Rogue AV that I can't seem to kill

elcamino74ss

Senior member
Jun 6, 2005
215
0
0
With one that bad you might need to slave the drive into a clean box that you don't care if you lose.

Some of those are rather nasty. I'd start with some manual clean and check the hosts file and clean it out then check the typical autorun registry entries and remove what you can there.

Cleaning up these fake AV programs is rather time consuming and a royal pita.

If your data is backed up, you might also consider just wiping and doing a clean install, patching, and installing a good AV.
 

RadiclDreamer

Diamond Member
Aug 8, 2004
8,622
40
91
Looks like antivirus2009/2010, which is a fake AV. Malwarebytes with the latest definitions will work. I've seen 2 different versions of this little ah heck, and 1 is easily removed with just a Malwarebytes scan. The other will say pretty much anything you try to open is infected and needs you to run their "scan" to clean.

What I've found works, if this is in fact the case, is to boot normally and very quickly, before everything else has a chance to open, launch MBAM and run the scan. Be SURE you have the updates; if you can't get them to auto-update, try using their manual update feature.
 

tcsenter

Lifer
Sep 7, 2001
18,338
253
126
Open an elevated command prompt. To do this, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If you are prompted for an administrator password or for a confirmation, type the password, or click Allow.

Type the following command, and then press ENTER:

sfc /scannow

http://support.microsoft.com/kb/929833 (Vista and 7)

http://support.microsoft.com/kb/310747 (XP version)

http://support.microsoft.com/kb/897128 (relevant to XP Home Edition)

You'll need a Windows install disc, preferably one that is patched to the same Service Pack level as the OS installation.

This will hopefully stop the rogue app from booting/loading with Windows, but it won't remove the infection. To date, I've seen about a dozen variants of this rogue/fake security software and they are nasty. Even after I'm 100% certain there are no traces of the infection left, in most cases there was enough damage to the system environment and/or registry to leave the system in some dysfunctional state or another. Of the few systems that seemed to function OK, I just couldn't be confident enough or bring myself to leave them in an unknown state.

IOW, I've always ended-up performing a clean install of the OS and all the apps.
 

raincityboy

Senior member
Dec 30, 2004
394
0
0
Here is what I do.

Boot into an external environment with access to your drive (UBCD4Win, or another computer).

Clean out the following files:
- %userprofile%\local settings\application data\***random letters*** created recently
****** hint: generally you do not need .exes here, delete them. If you are unsure, compress them with 7z (or your favourite) with a password.

- %programfiles%: look for suspicious program names (again, if unsure, compress with a password)
- %windir%: check for recently created files (you must be careful)
- %windir%\system32: again, recent files (you must be careful)
- %windir%\system32\drivers: the same applies here (you must be careful)

From regedit:
load your drive's software hive (*yourdrive*:\windows\system32\config\software)
check microsoft\windows\currentversion\run and runonce for known malicious files from %userprofile%\local settings\application data\, %programfiles%, %windir%, and anything else you know to be a "bad" entry.

- microsoft\windows NT\currentversion\winlogon: make sure userinit is pointed to %windir%\system32\userinit.exe

If you want, you can load your user hive (%userprofile%\ntuser.dat) and check for these:
- software\microsoft\windows\currentversion\policies\system\DisableTaskMgr: delete or set to 0
- software\microsoft\windows\currentversion\internet settings\ProxyEnable: set to 0

You can also use ezpcfix.exe (google it) to speed this process up.

Boot into your computer.
Install your favourite AV or update it (I recommend Microsoft Security Essentials); don't scan yet.
Install and scan with Malwarebytes, SUPERAntiSpyware, Spybot, then the AV.

Very good chance the problem is gone.
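The offline hive checks in the post above, as an added example that is not part of the thread and not any of the tools it names. It assumes the infected disk is attached to a clean machine as D:, that the script runs from an elevated PowerShell 3 or newer prompt (reg.exe load/unload need admin rights), and that $UserProfile points at the infected user's profile folder; the mount names TriageSoftware/TriageUser are chosen here. It only reports, it does not delete anything:

```powershell
# Added example (not from the thread): offline triage of the persistence points
# raincityboy lists: Run/RunOnce, Winlogon\Userinit, DisableTaskMgr, ProxyEnable.
# Assumptions: infected disk mounted as $Drive on a clean box, elevated prompt,
# $UserProfile = the infected user's profile (Vista/7 layout would be D:\Users\owner).
param(
    [string]$Drive       = 'D:',
    [string]$UserProfile = 'D:\Documents and Settings\owner'
)

# reg.exe wants the short root names; the PowerShell Registry:: provider wants the long ones.
$SoftMount = 'HKLM\TriageSoftware'; $SoftRoot = 'HKEY_LOCAL_MACHINE\TriageSoftware'
$UserMount = 'HKU\TriageUser';      $UserRoot = 'HKEY_USERS\TriageUser'

function Mount-Hive([string]$MountName, [string]$HivePath) {
    & reg.exe load $MountName $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }
}

function Dismount-Hive([string]$MountName) {
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()   # drop PowerShell's open key handles first
    & reg.exe unload $MountName | Out-Null
}

# Name/Data pairs for every value under a key, skipping the PS* metadata properties.
function Get-KeyValues([string]$Key) {
    $item = Get-ItemProperty -Path "Registry::$Key" -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Data = [string]$_.Value } }
}

# Heuristic from the thread: autoruns launched from per-user application-data or temp
# folders (where the rogue AV drops its randomly named .exe) deserve a closer look.
$SuspiciousPath = '(?i)\\(Local Settings\\Application Data|AppData\\Local|Temp)\\'

function Get-AutorunReport {
    foreach ($sub in 'Run', 'RunOnce') {
        Get-KeyValues "$SoftRoot\Microsoft\Windows\CurrentVersion\$sub" | ForEach-Object {
            $flag = ''
            if ($_.Data -match $SuspiciousPath) { $flag = 'CHECK' }
            [pscustomobject]@{ Key = $sub; Name = $_.Name; Data = $_.Data; Flag = $flag }
        }
    }
}

# Userinit must point at the real userinit.exe (normally "C:\Windows\system32\userinit.exe,").
function Test-Userinit {
    $v = (Get-KeyValues "$SoftRoot\Microsoft\Windows NT\CurrentVersion\Winlogon" |
          Where-Object { $_.Name -eq 'Userinit' }).Data
    [pscustomobject]@{ Userinit = $v; OK = ($v -match '(?i)^[a-z]:\\windows\\system32\\userinit\.exe,?$') }
}

function Get-UserPolicyFlags {
    $pol = Get-KeyValues "$UserRoot\Software\Microsoft\Windows\CurrentVersion\Policies\System" |
           Where-Object { $_.Name -eq 'DisableTaskMgr' }
    $prx = Get-KeyValues "$UserRoot\Software\Microsoft\Windows\CurrentVersion\Internet Settings" |
           Where-Object { $_.Name -eq 'ProxyEnable' }
    [pscustomobject]@{
        DisableTaskMgr = $pol.Data   # present and non-zero: Task Manager was disabled by policy
        ProxyEnable    = $prx.Data   # 1: IE traffic goes through a proxy the user probably did not set
    }
}

Mount-Hive $SoftMount "$Drive\Windows\System32\config\software"
Mount-Hive $UserMount "$UserProfile\NTUSER.DAT"
try {
    Get-AutorunReport | Format-Table -AutoSize
    Test-Userinit
    Get-UserPolicyFlags
} finally {
    Dismount-Hive $UserMount
    Dismount-Hive $SoftMount
}
```

The `finally` block matters: a hive left loaded keeps the file locked, and the next `reg load` on the same name fails. Entries flagged CHECK are candidates for the password-protected 7z quarantine the post describes rather than immediate deletion.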
 

tzdk

Member
May 30, 2009
152
0
0
Most of these infections are not that hard to remove, but it is important to know what kind of damage/"mods" they do, or you risk running around in circles, if not reinstalling.

Not sure this is Antivirus Software but could be http://www.bleepingcomputer.com/virus-removal/remove-antivirus-soft Find the one for you ;)

Here is another guide for same crap http://forums.malwarebytes.org/index.php?showtopic=39312 seems like yours. Identical alert window.

Removal tools are not always 100% helpful, so regardless of the heavy Malwarebytes marketing, guides serve a purpose. This is a pretty new one according to the date of the guides, so that is probably why Malwarebytes failed. Follow either one to the letter and it will be gone.
 

MadScientist

Platinum Member
Jul 15, 2001
2,153
44
91
I've seen this on 2 computers this week.
Run Combofix first, then MBAM and SuperAntiSpyware in Safe Mode, finish up with Microsoft Security Essentials, then HijackThis to make sure you got all of it. You can post your HijackThis log here, or in Bleepingcomputer's forum, or use this HijackThis log analyzer. http://www.hijackthis.de/

Download Combofix here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Great AV program, gets rid of those nasties that the others can't. Only downside is that there's no 64 bit version.
 

tzdk

Member
May 30, 2009
152
0
0
Well, it is not a good idea to run ComboFix and then go to a removal forum and ask for help in understanding the log file. Output from ComboFix is used for scripts to get rid of crap. So it is not really a removal tool like Malwarebytes. There is no or only little documentation for this = hint they don't want "normal" users who can't understand the log file to use it. The HijackThis auto-detector thingy will also not be approved of. Read and follow the rules if posting at one of those forums.

Recently ComboFix was taken down because it deleted a system file, making the computer non-bootable. Does not happen often, but it is potentially a risky tool to use. Their warnings are hysterical but not without reason. Some can use it safely, others will get in trouble. Strange they even put up such a mini-guide then. Do NOT use unless guided by a parent is what they are saying - and here is how, heh. Only partly how, but still.
 

tcsenter

Lifer
Sep 7, 2001
18,338
253
126
Recently ComboFix was taken down because it deleted system file making computer non-bootable.
This is why the built-in System File Checker (sfc.exe) is recommended because it replaces (rather than deleting) potentially infected system files (both protected and non-protected) with copies from a known-good installation source (if one is provided).
 

tzdk

Member
May 30, 2009
152
0
0
SFC has nothing to do with ComboFix but is probably better at fixing corrupted system files if that is part of the removal process. ComboFix deleting system files was mentioned as an example of why "first thing you do is run ComboFix" can be a bit risky. Worst case and a rare problem, fixed fast, but the tool is basically one giant batch file, so it has potential :)
 

tzdk

Member
May 30, 2009
152
0
0
I don't see why - or why it is useful to bundle old versions of ComboFix. Not really a wise move. It is updated on a daily basis and most should read the info about the tool before use. It does not become a click, click tool just because some are hosting it on their own.
 

MadScientist

Platinum Member
Jul 15, 2001
2,153
44
91
I don't see why - or why it is useful to bundle old versions of Combofix. Not really a wise move. Is updated on a daily basis and most should read info about the tool before use. Does not become a click, click tool just because some are hosting it on their own.

ComboFix is just like any other AV program. When you install and run it, it will update itself with its latest version and virus defs.
 

tzdk

Member
May 30, 2009
152
0
0
It will check for a new version, but the latest, daily version from those approved to host the tool should still be used. Not sure about Hitman Pro? Anyway, it is not for public distribution, that is for sure. Obviously a safe source you found, but still. I would also follow the official guide on how to run it properly, not the 2-line guide from Elitekiller. Are you sure his zip file is meant to be used by anyone? Anyone up for manual/own removal who already knows how-to, perhaps - most will just go click and then what? Half the value of ComboFix is the log file, which is supposed to be read and used. 80% clean is not 100%, so guides targeting the relevant infection are useful.

I am aware ComboFix is great and I do not share the parenting advice from Bleepingcomputer. Why keep it public at all if so risky? Well, I can say that for myself; how to be sure anyone else never makes a mistake? ;)
 

MadScientist

Platinum Member
Jul 15, 2001
2,153
44
91
Don't let Bleepingcomputer scare you from using ComboFix. I have used it many times to clean computers when all other AV programs have failed to do so, and have not had to re-install any system files after using it.

Before it cleans your computer, if not already installed, it will install the Microsoft repair console, create a restore point, and back up your registry. After it has cleaned your computer it generates a log file, just like Malwarebytes Anti-Malware does, for you to read. You do not have to do anything else but reboot.

ComboFix is not a cure-all. What I have found is that it is able to run when other AV programs cannot install, even after changing their exec names and running in Safe Mode, and will find and delete those viruses causing this. You can then install other AV programs, like Malwarebytes Anti-Malware, SUPERAntiSpyware, Hitman Pro, etc., to clean up those viruses that ComboFix misses.

As Chiefcrowe suggested, you can also try the bootcd AV programs like the Avira AntiVir Rescue System. http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html
I have had limited success with these. They don't seem to dig deep enough, and only delete a fraction of the viruses on computers I have tried them on. That may be enough though to get your computer to boot up, or be able to install other AV programs.

And we are back to the question of whether the computer is 100% virus free, and should you do a complete re-install of the OS. I read a statistic that 80% of the computers in the US are infected. Are you 100% sure that the computer you are reading this on is virus free?
 

tzdk

Member
May 30, 2009
152
0
0
I am not scared but careful about what to suggest random people on the internet use, that is all. Can say that about any scanner of course, but ComboFix spells it out. I know most can follow proven-to-work guides if determined to get rid of crap. Do this, do that, or foolproof is preferred. There is nothing foolproof about ComboFix, its log, how to move on from the log! or getting out of ComboFix mistakes. Half of its features are not even documented, not publicly at least. Some can probably also run ComboFix without disabling whatever security tool they might have running - others cannot and will be annoyed they did not read the guide properly but went straight to the download link or a zip file. There is risk involved for the majority, no matter that some warnings are over the top for you personally. I have low expectations of the general interest in digging into details when it comes to removal. If they don't see visual signs of crap, all is fine...

Your numbers are probably correct, 80% do not care for or have a clue about security :)
 

Modelworks

Lifer
Feb 22, 2007
16,240
7
76
One trick with viruses or malware is to use any program that will pause a process rather than terminating it. I use Process Hacker, but Process Explorer can do that, as can Process Lasso.

The reason for pausing the process and not terminating it is that most of the malware has functions that monitor the state and, when a TERM signal is received, automatically restart the virus. Pausing it basically puts it to sleep so you can modify or remove it without it interfering.
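The suspend-instead-of-kill idea from the post above, as an added example that is not part of the thread and not code from Process Hacker, Process Explorer or Process Lasso. It assumes an elevated PowerShell prompt on the infected machine and uses the undocumented ntdll exports NtSuspendProcess/NtResumeProcess (documented nowhere official, but stable in practice and what the tools named above rely on); the PID in the usage line is a placeholder you replace with the one you found:

```powershell
# Added example (not from the thread): freeze a process so a watchdog that restarts
# a killed companion never sees an exit, then resume it once cleanup is done.
# Assumes: elevated prompt; NtSuspendProcess/NtResumeProcess are undocumented ntdll APIs.
$native = @"
using System;
using System.Runtime.InteropServices;
public static class NtProc {
    [DllImport("ntdll.dll")] public static extern int NtSuspendProcess(IntPtr hProcess);
    [DllImport("ntdll.dll")] public static extern int NtResumeProcess(IntPtr hProcess);
}
"@
Add-Type -TypeDefinition $native

function Suspend-ProcessById([int]$Id) {
    $p = Get-Process -Id $Id -ErrorAction Stop       # .Handle is opened with full access by .NET
    $status = [NtProc]::NtSuspendProcess($p.Handle)   # 0 == STATUS_SUCCESS
    if ($status -ne 0) { throw ('NtSuspendProcess failed, NTSTATUS 0x{0:X8}' -f $status) }
    "{0} ({1}) suspended, {2} thread(s) frozen" -f $p.ProcessName, $Id, $p.Threads.Count
}

function Resume-ProcessById([int]$Id) {
    $p = Get-Process -Id $Id -ErrorAction Stop
    $status = [NtProc]::NtResumeProcess($p.Handle)
    if ($status -ne 0) { throw ('NtResumeProcess failed, NTSTATUS 0x{0:X8}' -f $status) }
    "{0} ({1}) resumed" -f $p.ProcessName, $Id
}

# Candidates: processes whose image lives in the per-user application-data folder that
# the thread singles out (XP layout; Vista/7 would be AppData\Local). Review this list
# by hand; a legitimate updater can live there too.
function Get-AppDataProcesses {
    Get-Process | Where-Object { $_.Path -like '*\Local Settings\Application Data\*' } |
        Select-Object Id, ProcessName, Path
}

# Usage (1234 is a placeholder PID): suspend every suspect first, so none of them can
# restart a sibling; remove the files and autorun entries; then stop-process or reboot.
Get-AppDataProcesses
# Suspend-ProcessById 1234
```

Suspend every suspected process before touching any of them; a watchdog only helps the malware if it is still running when its partner stops. Once the files and autorun entries are gone, a reboot (or Stop-Process on the frozen PIDs) finishes the job, since a suspended process cannot re-create what you removed.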
 

tzdk

Member
May 30, 2009
152
0
0
Did not know that. I wonder when malware will start to manipulate process tools then, or protect itself against being put to sleep. Well, it is about using the right/best tool for the job, that is for sure. Those boot CDs with no direct access to the file system are also not perfect, but try fixing a computer with 100s of damaged exe files from Sality-type crap. Then the problem is an advantage and they become the best thing ever :)
 

Rifter

Lifer
Oct 9, 1999
11,522
751
126
Most of the time when my Windows boxes get hosed like this, I boot off a Linux live CD and running AV from there works great. If you know where the virus is and the file names, then you will have no issues deleting it from a Linux live CD either.
 

MadScientist

Platinum Member
Jul 15, 2001
2,153
44
91
You could try running RKILL. I generally download the .COM version, you might need to double click it a few times to get it to launch without the rogue AV killing it.

http://www.technibble.com/rkill-repair-tool-of-the-week/

It's a great tool. I've used it a few times, but it's not a malware removal tool. It stops the malware processes so you can install and run other AV programs, i.e., Malwarebytes Anti-Malware, to find and delete the malware files.
 

StormSide

Diamond Member
Oct 9, 1999
4,200
43
91
If you run Hitman Pro (build 88 or newer) from a USB stick and start its EXE while holding down the left Ctrl-key, then Hitman Pro will kill every non-essential process running under the user's context, including the rogue infection. You can then scan with HMP and any other on demand scanner.

Make sure you hold down the left Ctrl key until Hitman Pro is running!

http://www.surfright.nl/en/hitmanpro

Video - http://www.youtube.com/watch?v=m6eRWTv2STk
 