Fake Anti-virus cant remove

[cclloyd9785]

My brother accidently installed a fake antivirus. It wont let him get on the internet, run basically any program (even taskmgr) or do much anything unless he "activates the antivirus" by buying it.

Iv tried running Remove Fake Antivirus 1.72, full system scans with Spy Sweeper and MSE. Nothing has worked. Any ideas?

 

[Sardonicus]

Have you tried removing it in the safe mode or doing a system restore?

 

[cclloyd9785]

Not a system restore because he doesnt have any backups.

And yes I was doing that all in safe mode.

 

[DocBrown]

Do a search for a program talked about 9 or 10 months ago in the System Security forum

It is called Rkill. It got one of the toughest, nastiest, spyware, fake virus programs I had ever seen.

 

[CanIHaz]

you can download malwarebytes and remove those rogues.

 

[marsmimar]

RKill was developed by BleepingComputer.com and can be downloaded from their website:

RKill - What it does and What it Doesn't - A brief introduction to the program

It may be necessary to download from another (uninfected) computer to USB stick. Also, pay attention to the warning: Since RKill only terminates processes, after running it you should not reboot your computer as any malware processes that are set to start automatically, will just start up again. Instead, after running RKill you should scan your computer using your malware removal tool of choice.

 

[EzioAuditore]

Ya, run rkill and then mbam from an external usb stick. You should also like to dload the other versions of rkill such as rkill.com, rkill.scr in case if it blocks exe files. If none of the above works, try running the renamed version of rkill available at bleeping computer's site.

 

[Borg 386]

What is the name of this fake AV? Some companies have fake AV removers specifically targeted for certain fake AV's. Try Googling the name of it +removal tool and see what you can find.

Another option is Norton Power Eraser which you can run from a USB:

http://security.symantec.com/nbrt/npe.asp?lcid=1033

Or a boot rescue disk, like AVG rescue disk. This will run at boot up before the system initializes and attempt to repair/delete the offending software

http://www.avg.com/us-en/avg-rescue-cd

 

[CanIHaz]

i forgot to add, you can also use hitman pro. if its blocking the executable, you can use breach mode on hitman pro by pressing and hold down the ctrl key while clicking hitman pro.

 

[cclloyd9785]

None worked. It wont let me run them, and the recovery CD didnt help.

 

[Borg 386]

First off, what is the name of this fake AV? I believe in this case it would really help everyone if we knew specifically what we were dealing with. Different fake AV's work in different ways, and as I stated in the 1st post, there is software that targets certain fake AV's.

I don't know how much internet access it's allowing you, but if you can go here, it will d/l it's own AV engine & run it in a sandbox. Try both links.

Free Virus Scan - Free Antivirus Software | Norton Security Scan

http://security.symantec.com/sscv6/...lfid=21&pkj=TGKQZQLZVVFEQGQMYGC&auth_status=0

If this thing is so stubborn that even a boot up rescue disk isn't helping, you may wish to just reinstall the entire OS (after wiping the disk), as even if you clean it out, there may be some remnants left that can cause instability down the road.

 

[cclloyd9785]

Nothing here worked, but somehow Windows Defender found it (funny huh). It was some backdoor, and a rootkit. Removed them both and was fine.

 

[marsmimar]

Glad to hear Windows Defender took care of the problem.
FWIW you might want to try scanning again with Malwarebytes, Hitman, etc just as a precaution. If you can't get those scans to work you might still have some malware on your machine.

 

[Jaxryley]

Did you get a name for the fake AV?

 

[Garreh]

There are quite a few Fake AV's floating around at the moment,

Some of these names include:

SecurityTool (Very easy to remove)
Anti-Virus Vista 2010 (Very hard to remove)
Anti-Virus Vista 2011(Very hard to remove)
rogue.systemdefragmenter (Malware Bytes detection name)

and so on.

Usually, these are really easy to remove unless they're the ones that contain rootkits and backdoor droppers like Anti-Virus Vista.

 

[Jacee]

Nothing here worked, but somehow Windows Defender found it (funny huh). It was some backdoor, and a rootkit. Removed them both and was fine.

Rootkits are not that easy to get rid of. My suggestion is to wipe and do a clean install. You can't be sure the computer will ever be stable again, without doing so.

 

[Garreh]

Nothing here worked, but somehow Windows Defender found it (funny huh). It was some backdoor, and a rootkit. Removed them both and was fine.

Rootkits are not that easy to get rid of. My suggestion is to wipe and do a clean install. You can't be sure the computer will ever be stable again, without doing so.

Ah but if you know what your doing, you can completely clear the system of rootkits. Yes they are hard to remove, but the system can still be stable if removed properly...

 

[cclloyd9785]

After it got rid of it, I scanned in safe mode with Spy Sweeper, and MSE. they found nothing.

And it was somehting like System Security Scan or something like that.

 

[EzioAuditore]

I'd still insist on doing a wipe and install rather than scanning with some basic stuffs like MSE, Spysweeper.
You can never be sure how much damage the rootkit has done. They can install hooks at such low levels that can survive formats and scans. Moreover, they may also create hidden partitions or locations as you say, which acts as their backup and working area.
However, a wipe would very likely clean the remnants.

 

[cclloyd9785]

I always check partitions frequently on this computer as my brother often messes it up somehow. Glad to say that there is only 1 partition.

And I had him back up all the stuff he wants to keep, so that if it does give him trouble again, we will just wipe teh drive and reinstall the OS.