2nd computer hit with FAKE AV...Process to clean it up?

[Jan Regnier]

Does anyone have the process for cleaning this up? 

I just got the 1st computer cleaned up today and now a 2nd computer got hit!  They aren't going anywhere (on the internet) they are not supposed to be so I can't get mad about it (I guess) - but I don't want to have to run the computer hospital with every machine that gets hit if there is a process to clean it up that I can do.  I don't mind the time it takes - I just want to have the process that works.

[Robin Deatherage]

Do you ever use ComboFix and Malwarebytes.  I've found that between the two I can usually get things cleaned up.  Sometimes have to start off running them in safe mode and then run them again normal.

[Jan Regnier]

I use Malwarebytes and I have used combofix - but haven't this time..I will go get it though.  I used Sophos to clean it up but after it does that it doesn't let you access programs!  I am in safe mode  - I'll keep trying for awhile...

[Orlando Alonzo]

Robin is correct both are very good tools.

Download Malwarebytes. Install and update it.  Disable System Restore. Reboot in safe mode. Scan with Malwarebytes.

[Bob]

I'm curious since you say they don't visit bad sites..  Are they getting notification of fake AV update and clicking.  Run  services.msc

Sort by name, go to messenger, disable service.   Also check startup and remove msmsgs.  Native network messenging tool but sometimes exploited to trick users.  No need for it so adds an extra level of caution disabling service.  On by default I believe.

Then it's teaching even management to know your products.  Everyone should know their AV product.  Educating will prevent clicking on spoof say update AntiVirus 2011 etc..

[Jeff Golas]

Update Acrobat Reader, Java, and Flash. Update your browsers if they're dated. That'll stop the infections. As for what to do with a fake virus infected computer - wipe it and start over. Easier and more guaranteed.

Jeff

[Jeff Zylstra]

My best luck comes when I remove the hard drive and attach it to another computer via a USB cable.  When you are not booting the computer from an infected hard drive, the malware doesn't get a chance to load first, so you have a much better chance of disinfecting it.  Just go right click on the START button in Windows, choose EXPLORE, and then right click on the infected hard drive and choose the "Run MalwareBytes" option.   HTH.


P.S.  I would be somewhat careful of Combofix, however.  I've bricked a computer with that utility before, so I'm a little bit leery of it now. 

I also had an issue with Clonezilla last week when I tried to re-image a Dell XP computer, so I'm leery of re-imaging now too!  It keeps saying that the target partition is smaller than the source partition.  It's not.  It's 4 times larger than the drive it was originally imaged from.  And it also borked the hard drive's MBR, so I couldn't fix the errant hard drive if I wanted to, so it got a fresh Windows install with updates, service packs and assorted software again.  That's way more work than I have time for. 

[Jan Regnier]

Bob--

The person today was on MSN and clicked on something on that website...  The fake Microsoft product came up and she didn't OPEN it but she did click on the "X" to cancel out of it.. 

I will continue for a while longer trying to beat this piece of "stuff" into submission...I don't like giving in to this stuff!! 

Jeff - everything does get updated - but I will confirm she on the most current..

Thanks, guys...

[Jeff Zylstra]

Update Acrobat Reader, Java, and Flash. Update your browsers if they're dated. That'll stop the infections. As for what to do with a fake virus infected computer - wipe it and start over. Easier and more guaranteed.

Jeff

Is it possible to keep Flash updated for more than 2 days?   They update more often than our AV product!

[Bob]

Bob--

The person today was on MSN and clicked on something on that website...  The fake Microsoft product came up and she didn't OPEN it but she did click on the "X" to cancel out of it.. 

I will continue for a while longer trying to beat this piece of "stuff" into submission...I don't like giving in to this stuff!! 

Jeff - everything does get updated - but I will confirm she on the most current..

Thanks, guys...

The X was an image map.  In other words a link.  Best way to close is ALT+F4, in future. 

[Robin Deatherage]

Jan is it the AntiVirus System 2011 one?  If so this should help.  http://www.bleepingcomputer.com/virus-removal/remove-antivirus-system-2011

[Jan Regnier]

Jan is it the AntiVirus System 2011 one?  If so this should help.  http://www.bleepingcomputer.com/virus-removal/remove-antivirus-system-2011

No, Robin, it wasn't that one!  It said "XP HOME Security"....

I can access programs as ADMIN but not as the STATXXX.

[Alice]

Jan is it the AntiVirus System 2011 one?  If so this should help.  http://www.bleepingcomputer.com/virus-removal/remove-antivirus-system-2011

Robin - I must say you have links to the most colorfully named web sites I've ever seen. I know that's bad grammar but does describe it best. 

[Robin Deatherage]

Jan is it the AntiVirus System 2011 one?  If so this should help.  http://www.bleepingcomputer.com/virus-removal/remove-antivirus-system-2011

Robin - I must say you have links to the most colorfully named web sites I've ever seen. I know that's bad grammar but does describe it best. 

LOL! Alice I wish I was that creative myself.  Wasn't, www.experts-exchange.com, at one time www.expertsexchange.com?   

[Alice]

LOL  I like the 2nd one better actually 

[Jeff Golas]

Update Acrobat Reader, Java, and Flash. Update your browsers if they're dated. That'll stop the infections. As for what to do with a fake virus infected computer - wipe it and start over. Easier and more guaranteed.

Jeff

Is it possible to keep Flash updated for more than 2 days?   They update more often than our AV product!

And you're lucky if you can find it, and install it in under 3 hours using MSI files.

Jeff

[Robin Deatherage]

No, Robin, it wasn't that one!  It said "XP HOME Security"....

I can access programs as ADMIN but not as the STATXXX.

Jan have you seen this?  http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011 removal instructions look similar to the other solution but references a registry fix tool you can download. I have not used that tool but have always had good luck with tools from this site.  Hope it helps. 

[Jan Regnier]

No, Robin, it wasn't that one!  It said "XP HOME Security"....

I can access programs as ADMIN but not as the STATXXX.

Jan have you seen this?  http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011 removal instructions look similar to the other solution but references a registry fix tool you can download. I have not used that tool but have always had good luck with tools from this site.  Hope it helps. 

Looks promising - will give it a try!  Thanks, Robin.

[Jan Regnier]

+1 for Robin today!!!

FINALLY got it....

Used "FixzNCR.reg"
Used "RKill"
Used Malwarebytes (which I was using anyway)

Another wasted day..... sorta....but I did learn something new....

[Robin Deatherage]

+1 for Robin today!!!

FINALLY got it....

Used "FixzNCR.reg"
Used "RKill"
Used Malwarebytes (which I was using anyway)

Another wasted day..... sorta....but I did learn something new....

Yea!!! Way to go Jan, glad it worked.  Sorry you had another wasted day but as you said you did learn something new.  And thanks for the karma.   

[Jeff Zylstra]

+1 to Robin for mentioning one of my favorite sites, BleepingComputer.Com.  Great site for delousing infected machines, as well as other utilities and problems solvers.

[Bloody Jack Kidd]

I recently came across a really excellent link that was a malware removal how-to listing all the good tools and how to employ them... gotta find that link.

[Jan Regnier]

OK - computer #3 got hit today.....used my new "handy-dandy FAKE AV Repel tool" and in a matter of a few minutes - cleaned up and back in business.  It never got loaded because--->

THANK GOODNESS I passed out the "What NOT to DO" document I put together to the staff yesterday!  It worked perfectly.

*DO NOT CLICK ON ANYTHING  -
*Use CTL/ALT/DEL and end processes for iexplorer (using IE)
*Control Panel /Internet-delete cookies/temp/history

I also went to Control Panel/System and turned off restore point, restarted computer and then reactivated restore point.

[Bloody Jack Kidd]

I guarantee this people are following links to images, videos etc. supposedly relating to Osama, SEAL, raid, etc.

[Jan Regnier]

I guarantee this people are following links to images, videos etc. supposedly relating to Osama, SEAL, raid, etc.

She was in TAM on a client but she had the internet open and minimized- she wasn't actually viewing the internet - and it popped up..

[Jeff Zylstra]

OK - computer #3 got hit today.....used my new "handy-dandy FAKE AV Repel tool" and in a matter of a few minutes - cleaned up and back in business.  It never got loaded because--->

THANK GOODNESS I passed out the "What NOT to DO" document I put together to the staff yesterday!  It worked perfectly.

-
*Use CTL/ALT/DEL and end processes for iexplorer (using IE)

I think I know your problem.  

[Jan Regnier]

OK - computer #3 got hit today.....used my new "handy-dandy FAKE AV Repel tool" and in a matter of a few minutes - cleaned up and back in business.  It never got loaded because--->

THANK GOODNESS I passed out the "What NOT to DO" document I put together to the staff yesterday!  It worked perfectly.

-
*Use CTL/ALT/DEL and end processes for iexplorer (using IE)

I think I know your problem.  

Yeah - I know!!!  I have FF on some of the machines - but since most company websites work with IE - we still keep it as the default.  I am loading FF on all and asking that other than CO websites they use FF.

[Jeff Zylstra]

OK - computer #3 got hit today.....used my new "handy-dandy FAKE AV Repel tool" and in a matter of a few minutes - cleaned up and back in business.  It never got loaded because--->

THANK GOODNESS I passed out the "What NOT to DO" document I put together to the staff yesterday!  It worked perfectly.

-
*Use CTL/ALT/DEL and end processes for iexplorer (using IE)

I think I know your problem.  

Yeah - I know!!!  I have FF on some of the machines - but since most company websites work with IE - we still keep it as the default.  I am loading FF on all and asking that other than CO websites they use FF.

I haven't used IETabs in Firefox lately, but I think that would get around many of the issues with company websites.  Sadly, there are some companies that force us to use plug ins for printing and display that will only work in IE.  I really have to question why these proprietary plug ins are necessary, and who they really benefit!