#1 |
Join Date: Nov 2010
Gametype: Capture the Flag Posts Rated Helpful 38 Times
|
Help me remove this virus Vista
I'm not sure it is a virus, but, yesterday my younger brother accidentally installed one of those fake antivirus programs (Vista Internet Security 2012) that spams you with fake virus alerts and tries to force you to upgrade it.
Anyways, it ran every time an exe file was run, so I changed in the registry to allow exe files and I managed to run Malware Bytes and Spybot S&D to remove it. All was fine, and fun in FF/TFC was had. Now tomorrow, I wake up and try to launch Steam, and I get the error: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." This happened with all of my exe's, including MalwareBytes and SpybotS&D, so basically I can't run them. I am able to re-install the programs, but shortly into a scan they crash and attempting to open them again gives me the same error: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

It also re-directs my search results, for example if I select a result on Google after searching it will re-direct me to advertisement sites instead of the site I was intending to go to through Google. This is really pissing me off now, I've been trying to fix it for hours with no success. Does anyone have any idea?
#2 |
D&A Member
Join Date: Sep 2007
Posts Rated Helpful 13 Times
|
Format C:\
But seriously though, can you boot into safe mode? If so, can you run things normally? That fake antivirus shit is annoying, sometimes it's tricky sometimes it's super easy to get rid of. Try doing a system restore from a few days previous, that would be the first thing I'd try. |
#3 | |
Join Date: Nov 2010
Gametype: Capture the Flag Posts Rated Helpful 38 Times
|
Quote:
I think I disabled system restore quite some time ago.
Last edited by oaties; 07-26-2011 at 02:49 AM.
#4 |
dunkaroos
|
Download rkill. Download the one that is named iexplore.exe so the malware doesn't try to kill it. Run it and let it kill the malware processes. Download either Malwarebytes or Superantispyware. I prefer Superantispyware. Update either before scanning. Remove what it finds. Optionally use Combofix to clean some things up after removing the malware. Do all of this in normal mode and not safe mode. That should get rid of it, if not check out that Bleepingcomputer site for a specific tutorial.
|
#5 |
older than dirt
Join Date: Mar 2007
Location: just east of the jug handle
Posts Rated Helpful 9 Times
|
First, temporarily disable system restore.
If you need it, instructions are here: http://support.microsoft.com/kb/310405

I've had some success before by renaming the Malwarebytes mbam.exe to something else, then just running the renamed mbam.exe in safe mode.

For running Superantispyware, here are the various how-to options: http://www.superantispyware.com/supp...ay.html?faq=71

Then I'd do as Rodox said and, after the renamed Malwarebytes run, do Superantispyware followed by Combofix to do a more thorough cleaning. Google for the particular fake a/v that was downloaded to see if there are specific instructions on how to get rid of it. Once clean, then re-enable system restore.

But I have to say that in the long run, regardless of what you do, you may have to do a clean install of Windows to get rid of it.
#6 |
Elder Scroll
Join Date: Mar 2007
Location: Cell Block 17
Posts Rated Helpful 13 Times
|
Here are instructions for manual removal that you can find at the 2-spyware site: http://www.2-spyware.com/remove-vist...rity-2012.html
Remove Vista Internet Security 2012

Delete registry values:

HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'

HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'

HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'

HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'

Delete files:

%AllUsersProfile%\U3F7PNVFNCSJK2E86ABFBJ5H

%LocalAppData%\ppn.exe

%Temp%\U3F7PNVFNCSJK2E86ABFBJ5H

%LocalAppData%\U3F7PNVFNCSJK2E86ABFBJ5H

%AppData%\TEMPLATES\U3F7PNVFNCSJK2E86ABFBJ5H
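Added example (not part of the thread or of the 2-spyware instructions): a check for the handler hijack listed in post #6, which flags any `.exe`/`exefile` open command that launches something other than `%1` (the stock `exefile` value is `"%1" %*`) and any StartMenuInternet entry that launches a program other than the browser the key names. The entries in `SAMPLE` are constructed from that list plus two clean values, and the function names are hypothetical.

```python
import re

# Key shapes from post #6: .exe / exefile open handlers and browser client entries.
EXE_HANDLER = re.compile(r"\\(\.exe|exefile)\\shell\\open\\command$", re.I)
BROWSER = re.compile(r"\\Clients\\StartMenuInternet\\([^\\]+)\\shell\\[^\\]+\\command$", re.I)

def first_token(command):
    """Return the program a command line launches (quoted or bare first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(None, 1)[0] if command else ""

def audit(key, command):
    """Return a finding string for a hijacked handler, or None if it looks stock."""
    target = first_token(command)
    if EXE_HANDLER.search(key):
        # A stock handler starts the clicked file itself, i.e. "%1".
        if target != "%1":
            return "exe handler launches " + target + " instead of %1"
        return None
    match = BROWSER.search(key)
    if match:
        exe = target.rsplit("\\", 1)[-1]
        if exe.lower() != match.group(1).lower():
            return "browser entry " + match.group(1) + " launches " + exe
    return None

# Constructed sample: two hijacked values as quoted in post #6, two clean ones.
SAMPLE = [
    (r"HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command",
     r'"%LocalAppData%\kdn.exe" -a "%1" %*'),
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", r'"%1" %*'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command",
     r'"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command",
     r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
]

def findings(entries=SAMPLE):
    """List (key, reason) for every entry that audit() flags."""
    return [(key, reason) for key, value in entries if (reason := audit(key, value))]

if __name__ == "__main__":
    for key, reason in findings():
        print(key, "->", reason)
```
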
#7 | |
D&A Member
Join Date: Mar 2007
Location: New Hampshire
Posts Rated Helpful 0 Times
|
Quote:
We run into that virus at work a lot and the stuff Rodox listed works great to clean it out. We use MBAM though. I haven't tried Superantispyware. -Icculus |
|
#8 |
Pew pew ze beams
Join Date: Jan 2008
Gametype: Gathers Affiliations: pew pew Posts Rated Helpful 11 Times
|
I had one of those viruses that blocked all my antivirus and spyware programs, and renaming Malwarebytes did work for me D:
|