How to Remove PC AntiSpyware 2010?

A long time reader of ShanKrila and a blogging friend of mine, Jeanne Dininni of Writer’s Notes contacted me yesterday by email with a computer question.

I’ve been battling a “PC Antispyware 2010” computer infestation. Don’t know whether you’re familiar with it or not, but I was hoping that maybe you’d be able to give me a little advice or recommend an effective tool for removing it. Otherwise, I’m pretty sure I’ll have to uninstall/reinstall Windows to get rid of it.

That’s when it dawned on me that I faced the same situation a few months back on my desktop and I fought hard to successfully remove it from my computer. But, I forgot to blog about it here even though I wrote about the Conficker worm. It would have helped Jeanne and many others looking for such information. So, I am sharing my experience with how I removed it here.

What is PC AntiSpyware 2010?

PC AntiSpyware 2010 is a rogue antispyware program that looks like a genuine antispyware program. You could get infected with it by visiting some malicious sites. Here are a few symptoms if you were infected with this:

  • You will be prompted to run this program showing fake malware infections on your computer repeatedly
  • It disables Windows Defender (Microsoft’s genuine security product)
  • Disables your system security programs and spyware programs
  • Disables you from updating any installed anti-virus program
  • Disables the ability to install any new security software
  • Redirects you away when you try to go directly to any of the security software websites in Internet Explorer

Jeanne is Internet-savvy and she had done all the right things anyone would do in situations like this. In fact, I went through the same steps before realizing how sneaky this malware really is.

Here are a few things you would do if you had a virus in your computer

  • Try to update and run Windows Defender
  • Try to update and run installed Anti-virus software
  • Try to update and run installed AntiSpyware programs like Spybot, Adaware, etc
  • Try and run a RootkitRevealer program
  • Use an advanced process program like Process Explorer to see currently running programs and kill suspicious processes
  • Use a startup tweak program like Autoruns to disable unwanted stuff from automatically starting up
  • Use HijackThis to see what programs may be malicious

PC AntiSpyware 2010 is so sneaky that it actually disables pretty much all these programs. It even disabled my command prompt and Control Panel.

It adds itself to your computer’s registry, and even if you are able to clean up some of it, it automatically reinstalls itself when you reboot your computer. Plus, I even saw it morph into installed genuine programs randomly, so you can’t really find it in Task Manager. One sure indication that a genuine-looking program is the malware is to kill it and see it spring back to life automatically. Mine was latching on to the LogMeIn program even though I didn’t have it set to start up automatically.
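A read-only way to see what is registered to start from the registry once you have a working shell again (an added example, not part of the original post). It assumes PowerShell 3.0 or later and covers only the standard Run/RunOnce keys; the function names are made up for this example, and the post does not say which keys this malware uses.

```powershell
# Added example (not from the original post). Read-only: lists autostart
# entries from the registry Run/RunOnce keys; it changes and deletes nothing.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandTarget {
    param([string]$CommandLine)
    # Pull the executable path out of a Run value such as
    #   "C:\Program Files\App\app.exe" /background
    #   C:\Program Files\App\app.exe /background
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^(.+?\.(exe|com|bat|cmd|scr|dll))(\s|,|$)') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Get-AutostartEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            $command = [string]$regKey.GetValue($name)
            if ([string]::IsNullOrWhiteSpace($command)) { continue }

            $target = Get-CommandTarget -CommandLine $command
            # A bare file name (no folder) is checked relative to the current
            # directory, so it usually shows as missing and lands in Review.
            $exists = Test-Path -LiteralPath $target -PathType Leaf
            $status = 'n/a'
            if ($exists) {
                $status = (Get-AuthenticodeSignature -FilePath $target).Status.ToString()
            }

            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Command    = $command
                Target     = $target
                FileExists = $exists
                Signature  = $status
                # Review = worth a closer look, not proof of infection.
                Review     = (-not $exists) -or ($status -ne 'Valid')
            }
        }
    }
}

Get-AutostartEntry |
    Sort-Object -Property Review -Descending |
    Format-Table -Property Name, Target, FileExists, Signature, Review -AutoSize
```

Plenty of legitimate programs are unsigned, so treat a Review flag as a prompt to look the entry up, and compare the list before and after a reboot to spot anything that re-registers itself.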

So how did I get rid of this malware from my desktop?

Steps to remove PC AntiSpyware 2010

Using Malwarebytes’ Anti-Malware

  1. If your PC is still able to download and install security software, try downloading Malwarebytes’ Anti-Malware.
  2. Run Malwarebytes’ Anti-Malware and see if this helps remove the infection. A lot of people seem to have luck with it.

I wasn’t so lucky as my infection wouldn’t even let me install this software. If that’s your case, read on.

Using Manual Registry Edits

You could also try manual file deletion and registry edits like described here. I haven’t tried this and I followed the next section to remove mine.

Using Boot-time Anti-Virus Scanner – Recommended

Since most of the usual system cleanup methods are disabled, we are left with one solid option: a boot-time anti-virus solution. This ensures that any installed malware is not activated while you are cleaning up your computer.

Here are the steps I followed to clean up the infection successfully

  1. Download and burn a boot time anti virus software like Avira to CD/DVD (look below for a list of good ones I came across). Make sure you burn it as a bootable image and not as a data disk.
  2. Put the CD/DVD in your computer tray
  3. Shutdown your computer
  4. Disconnect the network cable from your computer
  5. Reboot your computer
  6. Most computers automatically boot from CD/DVD before trying to boot from the hard drive. If not, while booting go into the system boot menu by hitting F2 or F10 (you will see a hint on that) continuously and change your boot order to boot from CD/DVD first.
  7. Let the boot-time antivirus software do its job.
  8. Reboot your computer (without connecting to the Internet) and see if you can run the usual security programs now.
  9. If you can, connect to the Internet and update Windows Defender and your primary anti-virus programs immediately. Run a ‘full scan’ or ‘deep scan’ option on your computer with the latest updates.

If in step 8 you still see that your computer is infected, try using another boot-time virus scan program through the same steps. There seem to be many variations of these infections and not all programs remove all infections. That’s why it’s best to download and keep multiple programs at hand while attempting this.

Here are a few Boot-time Antivirus Scanners that you can download and try

Re-installing Windows isn’t fun unless you had a system restore image with all your favorite applications beforehand. I had success cleaning up this pesky virus from my desktop and have since been virus free. I make sure once in a while that all my virus definitions, firewall software and spyware software are updating regularly.

If you have any questions, please feel free to ask in the comments.

Jeanne, thanks for asking the question that prompted me to write this post. I hope you have your computer cleaned very soon.

73 Responses to “How to Remove PC AntiSpyware 2010?”

  1. Jeanne Dininni September 17, 2009 at 12:38 am #

    JoshMac,

    Glad to hear your anti-malware programs are partly functional. Every little bit helps! Unfortunately, you may not always spot them easily in your list of Services because they sometimes use abbreviations that aren’t easily recognizable. You may have to do a little detective work to locate some of them.

    Also, don’t forget to check your entire list of Services, and not only your anti-malware programs, because you’ll want to make sure ALL your system services are functioning properly. This is an important step in getting your system back to normal.

    In “Add or Remove Programs,” you’ll find that some of your programs will offer only the “Remove” option, but others will provide either “Change/Remove” or separate “Change” and “Remove” options. You may need to experiment a bit here. If you have a “Change/Remove” option, click it and see what you get. If you notice the “Change” option is totally separate from “Remove,” try clicking “Change.” If you have no other choice, you may even have to try clicking “Remove” for a totally non-functional program and then try downloading it again. What have you got to lose, if it isn’t working anyway?

    Glad you aren’t finding infected files in any of the folders you’ve mentioned. If you haven’t yet, be sure you also go into your Start menu, click “Run,” and type in “msconfig”; then click “OK.” You can then check your Startup list to make sure PC Antispyware 2010 is no longer in it (or at least is no longer checked). You’ll find it in the Startup tab. (Be sure not to make changes other than unchecking PC Antispyware 2010 while in the System Configuration Utility, though, so you don’t end up causing any system problems.) (It would probably be best to do this with your computer in Safe mode–though it will be even more important to use Safe mode when you go in later to delete the PC Antispyware 2010 registry sub-key that’s placed the program into your Startup list in the first place.)

    RootkitBuster found several nasty files on my PC, though Avast!, Windows Defender, AdAware, and MalwareBytes found many more. If MalwareBytes isn’t working, try uninstalling/reinstalling it. Maybe that will help.

    Keep us posted on your progress.

  2. Jeanne Dininni September 17, 2009 at 1:14 am #

    Bob,

    This is definitely a tough one! I never installed the program either–at least not that I recall. I may have unwittingly downloaded it by allowing a Java update while I was online, though. It’s possible that I could have installed it thinking it was a Java update, but I doubt it. It does sound as if your non e-book may have been the culprit for you. The continuously replicating nature of this malware is one thing that makes it so difficult to get rid of–along with all the hidden files it places all over your PC. I’m still finding abnormalities (including strange-looking registry entries and missing or misplaced files) now and then that I’m attempting to figure out. It’s quite a puzzle!

    It must be possible for this program to run automatically once it’s been downloaded; otherwise, how could these windows just suddenly begin popping open all over the place with no encouragement from us?

    This program has the capability of disabling any anti-malware programs we happen to have on our PCs at the time it’s downloaded. It certainly isn’t only MalwareBytes that’s affected. Avast! was greatly (though not totally) incapacitated on my system when I contracted the infection, and Windows Defender was completely disabled. As I’ve mentioned, I eventually got both programs working again, though. Didn’t download MalwareBytes until later, and once I did, it worked great.

    Let’s HOPE no one gets this nasty infection again, because one time is one infection too many!

  3. Matthew Bradley September 19, 2009 at 10:07 am #

    Hi, I was just wondering if it is necessary to have PC Antispyware 2010 installed on your computer, in order to uninstall it?
    At the moment I have the bubble which keeps popping up, but I always close the program when it says that PC Antispyware 2010 is downloading. My antispyware programs still don’t work, I searched my computer for bravix and cru628 files and I found some and deleted them, but this doesn’t seem to have helped.
    I also tried to get Windows Security Centre working again, but when I type in the address in the bar it doesn’t seem to find it.

  4. Jeanne Dininni September 19, 2009 at 6:45 pm #

    Matthew,

    It’s hard to say whether the program needs to have been installed in order to be uninstalled. I doubt any of us has knowingly installed it, yet suddenly there it was! This infection is highly complex and difficult to get rid of, so it takes real persistence and consistent attempts at trying various things in order to figure out what will work. Have you tried the things I mentioned in my earlier comment to you?

    It’s important to make sure PC Antispyware 2010 is not loading on startup, so you’ll want to make sure it’s unchecked in your Startup list. You’ll also want to do everything you can to get your anti-malware programs working again and/or get new ones downloaded and operating, because they will find and handle all the malicious files the program has placed on your system.

    I wouldn’t worry about trying to locate my Security Center at this point. It’s likely operating, even though you can’t access it (a fact which you can double-check by looking at your Services list). Once you’ve gotten rid of the main malware infection, you’ll be able to concentrate on accessing your Security Center and replacing its icon in your Control Panel. Getting rid of the infection is really top priority right now.

  5. Bob September 19, 2009 at 6:47 pm #

    You still got it bro….i didn’t install it either and was still screwed…. read every reply on here as we’ve talked about it to death, then come back and tell us if you’ve had any luck…..

  6. Matthew Bradley September 22, 2009 at 12:30 pm #

    Hi, I seem to have got rid of it!
    It turns out that it was the braviax virus, and I am guessing that this is what it was for everybody else.
    Here is how I removed it:
    Firstly, I removed braviax from my startup programs by typing msconfig into Run.
    Then, the next time I started up, the cross wasn’t there, and neither was the pop-up.
    I tried running Malwarebytes AntiMalware at this time, but it still wouldn’t work because the virus recognised mbam.exe, so what I did was download Malwarebytes onto another computer, change mbam.exe to zzz.exe and then replace the file on the infected computer with zzz.exe. Then, when I clicked on it, Malwarebytes AntiMalware started up, and I was able to scan my computer.

  7. Jeanne Dininni September 22, 2009 at 2:02 pm #

    Good for you, Matthew!

    It’s a great feeling to boot up and not see those annoying pop-ups anymore, isn’t it? Glad you managed to get the culprit out of your Startup list. That was definitely critical to your success in eradicating the virus. (Yes, it is Braviax/cru629 that’s at the root of this malware infection.)

    Also glad you’ve managed to figure a work-around to get Malwarebytes up and running. It will help you get rid of many of the malicious files that are hidden in various places on your PC. I’d recommend that you download and scan your system with as many other anti-malware programs as you can, since I’ve noticed that different programs find and remove different malicious files. In addition to Malwarebytes, I’ve had good success with Avast!, Windows Defender, Ad-Aware, AVG, and Trend Micro RootkitBuster. Autoruns is also good for checking which programs are automatically loading on startup, and HijackThis can give you a comprehensive (though complex) picture of everything that’s going on with your computer system (though it can often require an expert to decipher it all).

    Now that the infection is gone, you might want to follow my suggestions earlier in this thread to locate and restore your Windows Security Center. I still haven’t returned to describe the final step that fully restored everything to its proper place on my PC, because truthfully, I’m not even sure how it all happened myself and so don’t really know how to describe it. Yet, if you follow the explanation I’ve posted so far, you should at least be able to get a usable link to your Security Center onto your desktop, which will enable you to access it–and access is really the most important thing.

    Congrats on your persistence and success in eradicating this infuriating malware!

  8. Ryan September 24, 2009 at 10:35 pm #

    Thank you so much, because of this, I finally removed it. This gave me a couple hints. But what I did was go onto my sister’s laptop, download Malwarebytes into a USB, and import it into the infected computer. Then once the software was in there, I disconnected the internet. Then I put my XP on safe mode, and began the process. A quick scan was enough to remove Antivirus 2010. Then everything was working again. It turns out the virus tweaked my internet settings so nothing can get in. Anyways, thanks a lot! 😀

  9. Jeanne Dininni September 25, 2009 at 12:28 am #

    That’s great, Ryan!

    Good move! Glad to hear you’re rid of it! Thanks for explaining how you did it! I’m sure it will help someone else! 😀

  10. Yi Soon Shin=) January 28, 2010 at 6:41 pm #

    Do any of these methods cost money?

  11. Jeanne Dininni January 30, 2010 at 2:18 am #

    Yi Soon Shin,

    As far as I know, all these tools are free.

    Take care!
    Jeanne

  12. Faith Foster April 30, 2010 at 8:17 pm #

    I always prefer to use Kaspersky over Avast or McAfee. Kaspersky is much better in detecting new viruses and it does not consume too much resources on your desktop PC.

  13. Jeanne Dininni May 6, 2010 at 1:27 pm #

    Great tip, Faith! Thanks for sharing!

  14. mark October 25, 2010 at 1:42 pm #

    I got that nasty virus this spring and it took me an entire week going through my registry. What a pain in the butt.

    Even after I got it cleaned up, I made a backup for my pc and then reformatted my hard drive.

    works like a charm now!

  15. Jeanne Dininni October 26, 2010 at 3:00 pm #

    That’s great, Mark! It’s a tough one to get rid of! Sounds like you did all the right things. 🙂

  16. Bob October 26, 2010 at 7:36 pm #

    My mom’s computer has another issue…it was infected, then we cleaned it, but we don’t have access to windows updates anymore.

    It comes up as page cannot be displayed and even google redirects you if you search for windows updates. It’s a different virus than the PC AntiSpyware but it’s almost just as bad because we can’t get windows xp updates unless I search for them 1 by 1 and install them, which is pretty much impossible unless you know exactly which updates that computer needs. Any ideas on which virus does that?

  17. Jeanne Dininni October 27, 2010 at 2:13 pm #

    Wow, Bob! That sounds like no fun! I’m afraid I don’t know anything about that particular virus. (Not sure whether K does.) I would recommend contacting Microsoft and explaining the problem. Perhaps they’ll be able to help. It’s possible they know something about this particular virus, since it affects their OS updates.

    You might also try doing some online research to see whether you can find others who have overcome this problem and who therefore know what causes it. That’s the way I found out how to get rid of PC Antispyware 2010/Braviax. (I’m not even a techie type — just an inveterate researcher and very persistent.) If I learn anything about it, I’ll come back and share what I find. You might want to stay signed up for comment notifications on this post or check back periodically just in case.

    Good luck getting this sticky problem worked out for your mom! She’s blessed to have you in her corner!

  18. Jeanne Dininni October 27, 2010 at 7:37 pm #

    Just wondering, Bob, whether you’ve gone into the computer’s Control Panel and checked to see whether Windows Automatic Updates is turned on. It’s possible it was turned off somehow when you cleaned the computer. Your problem is likely not that simple, but it’s worth checking (if you haven’t yet).

    You might also visit the Microsoft Update Solution Center, where it’s possible you’ll find some info that could prove helpful in correcting the problem. Fixes are mentioned there for specific situations, which might just help if one of the Top Issues they cover happens to apply. If not, the above web page also links to the MS Support Contacts page, where you’ll be able to access support professionals or discussion groups to try to get an answer to the problem.

    Another way to get answers is at BleepingComputer.com a website where computer experts help people solve their computer issues. The site has quite a few different discussion boards/forums, depending on the problem, and also offers tutorials on various computer issues, along with malware removal guides. I haven’t scoured the site for an answer to your specific issue, but it might be a good place to look.

    Just so I understand what you’re saying, can you tell me exactly what comes up as “page cannot be displayed”? What link have you clicked or copy/pasted into your browser’s address bar before getting that error message?

  19. Bob October 27, 2010 at 7:56 pm #

    When you enter anything related to windows updates…yep….even google, the browser will be hijacked and redirected. Also… under the start menu when you simply hit windows updates…you get page cannot be displayed or error. It’s something strange and yes, updates are on automatic but you can’t see what updates have been installed in the past either. I came here because I just thought maybe someone had an easy fix. The other places require you to use 2-4 other programs and logs and it gets complicated. It’s not my computer, but my mom’s work at home computer. I could go in and really mess with it, but as it is right now she can still work on it but I know it’s not 100% secure or safe and I don’t like that.

  20. Jeanne Dininni October 28, 2010 at 1:47 am #

    Bob,

    Is your mom’s antivirus program working, and have you tried a boot-time antivirus scan? If it’s a virus, you may be able to get rid of it that way — before the virus has a chance to load. A boot-time scan helped me get rid of a bunch of unwelcome PC Antispyware 2010 files (once I got my antivirus program back up and running). You should be able to set your mom’s antivirus program to do a boot-time scan on her next restart. Then you can either restart immediately or let the program run the scan the next time she turns the computer on. Once you’ve gotten rid of the virus, you’ll be able to focus on figuring out how to get Windows Updates up and running again. That should be a lot easier once her browser is no longer being hijacked.

  21. Jeanne Dininni October 28, 2010 at 8:44 pm #

    Bob,

    Curious whether your mom has Service Pack 3 for her version of Windows XP. Just read on the Microsoft website that support for the Service Pack 2 (32-bit) version has ended, which means that version is no longer eligible for updates. (The 64-bit, SP 2 version is still eligible.) Here’s the link: Support is ending for some versions of Windows.

  22. Bob October 29, 2010 at 10:27 am #

    Yes, all the basic questions I have looked into…it’s a deep one. I’m going to try SuperAntiSpyware next. It’s good at getting rid of stuff others cannot find….but not sure it will enable the proper IE functions or the update problem. Will report back. I did this on my computer which has no threats as far as I know, and it came back as finding some Vundo/MS fake variant…once I deleted those I came up with some Error 339 runtime code during startup but nothing that I know of was affected yet. But I found the fix for it anyhow.

  23. Jeanne Dininni October 29, 2010 at 11:08 am #

    So, you’ve run a boot-time antivirus scan (mentioned in my second-to-last comment above)? And it came back clean?

    I’m not familiar with SuperAntiSpyware. Is that an especially good antispyware program? I do know it’s always a good idea to try as many different antivirus/antispyware programs as possible because each one catches things others don’t.

    Hope you get your mom’s computer problem fixed soon!