Hi! I'm Paul and I can build you a desktop better than the one you get from HP or Dell. That having been said, I built the two we have at home, and am the resident computer technician there. (I used to be a programmer until the jobs I used to get were mostly outsourced to India.)
The first time I encountered an infection like this, it was "Internet Security 2009" on a friend/client's home computer, and she had the benefit of having a subscription to Computer Associates Internet Security provided as part of her Cable TV/ISP package. So I called the cable company, who forwarded me to CA, and we spent a few hours connected by RAS using some tools the CA Tech provided, and got my friend's computer back up and running. This also provided me with the experience to handle it when a friend-of-my-GF's-brother got her computer infected with "Internet Security 2010."
I mention that experience in stark contrast to the "help" I did NOT get from the AV provider my GF has actually paid for a subscription to for the last three years: ZoneAlarm.
My above-mentioned GF was browsing when suddenly Firefox closed, and she got the dreaded "Your computer is infected..." from the infection itself: "Win 7 Antivirus 2012." She stopped what she was doing (as it happened, ZoneAlarm was scanning her computer, and that continued), let out a yelp, and called me.
I immediately recognized what was going on. I asked GF what she had been doing, and her description appeared to be nothing out of the ordinary: reading some text on a site she had visited many times previously, opening a PDF she had downloaded months previously and opened many times already. Normal stuff. So we shut her computer down, restarted in Safe Mode, and I fired up the laptop to have a chat with a 24/7 ZoneAlarm online technician.
Imagine my shock and surprise when, after describing the problem and the cause, I was told, *and I quote directly from the chat* "Sorry for the trouble Paul. That is a rougue [sic] malware program that unfortunately ZoneAlarm does not treat". WELL!! And the firewall component didn't do so well at blocking it, either! His NEXT sentence to me was (wait for it!...)
"There are removal guides for that at bleepingcomputer.com"
The rest of the chat was pretty pointless. He made excuses. I asked for a refund of my last subscription renewal.
And here I am.
Before actually getting here, I did some more reading, some downloading (on the laptop) and transporting to the infected desktop (via USB Flash drive) of MalWareBytes Anti-Malware tool (which I've run a few times, already). Most of the symptoms are gone, but there are some lingering effects still hanging around; the biggest of which manifests as WBM Login User ("") Authentication failures from that system at my router, which has been blocking internet access out.
When I first started working on the issue, Task Manager was blocked (along with any other .exe NOT right-clicked and "Run as Administrator"). An Anti-Malware article at the Microsoft site (http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fFakeRean) had an instruction to delete a ".exe" key from the registry, and having done that, I can once again run .exe programs straight up.
The first MalWareBytes run was in Safe Mode, and found and dealt with three infected files. No subsequent MalWareBytes scan has found any more infection. Even so, after removing the registry segment, I ran MalWareBytes again, and also ZoneAlarm, which found three entirely different infected files.
And finally, my question has to do with what could be causing the WBM Login failure. What scans do I need to do to generate logfiles that would shed some light on the matter?
I'm pretty sure that the safest, cleanest option for my GF's computer in the long run, is to take inventory of installed software, offload any doc, pic or data files and re-install Windows 7, etc. from scratch. All this is not helped by the fact that it's 6am on the day after Christmas ("Merry Christmas. Here's your virus infection!") and I'm about to go away for a week. I'm posting NOW to keep the details fresh. I probably WON'T be able to check back until at least next Saturday. Please do NOT close the topic before then. (When I get back home, I can monitor the posts more regularly.) Thank you for any help you guys can provide.