A longtime reader of ShanKrila and a blogging friend of mine, Jeanne Dininni of Writer’s Notes, contacted me yesterday by email with a computer question.
I’ve been battling a “PC Antispyware 2010” computer infestation. Don’t know whether you’re familiar with it or not, but I was hoping that maybe you’d be able to give me a little advice or recommend an effective tool for removing it. Otherwise, I’m pretty sure I’ll have to uninstall/reinstall Windows to get rid of it.
That’s when it dawned on me that I faced the same situation a few months back on my desktop and I fought hard to successfully remove it from my computer. But, I forgot to blog about it here even though I wrote about the Conficker worm. It would have helped Jeanne and many others looking for such information. So, I am sharing my experience with how I removed it here.
What is PC AntiSpyware 2010?
PC AntiSpyware 2010 is a rogue antispyware program that looks like a genuine antispyware program. You could get infected with it by visiting some malicious sites. Here are a few symptoms if you were infected with this:
- You will be prompted to run this program showing fake malware infections on your computer repeatedly
- It disables Windows Defender (Microsoft’s genuine security product)
- Disables your system security programs and spyware programs
- Disables you from updating any installed anti-virus program
- Disables the ability to install any new security software
- Redirects you away from security software websites when you try to go to them directly in Internet Explorer
Jeanne is Internet-savvy and she had done all the right things anyone would do in situations like this. In fact, I went through the same steps before realizing how sneaky this malware really is.
Here are a few things you would do if you had a virus in your computer
- Try to update and run Windows Defender
- Try to update and run installed Anti-virus software
- Try to update and run installed AntiSpyware programs like Spybot, Adaware, etc
- Try and run a RootkitRevealer program
- Use an advanced process program like Process Explorer to see currently running programs and kill suspicious processes
- Use a startup tweak program like Autoruns to disable unwanted stuff from automatically starting up
- Use HijackThis to see what programs may be malicious
PC AntiSpyware 2010 is so sneaky that it actually disables pretty much all these programs. It even disabled my command prompt and Control Panel.

It adds itself to your computer’s registry and even if you are able to clean up some of it, it automatically installs itself when you reboot your computer. Plus, I even saw it morph into installed genuine programs randomly so you can’t really find it in Task Manager. One sure indication that a genuine-looking program is the malware is to kill it and see it spring back to life automatically. Mine was latching on to the LogMeIn program even though I didn’t have it set to start up automatically.
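The following PowerShell is an added example, not part of the original post: it lists the standard Windows Run and RunOnce registry entries (part of what Autoruns shows) and flags any that match the name braviax reported in the comments on this post, run from a temp folder, or point to a missing file. That the infection registers itself in these particular keys is an assumption, since the post does not say where in the registry it lives; the flagging rules are illustrative as well.

```powershell
# Added example: review registry autostart entries and flag ones worth a closer look.
# Assumption: the entry sits in the standard Run/RunOnce keys (the post does not say).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# "braviax" is the startup entry name reported in the comments on this post.
$suspectNames = @('braviax')

function Get-ExePath([string]$command) {
    # Extract the executable from a Run value: a quoted path, or the text up to ".exe".
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($command -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return ($command -split '\s+')[0]
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath $command))
        $reasons = @()
        # Rule 1: value name or command line contains a name from the list above.
        if ($suspectNames | Where-Object { "$name $command" -like "*$_*" }) {
            $reasons += 'name match'
        }
        # Rule 2 (illustrative heuristic): program starts from a temp folder.
        if ($exe -like "$env:TEMP*" -or $exe -like "$env:windir\Temp*") {
            $reasons += 'runs from temp folder'
        }
        # Rule 3: full path given, but the file is no longer on disk (leftover entry).
        if ($exe -match '^[A-Za-z]:\\' -and -not (Test-Path -LiteralPath $exe)) {
            $reasons += 'file missing'
        }
        [pscustomobject]@{
            Key = $key; Name = $name; Command = $command
            Flags = ($reasons -join ', ')
        }
    }
}
# Flagged entries are listed first.
$entries | Sort-Object { -not $_.Flags } | Format-Table -AutoSize -Wrap
```

A flag is a prompt to look at the entry, not proof of infection; the script only reads the registry and changes nothing.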
So how did I get rid of this malware from my desktop?
Steps to remove PC AntiSpyware 2010
Using Malwarebytes’ Anti-Malware
- If your PC is still able to download and install security software, try and download Malwarebytes’ Anti-Malware
- Run Malwarebytes’ Anti-Malware and see if this helps remove the infection. A lot of people seem to have luck with it.
I wasn’t so lucky as my infection wouldn’t even let me install this software. If that’s your case, read on.
Using Manual Registry Edits
You could also try manual file deletion and registry edits as described here. I haven’t tried this and I followed the next section to remove mine.
Using Boot-time Anti-Virus Scanner – Recommended
Since most of the usual system cleanup methods are disabled, we are left with one solid option: to use a boot-time anti-virus solution. This ensures that any installed malware is not activated while you are cleaning up your computer.
Here are the steps I followed to clean up the infection successfully
1. Download and burn a boot-time anti-virus software like Avira to CD/DVD (look below for a list of good ones I came across). Make sure you burn it as a bootable image and not as a data disk.
2. Put the CD/DVD in your computer tray
3. Shut down your computer
4. Disconnect the network cable from your computer
5. Reboot your computer
6. Most computers automatically boot from CD/DVD before trying to boot from the hard drive. If not, while booting, go into the system boot menu by hitting F2 or F10 continuously (you will see a hint on that) and change your boot order to boot from CD/DVD first.
7. Let the boot-time anti-virus software do its job.
8. Reboot your computer (without connecting to the Internet) and see if you can run the usual security programs now.
9. If you can, connect to the Internet and update Windows Defender and your primary anti-virus programs immediately. Run a ‘full scan’ or ‘deep scan’ option on your computer with the latest updates.
If in step 8 you still see that your computer is infected, try using another boot-time virus scan program through the same steps. There seem to be many variations of these infections and not all programs remove all infections. That’s why it’s best to download and keep multiple programs at hand while attempting this.
Here are a few Boot-time Antivirus Scanners that you can download and try
- Ultimate boot CD for Windows (includes an anti-virus software)
- Avira AntiVir Rescue System – a linux based virus scanner that is updated daily
- Kaspersky Rescue Disk
- BitDefender Rescue CD
- F-Secure Rescue CD
- Trinity Rescue CD Kit – A combination of popular free antivirus software in one kit with online update capabilities. For the advanced user.
Re-installing Windows isn’t fun unless you had a system restore image with all your favorite applications beforehand. I had success cleaning up this pesky virus from my desktop and have since been virus free. I make sure once in a while that all my virus definitions, firewall software and spyware software are updating regularly.
If you have any questions, please feel free to ask in the comments.
Jeanne, thanks for asking the question that prompted me to write this post. I hope you have your computer cleaned very soon.




17. September 2009 at 1:14 am
Bob,
This is definitely a tough one! I never installed the program either–at least not that I recall. I may have unwittingly downloaded it by allowing a Java update while I was online, though. It’s possible that I could have installed it thinking it was a Java update, but I doubt it. It does sound as if your non e-book may have been the culprit for you. The continuously replicating nature of this malware is one thing that makes it so difficult to get rid of–along with all the hidden files it places all over your PC. I’m still finding abnormalities (including strange-looking registry entries and missing or misplaced files) now and then that I’m attempting to figure out. It’s quite a puzzle!
It must be possible for this program to run automatically once it’s been downloaded; otherwise, how could these windows just suddenly begin popping open all over the place with no encouragement from us?
This program has the capability of disabling any anti-malware programs we happen to have on our PCs at the time it’s downloaded. It certainly isn’t only MalwareBytes that’s affected. Avast! was greatly (though not totally) incapacitated on my system when I contracted the infection, and Windows Defender was completely disabled. As I’ve mentioned, I eventually got both programs working again, though. Didn’t download MalwareBytes until later, and once I did, it worked great.
Let’s HOPE no one gets this nasty infection again, because one time is one infection too many!
19. September 2009 at 10:07 am
Hi, I was just wondering if it is necessary to have PC Antispyware 2010 installed on your computer, in order to uninstall it?
At the moment I have the bubble which keeps popping up, but I always close the program when it says that PC Antispyware 2010 is downloading. My antispyware programs still don’t work. I searched my computer for bravix and cru628 files and I found some and deleted them, but this doesn’t seem to have helped.
I also tried to get Windows Security Centre working again, but when I type in the address in the bar it doesn’t seem to find it.
19. September 2009 at 6:45 pm
Matthew,
It’s hard to say whether the program needs to have been installed in order to be uninstalled. I doubt any of us has knowingly installed it, yet suddenly there it was! This infection is highly complex and difficult to get rid of, so it takes real persistence and consistent attempts at trying various things in order to figure out what will work. Have you tried the things I mentioned in my earlier comment to you?
It’s important to make sure PC Antispyware 2010 is not loading on startup, so you’ll want to make sure it’s unchecked in your Startup list. You’ll also want to do everything you can to get your anti-malware programs working again and/or get new ones downloaded and operating, because they will find and handle all the malicious files the program has placed on your system.
I wouldn’t worry about trying to locate my Security Center at this point. It’s likely operating, even though you can’t access it (a fact which you can double-check by looking at your Services list). Once you’ve gotten rid of the main malware infection, you’ll be able to concentrate on accessing your Security Center and replacing its icon in your Control Panel. Getting rid of the infection is really top priority right now.
19. September 2009 at 6:47 pm
You still got it bro…. I didn’t install it either and was still screwed…. Read every reply on here as we’ve talked about it to death, then come back and tell us if you’ve had any luck…..
22. September 2009 at 12:30 pm
Hi, I seem to have got rid of it!
It turns out that it was the braviax virus, and I am guessing that this is what it was for everybody else.
Here is how I removed it:
Firstly, I removed braviax from my startup programs by typing msconfig into run.
Then, the next time I started up the cross wasn’t there, and neither was the pop up.
I tried running Malwarebytes AntiMalware at this time, but it still wouldn’t work because the virus recognised mbam.exe, so what I did was download Malwarebytes onto another computer, change mbam.exe to zzz.exe and then replace the file on the infected computer with zzz.exe. Then, when I clicked on it, Malwarebytes antimalware started up, and I was able to scan my computer.
22. September 2009 at 2:02 pm
Good for you, Matthew!
It’s a great feeling to boot up and not see those annoying pop-ups anymore, isn’t it? Glad you managed to get the culprit out of your Startup list. That was definitely critical to your success in eradicating the virus. (Yes, it is Braviax/cru629 that’s at the root of this malware infection.)
Also glad you’ve managed to figure a work-around to get Malwarebytes up and running. It will help you get rid of many of the malicious files that are hidden in various places on your PC. I’d recommend that you download and scan your system with as many other anti-malware programs as you can, since I’ve noticed that different programs find and remove different malicious files. In addition to Malwarebytes, I’ve had good success with Avast!, Windows Defender, Ad-Aware, AVG, and Trend Micro RootkitBuster. Autoruns is also good for checking which programs are automatically loading on startup, and HijackThis can give you a comprehensive (though complex) picture of everything that’s going on with your computer system (though it can often require an expert to decipher it all).
Now that the infection is gone, you might want to follow my suggestions earlier in this thread to locate and restore your Windows Security Center. I still haven’t returned to describe the final step that fully restored everything to its proper place on my PC, because truthfully, I’m not even sure how it all happened myself and so don’t really know how to describe it. Yet, if you follow the explanation I’ve posted so far, you should at least be able to get a usable link to your Security Center onto your desktop, which will enable you to access it–and access is really the most important thing.
Congrats on your persistence and success in eradicating this infuriating malware!
24. September 2009 at 10:35 pm
Thank you so much, because of this, I finally removed it. This gave me a couple hints. But what I did was go onto my sister’s laptop, download Malwarebytes into a USB, and import into the infected computer. Then once the software was in there, I disconnected the internet. Then I put my XP on safe mode, and began the process. A quick scan was enough to remove Antivirus 2010. Then everything was working again. It turns out the virus tweaked my internet settings so nothing can get in. Anyways, thanks a lot!
25. September 2009 at 12:28 am
That’s great, Ryan!
Good move! Glad to hear you’re rid of it! Thanks for explaining how you did it! I’m sure it will help someone else!
28. January 2010 at 6:41 pm
Do any of these methods cost money?
30. January 2010 at 2:18 am
Yi Soon Shin,
As far as I know, all these tools are free.
Take care!
Jeanne
30. April 2010 at 8:17 pm
I always prefer to use Kaspersky over Avast or McAfee. Kaspersky is much better in detecting new viruses and it does not consume too much resources on your desktop PC.
6. May 2010 at 1:27 pm
Great tip, Faith! Thanks for sharing!