweak your registry(all antiviruses can), but never had it happen to me...)
http://siri.geekstogo.com/SmitfraudFix.php

Best of luck to you, Sir, and if you need anything, lemme know.

[A8TOOL]

Thanks for the responses fellas.




My 9 y/o son was searching for cheat codes for his ps2 games. He went to "gamefaq.com" clicked through a few links for the game he wanted. There was a simple text link in the cheat codes that said "click here for secrets". He clicked and immediately got multiple pop ups. He tried to close them but when he clicked the FAKE "CLOSE" button that executed the exe file and installed the app.

As soon as I see that happen I immediately close Firefox down instead of trying to x out of them.

I could make a lot of money threatening life and limb if i only knew where to look for these types of guys.

[MORAY37]

combofix.exe has thrown me a rope when all seems lost.  Only use it as a last straw though, with everything backed up that's important.  It is VERY powerful.