AV Security Suite removal

Kitten Kong

Hi everyone, I'm really stuck with this one, and wondering if there's anyone who can please assist.

I have a client's laptop here, which he uses for business. Their IT dept have a business logon to enable him to gain access to their system. The laptop is infected with the AV Security Suite.

Normally I would go about removal of this one via safe mode. Unfortunately I am unable to access safe mode, because the PC claims the password is incorrect for the logon.

I have attempted to remove the password; AV SS claims the file is infected.
Attempted to alter the hosts file; again, file is infected.
Unable to run Task Manager; file infected.
Unable to run any of my tools, as file infected.

Attempted to install rkill. Again, file infected.

Without getting into safe mode, is there anything else I could try? Or any tips for gaining access into safe mode?

I have tried safe mode with networking, and that BSOD'd with code C2, Bad Pool Caller. Basically a faulty driver or buggy software.

Many thanks..
 
"AV Security Suite" is a little nasty. Be sure that you turn off all the proxy settings in ALL BROWSERS!!! or it will re-infect you. Also, AV Security Suite relies on the host OS (i.e. Windows) in order to do its damage. So the best thing you can do is make its strength its weakness: take the host OS out of the equation. Try a boot CD like the person above me suggested, or take out the HDD and hook it up to another computer you can run scans from. Also look online for manual removal as well. MBAM and others will pull the infection but miss a couple of reg keys, so be sure to check those.
 
It contains a very nasty rootkit. It took me a few days to sort out the last infection I had. I used GMER in the end which helped me find the rootkit.

Combofix helped too.

I found I could not edit the hosts file, but it kept crashing with Linux boot CDs (due to being ancient and having an 8 MB internal video card). In the end I used the Recovery Console to delete the hosts file and make a blank hosts file.

Some drivers were infected with the rootkit too, but GMER found them. It was iexplorer.exe which was infected with extra rootkit code. GMER had a restore code facility which solved the problem. I then used SFC, which replaced a few files, and it's been fine ever since.

The thing about AV Security Suite is it appears to be just a normal bogus antivirus program, but it does a lot more damage than that. I found Malwarebytes and MSE would both find the drive was completely clean when the rootkit was clearly still there.
 
I'm just fixing this now on a company machine. I would guess that the PC logs into the domain under normal operation; however, in safe mode you can't use domain logins at all, only local. You would need the local admin password, and hopefully local admin isn't disabled. A boot disc should let you reset the local admin password and ensure it is unlocked. From there this is an easy fix in safe mode, I believe; this is not the first time fixing this infection myself.
 
I just boot from UBCD4Win and go to the user's Local Settings folder and find the random-named executable. I always back it up for my own use later and delete it. Then reboot into Windows and fix the EXE file association. From there it's just a matter of cleaning up the damage the AV program caused. You might need to fix the default Internet settings in the Start menu. Also fix the proxy settings.

I created a couple of reg file backups that fix the EXE association and the IE/Firefox default Internet links. Other than that, the rest is just investigating what works and what doesn't.

One of the reasons I save the virus is for later research. If it's a new variant, I like to infect my VM to check for new problems that it causes. This way I can create scripts and reg backups to remove it next time.
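The two posts above describe the same clean-up checklist: restore the EXE file association, clear the proxy settings in every browser, and check the hosts file. The PowerShell script below is an added example (not code posted by anyone in this thread and not a tool from any of the products named) that audits those locations read-only and reports anything that differs from a clean default. It assumes a Windows machine with PowerShell 3 or later, the standard registry paths for the `.exe` handler and the WinINET (IE) proxy, and a Firefox profile under `%APPDATA%\Mozilla\Firefox\Profiles`; the function names are hypothetical.

```powershell
# Added example: read-only audit of the places a fake AV is described above as tampering with.
# Assumes Windows with PowerShell 3+; registry and file paths are the standard Windows locations.

function Test-ExeAssociation {
    # A clean .exe handler runs the file itself and passes arguments through: "%1" %*
    $expected = '"%1" %*'
    $result = @()
    foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes') {
        $key = Join-Path $hive 'exefile\shell\open\command'
        if (Test-Path $key) {
            $cmd = (Get-ItemProperty -Path $key).'(default)'
            $result += [pscustomobject]@{ Key = $key; Value = $cmd; OK = ($cmd -eq $expected) }
        }
    }
    # A per-user override for the .exe extension is normally absent on a clean install;
    # its presence means something redirected every .exe launch for this user.
    $userExe = 'HKCU:\Software\Classes\.exe'
    if (Test-Path $userExe) {
        $result += [pscustomobject]@{ Key = $userExe; Value = (Get-ItemProperty -Path $userExe).'(default)'; OK = $false }
    }
    $result
}

function Test-IeProxy {
    # WinINET proxy used by IE and by many other Windows programs
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
        # Clean default on a standalone machine: no proxy and no auto-config script
        OK = (-not $p.ProxyEnable -and -not $p.ProxyServer -and -not $p.AutoConfigURL)
    }
}

function Test-FirefoxProxy {
    # Firefox keeps its proxy configuration in prefs.js inside each profile folder
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $profiles)) { return }
    Get-ChildItem -Path $profiles -Directory | ForEach-Object {
        $prefs = Join-Path $_.FullName 'prefs.js'
        if (Test-Path $prefs) {
            # Any of these prefs being set means a proxy (or PAC script) is configured
            Select-String -Path $prefs -Pattern 'network\.proxy\.(type|http|ssl|autoconfig_url)' |
                ForEach-Object { [pscustomobject]@{ Profile = $_.Path; Setting = $_.Line.Trim() } }
        }
    }
}

function Test-HostsFile {
    # Return every active (non-comment) hosts entry other than the localhost lines
    $path = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $path |
        Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and $_ -notmatch '^\s*#' } |
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
}

# Run the audit; anything with OK = False or any listed line deserves a closer look
Write-Host '== .exe file association =='
Test-ExeAssociation | Format-Table -AutoSize
Write-Host '== IE / WinINET proxy =='
Test-IeProxy | Format-List
Write-Host '== Firefox proxy prefs (any hit means a proxy is configured) =='
Test-FirefoxProxy | Format-Table -AutoSize
Write-Host '== Active non-localhost hosts entries =='
Test-HostsFile
```

Run it from an elevated PowerShell prompt on the cleaned machine, or against the slaved drive by loading the user's NTUSER.DAT under a temporary hive and adjusting the `HKCU:` paths. The script changes nothing; once you know which value is wrong, the repair is the reg file backup the poster above describes, or setting the handler back to `"%1" %*` and clearing ProxyEnable by hand.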
 
Thanks for all the help guys.

In the end, it was a combination of tools, and things which fixed the laptop.

Firstly, I used a live CD, then Dr.Web, which didn't find any trace whatsoever.
Then Kaspersky Rescue, which did find 6 viruses, and removed those.

Then slaved the drive onto my test machine and ran MBAM, which removed the AV suite and other nasties.

Ran GMER, which removed the rootkit. Managed to get into the hosts file and amend that to suit.

Tried a manual removal to see if there were any other nasties still lurking, but could not see anything too unusual. I could not gain access via safe mode, no matter what I tried :(. The PC did log into a domain in normal mode, and I did not have the local admin password. With it being a company laptop, I was wary of removing any passwords on the laptop.

When I rang my customer and told him the above, he said it's fine to do, he'll take the sting if there's any comeback, but I thought better not to do this just in case.

Then to top it all off, ran ComboFix for good measure. This found a couple of entries which everything else missed.

There was an issue with Explorer not working, but he uses Firefox in any case, and up to now all's well.

All in all, this took over 6 hours to complete, from when he first handed me the machine to when he took it back earlier. I would have loved to have had more time with it, to be secure in my mind that it was completely removed, but my customer needed it for work in the morning. (He has his boss with him all day, which is another reason for needing it urgently.)

He is under instructions to get it back to me immediately if he spots any further issues, and to leave it with me a bit longer next time lol.

I have to admit, I was getting strung out by this lil beggar.. it's one of the worst ones I've ever come across. Thanks for pointing out the live CD. I don't know why I didn't think of it earlier myself..

Thanks again everyone, for your helpful insights.
 
You could use Kon-Boot to bypass the passwords without changing them.

The Explorer problem, I am sure, has to do with the fake AV. The location in the reg where the default browser information is kept for the Start menu links has more than likely been changed.
 
Thanks again everyone. I will try the IE fix if/when the lappy comes back in. I know it will pretty soon, as this isn't the first time I have removed a fake AV for my client.

I keep asking him to run the programs on a regular basis and to change his surfing habits, but there are, shall we say, certain websites that he visits on a regular basis which infect him. I have mentioned to him: the more you're going to these sites, the more infected you will get, and the more you keep bringing it in for me to clean, the more it's costing you.

To be told, well, it all goes down on expenses, so I'm not paying for it.. What more can you do? lol
 
Hi reg, I would mate, only my client has the laptop back again.

If I come across it again at a later date, I will send it on to you.
 
> Thanks again everyone. I will try the IE fix if/when the lappy comes back in. I know it will pretty soon, as this isn't the first time I have removed a fake AV for my client.
>
> I keep asking him to run the programs on a regular basis and to change his surfing habits, but there are, shall we say, certain websites that he visits on a regular basis which infect him. I have mentioned to him: the more you're going to these sites, the more infected you will get, and the more you keep bringing it in for me to clean, the more it's costing you.
>
> To be told, well, it all goes down on expenses, so I'm not paying for it.. What more can you do? lol

Why not turn him on to a different browser? Maybe have him use Firefox or something that's not affected as much.
 
Hrm, I didn't know this usually came with a rootkit as well. I don't recall if I just fixed this on a client's computer a few weeks back, but I may want to follow up and do a scan on her system.

IIRC AVG Boot Disk + MBAM did the trick -- so maybe it was something different.
 
> Why not turn him on to a different browser? Maybe have him use Firefox or something that's not affected as much.

I installed FF for him the last time it was in here, and as far as I'm aware, he continues to use it now.

But even that won't stop him from his surfing habits.. need I say much more?? ;) lol
 