How to remove a fake antivirus application

Over the last year I have been cleaning up a mess of fake antivirus applications. A pattern has developed which will hopefully allow anyone to remove these themselves.

In a nutshell, you need to kill or bypass the virus in order to run MalwareBytes Free Edition to remove it.

Boot into Safe Mode

First, you need to try to bypass the virus in order to install MalwareBytes. Start by booting into Safe Mode by holding down F8 while booting. You will get a menu from which you should select Safe Mode with Networking.

At this point, if the virus still appears in Safe Mode, your mouse or keyboard doesn’t work, or you cannot use the computer for some other reason, continue to the next step. Otherwise, skip ahead to Remove the Virus using MalwareBytes.

Bypass the Virus using RKill (alternate)

If Safe Mode with Networking doesn’t work, you will need a USB Key (Jump Drive, Flash Drive, whatever you call it; a CD-R or CD-RW would also work) and a second, working computer. On the working computer, download rkill.com and mbam.exe and copy them to the USB Key. Back on the infected computer, run rkill.com as an administrator by right-clicking on it and clicking Run as Administrator. A command line window will appear for a minute or so, and the virus should disappear. The virus will still be on the computer at this point, but you can now bypass it and get to the internet.

Remove the Virus using MalwareBytes

At this point, unless you have mbam.exe on a USB Key, you will need to download it.

Install MalwareBytes and select Update and Run on the last screen. MalwareBytes will download the most recent virus definitions and then the main application will open (if for some reason it cannot download the definitions, MalwareBytes should still work). Select a full scan and run it. At the end of the scan, which may take about an hour, remove everything it finds and reboot. If it asks you to reboot while removing, click Not Now and allow the removal to finish. Once you have rebooted your computer, everything should be clean.

Postmortem

Make sure that you have an antivirus application and that it is up to date. If you don’t have one currently, or if your subscription has expired, I recommend Microsoft Security Essentials, a free antivirus application from Microsoft that doesn’t slow down your computer as much as most other products on the market.

Sadly, even having an up-to-date antivirus application isn’t a sure defense against this class of virus. I have cleaned these viruses off of computers that had up-to-date versions of Norton, AVG, and others. Make sure that Windows is up to date by running Windows Update from the Control Panel. Also make sure that you have the most recent versions of Java, Flash, and Adobe Reader, since out-of-date copies of these are a common way in. An easy way to verify this is to run the free online Secunia security scan. It will tell you whether you have the most recent versions of many popular applications. If you want a more in-depth security scan as well as ongoing alerts, I recommend installing the free Secunia PSI. It continuously scans your computer and alerts you if you have insecure versions of most applications. It will even install the most recent versions of many applications automatically.
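If you would rather do that version check by hand, here is an added example (not part of the original post) in PowerShell: it reads the installed Java, Flash and Adobe Reader entries from the Windows uninstall registry keys, lists every copy with its version so you can compare against the vendors’ current releases, and reports whether Automatic Updates is switched on. The display-name patterns are assumptions and may need adjusting for a particular release; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original post. Reads the per-machine (32- and
# 64-bit) and per-user uninstall registry keys that Windows maintains.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Display-name patterns for the applications the post says to keep current.
# These patterns are assumptions; adjust them if a release is named differently.
$watchList = @{
    'Java'         = 'Java*'
    'Flash Player' = 'Adobe Flash Player*'
    'Adobe Reader' = 'Adobe Reader*'
}

# Entries without a DisplayName are hidden components, not user-facing programs.
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName }

foreach ($entry in $watchList.GetEnumerator()) {
    $found = @($installed | Where-Object { $_.DisplayName -like $entry.Value })
    if ($found.Count -eq 0) {
        Write-Output ("{0}: not installed" -f $entry.Key)
        continue
    }
    foreach ($app in $found) {
        # More than one entry usually means old versions were never removed;
        # each old copy keeps its known flaws until it is uninstalled.
        Write-Output ("{0}: {1} (version {2})" -f $entry.Key, $app.DisplayName, $app.DisplayVersion)
    }
}

# Windows Update itself: check how Automatic Updates is configured.
# NotificationLevel: 0 = not configured, 1 = disabled, 2 = notify before download,
# 3 = notify before install, 4 = download and install on schedule.
$auSettings = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings
if ($auSettings.NotificationLevel -lt 2) {
    Write-Output 'Automatic Updates: OFF or not configured - turn it on in Windows Update'
} else {
    Write-Output ("Automatic Updates: on (notification level {0})" -f $auSettings.NotificationLevel)
}
```

The script only reads the registry and the update settings; it changes nothing, so it is safe to run before and after the MalwareBytes cleanup to confirm the machine is patched.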

2 Responses to “How to remove a fake antivirus application”

  1. Nick

    OK, I can download rkill.com and mbam.exe and copy them to the thumbdrive but when I boot in safe mode I still have to enter a password before I can go in as administrator. Can’t do that without the keyboard. Any way around this?

  2. William Johnston

    I don’t know of any reasonable way to log into a computer without a keyboard. A possibility might be to try a PS/2 keyboard if you are using a USB keyboard, or vice versa.
