…if you can’t get your computer to work in normal mode.
Okay, I’m a geek. An amateur geek. I enjoy taking a computer that is gasping its last breaths, and restoring it to a smoothly-running state.
To date, I’ve done this dozens of times, and I’ve had malware defeat me only once — not, mind you, because I couldn’t remove it, but because it had damaged the master boot record. The machine was a Vista box cobbled together by another friend of the computer’s owner, so it had no Vista disk (and I suspect the copy may have been pirated anyway). I downloaded the Vista Recovery Disk supplied by Microsoft, but this was able to do only so much. I needed to reinstall Vista, and I couldn’t find anyone with a Vista disk. With no disk, I could go no further. I did, however, do the one thing the owner of the computer wanted me to do: I rescued all of her pictures and videos from the computer and burned them to CDs, with the help of UBCD4WIN, a very useful bootable Windows environment loaded with diagnostic tools.
But I digress. I had not heard of Antivirus Studio 2010 before Friday night, but I immediately knew what it was. This is because I had dealt with programs like it several times before. Some sites politely classify Antivirus Studio 2010 as a “rogue antivirus”. That gives the impression that it actually is an antivirus; maybe it’s just unconventional, and that’s why it’s “rogue”.
Don’t you believe it. It’s every bit as malicious as viruses can be. The Vista computer described above was done in by a so-called rogue antivirus.
So when a friend of mine called me last night about a window that had appeared on her computer screen, I knew what this program was capable of. Thankfully, after a brush with one of these before (no, not the computer mentioned above), she knew it was fake.
I quickly looked up how best to remove the thing. An excellent guide is this one: http://www.bleepingcomputer.com/virus-removal/remove-antivirus-studio-2010 . Unfortunately, it didn’t work for me, because the computer would not do anything in normal mode but throw up fake scare messages about viruses and trojans it had supposedly found, about how her computer was spamming, etc., etc., etc.
Alright, so I figured we’d just try it in safe mode. So she had to turn her computer off at the button and then turn it on again to get into safe mode, into her account.
Unfortunately, Malwarebytes (an excellent anti-malware program) doesn’t always run in safe mode. And it wasn’t running at all for her. Online Armor doesn’t run in safe mode, either, so I couldn’t have her go into it and edit program permissions to block Antivirus Studio 2010. Opened the Task Manager, but no processes for it were showing. Opened the Services, but there were no associated services showing. Ack! How were we going to get this thing off?
What we finally resorted to was a long process of search and destroy. I had her change the folder options to show hidden files and folders and to stop hiding protected operating system files. Then I had her perform a search with the advanced options checked, so that it would also look inside hidden and system folders.
First, she searched for “Antivirus Studio 2010”. A few files and folders appeared, and she deleted the ones that it would let her delete. It wouldn’t let her delete the folders, but she was able to go into the folders and delete the files. She searched for “studio”, and that brought up a bunch of files, a few of which were related, and she deleted those. She searched for “antivirus”, and it came up with 10 files: three were Avast files, six were Antivirus Studio 2010 files, and one was named simply “antivirus.evt”. She deleted the six and was about to delete the one, but I finally found a note someone had posted saying that this file seemed to be found on computers with Avast on them. So she didn’t delete it.
I then had her click Start, then Run, and had her type “%temp%” (without quotes) in the box and hit Enter. This brought up her temp folder, and we used the list of files associated with Antivirus Studio 2010 that is on that page linked above at bleepingcomputer to delete the malicious files from her computer. Most of them had gibberish names, but one was interesting — it started with “backd”. As in, “backdoor”. Far from protecting her computer, this “rogue antivirus” was opening her computer up — leaving a “back door” open for other viruses, trojan horses, and worms to download and infect her computer. How nice!
Don’t people have better things to do besides creating programs like this? They do it, though, so they can get your money (“Look at all the fake viruses I found! Now you have to pay $40 for the full version of the program to remove them! Click here now!”) and your information (passwords, credit card numbers, and whatever else, with all those trojan horses it downloads).
At any rate, once she deleted all those files, there were a few more left that looked similar. One had a vulgar name, and I looked it up and found it was malware, so she deleted it. A few others had file extensions like others she deleted. They had been mostly .exe files, but there were a few .exxe and .exex in there. A few of those were left over, so I looked them up, and we deleted those as well. Then we reset the folder options to hide system files again.
There was one more thing to do before rebooting. You have to make sure the thing is GONE. Some malicious programs will reinstall themselves if enough of them is left behind when you reboot — typically an autostart entry or a helper file that survived the cleanup. Limewire does this. You uninstall, reboot, and… it’s baaaaaaack.
So I had her run CCleaner. This is something you have to have on there already, or you need to download it to a flash drive or CD so you can install it while you are in safe mode. I had her bring up CCleaner and then click on “run cleaner” in the bottom right corner. This deletes the stuff in the Recycle Bin, and lots of temporary files. Then I had her click on “Registry” on the left. She clicked “scan for issues” and then “fix issues”, backing up her registry when it asked her if she wanted to. This looks through the registry for keys that are no longer associated with programs (like for programs you uninstalled), among other things.
Now, the registry isn’t something to play with lightly, BUT I have never, ever had CCleaner harm a computer. EVER. And I’ve used it like this a couple hundred times now, on dozens of computers.
So with several registry keys related to Antivirus Studio 2010 found and deleted, it was time to reboot into normal mode and see if it was gone. It was.
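As an added example, not part of the original post and not code from any of the tools mentioned in it: the safe-mode search-and-destroy described above, done from PowerShell instead of by hand. It assumes an administrator prompt in Safe Mode and Windows PowerShell 4 or later (for Get-FileHash), so it would not run on the Vista-era box in the story without updating PowerShell. The name patterns, the odd extensions (.exxe, .exex) and the keep-list (antivirus.evt) are taken from this case and are placeholders to adjust; the bare term “antivirus” is deliberately left out because it also matched the legitimate Avast files. Two things differ from the manual procedure: suspect files are moved into a quarantine folder and logged to a CSV rather than deleted, so a wrong guess can be undone, and the Run/RunOnce autostart keys are checked for entries whose target no longer exists, which is the usual way a half-removed program comes back after a reboot.

```powershell
# Added example, not from the original post: PowerShell version of the safe-mode
# search-and-destroy. Assumes an elevated prompt in Safe Mode and Windows
# PowerShell 4+ (Get-FileHash). The patterns below are placeholders from this case.

$NamePatterns  = @('*Antivirus Studio 2010*', '*studio*')   # what was searched for by hand
$OddExtensions = @('.exxe', '.exex')                         # malformed extensions seen in %temp%
$KeepList      = @('antivirus.evt')                          # legitimate files that match anyway
$Roots = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData,
           $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
         Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$Quarantine = Join-Path $env:SystemDrive 'Quarantine'
New-Item -ItemType Directory -Force -Path $Quarantine | Out-Null

# -Force includes hidden and system files, the ones Explorer hides by default.
$suspects = foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            $f = $_   # the inner pipeline below rebinds $_
            ($KeepList -notcontains $f.Name) -and (
                ($OddExtensions -contains $f.Extension.ToLower()) -or
                (@($NamePatterns | Where-Object { $f.Name -like $_ }).Count -gt 0)
            )
        }
}

# Record what was found before touching anything; the CSV doubles as the undo list.
$report = foreach ($f in ($suspects | Sort-Object FullName -Unique)) {
    $hash = Get-FileHash -Algorithm SHA256 -LiteralPath $f.FullName -ErrorAction SilentlyContinue
    $sha  = if ($hash) { $hash.Hash } else { 'unreadable' }
    [pscustomobject]@{
        Path   = $f.FullName
        Bytes  = $f.Length
        Hidden = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
        Sha256 = $sha
    }
}
$report | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -LiteralPath (Join-Path $Quarantine 'suspects.csv')

# Move instead of delete: a wrong guess (a real system file) is then recoverable.
foreach ($r in $report) {
    $tag  = if ($r.Sha256 -ne 'unreadable') { $r.Sha256.Substring(0, 8) } else { 'nohash' }
    $dest = Join-Path $Quarantine ("{0}.{1}.quarantined" -f (Split-Path -Leaf $r.Path), $tag)
    try   { Move-Item -LiteralPath $r.Path -Destination $dest -Force -ErrorAction Stop }
    catch { Write-Warning "Could not move (locked or protected), revisit: $($r.Path)" }
}

# Persistence check: Run/RunOnce values whose target is gone are what brings a
# half-removed program back at the next boot. Print them for manual review.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in ($runKeys | Where-Object { Test-Path $_ })) {
    $props = Get-ItemProperty -Path $key
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $cmd = [string]$p.Value
        # Quoted path first; otherwise the first token. Unquoted paths with spaces
        # get truncated here, so treat a "missing" result as a lead, not a verdict.
        $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if ($exe -and -not (Test-Path -LiteralPath $exe)) {
            "{0}\{1} -> {2}   [target missing]" -f $key, $p.Name, $cmd
        }
    }
}
```

Run it once, read the table and the autostart report, and only then decide what to remove for good; anything the script could not move (a locked file) is still running, and is the first thing to look up by name and hash. Deleting the quarantine folder is the last step, after a normal-mode boot and a clean scan.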
Malwarebytes was damaged, though, so we uninstalled it and installed a fresh copy. After updating it, I had her run a complete scan. It found and removed four viruses and trojans, probably downloaded by the rogue antivirus we had just removed. Now she had a clean machine.
So… how did she manage to get this infection in the first place? After all, she had learned a lot about web safety (no more Limewire!), and I had replaced her McAfee (I have never liked or trusted McAfee) with Avast and Online Armor. Avast is an excellent antivirus that is free for personal home use, and Online Armor is an excellent firewall which has a free version and a paid version, and the free version is so good that I just go with it. There are some convenience and customization features available with the paid version that the free version doesn’t have, and a little additional security.
I learned that she got the first Antivirus Studio 2010 window when she visited a coupon site, so apparently the site was infected. Online Armor was in Learning Mode for some reason at the time, probably set that way when she installed something and then she forgot to set it back. In Learning Mode, Online Armor just automatically creates permissions for programs, and displays no warnings. So that’s how it got by Online Armor. And Avast? Well, these rogue antiviruses are difficult for real antiviruses to detect, because they don’t act like malware: they don’t spread or tamper with other programs, they just nag, so the behavior detection is fooled. Then (with some of these programs) the signature detection is fooled as well, because the download is rebuilt or repacked often enough that each copy has a different checksum, and Avast has no stored checksum to match it against. Pretty sneaky.
Lessons to take away from this? Well… first, know what security software you have, and how it acts, so, when something pops up, you know whether it’s your software talking to you or not. Make sure you have good security software. McAfee isn’t it. I don’t think it ever was. Norton/Symantec used to be, but isn’t anymore. Now it’s a bloated, invasive sieve. There are several excellent antiviruses out there, and several excellent firewalls, too, and many of them are free.
Another thing is, surf safely. My friend visited a coupon site, and I have heard that these aren’t always safe. When she visited it, she got what is called a drive-by download: a program that downloads and installs itself without you knowing, and without your permission, usually through a hole in the browser or one of its plug-ins, or by tricking you into clicking a fake warning. (The related term “foistware” covers programs bundled into another install, which is the other common way unwanted software shows up.) Sites like those for lyrics, online gaming, porn, computer security (except the few real ones), file sharing, and so on, are favorites for spreading infections and foistware. Go to sites that are trustworthy, and avoid those you aren’t sure about. If you really want to visit a site that you don’t know about, then do a search on it first and see if anybody mentions it being a scam or infected.
Another tip: if you have a window pop up that says your computer is infected and you should let such-and-such program scan your computer, DON’T CLICK. Not even on “Cancel”, “No Thanks”, or even the red “X”. Those buttons are usually just part of a picture, and the whole picture is one big link to the download, so no means yes, cancel means yes, and so does the red X. To get out of it, if it will let you out, press Ctrl-Alt-Del and bring up the Task Manager. Select the browser under the Applications tab and click “End Task”. Then get MalwareBytes and scan your computer to see if anything has installed. If you can’t get out of it, turn the computer off. It’s better to have your computer scold you for not shutting it down properly than to install malware that may prevent it from booting again.
If you cannot get the Task Manager to come up, or MalwareBytes, then it probably is installed, and you may have to go through a procedure like we did. It may not be the recommended way to get rid of malware, but, when you have no alternative, at least you might be able to do that. It must be done very carefully, so you don’t delete system files. If in doubt, look the file up before deleting! It may be better to take the computer to a professional to have it cleaned, really, and I cannot be responsible for anyone crashing their computer because of what I have written here. I am just trying to add to the options of rescuing a computer that is infested with this “rogue antivirus“, so that people doing a search on it can find some additional help.
Avast antivirus: http://www.avast.com/index
Online Armor firewall: http://www.online-armor.com/
Comodo firewall (a little geekier than Online Armor): http://www.comodo.com/home/internet-security/firewall.php
CCleaner (while you’re at it, check out Defraggler!): http://www.piriform.com/
Where to go for help with malware: http://forums.majorgeeks.com/forumdisplay.php?f=35 ***Make sure to read the Sticky threads, especially read and do the READ AND RUN ME FIRST thread, before posting anything. Also, remember the person who will help you is a volunteer, and it may take a couple of days for them to pick up your case. They have jobs, or are students. It will not help to bump your thread; in fact, it will make it look like you’re already being helped.***
I could have used UBCD4WIN to remove this rogue antivirus. But I’m 5 hours away from the affected computer, and I would never expect someone who is not at least as geeky as I am (preferably more geeky than I) to use that. I could have had her run the cleaning processes at MajorGeeks, and posted her logs, but she uses this computer for her home business, and I couldn’t wait for a response in this case.
I wrote this because, while there are several guides out there to help remove Antivirus Studio 2010, they all assumed you could do things in normal mode. That was impossible in this case.
Careful surfing, people!!