Antivirus Live Infection


Buck Rogers

Dec 7, 2009, 8:35:11 PM
Hello All,

I have a customer whose computer is infected with Antivirus Live.

I've googled and found many references about it. I've reviewed the
removal instructions at bleepingcomputers.com, downloaded Mbam, rkill,
and combofix, and have printed out the removal instructions.

However, the dang thing won't let me execute any programs... exe,
com, bat or whatever... Normal or Safe Mode. I can't run
taskmgr, regedit, or msconfig.

What must I do to allow me to run the removal programs? I've renamed
them, to no avail.

Your help is appreciated.

Regards,

Buck

FromTheRafters

Dec 7, 2009, 9:11:24 PM
"Buck Rogers" <bu...@rogers.com> wrote in message
news:ilarh55n1uq0qi28d...@4ax.com...

Whenever booting to "Safe Mode" fails to prevent malware from running,
the next thing to try is booting from an alternative source.

Some computers can boot from a USB device (BIOS support enabled in the
CMOS Setup). Others from optical drives. Run your antimalware (malware
removal) applications from there. Some OSes provide a bootable recovery
console that can be helpful also.


Buck Rogers

Dec 7, 2009, 10:06:46 PM

FromTheRafters,

Thanks for the input. Good suggestion.

Question: Would Mbam or Combofix quash the crapware if I took the HD
out and slaved it to another computer? That is, would the programs
look at the registry, etc. of, and clean up the slave? If so, that
seems to be the best solution for me, as the computer will not boot
to a USB device.

Regards and thanks again for the input.

Buck

David H. Lipman

Dec 8, 2009, 6:24:52 AM
From: "Buck Rogers" <bu...@rogers.com>


| Question: Would Mbam or Combofix quash the crapware if I took the HD
| out and slaved it to another computer? That is, would the programs
| look at the registry, etc. of, and clean up the slave? If so, that
| seems to be the best solution for me, as the computer will not boot
| to a USB device.

| Regards and thanks again for the input.

| Buck


MBAM - yes.

If you boot off the Recovery Console or if you place the drive in a surrogate PC you can
remove the offending EXE files, replace the drive in the affected PC and fully scan with
MBAM and other software such as Gmer.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


FromTheRafters

Dec 8, 2009, 7:40:14 AM
"Buck Rogers" <bu...@rogers.com> wrote in message
news:4agrh5d6qe546q5id...@4ax.com...

If slaving the drive on another computer is easier for you - yes, you
can clean the drive of detectable malware that way.

> That is, would the programs look at the registry, etc. of, and clean
> up the slave?

No, you would still have to clean up the registry after bringing the
'cleaned' drive back to the "victim" computer. Depending on what
method(s) the malware used to defeat the execution of executables, you
may still not be able to run them easily if you boot from the affected
drive.

> If so, that seems to be the best solution for me, as the computer
> will not boot to a USB device.

No bootable CD either? You should suggest strongly to your customer to
remedy this situation (and make backups).

Maybe you could download a 'regfix' file to the victim drive while you
are still hosting the drive on the 'good' computer.

I've had some success with fixing the 'exefile' borked registry by
renaming the 'regfix.reg' (or exefix.reg) file as the malware filename
so that an attempt to run any exe (com,bat, or scr) actually invokes and
imports the regfile. I haven't tried this since I moved from Win98 to XP
though - so it might not work as I remember it.

A lot depends on your level of expertise - good luck.


Buck Rogers

Dec 8, 2009, 2:53:57 PM
On Tue, 8 Dec 2009 06:24:52 -0500, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "Buck Rogers" <bu...@rogers.com>
>
>
>| Question: Would Mbam or Combofix quash the crapware if I took the HD
>| out and slaved it to another computer? That is, would the programs
>| look at the registry, etc. of, and clean up the slave? If so, that
>| seems to be the best solution for me, as the computer will not boot
>| to a USB device.
>
>| Regards and thanks again for the input.
>
>| Buck
>
>
>MBAM - yes.
>
>If you boot off the Recovery Console or if you place the drive in a surrogate PC you can
>remove the offending EXE files, replace the drive in the affected PC and fully scan with
>MBAM and other software such as Gmer.

Mr. Lipman,

Thanks for the input. I'll start the slave process this afternoon.
I'll get back with my results.

Regards,

Buck

Buck Rogers

Dec 8, 2009, 2:59:50 PM

FromTheRafters,

Thanks for the additional input. I'll start the slave process this
afternoon to see if I can get on top of this thing enough to at least
let me run an executable once I put it back in the original machine.
I'll get back with the results.

Regards,

Buck

David H. Lipman

Dec 8, 2009, 5:04:35 PM
From: "Buck Rogers" <bu...@rogers.com>

| Mr. Lipman,

| Thanks for the input. I'll start the slave process this afternoon.
| I'll get back with my results.

| Regards,

| Buck

Please... Just Dave or David :-)

Buck Rogers

Dec 12, 2009, 12:46:53 AM
On Mon, 07 Dec 2009 19:35:11 -0600, Buck Rogers <bu...@rogers.com>
wrote:


Hello All,

Just want to update you on my customer's infected computer.

Put the HD in a surrogate machine, deleted the (random)sysguard.exe
files, plus some other junk.

Replaced it in the computer, booted up, ran Mbam, Combofix, installed
Avira and ran a scan. Found a bunch of crap and deleted it.

All seems to be good now.

Thanks for all the help and suggestions.

Regards,

Buck

Tiestosteele

Dec 14, 2009, 1:36:23 PM

Hello,

I am having this same issue. Would LOVE some help if anyone could.

I have this damn Antivirus Live infection. I found step-by-step
instructions on how to remove said virus. Basically it tells me to run
two removal tools, which I have transferred to the infected laptop's
desktop.

The issue is that the computer will not allow me to open any files, giving
me a message that this application cannot be executed because it is a
virus.

I do not have the knowledge to take out the HD and slave it to another
machine. Is there any way I can get this removal tool to open?

My only other option is Best Buy, who said for $200 they would reinstall
Windows and I can start fresh. I don't really want to spend $200; the
computer is only 2 months old and cost me $1100.

It just sucks being able to find a solution but not being able to run the
software to fix the problem. I cannot reinstall Windows myself because my
computer never came with the disks; I was supposed to make them myself and
never got around to it. Smart move on my part.

Any thoughts? Thanks


--
Tiestosteele
------------------------------------------------------------------------
Tiestosteele's Profile: http://forums.techarena.in/members/163919.htm
View this thread: http://forums.techarena.in/security-virus/1279655.htm

http://forums.techarena.in

Andy Medina

Dec 14, 2009, 2:40:37 PM
What brand and model computer? Some have a restore partition that you can
use to restore the system to the way it was when new. Gateway, for instance,
by pressing the F11 key just after the BIOS screen disappears and before the
Windows boot screen appears, will restore the computer to the factory image.
Hopefully nothing was dumped in there to reinfect the machine.

"Tiestosteele" <Tiestoste...@DoNotSpam.com> wrote in message
news:Tiestoste...@DoNotSpam.com...

David H. Lipman

Dec 14, 2009, 4:09:02 PM
From: "Tiestosteele" <Tiestoste...@DoNotSpam.com>

| Hello,

| I am having this same issue. Would LOVE some help if anyone could.

To start...

DROP that POS front-end to Usenet called techarena.in and DIRECTLY access the Microsoft
news groups via the following NEWS URL...

news://msnews.microsoft.com/microsoft.public.security.virus

Then start your OWN thread and we will assist you with YOUR problem.

MEB

Dec 14, 2009, 6:38:07 PM
On 12/14/2009 04:09 PM, David H. Lipman wrote:
> From: "Tiestosteele" <Tiestoste...@DoNotSpam.com>
>
> | Hello,
>
> | I am having this same issue. Would LOVE some help if anyone could.
>
> To start...
>
> DROP that POS front-end to Usenet called techarena.in and DIRECTLY access the Microsoft
> news groups via the following NEWS URL...

Ah, perhaps you are unfamiliar with India [if, in fact, this party lives
there or otherwise in the region]... they have computer cafés which, at
times, limit access to various access points and services. Perhaps this
party is using the REQUIRED access to work on a family computer or
otherwise. Others use the newer cell/high speed, though it is costly and
also limited [curious? ask one of them or check the plans..].
Others find these issues via one of the search engines on the
*archival* sites/services and post in the apparently appropriate
thread/discussion.
Another potential reason for usage is the translation... do you
understand and write Hindi?

The point? Perhaps it might be best to lay off harassing and
brow-beating these portal users and deal with their issues... it is a
new world; we should be glad anyone still posts questions here in Usenet
rather than in one of the numerous private forums or the like.

>
> news://msnews.microsoft.com/microsoft.public.security.virus
>
> Then start your OWN thread and we will assist you with YOUR problem.
>


--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---

David H. Lipman

Dec 14, 2009, 7:29:56 PM
From: "MEB" <MEB-no...@hotmail.com>

| On 12/14/2009 04:09 PM, David H. Lipman wrote:
>> From: "Tiestosteele" <Tiestoste...@DoNotSpam.com>

>> | Hello,

>> | I am having this same issue. Would LOVE some help if anyone could.

>> To start...

>> DROP that POS front-end to Usenet called techarena.in and DIRECTLY access the
>> Microsoft
>> news groups via the following NEWS URL...

| Ah, perhaps you are unfamiliar with India [if, in fact, this party lives
| there or otherwise in the region]... they have computer cafés which, at
| times, limit access to various access points and services. Perhaps this
| party is using the REQUIRED access to work on a family computer or
| otherwise. Others use the newer cell/high speed, though it is costly and
| also limited [curious? ask one of them or check the plans..].
| Others find these issues via one of the search engines on the
| *archival* sites/services and post in the apparently appropriate
| thread/discussion.
| Another potential reason for usage is the translation... do you
| understand and write Hindi?

| The point? Perhaps it might be best to lay off harassing and
| brow-beating these portal users and deal with their issues... it is a
| new world; we should be glad anyone still posts questions here in Usenet
| rather than in one of the numerous private forums or the like.


Sorry. That's too bad. If they speak or write Hindi, they can contact Quickheal for anti
malware support.

F**K techarena.in and its Usenet gateway !

MEB

Dec 15, 2009, 12:52:17 PM

Well, that's an extreme reaction, for which I'm not sure there is any basis.
It isn't that these portals are the number one spammers' haven or
anything remotely like that:

http://www.projecthoneypot.org/1_billionth_spam_message_stats.php

Proceed along these lines, taking issue with the method of access, and
the death warrant for the groups is assured.

kml_thinktank

Dec 31, 2009, 7:08:01 AM

I found a solution to almost any problem regarding regedit and
Task Manager hijacking from antivirus scareware. I googled the Antivirus
2010 one day and was looking through the results and came to a YouTube
result, the only one with a YouTube result actually; there I found
Florida PC Nerds' walkthrough. In his tutorial he gives you a site to get
"enable regedit" and "enable Task Manager" programs that run themselves
after one click.

Here's what I do: run rkill.exe to stop and close malware that is active.
Don't touch the alert boxes till you see that rkill has run, then run it
one more time for good measure; it takes like 5 seconds. It will dump
extra files onto the desktop; send those to the Recycle Bin, then manually
go into the Recycle Bin and delete them one at a time.

Next, run the regedit enable tool from Florida PC Nerds' site, or google
the YouTube Antivirus 2010 video (works for all the like viruses as well),
download the enablers and run them both. Now you should have control of
both again, and now it's time to run Malwarebytes. When it's done (might
be a while) you should be good to go.

I left the enable tools on the desktop with rkill and MBAM and
SUPERAntiSpyware, as well as the Spyware Doctor setup. When (if) you get
hit again, run rkill, then the enablers, then MBAM; whatever else after
that doesn't matter because it should be fixed after that. If you leave
those on your desktop, you can easily fix a hijacked Task Manager and
enable regedit again with no worries.

Also go into the Windows folder, look for the Prefetch folder and the
Temp folder, and wipe the inside of both clean; empty it all to the trash
bin for deletion. Leave the folders there but just select everything
inside for delete. This is where some viruses hide 75% of the time, and
25% of the time it's inside a restore point under HKEY_LOCAL_MACHINE in
regedit....


--
kml_thinktank
------------------------------------------------------------------------
kml_thinktank's Profile: http://forums.techarena.in/members/169331.htm
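A defender-side audit covering the two tricks discussed in this thread: the borked 'exefile' association that FromTheRafters fixes with a renamed .reg file, and the Task Manager / Registry Editor blocking that the "enablers" above undo. This is an added PowerShell example, not code from the thread or from any of the posters; it only reports, the registry paths are the standard Windows ones, and the expected values are assumed to be those of a default installation.

```powershell
# Added example (not from the thread): audit the registry locations that rogue
# antivirus programs such as Antivirus Live tamper with to block .exe launches
# and to disable Task Manager and Registry Editor. Report-only; it changes nothing.
# Run from an elevated prompt on the affected PC, or against the victim's hives
# after loading them with reg.exe load on a surrogate PC (adjust the paths).

# Defaults assumed for a clean Windows installation.
$expectedExt     = 'exefile'
$expectedCommand = '"%1" %*'

function Get-DefaultValue {
    param([string]$KeyPath)
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')
}

function Test-ExeAssociation {
    # HKCU\Software\Classes overrides HKLM\SOFTWARE\Classes, so both are read;
    # a per-user override of .exe is itself suspicious on a clean machine.
    $findings = @()
    foreach ($root in 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes') {
        $ext = Get-DefaultValue "$root\.exe"
        $cmd = Get-DefaultValue "$root\exefile\shell\open\command"
        if ($root -like 'HKCU*' -and ($null -ne $ext -or $null -ne $cmd)) {
            $findings += "Per-user .exe association override present under $root"
        }
        if ($null -ne $ext -and $ext -ne $expectedExt) {
            $findings += "$root\.exe resolves to '$ext' (expected '$expectedExt')"
        }
        if ($null -ne $cmd -and $cmd -ne $expectedCommand) {
            $findings += "$root\exefile open command is '$cmd' (expected '$expectedCommand')"
        }
    }
    return $findings
}

function Test-ToolPolicies {
    # The policy values the 'enablers' in the thread reset; 1 means blocked.
    $findings = @()
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "$($hive):\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
            if ($props -and $props.$name -eq 1) {
                $findings += "$key\$name = 1 (tool disabled by policy)"
            }
        }
    }
    return $findings
}

$all = @(Test-ExeAssociation) + @(Test-ToolPolicies)
if ($all.Count -eq 0) {
    Write-Output 'No .exe association hijack or tool-blocking policy found.'
} else {
    $all | ForEach-Object { Write-Output "FINDING: $_" }
}
```

If the script itself refuses to launch on the infected machine, run it from a surrogate PC against the loaded hives, which is the same slaving approach the thread settles on.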

FromTheRafters

Dec 31, 2009, 8:52:50 AM
"kml_thinktank" <kml_thinkt...@DoNotSpam.com> wrote in message
news:kml_thinkt...@DoNotSpam.com...

>
> I found a solution to almost any problem regarding regedit and
> Task Manager hijacking from antivirus scareware,

[...]

Care to provide a URL?


David H. Lipman

Jan 1, 2010, 9:37:55 AM
From: "kml_thinktank" <kml_thinkt...@DoNotSpam.com>

| I found a solution to almost any problem regarding regedit and Task Manager hijacking
| from antivirus scareware. I googled the Antivirus 2010 one day and was looking through
| the results and came to a YouTube result, the only one with a YouTube result actually;
| there I found Florida PC Nerds' walkthrough. In his tutorial he gives you a site to get
| "enable regedit" and "enable Task Manager" programs that run themselves after one click.
| Here's what I do: run rkill.exe to stop and close malware that is active. Don't touch the
| alert boxes till you see that rkill has run, then run it one more time for good
| measure; it takes like 5 seconds. It will dump extra files onto the desktop; send those to
| the Recycle Bin, then manually go into the Recycle Bin and delete them one at a time. Next, run the
| regedit enable tool from Florida PC Nerds' site, or google the YouTube Antivirus
| 2010 video (works for all the like viruses as well), download the enablers and run them both.
| Now you should have control of both again, and now it's time to run Malwarebytes. When
| it's done (might be a while) you should be good to go. I left the enable tools on the
| desktop with rkill and MBAM and SUPERAntiSpyware, as well as the Spyware Doctor setup.
| When (if) you get hit again, run rkill, then the enablers, then MBAM; whatever else after
| that doesn't matter because it should be fixed after that. If you leave those on your
| desktop, you can easily fix a hijacked Task Manager and enable regedit again with no
| worries.... Also go into the Windows folder, look for the Prefetch folder and the Temp folder and
| wipe the inside of both clean; empty it all to the trash bin for deletion. Leave the
| folders there but just select everything inside for delete. This is where some viruses
| hide 75% of the time, and 25% of the time it's inside a restore point under HKEY_LOCAL_MACHINE
| in regedit.... -- kml_thinktank

TechArena.in is a leech of Usenet and fakes that it provides forums when they are
actually Usenet news groups and uses the vBulletin USENET gateway. In this case it is a
news group within the Microsoft.* hierarchy and can be directly accessed via the Microsoft
news server; MSNews.Microsoft.Com using a news client via TCP port 119.

Users of TechArena.in are strongly ENCOURAGED to drop the TechArena.in leech of
Usenet and access "this" News Group directly with the following News URL...

news://msnews.microsoft.com/microsoft.public.security.virus

kml_thinktank

Jan 3, 2010, 12:49:26 AM

http://flpcnerds.com/Downloads/asav.html <-----<---< enablers for
regedit and Task Manager. You will have to google rkill.exe for the
stopper to access Task Manager and kill the app blocking it, or use
Sygate firewall to do the same; it acts like a task manager as well and
lets you terminate processes the same way...

FromTheRafters

Jan 3, 2010, 7:02:24 AM
"kml_thinktank" <kml_thinkt...@DoNotSpam.com> wrote in message
news:kml_thinkt...@DoNotSpam.com...
>
> http://flpcnerds.com/Downloads/asav.html <-----<---< enablers
> for
> regedit and Task Manager. You will have to google rkill.exe for the
> stopper to access Task Manager and kill the app blocking it, or use
> Sygate firewall to do the same; it acts like a task manager as well
> and
> lets you terminate processes the same way...

David didn't ask for any URLs, I did. Why do you respond to him?

Thanks for showing me where the 'reg' and 'inf' files you were talking
about could be found.

...still can't find rkill anywhere, but there are killers that ship with
Windows (taskkill.exe for tasks and tskill.exe for terminal services).

kml_thinktank

Jan 4, 2010, 12:18:24 AM

Here's the rkill.exe app URL, enjoy.....
http://download.bleepingcomputer.com/grinler/rkill.exe

FromTheRafters

Jan 4, 2010, 7:03:50 AM
"kml_thinktank" <kml_thinkt...@DoNotSpam.com> wrote in message
news:kml_thinkt...@DoNotSpam.com...
>
> Here's the rkill.exe app URL, enjoy.....
> http://download.bleepingcomputer.com/grinler/rkill.exe

Thanks.


Ron K.

Jan 10, 2010, 9:55:01 PM
The best and ONLY way to be sure to get rid of this thing is to just reformat
and start all over.

"Buck Rogers" wrote:

> .
>

MSU student

Jan 11, 2010, 8:00:01 PM
Can Microsoft Security Essentials clean the infection? Can Microsoft
Security Essentials prevent the infection once removed?

"David H. Lipman" wrote:

> .
>

jbpadi

Jan 25, 2010, 9:41:01 AM

"Buck Rogers" wrote:

> .
>

David Kaye

Jan 25, 2010, 5:26:30 PM
jbpadi <jbp...@discussions.microsoft.com> wrote:

>> However, the dang thing won't let me execute any programs... exe,
>> com, bat or whatever... Normal or Safe Mode. I can't run
>> taskmgr, regedit, or msconfig.

You have to load an OS from a disk, NOT from the hard drive, and then remove
the offending files, which are usually easy to find because the dates are very
recent.

Comgeek

Jan 26, 2010, 12:21:01 AM
@ Buck Rogers,
Antivirus Live is a rogue spyware fake program. You should ask your customer
to run an antispyware or anti-malware program to get rid of Antivirus Live.
This virus can also be removed by doing the manual removal steps:
http://www.darfuns.com/spyware-removal/antivirus-live-2010/

David H. Lipman

Jan 26, 2010, 6:28:46 AM
From: "Comgeek" <Com...@discussions.microsoft.com>

This is NOT a "virus" either but it is malware.
