
Windows Recovery, Windows security, Windows Repair: Fake antivirus Program

July 19, 2012

The other day my girlfriend had to go out for a little. She took our 10-month-old with her, leaving me alone for a little. I figured I had better capitalize on the situation, so I opened my PC up, turned it on, and navigated to some sites. Obviously these weren't "family approved" sites. Needless to say I ended up clicking on something while exiting a pop-up, when I saw the dreaded "you are infected". I knew right away when I saw the icon come up for the fake antivirus program that I was in trouble. I suddenly realized I wasn't using my PC, I was using hers, and I had better fix it quick. Plus I was mid-session and giving up was out of the question.

I know from previous experience that starting in safe mode doesn't work (most of the time). Indeed, when I loaded into safe mode to remove the infected files I was greeted with the friendly fake antivirus. I had to do something and I had to do it quick. I did not have the CD I usually boot off of to get access to the file system; then it hit me: I was going to be removing this from the good ole' black background and white text. From removing this so much, I know the GENERAL places these types of things hide.

If you don't have a CD you can boot from that has Linux, or some other means of accessing the hard drive, you can follow this guide to remove it.

Here we go,

1. Restart the PC and start pressing F8. Wait for a black screen with white text to come up. The first option should be "Repair your computer". Select that and press Enter.

2. Once the first screen loads, select your user account and enter your password if you have one. Once you're finished, click OK.

3. Select Command Prompt (first option).

4. Once the command prompt opens, the prompt should show X:

4.1 Type c: (cd c:\ on its own only changes the directory on C: and does not switch drives; cd /d c:\ does both) and the next prompt should show C:\

4.2 To make sure this is the correct drive, type dir and look for indications that this is the correct drive (look for the Users, Windows and Program Files folders, etc.).

5. Now for the fun part. We need to navigate to the folders where the virus hides and delete the infected files.

5.1 Type cd c:\programdata (the folder is hidden, but cd still works on it), THEN type del *.exe (this removes any file directly in that folder that has a .exe extension; subfolders are not touched).

5.2 Type dir and look at the contents. If you see any files with random names such as fjefweifs3r23.dat, delete them (type DEL followed by the filename and extension, e.g. del fjefweifs3r23.dat).

5.3 Type cd c:\users\(whatever your username is)\appdata\local (if you don't know your username, type cd c:\users and press Enter, then type dir and figure out which entry in the list is yours).

5.4 Once in the appdata\local folder, type del *.exe (again, this gets rid of anything directly in that folder with a .exe extension).

5.5 One last place to check. Type cd c:\users\(your username)\appdata\roaming\microsoft\windows\templates

5.6 Once inside this folder, type dir, then delete anything that looks like random characters and numbers. Example: dejdfiwuehf34822.dat

6. After you have completed this, close the window, then reboot the computer. Cross your fingers.

7. If you load into Windows and you still see it, take note of the name of the virus and go to http://www.bleepingcomputer.com/ on another PC or your phone and search for it. They have the locations of the infected files for most of these stupid viruses.

8. Once you have stopped the virus from popping up, you need to start cleaning up. Run whatever programs you prefer for removing viruses (I would at least run Malwarebytes, SUPERAntiSpyware, Norton Power Eraser and Kaspersky TDSSKiller).
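
Before running the del commands in steps 5.1 to 5.6 it is worth seeing exactly what they would remove, since a legitimate installer or updater can also sit as a .exe directly in those folders. The script below is an added example, not from the post: it lists the files those steps target (any .exe directly in each folder, plus names that look like random letters and digits) with size, creation time, Authenticode status and SHA-256 so each one can be checked before deleting. It assumes an elevated PowerShell, the Windows volume on C: (pass -Root with another letter if the drive is attached to a different PC) and the current account's profile; the name pattern is a rough heuristic, not a verdict.

```powershell
# Added triage script, not from the post: lists what steps 5.1-5.6 would delete
# so each file can be reviewed first. Assumes an elevated PowerShell; -Root and
# -User are assumptions for the Windows volume and the profile to inspect.
param(
    [string]$Root = 'C:',
    [string]$User = $env:USERNAME
)

$userProfile = Join-Path "$Root\Users" $User
$dirs = @(
    "$Root\ProgramData",
    (Join-Path $userProfile 'AppData\Local'),
    (Join-Path $userProfile 'AppData\Roaming\Microsoft\Windows\Templates')
)

# Rough heuristic for names like fjefweifs3r23.dat: 10+ letters/digits with both kinds present.
$randomName = '^(?=.*\d)(?=.*[a-z])[a-z0-9]{10,}$'

$results = foreach ($d in $dirs) {
    if (-not (Test-Path -LiteralPath $d)) { continue }
    # Only files directly in the folder, as del *.exe would see them, hidden ones included.
    Get-ChildItem -LiteralPath $d -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.exe' -or $_.BaseName -match $randomName } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                SizeKB    = [math]::Round($_.Length / 1KB)
                Created   = $_.CreationTime
                Signature = $sig.Status      # most legitimate .exe files are Valid; NotSigned deserves a closer look
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Newest first: the fake antivirus files usually date from the moment of infection.
$results | Sort-Object Created -Descending | Format-Table -AutoSize
```

The SHA-256 column lets you look a file up on another machine before deciding whether step 5 should delete it.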

So after removing my infected files I loaded into Windows and started Malwarebytes. I ran the scan and finished my business just in the nick of time. The infection was gone, I was finished, and best yet, I even had some time to spare. Life is good. ENJOY
