WTF? XP Security 2012

Access Denied

It was like that when I got here...
Joined
Jun 14, 2006
Messages
2,552
Anyone else seen this? Popped up on the woman's laptop this morning. Nasty bugger. Obviously as it's a rogue anti-virus it wouldn't let me run AVG, it also wouldn't let me get onto ANY websites. Installed Spybot in safe mode. Didn't think it would let me because that shit was even running in safe mode. Spybot found and removed it, immediately back again upon restart. Went through the registry and removed all entries for it, did everything I could think of and it just wouldn't go away. So I'm having to format and reinstall =(

Bad, bad week.
 

Bahumat

FH is my second home
Joined
Jun 22, 2004
Messages
16,788
MalwareBytes
SuperAntiSpyware
Spybot

Install them via a USB key, boot into safe mode with networking and that's how I got rid of the Vista Security 2011 shit on my aunt's laptop.

It also adds a file in msconfig iirc, so you have to manually delete it.
 

Gwadien

Uneducated Northern Cretin
Joined
Jul 15, 2006
Messages
19,914
Yup, I got that one, was horrible, just used another pc to google it, said delete some file, run spyware, did it w/o using usb sticks etc
 

Access Denied

It was like that when I got here...
Joined
Jun 14, 2006
Messages
2,552
Yep, went into msconfig and deleted the startup entry. Came back upon restart so I tried getting into msconfig and it wouldn't let me. Real nasty piece of work that is. However, since AVG missed it AVG has lost my faith and I shall be using MSSE.
 

Zenith.UK

Part of the furniture
Joined
Dec 20, 2008
Messages
2,913
I had 3 separate instances of that brought to my attention within a week of each other a month or so ago.

My Dad, my next door neighbour, and my wife's friend at the end of the road.
All had variations of the same thing. The problem is the longer you leave it, the worse the file corruption gets until you have no reasonable choice but to format and reinstall. Even though Malwarebytes found and nuked the source of the problem, it had already done some damage to system files.

I've now educated them in the fine art of keeping a duplicate of their photos/music/videos/etc on a separate physical hard drive, just on the off chance they need to nuke their Windows again.
 

Access Denied

It was like that when I got here...
Joined
Jun 14, 2006
Messages
2,552
I simply don't get how other people have all these problems with viruses and spyware and despite frequenting some rather dodgy sites, yes some of them are porn, the only problem I've had is the monitor issue.

Lesbian bondage ftw!
 

Ch3tan

I aer teh win!!
Joined
Dec 22, 2003
Messages
27,318
It's not AVG's fault. It's user error, they would have explicitly allowed the files to run in most cases, and then it's too late.

Disable autorun in XP, that goes a long way to stopping spread via shared drives and USB keys. You can remove it btw, you just need to google it.
 

Lamp

Gold Star Holder!!
Joined
Jan 16, 2005
Messages
23,121
Ooh that sounds like a horrible virus to get

Would you still be susceptible to it even if you run your browser & email client sandboxed?
 

MYstIC G

Official Licensed Lump of Coal™ Distributor
Staff member
Moderator
FH Subscriber
Joined
Dec 22, 2003
Messages
12,443
Run the SuperAntiSpyware that comes as a .COM file from their website. This gets around all the "you can't start me" bullshit and it'll rub out this crap.
 

ST^

Can't get enough of FH
Joined
Dec 22, 2003
Messages
2,351
MYstIC G said: "Run the SuperAntiSpyware that comes as a .COM file from their website. This gets around all the "you can't start me" bullshit and it'll rub out this crap."

I wish SuperAntiSpyware was called something else. It sounds more dodgy than any spyware I could have installed.

It is good though. :)
 

Access Denied

It was like that when I got here...
Joined
Jun 14, 2006
Messages
2,552
Meh, already formatted and reinstalled. Nice tip Mystic, I'll try that next time. Wouldn't have helped this time though, damn virus wouldn't let me load any web pages at all.
 

Kryten

Old Cow.
Moderator
Joined
Dec 22, 2003
Messages
3,351
These XP AntiVirus/Spyware/Tuneup things are a piece of pee to get rid of without hours of scanning (but that's hardly a bad thing these days)

Safe mode
C:\Documents and Settings (or Users for Vista/7/2k8)\Username\Local Settings\Application Data
In there, you'll probably find an .exe file. Whatever the hell it is, it shouldn't be there.
Note the name.
Delete it. If you're like me, create a folder with the same name and extension, then use command prompt to attrib +S +H it
Restart your PC into full mode
Regedit and search for that filename you noted. Delete all instances.
Clear internet cache/temp files.

You have a disinfected PC.

And yes, I'm a bit of an unfortunate expert on this - probably done it on around 40 PCs in the last 2 months. Some are nice and easy anyway and a Malwarebytes scan will kill it off - a few newer versions however also do things like hide all files (yes, all files) and folders & install themselves as a rootkit/MBR infection too.
TDSSKiller.exe is an invaluable tool for those harder types. You all already know my feelings on SuperAntiSpyware (unless they have updated it so it doesn't think just about everything on your PC is potentially dangerous to falsely bulk out results)
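
A read-only way to do the two lookups from the steps in the post above (find the stray .exe in the local application data folder, then find where its name is referenced), added here as an example and not part of anyone's post. It assumes PowerShell is available on the machine and checks only the Run and RunOnce autostart keys, which is narrower than the full Regedit search the post describes.

```powershell
# Added example: read-only triage, deletes nothing.
# Assumption: only the Run/RunOnce keys are checked, not the whole registry.

# Per-user local application data folder (XP layout as fallback).
$dir = $env:LOCALAPPDATA
if (-not $dir) {
    $dir = Join-Path $env:USERPROFILE 'Local Settings\Application Data'
}

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Flatten every autostart value into key/name/command records.
$autostarts = @(foreach ($key in $runKeys) {
    $k = Get-Item -Path $key -ErrorAction SilentlyContinue
    if ($k) {
        foreach ($name in $k.GetValueNames()) {
            New-Object PSObject -Property @{
                Key     = $key
                Name    = $name
                Command = [string]$k.GetValue($name)
            }
        }
    }
})

# Executables sitting directly in the folder root; -Force includes hidden files.
# Folders are skipped, so a placeholder folder named like the .exe is not reported.
$exes = Get-ChildItem -Path $dir -Filter *.exe -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer }

foreach ($exe in $exes) {
    # Literal, case-insensitive match of the file name inside each command line.
    $hits = @($autostarts | Where-Object {
        $_.Command.IndexOf($exe.Name, [StringComparison]::OrdinalIgnoreCase) -ge 0
    })
    "{0}  (created {1}, {2} bytes)" -f $exe.FullName, $exe.CreationTime, $exe.Length
    foreach ($h in $hits) {
        "    autostart: {0} -> {1} = {2}" -f $h.Key, $h.Name, $h.Command
    }
    if ($hits.Count -eq 0) { "    no Run/RunOnce reference found" }
}
```

Anything listed is a candidate to inspect, not a verdict; an empty result only means nothing sits in the folder root for the account the script ran under.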
 
