Author Topic: Trojan: Antivirus Live  (Read 10605 times)


ukeranian

  • Guest
Trojan: Antivirus Live
« on: December 20, 2009, 08:42:07 PM »
Oh man. I think we're screwed. Does any Avast Technician know if the GeekPolice.com website can be trusted? I've used Avast for several years and I trust Avast technicians' opinions.

My husband (a computer newbie) and I (just an advanced newbie) have 3 computers on one LAN.  His (the primary) computer is infected with an "Antivirus Live" pain in the ass but I can't find anything on it in this forum.  The other two computers are NOT infected.  

My husband was just playing Spider Solitaire, minding his own business when this thing first popped up.  He thought it was Avast. The colors are the same blue but the Antivirus Live has a Shield icon with 3 diagonal stripes, the middle being white.  So my husband just told it to scan and shortly after that, he called me for help.

I've been researching around and found lots of removal advice but I don't know or trust those websites.  I want to go with GeekPolice but I don't know this website and am fearful to try their instructions for removal.

I can't find anything on the Avast website on this. Apparently this fake security software is a new malicious specimen from the same group of fake antivirus software as Antivirus System Pro. It's fairly new (according to GeekPolice on Dec 8, 2009). It uses fraudulent strategies by displaying false or exaggerated security issues on your computer rather than any legitimate ones to coerce you into purchasing their software.

I cannot bring up any other website on hubby's computer -- it only brings up porno.org. I cannot go into Internet Explorer's tools or any other menu item. I cannot access any other website with Internet Explorer. It shut off the firewall on his computer, but not on my computer. I remember seeing the LAN shut down earlier this morning but my husband wasn't on his computer at all then -- although his computer was also on at that time. I can't activate Avast -- it keeps telling me certain files cannot be accessed because they are infected. It multiplies the yellow Windows Security icon with the red exclamation mark -- if you don't do anything, it keeps on multiplying this icon on the taskbar. I tried restarting the computer but nothing works. In desperation, I just shut down his computer and there it shall sit till I find an answer to this problem.

All computers have Avast 4.8.  Two computers have XP (including the infected one) and both have been used since this problem came up.  The third, a wireless laptop using Vista has not been turned on yet.

Any advice would be most appreciated.  I feel so sick.
« Last Edit: December 20, 2009, 09:01:25 PM by ukeranian »

spg SCOTT

  • Guest
Re: Trojan: Antivirus Live
« Reply #1 on: December 20, 2009, 08:53:16 PM »
Hi ukeranian, welcome to the forum :)

Is this what you have?
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-live

If so, the instructions there should be able to help.

-Scott-

p.s. I don't know about geekpolice...sorry

DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89058
  • No support PMs thanks
Re: Trojan: Antivirus Live
« Reply #2 on: December 20, 2009, 09:17:15 PM »
There is also a geekpolice.net, so perhaps one or the other is feeding off the other's reputation, or something like that.

To me it seems like geekpolice.com doesn't want to show who it belongs to, as they only have the registrar's info on a whois search on the domain; see below.

Quote from: whois info
   Domain Name: GEEKPOLICE.COM
   Registrar: GODADDY.COM, INC.
   Whois Server: whois.godaddy.com
   Referral URL: hXXp://registrar.godaddy.com
   Name Server: NS1.DSREDIRECTION.COM
   Name Server: NS2.DSREDIRECTION.COM

Same, it seems, for geekpolice.net:
Quote from: whois info2
   Domain Name: GEEKPOLICE.NET
   Registrar: GODADDY.COM, INC.
   Whois Server: whois.godaddy.com
   Referral URL: hXXp://registrar.godaddy.com
   Name Server: NS25.DOMAINCONTROL.COM
   Name Server: NS26.DOMAINCONTROL.COM

Pondus

  • Probably Bot
  • Posts: 37532
  • Not a avast user
Re: Trojan: Antivirus Live
« Reply #3 on: December 20, 2009, 09:20:23 PM »
GeekPolice.com looks suspicious  http://hosts-file.net/default.asp?s=GeekPolice.com

WARNING: The IP PTR associated with this record does not resolve back to its original IP address. This is very bad practice.

Original: 208.73.210.27
PTR IP: 208.73.210.27, 208.73.210.26
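The warning Pondus quotes from hosts-file.net is a forward-confirmed reverse DNS (FCrDNS) check: resolve the name, look up the PTR of each address, resolve that PTR name forward again, and require the original address to come back. The Python below is an added example, not code from the thread or from hosts-file.net; it uses the system resolver by default and, for an offline run, a constructed resolver seeded with the two 208.73.210.x addresses quoted above and hypothetical hostnames (consistent.example, suspect.example, parked-host.example, noptr.example).

```python
import socket
from typing import Callable, Dict, List, Optional

def live_forward(name: str) -> List[str]:
    """IPv4 addresses for name from the system resolver (sorted, de-duplicated)."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})

def live_reverse(ip: str) -> Optional[str]:
    """PTR name for ip from the system resolver, or None if it has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def fcrdns_check(hostname: str,
                 forward: Callable[[str], List[str]] = live_forward,
                 reverse: Callable[[str], Optional[str]] = live_reverse) -> Dict[str, str]:
    """Forward-confirmed reverse DNS: for each address the hostname resolves to,
    fetch its PTR name, resolve that name forward again and require the original
    address to be among the results. Returns {ip: "ok" | "no-ptr" | "mismatch:<ptr>"}."""
    verdicts: Dict[str, str] = {}
    for ip in forward(hostname):
        ptr = reverse(ip)
        if ptr is None:
            verdicts[ip] = "no-ptr"
        else:
            verdicts[ip] = "ok" if ip in forward(ptr) else f"mismatch:{ptr}"
    return verdicts

# Constructed, offline stand-in for DNS. The two 208.73.210.x addresses are the
# ones quoted in the hosts-file.net report above; every hostname is hypothetical.
FAKE_A: Dict[str, List[str]] = {
    "consistent.example": ["192.0.2.10"],
    "suspect.example": ["208.73.210.27"],
    "parked-host.example": ["208.73.210.26"],  # PTR name that does not point back
    "noptr.example": ["198.51.100.5"],
}
FAKE_PTR: Dict[str, str] = {
    "192.0.2.10": "consistent.example",
    "208.73.210.27": "parked-host.example",
}

def fake_forward(name: str) -> List[str]:
    return list(FAKE_A.get(name.lower(), []))

def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)
```

Call `fcrdns_check("some.host")` with the defaults to run it against live DNS; a "mismatch" or "no-ptr" verdict is the condition hosts-file.net is flagging, and is a hosting-hygiene signal rather than proof of malice on its own.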

Spiritsongs

  • Guest
"Antivirus Live" Rogue program
« Reply #4 on: December 20, 2009, 09:49:19 PM »
:) Hi Ukeranian:

The "Instructions" on the Bleepingcomputer site are a good starting point for dealing with your husband's computer; however, the "rkill" program has recently been ineffective in helping with the predecessor of "Antivirus Live", called "Antivirus System Pro", and most likely you should use what other "Advanced Malware Removal" forums use, namely a program called "exeHelper".

Unless CERTIFIED Volunteer "Malware Removal Specialist" "essexboy" shows up here, I recommend you seek someone with similar skills on an "Advanced Malware Removal" forum, such as the one where "essexboy" usually helps out, namely "GeeksToGo" at www.geekstogo.com/forum/forums.html .

YoKenny

  • Guest
Re: Trojan: Antivirus Live
« Reply #5 on: December 20, 2009, 11:06:27 PM »
Welcome ukeranian

I love Varenyky (or pyrohy or perogies) and Holubtsi cabbage rolls.

I recommend Malwarebytes' Anti-Malware (MBAM)

Download Malwarebytes' Anti-Malware (MBAM) then get the latest definition updates then run a Quick scan and have it remove what it finds:
http://www.malwarebytes.org/mbam.php

Post its log here if you like.

Go to Secunia Online Software Inspector then run it to see what applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

Tarq57

  • Avast Evangelist
  • Massive Poster
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: Trojan: Antivirus Live
« Reply #6 on: December 21, 2009, 12:31:20 AM »
I'd certainly give MBAM (above) a try.
The instructions below are for the situation where you cannot download MBAM on the sick computer.

Download the installer on the good computer. (Save the installer file on the desktop.)
Install MBAM on the good computer. Once installed, update it. After it updates, find the folder (in Windows XP) "C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware" (you will need to enable viewing hidden and system files in "folder options" to find it), and in that folder locate the file "rules.ref". It will be ~3.5 MB. Copy and paste it to the desktop.
Rename the installer file mbam-setup.exe to something more random, say ukeranian.exe.
(The reason for doing this is that many of these rogue apps will block this program from being installed. This may fool it.)
Transfer the renamed installer to a flash drive. Transfer the file "rules.ref" to the same flash drive.

Transfer the flash drive to the sick computer. Open the flash drive (if it doesn't auto-open) and double-click the setup file to install the program. (You may have to transfer the file to the desktop first.)
Once it is installed, go to the folder "C:\Program Files\Malwarebytes' Anti-Malware" and rename the file "mbam.exe" to something else. Say, ukeranian.exe, or 1234.exe. (Once it is renamed, the program will have to be run by double-clicking on that file from within the program files folder; the start shortcut will not work.)

This making sense so far?
Open the folder C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware on the sick computer, and transfer the rules.ref file to it. "OK" the prompt asking you to replace the identical named file.

Disconnect the sick computer from the net. This can be done at any time, but do it now if it wasn't already.
Run MBAM by double-clicking the renamed file in the program files folder. Have it run a quick scan.
At the completion of the scan, place a tick beside everything detected, and select "remove selected". If you are prompted to reboot to complete removal, do so immediately. After reboot, run another quick scan to see if removal was successful.
Please post back, and post the scan report/s. (Before and after.)

ukeranian

  • Guest
Thank you!
« Reply #7 on: December 22, 2009, 09:19:23 AM »
:-*
I haven't had a chance to get at my hubby's computer yet, been reading through everything and I THINK I can tackle it... right after Christmas. Hubby is being extremely careful on his second computer now.   ::)

I have to say that you people have all been awesome in your replies!  Please know that you have comforted me with your support and welcoming me to this forum!

PS YoKenny: I'd squeeze some perogies & holubtsi your way thru the cables, if I could!   ;)

Thank you all again!


Tarq57

  • Avast Evangelist
  • Massive Poster
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: Trojan: Antivirus Live
« Reply #8 on: December 22, 2009, 11:05:45 AM »
You have yourselves a merry Christmas then, and please post back later to let us know how it's going, or if/when you need more help.

ukeranian

  • Guest
All fixed :)
« Reply #9 on: December 24, 2009, 08:38:58 AM »
It's been a great night for us, thanks to all of you who responded to my problem.  We got rid of the Antivirus Live from the primary computer. 

Naturally, Antivirus Live wouldn't let me use the infected computer to do anything. It kept putting checkmarks back on "Use a proxy server for your LAN" and "Bypass proxy server for local addresses" in my LAN connection in the IE internet options every time I unticked the boxes. I was so frustrated!

Tarq57's notes were most helpful in dealing with this particular problem. Turning off the internet line to the infected computer and restarting the computer in safe mode enabled me to get Rkill to do its job, and then I was able to get on the internet and download and activate Malwarebytes' Anti-Malware. I never saw Antivirus Live again after that! What a glorious feeling!

My husband was so pleased with his repaired computer and you all have made me look like I am some kind of computer whiz.  It looks like Christmas is going to be back to being a cheerful one without having this computer nonsense in the back of our minds.

Just for the heck of it, I installed Malwarebytes' Anti-Malware on MY computer and it found 3 infected files!! Yikes -- here I was egotistically sure that my computer was not sick! I always thought I was so careful by browsing sites I trust.

So I must say thank you again to all of you and extend my most heartfelt wishes that you all will be having a wonderful holiday season!  You have really made mine!   ;D
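The re-ticked "Use a proxy server for your LAN" box ukeranian describes is the setting the rogue used to keep the browser from reaching other sites; it lives in the Internet Settings key that IE's LAN settings dialog writes to. As an added defender-side check (not from the thread or from any of the tools named in it), the Python below parses a `reg export` of that key and flags an enabled proxy the user never configured; the registry path is the real one, while the exported values are constructed.

```python
import re
from typing import Dict, List

# Real key path behind the IE "LAN settings" dialog; the values below are a
# constructed post-infection state, not taken from the thread.
INTERNET_SETTINGS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
                     r"\CurrentVersion\Internet Settings")
SAMPLE_REG_EXPORT = f"""Windows Registry Editor Version 5.00

[{INTERNET_SETTINGS}]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"
"ProxyOverride"="<local>"
"""

def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal parser for the .reg text format: dword values become ints,
    quoted strings are unescaped, anything else is kept as raw text."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                keys[current][name] = re.sub(r'\\(["\\])', r"\1", raw[1:-1])
            else:
                keys[current][name] = raw
    return keys

def proxy_findings(keys: Dict[str, Dict[str, object]], expected_proxy: str = "") -> List[str]:
    """Flag a proxy the user did not configure: ProxyEnable set while ProxyServer
    differs from expected_proxy (empty when no proxy is intended at all)."""
    values = keys.get(INTERNET_SETTINGS, {})
    findings: List[str] = []
    if values.get("ProxyEnable") == 1:
        server = str(values.get("ProxyServer", ""))
        if server != expected_proxy:
            findings.append(f"ProxyEnable=1 with unexpected ProxyServer {server!r}")
        host = server.split("=")[-1].rsplit(":", 1)[0]
        if host in ("127.0.0.1", "localhost"):
            findings.append("proxy points at this machine, so a local process is relaying browser traffic")
    return findings
```

On a real system the input comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" out.reg` run from the clean side, which is also a useful before/after comparison once the rogue has been removed.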

Tarq57

  • Avast Evangelist
  • Massive Poster
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: Trojan: Antivirus Live
« Reply #10 on: December 24, 2009, 08:54:02 AM »
Superb.
Replies/acknowledgments like yours are really the icing on the cake for us who like to help (and learn in the process.)
Merry Christmas! :D

YoKenny

  • Guest
Re: Trojan: Antivirus Live
« Reply #11 on: December 24, 2009, 11:29:19 AM »
Quote
Just for the heck of it, I installed Malwarebytes' Anti-Malware on MY computer and it found 3 infected files!! Yikes -- here I was egotistically sure that my computer was not sick! I always thought I was so careful by browsing sites I trust.

The malware purveyors have a bit of an ego but they are in it for the money.


Mollysarmy

  • Guest
Re: Trojan: Antivirus Live
« Reply #12 on: January 04, 2010, 06:16:11 AM »
Hi all, my first time here.

I just read this thread as my partner's computer has just become infected with this thing. I tried to follow the directions regarding downloading onto a flash drive, renaming the .exe program etc. However, it seems to identify the program even when it is renamed and will not allow me to run the setup from either the desktop or the flash drive. We are on a secure home wireless network but I have disconnected that computer from the network for now. Any suggestions?

YoKenny

  • Guest
Re: Trojan: Antivirus Live
« Reply #13 on: January 04, 2010, 07:54:13 AM »
Welcome Mollysarmy

You need to provide more information as to the operating system and its installed Service Packs, and start your own topic by selecting NEW TOPIC, as it becomes confusing for helpers and the people needing help.

Please read
I'm infected - What do I do now? Please follow these instructions to clean your system:
http://www.malwarebytes.org/forums/index.php?showtopic=9573