Avira Antivirus 2009

Avira Operations GmbH & Co. KG is a German multinational computer security software company mainly known for its antivirus software, Avira Internet Security. Avira was founded in 2006, but the antivirus application has been under active development since 1986 through its predecessor company, H+BEDV Datentechnik GmbH.

We've all hit it lately, and it's not going away quickly enough.

Prevention: Educate your users!

The most common way to get AV80/90 is from a compromised, legitimate website (innocent browsing). Teach your users (if you possibly can) that they can be anywhere on the web, even places that should be safe, and very suddenly get a pop-up stating 'you are infected', or 'your machine is running slow, blah blah', literally yelling at them, with no 'Cancel' or 'Close' option.
It's all fake. Legitimate software does not yell at you. Press 'Ctrl-Alt-Del', open Task Manager, choose the Applications tab and 'End Task' on all the 'Blue E's' NOW! You will prevent a lot of irritation.

I wrote a tutorial on it, and it's worked for me (90 users, small office I know, but at least I feel education is a key reason I have no recurrences of this problem).

5 Steps total

Step 1: When it's too late: I just can't stop these darn pop-ups!

First: educate your users (again)! Let them know they do not really have a virus; the program, like people, lies to you so it can get your credit card information, and you will fix it.

I'm lazy, I keep a flash drive handy with 2 tools:

- MalwareBytes
- Avira

(Always download the current version!)

Both free at download.com

Step 2: Install both programs

Scan away. If the network seems busy or the machine is unusually slow, pull the network cable and run off-net until you have finished all repairs to avoid reinfection.

Step 3: Reboot when prompted

I usually reboot if anything was detected anyways, then re-scan with both tools.
If the machine goes unresponsive for an extended period, reboot in safe mode and rerun Malwarebytes.

Step 4: Reboot to normal

Reboot & Rescan, until you get NO more detections

Step 5: When no more detections are present, uninstall Avira

(It's only the corporate demo license)

And tell your users again, when something pops up on you that says 'You have a virus' click nothing, call IT.

This procedure is probably overkill, but it seems I ALWAYS find some old trojan or keylogger that's been hanging around, it always seems worth the trouble (I'm there anyways, right?).

I am SURE many of you have your own procedure, which may work great, I'm just letting you know what works reliably for me.

Tim C

Please note, BigTimmy is DEAD ON, Thank you for mentioning it (I had forgotten about this thread) and I have removed ComboFIX from the instructions, it's too destructive and not needed anymore.

Thanks BigTimmy! (Great Minds)

BUT I have to disagree about safe mode, you don't always need to use it anymore, but you DO need it sometimes (depending on how much other crap is also bogging down the PC)

Tim (yup, my name too!)

Published: Oct 22, 2008 · Last Updated: Jan 17, 2018

28 Comments

  • Cayenne
    WaltB Oct 22, 2008 at 07:53pm

    Nice post, I ran into this for the first time yesterday. The PC in question was a general use PC, since I can reinstall that in about an hour I planned on just doing a format. Guess I'll spend a few min trying your fix and see how it goes.

  • Pimiento
    DavidinSavannah Oct 22, 2008 at 08:53pm

    First of all great comments and recommendations for some of the top spyware removal tools. I thought this was the antivirus forum, I am trying to figure out where to post.
    My topic covers virtual software that can update signatures and scan any mapped drive on a network, this is about what spiceware is isn't it?
    I have been working with network virus activity for over 5 years now as far as removal tools, prevention is a whole other topic, that will change daily. Anyway, I repair over 70 workstation/server issues on a weekly basis and have developed a viable scan/remove solution that runs in a temp environment.
    It is open source code from Avira (kudos to your previous post) and Bitdefender. They run as what I named duel scanner, truly awesome. If you have a virus causing your issue and this doesn't pick it up, I need to start over.
    I would love to test this, remember, it is virtual and never installs on any platform in question. I just started testing spiceworks and have not had the time to implement this testing on my network, I have been too busy fixing IE7, IE8 BETA, SP3, ISSUES. I spend my time fixing others' so-called updates etc.
    Don’t want to undermine the subject or start a new, working on virtual malware-bytes also. A few active-x issues to overcome yet.
    Like to test or comment on my duel scanner feel free to ask, it's free and hate telling customers to this day their 80 dollar so-called scanner is also costing them to clean what my free stuff will.
    I can't believe you would tell a customer how to do your job, you are asking for trouble. Mine always accept the fact it is way over their head and are so happy I fixed it for them, they have no problem paying for that. They do however have major issues if I try to walk them into something and they end up bringing it to me, when all they wanted was the end result in the first place.
    Another business lesson, I am capitalizing on all of the glue heads that think managed services will make their butt bigger because they will never have to get out of their chair. Don’t be all that, sell it as a service and not a solution….
    Is that not part of being educated? Have you seen the commercial with the doctor telling the patient where to cut, I mean, come on..

  • Pimiento
    DRYDot Nov 4, 2008 at 08:56am

    I agree, all the right tools are in place. I would personally put a copy of Merijn's 'Hijack This' on that thumb drive as well. Don't install it on the infected computer, simply let it run off the thumb drive. It will complain a little, but it still works just fine. Leaving it on the infected computer is an open invitation for a user to 'lobotomize' their PC because they watched you kill things with it.

    Sometimes, you need to wrestle control over the remaining RAM by killing the processes that are in control. I've learned over time what they are and can spot them as they crop up. Google anything that you don't recognize and learn to weed out the crap.

    Disable the network card first, then go into Hijack and knock the legs out from under the undesirables. The reasoning here is that many times, the little boogers will reach out to a mother ship somewhere on the net and call in for reinforcements. It's not fun to kill a process only to have

    Beyond that, you're good to go.

  • Thai Pepper
    BigTimmy Nov 5, 2008 at 04:16pm

    I really don't know why we pay for SEP 11 if it doesn't stop this crap.

  • Sonora
    Charles175 Nov 13, 2008 at 01:11pm

    http://forums.techguy.org/malware-removal-hijackthis-logs/739759-solved-av-2009-please-help.html

    The above has a link to mbam-setup.exe, this tool will remove the av 2009 without needing to be in safe mode. Worked very well for me today in removing that garbage from a user's pc!

  • Sonora
    nathan.page Dec 15, 2008 at 05:26pm

    Thank You Sporkman!!!!

    FINALLY a straight-forward approach to getting rid of this NASTY piece of CRAP......Every other post I have seen wants you to go in and delete reg keys manually!!!!!!!!!

    Nathan

  • Anaheim
    IT@Samui Dec 19, 2008 at 06:03am

    Thank you for your new way to solve this virus,
    I use sysclean from TrendMicro

    http://www.trendmicro.com/download/dcs.asp

    move data to other and scan virus to clean // delete old profile of user,

    Create new one, move data back done!

  • Habanero
    DEngelhardt Dec 26, 2008 at 01:08pm

    I ran into a version called Antivirus Pro 2009 that for some reason the owner's son downloaded and paid for - by credit card no less. This version had three of the more pesky and virulent pop-up trojans and a rootkit that disabled the true antivirus, but made it appear to be updating and running properly. Had to use the above combination plus some registry hacks to clear it to the point where any antivirus would run.

  • Anaheim
    ITABWODI Dec 31, 2008 at 07:11pm

    Thanks for the clear instructions! I have a PC that got this today and still isn't clean after editing the Registry and deleting DLL files. SAV Corp. got some of the pieces, but obviously not all of it. I'll be trying this method as soon as I get back to the office. The situation also made me realize that I need to do a little more to make sure my users know what SAV Corp. looks like so that they can recognize a fake when they see it.

  • Poblano
    Ted4668 Jan 13, 2009 at 06:52am

    I have another solution that includes a second machine, and a usb/firewire/hd/eide adapter. I simply update the software (malware remover) first, then boot into safe mode, add device and clean. Has restored hundreds of dead boxes/laptops back to life.

  • Pimiento
    Pam125 Jan 19, 2009 at 09:53am

    Would it be possible to get a copy of the tutorial or an idea of how you explained things so that your users understood? One of my biggest problems is getting users to understand how these things work. I have tried educating them but it just doesn't seem to sink in. Open to any suggestions on how to educate users about these dangers.

  • Sonora
    Viperone Jan 26, 2009 at 09:41am

    I use SpyHunter to remove it. This piece of software is really good with malware. I do have to scan twice though to remove it properly; it is very effective. It's good not just for AntiVirus 2008/09 but also all other bugs.

  • Jalapeno
    Jon Foster - AITec Jan 30, 2009 at 02:31pm

    I've been seeing this with some trojans. Malwarebytes fixes it just fine when loaded in safe mode but sometimes MBAM won't even install. When that happens I check to see if TDSSserv.sys is loading in the Device Manager (go to View and click on Show hidden devices) then look in the non-plug and play drivers section. If it's there, kill it, reboot into safe mode and load MBAM. Once loaded, run a scan. Reboot into normal mode, update MBAM and do a full scan.

    Jon.

  • Pimiento
    Christy2327 Feb 19, 2009 at 03:07pm

    I use MalwareBytes to remove this trojan, but I also have a few other tools I've used that I'll share. One is VundoFix.exe, and the other is TrojanHunter. VundoFix is free. TrojanHunter is about $35 for a one-computer license but it works really well and is well worth the charge.

  • Thai Pepper
    BigTimmy May 21, 2009 at 02:24pm

    Running malware bytes will take care of it. You don't even need to be in safe mode. This should be updated because booting into safe mode and using combo fix is not needed anymore since it breaks things anyway.
    Update the how-to
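
The driver check Jon Foster describes in the comments above (looking for TDSSserv.sys among the non-Plug and Play drivers) can also be run from a PowerShell prompt. This is an added example, not part of the original thread; the function name `Find-SuspectDriver` and the indicator list are assumptions, and only the `TDSSserv` name comes from the page.

```powershell
# Added example (not from the original thread). Only 'TDSSserv' comes from the
# page; add further driver names to the list as your own indicators.
$DriverIndicators = @('TDSSserv')

function Find-SuspectDriver {
    param([string[]]$Indicators = $DriverIndicators)

    # Win32_SystemDriver enumerates kernel and file-system drivers, which
    # includes the legacy entries Device Manager hides by default.
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        $hit = $Indicators | Where-Object {
            $drv.Name -like "*$_*" -or $drv.PathName -like "*$_*"
        }
        if (-not $hit) { continue }

        # Driver paths may carry an NT object prefix (\??\) or \SystemRoot\.
        $path = $drv.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')

        # Some entries have no path at all; guard before touching the disk.
        $exists = [bool]$path -and (Test-Path -LiteralPath $path)
        $sig = if ($exists) {
            (Get-AuthenticodeSignature -LiteralPath $path).Status
        } else { 'FileNotFound' }

        [pscustomobject]@{
            Name      = $drv.Name
            State     = $drv.State        # Running / Stopped
            StartMode = $drv.StartMode    # Boot / System / Auto / Manual / Disabled
            Path      = $path
            OnDisk    = $exists
            Signature = $sig
            Matched   = $hit -join ','
        }
    }
}

Find-SuspectDriver | Format-List
```

No output means no driver entry matched by name, not that the machine is clean: a driver that hides itself from the API will not appear here.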


Avira AntiVir Personal Free Antivirus is a comprehensive, easy to use antivirus program for home-users only. It offers malware recognition of viruses, Trojans, backdoor programs, worms, incremental updates of antivirus signatures, permanent virus protection, scheduler, knowledge base with virus descriptions available on web site, rootkit detection and removal.

Upon finishing the installation of the program, a configuration wizard opens, and among other things, you can select which threat categories will be detected:

Upon starting, if you so choose, the program will immediately perform a scan:

By clicking on the Virus Information link, a new window with all kinds of information from Avira opens (just browse by links and tabs):

The Report button opens up a report in .txt format:

Avira AntiVir Personal – Free Antivirus is an extremely simple program to use, and offers all that the home user might need in view of computer protection.
