Mums computers got a bug - help!


Knipples
06-03-2011, 11:24
Mum's managed to get an infection. She's got XP, and uses the Virgin Media protection, however it's clearly infected, and I'm trying to sort it.

Am trying to download Malwarebytes and SUPERAntiSpyware, but as I've never had XP is there anything I can do to help? It's trying to download Malwarebytes from MajorGeeks but it keeps crashing, or taking an age. How would I get a copy of it onto my USB stick for her? (I already have it on this laptop, but does it work that way?)

Um, help!

Knipples
06-03-2011, 11:29
Right, I've put it on the USB stick, but it says when I plug it into Mum's computer that the USB stick is infected (which it's not) and won't let me install it.

Do I need to do it in safe mode?

Burble
06-03-2011, 11:32
Yeah, safe mode is worth a try.

Try googling for the exact message and symptoms you're seeing, that's normally a quick way of finding out how to sort it.

Mark
06-03-2011, 11:33
Yes! Always best to use safe mode if you can for virus removal as it's less likely to be running the virus at the time.

And please make sure your PC is protected before plugging that stick back into yours. :)

Knipples
06-03-2011, 11:37
It's changed the wallpaper on the desktop to this "Your're (spelt that way) computer is infected blah blah blah" message.

I've got Malwarebytes and SUPERAntiSpyware on the USB stick now and am restarting hers in safe mode.

Installed MWB in safe mode, now doing SAS. It wouldn't let me update it cos it won't connect to the net at the mo, but I guess that's OK for now, and I can update it later?

Knipples
06-03-2011, 11:44
Am I going to need to delete the Virgin Media antivirus, and reinstall it?

Burble
06-03-2011, 11:46
Ah, that one. I've seen it a couple of times this week -> http://www.bbc.co.uk/news/technology-12608651

MalwareBytes will sort it, that's what I used.

Mark
06-03-2011, 11:49
Yes, that one's quite common, and MalwareBytes will indeed sort it.

Safe Mode doesn't have networking support, which is why it can't connect. XP may have a 'safe mode with networking' boot mode, but I can't remember without rebooting the PC I'm typing this on.

Knipples
06-03-2011, 11:50
Ta for that Burble and Mark, so I am running them both in safe mode now, will the virgin stuff need to go as well?

Any idea what it's called so if it pops up on the scan I know I've got it? :)

Also she was trying to get a car insurance quote at the time, when it all started occurring, and is now paranoid (because she had punched in personal info like address, DOB etc) that it will have got hold of all of that data. Can someone reassure her please? (She's not listening to me.)

Knipples
06-03-2011, 11:53
> Yes, that one's quite common, and MalwareBytes will indeed sort it.
>
> Safe Mode doesn't have networking support, which is why it can't connect. XP may have a 'safe mode with networking' boot mode, but I can't remember without rebooting the PC I'm typing this on.

It did, but I kept it disconnected for now, will run the scan again in safe mode but try and get the updates. (Does that mean it will find it this time round as I haven't updated it?) Or will I need to boot it up in normal mode and then get the updates?

Burble
06-03-2011, 11:53
> XP may have a 'safe mode with networking' boot mode, but I can't remember without rebooting the PC I'm typing this on.

It does.

> Ta for that Burble, so I am running them both in safe mode now, will the virgin stuff need to go as well?
>
> Any idea what it's called so if it pops up on the scan I know I've got it? :)

No, the Virgin stuff can stay.

I can't remember what MalwareBytes detected it as, I think it must have picked up the name of the executable, which was a random bunch of letters.

It might be worth rebooting in safe mode with networking, updating and then scanning again.

With the ones I sorted it only appeared to affect a single user (despite the exe being in the 'all users' directory) so this one can be removed without safe mode if necessary.

Mark
06-03-2011, 11:54
Chances are reasonable that the virus will have disabled the antivirus software. You'll know for sure once you've got the infection cleaned up.

If it's not bang up to date you should certainly find something that is. I'm not sure what VM provide, so can't comment on whether it's any good. There's no immediate reason to uninstall it unless it's broken, however.

Burble
06-03-2011, 11:55
> Also she was trying to get a car insurance quote at the time, when it all started occurring, and is now paranoid (because she had punched in personal info like address, DOB etc) that it will have got hold of all of that data. Can someone reassure her please? (She's not listening to me.)

No need to worry. This spreads by infected/dodgy adverts and is purely there to try and get £ for a removal tool. I ran a packet sniffer against one of the machines to see if it was trying to upload/obtain information but it didn't.

Knipples
06-03-2011, 11:59
Thank you both, there goes my Sunday!

Belmit
06-03-2011, 12:10
I had to get rid of this on Windows 7 a few times this week, and for some reason Malwarebytes didn't work even though it was up to date. I had to do the following in the end:

- Boot in safe mode.
- Go into regedit.
- Browse into (I think) hkey_current_user\software\microsoft\windows\currentversion\run_once and delete the random entry. This prevents the virus starting at boot.
- Reboot into normal mode.
- Show hidden files and folders and browse to c:\Programdata.
- Delete the identically named folder as was in the registry.

Not sure if it's as easy on XP but if Malwarebytes sorts it then great. :)

Knipples
06-03-2011, 12:11
Where's regedit?

Can I have the above in blonde terms please? :p

Belmit
06-03-2011, 12:14
Click Start. Click Run. Type regedit and click OK. Browse to that 'folder' and the entry is a string of characters and numbers at random.

Edit: XP won't have a c:\Programdata folder so it will be somewhere else. Make a note of the random string in the registry entry you delete, then search for the same on the computer to get the virus folder.

Knipples
06-03-2011, 12:18
> Click Start. Click Run. Type regedit and click OK. Browse to that 'folder' and the entry is a string of characters and numbers at random.
>
> Edit: XP won't have a c:\Programdata folder so it will be somewhere else. Make a note of the random string in the registry entry you delete, then search for the same on the computer to get the virus folder.

I just did that on mine (Win7), and it didn't have any random folders, so that means I am clean on my laptop, yeah?

Belmit
06-03-2011, 12:21
Should be. The virus is just an exe file that sits in a folder named something like 'rt9po32jk'. As long as you have no folders in Programdata that are about that long in name and similarly random then it should be gone.

Knipples
06-03-2011, 12:27
The malware bytes has been going for 46 mins so far and hasn't found a thing yet, fingers crossed it will, will do safemode and networking next, just thought something might have popped up by now.

Belmit
06-03-2011, 12:29
In my experience MWB finds stuff in the first minute, or a few seconds before the scan is complete, and rarely in between!

Knipples
06-03-2011, 12:30
So maybe it does need to grab the updates before it can find it?

Mark
06-03-2011, 12:32
If it's not had chance to update it might not find it, particularly if it's a recent thing. Persevere before messing with the registry. :)

On XP, the equivalent to C:\ProgramData is C:\Documents and Settings\All Users\Application Data
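
The manual check described in the posts above (a random-looking autostart entry whose name matches a folder under C:\ProgramData, or under C:\Documents and Settings\All Users\Application Data on XP) can be scripted as a read-only audit. This is an added example, not code from any poster in the thread; the function names, the randomness heuristic and the sample data are assumptions made for illustration, and it looks at both the Run and RunOnce keys.

```python
import os
import re

RUN_KEYS = [r"Software\Microsoft\Windows\CurrentVersion" + s for s in (r"\Run", r"\RunOnce")]

def looks_random(name):
    """Heuristic (an assumption): 6-12 letters and digits, both present,
    at most a third of the letters vowels, like the thread's 'rt9po32jk'."""
    name = name.lower()
    letters = [c for c in name if c.isalpha()]
    if not re.fullmatch(r"[a-z0-9]{6,12}", name) or len(letters) in (0, len(name)):
        return False
    return 3 * sum(c in "aeiou" for c in letters) <= len(letters)

def suspicious_autoruns(run_entries, folder_names):
    """Flag autorun values whose name, or a component of whose command path,
    equals a random-looking folder name. Read-only: nothing is deleted."""
    folders = {f.lower() for f in folder_names if looks_random(f)}
    hits = []
    for name, command in run_entries.items():
        parts = {p.lower() for p in re.split(r'[\\/"]+', command)}
        matched = sorted(({name.lower()} | parts) & folders)
        if matched:
            hits.append((name, command, matched[0]))
    return hits

def read_live():
    """Windows only: HKCU Run/RunOnce values and shared app-data folders."""
    import winreg
    entries = {}
    for sub in RUN_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, sub) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, value, _ = winreg.EnumValue(key, i)
                    entries[name] = str(value)
        except OSError:
            pass  # key absent, which is normal for RunOnce
    base = os.environ.get("ProgramData") or os.path.join(
        os.environ["ALLUSERSPROFILE"], "Application Data")  # XP layout
    return entries, [d for d in os.listdir(base)
                     if os.path.isdir(os.path.join(base, d))]

# Constructed sample data (not taken from a real machine).
SAMPLE_RUN = {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
              "rt9po32jk": r"C:\ProgramData\rt9po32jk\rt9po32jk.exe"}
SAMPLE_FOLDERS = ["Adobe", "Microsoft", "rt9po32jk"]
```

On Windows, `suspicious_autoruns(*read_live())` runs the same check against the logged-in user's registry and the shared application-data folder; anything it returns is a candidate for review, not proof of infection.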

Knipples
06-03-2011, 14:33
Scan finished. Rebooted, updated them both. Scanning again in safe mode. Bored now. Next option is to start it in normal mode now I've managed to get them installed I guess.

Knipples
06-03-2011, 17:27
Yay, it found 3 things, one of which was in the registry (had this random bunch of numbers and letters in the name like Belmit said it would) so they've been removed, and it's now booted up in regular mode, and scanning again.

Burble
06-03-2011, 17:29
If it hasn't reappeared within a minute of logging into the machine in normal mode then you should be clear of it.

Mark
06-03-2011, 17:37
That'll be the last of that. Fortunately this one doesn't seem as pernicious as some of the others have been. Some of these scareware things have been right sods to get rid of.

Knipples
06-03-2011, 17:41
Do I still need to do the registry thing that Belmit suggested?

Burble
06-03-2011, 18:11
No, MalwareBytes would have done it for you.

Knipples
06-03-2011, 20:21
Yay, bug is gone, thank you people for helping today, Mummy Maweeee says fank koo. Any of you who asks me for a drink at the wedding gets one. :)