I've tried searching the virus database which usually works for me, but I cannot find any documentation on this issue at all, which is a surprise!
A supposedly official Windows program called Antimalware has recently appeared on my computer.
I googled it and found it is a genuine fake.
It prevents me from running McAfee Security Center and the virus scan, which I would use to get rid of it! There are offers on the internet for other programs that can get rid of it, but they require payment; since I have the full McAfee Security Suite, I believe I should already have a program that should deal with this.
I've tried booting in Safe Mode but it still prevents McAfee from running.
Basically what I need help with is how to get rid of it and get McAfee running again.
Any help would be much appreciated
This might be bogus software that is trying to access your computer, probably picked up from a visit to an unknown website or from a suspicious email. The term Zero-Day Attack refers to new types of threats and malware that are released before any security software vendor is aware of them and has time to add detections and proactive protection. To protect you from a virus or other malware, your security software must recognize some piece of the code used to carry out the attack. Completely new threats circumvent this because they do not use code which can be detected by existing anti-virus definition files.
Download the Stinger tool from the link below:
Double-click Stinger and select Preferences.
Enable the Report Applications option.
Click Scan Now and allow the scan to complete.
NOTE: During the scan, you may receive a clean error on certain .cab files. Ignore the error and allow the scan to complete. The files will be removed when the system is restarted.
Restart your computer.
Run Stinger again using the steps above.
Kindly report back if you have any issues running the tool.
Thanks for your response. Unfortunately, the Stinger program crashes before it completes the scan (now tried 4 times, and it crashes at a different point each time) and it does not seem to recognise the fake Antimalware program. I suspect the Antimalware program is blocking it in the same way that it is blocking the McAfee Security Suite.
There are some websites out there which recommend methods of removing this program; unfortunately, one of these McAfee SiteAdvisor says is dangerous. However, the description fits with what I have on my computer!
Here is a link to one that doesn't get flagged with a danger sign by McAfee SiteAdvisor for you to check out.
I think the danger is that if I simply try to uninstall it, it will activate some nasty payload...
Edit: Here is another website which McAfee doesn't flag up and which not only has helpful info but also a removal tool... I am not sure I trust using the removal tool though.
This is clearly something important for McAfee to solve, because this program is capable of removing and keeping away the McAfee Security Suite.
I look forward to further help....
Message was edited by: CdeB on 12/20/09 1:24:28 PM CST
Message was edited by: CdeB on 12/20/09 1:46:26 PM CST
There are a number of fake or "rogue" anti-malware, anti-spyware and anti-virus products floating around. You most likely have picked up one, and short of desperate actions, you may be able to remove it.
Go to Malwarebytes (www.malwarebytes.org) and download the free version of "Malwarebytes AntiMalware" (do not fret that it is also called "AntiMalware"). Run this, and it should detect and then remove the nasties. If this turns up nothing, you may need to re-boot into "Safe Mode" and re-run it. Most of the "usual suspect" rogues are not good enough to require "Safe Mode". As an additional safety move, I suggest that you re-boot after the Malwarebytes run.
Do remember that many of the more clever rogue malwares will preclude and/or block the installed anti-virus software.
Post back your results.
Thanks for the heads-up SeanMc98.
I will try this, but unfortunately other information I have now managed to get says that it takes out Malwarebytes' real AntiMalware program too.
I tried to post this once already but it failed and I lost the link
The link below seems to be the most sane solution... but I would value somebody checking whether it is itself bogus!!
I really hope McAfee are able to quickly provide a fix against this program, as judging by the dates on the reports it has grown in impact over the last 2 months.
Try installing, updating and running THIS application in "Safe Mode with Networking" (that gives network/internet access in Safe Mode and is reached by tapping F8 repeatedly while booting up and then selecting that item from the boot options menu). It will run in Safe Mode OK; let it clean everything it finds, and reboot immediately if asked to.
Message was edited by: Ex_Brit on 21/12/09 9:11:51 EST AM
The link you provided gives a good explanation of the rogue "Antimalware". I did note that the linked site references Malwarebytes "AntiMalware" at the end, under the other tools. Try the solution I posted (which was subsequently echoed) before you try to manually disinfect your PC.
As to the possibility mentioned that the rogue precludes Malwarebytes, you can go to another CLEAN PC, download it, put it on a jump drive and run it from there. This takes a little effort, but it can be done. If the rogue front-ends and circumvents USB access, you might need to burn Malwarebytes onto a CD-RW or a DVD.
OK guys an interim report!
The bogus Antimalware program does indeed block Malwarebytes' real program at all levels.
1. I decided not to mess around and installed straight from Safe Mode.
2. It does not allow installation!
3. I tried to outsmart it by renaming the installation file; this works to a degree: the installation then runs, but towards the end it locks up without completing. Tried this a couple of times with the same result.
Will now try the other approach suggested, but I now see why one of the suggestions on the wider web includes a barrage of different programs used in a specific sequence to get rid of this program!!
OK, I think I have just about got this sorted, but would value some follow up advice.
What I have now done and the results...
1. I retried twice installing the genuine AntiMalware, under either Safe or normal conditions (of course using the renamed installation file).
2. On the second attempt it very slowly installed.
3. I then shut the computer down and booted up in Safe Mode with Networking.
4. I was still unable to run the program even now that it had installed.
5. I renamed the exe file for the software from mbam.exe to gotu.exe (my sense of humour).
6. I ran the renamed program from the Run command in the Start popup.
7. It then ran (Hallelujah) and I then updated it (as suggested).
8. I did a complete scan and it found 14 trojans or other nasties.
9. I ordered the deletion of the found files.
10. I rebooted, still in Safe Mode; I wasn't sure it would implement the changes in this mode, so I rebooted normally.
11. The McAfee icon appears back on the bottom bar, BUT the original fake Antimalware is still around, both icon and program.
12. Using My Computer I deleted the whole directory that contains the fake program.
13. At some point McAfee disappears again and I am prompted to verify my program; this does not work. (Unfortunately all this coincides with the annual payment for the program, which I did several days ago with my other working computer.)
14. I reboot the computer in Safe Mode.
15. I re-run the genuine AntiMalware program with a quick scan; it finds 2 trojans in the registry (still) and one other elsewhere.
16. I delete the bad files using the program.
17. I reboot as prompted by the program, this time in normal mode.
18. McAfee verify subscription now works...
I hope this is the end, though I will now run a full scan with the now functioning and updated McAfee (followed by the genuine Antimalware program).
The remaining questions are:
I have a registry fixing program and am thinking of running it to make sure all is well there.
I wonder about using System Restore to take the computer back to a time before the original infection?
I also think this story needs to be passed to those that are working on the continual update of the McAfee software, as this is a clear vulnerability with the current version.
Thanks again for your help.
Message was edited by: CdeB on 23/12/09 03:09:36 CST
Message was edited by: CdeB on 23/12/09 03:10:41 CST
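The rename trick reported in the interim post (renaming the installer) and in steps 5 to 7 above (renaming mbam.exe to gotu.exe) worked because the rogue was evidently deciding what to block from the executable's file name alone. The Python below is an added illustration of that point, not code from this thread or from Malwarebytes or McAfee: it contrasts a name-keyed block, which a rename defeats, with a content-hash check, which a rename does not touch. The blocklist entries, the Malwarebytes path and the stand-in executable bytes are constructed sample data, and no real file is read.

```python
"""Name-based versus content-based blocking of a scanner executable.

Added example for the thread above. The rogue "Antimalware" described there
stopped mbam.exe but not a byte-identical copy renamed gotu.exe, which is the
behaviour of a blocklist keyed on the file name. A check keyed on the file's
SHA-256 is indifferent to the name. All sample data here is constructed.
"""
import hashlib
from pathlib import PureWindowsPath

# Hypothetical image names the rogue refuses to start. mbam.exe comes from
# the thread; the other entries are constructed for the example.
NAME_BLOCKLIST = {"mbam.exe", "mbam-setup.exe", "stinger.exe"}

# Constructed stand-in for the scanner's contents; a real check would read
# the file from disk instead.
SCANNER_IMAGE = b"MZ" + b"\x00" * 14 + b"constructed stand-in for mbam.exe"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file contents as a hex string."""
    return hashlib.sha256(data).hexdigest()


def blocked_by_name(path: str, blocklist=NAME_BLOCKLIST) -> bool:
    """Name-keyed policy: looks only at the basename of a Windows path.

    Windows file names are case-insensitive, so the comparison is too;
    otherwise MBAM.EXE would slip past a list that only holds mbam.exe.
    """
    return PureWindowsPath(path).name.lower() in blocklist


def blocked_by_hash(data: bytes, hash_blocklist) -> bool:
    """Content-keyed policy: the decision depends on the bytes, not the name."""
    return sha256_hex(data) in hash_blocklist


def rename_bypass_demo():
    """Replay the thread's workaround against both policies.

    Returns (name check on mbam.exe, name check on gotu.exe,
             hash check before rename, hash check after rename).
    """
    hash_blocklist = {sha256_hex(SCANNER_IMAGE)}
    # Constructed install path; the directory name is an assumption.
    original = r"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
    renamed = r"C:\Program Files\Malwarebytes' Anti-Malware\gotu.exe"
    return (
        blocked_by_name(original),                        # rogue stops mbam.exe
        blocked_by_name(renamed),                         # gotu.exe is not listed
        blocked_by_hash(SCANNER_IMAGE, hash_blocklist),   # same bytes, still matched
        blocked_by_hash(SCANNER_IMAGE, hash_blocklist),   # rename changes nothing
    )


if __name__ == "__main__":
    print(rename_bypass_demo())
```

The same weakness cuts both ways: a rogue that keys on names is easy to get past, and a cleanup tool that only looks for a rogue's known file name is just as easy for the rogue to dodge by renaming itself, which is why the thread's second quick scan still turned up leftovers after the program directory had been deleted by hand.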