For future reference, this malware usually installs a rootkit (not all variants do from what I've encountered) and can't just be fixed with a typical malware scan (meaning it'll come back eventually). Here's my removal steps off the top of my head:
1) Open RegEdit (Windows Key + R -> Type in "regedit" and hit enter) and navigate to: HK_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run (Also check RunOnce) and look for anything that points to C:\ProgramData or C:\Users\\AppData or C:\Documents and Settings\Application Data or C:\Documents and Settings\Local Data.
2) Remove any unknown shit from those locations, particularly ones with incomprehensible names. (This is done to help prevent shit from running under other user accounts)
3) Create a second user if you don't have another one you can log into. This can be done through command line (Windows Key + R -> Type in "cmd" and hit enter). The commands are "net user /add" followed by "net localgroup administrators /add"
4) Sign into said account.
5) Open up IE (I say IE because I know the shortcut) through run (Windows Key + R -> type iexplore.exe and hit enter) -- Alternatively get all this from alternate computer instead and run from thumb drive
6) Download/Install/Scan and run Malwarebytes [Removes basic shit] first. Then do the same with a program called Hitman Pro [Removes rootkits + extra shit] (Free 30 day trial for non-domain computers; no need to install/register). Finally do one called TDSSKiller [second opinion scanner] (no install) and you should be good.
7) Now download and run:
http://download.bleepingcomputer.com/grinler/unhide.exe
8) You can then go to open up your temp folder and retrieve your start menu (Windows Key + R -> type %temp% and hit enter) which is located in a folder called smtms or something similar (sort by date, makes it easier). On Windows 7 you want to copy it to C:\ProgramData\Microsoft\Windows\Start Menu\
9) Reboot into safe mode. Sign into your normal user account and download/run:
http://live.sysinternals.com/procexp.exe
10) Make sure you have no garbled shit attached to explorer.exe.
11) Open RegEdit (Windows Key + R -> Type in "regedit" and hit enter) and navigate to: HK_Current_User\Software\Microsoft\Windows\CurrentVersion\Run (Also check RunOnce) and look for anything that points to C:\ProgramData or C:\Users\\AppData or C:\Documents and Settings\Application Data or C:\Documents and Settings\Local Data.
12) Remove any unknown shit from those locations, particularly ones with incomprehensible names. Even though it likely points to nothing since the malware was deleted, it should be removed.
If that doesn't work (Usually does though), then I usually say
it and just reimage/rebuild the machine after backing stuff up. Actually removed this malware on a client machine today. One of the worse variants this time and I'm not sure who the
made that person a local administrator but I want to shoot them in the face. Turned into a 15 minute quick fix to a 1.5-2 hour fix. Would have reimaged it if they weren't 45 minutes away and not enough people in the office today.
