How To: Clean “Your internet access is going to get suspended” Virus
I was recently sent a copy of the “Your internet access is going to get suspended” virus, which is really annoying since my BitTorrent and P2P use is limited to Magnatune and downloading ISOs of Linux/BSD systems.
So, seeing a lack of responses from the big companies on how to remove it, I sacrificed my one Windows machine to it in an attempt to figure out how to fix it. This is a down and dirty fix, but it worked.
Installing the virus is easy: download the ZIP file, open it, then run the .EXE file inside.
The virus installed a new winlogin.exe file. Unfortunately, this can’t just be removed. After pulling the network cable to keep the machine from reinfecting itself, boot into safe mode. At the command prompt, delete the winlogin.exe file, along with krnlcab.sys, cabpck.dll, and k86.bin, from the System folder.
At this point follow these directions to extract a new winlogin.exe from the original install CD. Remove tmp/msi_setup/*, then reboot the computer and double-check that the three files above are still gone and that winlogin.exe has the new date.
Plug in the network cable and immediately do a software update. I found that SP3 had to be reinstalled, but it worked fine.
This is down and dirty, only worked on XP, and is potentially system breaking. If you are not confident in the directions above, wait for the Anti-Virus vendors to create an official fix.
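The double check from the cleanup steps above, as an added example (not code from the original post): it reports any of the three dropped files still present, whether winlogin.exe still carries the timestamp noted on the malicious copy, and anything left in the msi_setup folder. The directory paths and the recorded timestamp are assumptions supplied by the caller, since the post gives no full paths.

```python
import os

# File names come from the post. Matching is case-insensitive so the check
# also works on an offline-mounted disk under a case-sensitive OS.
DROPPED = ("krnlcab.sys", "cabpck.dll", "k86.bin")
REPLACED = "winlogin.exe"


def _listing(path):
    """Map lowercase name -> real name; a missing directory counts as empty."""
    try:
        return {n.lower(): n for n in os.listdir(path)}
    except FileNotFoundError:
        return {}


def check_cleanup(system_dir, staging_dir, infected_mtime):
    """Report what the manual cleanup left behind.

    system_dir and staging_dir are caller-supplied paths (assumptions).
    infected_mtime is the modification time, in epoch seconds, noted on the
    malicious winlogin.exe before it was deleted (also an assumption).
    """
    files = _listing(system_dir)
    leftovers = sorted(files[n] for n in DROPPED if n in files)
    if REPLACED not in files:
        login = "missing"  # deleted but never restored from the CD
    else:
        mtime = os.path.getmtime(os.path.join(system_dir, files[REPLACED]))
        # Same timestamp as the malicious copy means it was not replaced.
        login = "unchanged" if int(mtime) == int(infected_mtime) else "replaced"
    staging = sorted(_listing(staging_dir).values())
    return {
        "leftovers": leftovers,
        "login": login,
        "staging": staging,
        "clean": not leftovers and not staging and login == "replaced",
    }


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a folder where one dropped file has come back.
    with tempfile.TemporaryDirectory() as d:
        for name in ("K86.BIN", "winlogin.exe"):
            open(os.path.join(d, name), "w").close()
        os.utime(os.path.join(d, "winlogin.exe"), (1000, 1000))
        print(check_cleanup(d, os.path.join(d, "msi_setup"), 1000))
```

A result with `clean` set to false after the reboot means the machine should stay off the network until the steps are repeated.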