They went to a bad place
August 20, 2010 6:25 PM

So, we loaned our "spare" computer to our neighbor and it came back infected...

We have traced the problem to a virus called "Security Suite." We have done all of the recommended things including rKill (iExplore), Malwarebytes Anti-Malware and SUPERAntiSpyware. We get to a point (repeatedly) where we have removed all corrupted files and get a "0" with all three programs, but the virus is still there and won't let the computer access either Firefox or Explorer.

Any thoughts?
posted by Old Geezer to Computers & Internet (28 answers total) 7 users marked this as a favorite
 
Spybot Search & Destroy, run on the next start up.

Good luck, that virus is a pain in the ass.
posted by theichibun at 6:28 PM on August 20, 2010


Look up the profile of metafilter member deezil. He has an extensive list of steps to take.
posted by dfriedman at 6:30 PM on August 20, 2010 [3 favorites]


Nuke it.

A virus can be nasty to eradicate—you never know whether you've gotten the whole thing. I can never trust a computer again after it's gotten a virus. I grab any crucial information off it (careful. Convert documents to plain text where possible—Word documents and PDFs can be vectors for viruses) and reinstall a new OS.
posted by sonic meat machine at 6:32 PM on August 20, 2010 [2 favorites]


I recently got rid of Security Suite on my computer. I think it attacked so successfully because I had a lot of updates that I forgot to install. Getting rid of it wasn't difficult but took time. I ran the Malwarebytes scan in safe mode on my Admin account then took care of all the missing Windows and software updates. Then I logged in regularly to my personal account (the one I was using when the attack occurred) and ran Malwarebytes again.

It cleaned the virus out and the computer is working fine now.

I tried to run rKill at one point and couldn't get it to work.

Good luck!
posted by thewestinggame at 6:36 PM on August 20, 2010


seconding spybot (in windows safe mode) and "hijack this" as well
posted by pyro979 at 6:36 PM on August 20, 2010


Malware removal is a fairy tale. Back up any data you care about off the machine, and reinstall your OS. Recovering from an administrator-level infection is rather difficult. The malware may have replaced portions of your OS - how exactly will a cleaner program restore them back to a pristine condition? Even if you get the malware off odds are that you will encounter weird errors on the machine forever after.

Next time, don't let them have admin rights. (If they didn't have admin rights, then destroy the infected profile and recreate a new clean one.)
posted by benzenedream at 6:38 PM on August 20, 2010 [3 favorites]


Response by poster: @thewestinggame I did all that and rKill as well. It worked well enough to end up with, supposedly, no infected files. Yet, no access to the internet and the virus is very much in charge.

@benzenedream They didn't have Admin rights. They simply went somewhere that downloaded the malware.
posted by Old Geezer at 6:49 PM on August 20, 2010


I agree with nuking it -- I had a Windows XP machine that got a very similar virus. It looked like the virus had changed a bunch of entries in the registry and moved around some Windows system files so that running most programs wouldn't work. I don't think I could even run CMD.

I paid a computer shop to remove it; a week or so later the virus was back so I gave up and switched that machine to Ubuntu.
posted by Several Unnamed Sources at 6:54 PM on August 20, 2010 [1 favorite]


Test this out first - does a new clean account exhibit the same symptoms? If not, the malware didn't get into the actual OS but is hiding out in the infected account.

If it was a limited rights account (can't install software or change settings without an Admin password), then back up whatever you need out of the infected account, and delete the profile as an administrator. Create a new limited rights user account and the malware may be gone.
posted by benzenedream at 6:57 PM on August 20, 2010


make sure you've updated the malware definitions, even if you have to do this on another computer and import it with a jump drive. That's what I had to do to get rid of some security suite that got on my son's computer. This is the page I used to get rid of it - pretty easy once I had updated malware definitions.
posted by lemniskate at 7:06 PM on August 20, 2010


I'm going to agree with the "Nuke it" crowd. Don't waste your time trying to get rid of the infection(s). It's only going to leave you frustrated with a PC that is still infected.

Be careful, however, that you don't inadvertently infect the clean install when you move your files over. I would use something like Hiren's Boot CD to scan the files you're going to transfer
posted by Capa at 7:29 PM on August 20, 2010 [1 favorite]


Our Vista32 laptop picked that up in one account from a drive-by.

Getting rid of it was pretty simple, if time consuming. All we had to do was log in to the admin account, install MS Security Essentials and allow it to update, and then run a full system scan.

IIRC, that was it. At worst, we may have had to manually go into internet-settings and turn off the proxy it set too.

What exactly are the problems you're having?

Can you just not get onto the internet?

Can you not run firefox? If so, can you run other executables? When I was looking for answers, people were saying that rkill + this malware could interact so that you can't run executables, but that there are fixes for that.

Is the malware continuing to pop up its fake DANGER WILL ROBINSON windows?
posted by ROU_Xenophobe at 7:33 PM on August 20, 2010


Rather than nuking, I've found that removing the main drive, putting it in an external drive enclosure and scanning the drive from another computer is a very reliable way of cleaning out stubborn infections.
posted by randomstriker at 7:33 PM on August 20, 2010


randomstriker: bad plan! bad plan! Some viruses can infect the drive in such a way that accessing it from a machine which is vulnerable to the same exploit (the same OS, for example) is enough to infect the new machine. This happens constantly with USB drives in educational environments.
posted by sonic meat machine at 7:40 PM on August 20, 2010


I really disagree with the "nuke it" brigade. You can always nuke it in a couple-few days, and what with it being a spare machine you don't need to be in a big hurry.

In the end, all I had to do was install MSSE from an unaffected account and let it chew on the machine overnight. Not a big deal.

Even if that doesn't work, it makes more sense to delete the offending account and see what that does before nuking the entire system.
posted by ROU_Xenophobe at 7:45 PM on August 20, 2010


Response by poster: @ROU It has about four Danger Will Robinson pop-ups and the PUT ON PROTECTION prompts. Simple solitaire games and such are playable, but programs such as Office and anything having to do with the internet (FF or IE) are blocked by pop-ups and offers to install a new malware fix.

We can (and have) import certain malware fixes by importing from a clean computer via DVD, but we just tried Spybot and it is blocked by the virus.
posted by Old Geezer at 7:50 PM on August 20, 2010


If you can, reboot in safe mode with networking by hitting F8 while restarting. Run Malwarebytes while in safe mode. You can often get around the warnings that malware puts up by renaming programs before running them.
posted by advicepig at 7:59 PM on August 20, 2010


I disinfect probably 20 computers a week. No need to go with the nuclear option straight away.

Try this:

Turn system restore/protection off.

Run Malwarebytes.

Download Combofix from Bleepingcomputer.com (not anywhere else). Save it to the desktop -- change the file name to something (say, fixit) when saving it. Run Combofix from the desktop. Combofix may go for several minutes at a time without seeming like it's doing anything, and it may reboot your computer.

Run Malwarebytes one more time to be sure.

If that doesn't do it, then you could resort to the nuclear option or have someone take a more careful look at the computer who knows what they're doing. 'Cuz if the above method doesn't work, you either have a particularly nasty (well, at least rare) rootkit or (very unlikely) virut.
posted by GnomeChompsky at 8:29 PM on August 20, 2010 [4 favorites]


Oh, and sorry -- as someone mentioned, run Malwarebytes first in safe mode if you can't get it to run in normal mode.
posted by GnomeChompsky at 8:31 PM on August 20, 2010


There are a few antivirus programs that come with boot disks. Kaspersky is one I found a free version of, it boots into a stripped down Linux and then downloads new virus definitions. A Ubuntu live CD can work for this too- boot into Ubuntu and install an antivirus package (AVG, probably) and scan.

When it comes down to it, do whatever you think will cause less stress... at a certain point, back up, DBAN and reinstall is the least bad option. Oh, but virus check the backup. I got a virus that installed itself in all the HTML files on my system by sticking an iframe into them all.
posted by BungaDunga at 10:50 PM on August 20, 2010 [1 favorite]


reload the OS, easiest, fastest, and best way
posted by fifilaru at 11:13 PM on August 20, 2010


Old Geezer: "...we just tried Spybot and it is blocked by the virus."

You'll have to run it in safe mode. When my wife's mom got it, it wouldn't update at all from safe mode, so make sure it's up to date.
posted by theichibun at 5:30 AM on August 21, 2010


I removed this virus by removing the infected files and editing the registry manually. However, if you don't feel up to that, try following these (lengthy) instructions.

http://www.bleepingcomputer.com/virus-removal/remove-antivirus-suite
posted by Roger Dodger at 6:22 AM on August 21, 2010


Response by poster: Just to clarify, we've been doing all of our work on this problem in safe mode. Nothing functions at all unless in safe mode.
posted by Old Geezer at 7:21 AM on August 21, 2010


Best answer: I'm not sure if this will work, since it sounds like you've gotten yourself in a fairly sticky situation. If you don't have anything on the computer that you need to save, you might be better off formatting your drives and re-installing everything from scratch, as others have said.

But, here's something else to try:
  1. My own suggestion, so take this with a grain of salt (it helped me in a particularly tricky situation, but I've never seen anyone else suggest this): Use system restore to restore back to the earliest restore point you have. Weeks ago, if possible. This sounds counter-intuitive, since it is going to restore some of the spyware you've already removed, but it might possibly get you back to the point before the spyware completely took over. In the tricky spyware situation I mention above, I wasn't able to log into Windows until I did this.
  2. Go here to the Major Geek's Malware Removal Guide and follow ALL of the instructions. All of them. Pay close attention to the instructions on how to install and run each individual program, as there are special settings for many of them. I'd run the programs in safe mode, though I'm not entirely sure if it's necessary. Some of the programs they suggest are ones you've already tried, but some are not, and it can't hurt to do some of the work twice, especially if you've used system restore and you've restored some of what you've already removed.
  3. If you've gone through the entire Malware Removal Guide and you are still infected, read the "Yes, I’m still having problems" part of the removal guide, and post to the Major Geeks forums with logs attached. They have a lot of experience helping people with major spyware issues.
  4. If you DO think you've cleared out all of the spyware, remember to toggle System Restore after you've cleaned everything out. You don't want to restore the spyware back accidentally. There are instructions for this in the Major Geeks guide.
Seconding ComboFix; ComboFix and Malwarebytes together have beat many a spyware invasion for me. ComboFix is in the removal guide linked above.

You also have the option of posting straight to the forum with logs, but they may ask you to run the Removal Guide first if you do that.

(Or you could save yourself a lot of time and just nuke your computer.)

Good luck!
posted by anthy at 8:13 AM on August 21, 2010 [1 favorite]


I run into this one quite a bit at work. This particular one hides in the profile area, such as:

c:\documents and settings\username\local data\
c:\documents and settings\username\application data\
c:\documents and settings\all users\application data\

You may see it hiding inside a suspicious-looking jumble of letters of a folder name. Make sure you're also looking at hidden or system files.

The easiest way to remove these kinds of nuisances is to boot off of another medium, like your Windows installation CD (Recovery Console). Or if you have access to another PC, you can make a BartPE or UBCD4WIN CD that'll give you a graphical environment.

If Safe Mode is working, however, get into those profile folders and look around. You can also run msconfig from Start/Run to look at startup items.

These bugs usually don't come alone...you'll also want to open a CMD prompt and do the following commands:

dir/od/a c:\windows\system32
-and-
dir/od/a c:\windows\system32\drivers

These will list all the files in these folders, ordered by date (oldest to newest). If you see something suspicious and recent, you can try moving it out of that folder into a quarantine folder temporarily.
posted by samsara at 1:40 PM on August 21, 2010
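The checks samsara describes above (recently created hidden folders under the profile roots, a date-ordered listing of system32 and drivers, the msconfig startup list, moving a suspect file to a quarantine folder) together with the WinINet proxy ROU_Xenophobe mentions a few replies up, collected into one triage script. This is an added example and not something anyone in the thread posted. It assumes Windows PowerShell is available on the infected machine (XP needs PowerShell 2.0 installed; Vista and 7 ship it) and is run from an elevated Safe Mode session; the 14-day window, the "looks random" folder-name heuristic and the quarantine directory are assumptions you should adjust.

```powershell
# Added triage script, not from the thread. Assumes Windows PowerShell 2.0+ on the infected
# box, run from an elevated Safe Mode session. $Days and the quarantine directory are
# assumptions; set $Days to roughly when the machine was loaned out.
param([int]$Days = 14)

$cutoff = (Get-Date).AddDays(-$Days)

# --- 1. Profile folders the post lists (XP names) plus their Vista+ equivalents -----------
$profileRoots = @(
    (Join-Path $env:USERPROFILE 'Local Settings\Application Data'),
    (Join-Path $env:USERPROFILE 'Application Data'),
    (Join-Path $env:ALLUSERSPROFILE 'Application Data'),
    $env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData     # $null on XP, filtered out below
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

"== Folders created in the last $Days days under profile roots (hidden/system included) =="
foreach ($root in $profileRoots) {
    Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.CreationTime -gt $cutoff } |
        ForEach-Object {
            # Heuristic only (assumed): a bare run of letters/digits with no vowels reads like
            # the "jumble of letters" folder name the post describes. Verify before touching it.
            $flag = if ($_.Name -match '^[A-Za-z0-9]{6,}$' -and $_.Name -notmatch '[aeiouAEIOU]') { '<-- check' } else { '' }
            "{0:yyyy-MM-dd HH:mm}  {1,-24} {2} {3}" -f $_.CreationTime, $_.Attributes, $_.FullName, $flag
        }
}

# --- 2. Recently written files in system32 and drivers, oldest to newest like "dir /od" ----
"== Files written in the last $Days days in system32 and drivers =="
foreach ($dir in @("$env:SystemRoot\system32", "$env:SystemRoot\system32\drivers")) {
    Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt $cutoff } |
        Sort-Object LastWriteTime |
        ForEach-Object {
            # Windows Update also drops files here, and on XP many genuine files are
            # catalog-signed and show NotSigned, so the signature column is a hint, not a verdict.
            $sig = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            "{0:yyyy-MM-dd HH:mm}  {1,10}  {2,-12} {3}" -f $_.LastWriteTime, $_.Length, $sig, $_.FullName
        }
}

# --- 3. Auto-start entries (the sources msconfig's Startup tab is built from) -------------
"== Run/RunOnce registry entries =="
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in ($runKeys | Where-Object { Test-Path $_ })) {
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { "{0}\{1} = {2}" -f $key, $_.Name, $_.Value }
}
"== Startup folder contents =="
foreach ($sf in @("$env:USERPROFILE\Start Menu\Programs\Startup",
                  "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup",
                  "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                  "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")) {
    if (Test-Path -LiteralPath $sf) { Get-ChildItem -LiteralPath $sf -Force | ForEach-Object { $_.FullName } }
}

# --- 4. WinINet proxy, which one reply says the rogue switches on ------------------------
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
"== Proxy: ProxyEnable={0} ProxyServer={1} AutoConfigURL={2}" -f $inet.ProxyEnable, $inet.ProxyServer, $inet.AutoConfigURL
if ($inet.ProxyEnable -eq 1) { "   If you did not configure this proxy, clear it once the infection is removed." }

# --- 5. Move a suspect file aside (the post's "quarantine folder"), keeping a restore log ---
function Move-ToQuarantine {
    param([Parameter(Mandatory=$true)][string]$Path,
          [string]$QuarantineDir = "$env:SystemDrive\quarantine")   # assumed location
    if (-not (Test-Path -LiteralPath $QuarantineDir)) { New-Item -ItemType Directory -Path $QuarantineDir | Out-Null }
    $item = Get-Item -LiteralPath $Path -Force
    $dest = Join-Path $QuarantineDir ($item.Name + '.' + (Get-Date -Format 'yyyyMMddHHmmss') + '.quar')
    Move-Item -LiteralPath $item.FullName -Destination $dest -Force
    # One tab-separated line per move so the file can be put back if it turns out to be legitimate.
    Add-Content -Path (Join-Path $QuarantineDir 'quarantine.log') -Value ("{0}`t{1}" -f $dest, $item.FullName)
    "moved {0} -> {1}" -f $item.FullName, $dest
}
```

Save it as a .ps1 and run it with `powershell -ExecutionPolicy Bypass -File <name>.ps1`; if the rogue blocks it, rename the file first, as advicepig suggests for other tools. Read the output before calling Move-ToQuarantine on anything: a file that is genuinely part of Windows (a recent update, a signed driver) moved out of system32\drivers can leave the machine unbootable, and a file the rogue holds open will not move until you are in Safe Mode or booted from other media.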


Response by poster: We spent a little over half a day with Major Geek and, while Root Repeal froze the computer, everything else seems to have worked. Thanks everybody for your input and suggestions.
posted by Old Geezer at 3:44 PM on August 21, 2010


Make a rescue cd. I like ubcd. It allows you to get to files that are otherwise unavailable, and you can run the antivirus tools from it.
posted by theora55 at 10:21 AM on August 22, 2010

