MSFN Forum: Personal Anti-Virus Spyware/Adware - MSFN Forum


Personal Anti-Virus Spyware/Adware: can this be removed

#1 User is offline   cmonkedo 

  • if it aint broke fix it anyways
  • Pip
  • Group: Members
  • Posts: 74
  • Joined: 03-April 08

Posted 02 September 2009 - 07:32 PM

I have run into several varieties of this demon of a virus, all of which have defeated my attempts at removal, forcing me to do a clean install of Windows. I have tried several different methods found online, all with some success but never complete. My first step is to remove the drive from the offending system and run a scan with NOD32, then to run a scan with Malwarebytes, then to go through all temp files and application data folders to manually remove any files I can determine are a part of the virus. Any tips would be great, or any methods found to work as of recent.


#2 User is offline   macgyvr 

  • Newbie
  • Group: Members
  • Posts: 30
  • Joined: 25-August 01

Posted 02 September 2009 - 08:23 PM

Malwarebytes will remove it completely with no other intervention needed. I've done about 40 of them in the last 6 months. I run a computer repair shop.

#3 User is offline   cmonkedo 

  • if it aint broke fix it anyways
  • Pip
  • Group: Members
  • Posts: 74
  • Joined: 03-April 08

Posted 02 September 2009 - 08:30 PM

Are you running Malwarebytes on your PC, scanning via IDE/SATA to USB, or are you running it locally on the infected PC? If local, safe mode or normal mode?

#4 User is offline   PC_LOAD_LETTER 

  • Well, I stole something else
  • Group: Super Moderator
  • Posts: 1,829
  • Joined: 13-October 07
  • OS:Windows 7 x64

Posted 02 September 2009 - 09:22 PM

I've cleaned tons of these fake AVs, including PAV, and here is my process:

  1. Install MBAM.
     If the install fails to show up but is showing as running in the Processes tab of taskmgr, the window is being hidden from you.
     • End task on all mbam-setup.exe in the Processes tab of taskmgr
     • Rename the installer to calc.exe, notepad.exe, iexplore.exe, etc.
     • Execute the renamed installer

  2. Start MBAM and update its definitions (if possible; sometimes by the time our machines have been reported to me, our network's ASA has blocked their network access and I have to call and have them removed from the blacklist before I can update :rolleyes: ).
     If MBAM fails to show up but is showing as running in the Processes tab of taskmgr, the window is being hidden from you.
     • End task on all mbam.exe in the Processes tab of taskmgr
     • Make a copy of mbam.exe and call it calc.exe, notepad.exe, iexplore.exe, etc. (usually anything that does not start with mbam will work. On XP usually "Copy of mbam.exe" will run fine, but on Vista, "mbam - Copy.exe" will not)
     • Execute the renamed mbam.exe

  3. Run quick scan. Abort if it finds something right away (within 2-3 minutes), remove all that it finds and reboot if prompted. (The reason for this is MBAM scans active processes first and then scans a bunch of stuff that's likely dormant.)
  4. Run quick scan again.
     • If something was not found in the first half of the scan, abort and skip to step 6.
     • If something was found in the first half of the scan, let the scan finish and use msconfig/autoruns/regedit/HJT/whatever to clean the startup group before rebooting this time

  5. Delete the contents of %TEMP%, c:\windows\temp, and IE's Temp Internet files. 90% of the time IE was the start of the infection, but that's not why you clear it; it speeds up the MBAM full scan.
  6. Run full scan with MBAM.
  7. Run full scan with a real AV (precautionary).
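
The hidden-window workaround from the post above, written out in PowerShell. This is an added example, not part of any poster's message and not Malwarebytes' own tooling; the function names and the `-ExePath`/`-NewName` parameters are hypothetical, and the path to `mbam.exe` or `mbam-setup.exe` is an assumption the operator must supply.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.

function Get-ScannerProcess {
    # Every running mbam.exe / mbam-setup.exe, flagged when it has no visible
    # main window. MainWindowHandle is zero for a process whose window is
    # hidden (it can also be zero for a moment right after launch).
    Get-Process -Name 'mbam', 'mbam-setup' -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName,
            @{ Name = 'Hidden'; Expression = { $_.MainWindowHandle -eq [IntPtr]::Zero } }
}

function Start-RenamedScanner {
    param(
        # Assumption: full path to mbam.exe or mbam-setup.exe on this machine.
        [Parameter(Mandatory = $true)][string]$ExePath,
        # Any file name that does not start with "mbam" (per the post).
        [string]$NewName = 'calc.exe'
    )

    if (-not (Test-Path -LiteralPath $ExePath -PathType Leaf)) {
        throw "Executable not found: $ExePath"
    }
    if ($NewName -like 'mbam*') {
        # "mbam - Copy.exe" is the name the post reports as still failing on Vista.
        throw "NewName must not start with 'mbam': $NewName"
    }

    # "End task" on every existing instance, reporting which were hidden.
    foreach ($p in @(Get-ScannerProcess)) {
        Write-Host ("Ending {0}.exe (PID {1}, hidden window: {2})" -f $p.ProcessName, $p.Id, $p.Hidden)
        Stop-Process -Id $p.Id -Force
    }

    # Copy rather than rename, so the original file stays in place for updates.
    $copy = Join-Path (Split-Path -Parent $ExePath) $NewName
    Copy-Item -LiteralPath $ExePath -Destination $copy -Force

    Start-Process -FilePath $copy
    Start-Sleep -Seconds 5

    # If the copy still has no visible window, try another name.
    $name = [IO.Path]::GetFileNameWithoutExtension($NewName)
    Get-Process -Name $name -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName,
            @{ Name = 'Hidden'; Expression = { $_.MainWindowHandle -eq [IntPtr]::Zero } }
}

# Usage (placeholder path, replace with the real location):
# Start-RenamedScanner -ExePath 'C:\path\to\mbam.exe' -NewName 'notepad.exe'
```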


#5 User is offline   macgyvr 

  • Newbie
  • Group: Members
  • Posts: 30
  • Joined: 25-August 01

Posted 02 September 2009 - 09:25 PM

I think what the OP is saying is that he took the drive out of the computer and attached it to a different computer to run MBAM. On systems where MBAM will not run, this is a great solution, but it only takes you so far. It will usually take off a chunk of the offending material, but then you MUST put the drive back in the original system and run MBAM again natively. Otherwise, you are not removing everything.

#6 User is offline   cmonkedo 

  • if it aint broke fix it anyways
  • Pip
  • Group: Members
  • Posts: 74
  • Joined: 03-April 08

Posted 02 September 2009 - 10:13 PM

Thanks for the great tips Mac/PC_ this will prove very useful.
