I’ve been having a few repair jobs in this week with a new variant of the Security tool “Vista 2012” fake Internet security tool trojan / virus.

This one, at least for now is a little trickier to remove as it is still active in ‘Safe mode’.

Symptoms are that the security program pops up every time you start a program and won’t go away

The virus is activated by being activated to the explorer.exe and browser .exe’s and also, annoyingly to the general exefile\shell\open and .exe\shell\open commands which means it is initialised every time a program is run including virus / malware removal tools.

in these cases (My jobs) the virus file was named fob.exe and was visible in task manager

manually removing fob.exe using a Win PE or Linux disk will stop the app running in Windows but then break the execution of  programs resulting in the ‘open with’ box each time an exe file is run

In my experience, starting a malwarebytes installation in ‘safe mode with networking’  using ‘run as administrator’  bypassed the problem, allowing it to install and run repairing the broken exefile registry values in the process

further virus scans and tmp file removal will be necessary to complete the removal

 

Shaun