AC 2011 virus

Post » Fri Dec 09, 2011 7:48 am

so i just got hit like a train with this virus all of a sudden, it was calling itself AC protection 2011 and was telling me my computer was at risk and all that usual trickery. however the aggressive part of this virus was that i did not click any pop ups and it installed itself (i am on a different computer right now obviously) and while it was running it was nearly impossible for me to have any other program active on the desktop that was not the ac 2011 thing

i was able to shut it down with task manager, which would close itself within seconds every time i opened it so i had to be quick, my anti virus software (avast) was blocking repeated attempts to open a website so i disconnected my internet. the source of the files was in my roaming folder and i deleted any new files that had not been there half an hour ago (they had weird names too like: S2dkjadXjshfd. or whatever.) and that seemed to finally close the main pop up but ultimately i have not been able to delete the main exe. (that my antivirus warns me is suspicious and asks me if i want to open it every 45 seconds) because windows won't let me shut down a program that is not running, and it isn't showing up in task manager.

so basically the purpose of me posting this is a heads up for non tech savvy people.

as well as asking for some help from some more tech savvy people. for now i am keeping my infected computer disconnected from the internet.
BlackaneseB
 
Posts: 3431
Joined: Sat Sep 23, 2006 1:21 am

Post » Fri Dec 09, 2011 8:58 am

Trojan Virus usually acts like an anti-virus software, would that be the case?
Mr.Broom30
 
Posts: 3433
Joined: Thu Nov 08, 2007 2:05 pm

Post » Fri Dec 09, 2011 4:31 am

Honestly, I personally wouldn't feel the computer is "clean" until either an image was restored or I reinstalled the OS.

Anyway, usual cleanup tool recommendations of go in safe mode, only go online long enough to download definition updates for antivirus/antimalware programs, and scan with http://www.malwarebytes.org/, http://www.filehippo.com/download_superantispyware/, and http://www.emsisoft.com/en/software/antimalware/ as well as whatever AV you have installed.

Don't forget to also flush your DNS cache (in the command prompt type "ipconfig /flushdns") and make sure any rogue entries weren't added to your hosts file (%windir%\system32\drivers\etc\hosts). Flushing your arp cache isn't a bad idea either (in the command prompt type "netsh interface ip delete arpcache")
josie treuberg
 
Posts: 3572
Joined: Wed Feb 07, 2007 7:56 am
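A defender-side check for the hosts-file step recommended above, added here as an example and not part of the thread: it parses a Windows hosts file and flags every mapping a clean install does not have, calling out overrides of the security-vendor sites named in this post. The watch list, the reasons text and the sample hosts content are constructed for the example.

```python
import ipaddress
# Entries a stock Windows hosts file legitimately contains.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# Assumed watch list: the vendor sites recommended in this thread plus the
# poster's AV; rogue AV commonly blocks these so cleanup tools can't be fetched.
WATCH_DOMAINS = ("malwarebytes.org", "emsisoft.com", "filehippo.com", "avast.com")

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring blank lines and # comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries

def audit_hosts(text):
    """Return (ip, hostname, reason) for every mapping a clean system lacks."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "malformed address"))
            continue
        if any(name == d or name.endswith("." + d) for d in WATCH_DOMAINS):
            findings.append((ip, name, "security vendor site overridden"))
        elif addr.is_loopback or addr.is_unspecified:
            findings.append((ip, name, "domain sinkholed to this machine"))
        else:
            findings.append((ip, name, "redirected to another host"))
    return findings

# Constructed sample hosts file for the demo (not a real capture).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org   # blocks the scanner download
0.0.0.0         emsisoft.com
127.0.0.1       downloads.example.net
10.0.0.5        www.example.com
"""

if __name__ == "__main__":
    for ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{ip:<16} {name:<28} {reason}")
```

On a real machine, read %windir%\system32\drivers\etc\hosts into the function instead of the sample text; anything it reports should be compared against what you or your software deliberately added.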

Post » Fri Dec 09, 2011 10:57 am

Trojan Virus usually acts like a anti-virus software, would that be the case?


Some do, not all of them though. The ones that do are pretty much a scam to trick you into buying the "full version" of their "antivirus software" to remove the malware, when you've really just given up your credit card number to do absolutely nothing.

I had a pretty nasty one on my old computer a few years back similar to the one mirglof described. IIRC, I got rid of it through a combination of HijackThis (great program, but only use it if you really know what you're doing or know someone who does) and AVG, along with two different spyware scanners for good measure.

Looking back, I probably should have just reformatted, but I didn't have my Windows install disk anymore.

EDIT: bah, 2 in the morning typos.
^_^
 
Posts: 3394
Joined: Thu May 31, 2007 12:01 am

Post » Fri Dec 09, 2011 10:58 am

Honestly, I personally wouldn't feel the computer is "clean" until either an image was restored or I reinstalled the OS.

Don't forget to also flush your DNS cache (in the command prompt type "ipconfig /flushdns") and make sure any rogue entries weren't added to your hosts file (%windir%\system32\drivers\etc\hosts). Flushing your arp cache isn't a bad idea either (in the command prompt type "netsh interface ip delete arpcache")

by image do you mean an image of the hard drive? cause i am pretty sure i don't have one of mine. and i have no idea how to go about reinstalling my OS but it sounds like it would wipe my hard drive clean... which i suppose would be the point but man would i lose A LOT of stuff.

but i did do the dns flush, no idea what that is or what it does but i trust the recommendation. as far as the arp cache i tried to flush it but that only prompted "requires evaluation (run as administrator)" which as far as i know i already am.
Austin Suggs
 
Posts: 3358
Joined: Sun Oct 07, 2007 5:35 pm

Post » Fri Dec 09, 2011 12:35 am

as far as the arp cache i tried to flush it but that only prompted "requires evaluation (run as administrator)" which as far as i know i already am.

In Windows Vista/7 you have to run the command prompt as administrator for certain actions. (type cmd into start menu > right click cmd.exe > run as administrator)
vanuza
 
Posts: 3522
Joined: Fri Sep 22, 2006 11:14 pm

Post » Fri Dec 09, 2011 7:42 am

by image do you mean an image of the hard drive? cause i am pretty sure i don't have one of mine.

An investment in imaging is one of the best investments you can make. I had a computer that would kick a user off in normal mode, and in safe mode had all sorts of problems. I was able to restore it to pristine condition in 20 minutes by restoring an image. No worrying about if I got it all, no worrying about a corrupted file. You just can't beat those results.

and i have no idea how to go about reinstalling my OS but it sounds like it would wipe my hard drive clean... which i suppose would be the point but man would i lose A LOT of stuff.

If you have a brand-name computer you should have recovery discs or been prompted to make them. In other cases you should have the Windows install disc which can perform the same action. Oftentimes there is also a way to boot into the recovery partition to perform a factory default.

Obviously you back up all your data before performing an OS reinstall.

as far as the arp cache i tried to flush it but that only prompted "requires evaluation (run as administrator)" which as far as i know i already am.

It means either you have UAC enabled (in which case you must right-click the command prompt launcher and select "Run as administrator") or the virus has been editing user permissions.
Ria dell
 
Posts: 3430
Joined: Sun Jun 25, 2006 4:03 pm

Post » Fri Dec 09, 2011 9:17 am

here are the results of my virus scan

3 threats found: two high severity, one has an error ("the system cannot find the path specified", probably because i deleted the folder it was in *the file name matched one that i deleted*)

the recommended actions were to "move to chest" but i chose delete, one was successfully deleted, the other was a repeat of the system cannot find path message.

the threat descriptions were: INI:cybot-gen [trj] (which i assume trj means trojan) and then the other was: NSIS:Startpage-AA [trj]

still cannot delete the dwme.exe which according to the system when i try to delete is still running "the file is open in dwme"

i wish i knew of a way to delete things even if they were running... seems like you'd be able to do that specifically in case a virus did take over your computer.

EDIT: ran command as administrator: interface ip delete arpcache. the response was "ok."
A Dardzz
 
Posts: 3370
Joined: Sat Jan 27, 2007 6:26 pm

Post » Fri Dec 09, 2011 1:41 am

here are the results of my virus scan

3 threats found: two high severity, one has an error ("the system cannot find the path specified", probably because i deleted the folder it was in *the file name matched one that i deleted*)

the recommended actions were to "move to chest" but i chose delete, one was successfully deleted, the other was a repeat of the system cannot find path message.

the threat descriptions were: INI:cybot-gen [trj] (which i assume trj means trojan) and then the other was: NSIS:Startpage-AA [trj]

still cannot delete the dwme.exe which according to the system when i try to delete is still running "the file is open in dwme"

i wish i knew of a way to delete things even if they were running... seems like you'd be able to do that specifically in case a virus did take over your computer.

Viruses will obviously try and stop you from deleting them, and when given enough permissions, they can be quite good at it. This is why safe mode is advised, as less stuff loads and you stand a better chance of removing them. In safe mode scan with all the tools I mentioned (install them if they aren't already installed).

From the command prompt (will need to be run as administrator) you can try "taskkill /im dwme.exe /f" right before you try and have your scanner remove the infection. The virus may be making use of the task manager impossible, but everything can be done from the command prompt if you know the right commands.
Emily Shackleton
 
Posts: 3535
Joined: Sun Feb 11, 2007 12:36 am

Post » Thu Dec 08, 2011 10:18 pm

Viruses will obviously try and stop you from deleting them, and when given enough permissions, they can be quite good at it. This is why safe mode is advised, as less stuff loads and you stand a better chance of removing them. In safe mode scan with all the tools I mentioned (install them if they aren't already installed).

From the command prompt (will need to be run as administrator) you can try "taskkill /im dwme.exe /f" right before you try and have your scanner remove the infection. The virus may be making use of the task manager impossible, but everything can be done from the command prompt if you know the right commands.


thank you for the assistance (everyone), that last command got rid of the exe. although i am too wary to consider the matter settled. i will follow up on your previous recommendations to make sure... and perhaps look into backing up my hard drive somehow.

probably going to change all my passwords as well... which sucks, i have a notepad with all of them (which is written in my own gibberish code, i know otherwise is insane because there are viruses that seek those .txt files out) but am considering doing it all on paper.

my only concern is that apple/itunes has my credit card info (well debit actually but that's actually worse since it's my money that potentially would be stolen as opposed to the credit card company that would be defrauded), which i did through a different computer than the infected one, but still access that information from my email so i think it does not matter which computer i gave that information through...
xxLindsAffec
 
Posts: 3604
Joined: Sun Jan 14, 2007 10:39 pm

Post » Thu Dec 08, 2011 11:22 pm

Had me worried that there was an Air Conditioner virus going around. Never trusted those things...
NAtIVe GOddess
 
Posts: 3348
Joined: Tue Aug 15, 2006 6:46 am

Post » Thu Dec 08, 2011 9:44 pm

btw... what is safe mode?
Jordan Fletcher
 
Posts: 3355
Joined: Tue Oct 16, 2007 5:27 am

Post » Fri Dec 09, 2011 5:47 am

btw... what is safe mode?
It's when Windows boots only the core processes. So for example, I have Steam, Open Office and Winamp launch on startup, in safe mode this doesn't happen. I'm sure you can imagine the implications.
Chloé
 
Posts: 3351
Joined: Sun Apr 08, 2007 8:15 am

