Question

Anti Virus 2010 Removal

Asked by: PlymouthIT

Hello Everyone
I have a Windows XP PC that I cannot remove the malware Anti-Virus 2010 from. In my case it's blocking Malwarebytes and Ad-Aware from running. I tried safe mode and reinstalling, and nothing will work. Is there a second virus\SPAM\spyware program?

This question has been solved and asker verified.


Asked on: 2009-07-30 at 21:13:20, ID 24615668
Topic: Anti-Virus Applications
Participating experts: 9
Points: 500
Comments: 55


Answers

 

by: warturtle, posted on 2009-07-30 at 23:59:14, ID: 24986827

Hello,

You need ComboFix to kill this infection. Download it from here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix . Read the instructions carefully before running it. I will summarize them below:

Disable all antivirus and antispyware programs and then run ComboFix. After ComboFix has created a log, re-enable the security programs again and send us the log. Run MalwareBytes right after ComboFix has run to finish off the infection.

In case ComboFix doesn't run, or flashes for a second and then disappears, download it again and save it as jabba.exe and then follow the above instructions.

Hope it helps.

 

by: dragon24, posted on 2009-07-31 at 05:24:11, ID: 24988076

You might want to also try MalwareBytes http://www.malwarebytes.org/
I just had a coworker with Antivirus 2010 and MalwareBytes cleaned it up completely and easily. When you click on the above link, download the free scanner on the left of the page. Run the program, and after it installs and does an automatic update, run the program and do a quick scan. Make sure to disable any antivirus software before running the program. After it completes the scan, follow the prompts for removal. You will need to reboot to complete the removal process.
Hope this helps, it did for me!

 

by: PlymouthIT, posted on 2009-07-31 at 07:22:44, ID: 24989026

Folks, nothing is working. Whatever is on this PC will not allow .exe files to run, ComboFix included.

So far these programs will not run no matter what I try:

Ad-Aware
Malwarebytes
ComboFix
AVG did remove viruses

 

by: PlymouthIT, posted on 2009-07-31 at 07:31:05, ID: 24989094

I've also tried running RegCure and Spyware Doctor, but they want payment before proving their products will work. I have no issue paying, but they're not going to take my money and run.

 

by: StrifeJester, posted on 2009-07-31 at 07:33:42, ID: 24989120

One, you could search for the Spyware Doctor Starter Edition; it is in the Google Pack and is free. Second, try running an online scan if you can still get to certain websites such as

safety.live.com
housecall.trendmicro.com

Those two can scan without installing and might give you a good start.
Avast is also free, and I have seen a lot of malware that for some reason lets Avast install, and then you can schedule a boot time scan.

 

by: warturtle, posted on 2009-07-31 at 08:03:03, ID: 24989404

I see. Download the Kaspersky Live CD from here: ftp://ftp.downloads1.kaspersky-labs.com/devbuilds/RescueDisk/ and burn the ISO as an image on a CD. Then boot your PC from this CD and run the scanner. Following this scanner, boot your PC in normal mode and use MalwareBytes scanner to remove anything that is left.

The CD might ask you to update its definitions, but don't worry about the message. Just close it.

 

by: dragon24, posted on 2009-07-31 at 10:12:18, ID: 24990699

Have you tried to run MalwareBytes in safe mode? At bootup press the F8 key and choose safe mode, you should be able to run the program from there. Let me know.

 

by: PlymouthIT, posted on 2009-07-31 at 11:46:42, ID: 24991358

Folks

It doesn't seem to matter whether the PC is in safe mode or not; it is still stopping all .exes or programs that would potentially remove the malware, or whatever is on this PC, from running. I just installed the TrendMicro program as suggested by StrifeJester: it is now stopping that program from launching too.
I'm working on creating an ISO disk as suggested by warturtle. I'll keep you posted.

 

by: pcmiracles, posted on 2009-07-31 at 12:25:27, ID: 24991668

I am having the same problem with this "Home Antivirus 2010". I don't know if it's the 2010 anti virus software or something else that was bundled with it.

I'm not sure how they are doing this now, but before it seemed like there was a hidden device in the device manager which needed to be removed to get the software to install and run. Now, after following several walkthroughs to get this infection off the system, I keep running into a dead end as the majority of dll's and registry entries that are required to be deleted are non-existent.

I even pulled the drive out of the laptop and hooked it into my workstation on my tech bench and ran a Malwarebytes scan on the drive, and it came up with 3 infections. After removal I saw no difference in the machine's behavior.

I wish I could help you out PlymouthIT.

 

by: warturtle, posted on 2009-07-31 at 13:49:43, ID: 24992340

It seems to be a rootkit that is operating in the background and has registered itself as a driver within the system. The Kaspersky Live CD will not load Windows files or drivers and hence would be very effective against rootkits. This CD has a small Linux system onboard and doesn't need any Windows support to boot. Here is some information on Antivirus 2010:

http://www.bleepingcomputer.com/virus-removal/remove-antivirus-2010

@pcmiracles:
You can try the same solution as well.

 

by: PlymouthIT, posted on 2009-07-31 at 14:01:35, ID: 24992415

Ok

I just finished the Kaspersky Live CD. It did remove a malware called Myway something. I didn't write down the full name.
I booted in safe mode and tried Malwarebytes again, same problem. Something blocked it from loading. I'm getting ready to format the hard drive, I've spent too much time on this one. Does anyone have a second idea or two before I wipe the drive?

It would be nice to find out what it is that's causing this.

 

by: warturtle, posted on 2009-07-31 at 14:41:45, ID: 24992688

Can you send us a HijackThis log from your system before formatting it? It can be downloaded from:

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

I am trying to see if it's a program that is starting at bootup.

 

by: volcer35, posted on 2009-07-31 at 14:43:23, ID: 24992697

SuperAntiSpyware in safe mode

http://www.superantispyware.com/

 

by: volcer35, posted on 2009-07-31 at 14:44:24, ID: 24992704

Also try renaming the program before installing, and the location where it installs.

 

by: volcer35, posted on 2009-07-31 at 14:45:23, ID: 24992711

I mean rename the Malwarebytes program that you download and install to something else, like maware1.exe, then install. Sorry, I don't think I was clear.

 

by: warturtle, posted on 2009-07-31 at 15:02:08, ID: 24992804

Alternatively, you can download FileAssassin from here:

http://www.malwarebytes.org/fileassassin.php

and delete all the files within these directories:
    * %ProgramFiles%\HomeAntivirus2010
    * %UserProfile%\Start Menu\Programs\HomeAntivirus2010

Then, following that remove the folders themselves. Now, if you can load MalwareBytes and run it, that should finish off the infection.

 

by: warturtle, posted on 2009-07-31 at 16:12:03, ID: 24993176

Yet another way of doing this is using a Linux Live CD. Download or get an Ubuntu or Knoppix Live CD from www.ubuntu.com or www.knoppix.net and burn it as an image on a CD. Boot from this CD and delete the folders on the hard disk that are mentioned in my last thread. Booting from Linux will not let any Windows files load in the background, and that should allow us to delete all the harmful stuff.

 

by: PlymouthIT, posted on 2009-08-02 at 18:50:23, ID: 25001506

Hello Everyone.

Well, the SuperAntiSpyware almost got up and running, and then everything stopped and now I get the same message as all the others: "Windows cannot access this specific device, path, or file. You may not have the appropriate permissions to access it." Once this happens that is the end of ever trying to run or open the program again.
I'm in safe mode and run the install from my jump drive. I should note that I had to rename the .exe file in order to get the program to start up at all. We can not let this one win! Come on guys, dig deeper!


 

by: PlymouthIT, posted on 2009-08-02 at 18:58:16, ID: 25001526

One other note.

Once this malware, or whatever it is that's causing it, stops these programs from running, it will not let me rename the file again. It gives me a bogus error message: cannot rename <filename>, you do not have permission. Well guys? Should I start reinstalling Windows? I hope we can win this battle.

 

by: volcer35, posted on 2009-08-02 at 19:02:30, ID: 25001536

Well, sometimes you need to look at time invested compared to backing up data and reinstalling. Sometimes you just need to format and reload. To me it is a time thing, but after I spend two days figuring something out I just say reload.

 

by: PlymouthIT, posted on 2009-08-02 at 19:06:24, ID: 25001546

One more thing

There's a red dot in the lower right with a white x in the middle. I think this is the Anti-virus 2010, which I believe Malwarebytes will remove once I get it to run on this PC.

Does anyone want to try LogMeIn to take a look yourself?

 

by: warturtle, posted on 2009-08-03 at 02:37:02, ID: 25002869

2 things to try before we try the LogMeIn method:

1. Open Windows Explorer and go to the folder where SuperAntiSpyware is installed, rename the SuperAntiSpyware executable to KMD.exe, and then double click and run it again.

2. Download ComboFix again and save as jabba.com instead of jabba.exe and run it.

Try those 2 first and report back.

 

by: rpggamergirl, posted on 2009-08-03 at 02:56:25, ID: 25002956

PlymouthIT,

Use this link ComboFix
If it doesn't work, I have another idea.

Please download ComboFix by sUBs:


You must download it to and run it from your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


 

by: rpggamergirl, posted on 2009-08-03 at 03:04:18, ID: 25002992

<<<"Should I start reinstalling Windows? I hope we can win this battle.">>>

Not yet please, I still have plan B.
Let us know straightaway IF that Combofix I posted also won't run.

Anyway, reinstalling Windows on an infected system is not a good idea unless it's a clean install.

 

by: PlymouthIT, posted on 2009-08-03 at 06:52:23, ID: 25004281

Warturtle

Last night I did get the SuperAntiSpyware to run. Feeling like I won the battle, all of a sudden the program terminates and I get the errors like the ones I listed in previous emails. One thing: SuperAntiSpyware will allow me to rename the file again and it will start running again; all others required a reinstall.

Listed here are a few of the malware files SuperAntiSpyware uncovered before crashing. I tried stopping the scan and removing them, and it didn't seem like SuperAntiSpyware removed them because they were listed again during the second scan:

Rootkit agent Gen UACFake
Unclassified\Braviax
TrojanAgent\Gen

 

by: rpggamergirl, posted on 2009-08-03 at 07:03:51, ID: 25004394

Rootkit agent Gen UACFake
Unclassified\Braviax
TrojanAgent\Gen

Combofix can handle all the above infections, they are actually older infections. Have you tried running Combofix yet?

 

by: rpggamergirl, posted on 2009-08-03 at 07:13:13, ID: 25004475

With Braviax present in the system, you need to rename the scanner BEFORE saving to your desktop or before it comes into contact with the infected PC.
Renaming the tool after it has been downloaded will not work. Use the Combofix link in my first post.

 

by: warturtle, posted on 2009-08-03 at 07:13:16, ID: 25004477

Yes, it's good to see that SuperAntiSpyware told us the threats that are inside the PC. Now it's time to use ComboFix.

 

by: pcmiracles, posted on 2009-08-03 at 08:10:50, ID: 25005052

I had posted prior to a lot of the comments in this thread. I forgot to mention that I had attempted to run all the listed tools below, which were renamed and saved to a thumb drive before being moved to the local disk on the infected machine to be run. All were unable to run with the infection on the system (Safemode and Normal Mode).

Malwarebytes
Super Anti-Spyware
ComboFix
SDFix

 

by: warturtle, posted on 2009-08-03 at 10:14:49, ID: 25006383

Hello @pcmiracles,

Did you try to save ComboFix.exe as jabba.com and run it? Has your problem been resolved by a clean install only?

 

by: satyan1894, posted on 2009-08-03 at 10:42:54, ID: 25006610

Follow the below mentioned link and try to remove it manually as well:
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-2010

 

by: PlymouthIT, posted on 2009-08-03 at 14:06:00, ID: 25008631

rpggamergirl:

ComboFix doesn't run as instructed. I'm running this using LogMeIn this afternoon. I'll try it again when I get home in safe mode and with no LogMeIn.

 

by: StrifeJester, posted on 2009-08-03 at 14:20:20, ID: 25008745

Have you tried SmitfraudFix? I had a variant of this, last year's, 2009 to be exact, and a lot of it got better after running the SmitfraudFix and then getting Avast installed, along with a-squared free anti malware. http://siri.geekstogo.com/SmitfraudFix.php  Try to download this in safe mode with networking and run it from the desktop.

 

by: StrifeJester, posted on 2009-08-03 at 14:21:31, ID: 25008751

I was just reading the page again and Antivirus 2010 is listed as something it will remove. As mentioned, and I can't emphasize this enough, download it in safe mode with networking to help quell some of it from loading and stopping it from doing its job.

 

by: rpggamergirl, posted on 2009-08-03 at 20:17:59, ID: 25010243

PlymouthIT,

When you try again, please use the Combofix link that I posted in {http:#a25002956}

IF that still won't run, then do this next please.
Download Process Explorer and save to your desktop.
http://live.sysinternals.com/procexp.exe

IMPORTANT: Rename the file to winlogon.exe and then run it.
Then look for any random numbers executables, e.g., 3425631.exe; highlight any random.exe, right-click and select "kill process".

Once the process is killed, you can then run Combofix and other tools.

 

by: PlymouthIT, posted on 2009-08-05 at 10:55:29, ID: 25026156

Hello Everyone

The time has come to admit we have been defeated. With that, I tried everything possible to get ComboFix to run, but as with all the other malware\spyware etc. removal tools recommended by this group, nothing has worked. The results are the same: if and when I do get the repair tool running, after about 2-3 minutes it is immediately shut down by this attacker. If anyone wants to remote control this PC to see if you can find the attacker, let me know and I'll provide the LogMeIn information giving access to it.

 

by: PlymouthIT, posted on 2009-08-05 at 11:37:53, ID: 25026629

One last thing I forgot to tell everyone:
I also changed the boot start up settings in MSConfig. I also tried procexp. FYI

Thanks a bunch everyone

 

by: rpggamergirl, posted on 2009-08-05 at 15:33:49, ID: 25028693

Did you download Process explorer and rename it to "winlogon.exe" and kill any random.exe first before trying to run Combofix?
Process explorer has to be renamed as winlogon.exe first, as I've asked in my post -->  {http:#25010243}

 

by: PlymouthIT, posted on 2009-08-06 at 07:17:56, ID: 25033616

rpggamergirl:

Sorry, I did exactly as instructed and ComboFix will not run. Nothing. It never did really. It's been the one that has worked the least in this case.

I did notice that there were five Internet Explorers running. I killed all but one to see if that would help matters. It did nothing to help.
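The random-numbered executable rpggamergirl says to look for in Process Explorer, and the five iexplore.exe instances PlymouthIT reports above, are the kind of thing a process-list triage can pick out automatically. The following Python is an added example, not a tool from the thread: it parses a constructed `tasklist /FO CSV` capture (the process names, PIDs and memory figures are made up to mirror the thread) and flags purely numeric image names and unusual numbers of copies of one program.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample of `tasklist /FO CSV` output from an XP machine. The
# numeric image name and the five iexplore.exe copies mirror what the thread
# describes; the PIDs and memory figures are made up for this example.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"winlogon.exe","628","Console","0","4,312 K"
"services.exe","672","Console","0","3,904 K"
"explorer.exe","1540","Console","0","18,900 K"
"3425631.exe","1892","Console","0","6,120 K"
"iexplore.exe","2004","Console","0","22,004 K"
"iexplore.exe","2016","Console","0","21,884 K"
"iexplore.exe","2028","Console","0","21,900 K"
"iexplore.exe","2040","Console","0","22,110 K"
"iexplore.exe","2052","Console","0","21,750 K"
'''

# Image names made only of digits, like the 3425631.exe rpggamergirl mentions.
RANDOM_NUMERIC = re.compile(r"^\d{4,}\.exe$", re.IGNORECASE)
# Copies of one program beyond which an interactive XP session deserves a look.
DUPLICATE_THRESHOLD = 4


def parse_tasklist(text):
    """Parse `tasklist /FO CSV` output into one dict per process."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_suspicious(rows):
    """Return (pid, image name, reason) tuples worth a second look."""
    counts = Counter(row["Image Name"].lower() for row in rows)
    findings = []
    for row in rows:
        name = row["Image Name"]
        pid = int(row["PID"])
        if RANDOM_NUMERIC.match(name):
            findings.append((pid, name, "random numeric image name"))
        elif counts[name.lower()] >= DUPLICATE_THRESHOLD:
            findings.append((pid, name, f"{counts[name.lower()]} copies running"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in flag_suspicious(parse_tasklist(SAMPLE_TASKLIST)):
        print(f"PID {pid:>5}  {name:<20} {reason}")
```

On a live machine, pipe `tasklist /FO CSV` into a file on the clean workstation and feed that file to `parse_tasklist`; the flagged PIDs are candidates to examine and, as rpggamergirl advises, to kill before running the scanner.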

 

by: volcer35, posted on 2009-08-06 at 07:26:53, ID: 25033730

Sorry to say it, but I think you are at the point like I wrote before: time invested compared to time to back up and reload the system. Sometimes it is the only way, which is horrible I know, but I think you are there now.

 

by: rpggamergirl, posted on 2009-08-06 at 07:31:28, ID: 25033786

Try this link ComboFix:

This is a different one.

 

by: StrifeJester, posted on 2009-08-06 at 07:31:47, ID: 25033792

Not sure if you have another computer that you can do this on, but what we used to do is take out the drive, put it into a working system and scan it as the secondary drive there. This way nothing runs on it. One problem with this is sometimes the drive becomes unbootable because of removing files from the malware that are hooked too deeply into the OS. Then you have to do either a manual registry recovery from the System Restore files or an inline repair with the CD; if you do the inline repair, data and users are usually fine, but some programs will require you to run the install over the top to replace registry keys.

 

by: rpggamergirl, posted on 2009-08-06 at 07:34:10, ID: 25033827

This one still won't run? ComboFix:

Then there is something there that I haven't been acquainted with yet.

 

by: rpggamergirl, posted on 2009-08-06 at 07:36:27, ID: 25033864

Download RootRepeal.zip and unzip it to your Desktop. (IF it doesn't run at first then rename it to winlogon.exe)
http://rootrepeal.googlepages.com/RootRepeal.zip

   * Double click RootRepeal.exe to start the program
   * Click on the Report tab at the bottom of the program window
   * Click the Scan button
   * In the Select Scan dialog, check:

         o Drivers
         o Files
         o Processes
         o SSDT
         o Stealth Objects
         o Hidden Services

   * Click the OK button
   * In the next dialog, select all drives showing
   * Click OK to start the scan

         Note: The scan can take some time. DO NOT run any other programs while the scan is running

   * When the scan is complete, the Save Report button will become available
   * Click this and save the report to your Desktop as RootRepeal.txt
   * Go to File, then Exit to close the program

 

by: PlymouthIT, posted on 2009-08-06 at 09:04:11, ID: 25035009

rpggamergirl:

Using the other ComboFix I get this error message: the little green meter bar starts, but then

You cannot rename Combofix as 84505-CF[1] Please use another name preferably made up of alphanumeric characters
I'm going to try your other suggestion now.

 

by: PlymouthIT, posted on 2009-08-06 at 09:22:23, ID: 25035229

rpggamergirl:

I got RootRepeal to run for a few seconds and then it stopped and closed everything. It stopped when this file was found: $hf something. I didn't catch the entire file name because it closed RootRepeal in a second or less.

As with the other programs, I get the same error message "Windows cannot access this specific device, path, or file. You may not have the appropriate permissions to access it." when I try to rerun the program after the attack.

 

by: warturtle, posted on 2009-08-06 at 10:17:25, ID: 25035783

Try running this tool first to fix your exe files and immediately following that use either ComboFix or SuperAntiSpyware:

http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip

Try that and let us know what the progress is.
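warturtle's suggestion to repair the .exe file type first points at the two registry spots where rogue antivirus programs of this era commonly blocked security tools: the `exefile` open command under HKEY_CLASSES_ROOT, and an Image File Execution Options "Debugger" value that silently substitutes another program for a named executable (that either was in play on PlymouthIT's PC is an assumption of this example; the thread never establishes the mechanism). The Python below is an added example, not a script from the thread or from the xp_exe_fix tool: it parses a constructed `reg export` (.reg) text, whose hijack values are made up, and reports both conditions.

```python
import re

# Constructed `reg export` (.reg) text as it might be pulled from an XP machine.
# The key paths are the real Windows locations; the values are made up for this
# example and do not come from the thread.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\rogue.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Note"="constructed entry with no Debugger value"
'''

EXEFILE_COMMAND = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
EXEFILE_DEFAULT = '"%1" %*'   # stock XP value: run the file itself with its arguments
IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
               "Image File Execution Options\\")

SECTION = re.compile(r"^\[(.+)\]$")
# `@="..."` is the key's default value, `"name"="..."` a named REG_SZ value.
STRING_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def _unescape(quoted):
    """Strip the surrounding quotes and undo .reg backslash escaping."""
    body, out, i = quoted[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Map each exported key path to a dict of value name -> string value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = STRING_VALUE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1))
            keys[current][name] = _unescape(m.group(2))
    return keys


def audit(keys):
    """Return (check, detail) findings for the two execution-blocking spots."""
    findings = []
    cmd = keys.get(EXEFILE_COMMAND, {}).get("@")
    if cmd is None:
        findings.append(("exefile", "open command missing from export"))
    elif cmd.strip() != EXEFILE_DEFAULT:
        findings.append(("exefile", f"open command hijacked: {cmd}"))
    for path, values in keys.items():
        # Any Debugger value under IFEO redirects that program name; on an
        # end-user XP box it is rarely legitimate and always worth a look.
        if path.startswith(IFEO_PREFIX) and "Debugger" in values:
            target = path[len(IFEO_PREFIX):]
            findings.append(("ifeo", f"{target} is redirected to {values['Debugger']}"))
    return findings


if __name__ == "__main__":
    for check, detail in audit(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{check}] {detail}")
```

Export the two keys from the suspect drive's hive (or, as in the thread, from the drive mounted on a clean machine) and run them through `audit`; an empty result means neither spot explains why renamed scanners refuse to start and the cause lies elsewhere.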

 

by: PlymouthIT, posted on 2009-08-06 at 13:30:25, ID: 25037721

Warturtle

Same thing. I tried both ComboFix and SuperAntiSpyware.

Interesting point here. The attacker is changing the .exe to a long alphanumeric file name (looks like a registry file name). Then on the second run it displays the file rights error as I stated earlier.

ComboFix starts to run, and the progress tool bar flashes the screen and it leaves the blue box there for ever. "ComboFix is preparing to run" and nothing happens.

 

by: PlymouthIT, posted on 2009-08-06 at 13:33:05, ID: 25037752

One other note:

SuperAntiSpyware displays the Windows file loading error screen when attempting to run it a second time after the attacker stopped it from running the first time too.

 

by: warturtle, posted on 2009-08-06 at 14:30:33, ID: 25038282

Is the laptop connected to a network that gives it access to the internet? If yes, take it off the network and then try the method again. Do you get any popups asking for money? I have seen some other thread where someone was asked for money to decrypt the files on their computers.

Secondly, as another option, could you try doing a scan with the Dr Web CureIt Live CD? Download it from here: http://www.freedrweb.com/livecd/ . Burn it as an image on a CD and boot your PC from it. I am trying to find out if it's a file infector virus.

 

by: StrifeJester, posted on 2009-08-06 at 15:00:45, ID: 25038529

F-prot also makes an ISO that you can download to boot to and scan.

 

by: rpggamergirl, posted on 2009-08-06 at 16:27:04, ID: 25038970

Did you rename RootRepeal as "winlogon.exe" and that still wouldn't run?

 

by: PlymouthIT, posted on 2009-08-11 at 08:20:13, ID: 31614260

Last weekend I purchased a hardware device that connects EIDE/SATA drives to my laptop as a USB drive. Really cool tool for only twenty bucks. I started by running AVG, which found 12 viruses, 5 of which it could not remove. At the same time I started the Malwarebytes scan; it found 63 malware files, lots of different types of rootkits, and Path Ponder malware.

I put the drive back in the PC and CHKDSK started to run; after completion, the PC booted MS XP as normal. I reinstalled AVG and Malwarebytes without fail.

I ran AVG once more, which did remove the last five viruses, and Malwarebytes found and removed 27 more malware programs. In all there were 12 viruses and about 127 various strains of malware files uncovered. At this point the PC is booting fast and all programs are working as they should be.

I spent 30 minutes cleaning up all of the programs I downloaded, all of the renamed files etc. used to address this attack. ComboFix, SuperAntiSpyware, and others are great tools that I will keep in my PC repair toolbox, but lesson learned: if your antivirus or malware remover doesn't run or has been disabled by the attacker, remove the drive and scan it as StrifeJester suggested; it will save a lot of your time and frustration when dealing with really bad attacks.

A BIG thanks goes out to everyone who helped solve this issue.

 

by: fcalera2, posted on 2010-02-01 at 03:17:23, ID: 26453491

Hi,

Have you tried this solution?

http://forums.majorgeeks.com/showthread.php?t=208108

I got the normal XP Internet Security rogue malware, and got a detailed plan on MajorGeeks on how to remove it. It looks almost gone, but as always it is too uncertain to leave your PC after one of these attacks, so I am most likely formatting it today.

 

by: lushsoft, posted on 2010-02-18 at 10:53:08, ID: 26604993

There seems to be a new version of Antivirus XP 2010 which is a real sod to get rid of.

One solution I found was to download Malwarebytes and Microsoft Security Essentials onto a USB key. Put the USB key into the infected machine, navigate to the executables and do a shift+right click and select "Run as". You can select the same user or an administrator to run the files, and these effectively start a new session without running up the profile.

You can then run Malwarebytes in quick scan to try to remove the files. It did take a few attempts and did crash the program a couple of times. I also managed to get Microsoft Security Essentials installed in this manner, which also was able to remove the nasty little sod.
