I had one of these last night. When I ran regedit (having logged in normally) it opened and then promptly closed down. Booted into safe mode and checked the software\windows\currentversion\run & runonce keys for anything that looked suspect (running from temp, app data, etc. Removed those keys, and the random named .exe they launched.
Rebooted back into windows, cleaned up the host files, and then downloaded the latest version of MalwareBytes. 90 minutes later and the machine reported itself as clean. I need to run another scan to check and then work out what AV package is on there, as there were shortcuts for Norton, AVG and MacCr@ppy on the desktop. From: Rankin, James R [mailto:kz2...@googlemail.com] Sent: 20 May 2011 20:51 To: NT System Admin Issues Subject: Re: System Restore and Scareware Some of these little beasties are easy to beat - I've seen ones where deleting a file did the trick. Unfortunately at the other end of the scale live some crafty process-injection nasties that are a veritable nightmare to find. Fortunately MalwareBYtes has a good track record of pulling them out for you. Typed frustratingly slowly on my BlackBerry(r) wireless device ________________________________ From: "Bob Hartung" <bhart...@wiscoind.com> Date: Fri, 20 May 2011 14:47:23 -0500 To: NT System Admin Issues<ntsysadmin@lyris.sunbelt-software.com> ReplyTo: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com> Subject: System Restore and Scareware I've had a couple of recent cases of scareware infecting some Windows XP Pro systems here. One reported lots of virus infestations and prevented the user from accessing the internet and, for a low price, would fix all. The other reported that the hard drive had tons of errors and the boot sector was gone, etc. And for a small fee, their utility could fix it. This system was unusable. Maybe this is pretty basic but I haven't seen mention of it but in both cases, Window's System Restore easily removed both. I've seen descriptions of fixing infected systems involving fairly complex procedures and multiple utilities. I guess I just wanted to recommend giving System Restore a try first before resorting to the heavy artillery. On the system that had the failed hard drive scareware, it was impossible to access System Restore in normal windows. I figured Safe Mode was the way to go but I discovered System Restore is not available in Safe Mode. I did learn that you can run System Restore in Safe Mode with Command Prompt. Just enter "%systemroot%\system32\restore\rstrui.exe" at the command prompt and you're in System Restore. Not sure why regular Safe Mode wouldn't have that command available. Hope that's of help to someone else. ---------------------- Bob Hartung Wisco Industries, Inc. 736 Janesville St. Oregon, WI 53575 Tel: (608) 835-3106 x215 Fax: (608) 835-7399 e-mail: bhartung(at)wiscoind.com ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com> with the body: unsubscribe ntsysadmin This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. QinetiQ may monitor email traffic data and also the content of email for the purposes of security. QinetiQ Limited (Registered in England & Wales: Company Number: 3796233) Registered office: Cody Technology Park, Ively Road, Farnborough, Hampshire, GU14 0LX http://www.qinetiq.com. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin