Computer completely hijacked, can't even boot antivirus

Everyone has good answers, but the key is, as one poster noted, DON’T USE JUST ONE.

I was shocked when Microsoft Security Essentials found a Java trojan. Someone here mentioned how Java kept asking for updates. I have Java turned off in my browser so it wasn’t much of an issue. But AVG, AVAST, Malwarebytes, Windows Defender and Spybot didn’t catch the Java trojan.

Usually you can’t really run more than one antivirus program. I use AVG on one computer and AVAST on my other. Malwarebytes and Spybot are more geared to spyware and redirects than viruses, though they certainly handle both. This is why Malwarebytes and Spybot can easily be run with an antivirus program.

I would make darn well sure I downloaded Spybot, Malwarebytes, MSE, AVG (or AVAST) and update Windows Defender. Then run one after the other.

Make sure when you run them you are RIGHT CLICKING and running them as administrator. (Or run from Safe Mode).

Run one virus / antimalware program after the other to make sure. Always reboot after the scan is finished. Rebooting will make it obvious if the malware is hiding and reinstalling itself.

You can worry about resetting the DNS setting to the default later.

It sounds like malware rather than a virus, and it may be a fake anti-virus program. Verify the names of your anti-virus programs; it may tell you what you need to look for.

Also, your ‘antivirus’ alert is naming the same files multiple times and they are all system files. I think that I saw that as a red flag when the alert specified a background process that happened to be running at the time. Don’t trust that alert window, I suspect that it is the main problem.

I had one like this back in January. It downloaded in the background without asking. It was called Security Tool and it hid a couple of files that it kept copying and renaming every time I booted which made it very difficult to remove. Also the name was something random like GVH89FK. Fortunately I could find that name in the directories and registry and wipe them out using Malwarebytes and Spybot and booting to safe mode.

Judging by the fact that your Firefox has a fake IE error page, it may be doing the same thing. Make sure you are booting to safe mode when you are running these things. The randomly named directory that you deleted may pop back up. Take note of the name and search your registry and system drive for that name as well.

I was lucky as the malware only hijacked my browser and sent out these fake messages…it didn’t harm the rest of my data or computer. It took hours to wipe out.

This might provide some assistance.

Found it! Security Suite removal instructions

You might have to do this if you can’t stop the shdw.exe program from running…
Open up your ‘Start’ menu, choose ‘Run’ and type in ‘msconfig’. On the new window that opens, hit the ‘Startup’ tab and locate an executable like ‘shdw.exe’. Untick this process. Save the changes and restart. Now that Security Suite malware is not loading at startup, you can go ahead, download and launch our removal tool.
Keep in mind that there may be another one hiding there as well.

You may have a rootkit. Your screenshot looks like a legit AVG dialog and the detection (Win32/Patched) indicates an external process inserted code into the legit Windows ones. Some fake AV installers drop one on the system along with the main malware. Symptoms include repeated reinfection or browser redirects even after clearing out rogue DNS settings and the like. You can spot-check for TDSS (the most common) with TDSSKiller, with a more general scan using GMER. Also, for general scanning the free standalone Kaspersky Virus Removal Tool is useful, but it does take a while to scan.

Another thing to do is use the System File Checker by running sfc /scannow. You’ll want to have a Windows disc handy in case the files really are infected and have to be restored from the install CD.

If it’s a rootkit, it may take more than an AV to remove it. I had a TDSS variant last year, which took a while to pick apart. It finally took Combofix to stop it. If this is the case, I think he should consult either his AV/AM board, such as Malwarebytes’s, or Bleeping Computer, where the consultants have more experience using it. Usually, settings have to be written for it, so please consult them before using it or you might be in more trouble.

I have a mate’s Dell Inspiron here that had a rootkit.
After a couple of hours mucking about I reinstalled Windows; quicker and certain to remove it (repartitioned the hard drive).

The advice in my first post was not a joke or platform bashing. Save your important files somewhere, wipe the disk, and reinstall Windows.

Screwing around with all these recovery tools is a royal PITA and not guaranteed to fix your problem. Some of the recovery tools you find are just as likely to trash your system as whatever viruses you may have. Especially if you had a rootkit, you may find the system acts weirdly from now on even if it is apparently clean of viruses.

Wiping the disk and starting fresh takes maybe three hours of your time, depending on how many programs you have installed, and is guaranteed to work.

Actually, rootkits are simple enough to deal with if you can boot into another OS (something like BartPE or WinPE). They are usually in the C:\windows\system32 folder; just look there and rename any files that date from the time of the infection or later (don’t delete in case they’re needed – a rename will keep them from running without deleting them). You should be able to then run a scanner like Malwarebytes to clean the rest of the infection.
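As an added example (not from the thread, and not any poster’s tool), here is a read-only PowerShell triage script that applies the idea in the post above: list files under System32 written on or after a suspected infection date and report each file’s Authenticode signature status, so that signed, legitimately updated files can be separated from unsigned or tampered ones before anything is renamed. `$SystemRoot` and `$Since` are assumptions; point them at the mounted volume and the date of the infection.

```powershell
# Added example: read-only triage of System32 files changed since a given date.
# Intended to be run from a clean boot environment (e.g. WinPE) against the
# mounted, infected volume. It changes nothing; it only reports.
param(
    # Assumption: the infected volume is mounted so its System32 is at this path.
    [string]$SystemRoot = 'C:\Windows\System32',
    # Assumption: when the infection is believed to have started.
    [datetime]$Since = (Get-Date).AddDays(-7)
)

Get-ChildItem -Path $SystemRoot -ErrorAction SilentlyContinue |
    # Files only (PSIsContainer keeps this working on older PowerShell too),
    # written on or after the suspected infection date.
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $Since } |
    ForEach-Object {
        # Authenticode status tells the two cases apart:
        #   Valid        -> signed by a trusted publisher, contents unchanged
        #   NotSigned    -> no signature at all (worth a closer look)
        #   HashMismatch -> signed file whose contents were altered afterwards,
        #                   i.e. what a patched system binary looks like
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        New-Object PSObject -Property @{
            Name      = $_.Name
            Written   = $_.LastWriteTime
            Signature = $sig.Status
            Signer    = $signer
        }
    } |
    # Unsigned and tampered files first, newest first within each status.
    Sort-Object @{Expression = { $_.Signature -eq 'Valid' }}, @{Expression = 'Written'; Descending = $true} |
    Format-Table Name, Written, Signature, Signer -AutoSize
```

Windows Update also rewrites files under System32, so the date filter alone is noisy; the signature column is what makes the list useful, and a `HashMismatch` entry is the one to take to a rescan or to `sfc /scannow` rather than to a rename.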

I couldn’t find shdw.exe in the startup list.

Malwarebytes got the computer to getting web pages, but I couldn’t run Spybot because it insisted on updating before running, and both it and Java said they couldn’t contact their update servers.

I ran TDSSKiller, and it said it found things to fix, and that I would be healed after rebooting. When rebooting, the computer got about halfway through and then rebooted. This happened continually. It is now with the local computer geek woman, getting its little brain removed by way of a new 2TB partitioned boot drive, and the old boot drive being only storage, with of course its Windows files deleted.

I guess I should keep Spybot’s Tea Timer running from now on?

I hate to be the bearer of bad news, but I have seen this type of virus on computers running every type of antivirus software going; none of them are able to stop infection. As always, the best course of defence is caution on behalf of the person using the computer.

Yup, does not matter. When a new virus hits, most AV suites are of limited use; a week or two later they are better able to kill/remove/intercept it.

Security Suite will corrupt your rollback points. I had to wipe my computer and reinstall. It also messed up my motherboard so now I have no sound on my computer. On my laptop, I tried using AVG, UAC, Teatime, and another user account with no luck. My work computer has no hassles at all, but apparently my company is running top of the line anti-virus software, ESET NOD32 antivirus.

You may need to reload sound drivers and/or related files, but a virus will not physically damage your motherboard.

Damn, you guys make me want to get an SS infection just to see how much fun it is…

So…I guess I’d need to allow scripts and ads, switch to a non-daily updated browser… and possibly turn off my AV, and firewall (NAT too?)… what else? Should I also stop monitoring network traffic? And turn system sandboxing off? How about the (heuristic) memory protection? Or the stuff I have iceboxing my registry? Should I also turn on all those disabled windows system processes I deemed too unsafe to be allowed ever to be run?

Oh… and will SS mind if some Windows system files are rewritten to behave in a non-standard way? Or simply don’t exist? How about not using any program that’s made by Microsoft… will that be an issue? Like, if I’m not running explorer.exe… is that going to be a problem? I’m sure I have it somewhere if it’s needed. Can it go all MBR rootkit and stuff with Grub in the way?
Anything else come to mind that I should do to ensure I get infected?

Absolutely (heh).

You’ll never be sure, you can never trust an infected system again. Save your important files. Format the disk. Reinstall the system from a clean disk, and make sure you check any file from the old corrupted system before you use it in the new clean install.

…and for whatever’s sake you want, don’t buy a mac. :wink:

Try Combofix.

Google and download if you can.

A must use for rootkit infections.

Are there multiple worms that look like the one in the OP? Because if not, I don’t understand all the calls for reinstalling the OS.

As I stated above, Combofix should only be used with help from someone experienced with it. Many times, a script for a particular rootkit must be written for it. So, using it can either do nothing for the infection or make it worse by adding more problems.

I still have yet to see anything get by ProcessGuard. All it requires is knowing what programs run on your system, so you know not to let unknown ones run.

And, for goodness’ sake, get a flippin’ ad blocker: it truly is security software, and even Ed has recommended it until they can solve the virus problem.

I know this is an older thread, but I just wanted to say THANK YOU for posting this. My SO’s laptop got infected with XP Antivirus 2010 today when he was visiting Monster.com. An hour of trying the detailed Manual Removal tips specifically for that malware got us nowhere - the computer kept restarting before we could even get through step one (end processes in the task manager) - and one of the delights of that particular malware is that it blocks internet access, so you can’t get online to download tools to remove it.

Neither of us is particularly computer savvy, but following the instructions in this post of yours got him back online to download Malwarebytes, install it, and it did the trick beautifully.

While I was at it, I installed Malwarebytes on my laptop, even though I’m not currently having any problems, so if I get a nasty, maybe it’ll be easier to deal with.

Thank you thank you thank you!