
Help removing XP Home Security 2011 - fake malware

Bokeh Member Posts: 1,636
One of my users found this on her computer when she turned it on this a.m. A scan with Norton found nothing. Cannot install Malwarebytes or HijackThis (it is blocking .exe files). I Googled this thing to death, and I am not finding anything in the registry that I supposedly would find, and nothing in program files, hidden files, etc.

She did not click on it, just came running when she saw the screen.

So I could use some suggestions to get rid of this PITA program.

Comments

  • Claymoore Member Posts: 1,637
    Social Engineering - because there is no patch for human stupidity. Include 'Security', 'System Tools', or 'Anti-Virus' in the name and users will happily click away to install it. If they had bothered to read the pop-up they would have noticed the typos and bad grammar and got a bad feeling about this friendly, helpful software.

    I prefer to burn down infected systems and rebuild, but I bet she needs the data off the PC, right? You'll need something that can boot from CD and perform an offline scan. I use the Standalone System Sweeper from the DaRT CD, which is part of the Microsoft Desktop Optimization Pack, but anything reputable with updated signatures should work.
  • gosh1976 Member Posts: 441
    I am currently running scans on a computer with this and I was able to install SUPERAntiSpyware as well as Malwarebytes from a USB thumb drive. Have you tried installing them in safe mode?
  • mattlee09 Member Posts: 205
    Bokeh wrote: »
    Cannot install Malwarebytes or HijackThis (it is blocking .exe files). I Googled this thing to death, and I am not finding anything in the registry that I supposedly would find, and nothing in program files, hidden files, etc.
    Try using RKill to stop the virus processes: RKill - What it does and What it Doesn't - A brief introduction to the program

    It comes in several different packages, so you should be able to at least run it. After that, try installing Malwarebytes and doing the scan again. I've had a 90% success rate with RKill + Malwarebytes.

    Some viruses simply block "mbam.exe", so if you change the name to "explorer.exe" or something you know is allowed, it might work.
  • CodeBlox Member Posts: 1,363
    Can you boot into safe mode? Are you presented with a desktop while in safe mode (explorer.exe)?
    Currently reading: Network Warrior, Unix Network Programming by Richard Stevens
  • SteveLord Member Posts: 1,717
    I just removed this from a Windows 7 machine at work. "Internet Antivirus 2011" or something. Malwarebytes installed and did it. But NOD32 took 2 reinstalls to get working. Its folder was completely deleted by the malware. And then the first install left the real-time protection disabled, with no way to enable it.

    Half an hour of work (3min scan by Malwarebytes). All done. I've been toying with rogue software for years, but this is the first one in the Windows 7 era that I've had.

    Next door, a guy's laptop was hit by it. But it had XP on it and supposedly he lost a lot more. Luckily there was an image from a few weeks ago that easily put it back in good shape.

    My staff member said he was on a weather site. This may be where he got hit with the ad to install it. Last year, one of our local news stations and the paper...both had this garbage coming through their ad banners.
    WGU B.S.IT - 9/1/2015 >>> ???
  • Alif_Sadida_Ekin Member Posts: 341
    Not sure if you have this option, but I usually just run a system restore and choose an earlier snapshot of the system before the virus got installed. Do that and you're done in 15 minutes.

    For completely hosed systems I just load up an Ubuntu live CD, back up the user's docs, pictures, music, etc. and then just reformat.
    AWS: Solutions Architect Associate, MCSA, MCTS, CIW Professional, A+, Network+, Security+, Project+

    BS, Information Technology
  • odysseyelite Member Posts: 504
    We run into this malware all the time at work.

    We use Microsoft Security Essentials on a MS-DART cd. After it removes it the system is usually pretty good.

    This malware sticks itself inside the user's profile. So sometimes you can rename the profile, log back onto the system as the user, set up their mail, and copy their favorites, desktop and documents over. Then delete the old profile.
    Currently reading: Start with Why: How Great Leaders Inspire Everyone to Take Action
  • Bokeh Member Posts: 1,636
    Well I am just ending up nuking this computer. Put a spare in its place, and going to town on it now. So DBAN is running, then will pull the image and restore. Thanks for everyone's suggestions.
  • Devilsbane Member Posts: 4,214
    Try renaming the mbam setup file to logon.exe and running it. I've used this with effectiveness before.
    Decide what to be and go be it.
  • newmove Member Posts: 108
    If you can get to Safe Mode with Networking, download Malwarebytes from there, update it and scan. Easy peasy!
  • steve13ad Member Posts: 398
    I'd just do a System Restore on that puppy.
  • Bokeh Member Posts: 1,636
    Renaming Malwarebytes did not do the trick. It would not allow any .exe files to run that were not on the machine already, and every time you opened IE, it would close it. So to be sure that we got rid of it, I nuked it with DBAN and did a complete reinstall of everything.
  • -Foxer- Member Posts: 151
    Download RKill, but get the version named iexplore.exe. That way the malware on the system will allow it to run because it thinks it is Internet Explorer.

    Once that finishes, download and run combofix.exe.

    After that run a regular anti-virus/malware program.

    Those three things will most likely get rid of it. I've done it many times with great success.
  • N2IT Inactive Imported Users Posts: 7,483
    Reimage, it's faster than poking around with malware tools.
  • Psoasman Member Posts: 2,687
    I have had success with booting into safe mode and then running a system restore to get rid of those kinds of malware.
  • gosh1976 Member Posts: 441
    I've always thought doing a system restore to get rid of malware was a bad idea. Although it may get you to a place where scans can be run, it shouldn't be the only step. In fact, generally one of the last things I do when cleaning up an infected machine is to either turn System Restore off, reboot and then turn it back on, or to just delete the system restore points, depending on the OS.
  • ConradJ Member Posts: 83
    -Foxer- wrote: »
    Download RKill, but get the version named iexplore.exe. That way the malware on the system will allow it to run because it thinks it is Internet Explorer.

    Once that finishes, download and run combofix.exe.

    After that run a regular anti-virus/malware program.

    Those three things will most likely get rid of it. I've done it many times with great success.

    Quoted for truth! RKill will stop the processes, ComboFix will remove it, then do a cleanup with MBAM. Simples :)
  • hex_omega Member Posts: 183
    At work I have a USB SATA docking station where I can quickly just take the dirty drive, hook it up, and scan it with NOD32. ESET makes excellent AV software and it has always recognized and deleted the offending file(s).

    And even if you can remove it, these things always tend to corrupt/change registry settings, and weird things happen as a result. OP mentioned not being able to open .exe files. Here is a fix:

    Can't open EXE files
  • wastedtime Member Posts: 586
    Personally, I have never had to do this in a computer service support setting. I have had to do it before. I always recommend wiping the disk and reinstalling the OS. The software may put additional dll hooks or wrappers in there that may not be taken care of. This may lead to re-infection or system instabilities even after it looks like it is gone.
  • Monkerz Member Posts: 842
    I know it is going to sound noobish, but I have had a ton of luck with Avast's boot-time scanner. Usually when I have a "slow PC" or "possible virus" call, I install Avast and run the boot-time scanner. After that, I install Malwarebytes and run it, which usually doesn't find much because Avast picked up everything.
  • Devilsbane Member Posts: 4,214
    N2IT wrote: »
    Reimage, it's faster than poking around with malware tools.

    Not only is this true, but it is also the only way to guarantee success.

    But sometimes it is just fun to try and outsmart the dang thing.
    Decide what to be and go be it.
  • SteveLord Member Posts: 1,717
    Devilsbane wrote: »
    Not only is this true, but it is also the only way to guarantee success.

    But sometimes it is just fun to try and outsmart the dang thing.

    IF you're in the position to reimage and you have nothing you care to lose from the current system.
    WGU B.S.IT - 9/1/2015 >>> ???
  • Devilsbane Member Posts: 4,214
    SteveLord wrote: »
    IF you're in the position to reimage and you have nothing you care to lose from the current system.

    Files can be backed up with minimal risk of reinfection. Save them on an external device, run them through a couple virus scans, and call it a day. You can even extract your program serial numbers if that is your concern.

    I usually try to clean things up, but I also consider the usage of the computer. I would never check banking information or anything like that again from a computer that was once heavily infected. But I also rarely run into a heavily infected system because I have antivirus software installed that runs several times a week and gets updates, and more importantly... I don't click on stupid things, which is how you land yourself in this problem 99% of the time.
    Decide what to be and go be it.
  • Armor149 Member Posts: 115
    It seems like these come in waves at work. I can go for months with no infected users and then out of nowhere desktops get infected.

    I normally use RKill and Malwarebytes. This gets it most of the time, providing the user was smart enough to call as soon as they got it and not wait for weeks.

    On occasion for those really stubborn infections, I have been booting the infected desktops using Ubuntu from a flash drive with Avast loaded. This works really nice.
  • Bokeh Member Posts: 1,636
    Well, after talking to the person whose machine was infected, it seems she went on whitepages.com to cross-reference a phone number to an address, and this PITA popped up a minute later.

    I just backed up her documents, pst, and then wiped it all out and reinstalled from scratch.
  • molliegooch82 Registered Users Posts: 1
    Sometimes Malwarebytes no longer works due to rogues that neutralize RKill, which is why there is a utility that fixes the problem.
    Step No. 1 - Download rkill
    - You can find the download on beeping computer. Sometimes a link does not work, so in order to download from the following link (different format).
    Step No. 2 - Disable the resident module of the antivirus and antispyware, which is preferable.
    Step No. 3 - Start RKill
    - XP: Double-click the downloaded file rkill to launch the tool. Vista and 7: right click on the downloaded file rkill and choose "Run as Administrator" to launch the tool.
    - A black window will appear briefly, then disappear, and some files are created. Once the window has closed, the harmful processes that block utilities will be neutralized.
  • Hypntick Member Posts: 1,451
    We usually do a ComboFix and Malwarebytes combination on the system. If that doesn't clear it up, it's more cost-effective all around to wipe and re-image.
    WGU BS:IT Completed June 30th 2012.
    WGU MS:ISA Completed October 30th 2013.
  • gosh1976 Member Posts: 441
    Malwarebytes has been disappointing lately. SUPERAntiSpyware has been better at finding infected files lately.
  • brad- Member Posts: 1,218
    I have run into this a couple of times. This is what fixed it:

    1-You have to find the .exe in Task Manager and end it. Make note of the name...it has typically been some random 3-letter string .exe

    2-Do a search for just the 3 letter string, include hidden folders, and delete

    3-In the registry, do a find for the same 3 letter string. Delete.

    4-Empty recycle bin
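    Several posts above describe the same triage by hand: the OP's blocked .exe files and hex_omega's "Can't open EXE files" fix, odysseyelite's note that the rogue lives in the user's profile, and brad-'s Task Manager / file search / registry search steps. The script below is an added example, not code from this thread or from any of the tools named in it, that does the looking part read-only. It assumes the .exe blocking is done through a hijacked exefile / .exe file association (one common mechanism; the thread does not confirm which one this rogue used) and that it runs elevated, for example from Safe Mode.

```powershell
# Added example (not from the thread): read-only triage for a rogue "security" product.
# Assumes Windows PowerShell 2.0+, run as administrator. Reports only; changes nothing.
$expectedCommand = '"%1" %*'   # stock launch command for the exefile class

function Test-ExeAssociation {
    # Assumption: ".exe won't run" comes from a hijacked file association. Per-user classes
    # under HKCU override HKLM, so a profile-resident rogue can hijack without touching HKLM.
    $checks = @(
        @{ Key = 'HKCU:\Software\Classes\.exe';                       Expected = 'exefile' },
        @{ Key = 'HKCU:\Software\Classes\exefile\shell\open\command'; Expected = $expectedCommand },
        @{ Key = 'HKLM:\Software\Classes\.exe';                       Expected = 'exefile' },
        @{ Key = 'HKLM:\Software\Classes\exefile\shell\open\command'; Expected = $expectedCommand }
    )
    foreach ($c in $checks) {
        if (-not (Test-Path $c.Key)) { continue }       # absent HKCU keys are normal
        $actual = (Get-Item -Path $c.Key).GetValue('')  # '' selects the key's (Default) value
        if ($actual -ne $c.Expected) {
            Write-Output ("SUSPECT  {0}`n         is:       {1}`n         expected: {2}" -f $c.Key, $actual, $c.Expected)
        } else {
            Write-Output ("ok       {0}" -f $c.Key)
        }
    }
}

function Get-ProfileAutoruns {
    # Run entries that launch something from inside the user's profile (see odysseyelite's post).
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $profilePattern = [regex]::Escape($env:USERPROFILE)
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item -Path $k
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if ($cmd -match $profilePattern -or $cmd -match '\\(AppData|Local Settings|Temp)\\') {
                Write-Output ("AUTORUN  {0}`n         {1} -> {2}" -f $k, $name, $cmd)
            }
        }
    }
}

function Get-ProfileProcesses {
    # brad-'s Task Manager step: running executables whose image lives inside the profile.
    Get-Process | Where-Object { $_.Path -and $_.Path -like ($env:USERPROFILE + '\*') } |
        Select-Object Id, ProcessName, Path
}

Test-ExeAssociation
Get-ProfileAutoruns
Get-ProfileProcesses | Format-Table -AutoSize
```

    Anything it flags is a lead for the manual steps above, not a verdict: legitimate per-user installers also write Run entries under AppData, so confirm the file before deleting it, and repair a hijacked association only after the process that planted it is gone.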
  • ally_uk Member Posts: 1,145
    A few dirty ways to deal with this: boot up a Linux distro, mount the NTFS partition and go to town on it with virus removal.

    Trinity Rescue Kit: boot it up and run the scans.

    Lastly, Ultimate Boot CD or some form of WinPE: run a malware remover from the PE environment.

    Take the HD out, hook it up to an isolated machine and do what you gotta do.

    Boot up SystemRescueCd.

    A few tools I use to deal with malware.
    Microsoft's strategy to conquer the I.T industry

    " Embrace, evolve, extinguish "