Virus removal help needed

Started by tehidyman, Apr 23, 2011, 17:03:44


tehidyman

I have picked up a problem on my computer. At practically every operation I am getting a message that I have been infected with 38 malicious items which I need to remove with MS removal tool which it seems will cost me lots of dollars. My Microsoft Security Essentials appears to be blocked and so is my Malwarebytes. What is the best solution? I can work on my netbook which is wireless to the router. Any help will be much appreciated as I am close to panic.

Simon

Can you get into safe mode?  If so, do so, and sweep with Malwarebytes. 
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Steve

If you get the name of the software it wants you to purchase, it should give a clue to the infection and then you (we) can look for the software to try to eradicate it. It is likely it's blocked access to the internet apart from one website. You should be able to use the netbook to get the required software and then copy across.
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

Baz

Sorry, can't help much, but this sounds very similar to a problem I had about a month ago. I too kept getting the 'MS removal tool' window and it blocked all my AV programs so I couldn't do anything. I don't ever remember downloading any MS removal tools so this instantly made me think it's a virus in itself.

All I could do was boot into safe mode and do all spyware and malware checks and anti-virus checks, then reboot. These came back clean but on reboot the fault showed again.
I eventually was in the process of doing an install from a recent backup and it just sort of cleaned itself :dunno: :dunno: and stopped flashing the warning.

Stinks of virus to me, I just don't know. I haven't had it since, thankfully, so unless the safe mode checks killed it and just took a while to right itself, I don't know.

Nasty thing it was though. Hope you get it sorted, sorry I can't help.

Technical Ben

Malwarebytes should kill it in safe mode. But it will keep coming back, unless you delete the folders and registry entries the virus made. These can be random, so hard to find. I'm not sure how to go about that though.
This site gives some advice. http://www.bleepingcomputer.com/virus-removal/remove-ms-removal-tool
This one has a simpler list...
http://www.precisesecurity.com/rogue/microsoft-removal-tool/
I used to have a signature, then it all changed to chip and pin.

Niall

This is actually a bit harder to get rid of than you'd think. My aunt had this a couple of months ago. It took me hours getting all the rubbish off her system. Malwarebytes does tell you what the malware is, but if it's the one she had, you'll need to find the name of the virus/malware and search Google for it. There are removal tips everywhere, and while you can remove it, be sure to check all your temp folders for rogue files. Also run registry cleaners, and it's worth having a look manually through the registry for entries too.

I actually couldn't get rid of everything, even in safe mode. Well, not the first time. As I say, it took me hours, although a lot of that was the incredibly slow netbook she has, taking about 5 minutes to do something that normally takes 20 seconds. Also her system was so slow, PSI wouldn't run properly!

Oh, that's another thing. Try installing PSI when you've got your system clean. It's ace for keeping your vulnerable programs updated.

{edit} and while typing, I see someone has already said what I just did. Bah ;D
Flickr Deviant art
Art is not a handicraft, it is the transmission of feeling the artist has experienced.
Leo Tolstoy

Steve

I see you must be using your aunt's machine Niall. >:D
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

Ted

First thing I'd do is boot the machine from a Linux live CD, Ubuntu's always good. Then copy all your work, documents, etc. onto a removable drive, and then try to get rid of the problem. Worst case is that you have to reinstall the OS. But as you now have all your stuff, no problem.  :thumb:
Ted
There's no place like 127.0.0.1

Glenn

Look in C:/documents and settings/all users, ensure that files and folders are visible, along with Hide protected operating system files. In that directory you should find a randomly named subdirectory (e.g. WUJKLRFBDERT), with a randomly named file inside it (e.g. AVME.exe). Delete that file and reboot; the scareware should not reappear.
Glenn
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.
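
A read-only way to carry out the check described in the post above, as an added example that is not part of the original thread: it lists `.exe` files sitting directly inside random-looking subdirectories of the All Users profile so they can be reviewed before anything is deleted. The "four consonants in a row" test, the function names and the default path are assumptions made for this sketch.

```python
import os
import re
import sys

# Assumption: a run of 4+ consonants marks a directory name as "random-looking".
# Ordinary profile folders (Desktop, Documents, Application Data) do not match.
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]{4,}", re.IGNORECASE)


def looks_random(name):
    """Heuristic only: True if the name has four or more consonants in a row."""
    return bool(CONSONANT_RUN.search(name))


def find_suspects(root):
    """Return sorted (directory, executable) pairs for review. Nothing is deleted.

    os.scandir also returns hidden and system entries, so the result does not
    depend on Explorer's "show hidden files" settings.
    """
    suspects = []
    for entry in os.scandir(root):
        if not entry.is_dir(follow_symlinks=False) or not looks_random(entry.name):
            continue
        try:
            children = list(os.scandir(entry.path))
        except OSError:
            continue  # unreadable directory: skip it rather than abort the sweep
        for child in children:
            is_file = child.is_file(follow_symlinks=False)
            if is_file and child.name.lower().endswith(".exe"):
                suspects.append((entry.name, child.name))
    return sorted(suspects)


if __name__ == "__main__":
    # Default path is the one named in the post; pass another root as argv[1].
    default_root = r"C:\Documents and Settings\All Users"
    root = sys.argv[1] if len(sys.argv) > 1 else default_root
    for directory, exe in find_suspects(root):
        print(os.path.join(root, directory, exe))
```

A hit is only a candidate for inspection; legitimate software can also use consonant-heavy folder names.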

tehidyman

Thanks for all the suggestions. Running Malwarebytes in safe mode did not find anything. However following all the instructions in http://www.bleepingcomputer.com/virus-removal/remove-ms-removal-tool took a long time but has worked. So panic over and again thanks for the help

Steve

 :thumb: Now if you can remember where you caught it. ;D
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

Lona

Last time I got that one I did a system restore and it got rid


If one took the Scots out of the world, it would fall apart
Dr. Louis B Wright, Washington DC, National Geographic (1964), from Donald MacDonald, Edinburgh :thumb:

sobranie

Loads of these virus cleaners around at the mo. Guaranteed to louse up your machine if you click on them.
Ctrl/Alt/Delete to stop the prog doesn't seem to work either.
So, if you get the 'little box' best thing to do is to shut down immediately, NO NOT REBOOT, SHUT DOWN. If you can't then switch off at the wall. Start the 'puter as normal a few minutes later and the little box should have vanished.
This info comes from experience of my other half falling foul of the 'OFFER' which resulted in a complete reformat as the one she clicked on wouldn't permit access to the net.

pctech

I'd recommend a complete powerdown immediately as shutting down gives it time to do mischief.

Hold in the power button for 10 seconds and the machine will power off, this is defined in the ACPI specs so is not machine specific.

Give it 5 minutes and then boot it back up.


TheDuke

I would strongly advise against holding down the power button to turn off your PC unless absolutely necessary. Doing so can result in half-written files on your hard drive, and if the half-written file is important, you may find yourself unable to boot your PC.
Our clients are always getting these types of malware on their PCs.
In my experience by far the quickest way to remove these types of malware is to reboot your PC into safe mode and do a system restore. Make sure you restore a good couple of days before you noticed anything strange and all will be fine.
The system restore will not remove the malware installer (usually in temp files) from your computer, so if you want to put the energy into it, then you can also run a scan with your favourite tool once you're back up and running.

Technical Ben

Quote from: tehidyman on Apr 23, 2011, 22:07:42
Thanks for all the suggestions. Running Malwarebytes in safe mode did not find anything. However following all the instructions in http://www.bleepingcomputer.com/virus-removal/remove-ms-removal-tool took a long time but has worked. So panic over and again thanks for the help

Glad to hear it was sorted. I'd not been able to do this on a friend's computer for the reason it takes time. Having 15 mins free while over there was not enough to get it done. When they did not have the time themselves, I ran out of advice on what to do.  :dunno:
I used to have a signature, then it all changed to chip and pin.

john

Sorry, I've only just seen this thread, it seems similar to the one I got last year (discussed here)

I did eventually get rid of it by manually deleting some suspicious files in (I think) my temporary internet files folder which were not deleted by CCleaner or using the option in the browser's 'tool' window.

gyruss

SUPERAntiSpyware do a good 'portable' scan/cleaner which is a .com file too. Runs very well, and has removed instances of this kind of thing when Malwarebytes appears to be blocked.
Jase