Help removing XP Home Security 2011 - fake malware
One of my users found this on her computer when she turned it on this am. Scan with Norton found nothing. Cannot install MalwareBytes or HiJack This (blocking .exe files). I Googled this thing to death, and I am not finding anything in the registry that I supposedly would find, and nothing in program files, hidden files, etc.
She did not click on it, just came running when she saw the screen.
So I could use some suggestions to get rid of this PITA program.
She did not click on it, just came running when she saw the screen.
So I could use some suggestions to get rid of this PITA program.
Comments
-
Claymoore Member Posts: 1,637Social Engineering - because there is no patch for human stupidity. Include 'Security', 'System Tools', or 'Anti-Virus' in the name and users will happily click away to install it. If they had bothered to read the pop-up they would have noticed the typos and bad grammar and got a bad feeling about this friendly, helpful software.
I prefer to burn down infected systems and rebuild, but I bet she needs the data off the PC, right? You'll need something that can boot from CD and perform an offline scan. I use the Standalone System Sweeper from the DaRT CD, which is part of the Microsoft Desktop Optimization Pack, but anything reputable with updated signatures should work. -
gosh1976 Member Posts: 441I am currently running scans on a computer with this and I was able to install super anti-spyware as well as malware bytes from a USB thumbdrive. Have you tried installing them in safe mode?
-
mattlee09 Member Posts: 205Cannot install MalwareBytes or HiJack This (blocking .exe files). I Googled this thing to death, and I am not finding anything in the registry that I supposedly would find, and nothing in program files, hidden files, etc.
It comes in several different packages, so you should be able to at least run it. After that, try installing Malwarebytes and doing the scan again. I've had a 90% success rate with RKill + Malwarebytes.
Some viruses simply block "mbam.exe", so if you change the name to "explorer.exe" or something you know is allowed, might work. -
CodeBlox Member Posts: 1,363 ■■■■□□□□□□Can you boot into safemode? Are you presented with a desktop while in safemode(explorer.exe)?Currently reading: Network Warrior, Unix Network Programming by Richard Stevens
-
SteveLord Member Posts: 1,717I just removed this from a Windows 7 machine at work. "Internet Antivirus 2011" or something. Malwarebytes installed and did it. But NOD32 took 2 reinstalls to get working. It's folder was completely deleted by the malware. And then the first install left the real time protection disabled, with no way to enable it.
Half an hour of work (3min scan by Malwarebytes). All done. I've been toying with rogue software for years, but this is the first one in the Windows 7 era that I've had.
Next door, a guy's laptop was hit by it. But it had XP on it and supposedly he lost a lot more. Luckily there was an image from a few weeks ago that easily put it back in good shape.
My staff member said he was on a weather site. This may be where he got hit with the ad to install it. Last year, one of our local news stations and the paper...both had this garbage coming through their ad banners.WGU B.S.IT - 9/1/2015 >>> ??? -
Alif_Sadida_Ekin Member Posts: 341 ■■■■□□□□□□Not sure if you have this option, but I usually just run a system restore and choose an earlier snapshot of the system before the virus got installed. Do that and you're done in 15 minutes.
For completely hosed systems I just load up an ubuntu live cd, backup the user's docs, pictures, music, etc. and then just reformat.AWS: Solutions Architect Associate, MCSA, MCTS, CIW Professional, A+, Network+, Security+, Project+
BS, Information Technology -
odysseyelite Member Posts: 504 ■■■■■□□□□□We run into this malware all the time at work.
We use Microsoft Security Essentials on a MS-DART cd. After it removes it the system is usually pretty good.
This malware sticks itself inside the user's profile. So sometimes you can rename the profile, log back onto the system as the user, setup their mail, copy their favorites, desktop, documents over. Then delete the old profile.Currently reading: Start with Why: How Great Leaders Inspire Everyone to Take Action -
Bokeh Member Posts: 1,636 ■■■■■■■□□□Well I am just ending up nuking this computer. Put a spare in its place, and going to town on it now. So DBAN is running, then will pull the image and restore. Thanks for everyone's suggestions.
-
Devilsbane Member Posts: 4,214 ■■■■■■■■□□Try renaming the mbam setup file to logon.exe and running it. I've used this with effectiveness before.Decide what to be and go be it.
-
newmove Member Posts: 108If you can get to Safemode with networking, download malwarebytes from there,update it and scan. Easy peasy!
-
Bokeh Member Posts: 1,636 ■■■■■■■□□□Renaming malwarebytes did not do the trick. It would not allow any .exe files to run that were not on the machine already, and everytime you opened IE, it would close it. So to be sure that we got rid of it, I nuked it with DBAN, and did a complete reinstall of everything.
-
-Foxer- Member Posts: 151Download Rkill, but get the version name iexplore.exe. That way the malware on the system will allow it to run because it thinks is internet explorer.
Once that finishes, download and run combofix.exe.
After that run a regular anti-virus/malware program.
Those three things will most likely get rid of it. I've done it many times with great success. -
N2IT Inactive Imported Users Posts: 7,483 ■■■■■■■■■■Reimage it's faster than poking around with malware tools.
-
Psoasman Member Posts: 2,687 ■■■■■■■■■□I have had success with booting into safe mode and then running a system restore to get rid of those kinds of malware.
-
gosh1976 Member Posts: 441I've always thought doing a system restore to get rid of malware was a bad idea. Although it may get you to place where scans can be run it shouldn't be the only step. In fact generally one the last things I do when cleaning up an infected machine is to either turn system restore off- reboot and then turn it back on or to just delete the system restore points depending on the OS.
-
ConradJ Member Posts: 83 ■■□□□□□□□□Download Rkill, but get the version name iexplore.exe. That way the malware on the system will allow it to run because it thinks is internet explorer.
Once that finishes, download and run combofix.exe.
After that run a regular anti-virus/malware program.
Those three things will most likely get rid of it. I've done it many times with great success.
Quoted for truth! RKill will stop the processes, combofix will remove it the do a cleanup with MBAM. Simples -
hex_omega Member Posts: 183At work I have a USB SATA docking station where I can quickly just take the dirty drive, hook it up, and scan it with NOD32. ESET makes excellent AV software and it has always recognized and deleted the offending file(s).
And even if you can remove it, these things always tend to corrupt/change registry settings, and weird things happen as a result. OP mentioned not being able to open exe files. Here is a fix:
Can't open EXE files -
wastedtime Member Posts: 586 ■■■■□□□□□□Personally, I have never had to do this in a computer service support setting. I have had to do it before. I always recommend wiping the disk and reinstalling the OS. The software may put additional dll hooks or wrappers in there that may not be taken care of. This may lead to re-infection or system instabilities even after it looks like it is gone.
-
Monkerz Member Posts: 842I know it is going to sound noobish, but I have has a ton of luck with Avast's boot-time scanner. Usually when I have a "slow pc" or "possible virus" call, I install avast and run the boot-time scanner. After that, I install Malwarebytes and run, which usually doesn't find much because Avast picked up everything.
-
Devilsbane Member Posts: 4,214 ■■■■■■■■□□Reimage it's faster than poking around with malware tools.
Not only is this true, but it is also the only way to guarantee success.
But sometimes it is just fun to try and outsmart the dang thing.Decide what to be and go be it. -
SteveLord Member Posts: 1,717Devilsbane wrote: »Not only is this true, but it is also the only way to guarantee success.
But sometimes it is just fun to try and outsmart the dang thing.
IF you're in the position to reimage and you have nothing you care to lose from the current system.WGU B.S.IT - 9/1/2015 >>> ??? -
Devilsbane Member Posts: 4,214 ■■■■■■■■□□IF you're in the position to reimage and you have nothing you care to lose from the current system.
Files can be backed up with minimal risk of reinfection. Save them on an external device, run them through a couple virus scans, and call it a day. You can even extract your program serial numbers if that is your concern.
I usually try to clean things up, but I also consider the usage of the computer. I would never check banking information or anything like that again from a computer that was once heavily infected. But I also rarely run into a heavily infected system because I have antivirus software installed that runs several times a week and gets updates, and more inportantly... I don't click on stupid things, which is how you land yourself into this problem 99% of the time.Decide what to be and go be it. -
Armor149 Member Posts: 115 ■■■□□□□□□□It seems like these come in waves at work. I can go for months with no infected users and then out of nowhere desktops get infected.
I normally use Rkill and Malwarebytes. This gets it most of the time, providing the user was smart enough to call as soon as they get it and not wait for weeks.
On occasion for those really stubborn infections, I have been booting the infected desktops using Ubuntu from a flash drive with Avast loaded. This works really nice. -
Bokeh Member Posts: 1,636 ■■■■■■■□□□Well after talking to the person who's machine was infected, it seems she went on whitepages.com to cross reference a phone number to an address, and this PITA popped up a minute later.
I just backed up her documents, pst, and then wiped it all out and reinstalled from scratch. -
molliegooch82 Registered Users Posts: 1 ■□□□□□□□□□Sometimes malwarebytes no longer works due to c rogues that neutralizes Rkill why there is a utility that fixes the problem.
Step No. 1 - Download rkill
- You can find the download on beeping computer. Sometimes a link does not work, so in order to download from the following link (different format).
Step No. 2 - Disable the resident module of the antivirus and antispyware than is preferable.
Step No. 3 - start rkill
- XP: Double-click the downloaded file rkill to launch the tool. Vista and 7: right click on the downloaded file rkill and choose "Run as Administrator" to launch the tool.
- A black window will appear briefly, then disappear, along with some files are created. Once the window closed, blocking harmful process utilities will be neutralized. -
Hypntick Member Posts: 1,451 ■■■■■■□□□□We usually do a combofix and malwarebytes combination on the system. If that doesn't clear it up, it's more cost effective all around to wipe and re-image.WGU BS:IT Completed June 30th 2012.
WGU MS:ISA Completed October 30th 2013. -
gosh1976 Member Posts: 441malware-bytes has been disappointing lately. Super Anti-Spyware has been better with finding infected files lately.
-
brad- Member Posts: 1,218I have ran into this a couple of times. This is what fixed it:
1-You have to find the .exe in taskmanager and end it. Make note of the name...it has typically been some random 3 letter string .exe
2-Do a search for just the 3 letter string, include hidden folders, and delete
3-In the registry, do a find for the same 3 letter string. Delete.
4-Empty recycle bin -
ally_uk Member Posts: 1,145 ■■■■□□□□□□few dirty ways to deal with this, Boot Up a linux distro mount the NTFS partition and Go to town on it with virus removal.
Trinity Rescue kit boot it up run the Scans.
Lastly Ultimate Boot CD or some form of Win Pe run malware remover from the PE environment
Take the HD out hook it up to a isolated machine and do what you gotta do
Boot Up System Rescue CD
Few tools I use to deal with malwareMicrosoft's strategy to conquer the I.T industry
" Embrace, evolve, extinguish "