How-To Geek

Here’s a Super Simple Trick to Defeating Fake Anti-Virus Malware

You might be wondering why we have a screenshot of what appears to be AVG Anti-Virus but is in fact fake anti-virus malware that holds your computer hostage until you pay up. Here’s a really simple tip for defeating these types of malware, and a quick review of other options.

Not sure what we’re talking about? Be sure to check out our previous articles on cleaning up fake antivirus infections.

So what’s the problem? Can’t you just run an anti-virus scan? Well… it’s not quite that simple. What actually happens is that these pieces of malware block you from running almost anything on your PC, and often prevent you from running apps from a flash drive, with an error like this:

Once you encounter this error, there are a couple of things you can do. The first one is almost stupidly simple, and works some of the time:

Move the Dialog, and Try Again!

Yeah, that’s right—reader Robert wrote in to tell us that you can often just move that error dialog to the side of the screen and then try to run your anti-malware or anti-spyware application again. It turns out that some of these errors only fire once… and then you can get your favorite application running.

If that doesn’t work, then here’s the next great tip…

Rename Your Anti-Malware App to Explorer.exe

Since most fake anti-virus malware needs you to be able to use your PC at least a little, the one executable it won’t ever block is “explorer.exe”, since the authors want you to be able to get online, go to their site and pay them—not so easy if you have no Start Menu.

So just rename your favorite anti-malware application to explorer.exe, and you should be able to use it.

Thanks to reader Jeffrey for writing in with this tip.

General Guide to Defeating Fake Anti-Virus Infections

There are a couple of steps that you can generally follow to get rid of the majority of rogue antivirus infections, and in fact most malware or spyware infections of any type. Here are the quick steps:

These steps generally work.

Can’t Even Boot Anymore? Here’s Your Solution

All you have to do is use a repair disk from one of the anti-virus manufacturers, who have each created downloadable ISO images that you can burn to a CD, or install onto a USB flash drive. Boot from it, run a scan, and then your PC will be clean.

We prefer using the BitDefender CD, since it’s automated and simple, but it couldn’t hurt to use more than one if necessary… so why not combine a bunch of recovery tools together? Here’s how:

How to Combine Rescue Disks to Create the Ultimate Windows Repair Disk

Lowell Heddings, better known online as the How-To Geek, spends all his free time bringing you fresh geekery on a daily basis. You can follow him on if you'd like.

  • Published 02/10/11

Comments (95)

  1. lupus

    or just download “Remove Fake anti virus” ;)

  2. Lee

    Add/remove worked for me. I just uninstalled the fake anti-virus, rebooted, installed avg free, and I was good to go.

  3. JohnMc

    And people wonder why I use Linux. If I had to go thru these mechanics to use my pc, just to remove the offending software I would have already tossed the hardware out the window long ago.

    A good article about a losing proposition.

  4. Richard

    Worth noting that once you’ve managed to get your PC successfully working again, the first thing you should do is backup all documents, videos, music and pictures and then re-format/re-install your operating system.

    Yes it sounds overkill, but this is the only 100% guaranteed way to know that you managed to get completely rid of the pest. The last thing you want is for it (or something else) to come back.

  5. Joe

    What about regular backups? Get a virus, just restore the backup to a point where you did not have the infection. Simple, straightforward, and it has worked every time for me.

  6. Torengo

    When dealing with these kinds of malware, the first thing I do when I boot into Windows is to launch the Task Manager and find the process running with the weirdest name and taking the most resources. That’s usually the culprit. Write the name down somewhere, kill the process, then search for it.

  7. Bobro

    @ JohnMc

    granted these stupid windows attacks are a pain but in the long run windows is quicker and easier, and you can still get hassled by these things in Linux… I even see the fake ‘scanning your C:\’ which is made up to look like windows XP on my iPhone as well as in Ubuntu!!!! silly Scamware!

    there is something called Rkill

    I used it on a mate’s machine; once run it will kill all processes not needed for windows, which then allows you to download any resources or run any programs… it worked for me :)

  8. GoodBytes

    Ooohhh these are fake anti-virus!
    I used to get the latest update for my A/V software at virus.com… I was wondering why every month I had to enter my credit card information and social security number.

    I am not going to remove it, still. They offer me great specials on Rolex watches via my e-mail! 95% discount. What a deal!

  9. John R.

    This is a long complicated way to deal with this sort of problem. You can boot into Windows safe mode, Command Prompt, and, at the prompt type RSTRUI.EXE . Wait a few minutes and the System Restore GUI will appear. Use a restore point prior to the malware attack to restore your computer to a previous state.

    The best advice is not to click fake “free” scans or fall for the tricks which are more than obvious. No legit software is going to popup a warning that your computer is infected from a web page. And even though it may appear to be coming from your own PC, there are many ways to tell that it is not.

    It never ceases to amaze me how many “tips” like this one appear on respected sites. These kinds of tips do little but confuse those who don’t understand computers very well – and those are exactly the kinds of folks who are most likely to be affected by these malware scams.

    John R.

  10. rgsmile

    I have found that when the first box comes up that shows the fake anti-virus, I hit control/alt/delete and close it from there. It is stubborn, and creates multiple entries in the application area, and IE may or may not close, but eventually it is gone. Then later I will run Malwarebytes, or Superantispyware, and/or Microsoft Security Essentials.

    This has never failed to work.

  11. DrPaul

    Another option is to download Ultimate Boot CD 4 Windows (www.ubcd4win.com) and use it to build a bootable CD/DVD containing a range of freeware utilities.

    Boot your PC from that disc and you can run A-V scans knowing that the malware on your hard drive is effectively inert.

  12. Erik

    @GOODBYTES – ROFLMAO

  13. Deezul

    …and what anti-malware do you recommend?

  14. Sparky

    I uninstalled AVG Free, IOBIT Freeware, CCleaner, Spybot, ran ESET free to ensure that I was clean.
    I have discovered ESET free does not get in the way.
    Then I installed Microsoft Security Essentials (MSSE).
    6 months later, I am still clean and free of trouble.
    MSSE runs automatically and effortlessly, for free!
    I have a Dell Studio 15 with Vista and a home Sony Vaio with XP both running Firefox and troublefree!
    MSSE Rocks!

  15. grayhoose

    I’ve taught the family that it’s cheaper to kill the browser and run a virus scan after the fake attack than for me to charge them $20 to do it.

  16. michael

    I do this professionally and your procedures are exactly what I do and use. This rogue stuff is getting more and more prevalent. It is great to have a plan. If you run windows you are going to get one of these.

  17. Sebastian

    The best way yet:

    del user

    xD

    (For those who don’t get it…. it’s a joke…. take away the user since this is in 99% of the cases the cause of the problem ;-)

  18. Andrew

    @ Lee: There are plenty of fake antiviruses that won’t let you run Control Panel or Add or Remove.
    @ JohnMc: It is easier to do than it seems when you read the article.
    @ Richard: Not a bad idea, but mostly unnecessary, as my own experience has demonstrated many times.
    @ John R: What if the malware won’t let you run cmd? It happens.

  19. miguel

    Wow; well done; very helpful. You are one of the better help websites

  20. david

    I work at my college’s student IT dept. I find the quickest, yet a little dirty, way to get rid of them is to simply boot into safe mode with networking. From there, I use the start menu shortcut to locate the program (right-click properties) and then delete it manually. From there I just load up whatever antivirus and update/scan. Sometimes the internet is set to proxy, but that’s just a quick swap in the internet options.

  21. NON-GEEK

    GOTO SAFE MODE——->RUN SYSTEM RESTORE SET A DAY OR TWO PRIOR———>PROBLEM SOLVED…

  22. Lao

    I have found in the past, that simply switching the PC off by holding down the power button helps in many cases.
    Doing so takes the machine back to the last system check. However, it doesn’t always work. When it doesn’t, SAS Portable is a great tool.

  23. Marty Kaye

    When a virus attacked my son’s laptop, I soon discovered that all the popular search engines (Google, Bing, Yahoo, etc.) redirected my searches for help to the strangest and most harmful sites on the web. I eventually discovered Yippy search which is apparently “cloud based” and this worked just fine. I was able to find all the necessary tools to effectively eliminate the virus and return the computer to its prior pristine malware free state.

  24. Ralph

    The key to reducing your chance of becoming infected with one of these viruses is to patch 3rd party software on your PC, like Adobe Reader, Flash…Then you need to form better surfing habits. Stop going to websites where you are not sure of the content.

  25. Rafi

    The way I got it done was: rebooted, entered safe mode w/networking, installed Spybot Search and Destroy, ran it, got it, killed it, removed AVG and installed Microsoft Security Essentials, and while at it got Microsoft Defender and Malwarebytes. Took maybe 5 minutes? About that. No renaming anything, no having to learn command prompt, just simple and to the point.

  26. -Rb

    Is anything being done to stop the people behind these schemes? If they are asking for money, there must be a trail to catch them.

    Thanks for your great articles!

  27. Hatryst

    Hey, is that screenshot real? You installed the fake antivirus just to see how it is to be removed? Now that’s pure Geekness ;)
    (or maybe it’s a VM!)

  28. toz

    Easiest way to get rid of it is to boot into Safe Mode with Networking, run MBAM, update, and scan.

  29. Charles Bucolicowski

    Even simpler tip: get Ubuntu.

  30. Bluto

    MSSE is a great tool but has anyone found that it runs chunky and is a bit of a resource hog?

  31. Col

    Do people still use microsoft windows?

  32. Philip Kane

    Why do the Linux trolls keep popping up like malware with their boringly repetitive comments on what is very obviously a Windows forum?

  33. Silas

    @Col – only about 90% of the population. The other 10% are Linux users who think they are so cutting edge and unique that they feel they must populate discussion boards with saying how cutting edge and unique they are because they use Linux.

  34. Squirles

    This may have been stated already but I have all the people that I work with just pull the electrical plug and then restart the computer. Hold the F8 button down and boot to last known good configuration; that works good every time providing that the user did not power down with the shut down button. I have used a lot of the other suggestions here in the post and they also work.

  35. Mudslinger

    My rescue remedy: (and yes it does involve linux) and I apply this to all my computers that get an infection.
    Using a version of linux that runs off a liveCD/DVD (most common ones are ok – knoppix is a pretty good one for this).
    Start the computer up with the linux LiveCD/DVD – perform a backup of the files that are still readable/copyable. With a LiveCD running this will make sure the virus/malware can’t actively interfere with your attempt to backup files and modify the system.

    Either using the linux disk partitioning tools or by using the windows setup discs afterwards – reformat the hard drive so the previous drive data is wiped.
    Install a clean setup of windows. (setup two types of users – one administrator – the other a limited account – use the limited account for all daily tasks)
    If possible – keep the windows install offline and manually add all the service packs for it. Slap on an official copy of your antivirus and anti-malware applications.
    go online and get all remaining updates for windows & your security applications.
    Restore your data & run virus scans over your data in the process to check if any infected files found their way into the backups.

    It’s a bit of a procedure but I find this my most effective way to clean up an infection. I can’t be stuffed dicking about with just trying to remove the infected bits – as the malware these days are so stubborn to remove and/or detect once they are actively running. – Save yourself the headaches and just backup/wipe/reinstall/restore.

    The choice of operating system you choose to install after doing the data backup is a choice I leave up to you (after all you’re gonna be the one putting up with it!).

  36. Akshay

    The best tip you can offer to this is: Switch to Linux or buy a Mac.

  37. Rizla

    @Silas That cheered me right up, i literally lol’d, nice 1 thx :D

  38. Rizla

    I found that opening task manager and killing your browser works every time, then run some scans to be sure, but I have never had any trouble doing it that way

  39. Sebastian

    @ Marty Kaye: don’t forget checking the hosts file.

    To complement my earlier response, good article! Especially the tip about renaming the executable of the cleaning tool: simple yet brilliant! I know my way around computers very well but this is a new one (the tip) for me :)

  40. TheGift73

    You can always try renaming the .exe to .com. Malware writers can be pretty lazy when it comes to code and they sometimes forget about the other ways of executing a file.

  41. TheGift73

    As in renaming Malwarebytes.exe to Malwarebytes.com. Sorry, should have made that clearer, but you know what I meant.

  42. C_3PO

    AVG Rescue Disk saves the day for me on many occasions! Having cleaned most of the Malware out I then proceed to use Malwarebytes followed closely by the excellent Super anti spyware! MSE is in my book the best out there, no hassle 100% protection, any prats give credit card details out still DOH!

  43. Poetstorm

    I had one of these hit me on 64 bit Windows 7. I downloaded a program called “rkill” which when run killed the processes for the fake AV, and then I was able to run MBAM, full scan, and all good. From what I hear some of these come in with rootkits tied to them which means even if you get rid of the fake AV, you could still have a rootkit or some sort of worm. So just to be safe, I ran MBAM every night for a few months and watched my processes, CPU and mem usage very carefully to see if anything else suspicious was happening. I got lucky though.

  44. Paul

    Depending on the malware your pc is infected with, safe mode and system restore may not be of any use. A trick I like to use is pop in a Linux live cd and boot from cd. Most of the Linux distros mount your c:\ drive by default. You can go clicking away and clear out *most* remnants of the malware. Keeping one of these handy is also useful in recovering your data if Windows crashes and refuses to boot.

    Also, when searching Google for AVG pay close attention to the url you select. I’ve noticed the top few are often not AVG. If in doubt download it from Cnet (download.cnet.com)

    Cheers

  45. wbrown

    We’ve used MBAM and spybot S&D at work to remove these from several users’ PCs. Spybot has a nasty habit of cleaning the infection and corrupting the .bat file leaving you with a no-boot situation. PITA to edit or replace if you happen to be at a remote location and away from your stash of disks and/or files. This article may well make it into our ‘self help’ archives for off-hours users and wanna-be’s. :)

  46. John Chorley

    I would stick with using Microsoft Security Essentials. Avoid AVAST at all costs; last time I used AVAST it said that my wireless internet adapter and its drivers were viruses and disabled them. It took about 5 restarts to get it working again.

  47. delukze

    omg! i lost my last laptop cuz of those fake virus popping all over tha place, i didn’t know what to do. I just bought a new laptop.

  48. Dominic

    the best way to deal with this is to buy a real time malware program like Superantispy, Malwarebytes, and Ad-aware. that way you’ll never get it. it’s like wearing a condom, duh!

  49. w29

    Use Linux.

  50. turbogoose

    Safe Mode with networking is often disabled by the rogue antivirus programs ~ a computer will begin to boot into safe mode, then restart and take you back into normal Windows. As another workaround, I have discovered that many rogue antivirus programs only “take over” on the specific profile they started in. If you have multiple users on a computer, you can often log into one of the other user accounts (as long as they’re admin), get to IE, run a legit antivirus, MBAM, etc., and get the rogue program cleaned off.

  51. kevalin

    @akshay: Can’t speak for Linux, but if you persist in believing that buying a Mac is going to keep you safe from viruses, you’re going to wake up someday to a very nasty surprise.

  52. Francois

    Go to Start/Run, type in msconfig. Go to Startup and untick the offender from the list. Restart PC and it should not bug you again. (Place a tick in the configuration utility window when it pops up to stop it doing that every time you restart.) You can now scan for spyware with SpyBot S&D or Malwareblaster to get rid of it.

  53. ryan

    The easiest way to avoid these malware netjackers is to limit your main user account as a non-administrative account, after setting up a 2nd password protected Administrator user. If the malware needs to install, and your user doesn’t have admin rights, the most it can do is prompt you to put in your admin user name and password. If you are shopping the latest gizmo and you get that prompt, you’ll know something is trying to jack your system. This does mean that when you DO want to make a system change on purpose, it will take you 5 seconds longer than you are used to, but takes much less time than searching the net for how to remove the virus once you are infected. (Mac and Linux require you to put in an administrative password to modify the system by default, even when logged in as the admin user)

  54. Meghan

    It’s not 100% correct to say “Boot from it, run a scan, and then your PC will be clean”. There’s no guarantee that the scan *will* clean your PC. It might, but it might not. I personally would be planning on a reinstall. And that’s one reason that cloud storage and/or backups are so important.

  55. Mercman5_0

    On a lot of these fake anti-virus malware programs they put a shortcut on the desktop. I open the file location from the shortcut and find the file. I then go to security and then to advanced. This will allow you to make advanced changes to the user rights for that file. Click on change permissions then edit for each user listed. Check deny on traverse folder/execute file. At the end you should have twice as many entries showing up as before. Make certain that you are setting the permission on the file and not the folder and that you only click deny for traverse folder/execute file. Once you have done that you can just reboot and the virus won’t be able to run. You can then delete the file and run malware-bytes or something similar to clean up anything left behind.

  56. erin

    love the goons saying that you can just remove it with add/remove programs…. do you REALLY think it’ll go that easily? No… these fake AV programs leave stuff behind and keep running in the background. Add/Remove programs is going to do nothing for you, sorry…

    Do it the right way.

  57. daneil

    @JohnMc

    “And people wonder why I use Linux. If I had to go thru these mechanics to use my pc, just to remove the offending software I would have already tossed the hardware out the window long ago.”

    Linux is not immune. Linux is such a small portion of the computer market that most virus developers won’t/don’t target them. For their schemes to work, they need to target the OS’s people are likely to use.

  58. JerryR

    My kids used to get issues like these… they learned to stop however, as the fix I always applied was to blow away the drives and do a full reinstall of the OS. Putting the programs back on was up to them. Stuff not backed up? Sorry. Lost all your saved games? Pity.
    I haven’t dealt with a virus on their PCs in 2 years now.

  59. Alice

    1 – it can be proven that even touching that kind of popup causes the actual execution of the code. That’s why it goes away: it has already executed its malware. It may not block what it SAYS it will block, but it has done damage all the same. It may simply have written itself in the exceptions list of your AV software!!!

    2 – Renaming anything to Explorer.exe is not a wise choice. The concept may be good: that malware doesn’t want to kill explorer.exe – but the ramifications of having two “explorer.exe”s on the system could cause other foul-ups with a good AV software. Remember, there is a registry involved!

    Additionally – consider that renaming an antivirus program – or any program – to avoid malware, does not resolve the malware issue. It only covers it up.

  60. Doc

    @Lupus: If the infection blocks DNS to send any site you visit to *its* site, you can’t download anything, duh. Nor could you run Remove Fake Antivirus to remove it.

    Best fix: Load Windows into Safe Mode, then use an app like CCleaner, Regedit, or Startup Control Panel to check for new entries in the Startup section. Most of these will auto-load their garbage into a fake “Windows Security Alert” icon in the tray you can’t shut off (because you can no longer load Task Manager), and removing the startup item (it likely links to an unlikely EXE, like one in the user’s Temporary Files folder), will prevent it from loading again.
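The startup check Doc describes above (a Run entry pointing at an odd EXE in the user’s Temp folder) can be triaged offline. The following is an added example, not code from the article or any commenter; the registry output it parses is a constructed sample in the shape of `reg query` output, and the value names and paths in it are made up.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample shaped like `reg query HKCU\...\Run` output.
# The entries are invented for illustration; the odd ones mimic what a
# rogue AV drops: a random-looking name living under the user's Temp folder.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Adobe ARM   REG_SZ    "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    kjhsdfqwe   REG_SZ    C:\Users\alice\AppData\Local\Temp\kjhsdfqwe.exe
    AVG 2011    REG_SZ    C:\Users\alice\AppData\Local\Temp\rtv\avg2011.exe
"""

# One value per line: <name>  REG_SZ|REG_EXPAND_SZ  <command>; names may contain spaces.
ENTRY_RE = re.compile(r"^\s*(?P<name>.+?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.*\S)\s*$")
TEMP_DIRS = {"temp", "tmp"}


def parse_run_entries(reg_query_text):
    """Yield (value_name, command) pairs from reg-query style text."""
    for line in reg_query_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("name"), m.group("data")


def executable_from_command(command):
    """Pull the program path out of a Run value (quoted, or bare up to .exe)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"^(.*?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def in_temp_location(path):
    """True if the executable lives under a Temp/Tmp directory or %TEMP%/%TMP%."""
    p = PureWindowsPath(path)
    if p.parts and p.parts[0].upper() in ("%TEMP%", "%TMP%"):
        return True
    return any(part.lower() in TEMP_DIRS for part in p.parts[:-1])


def looks_random(name, min_len=6, min_vowel_ratio=0.2):
    """Flag names with almost no vowels, a common trait of auto-generated droppers."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < min_len:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < min_vowel_ratio


def triage_run_entries(reg_query_text):
    """Return the entries worth a closer look, each with the reasons it was flagged."""
    findings = []
    for name, command in parse_run_entries(reg_query_text):
        exe = executable_from_command(command)
        reasons = []
        if in_temp_location(exe):
            reasons.append("temp-location")
        if looks_random(name) or looks_random(PureWindowsPath(exe).stem):
            reasons.append("random-name")
        if reasons:
            findings.append({"name": name, "path": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_REG_QUERY):
        print(f"{f['name']!r:14} {f['path']}  <- {', '.join(f['reasons'])}")
```

On a real machine, feed it the output of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` (and the HKLM equivalent) captured from Safe Mode; the heuristics are hints for a human, not a verdict.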

  61. Eileen

    I received something similar on my computer and it went under my HP prompts that let you know when an update is needed so I didn’t think for a minute it was something corrupt. It held my computer hostage and completely took over my anti-virus. (Microsoft Essentials) I didn’t have time that morning to do anything and it wouldn’t let me get into my anti-virus so I just shut down the computer. When I came back to it later that afternoon, a Microsoft Essentials message had appeared and advised me to do a scan and it took care of the problem. I love Microsoft Essentials and especially because it is free. Yeaaaaa!!!!!!

  62. rebul

    You’re supposed to turn off system restore. That’s the very first step if you can get to it.

  63. Jerec

    I don’t recommend Microsoft Security Essentials at all. One of their last updates doesn’t work well at all! if you are using a motherboard with nvidia chipsets. It will make the whole system completely unstable.

    I personally like avast.

  64. Just Joe

    I hate when people write in comments like “Add/Remove worked for me!” Or things like, “Well, gee, you should just run Microsoft Security Essentials, & it will clear things up!”

    The reason this article exists, is because sometimes users cannot use add remove, nor ccleaner, nor any antimalware or antivirus application because the malware BLOCKS it!

    Additionally, hosts file & registry redirects can block searches, redirect all searches to google.com (in dutch), & don’t forget about BHO, Running Tasks (on startup) etc.

    Malware can even load with safemode by modifying winlogon.exe & injecting themselves into legitimate processes such as userinit.exe, explorer.exe etc.

    People, don’t diss the help here. It is free, it is simple, & it works (most of the time).
    I was appalled at the high number of people here who think simply running an uninstaller “works”. As if you can trust a fake malware to really uninstall! These are the people who are highly at risk for having backdoor trojans, or rootkits such as Alureon deeply hidden on their PC.

    As for the user who suggested running a separate user account with reduced permissions, that doesn’t always work either! The reason is because ANY process that you give full permission to run can be set to give all the other OCX/DLL/EXE processes associated WITH that program full permission to run also.

    I have seen 1 executable unload up to 17 malware processes (in testing). Do not tell me that setting permissions is a “great way to stop malware dead!”

    First, that requires the user to be smart enough to know not to let “Hey, AVG 2011 is attempting to install on your computer to protect you from viruses (fake version). Let it run? YES!”

    Additionally, it also doesn’t take into consideration that once you give 1 file permission, EVERY file associated WITH that program can also run in elevation depending on how they are coded & integrated.

    So if you’re one of those hoping to post how you can just end it all with task manager, or run some process to kill all the malware, DON’T! With major malware, task manager is blocked from running, as is registry editing, as are other areas of the computer.

    The man who wrote the info above likely encountered things like this, & is a little wiser than some of you give him credit for. I decided to clear up some of the confusion here & get things straight. I was definitely appalled at the so called “Computer Experts” trying to give advice here!

    Hope you all have a nice day, & do be sure to take the man’s advice. He seems pretty smart!
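Sebastian and Just Joe both point at the hosts file as the place where search and download redirects get planted. Below is an added example, not from the article or any commenter: a small checker that parses a hosts file and reports watched hostnames that are either redirected to some other address or blackholed to loopback. The hosts content is a constructed sample and the addresses in it are documentation ranges, not real infrastructure.

```python
import ipaddress
import sys

# Constructed hosts file. The first two lines are the normal Windows defaults;
# the rest mimic the kind of entries a rogue AV plants to keep the victim
# from reaching search engines and security vendors.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.google.com google.com   # search redirected to attacker host
203.0.113.10    www.bing.com
127.0.0.1       free.avg.com download.cnet.com
0.0.0.0         www.malwarebytes.org
192.168.1.20    nas.home                    # legitimate local entry, not flagged
"""

# Domains the victim needs to reach for help; taken from names this thread mentions.
WATCHED_DOMAINS = (
    "google.com", "bing.com", "yahoo.com", "microsoft.com",
    "avg.com", "malwarebytes.org", "superantispyware.com", "cnet.com",
)


def parse_hosts(text):
    """Yield (address, hostname) pairs; handles comments, tabs and multi-host lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # skip malformed lines rather than guess
        for host in fields[1:]:
            yield addr, host.lower()


def watched(hostname):
    """True if hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text):
    """Return (hostname, address, kind) for every watched name the file overrides.

    kind is 'blackhole' when the name is sent to loopback/0.0.0.0 (site just
    fails to load) and 'redirect' when it is sent to some other address.
    """
    findings = []
    for addr, host in parse_hosts(text):
        if not watched(host):
            continue
        kind = "blackhole" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        findings.append((host, str(addr), kind))
    return findings


if __name__ == "__main__":
    # Pass a path (e.g. C:\Windows\System32\drivers\etc\hosts) to check a real file.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for host, addr, kind in find_hijacks(text):
        print(f"{kind:9} {host:28} -> {addr}")
```

A clean Windows hosts file has no active entries at all (or only localhost), so any watched name appearing in it is worth treating as a finding regardless of the address.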

  65. Pmheart6

    Oh, all these cutting edge linux users. I was a linux user back in 1993/4 with kernel .99f or so…

  66. Haas

    I recently had this problem; all my virus scanners were “infected” and Microsoft anti-virus was just blocked. It overlaid my windows 7 hud so I couldn’t do anything except what the virus wanted me to do.
    Safe-boot was disabled, but my rescue was Directory Service Restore Mode; this was not disabled so I booted into this and did a full scan with like all free anti-virus programs.
    That didn’t work. And then I did combofix and after that again anti-virus/malware scans. And finally it was cleaned.
    Virus came from a game, Dungeons, that I wanted to buy but test first since the demo crashed. And I read very bad reviews of that game.

  67. eax

    I had a fake antivirus which closed all programs except the explorer.
    In the fake antivirus I took something like “get full version” or something (I can’t remember) where it asks for an email address and credit card number, so I put a fake mail address and some numbers for credit card and the program blocked so I could run task manager… hahaha
    that worked for me.

    sorry for typing errors
    greeting

  68. Jimmy

    Use Linux and all your problems will be solved. Simple.

  69. spoko

    Use Linux and your problems are just beginning. Obvious.

  70. Brian

    My daughter’s notebook had AVG2011 on it (the fake anti-virus malware mentioned above). I downloaded the then-current “Dr. Web” ISO image and booted her notebook with that. It found and fixed 14 problems. I then booted into Windoze, uninstalled a variety of anti-malware programs which had been installed, then apparently deactivated on her machine (local computer shop who apparently didn’t know what they were doing), then installed MS Security Essentials which found and fixed another 2 issues in its quick scan – including identifying AVG2011 as the culprit. A full scan followed just to make sure all was well, and voila, her notebook was as good as new.

  71. edmenje

    I’ve done the SAS/MBAM duo on other people’s computers, and my own in the past, but if I do manage to get a drive-by infection now I will simply pop in my Macrium Reflect image restore CD and simply restore the most recent image from my D: drive…easy peasy. Did this once so far, and it is a lot faster than all of the steps I have to go through otherwise. My “Documents” folder is on a separate partition, and I also back up my files to an external drive and/or Dropbox on the regular.

    If I’m planning any risky browsing I will usually run my browser in a Virtual Box install of Xubuntu or XP so if it does indeed catch an infection I can just remove the virtual machine and make a new one. Sometimes I will be actively seeking viruses so I can set up a demonstration for computer classes I will soon be giving (the demos WILL be done on a VM).

  72. pwltho

    I successfully get rid those ****ing malware using combofix on several windows PCs

  73. Piotr Krzyzek

    I must say, well written chap! probably one of the best written how to remove crapware articles I’ve ever read.

    Now that I think about it, I should go run all the above applications on both of my parents’ computers just in case anyway. Who knows what kind of `stuff’ they’ve accumulated on their after a while :)

    Are there any programs to run from a linux live cd?

  74. thomas

    When all else fails use Hiren’s Boot CD. It has everything you need on it and it even boots into mini XP mode.

  75. Ryan

    I had an issue like this a couple weeks ago. It force closed any programs I opened and, believe it or not, still ran in safe mode. The trick (I didn’t know about or try the explorer.exe thing): Since explorer still ran, I was able to go to Control Panel and create a new administrator account. When logging into that account, the virus did not start correctly and I was able to run spybot and MSE. Spybot quickly found the directory with the virus and I manually deleted the entire contents of the directory (it was in Temp). After that, all scans turned up clean and I deleted the extra account.

  76. Mark

    I quickly reboot the machine, open up Task Manager immediately and then kill the process that is running the fake AV. It’s usually listed as a 9-character process that just doesn’t look right. Then I scan. Done!!!

  77. dancingman

    My laptop locked up with “Black screen of Death”. Could not get to boot sector, just a black screen with cursor. No mouse, no anything. I found an old 2004 entry someplace that said do a “Hard Boot”. I may have the name wrong as I am not a Geek. Just a wannabe. I hard killed the computer by holding the power button for 15 seconds and unplugged the power cord and all peripherals. Then removed the battery and again held down the power button for 15 seconds so as to shut down any hidden programs running in the background. I then reinstalled battery only and when I restarted my computer I was able to hit F2, F12, F8, whatever I needed. I am now running a full system scan and hope to find the problem.
    Hope this helps someone. Bye, Dancingman

  78. Dutch70

    Beginners should always try Malwarebytes Anti-Malware before running Combofix.
    If you don’t know what you’re doing with Combofix, you can really mess something up.

  79. WR41TH

    @JUST JOE : THANX..the best advice/comments yet from all of the above..appreciated.

  80. BBM

    At present we don’t have 100% assurance from any AV product that they can provide protection against numerous threats that come up every day. The threat impact can be reduced only by cautious usage of the system. I would just like to summarize the guidelines which have been advised by few of you for safer usage.

    1. Always run your system with non-privileged (NON ADMIN) accounts.
    2. Do not install any untrusted software from the internet. If you need to install any software, ensure that it is legitimate by submitting it to online scanners like (www.virustotal.com).
    3. Password protect your admin accounts.
    4. Protect your system from accessing malicious sites. Use SiteAdvisor or WOT, which can advise about a site's rating.
    5. If possible always browse from Sandboxie (http://www.sandboxie.com/). This allows isolation of activities due to browsing. No history, no cookies, no trace saved on the system.
    6. Do not open external devices by double clicking on them. Always use the explore folder tree option.
    7. Scan external devices before opening them. Always keep your AV up to date, including the patches.
    8. If there are enough resources available, use a virtual system by running VMware Player or Microsoft virtual system. You can just play around in it and revert back to any stage you have previously saved.

    Thanks.

    BBM

  81. RaZgRiZ

    Well, assuming you are a sane user with a few brain cells intact and you’re careful where you browse and what you execute, there is a big chance you’ll stay safe even with no protection software installed. Personally though, one bad hit will be enough for something to start installing without prompt, and on the next boot you’ll be getting all those things described in the guide, and more. Disinfection techniques for rogue protection shovelware mostly depend on the type of fraud though, so it’s best to see online what is advised in each case.

    For any advanced users out there, give COMODO a go. One of the best free choices in the market, and with possibly the best security guarantee, for those who can handle it. It’s not a program for the average user, yet it’s not something hard to master. The firewall does an astounding job and the Shield+ is basically an all-around protection layer which will notify you of any suspicious activity in the system, depending on the settings. The AV can be used as a standalone scanner, in any case, and I might say that it’s also fast, though I haven’t been even “simply” infected with any kind of malware in the past 2 years to give my personal opinion on its effectiveness.

    RaZgRiZ out, surf safe.

  82. jed

    Wow, all of these suggestions sound complicated. Here is my easy fix: start your computer in safe mode and uninstall all the AVG programs. Next go to the Microsoft website and find their malware removal tool, download it and hit run, and then it removes the malware from your computer. Then restart your computer the way you normally would and all malware will be gone. It took me about 1 hour or so to complete this. And then next, do not go to AVG at all for antivirus needs; use Microsoft Security Essentials, it’s free and works great and updates each day.

  83. charlie

    I highly suggest switching to Linux, especially Ubuntu. It is getting more and more user friendly and there is a thriving Linux community to help you out when you need it. I recommend going to ubuntu.com and making the switch today. No viruses can be written for it.

  84. Louis Payton

    My best success has been to use the Restore function. An additional comment for the users that suggest switching to Linux, Ubuntu or Mac. There are reasons why the vast majority of users use windows based OS. It is a winning balance between cost and need fulfilment for the majority of users.

  85. Scot

    One of the first things that I always do when I see an infection is boot into safe mode and open the registry. I then go to HKEY_LOCAL_MACHINE\software\microsoft\windows\current version\run and I look for anything that might be set to look into a profile. Find the location that is pointing to and delete the file. Usually these things run off of one executable file. Afterward I install Malwarebytes and run a full scan.
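    The manual Run-key check Scot describes, as an added read-only PowerShell example that is not from the article or from any commenter: it lists the autostart values under the Run and RunOnce keys and flags any whose executable sits inside a user profile or Temp directory (the directory list and the CHECK/MISSING labels are this example's own assumptions, not a rule from the page).

```powershell
# Added example, not from the page: report autostart entries that point into
# profile or Temp directories. It only reports; nothing is deleted.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: legitimate autostart entries rarely live in these directories.
$suspiciousDirs = @('\Temp\', '\AppData\', '\Local Settings\',
                    '\Documents and Settings\', '\Users\')

# Provider metadata properties that Get-ItemProperty adds to every key.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExecutablePath {
    param([string]$Command)
    # Pull the executable out of a command line, quoted or unquoted.
    if ($Command -match '^\s*"([^"]+)"')    { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)')   { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -in $metaProps) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables(
                   (Get-ExecutablePath ([string]$prop.Value)))
        $inSuspectDir = $suspiciousDirs | Where-Object { $exe -like "*$_*" }
        $status = if ($inSuspectDir) { 'CHECK' }
                  elseif (-not (Test-Path -LiteralPath $exe)) { 'MISSING' }
                  else { 'ok' }
        [PSCustomObject]@{ Status = $status; Key = $key
                           Name = $prop.Name; Target = $exe }
    }
}
```

    A CHECK entry is a candidate to look at, not proof of infection; confirm the file before removing anything, as Scot does by locating it first.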

  86. Jack

    Yes, I am a Linux geek, but as superior as many Linux geeks want to think they are, they are just annoying if they flaunt it to non-geeks.

    If they want to think they are superior, so be it. But they need to remember, Windows is a WONDERFUL billing opportunity. :) …

    Still I would not want Windows to run my life support system, or pacemaker. It does make me a bit nervous seeing ATM machines with BSOD or Windows login screens staring out to the public.

    I don’t downplay the importance of Windows to customers that are M$ bound, but for those that are open to different solutions, I suggest Mac if they are $$ flush and not geek oriented. If they have any technical computer interests, or if their use is especially applicable, I do suggest Linux. Typically UBUNTU, but it is starting to get almost as bloated as the M$ systems, so I am looking for another distribution that is a good desktop solution. … But that is on a different track.

    Back to the issue at hand, getting rid of Malware on M$ systems. … It doesn’t always work, but powering off the machine as it keeps trying to install more, then reboot into one of the myriad of restore/recovery disks listed above, or going to a previous restore point (sometimes a long time ago). I spend a couple of days running all kinds of malware removal and antivirus software, and in the end leave one or two, plus install M$ Security software (free and runs real-time checking, and scans). I also install all the M$ updates that have normally not been done, update Acrobat Reader, Flash/Shockwave and other software the customer already has. Cleaning up the disk in various ways, working on swap/page files, defragging, and scandisk, often several times. This takes quite a while.

    On any scanners if it can send email if something is found, I have the email sent to me, not the machine owner (with the owner’s permission). This way I know if they are having issues.

    Normally I work for the ‘LOL’ in the area (little old ladies, and men too, but mainly anyone that needs help). When they ask, I tell them I charge nothing for non-out of pocket expenses, but do take donations to help keep my geek stuff updated. A typical donation is more than I would feel good asking for, but still way below my consulting rate if I was to charge them. Some of the LOL are on fixed income, so if I get nothing that is OK. Sometimes donations are nice casserole or home made bread, sometimes cash. … But I NEVER count the donation in front of the customer, so I don’t give them any hint as to my reaction, but I do thank them for whatever they donate. … In many ways this is my way to give back to the community for a good life and career.

    Sometimes I must suggest more memory and/or disk space, and install it for them and get it working. On rare occasion, I do suggest getting a new machine and moving to it, but it has to be very seriously out of horsepower before I do that. I try to talk folks into giving up AOL if possible, but with some of our LOL that is what they know and want, so I just try to make it run as well as it can.

    Once that is all done, if they have a laptop I suggest we install Prey (preyproject.org), backups using crashplan.org to an external drive or better another machine they own that they leave on with an external drive (bigger the drive the better) :) … and just backup ‘user data’, and don’t worry about the system or programs. If they have multiple computers I suggest we install dropbox.com (or ubuntu one if they are Linux users too, … ubuntu one’s windows client isn’t ready for prime time .. yet :)

    At our house, we backup all machines to a TB drive on a Linux box that stays on.

    I hope this helps someone. …

    Linux geeks, don’t dis the Windows folks. You don’t have to run it, and it is their preference, just not yours.

  87. Novice Man

    Well said JACK!!!!!

  88. janet

    Just wanted to stop by and say thanks for this site and forum. Had a fake antivirus that blocked the internet access and was demanding my money to buy their product. I got the best advice here and got SuperAntiSpyware and it is the best. I also use Malwarebytes and it all worked.
    Many Thanks

  89. Charles

    Please note that even with extreme vigilance, you can get hit by these fake antivirus malwares.

    This includes having Active-X and Java scripting disabled, Firewall in safe mode and anti-virus active resident shield on, SpyBot fully immunised hosts file, and browser safe scanning toolbars enabled.

    You don’t have to click on anything, just visiting a normal site that is infected is enough to infect your computer.

    The people who generate these malwares spend a lot of time working to circumvent all known security measures. You can make it more difficult for them to work, but the latest variants can usually get past anything.

    Malware Doctor wrecked my XP Sp3. I tried to clean it with latest MalwareBytes database, and it simply wouldn’t reboot, causing an OS re-install, or in my case replacing XP with Win 7.

    Next time it happens to someone else or you, don’t try and blame them or yourself. It’s probably not their fault, and it might well not be your fault in any way either.

    The best is to hit the reboot button as quickly as possible, turn the PC off without rebooting and run e.g. a Bit Defender fix CD, hopefully fairly up-to-date!

    Time was when I have fixed some of these manually either with a Linux Live DVD, Bart PE or ERD Commander, but the amount of damage they cause to the registry/essential OS files and added hidden files and processes these days needs a professional and preferably automated repair!

    And keep your OS install disk/serial number handy just in case the worst comes to the worst and you have to (or get someone else to) reinstall your OS!

  90. janet

    I recently started looking for another search engine and liked what I found on AOL. Big mistake. Since my last experience with the fake anti virus malware, I’ve gotten in the habit of running the SuperAntiSpyware program regularly and I used caution because I didn’t know AOL’s reputation. Every day or every other day I ran the SuperAntiSpyware scan I would have an outrageous 400 plus tracking cookies, and then I got this sneaky virus attack that I’ve never seen. But it was similar to the other attacks and I used the process I used before that is very simple. Not alerting the virus (by clicking on it), I tried to start my SuperAntiSpyware but it was disarmed, and so I switched users only to find my SuperAntiSpyware and my Malwarebytes were gone. I was able to quickly download them and while running the SuperAntiSpyware a small box with an exe popped up saying that the file was damaged, and it cast a fake cloudy screen saying the program quit working and asked did I want to stop the program. I clicked the x at the top of the box and the fake screen went away and the SuperAntiSpyware was working just fine. I was also downloading Malwarebytes at the same time and ran the two programs together and Malwarebytes had quarantined 9 trojan infections. So I believe this is a fairly new thing. Just a heads up. I am not computer savvy but I learn about these products on this site (and the tip to switch users). I hope this may help someone.

  91. Jenny

    I’ll tell you, anyone who went through the trouble of creating a malware program for windows is not going to package the program with an uninstaller. Add/remove programs does not work with illegitimate programs like malware. What it will do, if such a fake uninstaller file actually exists is give you the illusion of an uninstall when in reality it’s merely moved elsewhere, likely with an entirely different name and a much deeper infection. The most obvious parts of it may even lie dormant for a little while to continue the illusion. Good luck finding it then.

    The best thing if you suspect an infection is to disconnect the infected computer from any network it’s connected to, including the internet, to avoid rebooting, if possible, and use a separate computer to get a decent anti-virus installed, and create some kind of scan disk and/or boot disk.

    I personally had to literally use an entirely separate hard drive, install it into my computer, disconnect my infected hard drives, install Windows on my new hard drive, install my anti-virus program on the new hard drive along with the never-ending Windows updates and several reboots, then reconnect my infected hard drives, boot from the new hard drive and scan the infected hard drives, and even after all of that, the Windows installation on my original hard drives was irreparably damaged, but it would still boot up, which I thought was rather amazing. So because I have a Dell, I had to find out how to re-activate the Dell boot record so that I could use the Dell partition to reset my Windows back to original factory condition. Oh, and my original installation of Windows was installed to a RAID 0 configuration, which also added to the complication, but fortunately I was able to get sufficient RAID drivers to detect the hard drives properly so that I could scan them.

    In short, if your machine is infected, and your current anti-malware program cannot find or clean it, then you’re likely going to need outside help that is gotten from a system/hard drive that is not infected.

  92. Alex

    Help !!!
    Why are people like Jenny going to so much trouble “trying” to clean infections up? I say “trying” because you can never be sure it’s gone.
    Much better to install a free disk imaging program such as Paragon Free or Macrium Reflect Free and make an image of a clean system, and when disaster strikes just put that image on to clean ALL infections, guaranteed! If you are too late then reinstall and BEFORE hitting the Net do that backup.
    Alex

  93. Dale

    If you get one of these infections and you can boot to safe mode with command prompt, Malwarebytes can be installed in Vista from the command prompt and then run from there also. At least as of the last time I had tried, and that was January of this year, on a Dell Inspiron 1530 running Vista Home.

  94. Windows User

    I use an old PC that has a clean windows install on it and installed Malwarebytes, Spybot S&D, Superantispyware, Emsisoft Antimalware, Ad-Aware, PC Tools Threatfire, AVG, (All of these are free or have free versions that allow the use of their scan and remove features) and Winpatrol, which monitors your critical systems and notifies you when changes are made (also has a free version). I boot this computer once a day to update these programs, then shut it back down. This usually takes no more than 15 minutes and I do it while I’m waiting on my coffee to brew and checking my email on my main PC in the morning.

    At the first sign of one of these Fake AV Infections, (which is usually Scotty the Windows Watchdog from **Winpatrol telling me that a program is trying to make changes to a critical system resource), I turn off the infected computer, remove the infected drive, put it in my old computer as a slave drive and scan with each program. Even if the first scan finds threats, I still run the rest of them anyways. I then put the drive back in my main computer and run all the scans again as well as my Anti-Virus software.

    If the infection does somehow transfer itself to my scanning computer, (which has not happened to me yet) I only have Windows and a few programs to reinstall.

    While I agree with the above posts that state no system is 100% secure, you can never be sure that it’s gone and they can cause irreparable damage to your windows installation, I have used this method dozens of times on various computers with no permanent damage and without the Malware recurring. Like many of the above posts state, initially the Malware wants to keep your system in a usable state. It’s usually only when it is tampered with (uninstall, end process, ie) that it digs deeper and starts causing permanent damage. While this is not always true and some can destroy your system even without provocation, there are many that do not. By scanning it on a slave drive, you can decrease the chances of the Malware retaliating.

    **If you don’t have Winpatrol, I would highly recommend getting at least the free version. Scotty always notifies me even before Comodo Firewall does and even catches things that Comodo misses.

    Note: I am not an expert. I’m just a guy that searched through site after site after site following expert advice with no success and, not wanting to lose months of data by reinstalling Windows, I came up with my own fix.

    I am in no way however, saying that the solutions presented in this article are wrong or will not work. I’m just stating the method I have used that has worked for me. This article was not around when I first encountered this sort of thing so I have never tried or even heard of these methods. In fact, I’d like to thank the author for sharing these simple solutions to try before having to resort to the extremes I just talked about.

    And to anyone that’s going to post comments saying that using a slave drive is too complicated for the average user, quit underestimating people. People are smarter than you think. Anyone that’s smart enough to use Google to find this site is surely smart enough to use Google to find a simple tutorial on slave drives.

  95. Sai

    Anyone tell me how to restrict them from tracking me using explorer.exe?

    Thanks
