Author Topic: SOLVED virus XP SECURITY 2011 how to remove it?  (Read 19938 times)


serkam

  • Guest
SOLVED virus XP SECURITY 2011 how to remove it?
« on: March 28, 2011, 09:52:54 PM »
Dear Sirs

I just infected my PC when I inadvertently opened a file that was the XP SECURITY 2011 virus. I did try to run Avast, but after some time it appeared to freeze. I could identify the virus (DBF.EXE), but I am not sure whether it installed itself in other places.

What is the safe method to kill it?

Also, I cannot run any *.exe. How can I restore this ability?

Best Regards

Sergio Kamakura

« Last Edit: March 29, 2011, 12:14:49 AM by serkam »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: virus XP SECURITY 2011 how to remove it?
« Reply #1 on: March 28, 2011, 09:57:39 PM »
Hi there. It just so happens we have a nifty tool to play with. Do not reboot your computer if at all possible, otherwise the malware will reactivate and you will have to run RogueKiller again.

Download RogueKiller to your desktop
 
  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 1 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe 

Please post the contents of the RKreport.txt in your next Reply.

THEN

Download OTS to your Desktop and double-click on it to run it
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users
  • Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check


  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.

Dieselman

  • Guest
Re: virus XP SECURITY 2011 how to remove it?
« Reply #2 on: March 28, 2011, 10:09:14 PM »
Easier than that. Download rkill but rename it prior to downloading. Rename it to some random name. Then download MalwareBytes AntiMalware. Run rkill and when it's done, install MalwareBytes, update it and run a full scan.

http://www.bleepingcomputer.com/forums/topic308364.html

http://www.techspot.com/downloads/4716-malwarebytes-anti-malware.html

serkam

  • Guest
Re: virus XP SECURITY 2011 how to remove it?
« Reply #3 on: March 29, 2011, 12:05:47 AM »
 :D  Hi Dieselman

Good afternoon.

Yes, Rkill killed the XP SECURITY 2011 virus. At least, it appears to. I renamed it teste.com and I could run it on the infected Windows XP. With the name rkill.com, I couldn't.

I did the full scan with Malwarebytes, as you advised, and hundreds of malware items were detected and killed too. Most were from the same source, but one, named grpconv.exe, was found in the system32 folder.

After this process, my Windows didn't open any *.exe program, complaining that it didn't know how to open rundll32.exe. After googling a little, I found a program "exefix_xp.com" that fixed this issue instantly.

It looks like all is OK now.

Thank you very much and to Essexboy also, for your kind support.

Best Regards

Sergio Kamakura
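The "cannot run any *.exe" symptom that serkam fixed with exefix_xp.com, and that made the renamed rkill start only as teste.com, is what you see when the shell-open command for executables has been rewritten to pass every .exe through the rogue's own loader (the .com association is left alone, so a .com copy still starts). The thread does not state this mechanism, so treat it as an assumption. The script below is an added example, not code from the thread or from any of the tools named in it: it classifies the association values, pulls out the loader path, and emits the .reg text that restores the default. The registry keys listed, the directory fragments, and the sample hijacked value (the b40twd06vv folder is the one the later OTL fix deletes; loader.exe and the /START switch are made up) are all assumptions.

```python
"""Check whether the .exe file association has been hijacked.

Added example, not code from the thread. Assumption: the "cannot run any
*.exe" symptom comes from a rogue AV rewriting the shell-open command for
executables so that every .exe launch goes through its own loader first.
"""
import re
import sys

# Windows default value of HKEY_CLASSES_ROOT\exefile\shell\open\command.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# Values a rogue AV commonly points at its loader (assumption: the thread
# does not say which keys were hit; the HKCU ones override HKCR per user).
ASSOCIATION_KEYS = (
    ("HKEY_CLASSES_ROOT", "exefile\\shell\\open\\command"),
    ("HKEY_CURRENT_USER", "Software\\Classes\\.exe\\shell\\open\\command"),
    ("HKEY_CURRENT_USER", "Software\\Classes\\exefile\\shell\\open\\command"),
)

# Lower-case directory fragments where a per-user dropper usually lives.
# Modelled on the folder the thread's OTL fix removed:
#   C:\Documents and Settings\Sam\Local Settings\Application Data\b40twd06vv
SUSPECT_DIR_FRAGMENTS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\appdata\\local\\",
    "\\appdata\\roaming\\",
)


def loader_path(command):
    """Return the program the command launches first: the leading quoted
    token, or the first whitespace-delimited token if it is unquoted."""
    m = re.match(r'\s*"([^"]+)"', command)
    if m:
        return m.group(1)
    parts = command.split(None, 1)
    return parts[0] if parts else ""


def classify_exefile_command(command):
    """'default'    - the stock "%1" %* value, nothing to fix
       'hijacked'   - launches a program from a user-writable profile dir
       'nondefault' - some other value; inspect by hand, since a legitimate
                      sandbox or AV shim can also sit here"""
    cmd = command.strip()
    if cmd == DEFAULT_EXEFILE_COMMAND:
        return "default"
    first = loader_path(cmd).lower()
    if any(frag in first for frag in SUSPECT_DIR_FRAGMENTS):
        return "hijacked"
    return "nondefault"


def repair_reg_text():
    """Text of a .reg file that restores the default association and drops
    the per-user overrides (they are normally absent on a clean XP box)."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        "[HKEY_CLASSES_ROOT\\.exe]",
        '@="exefile"',
        "",
        "[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]",
        '@="\\"%1\\" %*"',
        "",
        "[-HKEY_CURRENT_USER\\Software\\Classes\\.exe]",
        "[-HKEY_CURRENT_USER\\Software\\Classes\\exefile]",
        "",
    ]
    return "\r\n".join(lines)


def read_live_values():
    """On Windows, read the live default values of ASSOCIATION_KEYS; on any
    other OS return an empty dict so the script still runs offline."""
    try:
        import winreg
    except ImportError:
        return {}
    roots = {"HKEY_CLASSES_ROOT": winreg.HKEY_CLASSES_ROOT,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    found = {}
    for root, sub in ASSOCIATION_KEYS:
        try:
            with winreg.OpenKey(roots[root], sub) as key:
                found[root + "\\" + sub] = winreg.QueryValueEx(key, "")[0]
        except OSError:
            pass  # key absent, which is normal for the HKCU overrides
    return found


if __name__ == "__main__":
    # Constructed sample values, not taken from any real registry. The
    # loader name and the /START switch are hypothetical; the folder is the
    # one the thread's OTL fix deleted.
    samples = {
        "HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command": '"%1" %*',
        "HKEY_CURRENT_USER\\Software\\Classes\\.exe\\shell\\open\\command":
            '"C:\\Documents and Settings\\Sam\\Local Settings\\Application Data'
            '\\b40twd06vv\\loader.exe" /START "%1" %*',
    }
    values = read_live_values() or samples
    for key, cmd in values.items():
        print("%-10s %s\n           %s" % (classify_exefile_command(cmd), key, cmd))
    if any(classify_exefile_command(c) == "hijacked" for c in values.values()):
        sys.stdout.write("\n-- fix.reg --\n" + repair_reg_text())
```

On a Windows machine it reads the live values and, if one is hijacked, prints the .reg text to import with regedit; anywhere else it runs on the built-in samples. A value classed as "nondefault" rather than "hijacked" deserves a look at the loader path before it is replaced, because some legitimate sandboxing and AV products install a shim in the same place.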

Dieselman

  • Guest
Re: SOLVED virus XP SECURITY 2011 how to remove it?
« Reply #4 on: March 29, 2011, 01:08:38 AM »
You're welcome. It's a good idea to keep rkill and the MalwareBytes installer on a USB drive. That way, if you ever need them again, you're all set. You can rename rkill to something like "abc123.exe".

Probzzie

  • Guest
Re: SOLVED virus XP SECURITY 2011 how to remove it?
« Reply #5 on: April 06, 2011, 05:55:35 AM »
Although this is solved, I would like to add additional information. I had a computer infected with this so badly that all .exe files and Internet Explorer were both down.
Now there IS a way to run your .exe files: run them as administrator if trying to open them normally doesn't work.
I'm just sharing this information for anyone who may search for help regarding this infection. (Google brought me here upon searching for xp security 2011 removal.)

Commie

  • Guest
Re: SOLVED virus XP SECURITY 2011 how to remove it?
« Reply #6 on: April 10, 2011, 06:01:40 AM »
A friend of mine just came over for help on this very issue. I can't even get his laptop to read my USB drive with a malware removal tool on it. And I'm leery of it connecting through my own home network. What to do?

Offline essexboy
Re: SOLVED virus XP SECURITY 2011 how to remove it?
« Reply #7 on: April 10, 2011, 01:38:50 PM »
Two options really

1.  Work outside of windows using OTLPE
2.  Allow him to connect to your network to download tools - but first ensure you have a secure password on the Router

I can help with either option.

I would recommend though working outside of windows, the USB drive should be recognised from the Reatogo desktop for copying the resultant OTL log 

Please print these instruction out so that you know what you are doing

Latest version: v3.1.46.0

OTLPEStd.exe
MD5=83A0648CCEDCB906DFC44DA275C3885C
Size = 98,078,016b / 93.5MB

  • Download OTLPEStd.exe to your desktop
  • Ensure that you have a blank CD in the drive
  • Double click OTLPEStd.exe and this will then open imgburn  to burn the file to CD

  • Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads  :) 
  • Your system should now display a Reatogo desktop.
Note : as you are running from CD it is not exactly speedy
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved  in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system.
  • Right click the file and select send to : select the USB drive. 
  • Confirm that it has copied to the USB drive by selecting it
  • You can backup any files that you wish from this OS
  • Please post the contents of the C:\OTL.txt file in your reply.

Commie

  • Guest
Re: SOLVED virus XP SECURITY 2011 how to remove it?
« Reply #8 on: April 12, 2011, 06:30:19 AM »
Hi. Thanks for the reply and sorry about the delay. I had to work a double shift. Well, here is the OTL log. Thanks again for your help.

Commie

  • Guest
Re: SOLVED virus XP SECURITY 2011 how to remove it?
« Reply #9 on: April 12, 2011, 06:35:49 AM »
I forgot to mention that I got to run rkill several times in administrator safe mode, but when I got back to the regular user the infection was still there. MBAM worked a bit (just detected a handful of malware). Didn't get a chance to try RogueKiller though.

Offline essexboy
Re: SOLVED virus XP SECURITY 2011 how to remove it?
« Reply #10 on: April 12, 2011, 08:27:07 PM »
Could you post the MBAM log please, and on completion of this run let me know what problems remain.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O3-HKU\Sam_ON_C\..\Toolbar\WebBrowser:(no name)-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}-No CLSID value found.

    :Files
    ipconfig /flushdns /c
    C:\Documents and Settings\Sam\Local Settings\Application Data\b40twd06vv

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Commie

  • Guest
Re: SOLVED virus XP SECURITY 2011 how to remove it?
« Reply #11 on: April 12, 2011, 09:24:43 PM »
Just want to clarify: do I re-run MBAM again , post the log and then run OTL as suggested, OR do I just post the old MBAM log and then run OTL?

Offline essexboy
Re: SOLVED virus XP SECURITY 2011 how to remove it?
« Reply #12 on: April 12, 2011, 09:49:58 PM »
Run OTL to clear the remnants and then an updated run with MBAM to confirm that all is gone.

Commie

  • Guest
Re: SOLVED virus XP SECURITY 2011 how to remove it?
« Reply #13 on: April 13, 2011, 03:37:45 AM »
1. Ran the Fix in OTL and then ran the Quick Scan (see log).
2. Rebooted into Windows as the regular user and tried to run MBAM but got a popup to select a program to use to open the file.
3. Went back into safe mode as admin and ran MBAM. 1 infection detected. See log.
4. Went back into the user account and tried to run MBAM, but again got the popup.

Dieselman

  • Guest
Re: SOLVED virus XP SECURITY 2011 how to remove it?
« Reply #14 on: April 13, 2011, 04:06:37 PM »
Most of today's malware writers know what MBAM is, so it's best to uninstall it and then download a new version, but rename the installer to a random name like xzy123.exe or whatever you want. You did not use rkill the way it was meant to be used. Malware is dormant in safe mode, so using rkill is worthless. Rkill is used to terminate malicious processes in real time so you can run a scan or delete the malware. Rkill will also produce a log telling you where the malware is hidden. Also keep in mind that rkill lately has had daily changes, so you need to download the latest version. Hitman Pro is also another great free on-demand scanner. Also, that file MBAM detected was in your System Restore folder. Make a new System Restore point and delete your old ones. Run Disk Cleanup to do this.

http://www.surfright.nl/en


There is also Dr.Web CureIt and Kaspersky's Virus Removal Tool.
« Last Edit: April 13, 2011, 04:10:37 PM by Dieselman »