I got a laptop yesterday from a client and when I turned it on, up popped another rogue security application. I can’t remember the exact name of the phony malware, but this one looked very like a Microsoft program because it had the Microsoft logo in the top left hand corner and the writing “genuine Microsoft” in the bottom left hand corner (see photo above).
These fake security programs are getting nastier and nastier and I had to go into my “bag of tricks” in order to remove it. Here is what I discovered and what I eventually did:
1) I could boot into Safe Mode but I couldn’t use it to do anything (the rogue program had rendered it useless).
2) I could not use System Restore (the rogue program had blocked it).
3) I could not open the Windows Task Manager (disabled by the rogue program).
4) I could not access my flash drive because the rogue program had hidden all files and folders and I therefore couldn’t see anything.
Sounds bad huh? Well, good will always prevail over evil! Keep reading:
1) I booted up the machine from my Trinity Rescue Kit 3.4 CD.
2) I updated and ran BitDefender Antivirus (from the virus scanning menu on the Trinity Rescue disc).
3) Rebooted into normal mode and apparently the virus was under control, but I had no icons or taskbar on the desktop (I did have a desktop photo). I couldn’t do anything!
4) I pressed Ctrl+Alt+Del and saw that Task Manager came up. I clicked on “File” > “New Task”, typed “desktop” in the “Create New Task” box and clicked “OK”. The desktop and icons reappeared (but I would lose them again every time I restarted the computer).
5) After rebooting, I repeated #4 in order to restore the taskbar and icons. I then ran an updated Trojan Remover and removed all infections and system modifications.
6) Upon reboot, icons and taskbar reappeared normally and permanently. Just for good measure I ran SUPERAntiSpyware and deleted anything found. Done!
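The four symptoms listed at the top (Task Manager disabled, System Restore blocked, files hidden on the flash drive) are things a technician can check for, and undo, from a script once the machine is booted normally. The following PowerShell is an added example, not part of the original post or of any of the tools named above; it assumes the rogue program used the well-known Windows policy registry values for disabling Task Manager and System Restore (which values this particular rogue actually set is an assumption), and that the flash drive is E:.

```powershell
# Added example: audit the symptoms described in the post and, with -Fix, undo them.
# Registry paths below are the standard Windows policy locations; the assumption
# that this rogue program used them is mine, not the post's.
param(
    [string]$RemovableDrive = "E:",   # assumed drive letter of the client's flash drive
    [switch]$Fix                      # report only unless -Fix is given
)

$checks = @(
    @{ Name = "Task Manager disabled (user policy)"
       Path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
       Value = "DisableTaskMgr" },
    @{ Name = "Task Manager disabled (machine policy)"
       Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
       Value = "DisableTaskMgr" },
    @{ Name = "System Restore disabled (policy)"
       Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"
       Value = "DisableSR" }
)

# Symptoms 2 and 3: policy values set to 1 block System Restore / Task Manager.
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    if ($item -and $item.($c.Value) -eq 1) {
        Write-Warning "$($c.Name): $($c.Path)\$($c.Value) = 1"
        if ($Fix) {
            Remove-ItemProperty -Path $c.Path -Name $c.Value
            Write-Output "  removed $($c.Value)"
        }
    } else {
        Write-Output "OK: $($c.Name) not set"
    }
}

# Symptom 4: everything on the flash drive hidden. Rogue programs commonly set the
# Hidden and System attributes on every file and folder; list them and optionally clear them.
if (Test-Path $RemovableDrive) {
    $hidden = @(Get-ChildItem -Path $RemovableDrive -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden })
    Write-Output "$($hidden.Count) hidden item(s) on $RemovableDrive"
    if ($Fix) {
        $mask = -bnot ([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
        foreach ($h in $hidden) {
            # clear Hidden and System, keep the remaining attributes untouched
            $h.Attributes = $h.Attributes -band $mask
        }
        Write-Output "  cleared Hidden/System on $($hidden.Count) item(s)"
    }
}
```

Run it once without -Fix to see what the rogue program changed, then with -Fix from an elevated PowerShell after the malware itself has been removed; otherwise a still-running rogue will simply set the values again.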
Professor Randy says: Don’t be fooled by these fake programs. When these rogue windows pop up, don’t click on anything! If you do, however, the solution can be found by following the above procedure. You’ll be up and running soon!