Looking for help after PC Hijack
- Zork Nemesis
- Villun
- Posts: 3270
- Joined: Sun Aug 01, 2010 12:09 am
- Location: Livin' in a duffle bag
Looking for help after PC Hijack
A friend of mine's computer, which runs Windows XP Media Center Edition, was recently hijacked by a program that appears as a fake Microsoft-based malware removal program, and I'm trying to help clean the computer without having to do a full-blown system wipe. I'm looking for some advice on the matter and will provide any information I can. This is what I know, but I can find out more if needed. For the record, my friend is a responsible internet browser, and the malware likely came from a hijacked ad on a news site out of Florida.
The "program's" file is named something along the lines of vee.exe; it hides in a Windows folder called Prefetch and replicates itself when deleted from the computer. Attempting to open ANY program will bring up this fake scanner, even while the computer is running in Safe Mode. The program also recognizes the anti-malware program Malwarebytes and prevents it from opening or installing.
I know this isn't much, but maybe someone's had experience with something similar and knows what to do, because I'm out of ideas and our resident computer expert has his hands full for the time being. Like I said, I'll provide more information if I can as needed.
This is hard to be cool and suave while being informative at the same time. Goddamn my coolness.
In my experience, common sense isn't too common.
- One_Medic_Army
- Villun
- Posts: 1584
- Joined: Sun Sep 26, 2010 11:07 am
Re: Looking for help after PC Hijack
Pull the hard drive and connect it to a clean computer already running an Anti Virus that can handle the specific malware, then clean the HDD from the second computer?
It sounds like booting from the drive is out of the question, if it's even screwing with safe mode boot.
Also might be a good idea to pull the net connection from the infected computer for the time being, prevent the malware from self-updating or sending out info.
Good Luck.
- metacide
- Villun
- Posts: 1899
- Joined: Sun Aug 31, 2008 4:18 pm
- Location: Seattle, WA
Re: Looking for help after PC Hijack
One_Medic has it right.
That is very bad. Especially if it's happening while in safe mode. I was going to recommend logging in under a different profile and wiping out just that profile but that seems unhelpful if the virus is running in safe mode.
Can you tell us what the fake anti virus calls itself? Is it something like "XP Anti Virus 2011"?
If you don't have a 2nd computer... Can you install Microsoft Security Essentials? Does it block that as well? What about Spybot Search and Destroy? (free version)
A few notes that don't help you now but might in the future... By default you log in as Administrator if you only have one account (super common with OEM machines). Create a second account that just has User access (or Power User for XP if you'd like) and use that account primarily. That way in case of virus infection it is quarantined to just that profile, much easier to deal with.
If all else fails, look on the bright side, this is a great reason to upgrade to Win7.
- Zork Nemesis
- Villun
- Posts: 3270
- Joined: Sun Aug 01, 2010 12:09 am
- Location: Livin' in a duffle bag
Re: Looking for help after PC Hijack
Well, I appreciate it, but shortly after I posted, I managed to get the computer to run System Restore and pulled its programming back to Sunday, before whatever the hell this was got in. From what it seems, there appears to be no trace left, but I'm having my friend run some precautionary malware and virus scans just to be safe. Thanks though.
And yes, "XP AntiVirus 2011" was exactly it.
Re: Looking for help after PC Hijack
Check out bleepingcomputer.com. Just about every spyware problem you can encounter is on there.
- Boss Llama
- Site Admin
- Posts: 10169
- Joined: Mon Mar 24, 2008 12:45 pm
Re: Looking for help after PC Hijack
Glad to hear you've got it in hand. The first of these things below will just be a "future reference" option. The second may be worth doing anyway.
The one time I ever had something like this, I was able to use the free version of Dr. Web Cure-It, which can boot in Safe Mode while simultaneously scanning and vetting everything else loading in Safe Mode, to block the hostile program from starting. From there it was able to create a quarantine that allowed me to boot in normal mode, and turn on the big boy anti-virus software, which previously was being blocked by the nastiness.
Another program I like, and use any time something is on my computer that I don't like, malware or not, is HijackThis!. HijackThis! is a very basic, but absurdly powerful, tool. It picks up every running process on your system, good or bad, and displays them on a list with a 2 digit code to indicate the general type of process. You can select whichever ones you like, and tell it to kill them, and it will. You want to make sure you know exactly what something is before you nuke it, because as mentioned before, it doesn't differentiate between good and bad, and will happily eliminate required system files if you tell it to. It's crazy good though, and is the best tool I've ever seen for getting rid of BHOs, toolbars, redirects, and other silliness, not to mention out of date drivers, unwanted run-on-starts, and bloatware.
-Boss Llama
- Aardvark Ratnick
- Villun
- Posts: 185
- Joined: Fri Feb 04, 2011 2:28 pm
- Location: Oklahoma, USA
Re: Looking for help after PC Hijack
I fix computers for a living and have dealt with a lot of crapware. I have found these programs to be the most effective in cleaning infected machines.
Malwarebytes fully updated will kill that fake security program. The only difference between the paid version and the free version is real time protection. They function the same for simple scanning and threat removal.
http://www.malwarebytes.org
Spybot Search and Destroy is offering a bootable CD that will update itself. I have no clue as to the cost. But if you get Spybot Search & Destroy, Malwarebytes and a good Antivirus (is there such a thing?) The two together can pretty much clean just about anything. It has a quasi real time protection feature called Tea Timer which can be difficult to use and decipher.
http://www.safer-networking.org
Hitman Pro 3 - Second Opinion Malware Scanner is a cleaning product. It offers no real time protection. Like Spybot and Malwarebytes you run it when you need it. It is not free. You can use it free for thirty (30) days; after that it stops working until you buy it. Even if you uninstall it and reinstall, clean the registry, and remove all traces of it from your computer, it still knows that you have used it and won't work until you buy it. This thing gets rootkits (a form of viruses, quite nasty and difficult to remove) that others don't. It is quick, but I have seen it miss things the others mentioned here have gotten.
http://www.surfright.nl/en/hitmanpro
Install Firefox with the Adblock Plus and NoScript extensions. Browsing won't be as pretty or as easy but you won't get drive-bys. I only say Firefox because this is what I am most familiar with. Google Chrome is supposed to be good also.
- <eVa> + Sarge +
- Retired Admin
- Posts: 1015
- Joined: Sun Feb 04, 2007 11:22 pm
Re: Looking for help after PC Hijack
http://www.superantispyware.com/ has a free version. It also has a bootable option that changes its name so these programs can't detect it and stop it from running.
It worked great on the Thinkpoint Virus, which is a lot like the one you described.
For future reference.