I get a lot of experience removing computer viruses as a computer repair technician, but rarely do I get to see a virus actually infect a computer "in the wild". Two days ago my main computer, which is a fully updated Windows 7 PC with up-to-date antivirus, was infected by a drive-by virus (specifically the very nasty TDSS rootkit). The following is how the virus infected the computer and how I removed it.
I was downloading a file from Megaupload when another browser window popped open and started playing a video. The popup browser window looked innocent enough, but when I went to close it a warning dialog showed up in my system tray telling me to install up-to-date antivirus software immediately.
The best part is that the warning misspelled the word "Unauthorized" as "Unauthosrized":
Then I started getting a fake Windows Security Center window warning me that my computer had no anti-virus software installed:
The infection begins with a trojan dropper that writes itself into the c:\Users\Username\AppData\Local\Temp directory. The dropper then downloads many more malicious files, including the TDSS rootkit, which is staged so that it installs itself the next time you reboot the computer.
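The two places the paragraph above points at, the user's Temp directory and whatever the dropper sets up to run at the next reboot, are where a technician would look first. The script below is an added example written for this page, not code from the original post or from any vendor tool. It assumes a Windows host with PowerShell 2.0 or later and the standard Temp and autostart locations; it only reads and reports, it deletes nothing, and the two-day window is an assumption you should adjust to your own timeline.

```powershell
# Added example (not from the original post): read-only triage for the infection
# pattern described above. Assumes PowerShell 2.0+ on Windows and stock locations;
# run from an elevated prompt. Nothing here deletes or modifies anything.

$tempDir = Join-Path $env:LOCALAPPDATA 'Temp'
$since   = (Get-Date).AddDays(-2)   # assumption: look back two days; adjust to the incident

Write-Host "== Executable files written under $tempDir since $since =="
Get-ChildItem -Path $tempDir -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and
                   $_.Extension -match '^\.(exe|dll|sys|tmp|scr|com)$' -and
                   $_.LastWriteTime -ge $since } |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, Length, FullName |
    Format-Table -AutoSize

# Autostart values: anything launching from a user-writable Temp or AppData path is suspect.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
Write-Host "== Run/RunOnce entries that reference Temp or AppData =="
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSProvider bookkeeping properties Get-ItemProperty adds.
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match '(?i)\\(Temp|AppData)\\') {
                "{0}\{1} = {2}" -f $key, $p.Name, $p.Value
            }
        }
    }
}

# Files queued to be moved or deleted at next boot. A dropper that stages a driver
# for "install on reboot" can leave its tracks here.
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
Write-Host "== PendingFileRenameOperations =="
(Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue).PendingFileRenameOperations

# Services and kernel drivers whose binary lives outside the Windows or Program Files trees.
Write-Host "== Services with binaries in unusual locations =="
Get-WmiObject Win32_Service | Where-Object {
        $_.PathName -and $_.PathName -notmatch '(?i)\\Windows\\|\\Program Files' } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

Write-Host "== Drivers with binaries outside the Windows tree =="
Get-WmiObject Win32_SystemDriver | Where-Object {
        $_.PathName -and $_.PathName -notmatch '(?i)\\Windows\\' } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize
```

Treat an empty result as a hint, not as a clean bill of health: once a rootkit's driver has loaded, it can hide its own files, registry values and service entries from anything running on the live system, which is why the scan-reboot-rescan sequence described later still matters. The script is most useful right after the popup appears (before the reboot the dropper is waiting for) and again after the scans, to confirm nothing was left behind in Temp or the autostart keys.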
Here is the actual trojan file that installed itself:
I immediately ran a full scan using Malwarebytes Anti-Malware, which detected quite a few infected files (including the persistent TDSS rootkit) that the trojan attempted to install onto the computer.
This is what Malwarebytes detected and removed:
After I ran Malwarebytes I rebooted the computer, ran Malwarebytes again (it caught a few more infected files that tried to re-install themselves), and then ran a full scan using AVG Free Anti-Virus.
If you follow the above steps immediately after an infection, you should be able to remove this virus with no problems. Do not skip the reboot-and-rescan step: components the dropper staged to install at boot are not all visible to the first scan, which is exactly why the second pass found more.