Please help - virus attack (https://www.pprune.org/computer-internet-issues-troubleshooting/432907-please-help-virus-attack.html)

BOAC 7th November 2010 08:36

I will chuck in my oft-posted suggestion too that a boot-time AV scan is an excellent weapon in the armoury. Avast offers such. This scans your system BEFORE Windows activates (which is where a large number of viruses etc lurk). It finds those that 'hide' themselves in Windows.

Gertrude the Wombat 7th November 2010 09:23


In particular any PC used by a child is likely to have a useful life measured in months if not weeks
For anyone who hasn't already seen it several times, my solution to this one was as follows.

The first time a child got a nasty I pulled their network connection until such time as I had time to clean up their PC. So, no internet for a week. I explained that each time this happened it would take me twice as long to get round to dealing with it. Some child downloaded and installed and ran a virus a second time. Two weeks with no internet.

That was sufficient to get them to believe me. That was several years ago now. There have been no problems since - none of them wants to live without the internet for a month.

tailstrikecharles 7th November 2010 10:12


I disagree with IO540's generalisation that the only way to effectively resolve issues is to reinstall a disk image. That is what professionals do because a) it is simple and b) they cannot spend the time doing otherwise.

What I find is that I spend far longer than a paid technician could reasonably charge for. I do not charge and I do it purely for the fun of it.
For the others of us who have 'real lives' and 'other things to do', copying off the useful stuff and reinstalling/re-imaging/reformatting IS the best and most intelligent course of action.
Besides. Some may install a rootkit which is virtually undetectable.
Boot time virus checks may help, but add to your boot time, encouraging you to not reboot at all (which negates the value of boot checks)

You can EASILY become infected behind a router or firewall if you access the net at all.
Comodo Antivirus/Firewall is very effective even though the false alarm 'training' is somewhat annoying initially.

BOAC 7th November 2010 12:17


Originally Posted by tsc
Boot time virus checks may help, but add to your boot time, encouraging you to not reboot at all

- I think you misunderstood - these are 'one-time' boot scans, not regular. No disincentive at all if it gets rid of a nasty?

G_STRING 7th November 2010 13:01

Again, thanks for all your help.

M.Mouse, the instructions on your link look as if they'd certainly do the job, but unfortunately, I can't do anything at all on my computer, it seems to be completely disabled. If I try to run the add/delete programs, it won't let me, and an 'infected' message pops up.

The same happens if I try to right-click on the anti-virus icon that has been installed. I can't get on the internet at all, and programs such as Word, etc. will not run, just bringing the pop up message 'infected, buy and run our program to clean' (or words to that effect), up.

I'm going to try the boot in safe mode suggestion tonight, but am not sure whether it'll let me do that or not, I suppose it is determined by how soon after applying power to the computer does the virus activate.

I've encountered a few viruses in the past, but nothing that AVG couldn't get rid of, and certainly nothing as vicious as this one appears to be.

M.Mouse 7th November 2010 13:14


For the others of us who have 'real lives' and 'other things to do', copying off the useful stuff and reinstalling/re-imaging/reformatting IS the best and most intelligent course of action.
And in the long run almost as time consuming as repairing the damage instead. Having to retrieve everything you want and re-establishing the appearance and setup which the user likes and is used to also takes time. It does of course assume that the user's data is all neatly stored in sensible places and easily transferred to an interim medium or backed up even. In my experience that is rarely the case. Hence the user loses all sorts of stuff but hey, who cares, you can get on with your 'real life'.


Besides. Some may install a rootkit which is virtually undetectable.
Rootkits are perfectly detectable and removable. They are also becoming more common.


You can EASILY become infected behind a router or firewall if you access the net at all.
Of course you can but then the fundamental purpose of a firewall is not to prevent a virus infection.



G String

You will be able to boot into safe mode. The initial actions to remove malware can be a little difficult and slow because the malware itself often obstructs attempts to remove it and also blocks access to helpful internet sites if not all internet access.

Do you have access to another PC? If so one useful technique is to download the programs you need to a USB memory stick and run them from there. You sometimes have to rename the programs you wish to use to prevent the malware recognising the program you are trying to run.

EDDNHopper 7th November 2010 14:26

Agree with MMouse that whatever you do must be done methodically. Erratic deletion etc. will make matters worse. If internet connection is impossible you will have to revert to another computer to download whatever is needed.

BOAC 7th November 2010 14:32


Originally Posted by MM
You will be able to boot into safe mode

- not necessarily! It depends which 'cold' he has caught. If Safe mode has been disabled, http://www.didierstevens.com/files/data/SafeBoot.zip will restore the registry keys for him.

doglegfinal 7th November 2010 15:25

I had the same problem on a computer a few weeks ago. Reboot in safe mode didn't help. Couldn't open Task Manager either (to kill the process). The virus acted as a popup blocker and blocked Task Manager.

What to do:
Press CTRL-ALT-DEL AND KEEP IT PRESSED !!!! This way Task Manager will open a few dozen Task Manager windows at the same time and the blocker can't keep up with this. So you will have your Task Manager again.
Then go to processes and look for a process with some random letters/numbers with the .EXE extension. For example hjapgkwagnz.exe or qkwcrrwagnz.exe. Killing this process gave me control over Internet Explorer again.
Then I went on the net, downloaded and installed Malwarebytes, ran a scan and the program was removed.

Hope this helps and good luck

P.Pilcher 8th November 2010 11:21

Although all of us here reckon that Malwarebytes is a good program for getting rid of nasties, my wife was complaining that she was getting fed up of windoze (XP) repeatedly crashing recently. It was only a few months ago that I rebuilt XP on her machine. A scan with Avast revealed nothing, Malwarebytes found nothing, so in desperation I tried good old windoze defender. It found a nasty trojan which it managed to remove. This was clearly well embedded as when windoze boots now it complains that it cannot find a certain .dll but still runs happily. Problem appears to be solved.

P.P.

Keef 8th November 2010 11:41

PP: it may be that the .dll in question is a valid Windoze one that the trojan "modified", but that it provides a function that you don't use.

You may be able to download or acquire a valid (clean) copy of it and eliminate whatever isn't working.

Or not, of course.

P.Pilcher 8th November 2010 22:17

Thanks Keef - I was thinking along those lines as well, all I've got to do is to make a note of the file name and see if I can find it on my machine then I can copy it over. As you say, the file is probably involved in an unused function.

P.P.

reynoldsno1 8th November 2010 23:22

I had an issue with a similar program called Personal Security a few months ago. I followed this process:

To start with I booted up and started Task Manager before the malware program started and stopped it running, then:

Personal Security manual removal:
Kill processes:
psecurity.exe
HELP:
how to kill malicious processes

Delete registry values:
HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
HKEY_LOCAL_MACHINE\SOFTWARE\5FFB10D58FFCF482208906E6A889FD56
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "PSecurity"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\post platform "WinTSI 01.12.2009"
HELP:
how to remove registry entries

Unregister DLLs:
win32extension.dll
HELP:
how to unregister malicious DLLs

Delete files:
psecurity.exe Uninstall.lnk win32extension.dll Computer Scan.lnk Help.lnk Personal Security.lnk Registration.lnk Settings.lnk Update.lnk
HELP:
how to remove harmful files

Delete directories:
C:\Program Files\PSecurity
C:\Program Files\Common Files\PSecurityUninstall
C:\Documents and Settings\All Users\Start Menu\PSecurity

Obviously the details will be different, but the above worked fine and I haven't had a problem since.
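
A read-only check for the leftovers named in the removal list above, added here as an example and not part of the original post or of any removal tool. It assumes the first two registry entries are keys, the last two are a key plus a value name, and that the bare file names sat in the three listed directories (the post does not say where each file lived).

```powershell
# Added example: reports which artifacts from the list above are still present.
# Nothing is deleted or changed; every check is read-only.
$dirs = @(
    'C:\Program Files\PSecurity',
    'C:\Program Files\Common Files\PSecurityUninstall',
    'C:\Documents and Settings\All Users\Start Menu\PSecurity'
)
$keys = @(   # assumption: these two entries are whole keys, not values
    'Registry::HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\5FFB10D58FFCF482208906E6A889FD56'
)
$values = @( # assumption: quoted text in the list is the value name under the key
    @{ Key  = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
       Name = 'PSecurity' },
    @{ Key  = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\post platform'
       Name = 'WinTSI 01.12.2009' }
)
$files = 'psecurity.exe', 'win32extension.dll'

# Hypothetical helper: one result row per artifact.
function New-Finding($kind, $item, $present) {
    New-Object PSObject -Property @{ Kind = $kind; Item = $item; Present = [bool]$present }
}

$results = @()
$proc = Get-Process -Name 'psecurity' -ErrorAction SilentlyContinue
$results += New-Finding 'Process' 'psecurity.exe' $proc

foreach ($k in $keys) {
    $results += New-Finding 'RegKey' $k (Test-Path -LiteralPath $k)
}
foreach ($v in $values) {
    $found = $false
    if (Test-Path -LiteralPath $v.Key) {
        # Get-Item on a registry path returns a RegistryKey object
        $found = (Get-Item -LiteralPath $v.Key).GetValueNames() -contains $v.Name
    }
    $results += New-Finding 'RegValue' "$($v.Key) -> $($v.Name)" $found
}
foreach ($d in $dirs) {
    $results += New-Finding 'Directory' $d (Test-Path -LiteralPath $d)
    foreach ($f in $files) {
        $p = Join-Path $d $f
        $results += New-Finding 'File' $p (Test-Path -LiteralPath $p)
    }
}
$results | Sort-Object Present -Descending | Format-Table Present, Kind, Item -AutoSize -Wrap
```

Any row with Present = True after cleanup and a reboot means that step of the list did not take, or the item was recreated at startup.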

