I need help getting rid of this evil fake virus scanner. I'm not even sure how I picked it up, but it pops up and annoys me and is fucking with Internet Explorer. I don't use IE, but Steam and League of Legends use it, so the Store/Community tabs in Steam greet me with:
And League of Legends won't let me connect because it too thinks I'm not on the internet.
I've used this program found here called rkill to stop it from running but the next step (using Malwarebytes' Anti-Malware) doesn't work. I've looked on Google for other ways, but they involve fucking with my registry, which I haven't done much of. I did look for what they said in the registry though, and couldn't find the offending files. This shit has to be somewhere, right?
Go to computer, and click the uninstall or change program feature. If it's not listed there, I'm not sure what you can do. You could try uninstalling internet explorer, but I don't think that's possible.
Rename the executable for malwarebytes from mbam.exe to something different then try launching it. Chances are that virus has the usual scanners blacklisted by filename.
Run Dr. Web's free anti-virus scanner, then try Malwarebytes. If those don't kill it you might need to run something from a boot disk, either from Linux (like FSecure, ClamAV, or BitDefender) or from a custom Windows boot disk (you can get them with things like MWB on there).
Yea, this one seems to be getting around. It seems to only occur (for me) on systems where I'm using Google Chrome, and I have no idea where it gets picked up. Running Ad-Aware seems to have taken care of it, but I think it's borked my ability to connect to the internet, so looks like a reformat is in order (thankfully it's a laptop only used for campus).
For running Malware, drag a copy of the executable to your desktop so it creates a shortcut, and when your computer boots double click on that first - it won't be able to terminate already running programs. Something else I tried was setting computer to restart, and then killing the restart process. The Anti-Virus Pro will have been killed and you should be able to start programs as normal. This is if the above stuff isn't working. Sucks that there's no workaround and that some of these anti-virus measures seem ill-equipped to detect and stop it.
I've had something like this once. I started off by downloading the program that supposedly stopped the fake-antivirus from working, and then I downloaded every single free antivirus program I could find and ran them all (some of them two or three times). It worked, but I forget how I managed to actually download the programs since I was constantly being redirected to the antiantivirus site.
I'm not the sort of guy who normally advocates vigilante justice, but I think summary execution in a man-sized microwave oven is an appropriate punishment for the people who make these programs.
I have had to get rid of this twice on a user's PC. I did it without any tools.
Load up Task Manager. Kill any process that is not required for Windows to function. Basically everything not running under "system". There should be the process for the fake AV in there.
Then load up msconfig (start > run > msconfig) and you should see the entry for the .exe in there somewhere. It will be under Application Data for the user. Obviously uncheck the process (and any other questionable/garbage stuff in there while you're at it) and then navigate to that app data folder and delete the exe. Delete all IE cache and cookies while you're at it.
That should do it.
The guy got it just from visiting some website that looked legit, too. Both using IE6 and then IE8.
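Added example, not part of any post in this thread: a small Python triage script for the msconfig check described above, listing autorun entries whose executable sits under a user's Application Data / AppData folder. It only covers the two Run registry keys (msconfig also shows Startup-folder items), and the sample entries, names and paths are constructed for illustration.

```python
import re

# Profile folders where the post above says the fake AV's .exe shows up
# (Application Data on XP, AppData on Vista and later), plus the XP Temp dir.
USER_DATA_DIRS = re.compile(r"\\(application data|appdata|local settings\\temp)\\", re.I)
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

def executable_of(command):
    """Extract the executable path from an autorun command line."""
    command = command.strip()
    if command.startswith('"'):                 # quoted path, arguments follow
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|pif|dll))(?:\s|,|$)", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]

def suspicious(entries):
    """Return (name, exe) for autoruns that start from a user data folder."""
    hits = []
    for name, command in entries:
        exe = executable_of(command)
        if USER_DATA_DIRS.search(exe):
            hits.append((name, exe))
    return hits

def read_run_entries():
    """Read HKCU and HKLM Run values on a live Windows system."""
    import winreg                               # Windows-only, imported lazily
    entries = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _type = winreg.EnumValue(key, i)
                    entries.append((name, str(data)))
        except OSError:
            continue                            # key missing or unreadable
    return entries

# Constructed sample entries (not from the thread) so the check runs anywhere.
SAMPLE = [
    ("Steam", r'"C:\Program Files\Steam\Steam.exe" -silent'),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("xk82hd", r"C:\Documents and Settings\Bob\Application Data\xk82hd\av.exe /min"),
    ("updchk", r'"C:\Users\Bob\AppData\Roaming\updchk.exe"'),
]

if __name__ == "__main__":
    import sys
    entries = read_run_entries() if sys.platform == "win32" else SAMPLE
    for name, exe in suspicious(entries):
        print(f"review: {name} -> {exe}")
```

Hits are candidates to review, not verdicts: legitimate software also autostarts from AppData, so check the file before unchecking or deleting anything.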
The problem with this is that the malware will kill any attempt to run certain processes. It is hit or miss, but definitely it kills Task Manager.
Maybe I did the msconfig thing first. I remember it trying to kill task manager but I got around it somehow.
Try it from Safe Mode? I think that's how I got rid of it on a work computer once.
To get rid of this on a user's laptop, I used an IDE to USB converter and scanned it using my hard drive. (Sophos, @ work) It still had some other Trojans left - but installing Malwarebytes cleaned up the rest.
I killed the program using rkill (which stops shit from popping up until I restart but still borks Steam and LoL) but I can't find it in the System Configuration. Would it be safe to just uncheck everything except for Malware and restart?
I installed avast! after getting a few of these type viruses, and I haven't been bothered by them since.
Of course avast itself will nag the hell out of you until you register it, so it's not a huge improvement.
The registration is free for the home version and takes maybe five minutes to complete. I'd say it's a decent improvement.
Or instead of Avast you could use Microsoft Security Essentials, because it is awesome and free (as in beer).
Alright, I think I got it. At least, I can't see it running anymore, and when I restart the computer, it isn't the first thing that pops up and acts like an asshole.
Steam and League of Legends still don't recognize Internet Explorer though, which is weird. I even installed Internet Explorer 8.
All fixed (thanks to a friend). IE works and now I can go back to losing at League of Legends and staring at the Steam store and wishing I had money to buy Dragon Age and whatnot.
Tried this, no dice.
Try it from Safe Mode? I think that's how I got rid of it on a work computer once.
Edit: Beated.
Almost all this stuff needs to be done in safe mode to have any lasting effect.