• Status: Solved
  • Priority: Medium
  • Security: Public

how to effectively remove rogue "Personal Antivirus" (PAV.exe)

I am working on a machine infected with the rogue antivirus Personal Antivirus. I thought I had it removed, but, no, it has reared its ugly head again in a different way. At first it displayed pop-ups saying "your computer may be infected...etc...click here to download protection." I stopped the PAV.exe process in Task Manager, found all PAV files and deleted them...thought I had it...the pop-ups were no more. However, I was running WinDoctor and it found unfixable problems with Norton Internet Security engine "not running." (Norton Internet Security 2009 was installed and running prior to the infection.) I went to the Symantec website to run the automated support tool...when I clicked on support...I went to "about:blank" "this website may have malicious content....click here to download removal." I ran HijackThis and tried to submit the log to Hijackthis.de, and got the "about:blank" webpage again. I tried to run TrendMicro Housecall and got the "about:blank" page as well. I looked in the registry, but couldn't find anything.
Symantec support tech said they would remove it for $99.00. I said I thought that since NIS 2009 let it through that they should remove it for nothing. They said no. So I am now turning to the experts!! I have run Spyware Doctor and MalwareBytes and still have the infection. I ran HijackThis in safe mode ...was able to submit, but DE came up with nothing nasty. Has anyone encountered this particularly insidious rogue?
johnb6767 Commented:
First of all, I don't trust the automated scanners..... Upload the HJT log here please.....

I would actually do a few things first........Install and update Super Anti Spyware and reboot to Safe Mode. Then do a full scan, and see what it finds. I haven't been too impressed with MalwareBytes when it comes to the Rogues. Did some realtime tests/comparisons, and watched it allow 3 different ones to install, while SAS killed it off the bat.

SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware!
http://www.superantispyware.com/
One of the best on the market (and it is free, although you can upgrade and get Real Time Protection). Under the Options, go to Scanning Control> and make sure it is set to the following.....

Terminate memory threats - checked
Ignore non executable files - unchecked
Scan only known file types - unchecked

Manual Definitions Download....
http://www.superantispyware.com/definitions.

johnb6767 Commented:
Also.....

RootRepeal - RootRepeal - Rootkit Detector
http://rootrepeal.googlepages.com/

Under each tab, hit the Scan button, and see if you get any RED files/services/processes/drivers in the list, or just look for the summary, for any hidden files/services/processes/drivers in the lower left hand corner. Or post us the log.........

Can also use Combofix. (stolen from rpggamergirl's postings...)  :)

Here are the instructions; if it doesn't run at first, then redownload and rename before saving to your desktop.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe 

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Personally, I wouldn't install the recovery console.


satyan1894 Commented:
Step 1 : Use Windows File Search Tool to Find Personal Antivirus Path
1.Go to Start > Search > All Files or Folders.
2. In the "All or part of the file name" section, type in the "Personal Antivirus" file name(s).
3.To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click "Search" button.
4.When Windows finishes your search, hover over the "In Folder" of "Personal Antivirus", highlight the file and copy/paste the path into the address bar. Save the file's path on your clipboard because you'll need the file path to delete Personal Antivirus in the following manual removal steps.

Step 2 : Use Windows Task Manager to Remove Personal Antivirus Processes
1.To open the Windows Task Manager, use the combination of CTRL+ALT+DEL or CTRL+SHIFT+ESC.
2.Click on the "Image Name" button to search for "Personal Antivirus" process by name.
3.Select the "Personal Antivirus" process and click on the "End Process" button to kill it.
4. Remove the "Personal Antivirus" process files:
   - %PROGRAMFILES%\PAV\pav.exe
   - pav.exe
   - PersonalAntivirus[1].exe
   - %UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe
   - %UserProfile%\Application Data\Microsoft\Windows\winlogon.exe
   - %UserProfile%\Local Settings\Application Data\Microsoft\Windows\services.exe
   - %UserProfile%\Application Data\Personal Antivirus\unins000.exe
   - c:\Program Files\Personal Antivirus\PerAvir.exe

Step 3 : Use Registry Editor to Remove Personal Antivirus Registry Values
1.To open the Registry Editor, go to Start > Run > type regedit and then press the "OK" button.
2.Locate and delete the entry or entries whose data value (in the rightmost column) is the spyware file(s) detected earlier.
3.To delete "Personal Antivirus" value, right-click on it and select the "Delete" option.
4.Locate and delete "Personal Antivirus" registry entries:

Download and install Malwarebytes' Anti-Malware, then scan and remove the infections.
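A read-only audit of the indicators satyan1894 lists above (the file paths, the pav/PerAvir process names, and autostart values pointing at them), as an added PowerShell example that is not part of the thread. It assumes the Run/RunOnce keys as the registry locations to check, since the answer does not name the entries, and it only reports; deleting is left to the manual steps.

```powershell
# Added example, not from the thread. Reports Personal Antivirus indicators;
# it never deletes anything. Run it from the infected user's account so that
# %UserProfile% expands to the right profile.

# File paths quoted in satyan1894's Step 2. Note that the real winlogon.exe
# and services.exe live in System32, so copies under %UserProfile% are suspect.
$pavPaths = @(
    '%PROGRAMFILES%\PAV\pav.exe',
    '%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe',
    '%UserProfile%\Application Data\Microsoft\Windows\winlogon.exe',
    '%UserProfile%\Local Settings\Application Data\Microsoft\Windows\services.exe',
    '%UserProfile%\Application Data\Personal Antivirus\unins000.exe',
    'C:\Program Files\Personal Antivirus\PerAvir.exe'
)

# Assumption: the thread does not say which keys PAV used, so the usual
# per-user and per-machine autostart keys are all checked.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = @()

# 1. Files on disk, with a SHA256 so the sample can be submitted to a scanner.
foreach ($raw in $pavPaths) {
    $path = [Environment]::ExpandEnvironmentVariables($raw)
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Detail = "SHA256=$hash" }
    }
}

# 2. Running processes named in the answer (pav.exe, PerAvir.exe).
Get-Process -Name 'pav', 'PerAvir' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{ Type = 'Process'; Location = $_.Path; Detail = "PID=$($_.Id)" }
}

# 3. Autostart values whose data refers to the rogue.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }          # skip PowerShell's own PSPath etc.
        $data = [string]$props.$name
        if ($data -match 'PAV|Personal Antivirus|PerAvir|pav\.exe') {
            $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$key\$name"; Detail = $data }
        }
    }
}

if ($findings.Count -eq 0) { 'No Personal Antivirus indicators found.' } else { $findings | Format-Table -AutoSize }
```

Because the rogue redirected the asker's browser, the script touches no network; a clean result here still does not replace the full scan johnb6767 recommends.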

atf3doc (Author) Commented:
SuperAntiSpyware seemed to get it! It picked up a Browser Hijacker Fake Alert and removed it. I am running tests now to be sure. Looks good so far. Thanks for the tips.

Thanks for your input Satyan1894. Most of what you suggested I had already done. I also like MalwareBytes, but it didn't catch this one.

atf3doc

johnb6767 Commented:
I'm glad it worked.... If you don't mind spending a few extra bucks, you can get the Real Time protection in SAS. It is a one time purchase, with LIFETIME updates. That's where I have found it to do its best work, in prevention.