10 Replies Latest reply on Feb 22, 2011 12:17 PM by newjack

    Cannot remove "AntiVira AV"

      My (other) laptop has been hit with this AntiVira AV virus, and I am having a heck of a time removing it.  Here is what I've tried:

       

      1) Run McAfee (both in Normal mode and in Safe mode) -- did not detect the virus

      2) Downloaded and ran PC Tools Spyware Doctor (in Safe mode) -- detected several hundred "tracking cookies," all of which were labeled as a "low threat."  Could not delete them without purchasing the full version of Spyware Doctor, and I'm trying as many free solutions first.

      3) Followed these instructions to the T (Safe mode, run RKill, run Malwarebytes Anti-Malware) -- detected two trojan viruses and deleted them.  Yay!  The log report is attached to this post.

       

      But...when I re-started my computer after this, the AntiVira AV is still there, and still as aggressive as before.

       

      Can anybody help me get rid of this thing?  Thank you in advance!

        • 1. Re: Cannot remove "AntiVira AV"
          ConorD62

          Hi Edik415,

           

          Can you please post the log, instead of attaching it?

           

          Thanks.

           

           

          • 2. Re: Cannot remove "AntiVira AV"

            What is new way to post the log?

            • 3. Re: Cannot remove "AntiVira AV"
              ConorD62

              Hi,

               

              Copy and paste.

               

               

              • 4. Cannot remove "AntiVira AV"

                Here it is!  (In fact, I was an idiot and attached the wrong file anyway...)

                ---

                Malwarebytes' Anti-Malware 1.50.1.1100

                www.malwarebytes.org

                 

                Database version: 5783

                 

                Windows 6.0.6002 Service Pack 2 (Safe Mode)

                Internet Explorer 8.0.6001.19019

                 

                2/17/2011 8:56:13 AM

                mbam-log-2011-02-17 (08-56-13).txt

                 

                Scan type: Full scan (C:\|)

                Objects scanned: 366746

                Time elapsed: 1 hour(s), 10 minute(s), 24 second(s)

                 

                Memory Processes Infected: 0

                Memory Modules Infected: 0

                Registry Keys Infected: 1

                Registry Values Infected: 0

                Registry Data Items Infected: 0

                Folders Infected: 0

                Files Infected: 1

                 

                Memory Processes Infected:

                (No malicious items detected)

                 

                Memory Modules Infected:

                (No malicious items detected)

                 

                Registry Keys Infected:

                HKEY_CURRENT_USER\SOFTWARE\g043oqxanu (Trojan.FakeAlert) -> Quarantined and deleted successfully.

                 

                Registry Values Infected:

                (No malicious items detected)

                 

                Registry Data Items Infected:

                (No malicious items detected)

                 

                Folders Infected:

                (No malicious items detected)

                 

                Files Infected:

                c:\Windows\Temp\tmp00000001eb6fb4d9eef4b7b8 (Trojan.Dropper) -> Quarantined and deleted successfully.

                • 5. Re: Cannot remove "AntiVira AV"
                  ConorD62

                  Hi,

                   

                  Please do the following:

                   

                  Start > Run > Msconfig.

                   

                  Please tell me if you see anything suspicious there, before we can continue.

                   

                  Thanks.

                   

                   

                  • 6. Cannot remove "AntiVira AV"

                    Sorry it took so long for me to check this -- had a late dinner!

                     

                    I'm not sure if this is everything, but one of the items listed under "Startup" (in System Configuration) is "fbveaibb" from an unknown manufacturer.  The command listed is "C:\Users\Edik\AppData\Local\Temp\dddplahjy\uvyirivsikk.exe"

                     

                    That one looks pretty suspicious.  It has a check mark next to it, to run at startup.  Should I uncheck this?

                    • 7. Cannot remove "AntiVira AV"

                      Ok!  I unchecked that goofy-looking file, so that it would not boot up on startup (operating under the assumption that, if it screws up something important, I can always go back in and re-check it). 

                       

                      Good news -- the AntiVira AV program does NOT boot up when I restart the machine.  I do get a weird error that says "Windows has blocked some startup programs," which refers to MalwareBytes.  Not sure why that was blocked (or what blocked it), but AntiVira AV does not run.

                       

                      Less good news -- I haven't actually REMOVED that file, just kept it from booting when the machine starts up.  I don't know if I can just go to that temporary directory, delete the file, and be back in business or not.  It seems like it should be more complicated than that...

                       

                      Any thoughts?
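
The startup item found above (a random-named .exe in a random-named folder under the user's Temp directory, no manufacturer) is the classic shape of a rogue's persistence entry. Below is an added example, not code from this thread or from McAfee, that automates the same review msconfig's Startup tab gives you: it walks the Run/RunOnce keys and both Startup folders, pulls the executable out of each command line, and flags entries that run from a Temp directory, carry no valid Authenticode signature, or have no CompanyName in their version resource. The heuristics and thresholds are this example's own assumptions, not any product's detection logic. It assumes PowerShell 2.0 or later run from an elevated prompt.

```powershell
# Added example (not from the thread): list autostart entries and flag the ones
# that look like the "fbveaibb" item seen in msconfig. Heuristics are assumptions
# of this example: Temp-path, unsigned binary, empty CompanyName.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Extract the executable from a command line such as
#   "C:\Users\Edik\AppData\Local\Temp\dddplahjy\uvyirivsikk.exe" /silent
function Get-ExePath([string]$Command) {
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    return ($c -split '\s+')[0]
}

# Everything msconfig's Startup tab shows comes from these two places.
function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
            New-Object PSObject -Property @{
                Location = $key; Name = $p.Name; Command = [string]$p.Value
            }
        }
    }
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if (-not $dir -or -not (Test-Path $dir)) { continue }
        foreach ($f in (Get-ChildItem -Path $dir | Where-Object { -not $_.PSIsContainer })) {
            $cmd = $f.FullName
            if ($f.Extension -eq '.lnk') {   # resolve shortcut to its real target
                $cmd = (New-Object -ComObject WScript.Shell).CreateShortcut($f.FullName).TargetPath
            }
            New-Object PSObject -Property @{ Location = $dir; Name = $f.Name; Command = $cmd }
        }
    }
}

# Score one entry; each reason is a signal, not a verdict.
function Test-SuspiciousEntry($Entry) {
    $reasons = @()
    $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath $Entry.Command))
    if ($exe -match '\\Temp\\') { $reasons += 'runs from a Temp directory' }
    if (-not (Test-Path $exe)) {
        $reasons += 'target file missing'   # already removed, or a path we could not parse
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        $company = (Get-Item $exe).VersionInfo.CompanyName
        if (-not $company) { $reasons += 'no CompanyName in version info' }
    }
    New-Object PSObject -Property @{
        Location = $Entry.Location; Name = $Entry.Name; Exe = $exe
        Reasons  = ($reasons -join '; '); Score = $reasons.Count
    }
}

# Anything from a Temp directory is shown regardless of score; otherwise
# require two independent signals to cut down on unsigned-but-legitimate apps.
Get-AutostartEntries | ForEach-Object { Test-SuspiciousEntry $_ } |
    Where-Object { $_.Score -ge 2 -or $_.Reasons -match 'Temp' } |
    Sort-Object Score -Descending |
    Format-List Location, Name, Exe, Reasons
```

Treat the output as a review list: plenty of legitimate software is unsigned and ships without a CompanyName, so an entry earns attention for where it lives and what it is, not for the score alone. An entry whose target is already "missing" is worth removing anyway, since a leftover Run value is how a rogue comes back after its file is re-dropped.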

                      • 8. Cannot remove "AntiVira AV"

                        I think I might have done it!

                         

                        Once I disabled that [random letters].exe file from startup, I updated my MalwareBytes, ran it again, and it located THAT .exe file as a Trojan of sorts, along with two others (this is in addition to the two that I deleted earlier).  I had MWB delete those, and it APPEARS to be gone.

                         

                        I'm holding off on a major celebration, just in case it re-appears.  But I've restarted several times now since then, and it seems ok.  Going to run another full McAfee scan to be sure...

                         

                        Does it sound like I'm in the clear?

                        Thanks for your help!!

                        • 9. Cannot remove "AntiVira AV"
                          Hayton

                          You may be okay now. I tried earlier to post to say that Malwarebytes should be run in normal mode rather than in Safe Mode, but got caught by the System Outage.

                           

                          Avira AV is a rogue program, so if you delete the executable most of the problem goes away. What's left is a mess of registry changes and temp files, which a program like CCleaner will be able to deal with. One thing to be wary of is that these programs are getting more sophisticated, so the just-delete-the-program approach may not work for ever. But for now, you should be okay (let's hope so).

                           

                          To be on the safe side you might want to run a second anti-malware program, such as SuperAntiSpyware or Microsoft's Windows Defender. Both of these are compatible with McAfee (the paid-for version of Malwarebytes isn't, since the two programs will conflict).
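
The three loose ends in this thread are the executable that was only unticked, the Run value that still points at it, and the rogue's own HKCU\SOFTWARE key plus the temp files it leaves behind. The following is an added example, not a script from the thread, McAfee or Malwarebytes, that closes them in the order a responder would: back up the affected registry keys, stop the process, move the file into a quarantine folder instead of deleting it (so a sample survives for analysis), remove the persistence, then clear the temp folders. The value name, executable path and HKCU key are the ones reported earlier in this thread and are assumed here as an illustration; substitute what your own review found. Run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): quarantine the rogue and remove its
# persistence. The three identifiers below are the thread's own values, used
# as an illustration; replace them with what your autostart review found.

$RunValueName = 'fbveaibb'
$ExePath      = 'C:\Users\Edik\AppData\Local\Temp\dddplahjy\uvyirivsikk.exe'
$RogueKey     = 'HKCU:\Software\g043oqxanu'
$Quarantine   = Join-Path $env:SystemDrive 'Quarantine'
$Stamp        = Get-Date -Format 'yyyyMMdd-HHmmss'
$RunKeys      = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
$TempRoots    = @($env:TEMP, (Join-Path $env:windir 'Temp'))

New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null

# 1. Back up the keys we are about to change so a wrongly removed value can be
#    restored with a double-click on the .reg file.
foreach ($k in ($RunKeys + $RogueKey)) {
    $regPath = $k -replace '^HKCU:\\', 'HKCU\' -replace '^HKLM:\\', 'HKLM\'
    $out = Join-Path $Quarantine ("{0}-{1}.reg" -f ($regPath -replace '[\\:]', '_'), $Stamp)
    & reg.exe export $regPath $out /y 2>$null | Out-Null
}

# 2. Stop any running copy before touching the file.
Get-Process | Where-Object { $_.Path -eq $ExePath } |
    Stop-Process -Force -ErrorAction SilentlyContinue

# 3. Quarantine. If the rogue has its own random-named folder, move the whole
#    folder; if it sits directly in a Temp root, move just the file (never move
#    the Temp directory itself).
if (Test-Path $ExePath) {
    $parent = Split-Path -Parent $ExePath
    if ($TempRoots -contains $parent) {
        Move-Item -Path $ExePath -Destination (Join-Path $Quarantine "$(Split-Path -Leaf $ExePath)-$Stamp") -Force
    } else {
        Move-Item -Path $parent -Destination (Join-Path $Quarantine "$(Split-Path -Leaf $parent)-$Stamp") -Force
    }
}

# 4. Remove the persistence: the Run value msconfig showed (check both hives,
#    since msconfig merges them) and the rogue's settings key from the scan log.
foreach ($k in $RunKeys) {
    Remove-ItemProperty -Path $k -Name $RunValueName -ErrorAction SilentlyContinue
}
if (Test-Path $RogueKey) { Remove-Item -Path $RogueKey -Recurse -Force }

# 5. Clear the temp folders; files locked by running programs are skipped.
foreach ($tmp in $TempRoots) {
    Get-ChildItem -Path $tmp -Force -ErrorAction SilentlyContinue |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
}

# 6. Verify nothing still points at the quarantined file.
$leftover = foreach ($k in $RunKeys) {
    (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).$RunValueName
}
if ($leftover) { Write-Warning "Run value '$RunValueName' is still present: $leftover" }
else           { Write-Host "Run value '$RunValueName' removed; sample kept in $Quarantine" }
```

After a reboot, re-run the autostart review and a full scan in normal mode as Hayton suggests; a rogue that reappears after this has a second persistence mechanism (a service, a scheduled task, or a Winlogon or shell hook) that a Run-key cleanup does not reach, and that is the point at which the just-delete-the-program approach he warns about stops working.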
