Unable to remove "Antivirus Plus"



#1 Howard Winter


Posted 24 January 2009 - 12:31 PM

I am trying to clean a machine belonging to someone else of "Antivirus Plus" - a pop-up, very convincing-looking fake malware scanner. I don't know the history but the current state is that it appears within a couple of minutes of a normal boot (3 windows, which can't be closed), and Internet Explorer is unusable. In fact the whole machine is virtually unusable when not in Safe mode.

If I boot into SAFE Mode AV+ doesn't appear.

The machine is a Packard Bell laptop, running XP Home SP2. It did have Norton anti-virus installed, but its subscription expired some time ago so I have no idea how old it is.

I've freshly-downloaded various scanners/cleaners on another machine and copied them to CD to transfer onto the victim machine.

I've run the Norman Malware Cleaner (found a number of viruses and removed them) in Safe and ordinary mode, but AV+ is still there.
I've run Trend's online "House call" scanner in Safe mode - it found a few things and removed them, but AV+ is still there.
I've run NVT_Rogue_Software_Remover but it found nothing to remove (to be fair it doesn't list AV+ in its targeted malware).
I've tried to run MBAM, but when I try to execute it, it asks for the language to use, and then when I select English, nothing else happens.

I saw Spyhunter, but it will scan for free but wants money to clean - this seems rather like AV+ itself, so I don't trust it as being genuine. The last thing I need to do is spend money and make things worse!

Where do I go from here? I am an IT professional, but I'm not an expert in malware removal! :-)

Cheers,

Howard

#2 Howard Winter


Posted 24 January 2009 - 10:03 PM

Since MBAM seems to be recommended here a lot, I thought I'd concentrate on running that - no go!

To recap, when I double-click on the downloaded file on the desktop, I get a window asking to select the language, and when I <OK> it I get either nothing at all, or a flash of a window which disappears before I can read it. This is in SAFE Mode. I tried renaming the file as I've seen suggested, but with no improvement.

By running it on another machine, I see that the window is the first in the install of MBAM (it installs fine on another machine).

Having installed it on another machine I thought I'd copy over the directory and its contents to the victim machine, but this didn't work either (none of the .exe files would run).

How can a machine in SAFE mode be blocking execution of the file?

How can I get it to run MBAM - or something else that will wipe out Antivirus Plus?

Cheers,

Howard

#3 Howard Winter


Posted 27 January 2009 - 05:32 AM

For some reason nobody seems to want to help with this one - that's rather disappointing!

Ah well, I'll try something a bit more drastic - I'm going to remove the drive and connect it to another machine via USB, and see if this allows MBAM or one of the others to remove the problem. I'm a bit pessimistic because presumably it won't touch the registry on a non-booted drive, but we'll see!

Cheers,

Howard

#4 boopme


Posted 27 January 2009 - 11:35 AM

Hello, I feel bad that it took this long to get to you, but it's a busy place and all are volunteers here.

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.


***
Another workaround is not using the mouse to install it. Just use the arrow keys, Tab, and Enter keys.



If you cannot use the Internet, you will need access to another computer that has a connection.
From there save mbam-setup.exe to a flash, USB, jump drive or CD. Now transfer it to the infected machine, then install and run the program.
If you cannot transfer to or install on the infected machine, try running the setup (installation) file directly from the flash drive or CD by double-clicking on mbam-setup.exe so it will install on the hard drive.

Manually Downloading Updates:
Manually download them from HERE and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

#5 Howard Winter


Posted 01 February 2009 - 07:54 PM

Thanks for the suggestions, but nothing seems to work!

I tried all of the renaming and alternate running suggestions below (the install still won't run past the quick flash of the window) then I tried setting up an MBAM install on another machine, then copying the installed directory to CD and then onto the victim machine - it won't run from that either (the program never starts - at least visibly).

Then I tried removing the disk and installing it as a second drive on another machine, and running MBAM on both drives - it found a couple of copies of Trojan.Agent and quarantined them, and I ran several other scanners against the disk repeatedly, some of which found other things, until nothing was showing as being found. I even ran the copy of MBAM that's on the victim disk, and it ran OK and didn't find anything further. I even tried blanking out the free space, in case it was hiding there, and rewriting the Master Boot Record (using DFSee).

But when I moved the disk back and booted it in Safe mode, it still wouldn't run MBAM itself or its install, and booting it in normal mode the "Antivirus Plus" popped up again, and virtually nothing else would work. Wherever it's hiding, none of the virus scanners seem to be able to find it.

I'm at the point of being resigned to reinstalling Windows XP, but this is a Packard Bell with a recovery partition (no Windows CDs) and I can't find how to activate the recovery process - <F2> is shown as changing BIOS settings (but very few of them), and <F8> as changing the boot order, but I can't find the magic key to activate Recovery - I've tried all the <Fx> keys, <Del> and <Esc> - they either do nothing or start an attempt at a PXE boot from the network.

Any suggestions on how I can proceed further?

Cheers,

Howard


Hello, I feel bad that it took this long to get to you, but it's a busy place and all are volunteers here.

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.


***
Another workaround is not using the mouse to install it. Just use the arrow keys, Tab, and Enter keys.



If you cannot use the Internet, you will need access to another computer that has a connection.
From there save mbam-setup.exe to a flash, USB, jump drive or CD. Now transfer it to the infected machine, then install and run the program.
If you cannot transfer to or install on the infected machine, try running the setup (installation) file directly from the flash drive or CD by double-clicking on mbam-setup.exe so it will install on the hard drive.

Manually Downloading Updates:
Manually download them from HERE and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.





