Post by computing50yrs on Apr 22, 2010 9:58:23 GMT
I am getting a lot of calls to fix a particular trojan which goes under many different names but which causes mayhem, giving multiple windows all telling you that you have dozens of viruses and trojans. My grandchildren had it on 3 PCs, and from my computer club I have had members calling me with the same trojan.
The trojan switches off any attempt to run anti-virus or spyware programs. Stops you going to Microsoft web pages. You cannot access Task Manager or MSCONFIG. The current cure is to download the latest Malwarebytes (MBAM.exe) via another PC, put it on a memory stick, and also rkill.exe (this, if you can put it on your memory stick, should stop the processes associated with this trojan).
Start the PC in Safe Mode with Networking and run rkill from the memory stick, which will stop any of the processes which may be running, then install Malwarebytes, update it and then do a full scan. In most cases this will find and remove the problem. Rebooting then allows you to use your PC as normal.
Post by nike on Apr 22, 2010 21:01:35 GMT
Yep, that's a nasty one alright. Even after running MBAM and SAS in safe mode with networking, the computer still seems to be infected with traces of this trojan, so when I come across it, I save all their data files, and do a full re-format and re-install. At least I know then that it is gone completely.
Post by mikkh on Apr 23, 2010 9:05:07 GMT
I use this as a first step in removing stubborn infections: download.bleepingcomputer.com/sUBs/ComboFix.exe
It gets updated regularly, so you need to use that link. Ignore the request to download Microsoft Recovery Console when using it, and check the services afterwards as it likes to put them back to Microsoft defaults - System Restore, Automatic Updates, Security Center etc. are all switched back on.
Post by ken on Apr 23, 2010 14:08:54 GMT
ComboFix only works with Win 2K, XP and Server 2003.
Post by mikkh on Apr 23, 2010 19:03:39 GMT
(puts on loud panto voice) Oh no it doesn't! I've used it on several Vista machines with no problems. I think I've used it on a Windows 7 machine too - in fact I'll run it on mine to double check later. www.bleepingcomputer.com/combofix/how-to-use-combofix
That was dated 2008 and it mentions use in Vista.
Post by ken on Apr 23, 2010 19:19:32 GMT
I only run 64 bit systems Mikk, so it's that. I even used the compatibility wizard and it still comes up with that sign, and it says Win 32 on the top. Sorry; I thought it was a Win7 problem, I wasn't thinking about 64 bit and didn't read the header.
Post by nike on Apr 23, 2010 21:28:12 GMT
I've tried ComboFix on a few occasions Mikkh, with not much success against this type of infection. As time is money these days since I gave the major part of my bus driving away, I'd rather save their files and do a re-format. There is no cleaner machine than a reformatted and re-installed one.
Post by ken on Apr 24, 2010 5:23:29 GMT
If you reinstall from an image, it's quicker than messing around. I use a Paragon disk to reinstall, then I can do a full format before putting the image on. If you have got a fully installed system image on an external drive, you know it's clean, and a full format will get rid of all the nasties, no matter what. With Win7, you can do the same thing without using a 3rd party program. I can reinstall in less than half an hour; you can mess around for days and never get the system right after virus damage.
That's where I like SAS Pro and Spyware Blaster running in the background; you have got to be dead unlucky to get one anyway.
Post by computing50yrs on Apr 29, 2010 10:07:10 GMT
Just had another trojan calling itself Vista Antispyware 2010 which just plays havoc, redirecting web pages, reporting numerous viruses and trojans (except itself), reporting the system compromised etc. etc. Had Malwarebytes on the laptop but it wasn't up to date and couldn't get the updates. Managed to reinstall Malwarebytes from my master software memory stick and then copied a file from my master PC to the faulty laptop to update the Malwarebytes file, and scanned the laptop. Found 8 entries which it removed, and now it's back to normal.
Post by ken on Apr 29, 2010 14:56:54 GMT
A copy of MBAM on a flash drive can save a lot of pain Graham. I think that virus started out as Antispyware XP 2007 and it's been updated over the last 3 years. SAS Pro will grab it when it tries to get on. SAS Pro is normally $19.95 US, but they have one-day-only offers for $9.95 US. It's well worth buying if you can catch it on offer.
Post by ken on Apr 30, 2010 4:51:21 GMT
You can also get the portable SAS that runs from a flash drive Graham. Download from here: www.superantispyware.com/?tag=SUPERANTISPYWARE
Runs just the same as the installed version; just update it from a good computer before using it on an infected one.
Post by computing50yrs on Apr 30, 2010 8:59:50 GMT
Many thanks for the info, will download and put on mem stick, saves the hassle of trying to install with the trojan present. Makes life easier when I have to pop into a house to fix these trojans.

Re-edit - OK, downloaded and installed SAS. Installed on mem stick. Installed Malwarebytes on stick and updated, but the MWB update file under Win 7 goes into my C:/Program Data/Malwarebytes/rules.ref. Under XP it goes into C:/docs and settings/all users/application/malwarebytes/rules.ref. So need to copy from the updated file to mem stick, set a pointer to the rules.ref which I copied to the mem stick, otherwise won't have the updates if using the mem stick in another PC.

Modify no 2 - Computer Active gives a link to the following web site (Wikipedia) which lists most of the known scareware program names: en.wikipedia.org/wiki/Rogue_security_software
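The post above runs into the problem that the definition file lands in a different folder under XP and under Windows 7, so a memory-stick copy has to be pointed at the right place by hand. The PowerShell script below is an added example, not code from the thread or from Malwarebytes: it resolves the "common application data" folder through the .NET API (C:\ProgramData on Vista/7, C:\Documents and Settings\All Users\Application Data on XP), searches below the Malwarebytes folder there for rules.ref rather than hard-coding the subfolder, and copies it to or from the stick with a SHA-256 check so a damaged or tampered copy is not installed on the machine being cleaned. The stick drive letter (E:\), the mbam-defs folder name on the stick, and the assumption that rules.ref sits somewhere under <CommonAppData>\Malwarebytes are all assumptions of this example, not facts from the thread.

```powershell
# Added example (not from the thread or from Malwarebytes): carry the MBAM
# definition file rules.ref between a clean PC and a memory stick without
# hard-coding the XP or Windows 7 path.
# Assumptions: rules.ref lives somewhere under <CommonAppData>\Malwarebytes;
# the stick is E:\ and holds the copy under mbam-defs\ (both are parameters).

param(
    [string]$StickRoot = 'E:\',          # assumed drive letter of the stick
    [ValidateSet('Export', 'Import')]
    [string]$Mode = 'Export'             # Export on the clean PC, Import on the infected one
)

# Resolves to C:\ProgramData on Vista/7 and to
# C:\Documents and Settings\All Users\Application Data on XP.
$commonData = [Environment]::GetFolderPath('CommonApplicationData')
$mbamRoot   = Join-Path $commonData 'Malwarebytes'   # assumed vendor folder name

function Find-RulesRef {
    # Search below the Malwarebytes data folder so the exact subfolder
    # name (which differs between versions) does not have to be known.
    if (-not (Test-Path $mbamRoot)) { return $null }
    Get-ChildItem -Path $mbamRoot -Recurse -Filter 'rules.ref' -ErrorAction SilentlyContinue |
        Select-Object -First 1
}

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash needs PowerShell 4; the .NET class works on the v2
    # shell found on XP and Windows 7 machines of this era.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

$stickCopy = Join-Path $StickRoot 'mbam-defs\rules.ref'

switch ($Mode) {
    'Export' {
        # Run on the clean, freshly updated PC.
        $src = Find-RulesRef
        if (-not $src) { throw "rules.ref not found under $mbamRoot" }
        New-Item -ItemType Directory -Force -Path (Split-Path $stickCopy) | Out-Null
        Copy-Item -Path $src.FullName -Destination $stickCopy -Force
        # Record the hash beside the copy so the import side can verify it.
        Set-Content -Path "$stickCopy.sha256" -Value (Get-Sha256Hex $stickCopy)
        "Exported $($src.FullName) (modified $($src.LastWriteTime)) to $stickCopy"
    }
    'Import' {
        # Run on the PC being cleaned, after installing MBAM from the stick.
        $dst = Find-RulesRef
        if (-not $dst) { throw "Install Malwarebytes first; no rules.ref under $mbamRoot" }
        $expected = (Get-Content -Path "$stickCopy.sha256").Trim()
        if ((Get-Sha256Hex $stickCopy) -ne $expected) {
            throw "rules.ref on the stick does not match its recorded hash; re-export it from a clean PC"
        }
        # Do not overwrite newer definitions with an older stick copy.
        if ($dst.LastWriteTime -ge (Get-Item $stickCopy).LastWriteTime) {
            "Installed definitions are already as new as the stick copy; nothing done"
        } else {
            Copy-Item -Path $stickCopy -Destination $dst.FullName -Force
            "Replaced $($dst.FullName) with definitions from $stickCopy"
        }
    }
}
```

Run it as `.\Copy-MbamDefs.ps1 -Mode Export` on the updated machine and `.\Copy-MbamDefs.ps1 -Mode Import` on the one being cleaned (from an elevated prompt, since the common data folder is not writable by a standard user). The hash file is written on the clean machine, so a mismatch on import means the stick contents changed in between, which is exactly the case you do not want to trust on an already-compromised PC.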
Post by jojo on Apr 30, 2010 10:01:55 GMT
Always like to have some extra tools. So I've just downloaded both onto my pen drive.
The SAS seems to be a DOS program.
If I ever need to use it, should I start the computer normally, insert the drive and double click on the SAS command?
Post by ken on Apr 30, 2010 14:05:58 GMT
Yeah, it says it's a DOS program Jojo, but just double click it and it will work. I've run it on Win7 x64 and there's no DOS in that.
Post by jojo on May 2, 2010 5:59:26 GMT
Thank you Ken.
Post by ken on May 2, 2010 10:00:13 GMT
You're welcome Jojo, no probs.