Got a virus, don't know what to do:(

Turned on my mum's laptop today and after a while using it, a message popped up saying the computer was infected and it started to run a virus scan. It also wouldn't allow me to browse to any websites as they were all flagged as being threats.

However...

These messages were not from my virus scanner (Microsoft Security Essentials), they were from something called antivir solution pro. Somehow this was downloaded to the laptop (I was only on two websites at the time, ocuk and imageshack).

Every few seconds a 'windows security alert' balloon pops up and tells me wuauclt.exe is infected (I assume this is Windows Update, there are now about 20 instances of it open in my tray). Windows also pop up telling me things are infected, and asking whether I would like to activate my antivirus software (antivir solution pro, they obviously want my card details).

The program doesn't appear in my program list to remove, I can't search for it, and Microsoft Security Essentials tells me it is infected so I can't run a virus scan. I also can't find anything suspicious in my startup list to uncheck when I go to system config.

If I restart, antivir solution pro runs and greets me with a load of popup tat telling me to register and also starting a full system scan (obviously fake). Its icon is a little green shield with a tick in it in the tray.

What do I do?!
 
Update....

Weird. Just tried again after posting this. Antivir solutions pro has stopped running, I can now run Microsoft Security Essentials.

Currently doing a full system scan, will see what happens.
 
Malwarebytes tends to be the best at getting rid of this. It sometimes stops Malwarebytes running or updating, which can be a pain.

If that is the case, renaming the .exe and manually copying the definitions from another PC is normally the route I go.

I tend to do a 'fast' run in safe mode, then a full scan in normal windows.

At least you can run .exes atm, sometimes this 'type' messes up the reg and stops .exes running.
 
Hope you've managed to get rid of the virus, but just for the future, I'd advise downloading rkill. It's a program that stops recognised malicious processes from running, allowing you to then remove them. I've had to use it before for a virus that stopped me opening the Task Manager, and it works a charm. It's available with various extensions too, to prevent malware from halting its operation. You can find links to download it here.
 
Had exactly the same thing on my wife's laptop yesterday. I suspect it originated from one of those scare tactic popups on't internet - "your computer has been infected - click here" yaddayaddayadda.

Apart from writing itself to the registry and into startup, it also sets up a null proxy so that any page you think you're browsing to comes up with that "attack site" warning.

I did however find it in sys config - an "unknown" randomly named program - so unchecking that from starting was my first step. Deleting the actual file from C:\Users\convolutedaddress was next, followed by setting IE and FF to not use the non-existent proxy.

A quick restart followed by a thorough Spybotting seemed to do the trick.
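
The two changes described in the post above (a startup entry for a randomly named program under the user profile, and a proxy setting that points at nothing) can be checked read-only from PowerShell. This is an added example, not part of the original thread; it assumes it is run as the affected user, and treating a loopback proxy address as the bogus case is an assumption, since the post does not give the proxy value.

```powershell
# Added example: read-only triage, changes nothing on the machine.
# Assumption: run as the affected user, so HKCU is that user's registry hive.
$inet    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

# 1. System (Internet Explorer) proxy. An enabled proxy with nothing listening
#    behind it makes every page fail to load.
$p = Get-ItemProperty -Path $inet
$enabled = ($p.ProxyEnable -eq 1)
[pscustomobject]@{
    ProxyEnabled = $enabled
    ProxyServer  = $p.ProxyServer
    # Assumption: a loopback address is the typical "proxy that is not there".
    LooksBogus   = $enabled -and ($p.ProxyServer -match '127\.0\.0\.1|localhost')
} | Format-List

# 2. Startup entries whose command line points into a user-writable folder.
$userDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData) |
    Where-Object { $_ }
$hits = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        foreach ($dir in $userDirs) {
            # Literal, case-insensitive substring test (no wildcard surprises)
            if ($cmd.IndexOf($dir, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd }
                break
            }
        }
    }
}
if ($hits) { $hits | Format-List } else { 'No Run entries start from a user-writable folder.' }
```

Entries it lists are candidates for review rather than verdicts, because legitimate programs also start from the user profile. Firefox keeps its proxy setting in its own profile, so that browser has to be checked separately.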
 
I have had this too many times! Win Security Essentials is fake. Just google Windows Security Essentials on another PC (the one you are on) and it will tell you which processes to end. Once you have ended the processes it will allow antiviruses like Malwarebytes to do a scan and remove it.
 