Join 3,558 readers in helping fund MetaFilter (Hide)


How do I make an Antivirus Pro 2010/Protection System infection go away?
September 24, 2009 4:49 PM   Subscribe

How do I make an Antivirus Pro 2010/Protection System infection go away?

I got it bad. I cannot run any executible files. When I try to run a program I either get a rundll32.exe error, or I get the "Open With" dialog box. Regedit doesn't work, either. How can I make this go away short of formatting the HD? There are some files on the computer that I'd like to try to salvage if possible.
posted by momzilla to Computers & Internet (21 answers total)
 
Is the malware talked about in this what you currently have?

If it is, there are step by step instructions to remove it from your computer on the page.

Hope that helps.
posted by Gravitus at 5:16 PM on September 24, 2009


Use a livecd to boot the box up and get your files off onto a USB stick or something, then format the drive. And of course next time, keep backups and have better antivirus to prevent infection.
posted by jjb at 5:17 PM on September 24, 2009


Yes, that would be the virus. I already tried that but it won't run the executible file.
posted by momzilla at 5:21 PM on September 24, 2009


err I linked the wrong page also. Sorry.

You need to restart the comp and boot into safe mode.

Print off the regkey locations and files locations for reference.

Go in and manually remove that crap one line at a time.


Here are the entries that need to be deleted:

c:\Program Files\AV2010
c:\Program Files\AV2010\AV2010.exe
c:\Program Files\AV2010\svchost.exe
c:\WINDOWS\system32\IEDefender.dll
c:\WINDOWS\system32\wingamma.exe
c:\Documents and Settings\All Users\Desktop\AV2010.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010\AV2010.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010\Uninstall.lnk

and registry keys to be removed:

HKEY_CURRENT_USER\Software\AV2010
HKEY_CLASSES_ROOT\AppID\{3C40236D-990B-443C-90E8-B1C07BCD4A68}
HKEY_CLASSES_ROOT\AppID\IEDefender.DLL
HKEY_CLASSES_ROOT\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO
HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO.1
HKEY_CLASSES_ROOT\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}
HKEY_CLASSES_ROOT\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0013
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Gamma Display"

I've done this to remove that crap from a few friends computers. Also get hijackthis and install it under safemode from a usb stick or something. That will help you terminate any running processes that are being stubborn.
posted by Gravitus at 5:31 PM on September 24, 2009


It's been my extended experience that when you are infected in such a way where executables won't launch, Regedit won't launch (and most likely Defrag won't launch).. then I would almost bet money that you are infected more deeply (probably a rootkit using hidden services,etc) than Gravitus describes in his comment above.

Here is what I would do:

1.) Disable Windows System Restore

2.) Download and install MalwareBytes (if you are not able to run the installer, rename it to something silly like "banana.exe" and it should install correctly)... If, after getting it installed, you can't run the actual program ("mbam.exe")... then you can also use the rename trick to get it to run.

3.) I would also try running GMER and ComboFix. GMER is a rootkit detecter tool that is quite good and will tell you if you (and let you right-click/delete) any hidden Registry services or .DLL's.

Typically at this point (after running the above 3 utilities)... you "should" be able to run EXE's, access the Registry normally and run Defrag.

4.) 2 more scans I would recommend doing are ESET's NOD32 online scanner (FREE) and Spybot Search and Destroy.


I typically fight 5 to 10 infections like this a week.. and It's been a long time since I've ever had to resort to rebooting the machine in SafeMode. In theory its good practice,.. but I've just found it to be no longer necessary to get back to a clean machine.

As you are scanning and rebooting, you'll want to watch the following folders for any strangely named files:

C:\Windows\system32
C:\Documents and Settings\--your-profilename-here--\Local Settings\Temp


MeMail me if you need help.. I'd be happy to
posted by jmnugent at 5:43 PM on September 24, 2009


Thanks to you both. Unfortunately I don't know how to get to those registry entries. Regedit won't work from Run or command prompt. Is there another trick to getting to the registry?

Also, when I boot in Safe Mode, the My Computer icon isn't there ... is there another way to disable system restore?

I did try renaming Malware's .exe file but it still didn't work ... I get the Open With dialog box.

Looks like we have a Charlie Foxtrot.
posted by momzilla at 6:05 PM on September 24, 2009


Control Panel -> System should be the same as right-clicking My Computer and selecting Properties.
posted by reptile at 6:14 PM on September 24, 2009


@reptile: Thanks; it says "Application not found". I cry now.
posted by momzilla at 6:16 PM on September 24, 2009


Trying to clean the Registry manually is an exercise in futility...... (it can be done, but as fubar'ed as your system is, the only way you'll be able to fight your way out of it is with automatic scanners/cleaners). Do GMER and Combofix run ?... (they are stand alone utilities that ( I believe) rely less on Registry hooks)

Can you get to Task Manager?.. (I'm gonna guess NO.. but had to ask)
posted by jmnugent at 6:23 PM on September 24, 2009


Oh, god. I so feel your pain. My boss managed to get this on his computer earlier this week by being careless, and I had to drop everything to deal with it. What a nightmare.

That said, I did find a good way to get rid of it. Once I found it, it only took about 40 minutes or so to fix.

My steps:
-Unhooked him from the internet and shut down his computer
-Printed the instructions
-Used my own (uninfected) computer to download OTM + copy the script from the instructions into a .txt file, plus to create the registry fix
-Downloaded the most recent version of Malwarebytes as well
-Copied the downloaded files to a thumb drive
-Restarted his computer in safe mode (without networking)
-Ran through the whole removal procedure as outlined in that link, starting by running OTM through the Run menu
-Restarted a few times as prompted
-Once I had followed the instructions to the end, I still re-ran OTM and the script to make sure that it couldn't find the files anywhere
-Ran Malwarebytes and Bitdefender deep scans over night
-Cleared out all traces of downloaded crap and anything sitting in quarantine using CCleaner.

(His computer is fine now. I chewed him out, though... WATCH OUT for video files your friends send you, asking to install missing codecs...)
posted by gemmy at 6:34 PM on September 24, 2009


Oh, scratch the reference to the registry fix. He had both Windows Police Pro, which required the registry fix, and the Antivirus Pro 2010 infection which did not.
posted by gemmy at 6:42 PM on September 24, 2009


Look at my profile for the mega instruction set.
posted by deezil at 6:48 PM on September 24, 2009 [1 favorite]


@jmnugent: Combofix won't run ... still get the Open With dialog box. Yes, I can get to task manager.

@gemmy: I did have Windows Police Pro also. I managed to delete most of those files already. I am going to try what you did and see what happens.
posted by momzilla at 6:52 PM on September 24, 2009


@deezil: Actually, I printed and tried your instructions before posting this question. Unfortunately I can't disable system restore and I can't get any exe files to run, so I didn't get far.
posted by momzilla at 6:56 PM on September 24, 2009


Oh. If you can't get OTM program to run, since the malware affects .exe files, you can try just renaming the file to otm.com and then double-click to run it. It works that way too.

(Just in case you didn't know, the "@" notation you used tends to be kind of frowned upon around here. Not so much here in Ask, but if you venture into the blue/gray at some point.)
posted by gemmy at 8:50 PM on September 24, 2009


Is there another trick to getting to the registry?

Regedit allows you to edit registry hive files from other Windows installations than the one you're running. So if you boot into a clean Windows environment via a BartPE CD-ROM (which you will need to prepare on some other, clean Windows computer if you don't already have it), then run Regedit from there, you can load the hives from your infected Windows installation that want modifying, modify them, and unload them.

You can load additional hives under HKEY_LOCAL_MACHINE or HKEY_USERS. To do that:
  1. Open Regedit.
  2. Click one of the above keys (it's conventional to pick HKEY_LOCAL_MACHINE if you're going to work with a SYSTEM or SOFTWARE hive, HKEY_USERS if you're going to work with a user hive).
  3. Choose Load Hive from the File menu.
  4. Browse to find the hive file. You will find SYSTEM and SOFTWARE hive files in C:\WINDOWS\system32\config, with those names (ignore the .log and any .sav versions). User hive files will be in C:\Documents and Settings\%user%\NTUSER.DAT (one for each user account in the Windows installation).
  5. You'll be asked to name the hive. I generally call the SYSTEM hive c-system, and the SOFTWARE hive c-software, and use the usernames to name the NTUSER.DAT hives (this works because Windows uses the SID, not the username, for user hives loaded for the current Windows session).
  6. Make the edits you want, modifying the registry key names appropriately. For example, to delete the "Windows Gamma Display" value from the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key in the loaded SOFTWARE hive, you'd actually delete it from HKEY_LOCAL_MACHINE\c-software\Microsoft\Windows\CurrentVersion\Run. If you're told to delete something from ControlSet001, delete the corresponding entry under ControlSet002 and ControlSet003 as well, if those exist; it's not in general predictable which ControlSetNNN key will end up being CurrentControlSet when Windows boots. Also, if you're told to delete something from under HKEY_CLASSES_ROOT, look for it in HKEY_LOCAL_MACHINE\c-system\Classes and in all the HKEY_USERS\%user%\Classes keys as well; HKEY_CLASSES_ROOT is a composite key that Windows builds dynamically by merging all of the above. Anything referring to HKEY_CURRENT_USER should be done repeatedly for each HKEY_USERS\%user% key.
  7. After you've made all your edits, for each hive you loaded: click it, then choose Unload Hive from the File menu.
Getting rid of trojans in general and these fake antivirus ones in particular is generally a lengthy, nitpicking, failure-prone process. I used to have the energy for it, but at some point I found that I'd done again on the same box once too often. These days, I encourage most of my customers to let me back their boxes up, nuke and pave with Linux, and restore all their documents. I install VirtualBox to make minimal Windows environments for the occasional vital Windows app (e.g. QuickBooks). If the household has teenagers, I set up a dual-boot Windows partition for them to run their Sims or whatever in, and put panel buttons to invoke little backup and revert scripts on the Ubuntu side so that when the teens drive the Windows side into the weeds (which they always do, eventually) then Windows can be restored to the last-backed-up state in minutes instead of hours. This is far more fun for me, and they end up with a computer they can actually use instead of one that's constantly vandalized by malware.
posted by flabdablet at 7:27 AM on September 25, 2009


flabdablet: Getting rid of trojans in general and these fake antivirus ones in particular is generally a lengthy, nitpicking, failure-prone process. I used to have the energy for it, but at some point I found that I'd done again on the same box once too often. These days, I encourage most of my customers to let me back their boxes up, nuke and pave with Linux, and restore all their documents. I install VirtualBox to make minimal Windows environments for the occasional vital Windows app (e.g. QuickBooks). If the household has teenagers, I set up a dual-boot Windows partition for them to run their Sims or whatever in, and put panel buttons to invoke little backup and revert scripts on the Ubuntu side so that when the teens drive the Windows side into the weeds (which they always do, eventually) then Windows can be restored to the last-backed-up state in minutes instead of hours. This is far more fun for me, and they end up with a computer they can actually use instead of one that's constantly vandalized by malware."

That sounds exactly like what I should do for the computers at our office. It seems so painfully obvious once you wrote it out but I never even thought about running the system that way. Awesome idea!!!!
posted by Gravitus at 8:59 AM on September 25, 2009


Thank you all for your assistance. I will work on this over the weekend and let you know how it went.

How this happened: son was playing on computer when he received the pop-up saying he had a virus, click here to fix it. So he followed the instructions. I have McAfee, Windows Defender and Malwarebytes on the PC, all of which are allegedly updated automatically. I feel so dirty now.

Gemmy, thanks for the tip. I don't get out much as you can see.
posted by momzilla at 9:11 AM on September 25, 2009


I have McAfee, Windows Defender and Malwarebytes on the PC, all of which are allegedly updated automatically.

In my experience, McAfee and Windows Defender both cause more problems than they prevent. Malwarebytes I've only ever used as a post-infection scanner, at which job it seems decent.

None of these things, though, will protect a computer against being stuffed up by a teenage sysadmin. Teenagers are not careful people, and if a teenager has access to an administrative account on your Windows box, it will be driven into the weeds again.

Give serious consideration to setting up a dual-boot environment, where you can continue to get your work done in Ubuntu regardless of what horrors are being perpetrated over in the Windows wasteland; leave your son with admin access to the Windows half, but desktop user only status on the Ubuntu half, and make it a rule that if Windows goes belly up you'll just revert it and everything that got put on it since you last backed it up is going to go away. The flip side of not being careful about what gets put on the PC seems to be not caring much what's kept on the PC, so this arrangement will probably suit both of you.
posted by flabdablet at 9:39 AM on September 25, 2009


I believe I was able to fix the problem. I was finally able to get into the Computer Management console to view running services. I stopped the "Antipol" service and changed the startup type to disabled. After that, I was able to run Combofix, which worked like a charm and open the registry editor.

Flabdablet, I am definitely going to try your dual-boot environment suggestion. Thanks to all for your help!
posted by momzilla at 8:36 PM on September 25, 2009


If you're going to use the backup and revert scripts I linked to earlier, you should modify the embedded pathnames for the Windows partition and the default backup file before you actually use them. If you want to do that but you're not comfortable with shell scripts, let me know.
posted by flabdablet at 6:01 PM on September 26, 2009


« Older What are the major obstacles o...   |  First time building a landscap... Newer »
This thread is closed to new comments.