
David Lyon's IT Blog -- Virus Bustin'


We're going to look at something that appears quite widespread at the moment, judging by the number of times I've had to fix it for friends and family lately: fake antivirus software.

There are many variations of this type of infection.  They often look something like the three fake antivirus screenshots that originally appeared here (images not included in this copy).

As you can see, these things all share some fundamental commonalities:

  • They're colourful and scary.  Lots of red.
  • They use over-emphasis and hyperbole.
  • They want your money.

They usually crop up without appearing to have been installed by the user, are as intrusive as possible, and throw up errors every time you try to do something.

Bottom line: They are annoying.

The goal of these malicious applications is simple: to get your money.  They report five thousand errors, they promise that they can fix them, you click "Repair", they ask for money.  In some cases, you pay something... and nothing happens, except your wallet gets lighter.

Here we will go through some instructions that will remove most of these infections.  From my own experience dealing with these over the past few years, around 80% of them can be removed with this method.

As always, read the Introduction post before following these instructions and make sure you're comfortable with it.

Removal

First of all, restart the computer as normal from the Start menu.

When the computer is restarting, after the very first initial boot screen appears, but before the Windows animated logo appears, begin tapping the F8 key.

You should get this menu up:

Select "Safe Mode" and press Enter.

You will now watch some gobbledegook scroll past for 30 seconds or so.  Be patient.

When Windows starts properly, it will look somewhat funky.  The screen resolution will be very low, resulting in everything looking very big, you will have no sound, no internet, and a low colour palette.  This is because Safe Mode is a diagnostic troubleshooting mode of operation featuring only minimal software and drivers.

From here, we have 2 methods to use.  Method 1 consists of a manual disinfection.  Method 2 uses System Restore.  Personally, I prefer Method 1, only resorting to Method 2 if it proves ineffective.  If you want to use Method 2, skip to near the end.

Say "Yes" when Windows asks if you want to continue working in Safe Mode (saying "No" takes you into System Restore, which is Method 2).

Go to Start -> Run.  Type "msconfig" and press Enter.

Select the Startup tab.  Look for a suspicious entry.  Most legitimate entries have "C:\Program Files" or "C:\Windows" as the location.  Watch out for these tell-tale signs:

  • A blank "Manufacturer" field.
  • Located in C:\Users or C:\Documents and Settings.
  • Containing "AppData", "Local", "Local Settings" or "ProgramData" somewhere in the location field.
  • An unrecognisable, randomly generated filename made up of letters and numbers.

Disable any suspicious entries.  Windows does not require anything to be enabled in this list to start successfully.  Entries can be re-enabled later if needed.
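The four tell-tale signs above can be applied mechanically to whatever the Startup tab shows.  The script below is an added example (not part of the original post, and not a tool the post mentions) that takes startup entries in the shape msconfig displays them (item name, manufacturer, command) and reports which ones trip each sign.  The sample entries are constructed for illustration, the manufacturer names and paths are invented, and the "random filename" rule is a crude approximation of the author's eyeball test: a file stem that mixes letters and digits, or is a longer vowel-free string, is treated as suspicious.

```python
import re

# Constructed sample entries in the shape msconfig's Startup tab shows them:
# (startup item, manufacturer, command).  These are made-up examples for
# illustration, not entries taken from a real machine.
SAMPLE_ENTRIES = [
    ("Adobe Reader Speed Launcher", "Adobe Systems Incorporated",
     r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"'),
    ("ctfmon", "Microsoft Corporation", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("kqwe4ts", "",
     r"C:\Documents and Settings\Dave\Local Settings\Application Data\kqwe4ts.exe"),
    ("Security Tool", "", r"C:\Users\Dave\AppData\Local\Temp\a8f21b.exe /s"),
]

# Folder names the post singles out as a warning sign when they appear in the location.
SUSPECT_DIRS = ("appdata", "local", "local settings", "programdata")
# Roots of user profile folders on XP and on Vista and later.
USER_ROOTS = (r"c:\users", r"c:\documents and settings")


def executable_path(command):
    """Pull the executable path out of a startup command line.

    Handles a quoted path (spaces inside quotes) and an unquoted path that may
    contain spaces but ends at the first .exe/.com/... followed by whitespace
    or end of string.  Falls back to the first token if neither form matches.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.(?:exe|com|scr|pif|bat|cmd|dll))(?=\s|$)", command, re.IGNORECASE)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def looks_random(stem):
    """Crude stand-in for 'unrecognisable filename made up of letters and numbers'."""
    has_digit = any(ch.isdigit() for ch in stem)
    has_alpha = any(ch.isalpha() for ch in stem)
    if has_digit and has_alpha:
        return True
    # A longer purely alphabetic name with no vowels also reads as machine-generated.
    return stem.isalpha() and len(stem) >= 6 and not any(ch in "aeiou" for ch in stem.lower())


def assess(manufacturer, command):
    """Return the list of tell-tale signs a single startup entry trips (empty = nothing odd)."""
    path = executable_path(command)
    low = path.lower()
    folders = low.split("\\")[:-1]            # every path component except the file name
    filename = path.rsplit("\\", 1)[-1]
    stem = filename.rsplit(".", 1)[0]

    reasons = []
    if not manufacturer.strip():
        reasons.append("blank Manufacturer field")
    if low.startswith(USER_ROOTS):
        reasons.append("located under a user profile folder (C:\\Users or C:\\Documents and Settings)")
    if any(folder in SUSPECT_DIRS for folder in folders):
        reasons.append("location contains AppData / Local / Local Settings / ProgramData")
    if looks_random(stem):
        reasons.append("filename looks randomly generated: %s" % filename)
    return reasons


def triage(entries):
    """Map each suspicious startup item name to the signs it tripped."""
    findings = {}
    for name, manufacturer, command in entries:
        reasons = assess(manufacturer, command)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ENTRIES).items():
        print("SUSPICIOUS: %s" % name)
        for reason in reasons:
            print("    - %s" % reason)
```

Run as-is it prints the two constructed rogue entries with every sign they trip, and stays quiet about the Adobe and ctfmon entries.  An entry that trips only one sign (say, a blank manufacturer on a file under C:\Program Files) still deserves a look, but the post's advice holds: disabling a startup entry is reversible, so when in doubt disable it, reboot, and see whether the fake antivirus comes back.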

Once you believe you have identified and disabled the offending executable, restart Windows.

Once started... watch and see if the offending software appears.

OPTIONAL: If it's gone, run msconfig again and navigate to the offending file location.  File locations start with a drive letter, and each folder is separated by a backslash.  For example, to browse to C:\Program Files\Norton\Antivirus, you would open My Computer (Windows XP) or Computer (Vista and on), double click the icon for the C: drive, double-click the Program Files folder, double-click the Norton folder, double-click the Antivirus folder.  It's worth noting that you may have to unhide hidden folders in order to do this... press F1 from the Windows desktop to bring up Windows Help, and search for "Show hidden files" for instructions on how to do this for your version of Windows.

Delete the offending file.

If you're now happy, carry on with life.  If not, we can run System Restore as a last resort.

Restart in Safe Mode again as per previous instructions.  Select "No" when prompted to enter System Restore.

Follow the on-screen instructions to restore the system configuration to a date before the virus infection appeared.  This will not affect your stored data.

After all that, hopefully you'll be one of the Lucky 80%.  If you don't have an antivirus at the moment, install Microsoft Security Essentials. Run a full system scan with it.
