Fake Antivirus, or Real Problem?



Lycan 01
2010-02-15, 04:31 PM
So this morning my computer randomly started screwing up. I'm running Windows Vista on a Sony Vaio, with AVG Free Antivirus. The Windows Security Center suddenly popped up, and started doing a virus scan. But it only lasted about 20 seconds, and then claimed I had 28 major threats, including several worms and trojans. It then began demanding that I register and purchase Vista Internet Security.

Now, I've seen fake antivirus programs and advertisements before. But this one is pretty convincing. It looked just like the real Windows Security Center, but several of my settings looked different from how I normally have them, and it wouldn't let me change them. Also, it had one or two typos. It kept asking me to register and/or buy Vista Internet Security, so I hit yes to see what would happen. It took me to a site which looked pretty official, but it made no mention of Microsoft or anything else I'd expect from a Windows Vista site. Also, it had just been copyrighted in 2010... So I exited out of the site and my "security center."

I went to my real Windows Security Center... and lo and behold, it brings the pop-ups back up. So now I'm worried that either my computer really does have all these terrible viruses, or my security center has been corrupted and replaced with a fake thing trying to convince me to buy their product. Every now and then, a small pop-up appears in the corner, claiming it detected a worm attack or that my computer is being hacked, and asking if I want Vista Internet Security to stop it. If I hit no, it goes away. If I hit yes, it takes me back to a little window claiming how awesome Vista Internet Security is.


I ran an AVG scan, and all it found were some tracking cookies. The pop ups still appear every 15 minutes or so, and occasionally my Security Center pops up, too. AVG hasn't made a peep... I went to Microsoft's website, and went to the Windows Vista site. There was NO mention of a Vista Internet Security program. If anything, it described how badly a 3rd party AV program is needed. Symantec, or whatever the big AV company is, made no mention of it either.



So yeah. What is it, and what do I do? :smallfrown:

I'm going to take it by my college's computer office tomorrow when I get back to school. They can fix viruses and messed up computers. But I'm not sure if it'll cost me anything, or how long it'll take.

Crimmy
2010-02-15, 04:39 PM
You wanna see:
Here, (http://www.2-spyware.com/remove-vista-internet-security-2010.html)and here. (http://hands-oncorp.com/2010/02/02/vista-internet-security-2010-removal-instructions/)

I hope I got the addresses right.

Lycan 01
2010-02-15, 04:45 PM
Awesome!

What option(s) would you suggest? I'm not the most computer literate person...

Also, the first link says I'd have to download Spyware Doctor. Will this conflict with AVG, since AV programs are said to conflict? :smallconfused:


Edit:

I think I'm going to go with the first site. It gives a bunch of instructions on how to do it, but then it offers an automatic solution. Which should I do, follow the instructions, or just click the automatic one? :smallconfused:

Mando Knight
2010-02-15, 05:00 PM
Anti-Spyware and Antivirus should be run together. Antivirus doesn't protect from spyware and vice-versa.

Lycan 01
2010-02-15, 05:05 PM
Ah, okie-dokie then...

Well, I guess I'll give it a shot. But should I follow the instructions, or just click on the automatic remover? :smallconfused:

bluewind95
2010-02-15, 05:43 PM
If you're not comfortable removing it manually, use the automatic one. If you're okay with manually editing the registry and don't really trust the automatic one, or you just really want to do it yourself, then go for the manual one. Either is fine. You can even use the automatic one and then manually confirm that the keys you would have removed on your own are indeed gone.

Lycan 01
2010-02-15, 05:51 PM
What the heck?!

I downloaded Spyware Doctor, and it did the scan. It finished, and it shows what all it found. Then it says either: "Fix Checked" or "Cancel."

Naturally, I don't want to cancel it. :smalleek: But then when I click on the Fix Checked option, it wants me to buy the full program in order to actually delete the malware! :smallmad:


So... Apparently all this did was tell me what the specifics were, and now I've got to pay 30 bucks to actually remove the problems when they're right there. And then to top it off, the Vista Internet Security pop-ups came up right after the scan finished... So if I do buy the Spyware Doctor stuff, how do I know the friggin Malware won't hijack my information? This is so redundant! Why can't it just remove the problems as easily as it found them? :smallfrown:

SephlidJam
2010-02-15, 06:03 PM
In my experience, Spyware Doctor's a program that's just looking for a quick buck - also, I can't say I've had the exact problem you have, but I have had the Windows XP version of it. If I remember, I did have to muck around with the registry to finally get rid of it.

There are several other spyware/adware/whatever-ware programs (that are completely free) that work very well, especially when used together. (It's alright to have multiple spy-ware scanning programs; in fact, some will catch things that others won't)

I run: Spybot: Search and Destroy, AdAware and Malwarebytes Anti Malware (which, I might note, the first link recommends as an alternate to Spyware Doctor). All of these are well-known, reliable, and trusted.

Hope this helps, and best of luck getting that annoying bit of malware off your computer.

Lycan 01
2010-02-15, 06:08 PM
So... What's the best way to get rid of it for free? :smallfrown:

Those sites had some info on manual removal of the viruses. I don't have much experience with files and stuff like that, but if I follow the instructions and stuff, do you think I could pull it off? It does suggest against it if you don't have much experience with such things... :smalleek:

bluewind95
2010-02-15, 06:12 PM
If you follow the instructions very carefully, you should be able to remove them manually.

Spybot: Search and Destroy and Ad-aware are two good options, though. Both are free and both work quite nicely.

Lycan 01
2010-02-15, 06:20 PM
Yes, but I don't know how to manually remove it and type in all the information and stuff it provides.

I'm looking at Malwarebytes Anti Malware right now, and it looks like a good option. But some reviews aren't too favorable for it. You guys think I should give it a shot? I'd hate for it to blow up in my face... :smalleek:

Edit: Oh, and should I delete Spyware Doctor before I try to download Malwarebytes Anti Malware, if I give it a try?

bluewind95
2010-02-15, 06:27 PM
I'd say delete Spyware Doctor. It's not helping your computer at all, just taking up space.

Anyways, going through manual removal of malware probably isn't a good idea if you're not comfortable with the idea of editing the registry. The results of a mistake there are not pretty and while it's not that easy to break your computer entirely and render it an unworkable, blue-screen-stuck piece of electronics, you certainly can do it. So I'd suggest just downloading one of the programs recommended here. I have not personally tried Malwarebytes or Anti-Malware, so I can't say much about them. I've only tried Ad-Aware and Spybot: Search and Destroy, both with great results.

Felyndiira
2010-02-15, 06:38 PM
Is it this one (http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1335065,00.html), by any chance? Or this one (http://www.spywareremove.com/removeAntivirusXP.html)?

Rogue antivirus programs are always some of the worst of the bunch. Since unlike real viruses (whose purposes are often to control workstations or destroy data), these trojans are actually out to scam money, they are usually considerably more annoying in the number of nooks that they burrow into.

I've gotten one of these before on a school laptop. The virus downloaded itself through a firefox exploit, and proceeded to install 80+ viruses and backdoors on my computer. It also set up an IE add-on and modified my proxy settings so that every single search for the software on, say, Google redirected me to their own site. That virus burrowed itself in twelve different "startup" routes on my PC, so hijackthis and Malwarebytes missed some of them.

For a preliminary method, try this:

Check if the rogue AV set up a proxy by searching various terms related to rogue antivirus on google. If it does not, you're in luck.
Go to task manager (Ctrl+Alt+Del) and show processes from all users. Check any process that seems to be suspect on google, and if google doesn't know what it is, shut it down. If your computer has been proxied, shut down anything that doesn't seem legitimate, and shut down everything that runs under the user space [username] rather than LOCAL NETWORK or SYSTEM.
Go to Start -> Run, and type services.msc. Find the service corresponding to windows defender, right-click it, and select "Stop." This ensures that windows defender is shut down, and anything that resembles it will 100% be the rogue AV.
Go to Start -> Run, and type Regedit.exe. Click HKEY_CURRENT_USER, Software, Microsoft, Windows, CurrentVersion, and check the run, runonce, and runservices folders. If there's anything suspect in there, add gibberish in front of it. For example, instead of "C:\something", name it "yyLO009C:\something." That way, the program won't restart on windows startup.
In Registry Editor, follow the same procedure for HKEY_LOCAL_MACHINE.
Run your anti-virus, including Malwarebytes. Remove anything it finds.

This should fix most snoop AVs. There are some (like the one that I got) that are persistent, in which case do the following.

Download HijackThis from TrendMicro. Run it and save a log.
Download Silent Runner (it's a vb script). Run it and find the log.
Post both logs on a support website, or send it to your computer's manufacturer. Alternatively, post it here and we can see if we can analyze it (I assume that's not against the rules).
Trust the expert to help you get rid of every trace of the rogue AV.
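The registry part of the procedure above (inspect the Run/RunOnce/RunServices keys, neutralise a suspect entry with a junk prefix instead of deleting it) can be turned into a small audit script. This is an added example, not code from the thread or any of the tools it names; it works on a constructed text export in the shape of `reg query` output, so it runs anywhere without touching a live registry, and every path, user and value name in the sample is invented.

```python
"""Audit Windows autostart entries (the Run/RunOnce/RunServices keys) for the
persistence pattern rogue AV uses: binaries launched from temp/public folders or
impersonating core Windows processes.  Input is a text export, not the live registry."""
import re

# Constructed sample in `reg query` layout (names, paths and users are invented).
SAMPLE_EXPORT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    AVG_TRAY    REG_SZ    "C:\Program Files\AVG\AVG9\avgtray.exe"
    Sidebar     REG_SZ    %ProgramFiles%\Windows Sidebar\sidebar.exe /autoRun
    vis2010     REG_SZ    C:\Users\lycan\AppData\Local\Temp\kbg4t.exe
    oldjunk     REG_SZ    yyLO009C:\Users\lycan\AppData\Roaming\qq1.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Windows Defender    REG_SZ    %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    svchost             REG_SZ    C:\Users\Public\svchost.exe
"""

LINE_RE = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")
# Folders a legitimate autostart entry has no business launching from.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\users\\public\\")
# Core Windows process names; a copy outside the Windows folder is a classic disguise.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}


def parse_reg_query(text):
    """Turn `reg query` style output into (key, value name, value data) tuples."""
    entries, key = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("HKEY_"):           # key header line
            key = raw.strip()
            continue
        m = LINE_RE.match(raw)
        if m and key:
            entries.append((key, m["name"], m["data"].strip()))
    return entries

def exe_path(data):
    """Pull the launched file out of the value data: quoted path, or text before the first switch."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return re.split(r"\s[/-]", data, maxsplit=1)[0].strip()

def is_launchable(data):
    """False once the data carries a junk prefix as the post suggests ('yyLO009C:\\...'):
    Windows can no longer resolve the path, so the entry is inert."""
    return bool(re.match(r"^([A-Za-z]:\\|\\\\|%)", exe_path(data)))

def assess(entries):
    """Return [(key, name, data, reason)] for entries that deserve a closer look."""
    findings = []
    for key, name, data in entries:
        if not is_launchable(data):
            continue                           # already disabled
        path = exe_path(data).lower()
        base = path.rsplit("\\", 1)[-1]
        if any(d in path for d in SUSPICIOUS_DIRS):
            findings.append((key, name, data, "launches from a temp/public folder"))
        elif base in SYSTEM_NAMES and "\\windows\\" not in path:
            findings.append((key, name, data, "system process name outside the Windows folder"))
    return findings

def neutralise(data, prefix="yyLO009"):
    """The post's disable-without-delete trick: prepend junk so the path stops resolving."""
    return data if not is_launchable(data) else prefix + data
```

Entries it flags are candidates for a second look (search the name, check the signer), not automatic deletions; the prefix trick keeps the original value recoverable if the verdict turns out wrong.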

Lycan 01
2010-02-15, 06:43 PM
Yeah, it's neither of those viruses. I can't read the first article, but it's dated 2008. This is a 2010 thing...

I'm reeeeally uncomfortable mucking around in files and stuff. I'd rather try anti-malware programs first... I just don't know which ones to trust. :smallfrown:

bluewind95
2010-02-15, 06:47 PM
I already provided two options... :smalltongue:

Lycan 01
2010-02-15, 06:49 PM
Do you have a link to Ad-Aware? :smallconfused:

Although, the site Crimmy originally linked didn't mention it. So I dunno if it'll work or not... :smallfrown:

bluewind95
2010-02-15, 06:59 PM
Here you go (http://www.lavasoft.com/products/ad_aware_free.php). And... here's Spybot, too (http://www.safer-networking.org/en/spybotsd/index.html)

Anyways, it doesn't matter if it's not mentioned, really. There's several solutions out there, people will only really mention the one they use most or one or two. I've personally used them with good results, and they're free, so they're worth a shot for your issue.

lesser_minion
2010-02-15, 07:06 PM
MalwareBytes' Anti-Malware certainly won't blow up in your face.

Most of the decent security software can be found here:

http://download.cnet.com/windows/security-software/

Lycan 01
2010-02-15, 07:07 PM
Which one do I go with, Free or Plus? I have to fill out some sort of offers for Plus, apparently... :smallannoyed:

bluewind95
2010-02-15, 07:11 PM
For ad-aware? Free. Plus version comes with a few extras, but that does cost money. Don't worry, the actual malware-removal is the same in both things.

Lycan 01
2010-02-15, 07:12 PM
Let's try Ad-Aware first, and see what happens... :smallsigh:

Lycan 01
2010-02-16, 12:57 AM
Alrighty... Several hours of computer warfare later, and I've made... 0 progress. :smallannoyed:

I tried Ad-Aware, but it couldn't update its database without restarting the computer. And some people have reported that restarting your computer has a chance of making the infection progressively worse. Sooo... I ran a scan without the updated database, and found plenty of tracking cookies. But no adware. :smallsigh:

So, uninstalled Ad-Aware, and installed Malwarebytes. It seemed pretty nifty, but it found... nothing. Scanned everything - regular scan, C drive, D drive... Only 1 or two tracking cookies.

Tried Spybot. It found 4 tracking cookies. But no adware.

So yeah. At the moment, I've got AVG, Malwarebytes, and Spybot installed. None of these 3 removed the problems. So, I'm just going to shut my computer down, and try Ad-Aware again tomorrow. If things get worse, hopefully 1 of those 3 programs will keep it in check.

More than likely, I'll drop it off with my school's tech center. If they can't do anything, I'll take it to a friend's family's computer repair store. And if nothing works...

Well, there is an option to restore it to factory settings. :smallsigh:

Serpentine
2010-02-16, 01:14 AM
I had this same thing happen just the other day. I:
- ran Avast, Spybot, and another that doesn't seem to do much.
- fixed Ad-Aware using information from my boyfriend's internet (it had gone screwy).
- restarted.

I haven't seen a single pop-up warning of hijacks or viruses or whatever since, nor has my internet been redirected again. Unfortunately, I forgot to check whether my Security Centre control panel was back to normal. Now that was a pain in the arse... It disabled my firewall, and wouldn't let me reactivate without clicking on its stupid "OH MY GOD YOU HAVE TO BUY THIS OR YOUR COMPUTER WILL ASPLODE!!!" link.

Lycan 01
2010-02-16, 01:19 AM
Yep. Sounds like the exact same thing I've got...

But I'm too tired to deal with it right now. :smallsigh: I'll see what can be done tomorrow. If Ad-Aware worked for you, I'll give it another shot before going to the tech center. Hopefully shutting it down overnight won't come back to bite me in the butt. :smallannoyed:

Tanaric
2010-02-16, 01:23 AM
I had a problem similar to this once when I foolishly surfed Ye Olde Interwebs on a laptop sans proper protective measures.

If spyware/malware/adware scans aren't doing the trick for you, I advise you google "*Name Of the Program Here* Removal". One of the very first links should be step by step instructions to remove it manually.

Now, take a deep breath. It's a lot to take in at once when you start mucking around in the registry. However, so long as you do exactly what the removal instructions say, you won't do any harm to your computer. All you're doing is removing the spyware/adware files hiding around your computer.

These fake antivirus programs tend to be especially difficult to remove, with stuff hidden all over the place, but a bit of reading up and some proper following of instructions will see you with a properly functioning computer again.

Of course, if you really don't want to do that, a professional can remove it for you. Just be sure you get back everything you give them. I've had... bad experiences with computer repair places. (Namely, I just found out that my last one forgot to return my installation CDs. Pfft.)

Serpentine
2010-02-16, 01:23 AM
By the way, my boyfriend's former boss once had this happen to his computer. His reaction: "OH NOES! I'd better download it like it says to!" *click* >pays all the money they ask for<
People like him are the reason these things work... :smallsigh:

Tanaric
2010-02-16, 01:28 AM
By the way, my boyfriend's former boss once had this happen to his computer. His reaction: "OH NOES! I'd better download it like it says to!" *click* >pays all the money they ask for<
People like him are the reason these things work... :smallsigh:

Well, to be fair, they are pretty convincing. The one I got looked exactly like the Windows Firewall, down to the little toolbar shield and toolbar popup. It's not so hard to see how a less savvy computer user could be fooled.

Though I do shake my head at actually paying money for the thing.

Serpentine
2010-02-16, 01:31 AM
Yeah, I know. And they just won't take "no" for an answer! But still... :smalltongue:

Lycan 01
2010-02-25, 12:31 AM
Just thought I'd update and let y'all know I fixed it. ^_^

It took a few days, and I had to try Ad-Aware twice, but my computer is finally clean. Oddly enough, I think AVG got rid of it. :smallconfused: While running Ad-Aware, AVG randomly popped up and said it blocked a Fake AV Program. After the Ad-Aware scan, I went to my Security Center. Nothing but green lights! :smallbiggrin:

So yeah, everything seems to be running perfectly... Thanks for the help, guys and gals. :smallsmile:

Serpentine
2010-02-25, 01:47 AM
Mine came back again :smallsigh: Think I've gotten rid of it this time, though.

Lycan 01
2010-02-25, 04:38 PM
Hm. Well, my Security Center is all green lights, and it says the computer does have a functioning anti-virus. Just to check, I clicked the "what Anti-virus programs are on this computer?" tab under the green light, and it showed AVG Free and Ad-Aware Free as both running, while Windows Defender was off...

At any rate, it all looks clean to me. So, no worries for the time being... :smallsmile:

Zincorium
2010-02-26, 02:18 AM
Yeah, probably the biggest tip you can take from this is to avoid playing games with programs you aren't familiar with: kill it with fire (ctrl+alt+del and end process) and keep a legitimate program running. Actually look for complaints about a given piece of software and not just reviews; that'll keep you from downloading something that's not going to work for you.

Serpentine
2010-02-26, 03:35 AM
Eh? Mine started before I even downloaded anything, just when I got onto the site (which I can't remember the name of, dagnabbit...), and ctrl-alt-del found nothing.

lesser_minion
2010-02-26, 07:17 AM
A lot of rogue anti-virus software uses drive-by downloads, so it's sometimes a case of hoping that your web browser doesn't have a drive-by download hole.

If you do get an alert or a confirmation box from a web page that says your computer may be infected with malware, it's usually a good idea to select "stop executing scripts from www.example.com" before you close it, and/or close the tab.

That might not be helpful - most web browsers seem to let javascript spawn modal dialogues, and not all web browsers include an option to block scripts either.

Serpentine
2010-02-26, 10:04 PM
I had no such option. It went like this: >click on link to website< -> >half a dozen warnings about how I desperately need to download this totally legit anti-virus program or my computer will literally implode and create a black hole that will kill us all<
I may be exaggerating, but only slightly.

Kurien
2010-02-26, 10:38 PM
What program will destroy a decompression bomb? My avast! picked one up, apparently, but I couldn't delete it. Oddly, it appears to be in a Neverwinter Nights download folder. Does this mean that Bioware spread this to my computer? :smalleek:

So yeah. Will AdAware solve this?

Serpentine
2010-02-26, 10:50 PM
I have one of those, too, only it's in... some other game I never play, something to do with wars, I think. Battlefield 2, maybe. It also comes up with a huge list of "could not open: folder is password protected" or somesuch.

Flickerdart
2010-02-26, 11:00 PM
What program will destroy a decompression bomb? My avast! picked one up, apparently, but I couldn't delete it. Oddly, it appears to be in a Neverwinter Nights download folder. Does this mean that Bioware spread this to my computer? :smalleek:

So yeah. Will AdAware solve this?

Avast is excessively paranoid about decompression bombs, and will point to a random archive file and scream bloody murder. You're probably fine.

Serpentine
2010-02-26, 11:05 PM
http://4.bp.blogspot.com/_Gr3uCNxPTu4/SuPOj5rPBII/AAAAAAAACaM/_p5K8kVLbzQ/s400/Sutherland-body-snatcher.jpg
"DECOMPRESSION BOMB!"

Flickerdart
2010-02-26, 11:07 PM
Actually, ever since 5.0, Avast! is a woman.

Serpentine
2010-02-26, 11:15 PM
Fine.


http://www.movingimagesource.us/images/articles/invasion-of-the-body-snatchers-003-20080627-121656-medium.jpg
"DECOMPRESSION BOMB!"

lesser_minion
2010-02-26, 11:30 PM
Well, I had to look it up on wikipedia, but a decompression bomb is just an attempt to tie up your antivirus software.

Avast! probably just chucks a prompt if it takes too long to unpack a file.

Wikipedia mentions something called 42.zip, which has a packed size of 42 kb and an unpacked size which could easily be 22,500 times larger than your hard disk. It certainly won't ever unpack successfully.


If you'd like to see how a computer will respond to a real virus, you can make an EICAR test file on your desktop. Wikipedia has instructions (http://en.wikipedia.org/wiki/Eicar_test_file)
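What a scanner is actually doing when it flags a "decompression bomb" is comparing what an archive claims it will expand to against what it is willing to unpack. The following is an added example, not code from the thread or from any antivirus product: it reads only the zip central directory (no decompression) to apply a size budget and an expansion-ratio limit, and walks nested archives the way 42.zip is layered. The thresholds (MAX_TOTAL, MAX_RATIO, MAX_DEPTH) are assumptions chosen for the demo, and the sample archives are constructed in memory.

```python
"""Decompression-bomb triage: refuse to unpack an archive whose central directory
declares an absurd expansion, and apply the same budget to nested archives."""
import io
import zipfile

MAX_TOTAL = 50 * 1024 * 1024   # uncompressed bytes we are willing to materialise (assumed)
MAX_RATIO = 100                # declared expansion ratio that trips the alarm (assumed)
MAX_DEPTH = 3                  # nested-archive levels before we give up (assumed)


def declared_sizes(zf):
    """Sum the sizes the central directory claims, without decompressing anything."""
    packed = sum(i.compress_size for i in zf.infolist())
    unpacked = sum(i.file_size for i in zf.infolist())
    return packed, unpacked


def check_zip(data, depth=0, budget=MAX_TOTAL):
    """Return (ok, reason) for raw archive bytes; ok=False means do not extract."""
    if depth > MAX_DEPTH:
        return False, "nesting too deep"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        packed, unpacked = declared_sizes(zf)
        if unpacked > budget:
            return False, f"declares {unpacked} bytes, budget {budget}"
        if packed and unpacked / packed > MAX_RATIO:
            return False, f"expansion ratio {unpacked // packed}:1"
        for info in zf.infolist():
            if not info.filename.lower().endswith(".zip"):
                continue
            # Declared sizes are only a claim: read the inner archive with a hard
            # cap and verify the claim held before recursing into it.
            with zf.open(info) as f:
                inner = f.read(info.file_size + 1)
            if len(inner) != info.file_size:
                return False, f"{info.filename}: size differs from what was declared"
            ok, why = check_zip(inner, depth + 1, budget - unpacked)
            if not ok:
                return False, f"{info.filename}: {why}"
    return True, "sizes look sane"


def build_zip(members):
    """Constructed sample builder: members is {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a harmless archive, a one-layer bomb, and a nested one.
BENIGN = build_zip({"readme.txt": b"patch notes for a game, nothing to see\n"})
BOMB = build_zip({"zeros.bin": bytes(8 * 1024 * 1024)})   # 8 MiB of zeros packs to a few KB
NESTED = build_zip({"inner.zip": BOMB})                     # 42.zip-style layering

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("bomb", BOMB), ("nested", NESTED)):
        print(label, check_zip(sample))
```

A scanner that stops at the first layer is exactly what nested bombs are built to defeat, which is why the budget is carried down into each inner archive rather than reset.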

Kurien
2010-02-27, 11:37 AM
Thanks Serpentine, Flickerdart and Lesser_minion.

I'm not very computer literate. How do I run the EICAR Test file? As a 70 byte file, can it actually harm my computer?

Also, another issue has occurred a few times now. What happened is that my computer spontaneously makes the same sound it makes when I insert my thumb drive/flash drive/USB key (a kind of double bell sound) and makes the sound several times in a row. A pop up notice appears similar to the one that appears when I plug in my thumb drive, which says it has detected unknown hardware. Obviously, I have not plugged in anything at all. So why is it happening?

I'm kind of paranoid, and came to the conclusion that someone has remotely accessed my computer and is downloading files onto their removable disk. Is that what is happening? How can I prevent it in the future?

lesser_minion
2010-02-27, 01:06 PM
Generally, your antivirus software will pounce on the EICAR test file the instant it recognises it. You usually won't need to try to run it. It can't damage your computer on its own, although your antivirus software might do something counter-productive if you put the file in the wrong place.

Bear in mind that a 70 byte file could damage your computer, however - a 70 byte shell script or batch file could be dangerous, for example.

I'm not exactly sure why windows would behave that way, but it doesn't sound like someone on a remote connection. If you've installed or uninstalled software recently, it might have left something behind which windows is picking up on. Otherwise, I guess something could have become loose.

Hopefully, somebody else will have more information.