Whenever I rebooted, this bogus virus scanner popped right back up, so I rebooted into safe mode and used msconfig to look at what was starting. I found the offending program, which was C:\Documents and Settings\All Users\Application Data\defender.exe. I deleted it from startup, as well as the file itself. When I rebooted, everything seemed okay, but after an hour or so the bogus scanner started again, and defender.exe was back. At that point I deleted it again, and used Malwarebytes to do a quick scan. It found a lot of infected files (I think it was around 20). I let Malwarebytes remove them, and activated Enable Protection and Website Blocking from within Malwarebytes. With the computer sitting idle, every few minutes Malwarebytes would alert that it "blocked access to" or "blocked access from" various IPs. Some said "type: incoming" and some said "type: outgoing". Some of those IPs were:
At that point I deleted some registry keys that someone on a different forum suggested to someone with a similar problem, ran the Microsoft Malicious Software Removal Tool, turned on the Windows firewall (there hadn't previously been a software firewall running), and started Microsoft Security Essentials. I may have taken other steps as well that I don't recall. In any case, the "blocked access to" messages stopped. The "blocked access" messages stopped, and the bogus virus scanner hasn't returned. It's been about 12 hours.
So, what should I do to make sure my system is now clean and safe? Thanks.
Edited by MarkBuckley, 22 June 2011 - 04:33 PM.