# trying to get rid of fake antivirus



## InuAkiko (Jan 19, 2010)

Running on Windows XP Professional and I'm grappling with "Internet Security 2010."

I have found a good set of steps to try, but it's now blocking me from accessing the net, my docs, etc., so I can't get to what I need to get rid of this damn thing. I can't find any info on how to bypass it, so I'm asking here.
Also I haven't downloaded/accepted anything for it cause I knew it was fake, I'm just trying to get rid of the initial program.


----------



## Fokkewolf (Jan 19, 2010)

Try Malwarebytes. Reboot to safe mode and then download.

I had troubles with Antivirus XP (same fake shit), and Smitfraudfix helped.


----------



## InuAkiko (Jan 19, 2010)

Fokkewolf said:


> Try Malwarebytes. Reboot to safe mode and then download.
> 
> I had troubles with Antivirus XP (same fake shit), and Smitfraudfix helped.



See, I'm afraid to do that cause this happened on a previous comp, and when I tried to run safe mode it just kept rebooting over and over =/


----------



## ToeClaws (Jan 19, 2010)

InuAkiko said:


> See, I'm afraid to do that cause this happened on a previous comp, and when I tried to run safe mode it just kept rebooting over and over =/



But have you tried it on _this_ computer yet?  I would also suggest downloading the anti-malware stuff (as well as a rootkit scanner and new anti-virus program) on a separate system to a USB drive, then reboot in safe mode and install/run.

Here's a very handy link to said software:

http://www.majorgeeks.com/page.php?id=20


----------



## Lobar (Jan 19, 2010)

wait so how many times have you fallen for "LOLOLOLOL YOU'RE COMPUTER IS INFECTED CLICK OK TO RUN THIS .EXE NOW" before?


----------



## InuAkiko (Jan 19, 2010)

Lobar said:


> wait so how many times have you fallen for "LOLOLOLOL YOU'RE COMPUTER IS INFECTED CLICK OK TO RUN THIS .EXE NOW" before?



Never. Read the whole post and say something intelligent, please <3


----------



## AshleyAshes (Jan 19, 2010)

If you refuse to boot in safe mode, you should work on learning to live with the virus cause that's the only way you're gonna fight this thing.

...Well, you could also just format the entire computer and restart from scratch, but I'd say that'd be better as a last resort.


----------



## f94 (Jan 19, 2010)

I had a similar fake anti-virus install itself on my machine.  Malwarebytes, Glary Utilities and UnHackMe took care of it right away.  I suggest running one of those free programs.


----------



## xcliber (Jan 19, 2010)

This happened to a family member of mine not too long ago. Removed it with Spybot Search & Destroy (google it) followed by a full virus scan with AVG Free.


----------



## InuAkiko (Jan 19, 2010)

Thanks, everyone! I went ahead and ran Malwarebytes in safe mode and so far so good, looks like it's gone. Tho that weird wallpaper it stuck on is still there, it's rather odd. In any case, I'm gonna run AVG Free to be safe.
While I'm here, is there any hope for my previous compy?


----------



## Trpdwarf (Jan 19, 2010)

It sounds as though your computer caught what my laptop did or at least something similar.

Only what ended up on my laptop I think, is that fake anti-virus 2009 version...and I'm going to try to go in safe-mode as a last ditch attempt to find the files and get rid of them.

It messed with my Avast so Avast isn't working, and I can't download AVG because it keeps blocking it. If I try to buy a program it wouldn't matter because it'd do the same thing. I got rid of the fake anti-malware portion of it, but the rest of it went and hid itself and is not in the Add or Remove area. I'm not computer savvy enough to go too deep into some of the more seemingly successful ways of getting rid of it.

EDIT: I'm going to try some of the things you guys linked once I get it up in safe mode.


----------



## AshleyAshes (Jan 19, 2010)

InuAkiko said:


> Thanks, everyone! I went ahead and ran Malwarebytes in safe mode and so far so good, looks like it's gone. Tho that weird wallpaper it stuck on is still there, it's rather odd. In any case, I'm gonna run AVG Free to be safe.
> While I'm here, is there any hope for my previous compy?


 
If you can't get a computer to boot in safe mode, it's safe to assume that it's fucked in all sorts of ways beyond 'I got some malicious software'. :/


----------



## InuAkiko (Jan 19, 2010)

AshleyAshes said:


> If you can't get a computer to boot in safe mode, it's safe to assume that it's fucked in all sorts of ways beyond 'I got some malicious software'. :/



Bah, I feared as much. This is what happens when you have a 16 year old sister >[


----------



## AshleyAshes (Jan 19, 2010)

InuAkiko said:


> Bah, I feared as much. This is what happens when you have a 16 year old sister >[


 
...I'd say fire it up and see if it REALLY won't go into safe mode.  Honestly, if the thing can't boot into safe mode, it shouldn't be able to boot Windows in any form. o.o


----------



## Ricky (Jan 19, 2010)

Copied from my response in another thread:

If you can't load the Task Manager, you should probably still be able to load `tasklist` from cmd, or `tasklist /SVC` to load it with the services (sometimes DLLs will be used via `rundll32.exe` as well and be listed as that). You can then use `taskkill /f /PID` to end the PID.  (Go through these and google the process or service or DLL that is being run by rundll32 to see if that's it.)

Also, if half of the web is being blocked it probably corrupted your hosts file. Look in `windows/system32/drivers/etc` I think, and you can open it with Notepad. The only thing that should be mapped in there is localhost/127.0.0.1.

I fucking hate Windows
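A check for the hosts-file tampering described above, as an added example (not code from this thread): it parses a Windows hosts file and flags every mapping other than localhost to the loopback address, distinguishing sites sinkholed to 127.0.0.1 (blocked) from sites redirected elsewhere. The sample hosts contents and the `.example` domains are constructed; the Windows path is the stock default.

```python
"""Audit a Windows hosts file for entries a rogue-AV / DNS-changer
infection typically adds.  Added example; sample data is constructed."""
import ipaddress
from pathlib import Path

# Names that legitimately map to a loopback address in a stock hosts file.
LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample: two stock lines, then the kind of entries an
# infection adds to block vendor sites and redirect a search engine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# --- constructed malicious entries below ---
127.0.0.1       securityvendor.example
127.0.0.1       av-updates.example
198.51.100.23   www.search-engine.example   # RFC 5737 documentation address
"""


def parse_hosts(text):
    """Yield (line_no, address, [names]) for each active mapping line,
    skipping blank lines and '#' comments (including trailing ones)."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        yield no, parts[0], parts[1:]


def audit_hosts(text):
    """Return a list of (line_no, reason, address, name) for every entry
    that is not a plain localhost -> loopback mapping."""
    findings = []
    for no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((no, "unparseable address", ip, " ".join(names)))
            continue
        for name in names:
            if addr.is_loopback and name.lower() in LOCALHOST_NAMES:
                continue  # the only mapping a clean hosts file should carry
            if addr.is_loopback:
                reason = "sinkholed to loopback (site blocked)"
            else:
                reason = "redirected to non-local address"
            findings.append((no, reason, ip, name))
    return findings


def audit_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Audit the real hosts file (default path is the stock XP location)."""
    return audit_hosts(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    for no, reason, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {no}: {name} -> {ip}: {reason}")
```

Run it against the sample to see the three flagged lines, then call `audit_hosts_file()` on the infected machine's copy; a clean file returns an empty list.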


----------



## Runefox (Jan 19, 2010)

Just as a little note, you don't need to jump through hoops to get programs running that are blocked from running - Just renaming them temporarily usually works fine enough.

I can't really add more to this since the automated tools I'd have recommended have already been mentioned and manual cleaning isn't exactly something the OP is familiar with. One bit of advice I do have is to grab Avast! Antivirus if you can. Install it (de-select the Web, Mail and Network shields) and let it do its bootup scan. This will occur before anything is really loaded (not even the GUI), and it should be able to pull stubborn infections off. Even if you don't plan on using it in the future, this is a fairly useful feature.

Though I have to add that more than likely, this infection includes a rootkit. GMER is a good program to get rid of that sort of thing, but it is a little on the dangerous side - It can nuke legitimate things as well. If you open it up and it finds something highlighted in *red*, then the best course of action is to do a Google search for whatever it is that it finds (though it's usually right in determining that red-highlighted entries are rootkits). If it turns out that it's actually a rootkit - blast it. In some cases, you'll need to disable it first, then reboot, then delete it afterwards, depending on how well-protected the rootkit is. In other words, if it's still there when you delete and reboot, then you'll need to do that.


----------



## Trpdwarf (Jan 19, 2010)

I just booted my computer up in normal mode and managed to get GMER to run on it. I'm waiting on it to finish scanning.


----------



## InuAkiko (Jan 19, 2010)

Oh wow, thanks for all the additional advice! I'm going to fire up GMER and see what happens. Then I'm going to go and take another crack at the old computer. 

Thanks for being patient, everyone. I'm hoping to go to school for tech stuff in the future, so it's great to learn all these tips and tricks.


----------



## Trpdwarf (Jan 19, 2010)

Just coming back to say that the Malwarebytes got rid of what it was that infected my computer.

So thanks to the person who brought that up.


----------



## Irreverent (Jan 20, 2010)

If you can't get a computer to boot up in safe mode, you might be able to force it to on next restart by using the msconfig function.

Either via a Run box or by ctrl-shift-escape, start new task and type in msconfig and enter. What happens next is windows version dependent, so proceed with caution.


----------



## Paskiewicz (Jan 22, 2010)

Malwarebytes works for me.


----------



## yiffytimesnews (Jan 22, 2010)

All I can add is when all else fails, wipe your hard drive and do a reinstall.


----------



## InuAkiko (Feb 10, 2010)

It's fucking back! And this time it's blocking everything out in safe mode, too!
WTF, I constantly scan and take care of this comp!

EDIT: used that registry trick to get Malwarebytes to run. While I'm waitin on that, anyone want to recommend a new antivirus to me? Cause AVG obviously isn't doing jack for me.


----------



## Dragonicism (Feb 16, 2010)

Try using NOD32 in place of AVG or Norton, I've had bad experiences with those two. NOD32 has been stable on this and other machines (including a server box) for over two years (non-cumulatively); I installed it after something nuked Norton on my last box.

As for recovering your machine, try downloading and burning the Ultimate Boot CD for Windows and booting from it. It does NOT launch your Windows install when it runs, and allows for out-of-Windows scanning of Windows partitions with Windows-friendly antivirus apps. My only suggestion is to NOT use Avira, as it has a great many false positives. MalwareBytes should run under it and I do believe it is included. I use it as my Winblows rescue CD when my Linux LiveCD is not suited to the task.

As a utility CD, it also does repartitioning and formatting quite cleanly, plus it has a very extensive set of disk recovery utilities and other tools available for use. I do believe it includes a web browser for diagnostic use and looking up solutions while you're on the troubled machine. Enjoy it!


----------



## Runefox (Feb 16, 2010)

InuAkiko said:


> EDIT: used that registry trick to get Malwarebytes to run. While I'm waitin on that, anyone want to recommend a new antivirus to me? Cause AVG obviously isn't doing jack for me.



I've been personally recommending the new version of Avast! Anti-Virus over AVG as of late. It's incredibly light-weight and has been pretty much completely reworked in the opposite direction of AVG in that regard. Its scanner's always been pretty good for me, though I couldn't tell you how the recent versions compare directly.

If you decide to install it, uncheck the Mail, Network and Web shields - They aren't really necessary and add a bit of bloat. The Resident shield should take care of it for you; The IM, P2P and Behavior shields are all part of the Resident shield, so you can keep those.

For my system, it's never actually taken up more than 10MB of RAM.

As for NOD32, I've had good experiences with it in the past, but it is fairly heavy as I recall. It'd be one of my primary picks (along with Kaspersky and Norton Anti-Virus 2009-2010 (*not* Internet Security or 360, they're still terrible)) for a paid antivirus app.


----------



## Scotty1700 (Feb 16, 2010)

I too have Avast antivirus. It's very simple, very reliable, very free, very awesome, and it references pirates!

Avast ye' scurvy dawg!


----------



## JMAA (Feb 17, 2010)

InuAkiko said:


> also i havent downloaded/accepted anything for it cause i knew it was fake, im just trying to get rid of the initial program.


Was it some sort of experiment, if I can be curious?
Just to know if it's a good purpose to install that thing.


----------



## SnowFox (Feb 17, 2010)

If you get viruses it's probably a good idea to change your user account to a limited one and create a separate administrator account that you only use when you have to for installing programs and stuff. If a virus can't write to program files or windows or most of the registry it limits the damage it can do (assuming it doesn't exploit some loophole).

One loophole is the task scheduler service, so disable that if you don't use it.
(enter *services.msc* in the run box)


----------



## Runefox (Feb 17, 2010)

SnowFox said:


> One loophole is the task scheduler service, so disable that if you don't use it.
> (enter *services.msc* in the run box)



While I do agree regarding the limited user bit (though most would disagree, mainly due to the fact that Windows places a lot of restrictions on limited users that, due to the OS's design, are very unwelcome), disabling Task Scheduler is a bad idea overall. Task Scheduler takes care of prefetch update and defrag tasks (among many other things not immediately visible to the user), and is overall pretty important in keeping system performance steady. I was under a similar impression a couple years ago, and with my system grinding to a veritable halt, I switched it back on and let it do its thing. Performance improved dramatically. It's much better to keep this enabled and simply remain vigilant and keep a good AV running if need be.


----------



## Ricky (Feb 17, 2010)

format c:


----------



## SnowFox (Feb 17, 2010)

Runefox said:


> While I do agree regarding the limited user bit (though most would disagree, mainly due to the fact that Windows places a lot of restrictions on limited users that, due to the OS's design, are very unwelcome), disabling Task Scheduler is a bad idea overall. Task Scheduler takes care of prefetch update and defrag tasks (among many other things not immediately visible to the user), and is overall pretty important in keeping system performance steady. I was under a similar impression a couple years ago, and with my system grinding to a veritable halt, I switched it back on and let it do its thing. Performance improved dramatically. It's much better to keep this enabled and simply remain vigilant and keep a good AV running if need be.



I didn't realise it did stuff of its own accord even if you haven't set any scheduled tasks, or is this a Vista and above thing?


----------



## ker (Feb 17, 2010)

So far the best and most efficient way of killing 2010 and its variants is to take the hard drive out, put it into another computer (that has its own OS), instruct your drive to not boot, run AVG/Avast/Microsoft Security Essentials/Malwarebytes, whatever you use, do it a lot, clear the temp folders, and run ComboFix afterwards to fix the registry values that the particular virus messes with (get ComboFix from Icrontic). Back up your stuff too; you can copy your whole hard drive to your friend's drive with xcopy from the WinXP CMD line. After you run the stuff, reinstall your anti-virus program because the virus changes it.
(Be sure to scan/fix YOUR drive and not your friend's.)

It's annoying cause I have to remove this like 10 times a day, and the above method seems to be the best at making sure it doesn't come back. Also, if you don't back up your stuff you could lose it all (ComboFix can be aggressive).


----------



## Runefox (Feb 17, 2010)

@ker: Unless you're using something special, tools like Combofix in particular target the *current* Windows environment (meaning the host OS for that infected drive and not the infected OS itself - In particular, Combofix, again, is meant to be run on the infected machine itself). I believe some apps do have the ability to run on and clean secondary drives (Spybot being one, IIRC), but most scanners will only find files, not registry keys. Of course, this alone will likely be enough, since the files aren't in use and thus can be removed easily enough - If it's detected, that is. If you know the inner workings of the Windows environment well enough, you could remove an infection manually via a Live environment (LiveCD, Recovery Console, etc) to save time waiting for scans and so on. It's still a good idea to run cleanup scans anyway, but the need to use riskier tools like Combofix can be avoided. Also a good idea to give it a going over with GMER once the system's booting normally.


----------



## Nollix (Feb 21, 2010)

Format. Also, welcome to the botnet.


----------



## jagdwolf (Feb 22, 2010)

My son got this av.exe virus, what a PITA. Went to DOS, nuked it there, deltreed it, cleaned the registry, thought it was gone until he clicked on Firefox and welcome back, boys.

So I installed Vista, having it rename the prev. Windows version .old, and then nuked that .old folder.  It's working fine.   That anti-virus site that you pay for, Malwarebytes, after doing some research seemed really fishy, but I won't go into detail.

Hun, you just might have to flush the toilet on this one and reinstall.


----------



## Runefox (Feb 22, 2010)

jagdwolf said:


> My son got this av.exe virus, what a PITA. Went to DOS, nuked it there, deltreed it, cleaned the registry, thought it was gone until he clicked on Firefox and welcome back, boys.



There's usually a rootkit component to malware infections in general these days; You nuke an infection and miss that, and eventually (usually after a somewhat random delay), it'll rebuild itself and start all over again. You basically need to pull some fancy tricks or clean from outside of Windows altogether (like with a LiveCD) in order to break some of these newer examples.


----------



## Dragoneer (Feb 23, 2010)

Runefox said:


> There's usually a rootkit component to malware infections in general these days; You nuke an infection and miss that, and eventually (usually after a somewhat random delay), it'll rebuild itself and start all over again. You basically need to pull some fancy tricks or clean from outside of Windows altogether (like with a LiveCD) in order to break some of these newer examples.


Malwarebytes + Microsoft Security Essentials. Actually, one hell of a great combo.

I know, I know... "ACK! A Microsoft Antivirus"? I find it works really well in conjunction with Malwarebytes.


----------



## Runefox (Feb 23, 2010)

Dragoneer said:


> I know, I know... "ACK! A Microsoft Antivirus"? I find it works really well in conjunction with Malwarebytes.



Yeah, it's actually pretty good. It's based on the work done with OneCare (discontinued), which itself wasn't all that great, but MSE's actually pretty fast and lightweight, if a little simple in terms of its UI. I ended up using it for about a week, but it did impact performance on my system pretty severely by the end of it. Combined with Windows Defender (built-in with Vista/7) and Malwarebytes' Anti-Malware as a removal tool, it's pretty good at stopping malware overall if it works well on your system.

I prefer Avast! to it, though, but mainly for the lower resource usage and the greater flexibility in setup and available options. For most home users (which is what MSE is targeted at), it should be entirely fine, and it's overall pretty easy to use.


----------



## Kairuk (Feb 28, 2010)

System restore. Easy. This happened to me last week ^^


----------



## Runefox (Feb 28, 2010)

Kairuk said:


> System restore. Easy. This happened to me last week ^^



You're very lucky if System Restore actually got rid of that.


----------



## Kairuk (Feb 28, 2010)

Runefox said:


> You're very lucky if System Restore actually got rid of that.


Yea, well it was some advance security 2010 thing... a rogue spyware.


----------



## TIM-ber-wolf (Mar 31, 2010)

Just to throw in some extra advice for anyone else who got the "XP Internet Security" (or its Vista counterpart): if you can't download MBAM from whichever computer you're viewing this on, try this method.

- Bring up Task Manager
- Try to launch a browser on the infected computer
- In TaskMgr, go to the 'Processes' tab
- When the virus activates, tell it to continue browsing anyway
- End the AV.exe process before the browser finishes starting

This should let you use your browser.


----------



## Runefox (Mar 31, 2010)

Well, maybe, but the newer variants (2010) typically come with a rootkit component. Depending on the variant, I don't think it's unheard of for it to disable Task Manager or not allow the process to die gracefully, and traditionally in the past it's also come bundled with DNS changer to prevent access to major security sites. That said, I haven't come across this kind of variant for the 2010 version just yet, but that doesn't mean that it doesn't exist. One common factor in the newer version is that it tends to latch onto the exefile CLASSES definition in the registry, which means that removal can and will nuke your ability to run executable files. Renaming programs temporarily from .exe to .com bypasses this, but in Vista and later, you can't rename regedit.exe under any circumstances, nor will it launch otherwise (copies won't work), which makes it a royal pain. It's absolutely a requirement to have a .reg file handy to restore the executable filetype in this situation.

Older variants were very succinctly destroyed by MBAM, but the newer variants seem to require a somewhat more in-depth touch, with even safe mode scans failing to completely remove it. GMER is one way to go to try to rid yourself of the rootkit component, and Autoruns can be indispensable insofar as trying to root the rest out manually goes.


----------



## Rai Toku (Mar 31, 2010)

Alright, my youngest brother downloaded a similar virus to his laptop about a month back, and my mother, the month before. Neither of them are really tech-savvy, but my mother at least recognized it as a virus, while my brother thought it was real, and it was only by luck I peeked at the laptop and noticed it. The bloody thing disabled going into computer profiles, anything tied to the control panel, really, and stopped task manager from starting. Unfortunately, I had no idea how to start them in safe mode, so I had to find other means.

If it creates a shortcut on the desktop, you can right-click, select Properties, and find the source of the program, and kill that. It will stop half of the problem, as it doesn't really pull info from the .exe file (if it does, it's something you can close out by right-clicking the tab on the taskbar, then delete the .exe file). The rest can be found in C:\Documents and Settings\(Username)\Local Settings\Temp. You can safely delete all files in that folder - the files that you cannot delete are files in use from the .exe file you killed earlier, and will continue to attempt to hinder any attempts to save your comp. However, with the .exe file gone, when you reboot, the files left over in Temp will not activate and are able to be deleted.

At least, that's how it worked for those two fake anti-viruses. Anyway, best of luck to you in getting your comps cleaned.


----------



## Slingblade_47 (Mar 31, 2010)

Bloody hell. I ran into this problem last year with the desktop I use for gaming, which at the time used a triple-boot setup of Windows ME, Windows XP Home, and Windows Vista Home Basic. I was duped into downloading a service pack for my installation of Office 2003 in Windows XP, but found myself saddled with Internet Security 2009. There was no way I could kill the process in that system, although using Vista I found a very large number of viruses in my system.

Eventually, I managed to find each program associated with that program and deleted them manually - although this left Windows XP almost unusable. Many programs wouldn't run, and Explorer.exe was hardly functioning at all. System Restore had been disabled right from the moment this program found its way in, so I couldn't use that, and I had no luck choosing the Last Known Good Configuration option when starting up. In the end I had to repartition and reformat the entire drive.

You might be able to get rid of that program, but to guarantee that there are no traces of it left behind, you're gonna have to back up your precious files, or if they're already infected with viruses, be prepared to lose them - and then reformat where the infected operating system was.


----------

