Anybody else had a fake Windows Essentials Security alert?

Need help with your PC or Modding Projects?
jinn
128-bit
Posts: 569
Joined: Fri Jun 25, 2010 2:12 am
Location: California

Re: Anybody else had a fake Windows Essentials Security alert?

Post by jinn »

If that's the case, then he would need to replace the RAM.
PSone, Xbox, PS2, DC, SS Mod Service, PM for details
AznKhmerBoi
Next-Gen
Posts: 2574
Joined: Sun Jan 31, 2010 11:04 am
Location: Pennsylvania

Re: Anybody else had a fake Windows Essentials Security alert?

Post by AznKhmerBoi »

well in my case situation-

I got rid of the pop-ups and whatnot.
The computer seems to be running at normal pace.

But I'm kinda scared that the root file is floating around somewhere.
PSN- jacktsang05
WiiU- jacktsang05


ChuChu Flamingo
64-bit
Posts: 343
Joined: Sun Aug 01, 2010 3:49 pm
Location: Michigan

Re: Anybody else had a fake Windows Essentials Security alert?

Post by ChuChu Flamingo »

Boot to safe mode.

Download rkill onto a USB. There are many different extensions to run it, just use one that works.

Scan with anti virus.



http://www.bleepingcomputer.com/downloa ... irus/rkill
CRTGAMER
Next-Gen
Posts: 11933
Joined: Tue Jan 05, 2010 11:59 am
Location: Southern California

Re: Anybody else had a fake Windows Essentials Security alert?

Post by CRTGAMER »

A recent post: http://www.racketboy.com/forum/viewtopi ... 14#p389714


In case you ever get this one the MANUAL fix.
AntiVirus AntiSpyware 2011 Manual Removal

Kill processes:
AntiVirus AntiSpyware.exe, securitymanager.exe, mscjm.exe, recf.exe, securityhelper.exe

Delete registry values:
HKEY_CURRENT_USER\Software\AntiVirus AntiSpyware 2011
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus AntiSpyware 2011
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AntiVirus AntiSpyware 2011"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AntiVirus AntiSpyware 2011 Security"

Delete files:
AntiVirus AntiSpyware.exe, securitymanager.exe, AntiVirus AntiSpyware 2011.lnk, mscjm.exe, recf.exe, securityhelper.exe, [random].exe

Delete directories:
%APPDATA%\AntiVirus AntiSpyware 2011
CRT vs LCD - Hardware Mods - HDAdvance - Custom Controllers - Game Storage - Wii Gamecube and other Guides:
CRTGAMER Guides in Board Guides Index: http://www.racketboy.com/forum/viewtopi ... 5#p1109425
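
A read-only PowerShell check for the artifacts in the removal list above, added here as an example and not part of the original post. The names and paths come from that list; the search root for the file names (the user profile) and the New-Finding helper are assumptions.

```powershell
# Added example: read-only audit for the artifacts named in the removal list.
# Nothing is deleted; review the output before removing anything by hand.
$procNames  = 'AntiVirus AntiSpyware', 'securitymanager', 'mscjm', 'recf', 'securityhelper'
$fileNames  = 'AntiVirus AntiSpyware.exe', 'securitymanager.exe', 'mscjm.exe', 'recf.exe',
              'securityhelper.exe', 'AntiVirus AntiSpyware 2011.lnk'
$regKeys    = 'HKCU:\Software\AntiVirus AntiSpyware 2011',
              'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus AntiSpyware 2011'
$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runNames   = 'AntiVirus AntiSpyware 2011', 'AntiVirus AntiSpyware 2011 Security'
$dataDir    = Join-Path $env:APPDATA 'AntiVirus AntiSpyware 2011'
$searchRoot = $env:USERPROFILE   # assumption: the list gives file names only, no locations

# Hypothetical helper: one row per artifact found.
function New-Finding($Type, $Item, $Detail) {
    [pscustomobject]@{ Type = $Type; Item = $Item; Detail = $Detail }
}

$findings = @(
    # Running processes; Get-Process matches names without the .exe suffix.
    Get-Process -Name $procNames -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'Process' $_.Name "PID $($_.Id) $($_.Path)" }

    # Registry keys created by the program.
    foreach ($key in $regKeys) {
        if (Test-Path -LiteralPath $key) { New-Finding 'RegistryKey' $key 'present' }
    }

    # Autostart values under the per-user Run key.
    $run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
    foreach ($name in $runNames) {
        if ($run -and $run.PSObject.Properties[$name]) {
            New-Finding 'RunValue' $name ($run.$name)
        }
    }

    # Data directory under %APPDATA%.
    if (Test-Path -LiteralPath $dataDir) { New-Finding 'Directory' $dataDir 'present' }

    # Named files anywhere under the search root. The "[random].exe" entry has no
    # fixed name, so look at where any Run value found above points instead.
    Get-ChildItem -Path $searchRoot -Recurse -Force -Include $fileNames -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { New-Finding 'File' $_.Name $_.FullName }
)

if ($findings.Count -eq 0) { 'No listed artifacts found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

An empty result only means this particular program's artifacts are absent, which matches the point made in the reply that follows: the list is specific to one program.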

YoshiEgg25
Next-Gen
Posts: 4337
Joined: Tue Aug 24, 2010 10:26 pm
Location: Madison, WI
Contact:

Re: Anybody else had a fake Windows Essentials Security alert?

Post by YoshiEgg25 »


CRT, this is a COMPLETELY different program. Fixes aren't universal.
Gaming accomplishments:
Nibbler (marathon): 251,169,160 / Nibbler (one life): 5,263,360 (WR)
Donkey Kong: 423,100 [L12-1] (150th place as of 2019-01-15)
Super Smash Bros. (N64): Ranked top 5 in Wisconsin from Q1 2016 to Q2 2017
Shrek SuperSlam: won largest tournament in game's history (Shrekfest 2018)

Speedrun.com Profile (contains multiple WRs)
CRTGAMER
Next-Gen
Posts: 11933
Joined: Tue Jan 05, 2010 11:59 am
Location: Southern California

Re: Anybody else had a fake Windows Essentials Security alert?

Post by CRTGAMER »

YoshiEgg25 wrote:
CRT, this is a COMPLETELY different program. Fixes aren't universal.
Instead of flaming when help is offered try comprehending the replies.
In case you ever get this one the MANUAL fix.
YoshiEgg25
Next-Gen
Posts: 4337
Joined: Tue Aug 24, 2010 10:26 pm
Location: Madison, WI
Contact:

Re: Anybody else had a fake Windows Essentials Security alert?

Post by YoshiEgg25 »

CRTGAMER wrote:
YoshiEgg25 wrote:
CRT, this is a COMPLETELY different program. Fixes aren't universal.
Instead of flaming when help is offered try comprehending the replies.
In case you ever get this one the MANUAL fix.
And it's not that one.

For me, I can't say, given the information, what to do. This is a case where you have to know exactly what's happening on the screen at a given time. In this case, at my job, I would go out to take a look at the computer. I can't do that.

So, given the fact that Safe Mode wasn't seeming to work either, I can't hand out any specific help. However, that doesn't mean I go spouting off info almost completely unrelated to the topic at hand.
pakopako
Next-Gen
Posts: 1654
Joined: Wed Jul 07, 2010 2:29 pm

Re: Anybody else had a fake Windows Essentials Security alert?

Post by pakopako »

fastbilly1 wrote:typically, I would take the drive out, put it in an external bay, and run something like Malware Antibytes or Pandasoft on it from a secure machine.
fastbilly1 wrote:I do know somebody with a 2.5 external caddy, so I could plug it into my pc like that and see where that gets me.
As always, the external solution to an internal problem is the best method. Just make sure the computer you're connecting to is well protected.
fastbilly1 wrote:But if that is not an option, find out where it is, boot from a linux live cd and delete said file. There are lots of options if you know what not to delete from windows - Trinity Repair Kit and ERD Commander for example.
Also, booting from a Live CD (Knoppix is preferred, although I personally use the totally unsecure-but-Windows-friendly Puppy) you can still go online and scan your PC from there using Linux AV or Anti-Malware softwares. The Windows-based virus shouldn't do anything outside of its native environment. (Like replicate.)
Curlypaul wrote:I can actually boot into safe mode with command prompt, I can run regedit and whatever from there but it seems like this particular version randomises itself so I'm not sure what files I'm looking for.
...
Does make me wonder how any of this is actually possible in the first place.
How the virus randomizes itself like an adaptive survival mechanism? Freaky programmers. Generally it doesn't actually randomize, but rather leaves behind a renamed file when the user tries to delete it. You can tell the system to delete it, but you'd have to find the random-name file (fiGYYrasdr.ZIP) or the sneaky-renamed (explorer.exe... located in my Games folder??)
My scheduling skills have died of dysentery; I hope to visit at least on a monthly basis.
Still, don't forget to tip your waitress.
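
The renamed-file trick described above (a system name such as explorer.exe sitting in an unrelated folder) can be checked for with PowerShell. This is an added example, not part of the original post; the watch list of system file names and the scan root are assumptions.

```powershell
# Added example: find files that borrow a Windows system binary's name but live
# outside %SystemRoot%, and show whether each carries a valid Authenticode signature.
$systemNames = 'explorer.exe', 'svchost.exe', 'winlogon.exe', 'csrss.exe',
               'lsass.exe', 'services.exe', 'rundll32.exe'   # assumed watch list
$winDir = $env:SystemRoot.TrimEnd('\') + '\'
$root   = $env:SystemDrive + '\'                             # assumed scan root

$hits = @(
    Get-ChildItem -Path $root -Recurse -Force -Include $systemNames -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            -not $_.FullName.StartsWith($winDir, [StringComparison]::OrdinalIgnoreCase)
        } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Modified  = $_.LastWriteTime
                Signature = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer    = $sig.SignerCertificate.Subject
            }
        }
)

# Newest first: a recently written, unsigned copy in a user folder is the one to look at.
$hits | Sort-Object Modified -Descending | Format-Table -AutoSize -Wrap
```

Legitimate copies can show up too (for example under a Windows.old folder left by an upgrade), so treat the output as a list to review rather than a list to delete.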