Results 1 to 3 of 3

Thread: Fake Anti-Virus Removal Script

  1. #1
    Join Date
    Aug 2006

    Thumbs up Fake Anti-Virus Removal Script

    For the last several months, Fake Virus/Spyware scanner type infections seems to be getting more and more commonplace, so I decided to tweak the last CleanupXP+ script to handle these ransom/extortion-ware type infections.

    The installation of this type of infection typically starts when the click on any of the buttons on any of the pop-up screens (see below for exmaples).
    Best thing to do is, open TaskManager right away and "End Task" the browser entries listed under "Application" tab. If unsure, End Task everything. If still confused, shutdown the computer without interacting with anything on the screen, period!

    If the user can avoid this common pitfall, then by running a temp file cleaner such as CCleaner, FCleaner or ATF-Cleaner gets rid of most if not all of the remains but I still advice for a complete system scan using Malwarebytes or Super Antispyware afterward.

    From a research I have done shortly before creating this post, I encountered mainly 2 types of ransom/extortion-ware type infections:

    1) Type A: Single aggressive executable that when active, intercepts all system calls to open any of the executable file types it monitors (.exe, .com, .bat, etc.) and immediately shuts it down and runs itself and pretends the file/program that was being launched was infected. This infection does create and modify some of the registry keys but the infection is typically limited to the standalone executable itself. Executable is active from the moment system loads. In normal mode, the only way to take control is to forcefully terminate the executable but since the user cannot even run any programs Windows based or 3rd party, it becomes a catch-22. To clean, boot the system in Safe Mode and delete the executable -typically- located in the "%userprofile%\Local Settings\Application Data" directory. On Windows XP and up, you can copy/paste the bold line in the Start > Run box. On Windows 7 system, the location would be either (Start > Run > %appdata%) which refers to %userprofile%\AppData\Roaming or %userprofile%\AppData\Local. The script checks for both locations.

    2) Type B: Once active, the ransom-ware simply changes file associations to most file types, then the executable itself is no longer running in the background. You actually will not notice this executable unless you try to open one of the file types it associates itself with. Even for an experienced user or IT pro, taking control and accessing registry or running an executable to fix this would be quite challenging to say the least. For a novice home user, I can only imagine the frustration. This type only makes changes to Windows registry, it associates itself with multiple, commonly used file extensions so it need and has no startup entry points.

    Both types also have residue in the Temp locations which need to be emptied out. The "Additional Cleanup" option of the script will handle that if selected but I recommend you either use another tool such as ATF-Cleaner or CCleaner or manually check and delete the temporary file locations yourself. When this malware is active, cleaning up the system, for an average user, would seemingly be impossible.

    For type A, script looks for the common location for .exe files where normally there should be none. It lists the executable it finds. User is prompted to enter the full file name (khq.exe), the included process killer "kills" the executable and then deletes it along with all common temp file locations and internet cache. User at this point has full control of the system. Further scans and cleaning might be useful.
    Due to its nature, running the script when type A is active would not work, so a shortcut to the script needs to be created in the Startup folder for either the current user or "all users" profile.

    For type B
    , cleans up all common temp file locations which should take care of the malicious executable but it also prompts for registry patching to correct file associations. Afterwards, user have full system control but further scans to clean and correct leftovers might be necessary. You should be able to run the script directly by double-clicking on CleanFAV.bat file:

    If running that batch file provokes the fake AV scanner, then you are infected with type A (see above).
    If the script found and displayed any executable on the list, enter the full file name so it deletes it. Additional cleanup is optional but when asked to patch the registry, you will have to do so in order to revert the changes this type typically makes in the registry.

    Please ask for one of the Spyware experts on this forum before running this script. It should have no negative impact on your system but still be wary of running the optional "Additional Cleanup" (2nd step) and/or the registry patching (3rd step) if you do not know what you kind of infection you have!

    1. Download the zip file from the link at the bottom of this post.
    2. Extract anywhere on your system (desktop would be a good choice).
    3. In the extracted folder, locate CleanFAV.bat and double-click on it to run it:

    4. If the above action provoked the infection, then you have type A on your system so create a shortcut to CleanFAV.bat in the startup folder:

    For Windows XP, the Startup folder is located at --> "C:\Documents and Settings\username\Start Menu\Programs\Startup"
    - Right-click on START button and select "Explore"
    - In Windows Explorer window, "Start Menu" location should be high-lighted already
    - Expand 'Programs' sub folder listed under 'Start Menu'
    - Under 'Program' sub folder, locate 'Startup' folder and click on it to high-light it

    For Windows 7, the Startup folder is located at --> "C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    - Right-click on START button and select "Open Windows Explorer"
    - Locate "Local Dosk - C" on the folder list and browse to the above location by expanding each directory in the path

    - Another, perhaps quicker way is: Hold the WinKey and press R
    - In the Run box, type: %appdata% and click OK
    - The above shortcut will take you to "C:\Users\username\AppData\Roaming"
    - From there browse to the final destionation by expanding the remaining 4 sub folders.

    To create a shortcut to the script, right-click and hold on CleanFAV.bat file and drag it to the 'Startup' folder, then choose "create shortcut" option so it runs next time you restart your PC!

    What will it look like when the script runs?

    1. The infection might kick in as it will be active but the script should run regardless
    2. The script will close "explorer.exe" and a few non-critical processes if they were running, so do not panic as you will not see your desktop, taskbar or icons

    3. The script should display an executable file name, click on the script window if it is not in the foreground so it becomes active and you can type in it:

    4. Once the included program kills the process, the script will automatically delete the executable itself:

    5. When you press any key to continue (Spacebar or ENTER), the script will re-scan the same location, if previous step was successful indeed, then it should not be able to find anything there:

    6. When it displays "File Not Found" then all is well, you should type s and press ENTER to continue on.
    7. If you want script to empty out the common junk/temp file locations and also have it scan for (and delete) certain file types at specific locations where there should be none,
    then you can press Y (yes) at the "Additional Cleanup" screen:

    8. After the cleaning if done (or if you pressed N (No) at the above screen), the final option is for patching the registry file association.
    Again, if choose this option if your are certain you have type B infection (being able to run this script from its own folder would confirm this):

    9. Depending on if you choose registry patching or not, you should see one of the final screens, top screen if patching was done, lower screen if it was skipped:

    10. As an added safety measure, before patching the registry, the script will first back them up to the RegBackup folder in the script folder:

    If the script was run on a Windows XP system, the reg file names will end with "_XP.reg" and on a Windows 7 system, they will end with a "_7.reg" where applicable.

    I have was not able to test this on a Vista system so I cannot comment as to if it would run and if it did, how it would behave. Feel free to test it at your own risk and let me know.

    If you get a chance to use this tool, please provide feedback so I can make necessary updates or corrections as needed.

    Thank you.


    PS. Even though I have personally test it a few times, I am offering it with no promises or guarantees. You are welcome to use it at your own risk.

    Alternate download link: CleanFAV
    Attached Files Attached Files
    Last edited by TurcoLoco; 01-10-2012 at 02:06 AM. Reason: The usual....

  2. #2
    Join Date
    Dec 2011
    I got my copy. I'm expecting this to save me a lot of trouble next time one of these nasties shows up.

  3. #3
    Join Date
    Aug 2006
    Quote Originally Posted by mensaguy View Post
    I got my copy. I'm expecting this to save me a lot of trouble next time one of these nasties shows up.
    Cool. Let me know how it performs please.

    One caveat though, on some systems, included process.exe can be identified as an "unwanted/cpu hack" type program by certain Anti-Virus scanners but it is not so that you know.


Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts