getting rid of the win7 antivirus 2012 virus
  • #1

    Okay, this one is being a tough bugger. Microsoft Security Essentials isn't catching it and I can't find it to delete manually.
    Any suggestions?
    If you wish to find meaning, listen to the music not the song

  • #2
    Oddly enough, I'm hammering away at such a disaster as you (XP with 'Security Shield' on it). It may take me some time, as all my computers run Linux, and I find myself having to relearn all the bad habits of Windows (and Windows users). The only program, security-wise, he's updated on this thing has been the virus scanner (Avira) that does it automatically. Spybot, Java, Flash, Reader, etc., are all at least a year old, if not more.

    Try looking at this to fix your problem.

    barcode


  • #3
    I had that on one of my systems. It took starting in Safe Mode, running Malwarebytes, Spybot and antivirus. Took hours to get it gone. But it can be done.


  • #4
    I'd nuke and pave. Then only restore data that is not executable...


  • #5
    I just had this one. It can disable MSE and Malwarebytes, and remap the .exe extensions. It also fubars your internet browser by hijacking the window.

    I finally got rid of it by running Task Manager to find the services it was starting up when trying to do other things, killing the service, and deleting the executable it was using.

    Eventually, you'll be able to get it not to run in Safe Mode, and can run some cleaners to muck it out a bit. You'll also need to go into a registry editor to change the .exe entry to map back to executable--info on doing that can be found by googling ".exe file extension remapped" and finding the article on the exact registry entries to fix.

    Really ugly little virus/hostageware. More than a bit of a pain to clear out, and it just slipped in through normally strong protections. Hopefully MSE is updated to stop this one soon. I think I caught it through a rogue web ad on a legit forum site.
    The Rich keep getting richer because they keep doing what it was that made them rich. Ditto the Poor.
    "Hy kan tell dey is schmot qvestions, dey is makink my head hurt."
    Hoc spatio locantur.


  • #6
    Rename the Malwarebytes executable from mbam.exe to mbam.com and it will run. bleepingcomputer.com also has a .reg file to fix the executable remapping issue and ComboFix, which will also remove this little devil.

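Posts #5 and #6 describe repairing the hijacked .exe association by hand or with a .reg file; the PowerShell script below is an added example (not from the thread or from bleepingcomputer.com) that audits those keys, flags the per-user overrides a rogue typically plants, and restores the Windows defaults when run with -Repair. It assumes the stock Windows XP/7 values (HKCR\.exe -> exefile, exefile\shell\open\command -> "%1" %*) and that no legitimate per-user .exe override exists.

```powershell
# Added example (not from the thread): audit the file-association keys that a
# rogue "antivirus" hijacks so every .exe launches the malware first, and put
# the Windows defaults back with -Repair. Run it from an elevated prompt.
param([switch]$Repair)

# Stock Windows values for the .exe association (HKCR is the merged view).
$Expected = [ordered]@{
    'Registry::HKEY_CLASSES_ROOT\.exe'                      = 'exefile'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
}

# Per-user overrides: absent on a clean machine. A rogue likes to create them
# because HKCU\Software\Classes takes precedence over HKLM inside HKCR.
$UserOverrides = @('HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\exefile')

function Get-DefaultValue([string]$Path) {
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')      # '' selects the (Default) value
}

$hijacked = $false
foreach ($path in $Expected.Keys) {
    $actual = Get-DefaultValue $path
    if ($actual -ne $Expected[$path]) {
        $hijacked = $true
        Write-Warning "$path is '$actual' (expected '$($Expected[$path])')"
        if ($Repair) {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            Set-ItemProperty -Path $path -Name '(default)' -Value $Expected[$path]
        }
    }
}
foreach ($path in $UserOverrides) {
    if (Test-Path $path) {
        $hijacked = $true
        Write-Warning "Per-user override present: $path -> '$(Get-DefaultValue $path)'"
        if ($Repair) { Remove-Item -Path $path -Recurse -Force }
    }
}

# Why the mbam.com trick in post #6 works: .com resolves through comfile, which
# the rogue usually leaves alone, and the loader ignores the file extension.
if (-not $hijacked)  { 'The .exe association matches the Windows defaults.' }
elseif ($Repair)     { 'Defaults restored. Reboot, then run your scanners.' }
else                 { 'Hijack found. Re-run with -Repair from an elevated prompt.' }
```

Run it once without -Repair to see what changed before touching anything; the rogue's own executable still needs to be found and removed by the scanners afterwards.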

  • #7
    One my grampa gave me from bleepingcomputer.com is called Rkill. It stops the .exe program from running. Once it kills the .exe, start back up your antivirus and get rid of it. It's called the Sirefef.B virus; good luck getting rid of it completely, as it's part of a larger, more serious infection via rootkit virus. Mine came in through my Adobe Flash Player somehow. I have Rkill on my desktop so I can shut the SOB down when it pops back up. It's hit me about 4 times already. I hate whoever made it and if I could find out who it was, I would have a serious 'conversation' with them. Also I'm sorry to say, if you can't get rid of it you will have to do a complete wipedown of your hard drive, reformat it and clean reinstall Windows. I'm nearly at the point of having to do that myself -.-
    My Wajas cave


  • #8
    I don't know if it helps, but I just remembered that the executable files it hid on my hard drive all used a cartoon-y panda head (detail view). Odd that they'd make it that easy to find when everything else was such a pain.


  • #9
    I've encountered several variants of this in the past two years and bleepingcomputer.com has been my friend for removal instructions. One observation I can make that will ease cleaning these up in the future is to use a limited user account. I have had a couple of my XP users pick it up and it was only able to infect their limited user account, and not my admin account. Made cleaning it up immensely easier. And if you are running Windows 7, running as a limited user is nowhere near as big a pain in the ass as it used to be.


  • #10
    Just an update...

    After four days, I finally emerged as the victor!

    Thank {Deity/Deities/FSM} for Bleeping Computer and h-online.com, otherwise it would've been another FFR.

    [Monk]
    Here's what happened...
    [/Monk]

    The fake security was just the tip of the iceberg. After getting rid of the major threats by slaving the drive to a clean PC, I threw it back into the comp and re-ran Avira/MBAM. At least, I tried to. After a few looks over at Bleeping, I was able to fix most things via rKill, ComboFix, a reg key, and a rootkit scanner. After all that, I was still unable to get any internet connection. That is, if you brought up the Task Manager, it would tell you there were no adapters available. Yet, if I unplugged the cable, it promptly told me the cable was unplugged. WTF?

    I gave up about halfway through day 3 of hammering on this thing, when I was browsing on my "never had so much as a security hiccup" Linux box, and while looking at a Linux-related story from LinuxToday, a sidebar caught my attention: it linked to h-online (a security site) about dissecting a TLD/ZeroAccess rootkit. "Hey!", I thought, "That's what that @#$%ing computer had!" So, as the author was plotting out how the rootkit worked, there it was: TLD (and variants) like to hook themselves into a driver (network or atapi), so that it'll load in Safe Mode, too. So, if you remove the rootkit, it doesn't re-establish the correct vectors to re-enable the drivers - it stays vectored to a now missing file (dll, exe), and bombs the driver without Windows complaining.

    Since I happened to have a working comp with the same version of XP as the target, I just spent some more time copying known good files in the system32 and drivercache directories over to the re-slaved drive. It took a couple of shots, but I finally got a fully working computer, and was able to apply all updates. Whew!

    (Note: I did not have, nor did the user, any HP OEM XP SP2 CDs to run a non-destructive system restore.)

    And RottenFruit, sometimes the user, after YEARS of being told to do so, will NOT have any backups, and force you into four-day cleanup marathons. That, and I actually like to find out what they got, how they got it, and how to get rid of it so that others don't suffer the same fate.

    As near as I can figure out, he got most of his infections from a Java exploit (now patched with version 6.30), as well as some questionable downloading from Frostwire/Bearshare.


  • #11
    I had this on my computer at one time. The only way I could get rid of it was Malwarebytes. But in order to get it to run I had to go into my Program Files and open it from there.
    Never underestimate the power of human stupidity. ~ Robert Heinlein