Posted 11 December 2011 - 04:10 PM
I thought I'd post this for others. A friend called with the dreaded "Windows 7 Antispyware 2012" malware that had totally taken over his Windows 7 system. He said he was unable to access anywhere on the Internet from his browser without those annoying pop-ups coming up.
I've got LogMeIn installed on his computer (he's had other problems before...). I figured -- aha! I'll just put Malwarebytes on my ftp site, then go there from Windows Explorer. But, aha!, this &*^*&%@%^$ malware totally takes over the keyboard. You can't run an exe or type anything in anywhere (Run, Search, nothing worked) without the popups stopping you.
So I next had him reboot to Safe Mode with Networking. Unfortunately, I couldn't use LogMeIn. The good news is he was able to access his browser and the Internet when it booted up. So I had him go to TeamViewer and install it for a quick connect. About halfway through the process, the malware was back -- but it seemed to take about a minute or so to establish itself in Safe Mode. It didn't allow access to TeamViewer after the install (which was successful, even though the malware said it had stopped the installation). So we tried one more boot to Safe Mode and then immediately started TeamViewer. I was able to get access to his computer before the malware started up. Then I did a file transfer of Malwarebytes from my machine to his. I then right-clicked on the program, chose Run As Administrator, and it successfully installed, updated and came up to run the scan. I did a full system scan (with the usual warnings from the malware -- but it didn't stop the program from running).
It took about 30 minutes and removed 8 programs scattered around. I rebooted yet again and ran Malwarebytes one more time. No viruses. So it seems to be OK.
It took two hours. What a pain. But the take-home message, I guess, is that you can do this for friends' & relatives' machines from your own machine. One slight worry is that I'm unable to install AdAware (it hangs during install), but all seems well otherwise. I also ran rkill (?) and it didn't show any hostile processes running.