System particulars: Win 7 Professional, SP1, 64 bit, 4GB ram, MicroElectronics
I am helping a friend with his computer. It started with a virus that appeared. After booting up and logging in, things would seem to start up normally and then the screen would get taken over by a large splash screen. The taskbar and desktop were gone. The screen had a lot of official text about national security and gave his IP address and quoted a lot of threatening legalese. It provided a link to go to in order to pay money to unlock the computer. I switched user to another account on his system with admin privs and this account did not have this problem. His main account also has admin privs. I used Norton (which was already installed) to scan his computer and it found no problems.
I then installed and ran Spybot. It found and removed a few things but they didn't appear to be very serious.
I then installed and ran Malwarebytes and it found some serious things which I removed.
I then installed and ran AVG (whole system scan) and it found many serious things... 73, some of which it seemed to be able to handle and fix (green check marks) but others remained as threats and had an X instead of a check mark. The nature of these threats was Object name: idle and all were identified by Anti-rootkit. I clicked the button to 'remove all' and it said this required a reboot.
After rebooting and logging into this secondary account again, I had AVG do a whole system scan and right off the bat, while it was displaying that it was scanning for Rootkit, it flagged 59 threats. I aborted the scan after it seemed to be not finding any more and it had those same threats with X's on them. I clicked 'remove all' and again rebooted.
I again logged into the secondary account and I ran the same scan again with AVG and the same threats were back. If I chose 'remove all' and then started the scan again, without rebooting then it found more, something in the 60's as the number of threats. Again, I clicked 'remove all' and rebooted.
This time, I logged into the main account where the virus first made itself apparent. No more splash screen asking for money to unlock the computer. I ran AVG again (whole system scan) and this time it found 60-something threats, all with the X in front of them, and all but one were Object name: idle and Identified by: Anti-rootkit. The additional one, the first one in the list, was Hidden Driver, path c:\Windows\System32\drivers, Identified by Anti-rootkit.
So, the system seems to be infected but can't be cleaned by the normal (for me) removal tools.
I tried one more round of 'Remove all', reboot, and now I've logged into the secondary account again.
Is this a serious virus? Or is it an artifact of having thrown so many tools at the problem?
Thanks for your help. I'm so glad I found this forum.