*sigh* how can I remove av.exe ransomware?

There’s an exceedingly annoying virus infection roaming about, under various names like Internet Security, Windows Defender, and so forth. They all try to copy Microsoft programs and then pop up with various warnings and get you to pay them.

I do not like this. They can in fact get onto my computer without my doing anything. It sucks.

Regardless, I’ve got one. I could almost certainly fix the damn problem except that some brilliant Microsoft designer decided I am not allowed to actually delete half the things on my system even as administrator. I can close the active program (a previous version actually protected itself better in that way) and open regedit and find its files, but I can’t remove them. In fact, there’s apparently a file I can’t even see located in my (user)/local/appdata file called av.exe.

Now, Malwarebytes should remove it, but I can’t get it to install because the program protects against that. SpywareDoctor can remove it but they charge money. I am NOT going to pay them, since that sorta defeats the point and moreover there’s no guarantee they can be bothered to help me against the next threat down the line. I’m not sure if system restore can do anything useful at this point.

Basically, what can I do here? How can I get this damn thing off (this is the "Vista Internet Security" virus)? Moreover, how can I stop this damn thing from infecting me again?

I started this exact thread a few months ago. I got some good advice and tried some stuff, but the result was that I had to reinstall Windows. Hope you have better luck than I did.

You might want to read up on ComboFix. I used it several years ago to rid a computer running WinXP of a bug that sounds a lot like yours.

I just got that again myself. Vista Security. I rebooted my computer and ran my McAfee and dumped it that way. Good luck. It is a real pain and I also couldn’t find out where it was hiding, but McAfee got rid of it.

Try stuff from this sticky before reinstalling OR running ComboFix.

ComboFix is the be-all-end-all of virus removal but it will fuck up some of your settings and you will be a bit frustrated to get everything running smooth again once you’ve gotten rid of the nasty. It’s best used by people who truly know what they’re doing and who are willing to deal with the consequences. I don’t think you’re there yet in terms of trying other stuff first.

You might want to try simply re-naming Malware Bytes’ exe file to something else to see if you can install it.

I’ve never had or seen this virus, but if it really IS a case of knowing which files you want to delete, but not being allowed to delete them by Windows, you could try running a bootable Linux CD (Ubuntu is probably easiest to use) and then just navigate to the appropriate Windows folder and delete the files.

Because the Linux disk is running straight from the CD, it won’t mess with your Windows installation, and because it is a completely different OS, it should also allow you to access and delete the relevant Windows virus and other exe files as if they were just regular old files.

Have you tried installing Malwarebytes when the computer is in Safe Mode?

IIRC, Malwarebytes doesn’t run or install in Safe Mode. One solution is to rename the Malwarebytes installation file to something else, but that doesn’t always work.

Another solution is SuperAntiSpyware.

If those don’t work, you need to search for rootkits. Rootkit scanners are tricky, especially since the virus tends to detect a scan (and the scans take the folders in alphabetical order, which makes no sense since the rootkits are usually in Windows/system32; the Windows folder and all its subfolders should be scanned first, not last).

GMER seems to do a pretty good job. Download it and use the random name option. If it finds anything, delete it immediately (or make a note of it).

If that doesn’t work, you will need to have a way to boot from a CD. BartPE is a solution. If you can boot from that, look in the C:\windows\system32 folder for anything put there lately, especially if it has a weird looking name and has been added about when you first saw the problem. Rename it (say from anihhn.dll to anihhn.bad – this allows you to go back if it turns out it’s a system file), then boot normally. You may be able to get Malwarebytes up and running and complete the fix.

Have you tried starting up in SAFE MODE and doing a System Restore to a previous good date? If that works, it will give you some time to install some antivirus software.

I’ve had success renaming the executable.

I’ve also had success running MSRT in safe mode in the past:

http://www.microsoft.com/security/malwareremove/default.aspx

Also, Combofix removes most of these infections but not all. A user of mine got some fake AV today and combofix was unable to remove it.

Lastly, you can make a UBCD4Win (windows live boot disc) and run all sorts of AV offline without booting your infected installation:

http://www.ubcd4win.com/contents.htm

What errors do you get when you try to delete the file or registry keys, and have you tried removing them while in safe mode? Check the malware’s file permissions, under the Security tab of the file’s properties. It is possible to define file permissions that prevent you from easily deleting the file. As an administrator you can still take ownership, remove any deny entries, and grant yourself full control of the file. The same applies to the registry keys that define the malware’s startup entry.

Malware Bytes can run in safe mode. However, like all programs that use Windows Installer, it cannot be installed in safe mode without a tweak that enables the Installer service. That’s for XP. You didn’t specify what OS you’re running, so if you’re on Vista or 7 you should be able to Google up the exact instructions, but the idea is the same.

Some programs can be installed to a thumb drive on another computer and transferred to the infected computer, running off of the flash drive. I have done this with SuperAntiSpyware and Spybot-SD. If you are able to boot into safe mode without symptoms, then you are in a good position to run these programs, since it means the malware probably isn’t running and can’t protect itself. You can also rename the executables to random strings to help avoid interception.

Wow, this will come in handy.

A couple of months ago I was able to install Malware Bytes, but the final executable file was deleted by the virus. I googled the error message I got when I tried to start Malware Bytes, and found a site where you could download just the executable file, with a randomly-generated name. Put that file in the Malware Bytes folder where the rest of the Malware Bytes files are, run it, and you’re good to go.

I don’t know about Vista, but under XP, I was able to run (and surely delete) .exe files using a command prompt. To do that, you can go to Start, Run, enter command.com, which will bring up a black screen that looks just like the old DOS, cd to the directory involved and delete it. If it still won’t let you, then the deletion probably requires editing the registry, which is not a job for the faint of heart. But from the command line you run regedit. It has been a while since I did that, so I don’t recall the details, but there must be a search function; find the entry for your malware and delete it. Then you ought to be able to delete the file. Another point is that there is administrator and super-administrator. I believe that you get to be the latter by looking at Control Panel/Users, but I am not certain.

If it were my computer, I would get expert help.
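The two posts above (the one about the Security tab, ownership and Deny entries, and the one about deleting from a command prompt and then cleaning the registry entry) describe a sequence that can be done from one elevated prompt. The script below is an added example written for this thread, not any poster’s own: it shows the Deny entries on the file, takes ownership, strips the Deny entries, grants Administrators full control, clears the Hidden/System attributes, deletes the file, and then does the same for the Run key that holds the startup value. It assumes Vista/7 PowerShell, that %LOCALAPPDATA% is the "(user)/local/appdata" folder the OP mentions, and that you have already looked up the startup value name in the Run key (the value name here is a placeholder).

```powershell
# Added example for this thread, not any poster's script. Run from an elevated
# PowerShell prompt, ideally in Safe Mode so the malware process is not running
# and holding its own file open. File name and Run value name are assumptions.

$File      = Join-Path $env:LOCALAPPDATA 'av.exe'   # assumed Vista/7 location of the OP's file
$RunKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'PLACEHOLDER-run-value'   # find the real name first: Get-ItemProperty $RunKey
$Admins    = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'

function Show-DenyEntries {
    # Explicit Deny ACEs are what turn "Access is denied" into a mystery for an admin:
    # a Deny entry wins over any Allow entry, including the administrator's own.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    Write-Host "Owner of ${Path}: $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny') {
            Write-Host "  DENY entry for $($ace.IdentityReference)"
        }
    }
}

function Repair-Acl {
    param([string]$Path, [switch]$Registry)
    $acl = Get-Acl -Path $Path
    # 1. Take ownership: the owner can always rewrite the DACL, whatever it says.
    #    If this step is refused, takeown.exe /F "<path>" is the fallback.
    $acl.SetOwner($Admins)
    # 2. Remove every Deny entry. The list is copied with @() first because the
    #    loop modifies the ACL it was read from.
    foreach ($ace in @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    # 3. Grant Administrators full control so the object can actually be deleted.
    if ($Registry) {
        $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
                    -ArgumentList $Admins, 'FullControl', 'Allow'
    } else {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                    -ArgumentList $Admins, 'FullControl', 'Allow'
    }
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# --- the file ---
if (Test-Path -LiteralPath $File) {
    Show-DenyEntries $File
    Repair-Acl $File
    # Hidden+System is why the OP could not see the file; Normal clears both.
    [System.IO.File]::SetAttributes($File, [System.IO.FileAttributes]::Normal)
    Remove-Item -LiteralPath $File -Force
    Write-Host "Deleted $File"
} else {
    Write-Host "$File not found (check the path for this Windows version)"
}

# --- the startup entry ---
Show-DenyEntries $RunKey
Repair-Acl $RunKey -Registry
if ((Get-ItemProperty -Path $RunKey).PSObject.Properties.Name -contains $ValueName) {
    Remove-ItemProperty -Path $RunKey -Name $ValueName
    Write-Host "Removed Run value $ValueName"
}
```

Two things to keep in mind when using it: if the file is re-created or refuses to delete even after the ACL repair, a process still has it open, which is the reason the posts above keep coming back to Safe Mode or an offline boot disc; and Deny entries can also live on the HKLM Run key or on the malware’s parent folder, so run Show-DenyEntries on those too before assuming the permissions are clean.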

I had good luck running a system restore from safe mode.

Download Avast and run it in safe mode. Worked for me

Sadly, I cannot get malwarebytes to run. It just won’t go properly. SuperAntiSpyware also joins the crap swirling the drain.

Try the Windows Malicious Software Removal Tool; download it from the Microsoft site. Use safe mode to minimize what loads.

I cleaned someone’s computer this week of some ransomware and used Malwarebytes.
In safe mode with networking, I downloaded the program to the desktop and then re-booted into “normal” Windows.
I changed the file extension from .exe to .com as per instructions from Malwarebytes and installed the program.
The instructions also said to change the file extension to .com on the program file also if the ransomware wouldn’t allow its execution, but I didn’t have to.
Malwarebytes started right up, I was able to update and then scan to get rid of the problem. I also then did a Spybot S&D scan and then an anti-virus scan to get rid of everything.
All in all, it probably was 8 hours of scanning to get rid of the problem.

A few other tricks I have picked up getting rid of stuff:

HijackThis is a great program that IDs the stuff that is loaded when your computer starts up. You can edit what starts up right from the program. After you reboot, run it again and you can see what you have.

Sometimes I just go in Windows Explorer and find the offending file myself. A lot of times they are hiding in your temporary internet files and/or Windows folders under system32. I’ll sort the files by date and look at the properties of the files. If the properties don’t show who authored the file, I’ll change the extension to .BAD and reboot to see if that solves my problem. I can then do a search later for all the .BAD files and delete them.
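The manual triage described in the last paragraph (and in the earlier post about looking for oddly named, recently added files in system32 and renaming them to .bad) can be scripted so it is repeatable and covers hidden files. The following is an added example written for this thread, not any poster’s own script: it lists executable files written since a cutoff date in the folders the thread names, shows the version-info Company field (what the Properties dialog displays) together with the Authenticode signature status, and optionally renames the suspects by appending .BAD so they can be renamed back if one turns out to be legitimate. The cutoff, the folder list and the $Rename switch are assumptions to adjust.

```powershell
# Added example for this thread, not any poster's script. The cutoff date,
# folder list and $Rename flag are assumptions; review the listing before
# setting $Rename to $true.

$Since   = (Get-Date).AddDays(-7)       # roughly when the symptoms started
$Rename  = $false                       # $true renames suspects to *.BAD
$Folders = @(
    (Join-Path $env:windir 'System32'),
    $env:TEMP,
    $env:LOCALAPPDATA                   # where the OP saw av.exe (Vista/7 location)
)

function Get-RecentExecutables {
    param([string[]]$Paths, [datetime]$Cutoff)
    foreach ($dir in $Paths) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # -Force includes Hidden/System files, which is how av.exe stayed out of sight.
        Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
            Where-Object {
                -not $_.PSIsContainer -and
                $_.LastWriteTime -ge $Cutoff -and
                $_.Extension -match '^\.(exe|dll|sys|com|scr)$'
            } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                New-Object -TypeName PSObject -Property @{
                    Path      = $_.FullName
                    Written   = $_.LastWriteTime
                    Hidden    = [bool]($_.Attributes -band [System.IO.FileAttributes]::Hidden)
                    Company   = $_.VersionInfo.CompanyName   # the "author" field in Properties
                    Signature = $sig.Status                  # Valid, NotSigned, HashMismatch, ...
                }
            }
    }
}

function Test-Suspect {
    # Flag anything hidden, with no company name, or without a valid signature.
    param($File)
    return ($File.Hidden -or
            [string]::IsNullOrEmpty($File.Company) -or
            $File.Signature -ne 'Valid')
}

$found = Get-RecentExecutables -Paths $Folders -Cutoff $Since | Sort-Object Written -Descending
$found | Format-Table Written, Hidden, Signature, Company, Path -AutoSize

foreach ($f in @($found | Where-Object { Test-Suspect $_ })) {
    if ($Rename) {
        # Appending .BAD (rather than replacing the extension) keeps the original
        # name intact, so the file is one Rename-Item away from being restored.
        Rename-Item -LiteralPath $f.Path -NewName ((Split-Path -Leaf $f.Path) + '.BAD')
        Write-Host "Renamed $($f.Path) -> .BAD"
    } else {
        Write-Host "SUSPECT: $($f.Path)"
    }
}
```

Read the listing with two caveats. Windows Update also writes to system32, so a recent date alone means little; that is why the Company and Signature columns are there. And on the XP/Vista-era systems discussed in this thread, Get-AuthenticodeSignature reports many genuine Microsoft files as NotSigned because they are catalog-signed rather than embedded-signed, so a NotSigned file with Microsoft in the Company field deserves a second look before it gets renamed, while a hidden file with an empty Company field and a random-looking name is exactly what the posters above were hunting for.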