Virus

Started by john, Jul 11, 2010, 18:13:13



john

I've just spent several days trying to rid my laptop of a virus called "Desktop Security 2010" (there is also an associated one called "SecurityCenter").

I'm not sure if it's the same or similar to the one discussed here: PC Compromised by Trojan

What it does is install itself and then opens a window which reports that the machine is infected with a list of viruses/trojans and asks for payment for a licence key to get rid of them (no chance!).

I tried at first to open Task Manager and kill any processes called "Desktop Security 2010" and "SecurityCenter" and then did a search for folders/files with these names and deleted them.

However, when I logged off and back in again it reproduced itself, so I did the same thing again and used regedit to search and delete them in the registry, but still it opened up again. It tries to stop anything else opening up; the desktop goes dark except for the window it opens, but fortunately I could open the Task Manager and kill the processes again.

I did a search on Google for it and it listed many sites with removal procedures, but I tried several without success.

I have also used several antivirus/anti-malware apps including Malwarebytes, Windows Defender and Dr Web (ensuring that the latest updates were used) but still it persisted. This is what has taken the time, as it took several hours to scan through all the files, but everything was reported as okay.

I think I have finally managed to get rid of it by using an application called Regcleaner, which listed the files that were starting up but was unable to delete them, so I deleted them manually in Windows Explorer. I then again deleted the files/folders/registry entries as above and it appears so far to have got rid of it (although I suspect there is still a file somewhere that would start it again if it was executed).

Fortunately it only seems to have affected my account, and I could therefore still use my admin account to download updated versions of antivirus/anti-malware apps and also to create a new account.

I can't remember which website I initially went to that caused the infection, but it wasn't anything dodgy.

I hope none of you get it because it's a pain to get rid of, and if anyone knows of any further steps to ensure it never comes back then please post them.


Steve

This seems a good walkthrough, John: http://www.malwarehelp.org/desktop-security-2010-removal-2010.html if it's complete? What about System Restore, will that have the malware as well?
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

Simon

Good link, Steve.  :thumb:
Simon.

john

Quote from: Steve on Jul 11, 2010, 18:43:03
This seems a good walkthrough, John: http://www.malwarehelp.org/desktop-security-2010-removal-2010.html if it's complete? What about System Restore, will that have the malware as well?

Thanks for that Simon, I did see that website and deleted the files it listed (I may not have deleted the ones that are randomly generated though), but it still persisted, and the link to the 'HijackThis executable' wasn't found.

I've not set a restore point for a long time so haven't tried that. I'm just doing another Malwarebytes scan and then I'll set one.

Steve

You need to turn off System Restore so it will delete any 'memories' of the malware, and then re-enable it.


Edit: http://free.antivirus.com/hijackthis/ which was missing from my earlier post.
Steve

Steve

Got home today. "Dad, something's wrong with the laptop, BankerFox.A something or other, and I can't get rid of it."

It's now gone, what a nuisance: no internet access, all proxied to goodness knows where, security popups all over the place. I managed a bit of regedit to gain internet access and managed to download Malwarebytes and the database, which seems to have done the trick. :fingers:

I would have used HijackThis to gain internet access and permit the remover download, but didn't know which process to block, so I found a regedit which seemed to work.

Windows Registry Editor Version 5.00

; Remove the per-user .exe open command the trojan installed under the current user's class hive
[-HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
; ...and the per-user "secfile" class it uses
[-HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]

; Drop the hijacked machine-wide open command for .exe
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

; Point the .exe extension back at the standard exefile class
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

; Remove the machine-wide "secfile" class
[-HKEY_CLASSES_ROOT\secfile]


http://hands-oncorp.com/2010/02/22/banker-fox-a-removal-instructions/
Steve

Simon

We should start building a database of these fixes, Steve.  :)
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Steve

I've no idea where he found that one, but it's a sod. SuperAntiSpyware just crashed every time I tried to load it unless used in safe mode, and I could not update the database. I had to use the Mac :whistle: to get the files and prepare the regedit; frustratingly, most of the Google results led to Spyware Doctor, which is not free. We've now got Malwarebytes on the other Windows machines.

Although the laptop scans clear now, I still had to manually turn off the Trojan-induced 'use proxy' setting in IE and FF.
Steve
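A read-only check for the two persistence tricks Steve's posts above describe (the per-user .exe/secfile association hijack fixed by his regedit, and the forced proxy setting he had to turn off by hand), written as an added example for this thread rather than taken from it or from the linked removal guides. It assumes a stock Windows install, where HKCU\Software\Classes\.exe is absent and exefile's open command is "%1" %*; it changes nothing, it only reports.

```powershell
# Added example (not from the thread): detect the .exe association hijack and forced
# proxy described above. Read-only; run in PowerShell on the affected account.
$findings = @()

# 1. Per-user class keys. Assumption: on a clean install neither key exists, so their
#    presence is a strong sign every .exe launch is being redirected through 'secfile'.
foreach ($key in 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\secfile') {
    if (Test-Path $key) {
        $findings += "Unexpected per-user class key present: $key"
    }
}

# 2. Machine-wide .exe extension must map to the stock 'exefile' class...
$hkcrExe = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe' -ErrorAction SilentlyContinue
if ($hkcrExe.'(default)' -ne 'exefile') {
    $findings += "HKCR\.exe default is '$($hkcrExe.'(default)')' (expected 'exefile')"
}

# ...and exefile's open command should be the stock '"%1" %*' with nothing wrapped around it
$cmd = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' `
        -ErrorAction SilentlyContinue).'(default)'
if ($cmd -ne '"%1" %*') {
    $findings += "exefile open command is '$cmd' (expected '`"%1`" %*')"
}

# 3. WinINet (IE / system) proxy forced on, as in the later post about IE and Firefox
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) {
    $findings += "Proxy is enabled for this user, pointing at: $($inet.ProxyServer)"
}

if ($findings.Count -eq 0) {
    'No .exe association or proxy hijack indicators found.'
} else {
    $findings | ForEach-Object { "WARNING: $_" }
}
```

Firefox keeps its own proxy setting in its profile, so a clean result here only covers IE and anything else using the WinINet setting.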

Niall

It does make you wonder when specific virus attacks lead back to one removal product, doesn't it?
Art is not a handicraft, it is the transmission of feeling the artist has experienced.
Leo Tolstoy

Steve

Although I believe PC Tools Spyware Doctor is a legitimate app, on this occasion they managed to advertise well.
Steve