Got my father-in-law's laptop here and he's picked up this trojan from somewhere. When the system boots it shows me this system security alert saying there is a trojan on the machine. When I click on 'clean' it tries to install 'windows simple protector'.
I've been googling this all day and I have yet to find an answer to this. Seems to be a more advanced version than anybody has documented yet, as it won't let TaskManager load, or cmd.exe, or msconfig, or regedit, or any installer of any kind, and it won't let me view various folders where it might be hanging out. This thing also loads when in SAFE MODE??
Anybody got any ideas how to shift this thing?
Thanks
Anybody else had a fake Windows Essentials Security alert?
- AznKhmerBoi
- Next-Gen
- Posts: 2574
- Joined: Sun Jan 31, 2010 11:04 am
- Location: Pennsylvania
Re: Anybody else had a fake Windows Essentials Security alert?
Interesting, I had the same issue happen to me. I was surfing the web and the same crap happened.
My laptop became unbearably slow and would not let me launch any software to destroy it.
So all I did was run in safe mode, then run your usual virus scanner or spam protection software.
And after 30 minutes or so it actually found the trojan and I just deleted it and booted back to normal mode.
PSN- jacktsang05
WiiU- jacktsang05

- fastbilly1
- Site Admin
- Posts: 13775
- Joined: Tue Apr 17, 2007 7:08 pm
Re: Anybody else had a fake Windows Essentials Security alert?
Typically, I would take the drive out, put it in an external bay, and run something like Malware Antibytes or Pandasoft on it from a secure machine. But if that is not an option, find out where it is, boot from a Linux live CD and delete said file. There are lots of options if you know what not to delete from Windows - Trinity Repair Kit and ERD Commander for example.
Re: Anybody else had a fake Windows Essentials Security alert?
I can actually boot into safe mode with command prompt, I can run regedit and whatever from there but it seems like this particular version randomises itself so I'm not sure what files I'm looking for.
I do know somebody with a 2.5 external caddy, so I could plug it into my pc like that and see where that gets me.
Does make me wonder how any of this is actually possible in the first place.
Re: Anybody else had a fake Windows Essentials Security alert?
Once you're owned, you're owned. Code could be hiding anywhere. Even if you remove the visible malware, there could be a rootkit hiding in there invisible through the filesystem just waiting to be activated. The only safe thing to do is reinstall. Don't keep any files from the compromised system unless you're sure (use checksums!) the files haven't been altered.
We are prepared to live in the plain and die in the plain!
- AznKhmerBoi
- Next-Gen
- Posts: 2574
- Joined: Sun Jan 31, 2010 11:04 am
- Location: Pennsylvania
Re: Anybody else had a fake Windows Essentials Security alert?
Any suggestion for a good free software to get rid of it?
PSN- jacktsang05
WiiU- jacktsang05

Re: Anybody else had a fake Windows Essentials Security alert?
Format C:
We are prepared to live in the plain and die in the plain!
- AznKhmerBoi
- Next-Gen
- Posts: 2574
- Joined: Sun Jan 31, 2010 11:04 am
- Location: Pennsylvania
Re: Anybody else had a fake Windows Essentials Security alert?
Wow, that's a lil drastic there
Hatta wrote: Format C:
PSN- jacktsang05
WiiU- jacktsang05

Re: Anybody else had a fake Windows Essentials Security alert?
First try http://www.freedrweb.com/livecd/?lng=en
Make sure you are connected to the Internet to update the database.
After you are done scanning, install Spybot Search & Destroy, update and run a scan.
PSone, Xbox, PS2, DC, SS Mod Service, PM for details
Re: Anybody else had a fake Windows Essentials Security alert?
Like I said, once you're owned, you're owned. Unless you're running a host-based IDS (e.g. OS Sec) which monitors the checksums of every file on your system, there is no way to be certain that you have cleaned everything up. Rootkits can hide anywhere, collecting data (passwords, credit card numbers, etc.) without your knowledge. Anything short of a full reinstall is negligent.
We are prepared to live in the plain and die in the plain!
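
The checksum advice in the two replies above, worked through as an added example (not part of any post in this thread). It assumes a known-good backup made before the infection and the suspect drive mounted on a clean machine; the function names and sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each file under root (assumed: a mounted backup or suspect tree) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # never follow links found on the suspect drive
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def compare(trusted, suspect):
    """Sort suspect files into unchanged / altered / unverifiable (no trusted hash)."""
    result = {"unchanged": [], "altered": [], "unverifiable": []}
    for rel, digest in sorted(suspect.items()):
        if rel not in trusted:
            key = "unverifiable"  # no known-good hash, so nothing vouches for it
        else:
            key = "unchanged" if trusted[rel] == digest else "altered"
        result[key].append(rel)
    return result

def demo():
    """Constructed sample data: a 'backup' tree and a 'suspect' tree in temp dirs."""
    backup = {"docs/tax.txt": b"2010 return", "pics/a.jpg": b"\xff\xd8A"}
    suspect = {"docs/tax.txt": b"2010 return", "pics/a.jpg": b"\xff\xd8B", "docs/new.exe": b"MZ"}
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as bad:
        for root, files in ((good, backup), (bad, suspect)):
            for rel, data in files.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
        return compare(build_manifest(good), build_manifest(bad))

if __name__ == "__main__":
    print(demo())
```

Only the "unchanged" list is safe to carry over to a fresh install; a file with no trusted hash cannot be vouched for by checksum at all.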