Posted 28 January 2010 - 12:35 AM
This may not be the same virus but sounds similar to Antivirus 2010. I've dealt w/ Antivirus 2010 on a couple PCs over the last week. It appears to be profile specific; it drops a folder w/ an executable at C:\documents and settings\(username)\local settings\application data. The folder usually has a name that looks like a random string of letters. You will not be able to delete it if you are logged in under the infected profile.
Login under a different username and IMMEDIATELY go to Start->Run and enter msconfig. If you don't act quickly the popups will start under the new login profile and disable executables. Once in msconfig, go to the startup tab and look for anything being called from C:\documents and settings\(username)\local settings\application data\(unusual folder name). Notate the last folder name in the string. Uncheck the box next to that item. If you see any check boxes checked followed by a blank path, uncheck those too.
Reboot and go to the C:\documents.........\application folder and delete the folder that was listed under msconfig.
Go to www.malwarebytes.org, download and install the latest version. Update when prompted and run a full scan. When scan completes, click Show Infected Items, and then click Delete Selected Items. If you get a prompt that registry editing is blocked and asking if ok to enable editing, click yes. Reboot when prompted.
Once rebooted, try to browse the web. If you get a Page Cannot Be Displayed error, in IE click Tools->Internet Options->Connection Settings tab->LAN Connections button. If the Use a Proxy box is checked in the bottom half of the window, click the Advanced button. AV2010 usually drops a proxy into localhost or 127.0.0.1 (same thing) on port 5555. Clear these entries. If prompted that you are disabling the proxy connection, click ok. Click ok on all open windows and try to browse again. CAUTION: Some software packages such as parental control packages may set a proxy. If you remove any proxy settings, notate the proxy location and port before deleting. If the proxy was set for a valid program you may need to re-enter it.
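As an added example (not from the poster), a Python script that applies the post's indicators to constructed sample data: startup entries launched from a random-named folder under Local Settings\Application Data or with a blank path, and an IE proxy forced to 127.0.0.1:5555. The entry names, folder name and proxy values are constructed, not taken from a real machine.

```python
import re

# Constructed sample of startup entries as msconfig would list them
# (item name, command line). Not from a real machine.
STARTUP_ENTRIES = [
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("qkxvzt", r"C:\Documents and Settings\alice\Local Settings\Application Data\qkxvztrp\qkxvztrp.exe"),
    ("Updater", ""),  # checked box followed by a blank path
    ("MSN", r"C:\Program Files\Messenger\msmsgs.exe /background"),
]

# Constructed values mirroring the ProxyEnable / ProxyServer settings IE uses
# (assumes the plain host:port form, not the per-protocol "http=...;" form).
PROXY_SETTINGS = {"ProxyEnable": 1, "ProxyServer": "127.0.0.1:5555"}

# Path the post names: ...\(username)\local settings\application data\(folder)\
PROFILE_APPDATA = re.compile(
    r"^[a-z]:\\documents and settings\\[^\\]+\\local settings\\application data\\([^\\]+)\\",
    re.IGNORECASE,
)

def random_looking(name: str) -> bool:
    """Heuristic for the 'random string of letters' folder names the post describes."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) < 6:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    # Natural words run roughly 35-45% vowels; gibberish usually far less.
    return vowels / len(letters) < 0.25

def suspicious_startup(entries):
    """Return (name, reason) for entries matching the post's two indicators."""
    findings = []
    for name, command in entries:
        if not command.strip():
            findings.append((name, "blank path"))
            continue
        m = PROFILE_APPDATA.match(command.strip('"'))
        if m and random_looking(m.group(1)):
            findings.append((name, f"runs from profile appdata folder {m.group(1)!r}"))
    return findings

def suspicious_proxy(settings) -> bool:
    """True when browsing is forced through localhost on port 5555, as the post describes."""
    if not settings.get("ProxyEnable"):
        return False
    host, _, port = settings.get("ProxyServer", "").rpartition(":")
    return host.lower() in ("127.0.0.1", "localhost") and port == "5555"
```

A legitimate proxy (parental-control software, corporate proxy) will not match, which keeps the post's caution about not blindly clearing proxy settings.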