Old 01-17-2012, 12:28 PM
Quote:
Originally Posted by Kevdawgg View Post
Does this fake Anti Virus disable internet access even in safe mode?
It depends. The executable-based infection will not be running; however, in Safe Mode the user will not have Internet/network access either, naturally.
The correct option would be Safe Mode with Networking.

The best thing, IF POSSIBLE, when infected and as soon as it is infected, is to shut down the PC, even abnormally by unplugging the power cord if necessary. Boot in Safe Mode with Networking to download one of the available tools to disable the infection first, then use Malwarebytes and/or Super Anti-Spyware to clean up the leftovers. Make sure the scanner you are using is up to date.

The registry-based infection will not care whether you are in Normal Mode or Safe Mode, etc., since it associates itself with a number of file types; when you try to call any of the associated file types, the malware will kick in.
For example, one of the file types it takes over is .exe, so any application/program you run which has the .exe extension, such as Internet Explorer (iexplore.exe), will initiate the malware instead. You cannot even launch Registry Editor (regedit.exe), so it puts the average user in a catch-22 situation, preventing them from using their PC, period.

You can read more about it here.
Old 01-17-2012, 07:01 PM
Quote:
Originally Posted by mensaguy View Post
That sounds great. The problem is that the last time I saw this fake AV it was running even in Safe Mode, had disabled System Restore and would not allow any .exe files to run, even in Safe Mode. I've got Turco's solution saved so I can try it the next time I find this problem.
That is correct... it will still run. To stop it, you run RKill, which will stop its processes so you can regain control of your machine and begin removing the fake antivirus and cleaning your machine up.

TurcoLoco gave some very good advice as to what to do the moment you realize you have one of the fake antiviruses. Immediately shut the machine down as quickly as possible. Then get on a different machine if necessary to do some research and gather the tools you need. Once you have everything you need and have done your homework to become familiar with how to kill and remove it, start the machine up and quickly run RKill.
Old 01-17-2012, 07:52 PM
I downloaded the necessary tools (RKill, Malwarebytes, etc.) to a USB drive, using another computer, back when I dealt with this "virus". It would not let me download anything. However, I was able to run RKill off of the USB stick and then install Malwarebytes from there.
Old 01-18-2012, 11:54 AM
This may be a stupid question... but...

Quote:
Originally Posted by dkf747 View Post
I downloaded the necessary tools (RKill, Malwarebytes, etc.) to a USB drive, using another computer, back when I dealt with this "virus". It would not let me download anything. However, I was able to run RKill off of the USB stick and then install Malwarebytes from there.
I went to bleepingcomputer.com to download RKill, but their site is so confusing because there is so much advertising everywhere.
How can a person tell which is the right link to download RKill?
For instance, where it says "RKill Download Link", right below it says "take control of your network traffic and bandwidth etc." with a button that says "Download" / 30-day trial. (I'm sure that is a paid advertisement.)
Then under that it has two "Download Now" bars. The first one says "See below for other download links" and the other one says "iExplore.exe download link" (what does that have to do with RKill?).

Below that there is a Program Description, and then in large bold black font it says "RKill download links:" with the following links listed:
•RKill.com Download Link
•RKill.exe Download Link
•RKill.scr Download Link
•eXplorer.exe Download Link - This renamed copy may trigger an alert from MBAM. It can be ignored and is safe.
•iExplore.exe Download Link
•uSeRiNiT.exe Download Link
•WiNlOgOn.exe Download Link
So which is the right link to get the one mentioned in this thread?

Old 01-18-2012, 12:17 PM
Quote:
Originally Posted by LastStraw View Post
I went to bleepingcomputer.com to download RKill, but their site is so confusing because there is so much advertising everywhere.
How can a person tell which is the right link to download RKill?
So which is the right link to get the one mentioned in this thread?
Actually, the reason for the different flavors is that some malware may try to block one version. Also, malware can prevent .exe files from running, which is why there are .com and .scr versions. So it is a good idea to download more than one flavor of RKill if one doesn't work.
Old 01-19-2012, 07:35 AM
Just went through this on my mom's PC... bleepingcomputer.com is the place to get the info to get rid of it. Print out the instructions if necessary and follow them; it wasn't difficult.
Old 01-19-2012, 11:30 AM
I disabled the program by hitting CTRL + ALT + DEL. Then, I selected "Windows Task Manager". When the window popped up, I think I clicked on "Processes" and stopped some that ended in .exe. It didn't show up and I was able to use the internet. Was it removed when I did that?
Old 01-19-2012, 05:31 PM
Quote:
Originally Posted by Kevdawgg View Post
I disabled the program by hitting CTRL + ALT + DEL. Then, I selected "Windows Task Manager". When the window popped up, I think I clicked on "Processes" and stopped some that ended in .exe. It didn't show up and I was able to use the internet. Was it removed when I did that?
The ransomware being discussed here doesn't let you open/run any programs, including system ones such as Task Manager, so the fact that you were able to launch Task Manager leads me to believe:
- You do NOT have this particular type of infection
or
- It is either partially or completely removed.

Just like my own script, RKill goes after the executable that prevents you from doing anything; that is step #1. Step #2 is cleaning up the leftovers, related registry entries, etc. If you are able to run Task Manager, then I would advise you to download the free version of either Malwarebytes or Super Anti-Spyware, then install and update it. Then run a full scan of your system to make sure.

The trick I discovered is that both versions of the infection stay within the user profile of whichever user was logged on at the time of the infection, so if the user has access to the All Users\Startup folder, then creating a shortcut for any given program allows the user to run that program, since it would be run by the system and not initiated by the user themselves. Sooner or later this infection will be updated and be powerful enough to prevent running all executable file types. When that happens, it will render RKill completely ineffective. So remember the trick I mentioned above, which might save your b.tt.

Again see the link I mentioned in my previous post for further info on this.

Good luck.

Last edited by TurcoLoco; 01-19-2012 at 05:42 PM..
Old 01-25-2012, 09:59 AM
Quote:
Originally Posted by TurcoLoco View Post
- You do NOT have this particular type infection
or
-It is either partially or completely removed.
I killed it as soon as the computer started up.
Old 01-25-2012, 12:04 PM
Quote:
Originally Posted by Kevdawgg View Post
I killed it as soon as the computer started up.
OK, did you also do a deep scan with one of the aforementioned malware scanners after updating it?
Make sure to remove any and all remains. You might also want to use a free application to easily and quickly take a peek at your startup locations, just in case.
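The two places this thread keeps coming back to are the .exe file association that the registry-based variant hijacks (TurcoLoco's first post) and the startup locations worth checking after cleanup (the last post). Below is an added example of how to check both from a registry export, written for this thread; it is not code from any poster, from RKill, or from Malwarebytes. It parses a .reg file, which you can produce from a working admin account or a rescue boot with `reg export HKCR\exefile C:\assoc.reg` (that path is an assumption), and flags: a launch command for exefile/comfile/batfile that is not the clean default `"%1" %*`; a .exe/.com/.bat extension key redirected to some other ProgID, including under the per-user override HKCU\Software\Classes, which Windows consults before HKCR (this generalizes beyond the HKCR case the post describes); and Run/RunOnce entries pointing into a user profile's local data or Temp folder, where the post says this family lived. The clean default values are an assumption taken from a default install and should be compared against a known-clean machine of the same Windows version; the sample export, the user name and the file name kdn.exe are constructed for the example.

```python
r"""Check a Windows .reg export for a hijacked .exe association and profile-resident Run entries.

Added example for this thread (not any poster's tool). Only string values are
parsed; dword:/hex: values are kept raw. Clean default values and the sample
export below are assumptions/constructed data, not taken from the thread.
"""
import re

CLEAN_OPEN_COMMAND = '"%1" %*'   # assumed default-install value for exefile/comfile/batfile
EXPECTED_PROGID = {"exe": "exefile", "com": "comfile", "bat": "batfile"}

_HIVES = (r"(?:HKEY_CLASSES_ROOT|HKEY_CURRENT_USER\\Software\\Classes|"
          r"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes)")
ASSOC_CMD_RE = re.compile(_HIVES + r"\\(exefile|comfile|batfile)\\shell\\open\\command$", re.I)
EXT_KEY_RE = re.compile(_HIVES + r"\\\.(exe|com|bat)$", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)$", re.I)
# Heuristic: this family dropped itself under the logged-on user's profile.
PROFILE_DROP_RE = re.compile(r"Local Settings\\Application Data|AppData\\Local|\\Temp\\", re.I)
VALUE_LINE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; the empty name is the (Default) value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE_RE.match(line)
        if not m or current is None:
            continue                      # hex continuation lines etc. are ignored
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])  # REG_SZ; anything else stays raw
        keys[current][name] = data
    return keys


def find_hijacked_associations(keys):
    """Flag rerouted open commands and extension keys pointing at a foreign ProgID."""
    findings = []
    for key, values in keys.items():
        if ASSOC_CMD_RE.match(key) and values.get("") != CLEAN_OPEN_COMMAND:
            findings.append({"key": key, "actual": values.get(""), "expected": CLEAN_OPEN_COMMAND})
        m = EXT_KEY_RE.match(key)
        if m:
            want = EXPECTED_PROGID[m.group(1).lower()]
            progid = values.get("")
            if progid is not None and progid.lower() != want:
                findings.append({"key": key, "actual": progid, "expected": want})
    return findings


def find_profile_run_entries(keys):
    """Flag Run/RunOnce values whose command lives in a profile data or Temp folder."""
    return [{"key": key, "name": name, "command": cmd}
            for key, values in keys.items() if RUN_KEY_RE.search(key)
            for name, cmd in values.items()
            if isinstance(cmd, str) and PROFILE_DROP_RE.search(cmd)]


def scan_reg_export(text):
    keys = parse_reg_export(text)
    return {"associations": find_hijacked_associations(keys),
            "run_entries": find_profile_run_entries(keys)}


# Constructed sample of what an export from an infected box might look like.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\Kevin\\Local Settings\\Application Data\\kdn.exe\" -a \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="exefile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityScan"="C:\\Documents and Settings\\Kevin\\Local Settings\\Application Data\\kdn.exe"
"TrayHelper"="\"C:\\Program Files\\Vendor\\Tray.exe\" -s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

if __name__ == "__main__":
    import sys
    # reg.exe writes UTF-16 with a BOM; fall back to the built-in sample with no argument.
    src = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    result = scan_reg_export(src)
    for f in result["associations"]:
        print(f"HIJACKED  {f['key']}\n   is:       {f['actual']!r}\n   expected: {f['expected']!r}")
    for f in result["run_entries"]:
        print(f"PROFILE RUN ENTRY  {f['key']}\\{f['name']} -> {f['command']}")
```

Run it against the sample to see the rerouted exefile command and the SecurityScan Run entry reported; a clean export produces no output. A hit on the open command is the registry half of what RKill's step #1 works around; restoring the value to `"%1" %*` (or importing the matching key from a known-clean machine) is what lets regedit.exe and the scanners launch again, after which the profile-resident files and Run entries can be removed.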