Fake anti-virus malware - need help

[Stoney]

I got hit with this last fall.  I reformatted.  Then, the very next thing I did was disable Active X and require Explorer to prompt me before I run any Active X controls.  From what I understand, this thing hits your computer as an Active X control.  Regardless, since I've changed my Active X settings, I have had zero issues--zero.  And, I don't run anti-virus at all, merely CCleaner every two weeks.

[CAP1]

Hi Friends,

My wife's computer is infected with "Advanced Virus Remover". I have followed directions to get rid of it and none has worked.

This is a fake program that runs a fake scan. It looks like AVG. It locks you out of regedit, taskmanager, and prevents a boot to safe mode. It replaces your desktop background image with a blue screen that sais "your computer is infected....". It also disables your desktop settings.

It disables exe files and a few other types.

The offending file is named "PAVRM.exe". The desktop background image is named "critical_warning.html".
I used mscofig to disable startup and security task manager to kill the process PAVRM.exe. I gained access to regdit by copying know good file to this computer and renaming it with a "cmd" extension.

I managed to delete all the registry changes, delete the exe file and reset the back ground. I updated windows as well. I thought I had it beat but when I turned back on the start up programs it came back. There is a file I am missing not listed in my removal instructions

Windows genuine advantage tries to run each boot up. The only think I enabled was a program called "winupdate". I think this is infected but I cant seem to get it deleted.

Here is a link to the removal instructions I am using.
http://www.2-spyware.com/remove-advanced-virus-remover.html

I must have a new variant because it can defeat the known manual methods of gaining access to the task manager.

Has anyone heard of this or run into it? I AM NOT going to re install the system.

There has to be a way to get rid of it.

is there any chance that doing a system restore might help?

 also, isn;t there something you're supposed to turn off when you're deleting these files? i tghink it might be system restore, as supposedly some files can hide in there?

almost forgot......malewarebytes as some others have suggested, and superantispyware.

finally.......did ya talk to tildeath?

[trigger2]

also, isn;t there something you're supposed to turn off when you're deleting these files? i tghink it might be system restore, as supposedly some files can hide in there?

Yes, you should disable your system restore "auto-save" times as some can auto-revert to a time where the computer was infected.

Still say SmitFraudFix is by far the best program.

[pokecheck]

On my pc, I use super anti-spyware. It finds everything that Norton and AVG miss. I've had some really nasty viruses and it's cleared them all.

[Ack-Ack]

people who create these things and put them out to do harm to the rest of us should be tried and if found guilty tied to a stake, blindfolded and shot repeatedly about the head and torso until dead.

They're in Russia, it's never gonna happen.

ack-ack

[Ack-Ack]

What is the most important lesson one can take from this thread?  Only visit reputable porn sites!   


ack-ack

[rogwar]

Well, yeah Norton 360 can work ok...but from experience...in the past week I have had to reload 2 systems that had the full Norton 360 on them...would you like a link to a website that I know will shut your Norton active protection off and install some nice malware on your system?
I have a test system at home with an enterprise version of Norton anti-virus that I use to "play" with various malware...just so I know how to fix it when someone brings me their computer.


Safe users have nothing to worry about when using Symantec and McAffee products...it's the risky activity people who have to watch out.

I'd like to give it a whirl. Please send evil website(s) to imagineu812@yahoo.com

Yeah that is a correct address.

[Kurtank]

God, this one is a doosey. My sister's got hit. Found out it was dual-booting a stripped-down linux kernel, likely doing all manner of nefarious deeds. Just reformatted.

I always say; the best antivirus is a backup server. With the way malware is today, it's almost futile to use an on-board scanner. Better to use a thumb drive scanner once a month, and make regular backups.

[Agent360]

I am still working on cleaning the system.

Wife was at site about "soap" tv shows. She has gone there lots. Its a reputable site. But during here browser session the browser suddenly terminated. She then had an IE process on task bar called "virus remover" and a pop up warning. I think AVG or spy protector shut the browser down before infection occured. Later she got a detected threat from AVG. But there is no log of the event in AVG so I am not sure.

Now she is getting random browser shut downs.

I still can not boot to safe mode.

I think there may be a rootkit problem and I am pretty sure the system32 folder is hosed.

I am just not going to do a reformat. I am going find every dam spec of this crap if it takes me another 6 months.

After i fix the safe boot problem and scan the rootkits and take a few other actions I will do a Windows repair/reinstall.

[JB88]

sounds like you got it light.

when it happened to me, i couldn't open my browser unless i terminated the process and opened up i.e. quickly enough.

couldn't safe mode either.

finally came to a blue screen of death.

dude, you are never gonna know if everything this thing brings is off of there. 

maybe back up your stuff, buy a new drive and then use that one as a hobby.

i cannot stress how much i would like to see the creator of this crap buried up to their necks and kicked until dead.

bunch of good for nothing arsewipes.

grrrrrr...

[Sandman]

This guy can help you.

http://forums.techguy.org/54-malware-removal-hijackthis-logs/

[MrRiplEy[H]]

If you don't format and try to troubleshoot for 6 months you not only waste your time for nothing, you let your computer spread the spam / malware to others.

So unless you get a new HD to bootup clean, disconnect your computer from the internet untill you fix it.

[MORAY37]

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

TRY COMBOFIX!!!!!!!!

Introduction

ComboFix is a program, created by sUBs, that scans your computer for known malware, and when found, attempts to clean these infections automatically. In addition to being able to remove a large amount of the most common and current malware, ComboFix also displays a report that can be used by trained helpers to remove malware that is not automatically removed by the program.

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

Please note that this guide is the only authorized guide for the use of ComboFix and cannot be copied without permission from BleepingComputer.com and sUBs. It is also understood that the use of ComboFix is done at your own risk.

For those who wish to help finance the author's work, he is accepting contributions via Paypal. You can contribute by clicking on the following image:

[bcadoo]

Another tool I forgot to mention.  A universal boot CD.  Boots to GUI windows off of the CD.

http://www.ubcd4win.com/

[Plazus]

Agent360,

My previous computer got pwned by a similar problem that you encountered. It was a program called "Spyware Protect 2009". At first, I had thought that this "antivirus" program would fix the viruses in my computer. But to my pleasant surprise, it was a vicious trojan virus that managed to open up all my ports and send in a hoard of other viruses and spyware in my computer.

I tried to save the old computer and did a reformat to the hard drive. Somehow the reformat failed to work and my drivers wouldnt install correctly. The virus must have gotten into the BIOS and boot/startup settings and scrambled everything up. Fortunately, I built my own system and I know now not to trust anything from the internet.

My only suggestion is to reformat your hard drive and start all over again- assuming that you cant get rid of this program.