Bloody Malware, Trojans and Viruses

09 Apr 2011

Let’s face it, computers are temperamental at the best of times, especially if you’re using Windows, but things get even more complicated, even for hardened computer geeks, when you throw Malware, Trojans and Viruses into the mix.

At one time all you’d get was some twat gluing your locks, egging your windows or slashing your tyres; now you have some smartarse trying to screw up your computer. FFS, they don’t even need to be anywhere near you to totally mess things up.

Take today as a case in point. My daughter thrust her laptop in my face saying she had this strange message on the screen. As soon as I looked at the message my gut feeling was Malware, Trojan or Virus. It was a very official-looking application called “MS Removal Tool”. I immediately knew something was up because the McAfee shield was not present in the notification area. I tried opening McAfee, Task Manager and the Command Prompt but none of them worked. I right-clicked the taskbar icon and my suspicions were confirmed when the application was named iDp24512f0cJf24511.exe. Now call me suspicious, but I’m sure a legitimate application developer would be hard pushed to call their application by that crazy name.

After a bit of research the actual removal was quite straightforward. A lot of the solutions I read about involved downloading further “spyware” removal tools, which I was a bit dubious about since the sites were not what I would call mainstream, but for me this was not required.

  • boot into safe mode with networking (keep pressing F8 when the PC starts then select safe mode with networking)
  • delete the folder C:\ProgramData\iDp24512f0cJf24511 which contains the file iDp24512f0cJf24511.exe - in your case it’ll probably be a different set of random characters
  • open the registry (regedit.exe) and find the following key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • there will probably be only one entry, with a name of iDp24512f0cJf24511 and a data value of C:\ProgramData\iDp24512f0cJf24511\iDp24512f0cJf24511.exe - once again in your case it’ll probably be a different set of random characters - delete this entry (it is a value under the RunOnce key, so remove just that value, not the whole key)
  • some of the articles I read mentioned that the hosts file and/or the browser LAN settings may have been changed but neither were for me
  • I also deleted all browser cache & cookies as well as everything in the temp folder (C:\Users\[YourName]\AppData\Local\Temp)
  • I ran a virus scan which came up clean
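The checks in the list above, gathered into one PowerShell audit script. This is an added example and not part of the original post: it lists the Run and RunOnce entries for both the current user and the machine, flags any whose executable lives under ProgramData or a temp folder or whose name looks like the random string in the post, and then shows the hosts-file overrides and browser proxy settings the other articles mentioned. The random-name heuristic and the list of suspicious directories are my own assumptions and will need tuning; the script only reports and prints the removal command for you to run once you have confirmed an entry is bogus.

```powershell
# Added example (not from the original post): audit the persistence points
# described above. Report-only; nothing is deleted or changed.
# Run from an elevated PowerShell prompt (Safe Mode with Networking is fine)
# so the HKLM keys can be read as well as HKCU.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Assumption: a legitimate installer rarely autostarts a binary from these.
$suspiciousDirs = @(
    $env:ProgramData,
    (Join-Path $env:LOCALAPPDATA 'Temp'),
    $env:TEMP
) | Where-Object { $_ } | Select-Object -Unique

function Test-RandomName {
    param([string]$Name)
    # Heuristic (assumption): 12+ characters of mixed-case letters and digits
    # with no separator, like iDp24512f0cJf24511 in the post.
    return ($Name -match '^[A-Za-z0-9]{12,}$') -and ($Name -match '\d') -and
           ($Name -cmatch '[a-z]') -and ($Name -cmatch '[A-Z]')
}

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata
            $data = [string]$p.Value
            # Pull the executable path out of the command line: either the
            # quoted first token or the first whitespace-delimited token.
            if     ($data -match '^"([^"]+)"') { $exe = $Matches[1] }
            elseif ($data -match '^(\S+)')     { $exe = $Matches[1] }
            else                               { $exe = $data }
            $inSuspiciousDir = $false
            foreach ($d in $suspiciousDirs) {
                if ($exe.StartsWith($d + '\', [StringComparison]::OrdinalIgnoreCase)) {
                    $inSuspiciousDir = $true
                }
            }
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $data
                Executable = $exe
                Exists     = (Test-Path -LiteralPath $exe)
                Suspicious = ($inSuspiciousDir -or (Test-RandomName $p.Name))
            }
        }
    }
}

function Get-HostsOverrides {
    # Any active line other than the standard localhost mappings.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts | Where-Object {
        $line = $_.Trim()
        $line -and -not $line.StartsWith('#') -and
        $line -notmatch '^(127\.0\.0\.1|::1)\s+localhost\b'
    }
}

function Get-ProxySettings {
    # The "LAN settings" dialog writes here; a proxy or PAC URL you did not
    # configure yourself is worth a look.
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $inet
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
    }
}

$entries = @(Get-AutostartEntries)
Write-Host "== Run / RunOnce entries =="
$entries | Format-Table Key, Name, Executable, Exists, Suspicious -AutoSize | Out-String | Write-Host

foreach ($e in ($entries | Where-Object Suspicious)) {
    Write-Host "Suspicious autostart: $($e.Name) -> $($e.Command)"
    Write-Host "  After confirming it is bogus, remove the value (not the key) with:"
    Write-Host "  Remove-ItemProperty -Path '$($e.Key)' -Name '$($e.Name)'"
    Write-Host "  and delete the folder containing $($e.Executable)"
}

Write-Host "== hosts file overrides (expect none) =="
Get-HostsOverrides | ForEach-Object { Write-Host "  $_" }

Write-Host "== Browser proxy settings =="
Get-ProxySettings | Format-List | Out-String | Write-Host
```

Run it before you delete anything so you have a record of what was there, and run it again afterwards to confirm the entry and folder are gone. A `Suspicious` hit is a prompt to look, not proof: some legitimate installers do put a first-run helper in RunOnce, so check the executable's folder and publisher before removing it.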

Job done, everything back to normal. I also took the liberty of downgrading the user account from Administrator to a standard User account.