Friday, December 16, 2011

Removing the Fake Antivirus 2012 virus

The 2012 version of this fake antivirus is considerably more of a problem than the 2011 and older versions of it.  I'm surprised that many of the well-known antivirus programs still don't catch and prevent this.  Anyhow, removal will be time consuming and if you don't know what you're doing on a computer, it's probably not a good idea to attempt it yourself.  You can attempt to use a system restore, but most viruses save themselves where they won't be erased and then reappear weeks or even months down the road, so it's better to really remove it instead of doing a system restore.  But it does take work.

Now, there are a variety of sites out there that tell you how to remove this virus.  However, from my searching, all of them only tell you how to remove part of the virus.  This should help you remove all of it.  Yes, it's more steps, but it helps you clean your computer up much better than what you find on the other sites.  If you want, you can compare the instructions to see which parts are missed on the other sites.  For example, removing the cached Java files where the virus hides, removing the macromedia cache files where the virus hides, and removing anywhere from 20-30 to as many as 200+ registry entries where the virus hides.

One thing about this virus is that you don't need safe mode at all to remove it.  Start your computer.  Once you are on the desktop, right click on the taskbar and choose Start Task Manager.  Go to the Processes tab and look for a 3 letter filename (like dyx.exe).  You will have some legitimate ones (mdm.exe and jqs.exe are a couple of legitimate ones).  Take note of the filename because you will need it.  Click on that filename and then choose End Process and say OK.  The fake antivirus popup will be closed if it was open.  Leave Task Manager open in case it comes back.

Next, you want to fix the EXE files.  To do so, copy the following into Notepad on a different computer and save it as fix.reg (make sure it doesn't save as fix.reg.txt).  Copy it to your infected computer and double click on it.  If you named it correctly, it will ask if you want to import it to the registry.  Choose Yes.  Now all your EXE files will work again (and so will your web browsers).

(Copy what is between the ------- lines, without copying the ------- lines):
------
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}]
@=""

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="C:\\Program Files\\Mozilla Firefox\\firefox.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command]
@="\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -safe-mode"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="C:\\Program Files\\Internet Explorer\\iexplore.exe"

[-HKEY_CURRENT_USER\Software\Classes\.exe]

[-HKEY_CURRENT_USER\Software\Classes\pezfile]

[-HKEY_CLASSES_ROOT\.exe\shell\open\command]
----------

Before continuing, verify that the fake antivirus is still closed in Task Manager.  If it opened again, End Process on it again.

Now open regedit (XP: Start Menu > Run > regedit > OK; Vista/7: Start Menu > type regedit in the box and hit enter).  *** BE CAREFUL HERE -- Changing the wrong things in the registry can make Windows no longer work. ***

Do a search for the filename you found in Task Manager.  Press Ctrl-F and type in the filename, for example dyx.exe.  You're probably going to find it a lot.  On the left side of regedit is a list of "folders" and the right side is what is in the folders.  When it finds the file, look on the left side.  If the folders appear something like this:

AHX
--> DEFAULT ICON
--> SHELL
    --> OPEN
        --> COMMAND

(The AHX will be a random set of 2 or 3 letters without a . in front of it.  The folders in there should include SHELL > OPEN > COMMAND).  If that's what you see, right click on the AHX folder (or whatever 2-3 letters are there) and choose Delete and say OK.  If it's anything else, right click on the highlighted item on the RIGHT side of the screen and choose Delete.  Press F3 to continue your search.  Repeat this for everything you find.  Keep pressing F3 until it says it's done searching the registry.  Note that there could be anywhere from 20-30 to 200+ things you will have to delete.

The last thing to do in regedit is to re-enable your antivirus and firewall.  Using the folder tree on the left side, go to:

HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft

Then click on the Security Center folder (you don't need to expand it).  On the right side, you'll see (Default) and then 6 items related to firewall and antivirus.  Double click on the first one not counting Default (AntivirusDisableNotify).  Press 0 (the number, not the letter) and press OK.  Repeat for all items besides FirstRunDisabled.  That should remain 1.
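If you'd rather check the registry locations from the steps above before (or after) editing by hand, here is a read-only PowerShell audit.  It is an added example, not part of the original post: it assumes PowerShell 2.0 or later run as Administrator, and the Security Center value names beyond AntivirusDisableNotify are the standard XP/Vista/7 ones.

```powershell
# Read-only audit of the registry locations the removal steps above touch.
# Added example; assumes PowerShell 2.0+ on XP/Vista/7, run as Administrator. Changes nothing.
$findings = @()

# 1. .exe must map to "exefile", and exefile must launch "%1" %* (what fix.reg restores).
$exeClass = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\.exe' -ErrorAction SilentlyContinue).'(default)'
if ($exeClass -ne 'exefile') { $findings += ".exe maps to '$exeClass' instead of 'exefile'" }
$openCmd = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
if ($openCmd -ne '"%1" %*') { $findings += "exefile open command is '$openCmd' (expected ""%1"" %*)" }

# 2. A per-user .exe class under HKCU shadows HKCR; fix.reg deletes it.
if (Test-Path 'HKCU:\Software\Classes\.exe') { $findings += 'HKCU\Software\Classes\.exe exists (per-user .exe hijack)' }

# 3. Random 2-3 letter class keys (the "AHX" folders in the walkthrough) that carry a shell\open\command.
Get-ChildItem 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
  Where-Object { $_.PSChildName -match '^[A-Za-z]{2,3}$' } |
  ForEach-Object {
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$($_.PSChildName)\shell\open\command"
    if (Test-Path $cmdKey) {
      $cmd = (Get-ItemProperty $cmdKey).'(default)'
      $findings += "class key $($_.PSChildName) launches: $cmd"
    }
  }

# 4. Security Center switches: 0 = notifications on; FirstRunDisabled legitimately stays 1 and is skipped.
$sc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
foreach ($name in 'AntiVirusDisableNotify','AntiVirusOverride','FirewallDisableNotify','FirewallOverride','UpdatesDisableNotify') {
  if ($sc -and $sc.$name -eq 1) { $findings += "Security Center: $name is 1 (notifications suppressed)" }
}

# 5. Running processes whose image name is exactly three letters; compare against known-good ones like mdm and jqs.
Get-Process | Where-Object { $_.ProcessName -match '^[A-Za-z]{3}$' } |
  ForEach-Object { $findings += "3-letter process: $($_.ProcessName) (PID $($_.Id))" }

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

Anything it lists for items 1-4 should be gone after the fix.reg import and the regedit cleanup; item 5 is just a prompt to double-check what is still running.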

Next, go to the Start menu and click on Search.  Choose All Files.  Don't enter a filename, but click on the When Was It Modified and then select the date range of the current date.  * If you first saw the fake antivirus before the current date, then select the date you first saw it. *  So, if I saw this on 12/16/11, I'd enter that for the from AND to dates.  Press Search and wait.  It will take a while to search.  **Not everything that appears will be related to the virus, so don't start deleting everything!!**

Once the search finishes, start by looking for the filename for the virus (such as dyx.exe) and right click on it and choose Delete.  ** Do not run it or you'll have to start over. **  Next, expand the columns so you can see the path really well.  Look for anything that includes macromedia.  Delete any that are listed there.  Look through the filenames for anything that looks like a web address (especially to what sounds like a porn site).  Delete all of those.  If you know what you're doing, you can also check for other files that may be related to the virus.  These vary, so it's not possible to just list everything you have to delete.

Finally, go to the Start Menu and click on Control Panel.  Double click on Java.  Under Temporary Internet Files, click Settings.  Then click Delete Files.  This is important because you could be reinfected by not removing these files.

* NEW:  Go to the start menu and choose Run and type CMD and press Enter (for XP or older) or type CMD in the box at the bottom of the start menu and press Enter (Vista and 7).  A black command prompt box will appear.  Type the following commands.  You should receive a successful popup after each command.

regsvr32 wuapi.dll
regsvr32 wuaueng.dll
regsvr32 atl.dll
regsvr32 wucltui.dll
regsvr32 wups.dll

That will re-enable your automatic updates that the virus most likely disabled.

You should now be free of the virus.  I recommend also downloading and running SpyBot S&D.  It's a free malware/trojan scanner.  Just be careful with it as it can list legitimate items in its results.  You can expand each item it finds to see the path.  If the path is for something legitimate such as your antivirus software or some other program you use, then uncheck it before clicking Fix.

You should also delete all temporary files.  Go to the Start Menu and click Run (for XP) or type in (for Vista/7):  %temp% and press OK or hit Enter.  Delete everything in there.  If it says it can't delete something, just skip that item and continue deleting the rest.  Then also open C:\Windows\Temp\ and delete all files in there.  Again, if something can't be deleted, just skip it.
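The file search, cache and temp steps above can be previewed the same way.  This is an added example, not part of the original post: a read-only PowerShell sweep that lists files modified since the date you first saw the popup and flags the kinds of names the steps call out, plus a count of what sits in the Java and Macromedia caches.  It assumes PowerShell 2.0 or later; the cache paths are the usual XP and Vista/7 locations and $since is a placeholder you set yourself.

```powershell
# Read-only sweep matching the date search and cache-cleanup steps above. Nothing is deleted.
# Added example; assumes PowerShell 2.0+. Set $since to the day the fake antivirus first appeared.
$since = Get-Date '2011-12-16'   # placeholder date from the post; replace with your own

$roots = @($env:USERPROFILE, (Join-Path $env:windir 'Temp'), $env:TEMP)
$cacheDirs = @(
  (Join-Path $env:APPDATA 'Sun\Java\Deployment\cache'),                          # XP layout
  (Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\cache'),     # Vista/7 layout
  (Join-Path $env:APPDATA 'Macromedia\Flash Player')
)

$hits = @()
foreach ($root in $roots) {
  if (-not (Test-Path $root)) { continue }
  Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $since } |
    ForEach-Object {
      $reason = $null
      if ($_.Name -match '^[A-Za-z]{3}\.exe$')                        { $reason = 'three-letter exe' }
      elseif ($_.FullName -match '\\Macromedia\\')                   { $reason = 'Macromedia cache' }
      elseif ($_.FullName -match '\\Sun\\Java\\Deployment\\cache\\') { $reason = 'Java cache' }
      elseif ($_.Name -match 'www\.|\.com\.|\.net\.')                { $reason = 'web-address-like name' }
      if ($reason) {
        $hits += New-Object PSObject -Property @{ Reason = $reason; Modified = $_.LastWriteTime; Path = $_.FullName }
      }
    }
}

# Cache folders the post says to empty, with how many files are currently in each.
foreach ($dir in $cacheDirs) {
  if (Test-Path $dir) {
    $n = @(Get-ChildItem $dir -Recurse -Force -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer }).Count
    "$dir : $n cached files"
  }
}

$hits | Sort-Object Modified | Format-Table Reason, Modified, Path -AutoSize
```

As the post says, not everything with a recent modified date belongs to the virus; the list is a starting point for the manual review, not a delete list.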

In most cases, this will fix your problems.  But keep a very close eye on your computer for a while to make sure it doesn't come back.  This virus varies and can hide itself to a limited extent.  Following instructions to remove it will work in most cases, but it is possible that you'll need someone who knows what they are doing to sit there and remove it directly.

I hope this helps people.  One thing you might also want to do is to get an ad blocker addon for your browser such as Ad Block Plus for Firefox.  Many of these kinds of viruses come from ads on legitimate websites.  By blocking the ads, you have a lower chance of getting these kinds of viruses.  Good luck everyone.