atf3doc asked:

How to effectively remove rogue "Personal Antivirus" (PAV.exe)

I am working on a machine infected with the rogue antivirus Personal Antivirus. I thought I had it removed, but, no, it has reared its ugly head again in a different way. At first it displayed pop-ups saying "your computer may be infected...etc...click here to download protection." I stopped the PAV.exe process in Task Manager, found all PAV files and deleted them...thought I had it...the pop-ups were no more. However, I was running WinDoctor and it found unfixable problems with the Norton Internet Security engine "not running." (Norton Internet Security 2009 was installed and running prior to the infection.) I went to the Symantec website to run the automated support tool...when I clicked on support...I went to "about:blank" with "this website may have malicious content...click here to download removal." I ran HijackThis and tried to submit the log to Hijackthis.de, and got the "about:blank" webpage again. I tried to run TrendMicro HouseCall and got the "about:blank" page as well. I looked in the registry, but couldn't find anything.
Symantec support tech said they would remove it for $99.00. I said I thought that since NIS 2009 let it through they should remove it for nothing. They said no. So I am now turning to the experts!! I have run Spyware Doctor and MalwareBytes and still have the infection. I ran HijackThis in safe mode...was able to submit, but DE came up with nothing nasty. Has anyone encountered this particularly insidious rogue?
ASKER CERTIFIED SOLUTION (johnb6767, United States of America)
Also.....

RootRepeal - Rootkit Detector
http://rootrepeal.googlepages.com/

Under each tab, hit the Scan button and see if you get any RED files/services/processes/drivers in the list, or just look at the summary in the lower left hand corner for any hidden files/services/processes/drivers. Or post us the log.

Can also use Combofix. (stolen from rpggamergirl's postings...)  :)

Here are the instructions; if it doesn't run at first, then redownload and rename it before saving it to your desktop.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe 

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Personally, I wouldn't install the recovery console.
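The symptom in the question (security vendor sites redirecting to "about:blank" while everything else loads) is typically produced by one of a handful of persistence and redirect points, and the asker already looked in the registry by hand. The following PowerShell triage script is an added example, not code from this thread or from any of the tools mentioned above. It only reports; it removes nothing. The list of vendor domains is taken from the sites named in the question, plus malwarebytes.org as an assumption; the filename pattern PAV.exe comes from the question. Run it from an elevated PowerShell prompt on the infected machine.

```powershell
# Added triage script (not part of the original thread). Reports only, changes nothing.
# Assumption: the redirect to about:blank is implemented through the hosts file, a
# WinINet proxy/PAC setting, or a browser helper object, and the rogue persists via
# a Run key. Each section prints what it finds; silence means nothing matched.

# Domains the asker could not reach (from the question) plus one assumed entry.
$securityDomains = @('symantec.com', 'hijackthis.de', 'trendmicro.com', 'malwarebytes.org')

# 1. hosts file: rogue AV often maps vendor sites to 127.0.0.1 or to an attacker IP.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath | Where-Object { $_ -match '^\s*\d' } | ForEach-Object {
    $line = $_
    foreach ($d in $securityDomains) {
        if ($line -match [regex]::Escape($d)) { "HOSTS override : $line" }
    }
}

# 2. WinINet proxy settings for the current user: a rogue proxy or PAC script can
#    answer about:blank for selected hosts and pass everything else through.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet
if ($p.ProxyEnable -eq 1) { "Proxy enabled   : $($p.ProxyServer)" }
if ($p.AutoConfigURL)     { "PAC script set  : $($p.AutoConfigURL)" }

# 3. Run / RunOnce keys: look for PAV.exe by name and for anything launched from
#    user-writable temp or profile directories, the usual drop locations.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$suspicious = '(?i)\\PAV\.exe|Personal Antivirus|\\Local Settings\\Temp\\|\\AppData\\|\\Temp\\'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    $props.PSObject.Properties | ForEach-Object {
        # Skip the provider metadata (PSPath, PSParentPath, ...) Get-ItemProperty adds.
        if ($_.Name -like 'PS*') { return }
        $value = [string]$_.Value
        if ($value -match $suspicious) { "Run entry       : $k\$($_.Name) = $value" }
    }
}

# 4. Running PAV process (the asker killed it once; if it is back, report its path).
Get-Process | Where-Object { $_.ProcessName -match '(?i)^pav$' } | ForEach-Object {
    "Process        : PID $($_.Id) $($_.Path)"
}

# 5. Internet Explorer browser helper objects: a BHO can rewrite navigation inside
#    the browser, which is consistent with only certain sites being blocked.
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    Get-ChildItem -Path $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' } else { '<no InprocServer32>' }
        "BHO            : $clsid -> $dll"
    }
}
```

Anything this prints is a lead, not a verdict: a hosts entry for a vendor domain or a BHO DLL living in a Temp directory is worth pulling and checking against the HijackThis log before deleting, and the ComboFix and RootRepeal runs above still apply, since none of these checks will see a kernel-mode rootkit hiding its files.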

atf3doc (ASKER) replied:
SuperAntiSpyware seemed to get it! It picked up a Browser Hijacker Fake Alert and removed it. I am running tests now to be sure. Looks good so far. Thanks for the tips.

Thanks for your input, Satyan1894. Most of what you suggested I had already done. I also like MalwareBytes, but it didn't catch this one.

johnb6767 replied:

I'm glad it worked. If you don't mind spending a few extra bucks, you can get the Real Time protection in SAS. It is a one-time purchase, with LIFETIME updates. That's where I have found it to do its best work, in prevention.