Topic:

antievire 2008

Posted by: johanna k.      2 Aug 2008 @ 08:26
antievire 2008

Hi, a message keeps popping up on my screen telling me I have got a virus on my laptop. It's from antivir2008. I can't get rid of it; it keeps scanning my laptop and telling me to install it to remove these viruses. There is a charge to install it. I don't know if I have a virus. I would be very grateful for your help.
Thank you, J Kealy

Reply by: Alan B., PCIQ IT Professional in Cambridge, CB22      2 Aug 2008 @ 09:00
RE: antievire 2008

What you have is something that is sometimes called "scamware". It's a scam! Its purpose is to scare you into paying money for some useless software.

This type of malware can be very difficult to get rid of as most antivirus and antispyware programs are ineffective. This may be a job for a PCIQ IT Professional as they can get rid of this problem and make sure your computer is secure to minimise the risk of future problems. Your best hope of getting rid of it yourself is to download and run a program called SuperAntiSpyware http://www.superantispyware.com/ which is free to home users.

1 of 1 people found the above post helpful
Reply by: Jon S., PCIQ IT Professional in Morecambe, LA3      2 Aug 2008 @ 09:41
RE: antievire 2008

To give a scale of this problem, one of these recently took me eight hours to remove, including a marathon registry hack after booting from a BARTPE CD.
It was a horrible job, and in reality I would have been better off backing up the data and then reloading it.

0 of 0 people found the above post helpful
Reply by: Richard B., PCIQ IT Professional in Manchester, M16      2 Aug 2008 @ 09:55
RE: antievire 2008

Do a google search for superantispyware, download it, install and run.

It should find and get rid of it.

0 of 0 people found the above post helpful
Reply by: Jon S., PCIQ IT Professional in Morecambe, LA3      2 Aug 2008 @ 10:46
RE: antievire 2008

It will for some variants, not others. The one I found had disabled numerous AV programs, registry tools and even the "Run" command. I had to get that sorted before I could even begin to run cleanup tools. When I did, I started with SuperAntiSpyware, but still had to run several tools after that. No one cleaner tool works on its own - you have to use a blended attack on the problem.

0 of 0 people found the above post helpful
Reply by: Richard B., PCIQ IT Professional in Edinburgh, EH1      2 Aug 2008 @ 11:40
RE: antievire 2008

Very true Jon, I forgot that bit!

From my own arsenal: SuperAntiSpyware, then SmitFraud and then ComboFix... preferably all run in safe mode.

0 of 0 people found the above post helpful
Reply by: Jon S., PCIQ IT Professional in Morecambe, LA3      3 Aug 2008 @ 19:14
RE: antievire 2008

OK, if we're in a competition of "who's got the biggest AV arsenal", this is what I had to do to get rid of the beast.
This took a long time, and I did it to see just what was needed to remove it. Note this was the worst of a number of Antivirus 2008 infections I was asked to sort over several days.
Each one was slightly different. Wiping the machine is probably the better option in most cases.

1) Boot with a BARTPE disk and delete the following
a. The contents of c:\windows\temp
b. The contents of c:\windows\downloaded program files
c. The contents of c:\windows\java
d. Temporary internet files for all accounts
e. Temp files for all accounts
f. C:\temp
g. C:\program files\antivirus (or antivirus 2008)
h. C:\program files\random nonsense name

2) Load up the BARTPE remote registry editor tool and edit in turn for EVERY USER ACCOUNT on the machine (five in this case)
a. HKCU\Control Panel\International\sTimeFormat - delete the words “Virus Alert”
b. HKCU\Software\Policies\Microsoft\Internet Explorer - delete ALL here
c. HKCU\Software\Microsoft\Windows\Current Version\Run - delete anything which looks wrong. ALSO delete the corresponding executables. You need to be very sure of what you are doing at this point.
d. HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer - delete ALL except “NoDriveTypeAutoRun”
e. HKCU\Software\Microsoft\Windows\Current Version\Policies\System - delete ALL
f. HKLM\Software\WindowsNT\CurrentVersion\Winlogon\Notify - there will be a subkey with a random string here. Delete the subkey
g. HKLM\Software\WindowsNT\Windows - if the subkey “run” appears here, delete it
h. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System"="" - delete anything after “system”

3) Reboot the machine to safe mode into one of the Admin accounts. You should now have registry tools back, and should be able to see all the system drives.
a. Install and run KAZAAbegone. Every one of these infections I’ve seen has KAZAA on it.
b. Download and run “Rogueremover” - this should take out several executables and a number of registry keys
c. My Computer>Properties>Advanced>Performance>Settings>DEP: put the dot in “Turn on DEP for all programs except those I select” and then DELETE all listed. Then put the dot back into “Turn on DEP for essential programs only” - this seems to reset the problems the virus generates
d. Copy HijackThis2 to the hard drive AND RENAME the executable. Run it and use it to remove anything wrong. If prompted to reboot DON’T - just leave the program open. Use Windows Explorer to delete any files it finds (and any folders if they are obviously wrong). If you can’t delete the files, try renaming them - eg xxx.dll to xxx.bad. Most will be in c:\windows\system32, some may be in c:\windows or c:\windows\system. You also need to search for and delete every registry key which relates to these files. At least one will have infected the networking protocols.
e. Copy Smitfraudfix to the hard drive and again RENAME it (the infection otherwise blocks the program from running). Run through the options and clean the machine.
f. Run CCleaner to remove detritus files and clean the registry.
g. Run WinsockfixXP and allow it to reboot when complete. Up to this point HijackThis2 may still be pending a reboot.
h. If you were unable to delete all the files in (2c) above, boot again with BARTPE and delete the remaining files.
i. Boot again into safe mode and claim back the desktop. Right click the “start” button and configure the start menu properly (a lot of icons will have been missing; you can now reset them). Right click the desktop and select the Windows default theme to get rid of the “virus warning” desktop. In some cases you get a white HTML page which you can’t shift as desktop. In this case Display Properties>Desktop>Customise Desktop>Web - untick anything there and delete all entries. THEN set the Windows default theme. THIS NEEDS TO BE DONE FOR EVERY ACCOUNT.
j. Boot back again into safe mode and install an anti-rootkit program. My favourite is still the AVG one even though it’s been withdrawn. Delete everything it finds. You may have to replace these files from another clean machine: a system last week infected userinit.exe (controls Windows logon), the one today clb.dll (which controls registry tools).

4) Nearly there. Time to install the AV and antimalware software. I suggest you assume that all existing AV software is corrupt and should be removed (after all, it didn’t work…). My preference is to install at this point the Windows Mal Software tool, Windows Defender, Malwarebytes Antimalware, Spybot, SpywareBlaster, SuperAntiSpyware and AVG AV and do full scans with each. If AVG was already on the machine I’d assume that was compromised and scan with Avast! instead. Note that in my experience no single program removes all traces - you need to use ALL of these to clean the machine from a bad infection.

5) If you managed to get this far without giving up and reloading the machine, it’s time to make sure automatic updates are turned on and then download them.

6) If you’ve got the downloads installed you’re finished. And - hopefully - the machine is clean

0 of 0 people found the above post helpful
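As an added example (not posted by anyone in this thread), here is a read-only PowerShell audit of the registry locations Jon S. works through in step 2: it reports what is set in those keys so you can check a machine before deciding whether to clean or reload, and it deletes nothing. It assumes an elevated prompt, user hives loaded under HKEY_USERS, and uses the full `HKLM\SOFTWARE\Microsoft\Windows NT\...\Winlogon` path for the Notify and System checks.

```powershell
# Added example: read-only audit of the keys listed in step 2 above. Reports only; changes nothing.
$hits = New-Object System.Collections.ArrayList
function Note($Path, $Name, $Value, $Why) {
    [void]$hits.Add([pscustomobject]@{ Path = $Path; Name = $Name; Value = $Value; Why = $Why })
}
function Vals($Key) {  # data values of a key, minus PowerShell's PS* metadata properties
    $p = Get-ItemProperty $Key -ErrorAction SilentlyContinue
    if ($p) { $p.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } }
}

# Per-user hives: each loaded profile appears as HKU:\<SID> (skip the *_Classes hives)
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
foreach ($key in Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -notmatch '_Classes$' }) {
    $u = "HKU:\" + $key.PSChildName
    # 2a: the rogue rewrote the clock format so the taskbar reads "VIRUS ALERT"
    $fmt = (Get-ItemProperty "$u\Control Panel\International" -ErrorAction SilentlyContinue).sTimeFormat
    if ($fmt -match 'virus') { Note "$u\Control Panel\International" 'sTimeFormat' $fmt 'clock text tampered' }
    # 2b/2d/2e: policy keys that are normally empty on a home machine; anything here hides tools
    foreach ($pol in 'Software\Policies\Microsoft\Internet Explorer',
                     'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
                     'Software\Microsoft\Windows\CurrentVersion\Policies\System') {
        Vals "$u\$pol" | Where-Object { $_.Name -ne 'NoDriveTypeAutoRun' } |
            ForEach-Object { Note "$u\$pol" $_.Name $_.Value 'policy restriction set (can disable regedit/Run)' }
    }
    # 2c: Run entries whose executable is missing or lives in a temp folder
    Vals "$u\Software\Microsoft\Windows\CurrentVersion\Run" | ForEach-Object {
        $exe = [regex]::Match([string]$_.Value, '^"?([^"]+?\.(exe|dll|bat|scr))', 'IgnoreCase').Groups[1].Value
        if ($exe -and -not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $env:SystemRoot "System32\$exe" }
        if (-not $exe -or -not (Test-Path -LiteralPath $exe) -or $exe -match '\\temp\\') {
            Note "$u\...\CurrentVersion\Run" $_.Name $_.Value 'autorun target missing or in a temp folder'
        }
    }
}

# 2f/2g/2h: machine-wide Winlogon hooks
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Get-ChildItem "$wl\Notify" -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty $_.PSPath).DllName
    if ($dll -and -not (Test-Path -LiteralPath (Join-Path $env:SystemRoot "System32\$dll")) -and -not (Test-Path -LiteralPath $dll)) {
        Note $_.PSPath 'DllName' $dll 'Winlogon Notify package not found in System32'
    }
}
$sys = (Get-ItemProperty $wl -ErrorAction SilentlyContinue).System
if ($sys) { Note $wl 'System' $sys 'Winlogon System value should be empty' }
$win = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' -ErrorAction SilentlyContinue
foreach ($n in 'Run', 'Load') { if ($win.$n) { Note 'HKLM:\...\Windows NT\CurrentVersion\Windows' $n $win.$n "legacy $n value set" } }

if ($hits.Count) { $hits | Format-Table -AutoSize -Wrap } else { 'No indicators found in the audited keys.' }
```

Treat every hit as something to verify by hand, not as proof of infection: a managed machine may legitimately carry policy values, and a third-party logon package can legitimately sit under Notify.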
Reply by: Jon S., PCIQ IT Professional in Morecambe, LA3      3 Aug 2008 @ 19:16
RE: antievire 2008

Somehow copying and pasting the text resulted in the file and registry paths getting corrupted, but I think you get the gist of what I had to do.

0 of 0 people found the above post helpful
Reply by: Richard B., PCIQ IT Professional in Edinburgh, EH1      3 Aug 2008 @ 23:30
RE: antievire 2008

or use format c: /u !

(Don't try this at home kids, get a grownup to help you...)

0 of 0 people found the above post helpful
Reply by: Jon S., PCIQ IT Professional in Morecambe, LA3      4 Aug 2008 @ 00:43
RE: antievire 2008

Yeah. The better option would have been to boot with a BARTPE CD (or better, a Linux Live CD like Knoppix, which would give write access to the DVD drive), back up all data and then reformat/reload the machine. It would have been quicker, simpler, and at least then you'd be certain the infection had gone. And note this was a Windows XP machine: with Vista, half these tools (including BARTPE) would not work properly. VistaPE may work in place of BARTPE, but I've yet to try it in anger.
At present I'm assuming the tools to recover a Vista machine from Antivirus 2008 without reloading don't exist.

0 of 0 people found the above post helpful
Reply by: Richard B., PCIQ IT Professional in Edinburgh, EH1      4 Aug 2008 @ 01:07
RE: antievire 2008

The easiest and simplest way to prevent any infection is to unplug your ethernet cable.... ;-)

0 of 0 people found the above post helpful