Q. I have an antivirus message popping up on my machine and it is not letting me use programs or download antivirus tools.

Antivirus 2012, Win 7 Antivirus 2011, Win 7 Total Security 2011, XP Security 2011, BitDefender 2011 Antivirus (some of these viruses use the same names as legitimate programs) and many other variants of these names are fake antivirus scanners that you get from visiting poisoned websites. They pop up alarming messages on your screen saying that your computer is infected. These warnings are fake; they are an attempt to get you to pay money for phony software to remove the infection. Some of these viruses will alter your system to hide your data folders so it looks like an ‘infection’ has deleted all of your files. They can also block access to programs and websites, and prevent you from running or downloading a real anti-malware program to remove the virus. Getting rid of these is not easy, because you have to defeat the programming that is trying to block you.

Viruses like these morph and change features constantly. Check the website Bleepingcomputer.com for the latest news and removal instructions.

NOTE: Following are general instructions for removing most viruses of this type. Although these steps may be overkill, they are comprehensive and will also take care of 99% of all viruses. There is a class of virus called rootkits which can be resistant to detection; see the post here.

First download the latest versions of the following tools on another, clean machine and burn to CD or copy to a USB memory stick

Copy these to your desktop and, before running them, change the names of the Malwarebytes and ComboFix files to:

Malwarebytes: mblah.scr
ComboFix: comfix.exe

NOTE: ComboFix is powerful software, and if you run it when it is not needed, it could possibly damage your data. Running ComboFix is optional: you could try the steps first without ComboFix, and if that doesn’t clear the infection, run through this list again with ComboFix. If you don’t know for sure that you have a virus, then don’t run ComboFix.

Now, restart the machine in Safe Mode (Shut it down, start it up, and hit the F8 function key as the machine boots up and before the Windows screen comes on, and choose Safe mode from the list.)

Follow these steps in order:

Turn off System Restore on your machine, but only until you get this fixed – many of these trojans get copied into the System Restore files, which anti-virus programs aren’t allowed to touch and the viruses could reinstall themselves from there. Turning off System Restore allows the antivirus tool to access the saved Restore files.
My Computer > Properties > System Restore.

The malware actively blocks programs and tools, so before you can start cleaning, you need to get the malware entries out of the registry, and stop the malware’s current processes from running.

Double-click FixExec to run it and clean the registry.
Now double click the RKill file (whatever name you downloaded it as) to run it. Wait for it, it could take a while.  If the fake antivirus program throws a warning on the screen and blocks RKill, leave the warning up on the screen and run RKill again.
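
A read-only check that can be run after the registry cleanup, added here as an example; it is not part of the original post and is not FixExec's own code. It assumes the malware entries in question are hijacked "open" commands for executable file types, and that a healthy entry is the Windows default `"%1" %*`.

```powershell
# Added example: audit the "open" command for executable file types.
# Nothing is modified; the script only reads the registry and reports.
# Assumption: a healthy command is exactly  "%1" %*  (the Windows default).
$expected   = '"%1" %*'
$hives      = 'HKCU:\Software\Classes', 'HKLM:\Software\Classes'
$extensions = '.exe', '.com', '.bat'

function Get-DefaultValue([string]$KeyPath) {
    # Returns the key's (Default) value, or $null when the key does not exist.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    (Get-Item -LiteralPath $KeyPath).GetValue('')
}

$results = foreach ($hive in $hives) {
    foreach ($ext in $extensions) {
        # The extension key normally points at a ProgID such as "exefile".
        $progId = Get-DefaultValue "$hive\$ext"

        # A command can sit directly under the extension or under its ProgID.
        $keys = @("$hive\$ext\shell\open\command")
        if ($progId) { $keys += "$hive\$progId\shell\open\command" }

        foreach ($key in $keys) {
            $command = Get-DefaultValue $key
            if ($null -eq $command) { continue }   # key absent: nothing to report
            if ($command -eq $expected) { $status = 'OK' } else { $status = 'REVIEW' }
            New-Object PSObject -Property @{
                Status  = $status
                Key     = $key
                Command = $command
            }
        }
    }
}

if ($results) {
    $results | Format-List Status, Key, Command
} else {
    'No open-command entries found for the checked extensions.'
}
```

Any line marked REVIEW, particularly one under HKCU, is an entry that still launches something other than the program you clicked and is worth cleaning before you continue.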

Do not reboot your computer. If you reboot, it will just load the malware in again.

Now run CCleaner (it’ll make scanning faster because it will delete a bunch of temp files and save you from having to scan those.) If the virus blocks CCleaner from running, proceed to the next step.

Now run Malwarebytes (mblah), and clean everything it says.

OPTIONAL: Run ComboFix (comfix), and clean everything it says. If it tells you to reboot your machine during the process, do so immediately.  Do not run ComboFix if you are not sure you have a virus.

Now install and run Avast AV – tell Avast to do a boot-scan – click on “schedule boot-scan” – and restart the computer

Let it start and do the Avast AV boot scan and fix whatever it says

Then do a final Malwarebytes scan in normal boot mode

If you have odd problems with web browser or internet behaviour, there may still be some bad entries in the internet settings. Run Minitoolbox to clear those out.

Then turn System Restore back on.

Now install the antivirus program of your choice to do continuous scanning, and make sure you keep it up to date. If you have your own antivirus, uninstall Avast now.

Comparison of antivirus programs http://www.av-comparatives.org/
Free and commercial AV reviews http://www.pcworld.com/products/software/antivirus_and_security.html
Free AV reviews from PCWorld
List of free antivirus from CNet

Always keep your Windows, web browser, Flash and Adobe software and Java software up to date – frequent patches are released to plug security holes.
http://www.pcworld.com/article/149298/10_quick_fixes_for_the_worst_security_nightmares.html

http://www.pcworld.com/article/254369/10_commandments_of_windows_security.html

If you absolutely cannot boot even in Safe mode, then you may have to configure a universal boot CD or “Rescue Disk”.
Downloadable Rescue Disks
http://dl.antivir.de/down/vdf/rescuecd/rescuecd.iso
BitDefender http://download.bitdefender.com/rescue_cd/
http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/

or Universal Boot Cd http://www.ultimatebootcd.com/
or BART CD http://www.nu2.nu/pebuilder/

If you have a Rootkit virus, you may have to take additional measures, check this link:

If you have a Google Redirect rootkit, check here

Information on DNSChanger and problems with Internet browsing after July 9 2012

Spyware Blaster blocks the URLs of known malware sites from your browser
http://www.pcworld.com/downloads/file/fid,23106/description.html

McAfee Site Advisor flags websites security risks as you browse: http://www.pcworld.com/downloads/file/fid,62594-order,1-page,1/description.html
