VideoHelp Forum




  1. Member
    Join Date
    Jul 2009
    Location
    United States
    I have a Wireshark antivirus that has downloaded itself onto my computer and keeps giving me errors and saying my computer is infected. I try to run SuperAntiSpyware, Spybot, etc. and the Wireshark says they are all infected and won't let them run. I tried to do the ctrl+alt+del, but I don't know what svchost I can quit. Is there anything else anyone knows I can do without totally losing everything on my computer? Thanks
  2. Man of Steel freebird73717's Avatar
    Join Date
    Dec 2003
    Location
    Smallville, USA
    Download and run Malwarebytes. You may have to change the name of mbam.exe to something else to get it to run.
    Donadagohvi (Cherokee for "Until we meet again")
  3. Mod Neophyte redwudz's Avatar
    Join Date
    Sep 2002
    Location
    USA
    Try booting into 'Safe Mode' and removing/uninstalling it there or try running your antivirus programs there. Safe Mode doesn't load most drivers, so it may work better for removal. Also unplug from the internet and disable the system restore as those are common ways for programs to automatically reinstall.

    If it is a valid antimalware program, they are set up to be hard to uninstall to protect themselves.

    Safe Mode is usually accessed by hitting the 'F8' function key during boot.

    And for more information, just do an internet search for 'removing wireshark'
  4. Hi, I'm the lead developer of the Wireshark network protocol analyzer. Please be aware that we do not and have never made antivirus software. Early this morning we started getting calls about "Wireshark Antivirus". Unfortunately we don't have much information about this other than that some jackass is using our name.

    According to posts I've seen on other forums and Q&A sites you can kill "Wireshark Antivirus.exe" using the task manager or process explorer, then use a malware removal tool to clean up. Sorry I don't have more definitive information.
  5. I have used the task manager to stop its execution... however it starts back up on its own. How do I stop it... PERIOD.

    Windows XP

    I also ran a McAfee Quick Scan and it did not detect anything.
    Last edited by mmi16; 4th Aug 2010 at 17:45.
  6. Banned
    Join Date
    Jun 2004
    Location
    ®Inside My Avatar™© U.S.
    You stop it by removing it, 2 people already gave you options.

    And you do realize it is NOT an actual antivirus program ?
  7. It looks like this might be a new version of a trojan that has been around a while:

    http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/FakeScanti
    http://www.symantec.com/security_response/writeup.jsp?docid=2010-022319-3715-99
    http://freeofvirus.blogspot.com/2010/06/sysinternals-antivirus-removal-guide.html

    The last link contains removal instructions, although it looks like you'll have to replace "Sysinternals" with "Wireshark".
  8. Mod Neophyte redwudz's Avatar
    Join Date
    Sep 2002
    Location
    USA
    Thanks, gerald.combs, for the information and thanks for your program and welcome to our forums.
    Wikipedia article on the real Wireshark: http://en.wikipedia.org/wiki/Wireshark

    Apparently the 'antivirus' program in question is malware. Try removing it in safe mode as described above.
  9. Member
    Join Date
    Jul 2009
    Location
    United States
    WOW! Thanks everyone, you are simply amazing! I installed and ran Malwarebytes; it worked and uninstalled great! I guess I shouldn't worry knowing you guys are here to help! THANKS SOOOOOO MUCH!!!!
  10. My McAfee Full Scan found and eliminated the Trojan
  11. Man of Steel freebird73717's Avatar
    Join Date
    Dec 2003
    Location
    Smallville, USA
    Glad you got it removed. You know Malwarebytes can run in the background alongside your traditional anti-virus program and will block most of this crap before it ever even gets on your machine. $24.95 for a lifetime license. Worth it if you ask me.
    Donadagohvi (Cherokee for "Until we meet again")
  12. It has everything blocked in my computer. I can't do anything to remove it. Not even in safe mode. I need help. I try to download malware remover and it won't allow it to install. Nothing I do works.
  13. Man of Steel freebird73717's Avatar
    Join Date
    Dec 2003
    Location
    Smallville, USA
    Try renaming the malwarebytes setup installer to something else. Anything. Change mbam-setup-1.46.exe to xyz.exe or even something like iexplore.exe. Then try running the newly renamed file. Also you might try installing and running it in safe mode.
    Donadagohvi (Cherokee for "Until we meet again")
  14. Mod Neophyte redwudz's Avatar
    Join Date
    Sep 2002
    Location
    USA
    If you can identify the root malware program, one other option is booting to a Linux live boot disc or Windows PE or Bart PE or similar. Then you should be able to run an antivirus or just kill part of the malware, enough to be able to boot back into Windows to finish the removal. There is some risk involved as it may also damage the OS if too deeply entrenched. I would back up your data on your secondary drives, but don't back up the boot drive and the malware on it.

    The last option is a re-install of the OS after wiping everything.

    If you don't have some decent antivirus/antimalware/firewall installed, this would be a good time to add one and you may avoid these types of problems in the future.
  15. Thanks for the advice. I have Webroot and for some reason it didn't block it. I'll try doing this.
  16. http://www.bleepingcomputer.com and go to the Am I Infected forum and follow the instructions stickied at the top. Don't bump the post; that will make them think you are being helped.

    or
    http://www.dslreports.com/forum/cleanup

    Same deal, and only do one.
    If I'd known I was going to live this long, I'd have taken better care of myself.
  17. Banned
    Join Date
    Jun 2004
    Location
    ®Inside My Avatar™© U.S.
    So out of curiosity, where are all you people picking this thing up ?
  18. aBigMeanie aedipuss's Avatar
    Join Date
    Oct 2005
    Location
    666th portal
    this one and the other fake a/v trojans are installed onto unpatched computers drive by style. the owner never has to click anything, they just take advantage of things like the m.s. .lnk exploit. it can come from visiting any infected website, and there have been some big name ones that get owned.
    --
    "a lot of people are better dead" - prisoner KSC2-303
  19. Member wtsinnc's Avatar
    Join Date
    Nov 2006
    Location
    United States
    Following removal of Wireshark Antivirus, build a flash drive with security applications for the next time you get infected.
    Particularly good in my experience are Prevx free edition and Emsisoft Emergency USB stick (Link).

    http://www.emsisoft.com/en/software/stick/
    THREADKILLER !
    References on File.
  20. Man of Steel freebird73717's Avatar
    Join Date
    Dec 2003
    Location
    Smallville, USA
    That's not a bad idea. If you do some google searching you can find instructions on how to create a portable version of malwarebytes and superantispyware. Good for use on infected machines that won't let you install them. Of course you have to know how to write a batch script to make it all work together. I've got a flash drive that I've put a portable version of malwarebytes and superantispyware on to clean infected machines.

    Honestly though the best way to stop crap like those is by using good resident blockers like the pro version of Malwarebytes or SuperAntiSpyware. The free versions do a great job of cleaning out an already infected computer but the pro versions run a resident scanner that blocks the majority of that crap from even loading in the first place. The nice thing is they can run alongside your current antivirus software.
    Last edited by freebird73717; 5th Aug 2010 at 20:53.
    Donadagohvi (Cherokee for "Until we meet again")
  21. Member isogonic's Avatar
    Join Date
    Jan 2003
    Location
    @localhost
    Scareware can go by many different names. It's fraudulent software that has only one purpose: to generate money.
    It's easily recognized once installed; balloon messages about malware etc, and prompts to activate or register the software. Some can be removed pretty easily with Malwarebytes, others might install rootkits and/or other malware. If you had or still have page redirects or pop ups then you should consider the possibility that a rootkit has been installed.

    You can get scareware the same way you can get any other malware. User installed based on social engineering tricks (most common) or via vulnerabilities in unpatched Windows, your browser, Adobe products, Java etc etc.
  22. Banned
    Join Date
    Jun 2004
    Location
    ®Inside My Avatar™© U.S.
    Originally Posted by aedipuss
    this one and the other fake a/v trojans are installed onto unpatched computers drive by style. the owner never has to click anything, they just take advantage of things like the m.s. .lnk exploit. it can come from visiting any infected website, and there have been some big name ones that get owned.
    I didn't ask HOW they got infected or how it infected them, I asked WHERE they picked it up..
    Originally Posted by Noahtuck
    So out of curiosity, where are all you people picking this thing up ?
    The very rare time or two I ended up with some crap like this over the years I knew exactly where it came from.
  23. VH Wanderer Ai Haibara's Avatar
    Join Date
    Jan 2006
    Location
    Somewhere on VideoHelp...
    That's just it. It may not be as easy to tell where the problem originated, because practically any site can become an unwilling carrier for these things, at least if they support ad banners served from an outside source. All someone has to do is compromise an ad server, and then anyone viewing seemingly harmless ads will be getting a drive-by malware install behind the scenes.

    The malware can hit through other avenues like email, of course, but from what I've seen, it's often the compromised ad servers.
    If cameras add ten pounds, why would people want to eat them?
  24. Video Restorer lordsmurf's Avatar
    Join Date
    Jun 2003
    Location
    dFAQ.us/lordsmurf
    Originally Posted by BLSAMPLES
    that has downloaded itself onto my computer
    Nothing can "download itself" onto your computer.
    A person did it, either because they were tricked, or because they're a stupid click-yes-to-everything style user.

    This isn't a "virus", either. Virii don't really exist anymore.
    This is malicious software, or malware.
    Last edited by lordsmurf; 8th Aug 2010 at 00:46.
  25. Member AlanHK's Avatar
    Join Date
    Apr 2006
    Location
    Hong Kong
    My wife's office got hit by something similar. After whoever got it originally, their PC sent out emails with infected attachments that started the never-ending "YOU ARE INFECTED!!!" popups demanding you register their software.

    Since their IT staff was completely useless, and didn't even turn up for over a week, I spent a few hours cleaning it up using things like MalwareBytes, but caused some collateral damage and had to reinstall a bunch of stuff.

    But while the virus was sent out automatically, it required the recipient to click on the attachment to activate.
  26. Originally Posted by lordsmurf
    Originally Posted by BLSAMPLES
    that has downloaded itself onto my computer
    Nothing can "download itself" onto your computer.
    A person did it, either because they were tricked, or because they're a stupid click-yes-to-everything style user.

    This isn't a "virus", either. Virii don't really exist anymore.
    This is malicious software, or malware.
    maybe remote access?
  27. Originally Posted by redwudz
    There is some risk involved as it may also damage the OS if too deeply entrenched.
    That's why I just clone the OS drive (after the infrequent fresh install) to a partition on a separate drive in the computer(s). Separate physical drive for data as well. That makes the problem easy to fix.

    Call me lazy if you like, but my wife has a talent for picking up nasties on her computer. Some are a real bitch to remove and break programs too. I can't bring myself to trust an OS after that.

    Not too long ago, I encountered Security Suite Pro, I think it was. Threat level high, country of origin Russian Federation. Out of curiosity, I played with it awhile, doing just about everything already mentioned. It established itself primarily by changing proxy settings. After apparently eliminating it, it revived for a few reboots, although I finally killed it. Nevertheless, I re-cloned the backup.
    Pull! Bang! Darn!
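
A read-only triage sketch for two behaviours reported in this thread: the program restarting on its own (post 5) and the proxy change and revival across reboots (post 27). This is an added example, not code from any poster; the registry locations are the standard Windows per-user proxy and Run autostart keys, and checking them is an assumption, since the thread does not say where this particular malware persists.

```powershell
# Added example, not from the thread. Read-only: nothing is modified or deleted.

# 1. Per-user (WinINET) proxy settings, the mechanism described in post 27.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet
$proxyOn = ($p.ProxyEnable -eq 1)
[pscustomobject]@{
    ProxyEnabled  = $proxyOn
    ProxyServer   = $p.ProxyServer
    AutoConfigURL = $p.AutoConfigURL
    # A loopback proxy means a local process sits between the browser and the network.
    LoopbackProxy = $proxyOn -and ($p.ProxyServer -match '(^|=)(127\.|localhost)')
} | Format-List

# 2. Run-key autostart entries (assumed location; the thread names none).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        # Pull the executable path out of the command line (quoted or bare).
        if     ($cmd -match '^\s*"([^"]+)"')        { $exe = $Matches[1] }
        elseif ($cmd -match '^\s*(.+?\.exe)(\s|$)') { $exe = $Matches[1] }
        else                                        { $exe = $cmd.Trim() }
        $sig = if (Test-Path -LiteralPath $exe -PathType Leaf) {
            (Get-AuthenticodeSignature -LiteralPath $exe).Status
        } else { 'FileNotFound' }
        [pscustomobject]@{
            Key       = $key
            Name      = $name
            Path      = $exe
            Signature = $sig
            # Autostart from a user profile or ProgramData deserves a closer look.
            InUserDir = ($exe -like "$env:USERPROFILE\*") -or ($exe -like "$env:ProgramData\*")
        }
    }
}
$report | Sort-Object InUserDir -Descending | Format-Table -AutoSize -Wrap
```

Run it in the affected user's session, since both the proxy values and the HKCU Run key are per-user.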