How-To Geek

How To Remove Advanced Virus Remover and Other Rogue/Fake Antivirus Malware

If you have a PC infected with Advanced Virus Remover, you’ll probably find that this is a tough one to get rid of. Thankfully we’ve got the instructions to help you defeat this terrible virus.

Advanced Virus Remover is one of many fake antivirus applications like Antivirus Live or Internet Security 2010, which are really just rogue viruses that hold your computer hostage until you pay the ransom money. They tell you that your PC is infected with loads of viruses, even though it’s the only virus on your computer. The biggest problem with these things is that they block you from doing almost everything—you can’t use task manager, Safe Mode, or even install a real malware removal tool.

Advanced Virus Remover is Terrible!

This thing just covers your PC with messages about viruses that they claim you have…

There are popups, messages, and just dozens of windows that open…

Their goal, of course, is to get you to pay them.

Advanced Virus Remover is tricky… if you open an application more than once, it’ll block you from opening it again, preventing you from installing any anti-malware tools (I tried both the SUPERAntiSpyware installed edition and Malwarebytes, no luck). Note that it also changes your wallpaper.

Advanced Virus Remover also prohibits you from heading into Safe Mode, where you at least might have a better chance of getting rid of it.

Removing Rogue Fake Antivirus Infections (General Guide)

There are a couple of steps that you can generally follow to get rid of the majority of rogue antivirus infections, and actually most malware or spyware infections of any type. Here are the quick steps:

Those are the rules that normally work. Note that there are some malware infections that not only block safe mode, but also prevent you from doing anything at all. We’ll cover those in another article soon, so make sure to subscribe to How-To Geek for updates (top of the page).

So, Let’s Remove Advanced Virus Remover!

Turns out that the answer to getting rid of this virus is really simple—you’ll just need to grab the free, Portable edition of SUPERAntiSpyware, which we’ve featured as our favorite must-have spyware removal tool, and put it on a flash drive (from another computer).

Then open it up on the PC, making sure to run the scan immediately. Don’t close it and re-open it, or Advanced Virus Remover will figure out what you’re doing and block you!

Once it’s all done, it’ll get rid of the bad stuff.

Then you’ll be prompted to reboot, which you should probably do.

If Advanced Virus Remover Blocks SUPERAntiSpyware

If you have an issue running SUPERAntiSpyware, you can try the following technique. Open the Windows Run box with the Win+R shortcut key, or through the Start menu. Then type in the following commands, pressing Enter after each one.

taskkill /f /im winupdate86.exe

taskkill /f /im winlogon86.exe

Note that this may or may not help… the goal is to shut down the processes that are blocking you, and malware changes filenames all the time. You can also open Windows Explorer, head into the Windows\System32 folder, and try to locate the bad processes there (check the Properties screen on some recent, odd-looking files), then use the taskkill command to get rid of them. This technique is how I usually figure out what name the virus is hiding under, so I can kill it with just a few keystrokes.
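As an added illustration of the System32 triage step just described (this script is mine, not code from the original article), the following PowerShell lists executables and drivers created in System32 within a look-back window and marks which of them are running right now, so the taskkill command can be aimed at a confirmed name. The function name, the 7-day default and the requirement for an elevated PowerShell 3.0+ session are assumptions.

```powershell
# Added example (not code from the original article): list recently created executables
# and drivers in System32 and show which of them are running right now, so the taskkill
# step above can be aimed at a confirmed name. Assumes an elevated PowerShell session
# (PowerShell 3.0 or later). It only reports; it never terminates anything itself.
function Get-RecentSystem32Executable {
    param([int]$Days = 7)   # look-back window in days; 7 is an assumed default

    $system32 = Join-Path $env:SystemRoot 'System32'
    $cutoff   = (Get-Date).AddDays(-$Days)
    $exts     = @('.exe', '.dll', '.sys')

    # Index running processes by full image path (CIM reports the path for 64-bit
    # processes even from a 32-bit shell, which Get-Process does not always do).
    $running = @{}
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.ExecutablePath } |
        ForEach-Object {
            $key = $_.ExecutablePath.ToLower()
            $running[$key] += @($_.ProcessId)
        }

    Get-ChildItem -Path $system32 -File -ErrorAction SilentlyContinue |
        Where-Object { $exts -contains $_.Extension.ToLower() -and $_.CreationTime -gt $cutoff } |
        ForEach-Object {
            # Signature status is a lead, not proof: genuine Windows files are usually
            # catalog-signed, and older PowerShell reports those as NotSigned.
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $pids = $running[$_.FullName.ToLower()]
            $cmd  = ''
            if ($pids) { $cmd = "taskkill /f /im $($_.Name)" }   # same command as above
            [pscustomobject]@{
                Name       = $_.Name
                Created    = $_.CreationTime
                Signature  = $sig.Status
                RunningPid = ($pids -join ',')
                KillCmd    = $cmd
            }
        }
}

# Newest files without a valid signature that have a live process: inspect these
# (right-click > Properties > Details) before deciding whether to run KillCmd.
Get-RecentSystem32Executable -Days 7 |
    Where-Object { $_.RunningPid -ne '' -and $_.Signature -ne 'Valid' } |
    Sort-Object Created -Descending |
    Format-Table -AutoSize
```

A file that shows up here with a valid Microsoft signature is almost certainly a Windows update rather than the rogue, which is why the filter keeps only the unsigned or untrusted rows.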

Clean Up the Leftovers!

Since I never like to fully trust a single anti-malware tool, I usually run multiple passes from multiple malware removal tools. I highly recommend running a second pass with the free edition of Malwarebytes Anti-Malware (see our previous article on how to use it).

You might notice some more messages popping up from the virus—in this case, my SUPERAntiSpyware definitions were out of date (because I wrote this article before the official portable version came out, so I was using my own hack to create a portable edition).

Just ignore any messages, and continue with the scan, letting Malwarebytes remove everything else.

At this point you’ll want to reboot your system, and then install Microsoft Security Essentials and run another full scan. Can’t hurt to be too cautious! We also highly recommend Microsoft Security Essentials for real-time protection against these types of things.

Note: If you used a thumb drive at any point during this process, you should make sure and scan that as well—I’ve had viruses hop over to the thumb drive, ready to infect the next machine.

Lowell Heddings, better known online as the How-To Geek, spends all his free time bringing you fresh geekery on a daily basis. You can follow him on if you'd like.

  • Published 01/20/10

Comments (32)

  1. Bill

    I actually had to remote into a PC to get rid of this yesterday. Internet Security 2010 it was called.

    Couldn’t run smitfraudfix or combofix. Was able to install mbam by renaming it; installed it, ran it, found about 100 items. Rebooted with a quick scan and found a few more things left over. Another reboot and a clean bill of health.

    All in all, about an hour process. Thanks for the writeup, I just grabbed the portable SAS. Great app.

  2. Bailey

    Thanks again for all your help on this. It worked like a charm. The computer is, from what my co-worker tells me, “working lightning fast for the first time in a long time.” We both thank you. Take care.

  3. Bill Bird

    Good advice. If you’re still able to install applications, I like to install CCleaner, and at work I delete any domain profiles, to make the scans run faster (fewer files to scan). I also started using rkill, which you can download from bleepingcomputer.com. rkill stops processes from known malware.

  4. Matt

    You would think their credit card processor would shut them down. Visa, MC, etc. all have this capability.

  5. gyffes

    If you can (install and/or run it), I find Process Explorer more useful than the generic task manager for finding and killing the rogue processes, especially the “kill process tree” feature.

    Spent several days recently fighting with a “Malware Defender” infection. Nothing was seeing the files ’til Combofix (run off USB flash drive). Even Combofix didn’t work ’til I gave in, reconnected to the ‘net and allowed CF to update. Once updated and full-powered, Combofix worked as advertised.

    Note, too, that a lot of these malware/trojans/whatnots are stashing themselves in the recovery files and in the /drivers directory; wipe them out with one pass and the bloody OS merely rebuilds them. While I hate this cat and mouse game, you have to admire the ingenuity that’s waging this war against us.

  6. nakul

    I think last week while I was fixing computers at work, one of them had this and it was giving me tough luck. It also redirects any website to some other fake websites. Whenever I tried to open a site it took me to some other, so I was not able to download the latest tools. I used msconfig to disable everything and the website redirection was fixed, and then downloaded the latest tools, scanned in safe mode and got rid of it.
    I also recommend you try Kaspersky Virus Removal Tool; it is portable too and updated daily, I believe. Just Google for it and get the one at Softpedia.

  7. The Geek

    @Matt

    Yeah, no kidding! I really don’t understand why the government or at least the credit card companies don’t instantly shut these people down, and report them to the feds.

  8. Nolan

    For the past couple months it has been very common for these types of viruses to infect/replace storage drivers. So make sure you’re checking/replacing atapi.sys, iaStor.sys, and nvstor.sys (depending on what your system uses) with a good copy. Or if you find that you’re getting 0x7B BSODs after running removals, the scanner probably deleted the infected copy, but didn’t replace it with a clean copy.

  9. Gene

    Thanks for an excellent article, I’ve copied and saved it for future reference. Having wrestled with this virus on my own PC and others, I was glad to see I was not alone. It seems to me the people who create this type of viral malware are just common thieves or worse. They waste tremendous amounts of time and resources (money) just to try and force you to their “product”. And our congress tries to regulate the volume of television advertisements. Voice your concerns to your representatives to end this – no wait, on second thought keep the government out of the web, we’ve all seen them in action!!

  10. TurraTech

    Had tried all the above methods this week on a machine nothing worked, no Safe Mode, 2 USB thumb drives infected nothing would work, finally had to give up and reinstall. This is getting to be a pain, hurry with the next article I have 2 more machines with PC Security Tool on them that need fixing.

  11. Brian Anthony

    The best program to use to get rid of malware/viruses/trojans is A-Squared; it finds things MBAM and others do not. I’ve tried almost every AV software out there; A-Squared is by far the best.

  12. josil

    We had a horribly infected Dell that was, after much work, finally clean. But, it took a number of steps where some worked and others did not. The source used to kill the infection was “help” from the Malwarebytes web site. They said they run into this affliction again and again, and so they have a lot of experience in what works and, when it doesn’t, what to do next.

  13. Robert

    Good article, yes. However, there is one little trick that you missed, that I mentioned on a different post that was similar to this one. When it pops up with the error message saying: “Application cannot be executed. File is infected.” ..etc… Simply *MOVE* that message box to the corner of the screen, and you can install SuperAntiSpyware just fine.

    There appears to only be one instance of that “error message” that will run at any given time. You will get multiple errors, you won’t get that obnoxious sound that computer makes when it tells you that you can’t do that…. Now, if you hit “OK” you’re just asking for a headache.

    On another note… I just got done cleaning a friend’s laptop; he had one of these rogue AV nasties on it. It never gave me the “file is infected and cannot be ran” error, but it was a pain nonetheless. I managed to run SuperAntiSpyware first thing; after I went to reboot the computer – per the instructions of SAS – I was not able to log back into the computer. Every time I’d punch in the password and hit enter, it would attempt to log into Windows – but in about 1 sec or less it would be logging me off. Well, it turned out that the virus hacked the registry and changed the entry that points to the userinit.exe file to point to winlogin32.exe (or something like that). Well, SAS didn’t correct the registry entry, and I was up a creek without a paddle. Eventually I found instructions on how to boot the computer up using BartPE and hack the registry back to normal using its tools. Anyway, this was a new one for me, so I thought I’d share – I spent quite a few hours trying to figure out why I couldn’t get logged back in, and for that matter how I was going to boot the computer so I could edit the registry. Oh yeah! I didn’t know the Administrator account’s password, so no, I couldn’t use a Windows install CD and boot into the recovery console. …and no, I tried using Ophcrack to pull the admin password – but it failed to do so. Anyway, that was my past couple of nights :)

  14. Techie

    Good tutorial! I worked on an XP computer last week that had the virus Bill mentioned above, Internet Security 2010. Very nasty! It had similar popups everywhere, the wallpaper shown above, it disabled all executables, the task manager, and when you tried to boot to safe mode, all you got was a STOP error blue-screen. I was able to remove the main infected files using a bootable AV CD, and then clean it further using Malwarebytes and SAS. I wasn’t aware of a portable version of SAS, but that’s good to know about. The bleepingcomputer.com site was helpful for the IS 2010 virus and has screen shots of the popups for that particular virus.

    Thanks for this How-to article!

  15. The Geek

    @Robert

    That’s really interesting, I will have to check that out!

  16. Billy

    You guys, gals are the best. I visit this site daily because it is so full of good information. My system consists of Malwarebytes and AVG and I have yet to have any problems. I have however had to run Malwarebytes on my mother’s PC and found many problems. I have also helped two friends with the same scareware and have eliminated it from their PCs. Great articles here and great information. Keep up the good work!

  17. joel

    Revo Uninstaller worked for me on hunter mode

  18. Dave

    I found another rogue antivirus called “personal antivirus”.
    It would not allow Malwarebytes to install or run. But you can run it by renaming it:
    Renamed mbam-setup.exe to something like 1bam-setup.exe.
    And mbam.exe, must be renamed to something totally different, such as “ex.exe”.
    (using “1bam.exe”, it was still blocked).
    Then you can run it and remove the virus.
    And then rename mbam.exe, back to mbam.exe
    Then it’s good to run a few more thorough scans, to make sure the machine is clean.

  19. Techie

    This was helpful for the Windows logon loop Robert mentioned above. I used to give up and re-do the computer when I ran into that, but I used a modified version of this solution for the last two virus-ridden computers, and it worked to get back into Windows: http://www.troublefixers.com/windows-logs-off-automatically-while-login/. (I’m not sure if links are allowed in the comments, but this was really a life saver for me.) They recommend going into the registry over the network, but I used a bootable CD tool instead to access the registry and fix the userinit.exe value.
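The userinit.exe hijack that Robert and Techie describe above has a definite shape, so here is an added PowerShell check (mine, not code from either commenter) that compares the Winlogon Userinit and Shell values against their stock settings and reports any that differ; the function name, the -Key and -WindowsDir parameters and the offline-hive usage are assumptions.

```powershell
# Added example (not code from the comments above): audit the Winlogon values that a
# logon-loop infection changes, and report any that differ from the stock settings.
# Assumes a working session on the affected machine, or an offline SYSTEM drive whose
# SOFTWARE hive has been loaded first, e.g. "reg load HKLM\Offline D:\Windows\System32\config\SOFTWARE",
# and then passed in as -Key 'HKLM:\Offline\Microsoft\Windows NT\CurrentVersion\Winlogon'
# with -WindowsDir 'D:\Windows'. The function only reads; the repair is left as a comment.
function Test-WinlogonValue {
    param(
        [string]$Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        # Windows directory of the installation whose hive is being checked; it differs
        # from $env:SystemRoot when the hive comes from another drive (assumed parameter).
        [string]$WindowsDir = $env:SystemRoot
    )
    # Stock values: userinit.exe with its trailing comma, explorer.exe as the shell.
    $expected = [ordered]@{
        Userinit = (Join-Path (Join-Path $WindowsDir 'System32') 'userinit.exe') + ','
        Shell    = 'explorer.exe'
    }
    $props = Get-ItemProperty -Path $Key
    foreach ($name in $expected.Keys) {
        $actual = [string]$props.$name
        [pscustomobject]@{
            Value    = $name
            Expected = $expected[$name]
            Actual   = $actual
            Ok       = ($actual -ieq $expected[$name])   # case-insensitive path compare
        }
    }
}

Test-WinlogonValue | Format-Table -AutoSize

# A row with Ok = False is the entry to restore once you have confirmed the Actual value
# points at a foreign file, e.g. for the live hive:
#   Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
#       -Name Userinit -Value 'C:\Windows\System32\userinit.exe,'
```

A logon that drops you back to the welcome screen within a second, as Robert describes, is exactly what a bad Userinit value produces, since Windows runs that program to set up the session and logs you off as soon as it exits.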

  20. 1fastbullet

    I spent yesterday evening removing a variation of this trojan from a machine. Nothing would install and nothing would run from a thumb drive. At last I noticed that the pop-ups didn’t start immediately when XP loaded and I was able to use that 30 or 40 seconds to initiate a MWB scan. Upon completion of MWB I rebooted and ran SAS. Once the scans were in progress, the infections were powerless to interrupt them.
    Ultimately, I ran a few more tools and got the machine clean. But it seemed essential to initiate the scans as quickly as possible after XP loaded and before the trojan had.

  21. rahman

    Just wondering… couldn’t I run SuperAntispyware from a DVD? That would surely prevent the viruses from hopping over.

    And of course, common sense is the best antivirus you can have. Without it, even the world’s best antivirus is useless.
    I would suggest MSE/Avira + Threatfire. Together with common sense, you would rarely have to worry about viruses.

    For the not-too-savvy ones, Linux is the way to go.

  22. David

    I have the Security Tool virus and everything that was suggested I tried but didn’t work. I have Windows 7 and it wont let me boot into safe mode. It won’t let me do anything.

  23. Armel Atina

    I do a lot of software-based troubleshooting. Only a few geeks understand that there are types of malware that once removed from the system, their “damage” remains. A lot of such are still in the wild. I’ll give you a metaphorical example: you were pricked by a pin. You remove the pin, and thank heavens – there’s no pin now. But yes, the wound is still there, as well as the pain. How long will it last would of course depend on the size of the wound and the mitigations you applied. This is true with computer systems too…
    I suggest that once there is a massive (or deeply-rooted) infection, a reformat is still indispensable. And by the way, why don’t you folks give a try on some portable tools offered by LeeluSoft (creator of the cool and very portable Windows7LittleTweaker)?

  24. Ben

    @Robert

    That’s happening to me right now. It’s logging me off immediately after I log on. Can you show me exactly where you found the instructions on how to fix this?

    thanks.

  25. kiwi

    urgh!
    I can’t get mine to work. Every time I go on the Internet, the “file is infected” box pops up. What do I do? I can’t even access the Internet, Microsoft Word or almost any other program. Help?

  26. Erik Cameron

    GREAT THREAD.

    Armel,

    NO DOUBT. I operate similarly, but S!RI SmitFraudFix is one example, even if used in the absolutely proper way, that damage can be done when infections are taken care of.

    sfc /scannow is a lovely thing, post-XP, but it only does so much.

    Microsoft has yet to sell, develop or even try to match DJLizard’s freeware utility Dial-A-Fix for WindowsXP; such brilliance is definitely missed and that little thing could do a LOT of good.

    GeeksToGo.com (OldTimerUtilities) is a good spot to grab some goodies, but I’m personally leery about some of the more worldly stuff, as-in the multiple background process-laden programs. BitDefender was considered a scam for a while in the A/V circle. F-Secure (what is that, after all?) is mercurial; Panda’s online scanner doesn’t let you truly fix unless you pay, etc.

    I firmly believe in advanced removal utilities like the aforementioned one (even if it can cause damage or, worse yet, leave irreparable damage that can go undetected, no matter how many AiO apps are launched, full scans completed or how many manual keys/files/archives deleted) WORK.

    The potion, though?

    1.) SUPERAntiSpyware Portable
    2.) SUPERAntiSpyware Professional Licensed (run portable, check for updates, and buy the 1-day only
    $9.95 license!)
    3.) Malwarebyte’s Anti-Malware. $22.99 RETAIL BOXED LIFETIME (CheapAntiVirus.com)
    4.) Avira AntiVir Premium Security Suite (Intensely sensitive;) $22.99 1PC 1YR (Versus $54.99+ elsewhere; They offer Avira AntiVir Personal, similar, forever if you want.)
    5.) (SysInternals) (Microsoft) AutoRuns
    6.) TIS TrendMicro HijackThis 2.0.2 + CWS (CoolWebSearch Shredder)

    – One Can’t Go Wrong With This —

    I refer clients and their respective notebooks/PC’s to a shop (in the event it’s not hardware-ONLY related, but so far beyond my scope, they need professional diagnostic equipment to peek-in, or data extraction utilities,) whose employees all swore by that. I tried it and have only had successful recoveries! I hope someone takes from that.

    I personally am working on a PC now loaded up with a highly corrupted, mangled Ubuntu setup (best described as if it’s trying to act like an OpenSuSE Linux?!) and can’t get the PC to simply boot from CD to reformat with Windows. I can’t even run Hiren’s BootCD 12.0 successfully. I can surely get into MiniXP and run the Recovery Utilities, but they do nothing. There’s a “master password” imposed on BIOS/CMOS that seems to be unable to be cracked. Lots of virii and malware. This is a meeting of the minds, so I figured I’d take a leap and ask outright. Can anyone offer up some advice on how to tackle this? PS – It’s a Dell Dimension 3000, so it’s not exactly handing over oodles of virtual memory or HDD space.

  27. Erik Cameron

    Revising to remark that I just saw this belongs on a request forum. Noted, before anyone snips at me :)

  28. Blake barnett

    I have tried to run the scanner in both safe mode and regular mode but after running the scanner for a few seconds, I get the blue screen of death and it says iastor.sys which I believe is from the virus. What do you suggest I do now?

  29. Blake barnett

    Never mind the post right above me, I got the scanner to run, but it did not find the virus after a full scan, and after a reboot I still got the same error where I get the blue screen of death and the error is iastor.sys. What should I do? (I’m not sure if I’m supposed to post this in this forum; if I’m not supposed to, could you direct me to a forum where I could?)

  30. Eva

    Does SUPERAntiSpyware work for the fake “Windows antispyware system” too?
    Telling you I am desperate is an understatement…

  31. OG

    Thank you for this post, it helped tremendously on my friend’s laptop.

  32. bill phillips

    In my shop when a customer brings in an infected computer I remove the drive and install it on another computer using a USB adapter, making it an external drive, and then scan and remove the virus with BOTH Malwarebytes and SAS. Works every time.
