Cannot remove Antivirus 2010

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by gamex, Oct 20, 2010.

  1. gamex

    gamex Private E-2

    I am having a problem removing the malware Antivirus 2010 from a coworker's computer. When I try to run Malwarebytes' Anti-Malware in Windows, I click the Quick or Full scan, and it seems to start, and then it just closes. I try to boot into safe mode to run it, and about halfway through loading all the drivers, I get a quick blue screen (it isn't up long enough to read the error), then the computer reboots. I also tried to repair Windows, and after all the drivers are loaded, and the status is 'Starting Windows', I also get a blue screen with the stop code 0x0000007B (0xF78D2524, 0xC0000034, 0x00000000, 0x00000000).

    I tried to schedule a chkdsk in Windows, and when I restarted, it seemed to start, but then a few seconds later, it was booting into Windows.

    I tried looking up manual removal instructions, and it talks about a file in C:/Program Files/AV2010 and a file called AV2010.exe, but neither of those exist, so I am wondering if the computer has a newer version of the virus.

    I just tried to run HJT to get a log file, and when I go to scan, the program is terminated, just like all the other spyware removal programs I try to run. I can normally figure out how to remove this stuff, but this one has got me stumped. Any ideas?

    Computer is running XP SP3 32 bit.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    As part of its defense mechanism, Antivirus 2010 will also terminate the majority of programs that you attempt to run. When it terminates them it will also change the security permissions on the executable so that you will not be able to run the program again. You will know when Antivirus 2010 changes the permission on a program because when you attempt to launch the program you will be greeted with a Windows message that states:

    Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

    If you are greeted with this message for one of your executables you can regain access to the program by using the cacls.exe program that comes installed with Windows. Simply go to a Command Prompt and type the following command to give the Everyone group permission to use the file again:

    cacls <full path to the program> /G Everyone:F

    As an example, if you attempt to launch Malwarebytes' and it gives the above error, then you would type cacls "c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /G Everyone:F and press enter on your keyboard. Once you enter that command and press enter, everyone on your computer will then have access to the file again. If you are using Windows Vista or Windows 7 then you will have to use an elevated command prompt.

    Then run MBAM with full scan option.
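    The permission check and fix described above, as an added PowerShell example that is not part of the thread: it audits a few executables for Deny entries or a missing execute right, and with -Repair restores access the way the cacls command does, using Set-Acl instead. The tool paths are assumptions (the same check applies to the userinit.exe fix later in the thread).

    ```powershell
    # Added example, not from the thread: audit security-tool executables for the
    # ACL tampering described above (deny entries, no execute right) and optionally
    # repair them. Tool paths are assumptions; run from an elevated PowerShell prompt.
    param([switch]$Repair)

    # Assumed paths for illustration; the first two are the ones quoted in the thread.
    $tools = @(
        "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe",
        "C:\Windows\System32\userinit.exe",
        "C:\Windows\System32\cmd.exe"
    )
    $execute = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile

    foreach ($path in $tools) {
        if (-not (Test-Path -Path $path)) { Write-Output "MISSING  $path"; continue }
        $acl = Get-Acl -Path $path
        # A Deny entry, or no Allow entry carrying Execute, is what produces
        # "Windows cannot access the specified device, path, or file".
        $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
        $canExec = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band $execute) -ne 0)
        })
        if ($deny.Count -eq 0 -and $canExec.Count -gt 0) { Write-Output "OK       $path"; continue }

        Write-Output "BLOCKED  $path  ($($deny.Count) deny entries)"
        foreach ($d in $deny) { Write-Output "         deny $($d.FileSystemRights) for $($d.IdentityReference)" }
        if (-not $Repair) { continue }

        # Same effect as the cacls fix in the thread, through the .NET ACL API:
        # drop the Deny entries, then allow execution. ReadAndExecute is enough to
        # launch a tool; the thread's Everyone:F grants full control instead.
        foreach ($d in $deny) { [void]$acl.RemoveAccessRule($d) }
        $allow = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'Everyone', 'ReadAndExecute', 'Allow'
        $acl.AddAccessRule($allow)
        try {
            Set-Acl -Path $path -AclObject $acl -ErrorAction Stop
            Write-Output "REPAIRED $path"
        } catch {
            # Typically means the file's owner was changed as well; take ownership first.
            Write-Output "FAILED   $path : $($_.Exception.Message)"
        }
    }
    ```

    Run it without -Repair first to see which files carry Deny entries; a tool that still dies on launch after the ACL is clean is being killed by a running process rather than blocked by permissions.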
     
  3. gamex

    gamex Private E-2

    TimW,

    I should have mentioned that I already tried doing that. While it does allow me to open up MBAM after previously displaying the error message you mentioned, once I try to do a system scan, it immediately closes the program again. It seems as if this is a newer version of Antivirus 2010 that can get around the current methods used to remove it.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you able to run either ComboFix and/or MGTools.exe? I need to be able to see some logs to know what is happening.

    EDIT: Tell me if you can download and run THIS.
     
    Last edited: Oct 20, 2010
  5. gamex

    gamex Private E-2

    TimW,

    I was able to run MGTools, and I have attached a log. ComboFix would not run. When I started to do the scan, there were about 7 or 8 lines of "Access is denied", then it just hung at that screen for 5 hours. I have attached that log.

    I did an ESET online scan, and it said it found Antivirus 2010 and removed it, and when I restarted, the background was back to normal and the AV2010 scan didn't start up like it usually did, but I still can't run MBAM. I attached the log as well.

    When I attempted to install the Spyware Doctor link you sent me, it installed, but then said installation failed, and it would not let me perform a scan.

    Edit: Forgot to click 'Upload'
     
  6. gamex

    gamex Private E-2

    I know I am not supposed to 'bump', but I was finally able to run RootRepeal and there were a lot of entries pertaining to "vbmac4d7.sys", so I felt I should post it along with the other logs I submitted.

    Thanks
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Try using CCleaner to uninstall Antivirus 2010.

    Download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now clean out this folder:
    C:\Documents and Settings\Chris\Local Settings\Temp

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  8. gamex

    gamex Private E-2

    Alright, so here it goes:

    I attempted to run the reg fix, but I got an access denied message while trying to run it.

    I ran Avenger and everything worked smoothly. I have attached the log.

    I then ran MGTools, and attached that log as well.

    I was actually able to run ComboFix as well (I was getting an Access is Denied error last time), so that log is attached.

    I reinstalled MBAM and that too was able to run. I have also attached that log. Edit: I pasted that below since I can only upload 4 files, and this log was the smallest.

    I was able to add that registry entry after running all of those scans.

    Finally, I ran HijackThis and attached a log.

    I am currently RDPing into the computer, so I cannot attempt to boot into safe mode to run a scan, that will have to wait until the morning. I think the BSOD I got when trying to repair windows may be related to a RAID driver.

    I think we may have gotten this thing. Any other suggestions???

    Thank you so much!

    MBAM Log:
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am still seeing AV 2010 in your add/remove list. Did you try to uninstall it?

    We will reuse Avenger, but you really need to manually remove all the junk in this folder:
    C:\Documents and Settings\Chris\Local Settings\Temp\

    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip
     
  10. gamex

    gamex Private E-2

    When I try to uninstall it through Add/Remove programs, I get the following error message:

    Also, I tried deleting everything in that temp folder, but this file can't be deleted because it says it is in use: ~DFAF24.tmp (It seems to be randomly named, because after rebooting, I can't delete ~DF9A09.tmp). There are also a bunch of language files in there (English.bin, German.bin, etc.) that I deleted, but they showed up again after rebooting.

    I ran Avenger, CCleaner, and MGTools (in that order), and have attached the two logs.
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Try this, go to an elevated command prompt ( Start / programs / accessories / right click command prompt and choose to run as administrator. )

    In the command prompt, type:
    cacls "C:\Windows\system32\userinit.exe" /G Everyone:F

    and press enter on your keyboard. Once you enter that command and press enter, everyone on your computer should then have access to the file again.

    Then immediately try to uninstall AV 2010.

    Have you tried any other removal tool such as CCleaner or Your Uninstaller?
     
  12. gamex

    gamex Private E-2

    The first method you suggested did not work.

    I downloaded Your Uninstaller and that seemed to do the trick. Well, not sure if it removed everything, but it said it removed some registry settings and I no longer see AV2010 in the Windows Add/Remove list anymore.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sweet!!! I was hoping something would kill it. Good to know.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:

     
  14. gamex

    gamex Private E-2

    Thank you very much!

    I will go ahead and pass that last link around to everyone else so I can hopefully prevent this from happening again!

    Thanks again!
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing. :)
     