Fake Security Software Blocking MalwareBytes

timswim78

Diamond Member
Jan 1, 2003
4,330
1
81
I got a call from an out of town friend. His wife's computer has one of those bogus AV programs running. I suggested installing MalwareBytes. He tried that, but the bogus AV software said that MBAM is a virus and blocked it.

The computer is running Windows 7 Home Premium, and I am sure that the only current account is an admin account.

What should his next steps be?
 

Iron Woode

Elite Member
Super Moderator
Oct 10, 1999
31,198
12,732
136
1. Run msconfig, click the Startup tab and disable everything, reboot.
2. If msconfig won't run, then reboot, press F8 and boot into safe mode and repeat step 1.
3. Now install MBAM and MSE.
4. Slowly restore the msconfig startup entries one program at a time.

What fake AV does he have? This can change how you remove it.
 

jackofalltrades

Senior member
Feb 25, 2007
399
0
76
If you research the fake AV program, you will probably need to download RKill and run it first, then run MalwareBytes. RKill will stop the fake AV software, and then MalwareBytes will clear the problem out.
 

VampyrByte

Junior Member
Jan 8, 2011
19
0
0
I've dealt with a virus like this before. It would block execution of HijackThis and many other security programs like MBAM. It didn't take me long to figure out that it was filtering .exe files by name, rather than with any actual scanning process.

Try changing the name of the program you are trying to run.
 

Harvey

Administrator, Elite Member
Oct 9, 1999
35,057
67
91
One sure way to get rid of the problem is:

1. Remove the drive from the machine.

2. Connect it as a slave to another well protected and backed up machine.

3. Copy all critical files to a folder on the second machine, and scan them.

4. Wipe the original drive, and re-install Windows and all software from the ground up.

I know it sounds tedious, and it is, but it could take less time than trying to remove some of the more tenacious fake AV infections, and it's absolutely more certain to remove all of the infection. It's far better than working for hours to remove the infection and thinking you were rid of it, only to find that it comes back later from some hidden file that wasn't removed in the first sweep.

Infections like this are the reason I preach the value of cloning your hard drive immediately after sweeping it for malware. A "cloned" drive is more than a backup for your data. If your main hard drive becomes infected, do your best to save any files since the last backup, wipe it and clone the backup drive back to the main drive. If your main hard drive fails, the cloned drive is fully bootable and operational, and all you'll lose is any unrecoverable files since your last backup.

For Win XP, older versions of Norton Ghost that boot to DOS work very well. For Win 7 and (ugh!) Vista, Acronis True Image works very well between matched drives.

I mount my backup drive in a mobile rack like this one:


When it's not in use, I keep it unplugged from the system because no virus can jump the air gap to an unpowered drive. When it's time to clone the drive, I power down, plug in the drive and clone to it. When it's done, I power down and unplug it.

As long as you're sure your backup is not infected, no virus can take your last good backup point away from you. Worst case, if your motherboard fails, and you can't replace it with the same model, you'll probably have to re-install Windows, in which case, your cloned drive is still as good as any other data backup system.

Good luck.
 

timswim78

Diamond Member
Jan 1, 2003
4,330
1
81
I suggested downloading Process Explorer from MS and killing the processes that appeared to be related to the fake AV. My friend did that and was able to nuke the bad software with MalwareBytes.
 
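The two approaches that worked in this thread, Iron Woode's "disable everything in msconfig's Startup tab" and timswim78's "find the fake AV's processes in Process Explorer," both come down to the same triage question: what is set to auto-start, and what is running from a location a real AV product would never live in? The PowerShell script below is an added example written for this thread, not code posted by anyone in it. It is read-only (it lists, it does not kill or delete anything) and makes one assumption: that an executable launched from a user-writable directory such as %AppData%, %LocalAppData%, %ProgramData% or %Temp% deserves a second look. That is a heuristic, not a verdict; legitimate updaters occasionally run from those places too, so treat a hit as a lead to check in Process Explorer, not as proof of infection.

```powershell
# Added triage example for the thread above (not from the original posts).
# Lists Run/RunOnce auto-start entries and running processes whose image
# lives in a user-writable directory. Read-only: nothing is killed or removed.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed heuristic: directories a standard user can write to. Fake AV of the
# kind discussed in the thread typically drops its binary in one of these.
$userWritable = @(
    [Environment]::GetFolderPath('LocalApplicationData'),   # %LocalAppData%
    [Environment]::GetFolderPath('ApplicationData'),        # %AppData%
    [Environment]::GetFolderPath('CommonApplicationData'),  # %ProgramData%
    $env:TEMP
)

# Metadata properties Get-ItemProperty attaches to every registry key object.
$registryMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Test-UserWritablePath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Run values often look like: "C:\Users\x\AppData\Roaming\foo.exe" /arg
    # or use %APPDATA%; expand variables and strip the leading quote first.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    foreach ($dir in $userWritable) {
        if ($expanded.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

Write-Host "== Auto-start entries (what msconfig's Startup tab shows) =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($registryMeta -contains $p.Name) { continue }
        $flag = ''
        if (Test-UserWritablePath $p.Value) { $flag = '   <-- runs from a user-writable path' }
        Write-Host ("{0}`n    {1} = {2}{3}" -f $key, $p.Name, $p.Value, $flag)
    }
}

Write-Host "`n== Running processes launched from user-writable locations =="
# ExecutablePath is empty for some system processes; the helper treats that as no match.
Get-CimInstance Win32_Process |
    Where-Object { Test-UserWritablePath $_.ExecutablePath } |
    Select-Object ProcessId, Name, ExecutablePath |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys and other users' processes are readable. Windows 7 ships PowerShell 2.0, where Get-CimInstance does not exist; there, replace that one call with `Get-WmiObject Win32_Process`, which returns the same ExecutablePath property. If the fake AV is blocking powershell.exe by name, as VampyrByte describes for other tools, the same rename trick applies to the script host, but running from safe mode as Iron Woode suggests is the cleaner route.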