So my girlfriend's computer is infected with Antivirus System Pro.
It won't allow her to open the task manager, or any other programs.
Every online source I've found has stated that you need to use the task manager to disable the currently running processes first. So what's up, is she fucked?
Edit: Ah, okay. Once the thing is actually here physically tomorrow, I'll try rebooting in safe mode. For now she's using a friend's computer.
Not even in safe mode? That generally will disable most startup programs. The other option is a bootable CD based on XP. Like http://www.ubcd4win.com/ . There are others, based off Windows XP install discs.
There are also the bootable CDs made by antivirus program makers, but I'm not familiar with those. Maybe someone else here has more experience with those and can tell you if they also clean malware off a system.
Kipling on
TetraNitroCubane (Not Angry...Just VERY Disappointed...), Registered User, regular
edited November 2009
If you can get into safe mode, you might try Process Explorer. It'll let you see all the dependent processes and dlls being used by that PoS scareware so you can kill (or at least identify) them all.
I would highly recommend a safe-mode scan with a fully updated Malwarebytes Anti-Malware as soon as you're able. MBAM picks up and rips out a lot of these horrid things very well.
Thanks for the advice. She was worried about restarting in safe-mode in case she needed to download anything or keep talking on AIM, since it seemed to prevent programs from opening.
But once it's safely near another computer, we can actually get down to it.
Edit: I actually may try to set her up with a separate data partition or maybe even an external backup drive, so she can reformat more easily as a way of eliminating these things.
I would recommend backing up any important files and reformatting, or you'll never really trust the thing again.
This. While it's not an attractive option, a reinstall is faster than ever with Win 7. And if you've got a spare hard drive or just a slave drive with enough space you can back up media files and such to that before the format. This really is the best option so that you know the system is safe.
Cronus on
"Read twice, post once. It's almost like 'measure twice, cut once' only with reading." - MetaverseNomad
Oh god, you do pretty much need to format. Staff computers at work keep getting that, and due to me working in tech support, I keep getting them. It locks the FUCK out of that computer.
I am not sure if this is a derivative of the total security virus but the symptoms sound similar. To deal with the total security virus you need to go into c:\windows\system32 and rename the task manager file (taskmgr.exe) to iexplore.exe. The virus will then allow you to run task manager since it thinks that it is something else that it needs to run its shenanigans. The process you need to kill will likely be named something like 30394876239 or something similarly ridiculous composed of all numbers. Once you do you will be able to run other stuff again, and as suggested generally Malwarebytes will kill the offender.
Again I don't know without seeing it if it is in the same family of worms or not.
Neat trick, renaming task manager. I'll have to remember that.
That doesn't always work; with group policies, viruses/spyware etc. can disable Task Manager, Registry Editor etc. from working regardless of name changes. The more advanced ones will end processes which query running processes, like attempting to list running processes or listing the registry. Some will detect certain names of the program running in memory, so say you rename taskmgr.exe to iexplore.exe, a virus will look at the name of the program from its window name and if it matches, say, "Task Manager", "Process Explorer" etc. then it will end that program.
This is exactly why I use a custom BartPE CD. I have various programs on there that I use when removing viruses etc. from PCs (regeditpe, hijackthis etc.).
GrimReaper on
PSN | Steam
---
I've got a spare copy of Portal, if anyone wants it message me.
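A read-only check for the two lockout signs described in the posts above (policy values that disable Task Manager and Registry Editor, and running processes with digit-only names), as an added example that is not part of the original thread. `DisableTaskMgr` and `DisableRegistryTools` are the standard Windows policy value names; the digit-only name pattern is an assumption taken from the earlier post.

```powershell
# Added example, not from the thread. Read-only: it reports and changes nothing.
# Run from a PowerShell prompt on the affected account (or from Safe Mode).

# Policy values that block Task Manager and Registry Editor when set to 1.
# Both the per-user hive (HKCU) and the machine hive (HKLM) are checked.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)
$policyValues = @('DisableTaskMgr', 'DisableRegistryTools')

$findings = @()

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }        # key absent: nothing set here
    $props = Get-ItemProperty -Path $key
    foreach ($name in $policyValues) {
        $value = $props.$name
        if ($null -ne $value -and $value -ne 0) {
            $findings += New-Object PSObject -Property @{
                Kind = 'Policy'; Item = "$key\$name"; Detail = "value = $value"
            }
        }
    }
}

# Processes whose name is digits only (assumed pattern, taken from the post
# above that describes names such as 30394876239).
foreach ($proc in Get-Process) {
    if ($proc.ProcessName -match '^\d+$') {
        $path = $proc.Path                          # empty if access is denied
        if (-not $path) { $path = '(path unavailable)' }
        $findings += New-Object PSObject -Property @{
            Kind = 'Process'; Item = "$($proc.ProcessName) (PID $($proc.Id))"; Detail = $path
        }
    }
}

if ($findings.Count -eq 0) {
    'No disabling policy values or digit-named processes found.'
} else {
    $findings | Select-Object Kind, Item, Detail | Format-Table -AutoSize -Wrap
}
```

An empty result does not show the machine is clean; it only rules out these two specific signs.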
I would recommend backing up any important files and reformatting, or you'll never really trust the thing again.
My girlfriend's computer got infected with this. It's fucking impossible to remove. I hear that Malwarebytes works if it was installed before you got infected. It will physically prevent you from installing the program after the fact.
I would recommend backing up any important files and reformatting, or you'll never really trust the thing again.
My girlfriend's computer got infected with this. It's fucking impossible to remove. I hear that Malwarebytes works if it was installed before you got infected. It will physically prevent you from installing the program after the fact.
Reformatting is really your only option.
Nah, easy fix. Rename malwarebytes' installer and install to C:\abbadszag1
Or install it to a thumbdrive on another machine and bring it on over. Rename the main EXE after you do it.
I don't think the reformat is to kill the offending virus so much as to make sure that the virus/malware didn't open up other vulnerabilities on the machine that will just allow the whole infection to happen again.
I've worked on three really bad cases in my school's IT dept in the last month where it just saved more time to back up and rebuild the machines rather than run endless Malwarebytes/Spybot scans. One of the machines would even bluescreen going into safe mode but would work fine in regular Windows.
I just got this shit. Just restarted the computer and started the task manager before it started up. Killed the process and deleted the binary. Seems to have done the trick.
I don't think the reformat is to kill the offending virus so much as to make sure that the virus/malware didn't open up other vulnerabilities on the machine that will just allow the whole infection to happen again.
I've worked on three really bad cases in my school's IT dept in the last month where it just saved more time to back up and rebuild the machines rather than run endless Malwarebytes/Spybot scans. One of the machines would even bluescreen going into safe mode but would work fine in regular Windows.
This. Very this. Here's a good read on the topic. The article may be old, but it's still very relevant. See here.
Basically, there's no way to be sure you removed everything once something's on there.
I just got this shit. Just restarted the computer and started the task manager before it started up. Killed the process and deleted the binary. Seems to have done the trick.
You're really fooling yourself and setting your machine up to get fucked again.
I would recommend backing up any important files and reformatting, or you'll never really trust the thing again.
My girlfriend's computer got infected with this. It's fucking impossible to remove. I hear that Malwarebytes works if it was installed before you got infected. It will physically prevent you from installing the program after the fact.
Reformatting is really your only option.
Nah, easy fix. Rename malwarebytes' installer and install to C:\abbadszag1
Or install it to a thumbdrive on another machine and bring it on over. Rename the main EXE after you do it.
Won't work with some of the versions of this I've come across. It'll let you run the installer if you've renamed it, but it will delete the executable for MBAM as soon as the installer puts it there. Even if you install it in a non default directory. I eventually beat it by keeping that directory open in another window, and as soon as the executable appeared I renamed it before the virus found it.
After you have the PC clean make sure to install Microsoft Security Essentials.
http://www.ubcd4win.com/
http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html
Well at least you have an excuse to update to Win7 if she doesn't already have it.
Her 5 year old laptop doesn't have sufficient memory to run it.
Debatable. I've heard Win7 will run on anything XP can run on. Not sure if I believe that, however.