platinumantivir *@%$%% is on my laptop and can't get past it!

zettler

Senior member
Nov 16, 1999
705
2
81
I am longtime member here and promote it to others but now I need some urgent help!

Last night my daughter "borrowed" my laptop in the middle of the night. Now, 24 hours later, I go to use it and find all sorts of popups about, "Application cannot be executed. The file _______ is infected. Do you want to activate your antivirus software now?"

And if you click "No", then you get dozens and more of these saying the same, with other popups that say a virus is installed, and....well, you all get the picture. I cannot load any other program before another popup appears effectively preventing it from running. I went ahead and said "Yes" to activate but made sure the wireless modem was OFF to prevent any transfer of information.

Of course, not knowing what went on while I was sleeping she might have said "Yes" too and made the connection!

In the browser (IE of course), it goes to a reduced window that has the address, "http://platinumantivir.com____" which is about all I can see because it will not allow me to completely open the browser.

I have done a Google search on another PC but all I get are links to web sites where they want you to download their software to remove the threat, which I cannot do with the wireless connection disabled. And if I let it sit there, those popups keep growing with all sorts of warnings till I have to close the laptop in order to not throw it against the wall!!!!

I have tried to use my AVG ANTIVIR software (which I downloaded from here) but it will not allow you to do a complete scan. In fact, the only thing I could try and do is to do a "select file(s)" scan and I can tell you it is not doing so for it quits after 10 seconds and my C-drive is full!!!

It has been awhile since I backed up my files and would hate to lose them but I need to get in there and get rid of this CRAP!

Here it is almost Christmas Eve and I have presents to wrap (single male parent of two) and I do not have time to do everything and NOW I HAVE THIS PROBLEM!

I will appreciate any and all counsel. In addition, if anyone has a lead on the individuals who perpetrate this crap, I have a posse of guys who would love to pay them a visit.............

I am not illiterate and have built a dozen or so PCs for my family AND maintain a tight control on what I download or go to - PLUS, I use Spybot-Search and Destroy, Spyware Blaster, Ad-Aware, etc., and keep them up-to-date as best I can, but this one sure has got me and I am really frustrated, mad and taken aback by its timing.

So, CAN ANYONE ASSIST ME???

Thank you so very much, and for all of you who are not involved in malicious acts like the aforementioned, I wish you a Merry Christmas.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,044
184
116
I'd recommend booting up with an antivirus cd such as Antivir's and scanning your system from outside windows.
 

Jodell88

Diamond Member
Jan 29, 2007
8,762
30
91
Bit_Defender
Kaspersky
Avira

1. Download either one of them and burn on a cd or dvd.
2. Insert into dvd/cd drive and reboot the laptop.
3. I would attach the computer to the Internet via cable so it can update.
4. Good luck!
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
How would I create one as all my AV software are free downloads?

Thanks!

Go to this link and download the Avira AntiVir Rescue System in .ISO format. Burn it to a CD, then boot the computer from the CD. This CD will have up-to-date virus definitions included as part of the download. If you don't have a software that burns .ISOs to CD, you can use the .EXE version which will burn the CD for you.

After running the scan from the CD, see if you can boot up and install Microsoft Security Essentials (uninstall any other antiviruses first), and scan with that. Also scan with SuperAntiSpyware and MalwareBytes.

Sorry to hear about your issues. If you need some security suggestions, I have a page with a pretty solid security strategy here.
 

VirtualLarry

No Lifer
Aug 25, 2001
56,542
10,167
126
Don't forget the trick of renaming your AV software to "winlogin.exe" (or is it "winlogon.exe"?). That's an executable that is required to run in order for the OS to operate, so malware allows that file to execute, even if other applications are blocked from execution.
I've heard (though not tested, since I haven't been in that situation yet), that renaming the malwarebytes installer, and then renaming the installed app, will allow you to run it on a system thus infected.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
You'll almost certainly save time by copying any important files elsewhere, re-installing your OS and applications, and copying back your data. It's very unlikely that cleanup will be easy and a fairly good chance that Windows will be wrecked in the process. At best, you will likely be in for hours of scans, with no guarantee of success in the end.

Since it's a laptop, it may well have a manufacturer's System Recovery partition that will restore it to the factory software configuration in a few minutes. If that hasn't been wrecked by the malware.

Once you get everything restored, check into keeping system backups so next time you can get your system back the way you had it.
 

Dr.Pants

Junior Member
Dec 19, 2009
4
0
0
You'll almost certainly save time by copying any important files elsewhere, re-installing your OS and applications, and copying back your data. It's very unlikely that cleanup will be easy and a fairly good chance that Windows will be wrecked in the process. At best, you will likely be in for hours of scans, with no guarantee of success in the end.

^This

In fact, what I'd do is only backup data that you absolutely need. Do a wipe of the hard drive (or two) before reinstalling the OS. Scan the frak out of the files you saved before putting them back on.

Beforehand, try checking all of your browser's histories to find out what sites were visited and what files were downloaded. Then block those sites.
 

zettler

Senior member
Nov 16, 1999
705
2
81
God Bless you all. I am still posting from my DROID until I can make time to use all your suggestions. With regard to backups, I have done so but was past due to update....

And now, I can't even do one as the popups prevent me...

In any case, you all are a great group and I deeply appreciate your support. Have a Merry Christmas!!!
 

SirGeeO

Member
Dec 22, 2009
51
0
0
yeah, I had a problem similar, and I just went ahead saved all my important work and did a fresh re-install of the OS. It saved me the head-ache of trying to locate exactly where the malware was executing...hope all is well
 

zettler

Senior member
Nov 16, 1999
705
2
81
yeah, I had a problem similar, and I just went ahead saved all my important work and did a fresh re-install of the OS. It saved me the head-ache of trying to locate exactly where the malware was executing...hope all is well

How were you able to save anything with that damn popup preventing any further events to open?
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
How were you able to save anything with that dam popup preventing any further events to open?
The best way is to pull the hard drive and attach it to another PC and copy the data. There are $20 adapters to do this via USB.
 

zettler

Senior member
Nov 16, 1999
705
2
81
The best way is to pull the hard drive and attach it to another PC and copy the data. There are $20 adapters to do this via USB.

I hadn't thought of that! However, won't that infect the other PC's hard drive?

I do have a box or two where I could install the infected Hard Drive and run it as an external drive but again won't that infect the other PC???

Thanks again you all and have a very Merry Christmas and a safe New Year!
 

Modelworks

Lifer
Feb 22, 2007
16,240
7
76
I hadn't thought of that! However, wont that infect the other PC's hard drive?

I do have a box or two where I could install the infected Hard Drive and run it as an external drive but again won't that infect the other PC???

Thanks again you all and have a very Merry Christmas and a safe New Year!

Before connecting the drive to another PC: if it is a Windows PC, disable autoplay.
 

SirGeeO

Member
Dec 22, 2009
51
0
0
You can go the quick route of purchasing the cable to copy data...
OR
you can put up a nice wall of AV's, Malware Progs., etc to catch the problem.
Why don't you try Run > msconfig / or services.msc > and turning off certain services to see if the pop-ups are being executed from a service you have started / starting. If you have to get down to your basic core of MS functions then try that (<---to see if you can prevent the pop-ups)
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Before connecting the drive to another pc. If it is a windows pc disable autoplay.
Yeah. Make sure Windows is fully updated, make sure you've got ALL autoplay disabled (search Microsoft's site for directions on double-checking) and, just in case, make sure you've got the host's AV autoprotect turned on and AV is up-to-date.
 

zettler

Senior member
Nov 16, 1999
705
2
81
The depth and number of replies are overwhelming, and on Christmas Eve no less. Right now I am watching my movies (Christmas Vacation, Scrooge's and my all time favorite, Christmas Carol with Alastair Sim) and will work on it as soon as the celebration is over.

All my best and Merry Christmas!
 

balloonshark

Diamond Member
Jun 5, 2008
6,546
3,011
136
There isn't much info on platinumantivir. Everything I'm finding looks as if it's new. I see some manual removal procedures but wouldn't recommend them unless you're comfortable doing so. There are removal tools on the same page but I'm not familiar with the sites so I can't recommend using the tools. I also just checked the site's rep and it's not good.

Can you get in task manager on the infected machine? If so you might be able to kill the process in order to stop the pop-ups and save your data. Just by looking at the manual removal, look for a process called [random]sysguard.exe and kill it if you can. [random] would be random numbers or letters.

There may be other random .exe's also but there is no telling if they are bad or not. If you can kill the process and it works just remember that when you reboot it will be back.

Here is safer info: It confirms the [random]sysguard.exe mentioned above.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavalp.html?_log_from=rss#table3

P.S. I'm not an expert, just trying to help and give you some ideas. It can be fun killing a malware process :).
 

zettler

Senior member
Nov 16, 1999
705
2
81
Again, thank you all and very Merry Christmas!

I will report back IF and WHEN I get it done...

All my best,

Bob
 

Dreamweaver69SS

Junior Member
Dec 27, 2009
5
0
0
I got the same virus (see this thread - http://forums.anandtech.com/showthread.php?p=29113848&posted=1#post29113848)

You sound like you know a lot more about how to clean this up than I do but, if this helps, what I did was go into the bios, change the clock back to a date previous to when the attack occurred and that, at least for now, got rid of the popups and allows me to go into the system. Now, if only I knew what to do when I get into the system :( :)
 

SirGeeO

Member
Dec 22, 2009
51
0
0
Both of you need to do research on finding the registry keys, by booting into Safe Mode, delete them, make sure you look over services.msc, msconfig, Control Panel > Administrative ??? > , and make sure you don't see this service running. (or could it hide itself as the regular AV you have ????). After those daunting tasks (I know viruses are a pain, right?), and no resolution, I can only think of doing a Restore To Factory image. I don't think wiping the drive clean here would be necessary, but then again maybe it is, depends on the severity.
 

Modelworks

Lifer
Feb 22, 2007
16,240
7
76
Both of you need to do research on finding the registry keys, by booting into Safe Mode, delete them, make sure you look over services.msc, msconfig, Control Panel > Administrative ??? > , and make sure you don't see this service running. (or could it hide itself as the regular AV you have ????). After those daunting tasks (I know viruses are a pain, right?), and no resolution, I can only think of doing a Restore To Factory image. I don't think wiping the drive clean here would be necessary, but then again maybe it is, depends on the severity.

The simple virus you can remove by closing the process and removing registry keys. The harder ones install themselves as rootkits that will hide any settings they use in the registry even from administrator, hide the files on the drive, and hide them in the process list. The sad thing is these things are easily stopped by MS, but MS put the ability to do these things into the OS as 'features' for legitimate programs, with the only prevention being UAC or antivirus. UAC is like putting a padlock on a chest of money in the middle of nowhere. Once they get past the lock they are home free. The rest of the OS has next to no protection.
 

ernest_hemingway

Junior Member
Dec 27, 2009
1
0
0
My Mom's laptop was affected with this Trojan. I deleted the below corrupt files and registry entries and everything ran smooth. For the registry entries, just search them out one by one and delete. To find the registry entries go to Start > Run > type "regedit" > and delete as necessary.

How to remove Platinumantivir.com hijacker manually:
To perform manual removal of Platinumantivir.com hijacker and related rogue trialware, you should do the following:
Delete Platinumantivir.com hijacker corrupt files:

  • %UserProfile%\Local Settings\Application Data\[random]\
  • %UserProfile%\Local Settings\Application Data\[random]\[random]sysguard.exe

Remove Platinumantivir.com hijacker registry entries:

  • HKEY_CURRENT_USER\Software\AvScan
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"
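As an added example (not code from anyone in this thread), here is a read-only PowerShell audit that checks a Windows profile for the indicators quoted above: the [random]sysguard.exe process and file from balloonshark's post, and the registry values and Run entries from the list in the previous post. It assumes it is run as the affected user and that the key names, value data and file name are exactly as given in the thread; it reports what it finds and deletes nothing.

```powershell
# Added example, not code from the thread. Read-only audit of the indicators
# the posts above quote; it reports and deletes nothing.
# Assumptions: run in the affected Windows user profile; the key names, value
# data and the [random]sysguard.exe file name are those given in the thread.

$findings = New-Object System.Collections.Generic.List[string]

# 1. A running [random]sysguard.exe process (ProcessName carries no .exe suffix)
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    if ($proc.ProcessName -like '*sysguard') {
        $findings.Add("Process: $($proc.ProcessName) (PID $($proc.Id)) $($proc.Path)")
    }
}

# 2. The dropped binary under %UserProfile%\Local Settings\Application Data\[random]\
$dropDir = Join-Path $env:USERPROFILE 'Local Settings\Application Data'
if (Test-Path $dropDir) {
    foreach ($f in Get-ChildItem -Path $dropDir -Recurse -Filter '*sysguard.exe' -ErrorAction SilentlyContinue) {
        $findings.Add("File: $($f.FullName)")
    }
}

# 3. Registry values listed in the thread, with the data that marks the rogue
$checks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Download';                   Name = 'RunInvalidSignatures'; Bad = '1' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';     Name = 'ProxyServer';          Bad = 'http=127.0.0.1:5555' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'; Name = 'LowRiskFileTypes';     Bad = '.exe' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';  Name = 'SaveZoneInformation';  Bad = '1' }
)
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($item -and "$($item.($c.Name))" -eq $c.Bad) {
        $findings.Add("Registry: $($c.Key)\$($c.Name) = $($c.Bad)")
    }
}
if (Test-Path 'HKCU:\Software\AvScan') { $findings.Add('Registry: HKCU:\Software\AvScan exists') }

# 4. Run keys: the rogue's entry has a random name, so match on what it launches
foreach ($run in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PS* provider metadata properties; only real value names are autoruns
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -like '*sysguard.exe*') {
            $findings.Add("Autorun: $run\$($p.Name) = $($p.Value)")
        }
    }
}

if ($findings.Count -eq 0) { 'None of the indicators from the thread were found.' } else { $findings }
```

Running it from a rescue environment or a second machine with the drive attached would need the HKCU paths pointed at the loaded offline hive instead; as written it inspects only the live profile it runs in.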