Step One: Reboot your computer into Safe Mode with Networking. AV Security Center tries to block any actions you might take to download something that may destroy it, so first we need to stop it from interfering with our cleanup process.
Step Two: Open Internet Explorer (even if you typically use Mozilla Firefox or Google Chrome). When the program is open, click on the Tools menu and select Internet Options. Click on the Connections tab. Click on the LAN Settings button. In the Proxy Server area, uncheck the checkbox labeled Use a proxy server for your LAN. Click the OK button on this screen to save the new setting, and then the OK button one more time. We do this because AV Security Center was using this setting to redirect all your Web browsing through its own filter.
Step Three: Download this program by right-clicking on this link and doing a Save As: rkill.com. Run this program once it’s downloaded to your system. This program’s purpose is to kill any currently running processes of AV Security Center.
Step Four: Download Malwarebytes’ Anti-Malware (free version, but consider paying for it since it’s really going to help you out). If you can’t successfully download the program from that page, right-click and Save As to this direct link hosted by bleepingcomputer.com: Malwarebytes’ Anti-Malware Download Link.
Step Five: Install Malwarebytes’ Anti-Malware (MBAM) by executing the file you just downloaded. Leave the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware options checked, as we want to update MBAM to its latest version and also want to run it immediately afterwards.
Step Six: Once MBAM is updated and has launched, select the Perform full scan radio button, and click on the Scan button to begin scanning your computer. This will take a while as MBAM is looking at every file on your C: drive, so take a break while it runs.
Step Seven: When the scan is finished, click the OK button and then click Show Results. Has it found malware? Hopefully so – click the Remove Selected button while the items are checked.
Step Eight: MBAM will finish up and may ask you to reboot your machine. Don’t do so – quit MBAM and continue following this guide, because unfortunately we’re not done yet.
Step Nine: I next downloaded ComboFix, a program designed specifically to hunt down and eliminate various types of malware. Download ComboFix at its hosted location on bleepingcomputer.com (here’s a second mirror). Note: Don’t download this file from anywhere else.
Step Ten: Run ComboFix. This program is fairly interactive so stick close by, but expect the entire run to take about half an hour. A number of reboots will be needed. A wonderful guide to using ComboFix is available at bleepingcomputer.com.
Step Eleven: Yes, we’re still going (but we’re not too far from the end)! Navigate to this page on the Kaspersky Labs website and download TDSSKiller.exe (direct link).
Step Twelve: Run TDSSKiller.exe. If a “TDSS rootkit” has been installed on your machine as part of AV Security Center’s bid to keep control of it, this program will disable and then remove it.
At this point your machine is likely successfully disinfected. I’d still however follow through with these two last steps to completely erase the memory of your malware infection from your mind.
Step Thirteen: In your Windows Registry (Start > Run > regedit.exe), locate and delete these registry entries (where they still exist):
HKEY_CURRENT_USER\Software\avsoft
HKEY_CURRENT_USER\Software\avsuite
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:1041"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ouferdbubtdve"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ouferdbubtdve"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
Step Fourteen: One of the most annoying things about this malware infection for me was admittedly rather clever: The program had gone in and changed my list of search toolbar providers to direct my searches to its own site (wish-search.com – don’t go to it) in order to get ad revenue. Generally, it seems to masquerade as the Google search engine.
To remove this fake entry in Internet Explorer 7, go to Tools, Internet Options, and on the General tab find the Search area. Click the Settings button in this area. Remove the entry for Google (re-add the true entry by clicking the Find more providers link on that page).
In Mozilla Firefox 3.x, locate the search box in the window and click the little down arrow beside the name of your current search provider. A drop-down list will appear – select the Manage Search Engines option. Remove the false entry for Google.
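The registry work in Steps Two, Thirteen and Fourteen can be audited in one pass. The script below is an added example, not part of the original post or any of the tools it links to: it reports each listed artifact that is present and only deletes them when run with -Remove. The SearchScopes location used for the Step Fourteen check is an assumption about where Internet Explorer 7 stores its search providers, not something the post states.

```powershell
# Added example (not from the original post): audit the registry artifacts from
# Steps Two, Thirteen and Fourteen; pass -Remove to delete the matches.
# Run from an elevated PowerShell prompt so the HKLM entries can be touched.
param([switch]$Remove)

# Whole keys the rogue AV creates (as listed in Step Thirteen).
$Keys = @('HKCU:\Software\avsoft', 'HKCU:\Software\avsuite',
          'HKLM:\SOFTWARE\avsoft', 'HKLM:\SOFTWARE\avsuite')

# Values it sets: key, value name, and the data the post lists ($null = any data counts).
$IS = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Values = @(
  @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Download';       Name = 'RunInvalidSignatures'; Expect = 1 },
  @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'; Name = 'Enabled';              Expect = 0 },
  @{ Key = $IS; Name = 'ProxyOverride'; Expect = '' },
  @{ Key = $IS; Name = 'ProxyServer';   Expect = 'http=127.0.0.1:1041' },
  @{ Key = $IS; Name = 'ProxyEnable';   Expect = 1 },   # the proxy switched off by hand in Step Two
  @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'; Name = 'LowRiskFileTypes';    Expect = '.exe' },
  @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';  Name = 'SaveZoneInformation'; Expect = 1 },
  @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'ouferdbubtdve'; Expect = $null },
  @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'ouferdbubtdve'; Expect = $null }
)

$hits = 0
foreach ($k in $Keys) {
  if (Test-Path -LiteralPath $k) {
    $hits++; Write-Output "KEY    $k"
    if ($Remove) { Remove-Item -LiteralPath $k -Recurse -Force }
  }
}
foreach ($v in $Values) {
  if (-not (Test-Path -LiteralPath $v.Key)) { continue }
  $item = Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue
  if ($null -eq $item) { continue }
  $actual = $item.($v.Name)
  # Compare as strings so a REG_DWORD of 1 matches the "1" the post lists.
  if ($null -eq $v.Expect -or "$actual" -eq "$($v.Expect)") {
    $hits++; Write-Output "VALUE  $($v.Key) : $($v.Name) = $actual"
    if ($Remove) { Remove-ItemProperty -LiteralPath $v.Key -Name $v.Name -Force }
  }
}
# Step Fourteen: flag IE search providers pointing at the site named in the post.
# SearchScopes as the storage location is an assumption, not stated by the post.
Get-ChildItem 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes' -ErrorAction SilentlyContinue | ForEach-Object {
  $u = (Get-ItemProperty -LiteralPath $_.PSPath).URL
  if ("$u" -match 'wish-search\.com') { $hits++; Write-Output "SEARCH $($_.PSChildName) -> $u (remove via Step Fourteen)" }
}
Write-Output "$hits matching artifact(s) found$(if ($Remove -and $hits) { ', listed entries removed' })."
```

Run it once without -Remove to see what is still present after the scanners have finished, and again afterwards to confirm the list is empty.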
Step Fifteen: That’s it! By the end of this process, I no longer exhibited symptoms of malware infection. Hope this helps someone else out there.