Just had a call from a mate.

He says he has been infected by a rogue anti-spyware suite called XP Security 2011.

Ok, that's not altogether unusual as there are plenty of the things crawling about the net. The problem is he has booted into safe mode so he can run anti-malware bytes, but this dodgy suite still automagically runs in safe mode and prevents execution of Anti-malware bytes and Microsoft Security Essentials!

I'll go and get rid of it obviously, but I've never seen one of these suites running in safe mode before. Intriguing.

A lot of them add the exe into the registry to boot even in safe mode.

I usually find killing the exe then a quick malwarebytes gets rid of it.

Out of curiosity, how do you kill the exe to do that? Just for future reference

If you open task manager when the rogue suite is supposedly running it's virus scan, you can identify which file it is through CPU usage.

I found that there where actually five executables, all with different names, so deleting one simply meant another ran the suite.

Very clever, and bloody annoying.

You can download a file called rkill.exe which will hunt them down, although XP security 2011 made that little more difficult by preventing executables from running. It resulted in the "open with" dialogue box popping up - so I just pointed it at the win.com file in the system32 folder.

After that cleaning up the system got a lot easier.

Needless to say, don't attempt a system restore or you'll re-infect the machine.

I was thinking of TM, but then I never understood what some of the process names meant, and Googling them often gave different opinions

Thanks for the info, good to know