Action Antivirus Virus
December 7, 2010 8:20 PM Subscribe
My girlfriends Windows 7 Laptop is infected with the Action Antivirus virus and I am trying to talk her through (we live in different states) the removal process - not working out. Please help.
She has a Kaspersky Antivirus CD from approx 2008 she tried to run but it did not work - she received a message that it was infected. She can not connect to the net and her desktop is flooded with warnings about viruses, which is apparently how Action Antivirus virus works.
I have advised her to purchase ESET Antivirus and Trend Micro Antispyware in the morning (we are in US EST) but am hoping someone might be able to help before then - this is her finals week and she is freaking out as she has papers due and can not access any files or folders on the Laptop.
She has a Kaspersky Antivirus CD from approx 2008 she tried to run but it did not work - she received a message that it was infected. She can not connect to the net and her desktop is flooded with warnings about viruses, which is apparently how Action Antivirus virus works.
I have advised her to purchase ESET Antivirus and Trend Micro Antispyware in the morning (we are in US EST) but am hoping someone might be able to help before then - this is her finals week and she is freaking out as she has papers due and can not access any files or folders on the Laptop.
And since she can't get out to the internet, download those things on a roommates or library computer and carry them on a thumb drive back to hers. Start the computer in safe mode with networking and the internet should start back up.
posted by deezil at 8:41 PM on December 7, 2010
posted by deezil at 8:41 PM on December 7, 2010
If not, check the proxy settings in control panel > internet options, connections tab, advanced button, and uncheck the proxy box there if checked
posted by deezil at 8:43 PM on December 7, 2010
posted by deezil at 8:43 PM on December 7, 2010
Best answer: I would advise against the trend micro product. We use that on our campus and it's caused nothing but problems (and I hear the consumer versions are even worse). Does she have access to another computer with internet access (that's not infected)? If so, I'd recommend the forums at bleepingcomputer.com. The people there really know what they're doing and can walk just about anybody through how to clean up a system.
Depending on her (and your) level of tech savvy, you might have better luck removing the virus by putting the computer into in Safe Mode. (instructions) It sounds like this is one of the fake antivirus programs that blocks anything that could be used to repair it. If you can get the computer loaded into Safe Mode it may bypass the virus so you can actually remove it...
Here's the standard set of tools I use to remove these things on student's computers (I work at a university... we see a lot of this):
Start the computer up in Safe Mode, and on every reboot make sure to put it into safe mode until you're done running all the scans and cleanup tools.
Run CCleaner with default options selected. This will clear out all of the internet cache files and other system temporary files that don't get cleaned up automatically.
Run Malwarebytes' Anti-Malware (aka MBAM) -- the free version works just fine. Make sure you update it after it's installed (via the Update tab in the program). The quick scan usually does a good job of getting rid of everything. If you want to be sure (or are still having issues after a quick scan and reboot), you can do a full scan, but keep in mind it might take a couple of hours. The quick scan usually only takes 10-20 mins.
Run TDSSKiller from Kaspersky Labs -- Just download and run it. Click Start Scan to get it going. Usually takes 2-5 mins to run.
Make sure you reboot (back into safe mode!) after each scan with MBAM and TDSSKiller.
--
I just realized I spend WAY too much time doing this at work. Message me if you want more details or anything, I'll be happy to help in any way I can. These fake AV programs suck. =/
posted by wxguychris at 8:49 PM on December 7, 2010 [1 favorite]
Depending on her (and your) level of tech savvy, you might have better luck removing the virus by putting the computer into in Safe Mode. (instructions) It sounds like this is one of the fake antivirus programs that blocks anything that could be used to repair it. If you can get the computer loaded into Safe Mode it may bypass the virus so you can actually remove it...
Here's the standard set of tools I use to remove these things on student's computers (I work at a university... we see a lot of this):
Start the computer up in Safe Mode, and on every reboot make sure to put it into safe mode until you're done running all the scans and cleanup tools.
Run CCleaner with default options selected. This will clear out all of the internet cache files and other system temporary files that don't get cleaned up automatically.
Run Malwarebytes' Anti-Malware (aka MBAM) -- the free version works just fine. Make sure you update it after it's installed (via the Update tab in the program). The quick scan usually does a good job of getting rid of everything. If you want to be sure (or are still having issues after a quick scan and reboot), you can do a full scan, but keep in mind it might take a couple of hours. The quick scan usually only takes 10-20 mins.
Run TDSSKiller from Kaspersky Labs -- Just download and run it. Click Start Scan to get it going. Usually takes 2-5 mins to run.
Make sure you reboot (back into safe mode!) after each scan with MBAM and TDSSKiller.
--
I just realized I spend WAY too much time doing this at work. Message me if you want more details or anything, I'll be happy to help in any way I can. These fake AV programs suck. =/
posted by wxguychris at 8:49 PM on December 7, 2010 [1 favorite]
Response by poster: deezil and wxguychris, thank you so much for the detailed and quick answers. I am turning my login info over to my girlfriend so she can respond in thread. She will be up for several hours but I have to go to work in a few.
posted by nautical-by-nature at 8:58 PM on December 7, 2010
posted by nautical-by-nature at 8:58 PM on December 7, 2010
Response by poster: Hi, it's girlfriend here. Thanks for your suggestions. I will definitely get my roommate's computer in the AM and follow instructions. A glimmer of hope - was ready to fire this computer out the window!
posted by nautical-by-nature at 9:18 PM on December 7, 2010
posted by nautical-by-nature at 9:18 PM on December 7, 2010
One tip that worked for me when I was trying to rescue my computer from a similar "buy this fake antivirus" virus was to *rename* the install file for MBAM before transferring it from my friend's laptop to mine - the virus may be aware of and resistant to mbam.exe but not changedthisname.exe
Another thing that might lower your anxiety as you're going through the process is to know that programs like this are not designed to nuke your computer, they are designed to steal your credit card info. The idea is for you to be scared and think the only way to be protected from scary scary viruses is to buy their antivirus. There might be a keylogger to, similarly, try and catch your credit card info that way. If you follow the prompts on a fake program like this, it very quickly asks you to buy the product. Don't do this and you will be fine :)
This video walks you through what the virus is doing - including things like opening viagra.com to make you afraid about porn/spam. This one walks you through removal (using the software people mention above) in plenty of detail in case that's helpful.
posted by heyforfour at 9:54 PM on December 7, 2010
Another thing that might lower your anxiety as you're going through the process is to know that programs like this are not designed to nuke your computer, they are designed to steal your credit card info. The idea is for you to be scared and think the only way to be protected from scary scary viruses is to buy their antivirus. There might be a keylogger to, similarly, try and catch your credit card info that way. If you follow the prompts on a fake program like this, it very quickly asks you to buy the product. Don't do this and you will be fine :)
This video walks you through what the virus is doing - including things like opening viagra.com to make you afraid about porn/spam. This one walks you through removal (using the software people mention above) in plenty of detail in case that's helpful.
posted by heyforfour at 9:54 PM on December 7, 2010
Response by poster: The follow-up I have is this:
When I tried to install the Eset and Trend antivirus software, it popped up with a message saying i may not have the appropriate permissions. Is this because it was just a free trial? Will the other antivirus software suggested present the same issues? Thanks.
posted by nautical-by-nature at 10:00 PM on December 7, 2010
When I tried to install the Eset and Trend antivirus software, it popped up with a message saying i may not have the appropriate permissions. Is this because it was just a free trial? Will the other antivirus software suggested present the same issues? Thanks.
posted by nautical-by-nature at 10:00 PM on December 7, 2010
I was able to clear this one out today from one of my machines by booting into Safe Mode and using Spybot S&D with the latest updates. I already had Spybot installed, however, so like Deezil said, there are additional steps to take if you need to get new software onto the affected box.
posted by treblemaker at 12:02 AM on December 8, 2010
posted by treblemaker at 12:02 AM on December 8, 2010
If her machine will boot and she can install programs, both of you install 'TeamViewer', at least you can then access her machine remotely. Oh and install Ubuntu next time your at her place ;)
posted by gallagho at 12:57 AM on December 8, 2010
posted by gallagho at 12:57 AM on December 8, 2010
Heh, just had to do this today. Following some links from deezil's profile, I found this uninstall guide at bleepingcomputer.com
After booting in safe mode, I used RKill to stop any processes associated with Action Anitvirus. Then I ran a full scan with Malwarebytes, which seems to have got rid of it.
posted by Miss Otis' Egrets at 1:38 AM on December 8, 2010
After booting in safe mode, I used RKill to stop any processes associated with Action Anitvirus. Then I ran a full scan with Malwarebytes, which seems to have got rid of it.
posted by Miss Otis' Egrets at 1:38 AM on December 8, 2010
Best answer: If it's not fixt just yet, I'd like to add my new favorite tool to the arsenal, Hitman Pro. Just yesterday I did some trials with it, and it outperformed Rkill+TDSS Killer+Malwarebytes+SuperAntiSpywarePortable to remove a TDL3 variant rootkit.
Took a couple reboots, but tres easier. Normally my cleanup on those runs into the hours waiting for scans, this one took maybe 45 mins total.
Safe Mode + Networking will generally let you use Mikogo, even when you can't use teamviewer. Mikogo will let you send files direct to desktop.
Feel free to hit me up if you don't get it sorted out.
posted by TomMelee at 6:43 AM on December 8, 2010 [2 favorites]
Took a couple reboots, but tres easier. Normally my cleanup on those runs into the hours waiting for scans, this one took maybe 45 mins total.
Safe Mode + Networking will generally let you use Mikogo, even when you can't use teamviewer. Mikogo will let you send files direct to desktop.
Feel free to hit me up if you don't get it sorted out.
posted by TomMelee at 6:43 AM on December 8, 2010 [2 favorites]
If you have the Win 7 cd that came with the laptop, boot the laptop to the cd, then run a startup repair or restore to a previous restore point. Uninstall Kaspersky (it is way to old to work on the newer stuff), install a free anti virus like AVG, update, then install Malware Bytes, update, scan with one, then scan with the other. When it is free and clear, create another restore point.
posted by santaslittlehelper at 1:07 PM on December 8, 2010
posted by santaslittlehelper at 1:07 PM on December 8, 2010
« Older How to buy a nice bottle of scotch? | christmas idea for my musically-inclined cousin? Newer »
This thread is closed to new comments.
posted by deezil at 8:36 PM on December 7, 2010 [2 favorites]