How to remove that rogue antivirus program

Which leads us to a top tip. If, whilst you are browsing the Internet, a window pops up that (amongst other things) does any of the following:

a) Tells you your PC has a virus and you should click to remove it…

b) Tells you your antivirus product has expired or is unregistered and you should supply credit card details…

c) Offers to clean your registry because it has problems…


Then you should STOP! And run through the following points:


1. Was that your software that gave you that message? Lots of rogue programs are crafted to look like a Windows system message or like a product you already have, logo and colour scheme included. Ask yourself whether the product it names is even installed on your PC.

2. If you are even slightly unsure, close that message without clicking 'Yes'. We'd say don't even click 'No': every button in a fake alert is drawn by the attacker, so 'No', 'Cancel' and 'Remind me later' can start the download just as well as 'Yes' can.

3. Instead, close that window using the x in the top right hand corner of that window. Make sure it is the browser's own close button on the window frame and not an x drawn inside the web page, which is just another button. If the window refuses to close, end the browser from Task Manager (Ctrl+Shift+Esc) rather than clicking anything in it.

4. Close all other Internet browser windows - you've likely come across an infected website and you may have unwittingly installed a rogue program.





Already Infected

Of course, your computer could be like this laptop: already infected.

This rogue program - and there are many variants like it, such as Antivirus 2010 - is able to disable any antivirus you already have. In fact, it is able to prevent most programs from running.


Why doesn't my present antivirus protect me from this?

We knew you'd ask this. An up to date antivirus (AV) product would normally stop this sort of thing. But this isn't the run of the mill virus that you may come across. This one disguises itself as a legitimate program that seems to come to your rescue. You may have thought it was a legitimate program. You may have thought you were installing a video codec.

This rogue program uses a 'trojan method' to get to you: it relies on you running its installer yourself, and once it is in it disguises itself as a system file. The installer program is always changing - the people that write this stuff keep repackaging it, so the file your AV has a signature for is never quite the file you download.

You invite this one to install, and we suppose that when you do, you essentially ask your antivirus to step aside. An installer you run yourself gets all the rights of your account, and if you click through an administrator prompt as well, that is enough for it to stop the AV just as you could.



Sneaky Virus

Once the virus has taken hold of your computer, it is able to prevent you from running most AV.

In starting to repair the laptop, it's important not to connect a virus infected computer to the network. A lot of viruses are able to spread to other computers on the same network, and a rogue program that does get online can fetch more of the same.

As it was, even though the laptop wasn't connected to the internet, the fake antivirus was declaring that all sorts of internet attacks were being launched upon the poor unconnected computer. A genuine product cannot see attacks over a network the machine isn't on, so this alone gives the game away. It wanted a response but we weren't going to give it one!



Task Manager

We were able to start Task Manager. You can learn a lot about what you are dealing with here by looking at the processes that are running and looking out for those that you don't recognise. The name alone tells you little, because the rogue program borrows the names of real system files; what gives it away is where the file lives. Windows keeps its own executables in C:\Windows and C:\Windows\System32, not inside a user's profile.

In this case, we saw av.exe and ave.exe running and we reckoned that they were fake AV programs trying to look convincing. We found these inside the user profile of the person that was infected and so we renamed these. We also saw wuaucldt.exe, pretending to be a system file (the genuine Windows Update client is wuauclt.exe and lives in System32). But it was in the wrong place, again in the user's profile directory, so we renamed that too.

Now the laptop was a lot quieter. It was no longer popping up and making declarations. But there was still a fake icon in the system tray; clicking this would have shown something like the screen above, imploring you to click on it and fall into another trap.

At least we now had more control of the computer, except that the taskbar and Start button were not there.

So we ran explorer.exe from Task Manager (File > New Task (Run...), then type explorer.exe).
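The same triage, done by script rather than by eye. This is an added example in PowerShell and is not code from the original post: it lists every running process whose executable either borrows the name of a Windows system file but runs from somewhere other than that file's home directory (the C:\WINDOWS\Config\csrss.exe trick), or runs from inside a user profile (where av.exe, ave.exe and wuaucldt.exe were found). The name table is an assumption covering the names in the post plus a few common ones; extend it as you see fit.

```powershell
# Added example; not code from the original post. Flag processes that (a) use a
# well-known system executable's name but run from the wrong directory, or
# (b) run from inside a user profile. Run from an elevated PowerShell prompt so
# that the path of every process, not just your own, can be read.

$sys32 = Join-Path $env:SystemRoot 'System32'
$wow64 = Join-Path $env:SystemRoot 'SysWOW64'

# Where each well-known executable is allowed to live (assumed list; extend it).
$homeDirs = @{
    'csrss.exe'    = @($sys32)
    'smss.exe'     = @($sys32)
    'winlogon.exe' = @($sys32)
    'lsass.exe'    = @($sys32)
    'services.exe' = @($sys32)
    'svchost.exe'  = @($sys32, $wow64)
    'wuauclt.exe'  = @($sys32)
    'explorer.exe' = @($env:SystemRoot)
}

# Root of the user profiles: C:\Users on Vista and later,
# C:\Documents and Settings on XP.
$profilesRoot = Split-Path $env:USERPROFILE -Parent

function Get-SuspectProcess {
    Get-Process | ForEach-Object {
        $proc = $_
        $path = $null
        try { $path = $proc.MainModule.FileName } catch { }   # protected processes refuse; skip them
        if (-not $path) { return }

        $name    = (Split-Path $path -Leaf).ToLowerInvariant()
        $dir     = Split-Path $path -Parent
        $reasons = @()

        # (a) a system name in the wrong place, e.g. C:\WINDOWS\Config\csrss.exe.
        # The whole directory is compared, so C:\Windows\Config does not pass
        # merely because it sits underneath C:\Windows.
        if ($homeDirs.ContainsKey($name)) {
            $atHome = @($homeDirs[$name] | Where-Object { $_ -ieq $dir }).Count -gt 0
            if (-not $atHome) { $reasons += "system file name outside $($homeDirs[$name] -join ' or ')" }
        }

        # (b) anything executing from a profile, e.g. ...\AppData\Local\Temp\av.exe.
        # Legitimate per-user installs exist, so this is a prompt to look, not a verdict.
        if ($path.StartsWith($profilesRoot + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'running from a user profile'
        }

        if ($reasons.Count -eq 0) { return }

        # For anything already flagged, add the Authenticode status as a further hint.
        # 'NotSigned' is not proof on its own; plenty of honest tools are unsigned.
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Id        = $proc.Id
            Name      = $proc.ProcessName
            Path      = $path
            Signature = $sig.Status
            Reasons   = ($reasons -join '; ')
        }
    }
}

Get-SuspectProcess | Format-Table -AutoSize -Wrap
```

A hit is a reason to stop the process (Stop-Process -Id) and then rename or move the file, as the post did by hand, not a verdict in itself. Processes belonging to other users show no path unless the prompt is elevated, so an unelevated run can miss exactly the processes you are looking for.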





Bring Out the Anti-Virus

With the virus partially defeated, it was time to properly clean the computer with an AV. We keep a copy of AVG Antivirus on USB. The nice people at AVG do a free version that is top notch at detecting and cleaning viruses. The full version just offers you more and more protection, which can only be a good thing. But the free version was good enough for what we needed to do now.


As mentioned, this virus (and a lot of others) is able to stop an anti-virus product from running, and so we reckoned we had two choices:

a) Create a new user to run the AV with, or

b) Rename the AV executable - the idea being that the virus won't recognise what's coming! Rogue programs of this kind typically block other software by matching its executable name, so a renamed copy often slips past.

We were able to create a new login whilst logged in as the virus-infected user, and give that user administrator rights. The new user's profile wasn't infected and so we were able to run the AV. (A clean profile is a clean start, not a clean machine: anything installed machine-wide, such as a service or a HKEY_LOCAL_MACHINE Run entry, would have started under the new account too, which is why the full scan still matters.)

The AV picked up a number of other viruses - this computer had been on the Internet for a year without any up to date protection. AVG dealt with the viruses without any problems.





Taskbar still not starting when the computer starts

Despite being cleaned by AVG, the computer remained 'broken'. The taskbar would not start and so we had a computer that would only give a blank desktop along with Windows Explorer starting at the Documents folder.

This wouldn't be satisfactory for our customer.

We began to look for a fix on the Internet. On another computer, of course. We found loads of scary stuff that we should warn you about.

Most articles that describe this problem well enough are then hijacked by lowlifes that post responses recommending that you follow links to various websites to 'fix' the problem. These websites invariably were infected. So, be careful out there.

We knew that we could start explorer.exe (the executable responsible for displaying the taskbar, the Start button and the system tray) by using the Task Manager. But if explorer.exe is then clearly working OK, then what stops it from working when the computer starts?


Enter the registry.

Here's what a working system would look like. The value in question is Shell, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; it tells Winlogon which program to start as the desktop shell once you log on.

[Screenshot: the Winlogon key in Registry Editor on a working Windows 7 machine, with Shell set to explorer.exe]

You'll see that the value for Shell is explorer.exe.

Copyright 2010 Cairos Computing Limited. Help Computing is a trading style of Cairos Computing Ltd.


On the ailing Vista laptop, the value was
Explorer.exe C:\WINDOWS\Config\csrss.exe


csrss.exe is the name of a normal system file (the Client/Server Runtime Subsystem, which lives in C:\WINDOWS\System32), but in this case, living as it was in C:\WINDOWS\Config, it was a remnant of the virus. This virus copies the naming of several system files in an effort to remain undetected. Because the file (the virus) no longer existed in that location, it would seem that Explorer.exe never got executed as the shell: the extra entry turned a simple 'explorer.exe' into a command line that Winlogon could no longer carry out as intended.


We corrected the registry so that the value was only
explorer.exe, and on reboot the problem was resolved.
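The check and the fix above, as an added PowerShell example that is not code from the original post. It assumes the stock values of explorer.exe for Shell and C:\Windows\System32\userinit.exe, (trailing comma included) for Userinit. It goes a little beyond the post: it also checks Userinit, which the same family of rogue programs alters in the same way, and the per-user copy of the Winlogon key under HKEY_CURRENT_USER, whose Shell value is honoured too. For each extra entry it reports whether the file still exists, which is exactly the situation on the laptop (the AV had removed csrss.exe but not the reference to it).

```powershell
# Added example; not code from the original post. Report the Winlogon Shell and
# Userinit values in both the machine key and the current user's key, list any
# extra entries and whether their files still exist, and with -Repair put the
# stock values back after writing a .reg backup. Run from an elevated prompt.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Stock values on a clean install (assumed). Userinit ends with a comma; Shell has no path.
$expected = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = (Join-Path $env:SystemRoot 'System32\userinit.exe') + ','
}

function Test-WinlogonValue {
    param([string]$Key, [string]$Name, [switch]$Repair)

    $actual = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).$Name
    if ($null -eq $actual) {
        if ($Key -like 'HKCU:*') { return "$Key\$Name not set (normal for the per-user key)" }
        return "$Key\$Name MISSING - the machine key must have it"
    }
    if ($actual -ieq $expected[$Name]) { return "$Key\$Name OK: $actual" }

    $report = @("$Key\$Name MODIFIED: '$actual' (expected '$($expected[$Name])')")

    # List every extra entry and whether its file is still there. On the laptop in
    # the post the extra Shell entry was C:\WINDOWS\Config\csrss.exe, which the AV
    # had already removed, so the shell never started properly at logon.
    $sep = if ($Name -eq 'Shell') { ' ' } else { ',' }
    foreach ($entry in ($actual -split $sep | Where-Object { $_ })) {
        if ($entry -ieq 'explorer.exe' -or ($entry + ',') -ieq $expected['Userinit']) { continue }
        $state = if ($entry -match '\\') {
            if (Test-Path -LiteralPath $entry) { 'file present' } else { 'file no longer exists' }
        } else { 'bare name, resolved via PATH' }
        $report += "  extra entry: $entry  [$state]"
    }

    if ($Repair) {
        $hive   = ($Key -split ':')[0]
        $backup = Join-Path $env:TEMP ('winlogon-{0}-{1:yyyyMMdd-HHmmss}.reg' -f $hive, (Get-Date))
        # reg.exe wants HKLM\... rather than the HKLM:\... PowerShell drive form.
        & reg.exe export ($Key -replace ':', '') $backup /y | Out-Null
        if ($hive -eq 'HKCU') {
            # The per-user value is not normally present at all, so remove the override.
            Remove-ItemProperty -Path $Key -Name $Name
            $report += "  removed per-user override (backup: $backup)"
        } else {
            Set-ItemProperty -Path $Key -Name $Name -Value $expected[$Name]
            $report += "  restored to '$($expected[$Name])' (backup: $backup)"
        }
    }
    return $report
}

foreach ($k in $keys) {
    foreach ($n in $expected.Keys) { Test-WinlogonValue -Key $k -Name $n }
}
# To fix as well as report, add -Repair to the call above and reboot afterwards.
```

The backup is deliberate: Winlogon values are read at every logon, and a typo in Userinit locks everyone out of the machine, so keep the .reg file until a reboot has proved the repair.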




So now, some time later, we're on the home straight!


Update the AV, uninstall any suspect programs, get Windows fully updated. Set up the computer properly. Issue some recommendations for the laptop owner. I can't be certain the user's logon isn't still compromised so I'll have to test that. Oh, and there are still 41 Windows system updates to install…


We reckon that most companies would have given up a lot earlier, wiped the laptop and started again. But we never like to put a good laptop down! That's not to say that we don't meet computers that are so messed up that we have to; a rebuild is the only way to be certain nothing was missed, and it remains the right call when the owner can't live with that doubt. But happily, not on this occasion.



News Flash!

As we type, we've discovered that the user's logon is still messed up! File associations seem to be broken. This is only the case for the originally infected user, which points at that user's own part of the registry (HKEY_CURRENT_USER), the part a freshly created account doesn't share.

We could just delete that user - we had already warned our customer that we might have to do that, and we did it on a previous job with a similar infection. But we are flushed with success so far, so we'll finish the job and bring every laptop back home!

We'll work some more on this and let you know what happened and how we resolved it.


helpcomputing vs. one infected laptop - round 2