My sister got one of those fake antivirus trojans on her Vista laptop. It didn't change her background, but pops up "Vista Security Center" BS stuff all over the place and has killed her internet - both IE and Firefox crash when they start up, and if they do stay up there's some DNS redirect or proxy or something saying the computer is infected. Bah!
Normally when I've had to clean these things up I start in Safe Mode, run HijackThis to disable the offending process from starting up automatically and then reboot and run scanners (adaware lately) to clean things up.
This time though, the friggin' thing even runs in safe mode. I'm in safe mode, but after a few seconds the trojan app pops up, and I can't connect to the Internet because of the same proxy junk that it has. Soooooo....my questions:
My plan now I guess is to run a bootable AVG CD and see if that can clean it, but I haven't had luck with that in the past, leading to...
This is now the third infection like this in as many weeks from people I know. All computers were supposedly either running MS Security Essentials or AVG - are those just not catching whatever this is before it does damage and they suck, or is something else going on?
Speaking of AVG, I tried running the bootable CD on another infected computer a while back and it didn't find anything. It wasn't until I did the HijackThis stuff that I had success cleaning things.
How is this thing running in safe mode even? And how can I disable startup items in that case? I didn't see anything funny when running msconfig, but maybe I missed it. I didn't have HijackThis on me when I was looking at it tonight so I'll try running that next and see what happens, but since the trojan is running even in safe mode I'm not confident it won't kill that when I try and run it.
Any thoughts or ideas? Thanks!
EDIT: Thanks all for the advice! This one turned out to be one of the trickiest removals I've done. I managed to run HijackThis in Safe Mode, in between popups (it was an obw.exe that kept running) and disabled a bunch of things that didn't look right, but none of them jumped out at me as the offending application. I was also able to run AVG's scan in safe mode but it didn't say it found anything. But somehow I (or the trojan?) managed to disable .exe extensions from running - I booted into regular mode and could no longer launch an application. Every .exe shortcut prompted for which application I wanted to associate it with; trying to run Task Manager or regedit said it couldn't find the application.
I managed to find some instructions that had me copy regedit.exe to regedit.com, letting me run regedit to try and restore some .exe association so that they would run. I found in the key (ROOT-something?) that it apparently was calling this obw.exe application and running every .exe launch through that. Nice. Anyway, once I restored the registry settings everything seemed to be set. I ran AdAware and MS Security Essentials scans and both came back clean. Crossing my fingers that it'll stay that way!
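A defender-side check for the .exe association hijack described in the EDIT, added here as an example and not part of the original post. It reads the standard registry keys Windows consults when an .exe is launched (HKCR\.exe, HKCR\exefile\shell\open\command, and the per-user HKCU\Software\Classes\.exe override) and compares them with the stock defaults; the -Repair switch and the helper function name are my own additions. It assumes an elevated PowerShell that can already start, i.e. after a workaround such as the regedit.com rename the post describes.

```powershell
# Added example (not from the original post): audit the .exe file-association
# chain that a fake-AV trojan can hijack so every .exe launch is routed through
# its own binary. Run from an elevated PowerShell; -Repair rewrites the defaults.
param([switch]$Repair)

if (-not (Test-Path 'HKCR:\')) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# Windows defaults: .exe maps to the "exefile" class, whose open command is "%1" %*.
$expected = @{
    'HKCR:\.exe'                       = 'exefile'
    'HKCR:\exefile\shell\open\command' = '"%1" %*'
}
# Per-user override that takes precedence over HKCR; it should not normally exist.
$userOverride = 'HKCU:\Software\Classes\.exe'

# Helper (my own name): return a key's (default) value, or $null if the key is absent.
function Get-DefaultValue($path) {
    if (Test-Path $path) { (Get-ItemProperty -Path $path).'(default)' } else { $null }
}

$problems = 0
foreach ($path in $expected.Keys) {
    $actual = Get-DefaultValue $path
    if ($actual -ne $expected[$path]) {
        $problems++
        Write-Warning ("{0} = [{1}]  expected [{2}]" -f $path, $actual, $expected[$path])
        if ($Repair) {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            Set-ItemProperty -Path $path -Name '(default)' -Value $expected[$path]
        }
    }
}

if (Test-Path $userOverride) {
    $problems++
    Write-Warning ("{0} exists (default = [{1}]) and overrides HKCR for this user" -f
        $userOverride, (Get-DefaultValue $userOverride))
    if ($Repair) { Remove-Item -Path $userOverride -Recurse -Force }
}

if ($problems -eq 0)  { 'exe association looks intact.' }
elseif ($Repair)      { "$problems issue(s) repaired; reboot and rescan." }
else                  { "$problems issue(s) found; rerun with -Repair to restore defaults." }
```

Any command string that is not exactly `"%1" %*` (for example one naming a file like obw.exe) means executables are being launched through another program and is worth capturing for analysis before repairing.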