• Phony AV Program Locks Up Everything

    #466594

    I’m trying to help an elderly lady with her computer problem. I’ve seen several of these phony AV programs that get downloaded and block normal OS functions until you agree to pay to have the “viruses” removed. However, this one tops them all. It is called Internet Security 2010, and here are the symptoms.

    1. Upon starting up normally the desktop background changes and a message is displayed warning about an infection. If you proceed it will want to scan your computer and then “fix” the problem (for a charge, of course). So far this was a rather typical case. BUT
    2. It has completely blocked any attempt to get rid of it. It blocks access to the Control Panel Add/Remove Programs, and Task Manager is greyed out. Unfortunately the lady did not have restore points enabled, so I couldn’t go that route. SO
    3. I booted to Safe Mode. It gets part way through a typical Safe Mode startup and then reboots itself. Everything else I try results in a reboot, so I can never get to the basic XP functions.

    I suppose the next option is to boot from an XP CD, but, of course, the lady doesn’t have hers. I believe I have one I can use.
    Any suggestions as to how to proceed in this case?

    • #1209003

      There are many links at remove “internet security 2010” – Bing to threads which detail how to remove this pest.

      --Joe

    • #1209033

      Thanks for the suggestion — however, most of them require you to go to Safe Mode and download, install and run MalwareBytes. But this computer keeps rebooting before it finishes starting up Safe Mode. It may be possible to do a normal startup and then try to load MalwareBytes from a thumb drive and run it. I’ll give that a try next time I get the opportunity.

    • #1209848

      If she has an up to date antivirus program, and you can open Windows Explorer, try right-clicking the C: drive, and then choose “scan for viruses”. That worked for me, when I couldn’t get any of the AV programs to run. Also, you say Task Manager is greyed out; have you tried opening it with Ctrl-Alt-Delete, then clicking on it?

    • #1209883

      Chuck Tucker,

      The next time the machine reboots, start pressing the F8 key until you get the boot option screen and choose the option to disable automatic reboot on error (or something to that effect) to see if the rebooting calms down. Then try again to get into Safe Mode with Networking so you can download and install the tools you want and run scans.

    • #1210014

      I have removed that particular rogue virus several times and each time it took a different approach. There are three things I do and on each occasion different ones helped. Here is what I do, and which ones will be best in your case is anyone’s guess.

      1. Avast antivirus version 5 (http://www.avast.com) removed most of the last occurrence… had to run it in a boot scan.
      2. gmer from http://www.gmer.net. It’s a little confusing, but when you first start it pay close attention to comments about a modified file (the file it mentions is the reason you cannot boot in Safe Mode). Any red lines need to be fixed.
      3. Download ‘rescue disk’ from http://www.avira.com. Go to downloads and then tools and download the iso file for rescue disk. After you download it, double click on the downloaded file name and let your CD writer program write it to disk. Boot the disk and click on the British flag in the bottom left corner… then go to options and set options to ‘rename file if cannot repair’.

      Good luck, it can be rough to fix… when done with rogue removal, search on your system for the modified file from above… you will probably find an extra copy in one of the spx update folders. Copy it to the system32/drivers folder (where the modified one is).

    • #1210066

      My brother and I recently cleared Windows Security Suite (one of the more pernicious malware) off our mother’s PC. Here’s how we did it.

      1. She downloaded the setup file for the free version of MalwareBytes (mbam-setup.exe) from the MalwareBytes site and saved it to her desktop. The malware (hereafter “WSS”) actually prevents that program from running unless you rename it. Renamed to just tup.exe, it successfully installed MalwareBytes (ALMOST).

      2. Except — oops — if WSS didn’t wait until the installation was finished and then somehow delete the main .exe file (mbam.exe) from the relevant Program Files directory. Fortunately, however, it appears that was the only sabotage WSS performed on the installation. (It even left the shortcut to the deleted mbam.exe on the desktop.) And so —

      3. My brother installed MalwareBytes on his own PC, renamed mbam.exe to some new name, and then e-mailed my mother the renamed file. She ran it (directly from the e-mail, I believe) and it cleared out the bad guys.

    • #1210177

      Sounds like a great idea. I think I’ll try running mbam.exe from a thumb drive and see if that works.

      • #1210210

        Sounds like a great idea. I think I’ll try running mbam.exe from a thumb drive and see if that works.

        Don’t forget that, in our case, mbam.exe was run on a PC where mbam-setup had successfully installed all the other files as well (and that only mbam.exe had been deleted). For example, there were three other .exe files in the folder where mbam.exe was supposed to be, and other files as well. If you just try to run mbam.exe by itself, without the other files installed, it may not be able to run (or run effectively).

    • #1210182

      Well guys, I am a novice PC user, self taught, and very careful to avoid situations where I could be infected. Till I joined MySpace. Somehow got this phony AV program on and it totally locked me out of opening anything, Control Panel, nothing would open. It put an icon in my task bar of a green cup like Java’s and was named soft something. I was so freaked out not knowing what to do, I can’t remember the name. So, I shut down with the power button, got out my Windows XP “Inside Out” book and studied. Logged into Safe Mode and ran AV scan; it reported all files as locked. Last resort, in Safe Mode I did a System Restore; it worked! So I logged back on and then ran AV scan and Malwarebytes, which found trojan horse Fake Alert.pc and got rid of it.

    • #1210468

      In my work, I have to remove programs like this every week. Most of them disable all .exe programs from running, preventing any anti-virus program from running. What I have found in most cases is that the primary infection, being the fake anti-virus, appears as a normal program, being unprotected, and listed in Program Files or the user’s App Data folders. What you have to do is mount the infected drive into another computer, as a secondary drive, or boot from a “PE” type boot disk. These options allow you to view the contents of the drive without the OS being activated. You can then usually manually remove the primary fake anti-virus by looking at the Program Files or App Data folders of the user. Also you can manually delete all temp files, where they sometimes hide. Then you can look at the system32 folder and sort by date. Remove any .dll files that have gibberish as the names and recent file creation dates (like the day the infection started). On reboot, you should then be able to go into Safe Mode and install one of the better anti-virus/malware programs and do a scan. This will remove the additional virus/trojan horse programs that the fake anti-virus usually brings with it.

      The trick is to boot the computer or drive from a different OS to perform the first cleaning, or complete, depending on your situation. This is one feature that desktops have an advantage over laptops, because you can mount additional drives in the system and not boot from them.
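      The offline triage described in #1210468 (sort system32 by date, look for recently created binaries with gibberish names) and the check in #1210014 (compare the modified driver in system32/drivers against the clean copy in a service-pack folder) can be scripted once the infected volume is mounted read-only from another OS. The script below is an added example and is not from any poster in this thread; it assumes the volume is mounted at a path you pass in (e.g. /mnt/infected on a Linux rescue boot) and builds a small constructed directory tree for demonstration. It uses modification time, since file creation time is not portably readable from a foreign OS, and the name heuristic is deliberately coarse: every hit still needs a human look, and malware may have altered timestamps.

```python
"""Offline triage helpers for a Windows volume mounted from a rescue OS.

Added example, not code from the thread. Paths and the demo tree are
constructed assumptions; point recent_files() at the real mount root.
"""
import hashlib
import os
import tempfile
import time

SUSPECT_EXTS = (".dll", ".exe", ".sys")
DAY = 86400


def looks_gibberish(filename: str) -> bool:
    """Coarse heuristic for dropper-style names: a long stem with almost
    no vowels, or one that is mostly digits. Short legit names like
    msvcrt.dll are skipped by the length guard; review hits manually."""
    stem = os.path.splitext(filename)[0].lower()
    if len(stem) < 8:
        return False
    alpha = sum(c.isalpha() for c in stem)
    vowels = sum(c in "aeiouy" for c in stem)
    digits = sum(c.isdigit() for c in stem)
    if alpha and vowels / alpha < 0.10:
        return True
    return digits * 2 >= len(stem)


def recent_files(root: str, since_ts: float, exts=SUSPECT_EXTS):
    """Walk `root` and return (path, mtime, gibberish_flag) for binaries
    modified at or after `since_ts`, newest first (the 'sort by date' step)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # unreadable entry; note it and move on
            if mtime >= since_ts:
                hits.append((path, mtime, looks_gibberish(name)))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


def sha256_file(path: str) -> str:
    """Stream the file so large drivers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def same_contents(path_a: str, path_b: str) -> bool:
    """True if the in-use driver matches the backup copy byte for byte."""
    return sha256_file(path_a) == sha256_file(path_b)


def build_demo_tree() -> str:
    """Constructed stand-in for a mounted volume: an old legitimate DLL, a
    recently modified driver, a pristine service-pack copy of that driver,
    and a freshly dropped gibberish-named DLL."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    sys32 = os.path.join(root, "WINDOWS", "system32")
    drivers = os.path.join(sys32, "drivers")
    spx = os.path.join(root, "WINDOWS", "ServicePackFiles", "i386")
    os.makedirs(drivers)
    os.makedirs(spx)
    now = time.time()

    def write(path, data, ts):
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (ts, ts))  # set mtime to simulate file age

    write(os.path.join(sys32, "kernel32.dll"), b"legit", now - 400 * DAY)
    write(os.path.join(drivers, "atapi.sys"), b"patched bytes", now - 3 * DAY)
    write(os.path.join(spx, "atapi.sys"), b"original bytes", now - 400 * DAY)
    write(os.path.join(sys32, "xqzptvwk.dll"), b"dropped", now - 3600)
    return root


def run_demo() -> dict:
    """Triage the constructed tree: last 7 days, then compare the driver."""
    root = build_demo_tree()
    hits = recent_files(root, time.time() - 7 * DAY)
    drv = os.path.join(root, "WINDOWS", "system32", "drivers", "atapi.sys")
    spx = os.path.join(root, "WINDOWS", "ServicePackFiles", "i386", "atapi.sys")
    return {
        "recent": [os.path.basename(p) for p, _, _ in hits],
        "gibberish": [os.path.basename(p) for p, _, g in hits if g],
        "driver_matches_backup": same_contents(drv, spx),
    }


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(f"{key}: {val}")
```

      Run it against the real mount root instead of the demo tree (`recent_files("/mnt/infected/WINDOWS/system32", since)`), and treat the output as a worklist rather than a verdict: a recent date plus an unpronounceable name is a reason to look, not proof, and a driver whose hash differs from the service-pack copy is what #1210014 suggests restoring from that copy.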

    • #1212867

      In the end they had to scrub the HD and reinstall the OS. Drastic, but it solved the problem. One big thing that led to the problem was that they didn’t have an anti-virus program on the machine — a very bad mistake. Now it is fully protected.

    • #1212873

      Sorry I was so late to respond to this. I, too, have had to remove this from several machines. I found that the phony AV did NOT disable MS Antivirus and was able to use the Software Explorer tool to disable the initial load of the phony exec file for one reboot. This allowed me to run the Malwarebytes program, which then completed the removal.

      Perhaps this will make it easier for others….
