Symptoms and Reactions: You are browsing the internet (it could be any site) when suddenly a message appears warning you that you may be infected by malicious software or a virus. Your first reaction is to close the window ASAP, and as soon as you do, a virus scanner appears and begins scanning through your files, finding a huge list of malicious software. You try to close the program, but it keeps coming back up telling you that your computer is infected. Next, you figure restarting your computer will make it go away, but now your desktop is gone, you are unable to open anything, and all hope is lost.
The good news is that hope is not lost. In reality, you have just been had. The anti-virus program that claims you are infected and then asks you to purchase the full version to remove it all is in fact the actual malicious software.
What not to do:
- Do not click on any window claiming that you are infected. If you see this window pop up, immediately unplug the network (internet) cable from your PC and call Tech Support.
- Do not restart your computer.
- Do not buy the antivirus software that appears. This is fake software.
- Do not leave your computer connected to the network or internet.
Here are some example names of fake antivirus programs:
- Antivirus Vista 2010
- Antivirus Win7 2010
- Antivirus XP 2010
- Vista Antispyware 2010
- Vista Antivirus 2010
- Vista Antivirus Pro 2010
- Vista Defender 2010
- Vista Guardian 2010
- Vista Internet Security 2010
- Win7 Antispyware 2010
- Win7 Antivirus 2010
- Win7 Antivirus Pro 2010
- Win7 Defender 2010
- Win7 Guardian 2010
- Win7 Internet Security 2010
- XP Antispyware 2010
- XP Antivirus 2010
- XP Antivirus Pro 2010
- XP Guardian 2010
- XP Internet Security 2010
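The names above share one shape: an OS tag, a product word and a year. The following is an added example, not part of the original article, that a help desk could use to check reported window titles or program names against the list. It assumes the rogue's name appears in the title text, and its "pattern" verdict goes beyond the listed names by assuming unlisted siblings keep the same shape.

```python
import re

OS_TAGS = ("Vista", "Win7", "XP")
PRODUCTS = ("Antispyware", "Antivirus", "Antivirus Pro", "Defender",
            "Guardian", "Internet Security")

# The 20 names exactly as listed above ("XP Defender 2010" is not among them).
LISTED = {f"Antivirus {tag} 2010" for tag in OS_TAGS}
LISTED |= {f"{tag} {prod} 2010" for tag in OS_TAGS for prod in PRODUCTS}
LISTED.discard("XP Defender 2010")
LISTED_LOWER = {name.lower() for name in LISTED}

# Assumption: unlisted siblings keep the "<OS tag> <product> <year>" shape.
_TAGS = "|".join(OS_TAGS)
_PRODS = "|".join(PRODUCTS)
FAMILY_RE = re.compile(
    rf"\b(?:(?:{_TAGS})\s+(?:{_PRODS})|Antivirus\s+(?:{_TAGS}))\s+20\d\d\b",
    re.IGNORECASE)


def classify(title):
    """Return 'listed', 'pattern' or None for a window title or program name."""
    norm = " ".join(title.split())  # collapse runs of whitespace
    hits = [m.group(0).lower() for m in FAMILY_RE.finditer(norm)]
    if not hits:
        return None
    return "listed" if any(h in LISTED_LOWER for h in hits) else "pattern"


def triage(titles):
    """Map each flagged title to its verdict; clean titles are left out."""
    verdicts = {t: classify(t) for t in titles}
    return {t: v for t, v in verdicts.items() if v}


# Constructed sample input, not captured from a real machine.
SAMPLE_TITLES = [
    "Vista Antivirus Pro 2010 - Unregistered version",
    "  win7   internet security 2010",
    "XP Defender 2010",        # same shape, but not on the list
    "Win7 Guardian 2011",      # same shape, different year
    "Windows Defender",        # legitimate name, must not be flagged
    "Internet Security 2010 Suite",
]

if __name__ == "__main__":
    for title, verdict in triage(SAMPLE_TITLES).items():
        print(f"{verdict:8} {title!r}")
```

A "listed" verdict means the text contains one of the names above; a "pattern" verdict only means the name looks like the same family and should be checked by a technician.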
Here is an example of what a fake antivirus program might look like.

Removal:
Scenario #1 - You have only received a window claiming that you are infected and have not clicked it yet. See Solution A.
Scenario #2 - Your computer is completely infected and you are unable to use it. See Solution B.
Solution A
Go to http://download.cnet.com/ccleaner/ and download the CCleaner program.
Open the program and in the Cleaner section check off all that you see below under the Windows Tab.

Next in the Applications tab check off all the items listed below

Now restart your computer and the threat will be gone.
Solution B
From an uninfected computer, download the following:
- Combofix -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- Malwarebytes -> http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
- Windows Recovery Console -> http://www.microsoft.com/downloads/details.aspx?FamilyId=535D248D-5E10-49B5-B80C-0A0205368124&displaylang=en
Save the files to a USB flash drive with at least 100 MB free.
Restart the infected machine and run Windows in Safe mode by doing the following:
- As the computer is booting, tap the F8 key.
- This will take you to the “Windows Advanced Options Menu” as shown below.
- Select Safe Mode and press the Enter key.
- Windows will now start in Safe Mode.
Windows Advanced Options Menu
Please select an option:
  Safe Mode
  Safe Mode with Networking
  Safe Mode with Command Prompt
  Enable Boot Logging
  Enable VGA mode
  Last Known Good Configuration (your most recent settings that worked)
  Directory Services Restore Mode (Windows domain controllers only)
  Debugging Mode
  Start Windows Normally
  Reboot
  Return to OS Choices Menu
Use the up and down arrow keys to move the highlight to your choice.
Next, copy the three files you downloaded from your USB drive to the infected computer, in a place where you can easily find them. Make sure no programs are open.
Here is the important part!!
Click and hold the file WindowsXP-KB310994-SP2-Pro-BootDisk-ENU, drag it on top of the file called ComboFix.exe, and let go.

ComboFix will now run with the Windows Recovery Console attached to it.

You will now see the first ComboFix screen as shown below.

ComboFix is Preparing to Run
ComboFix is now preparing to run, and when it has finished you will see a screen showing the authorized locations to download ComboFix. On this screen, press the OK button and you will be shown the Disclaimer screen shown below.

ComboFix Disclaimer
Select Yes

ComboFix is backing up the Windows Registry

ComboFix Recovery Console Finished > click Yes
ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.

ComboFix is scanning the computer for infections
While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.

Stages of the ComboFix AutoScan
There are about 50 stages as shown in the image below, so please be patient. The number of stages will go up as time goes on, so if the number of stages is different when you run it, please do not be concerned.

When ComboFix has finished running, your computer will restart.
Start Windows as you normally would and log on.
ComboFix will now create a Log Report.

ComboFix is preparing the log report
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you that the program's log file, or report, will be located at C:\ComboFix.txt. This can be seen in the image below.

ComboFix is almost done!
When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you as shown below.

ComboFix Log File
You can just close the log file. No sense in reading it.
ComboFix is now finished removing the malware/virus.
But wait….! We now have to get rid of the leftovers or we’ll get it again the next time you restart the computer.
Install Malwarebytes
- Double-click on the icon on your desktop named mbam-setup.exe.
- Select all the original settings and click Next.
- Make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button.
Malwarebytes will now start.

On the Scanner tab, select Perform full scan, then click the Scan button to start scanning your computer.
This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When Malwarebytes is scanning it will look like the image below.

When the scan is finished a message box will appear as shown in the image below.

Click the OK button.
Now click the Show Results button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

Click the Remove Selected button to remove all the listed malware.
Malwarebytes will require a reboot in order to remove some of them. Restart if necessary.
A log file will now open, but you can just close it.
Now go back to the Scanner tab, choose Quick Scan and click Scan once more.
This is just to be safe. If it finds more infections, remove them in the same way as after the Full Scan.
Now run Windows Update and install all available updates.
Restart and you are back in business again.
Sources:
- http://www.bleepingcomputer.com/virus-removal/remove-antivirus-2010
- http://www.bleepingcomputer.com/combofix/how-to-use-combofix
