XP INTERNET SECURITY 2012 virus

Started by anature, June 15, 2011, 06:58:50 PM

anature

My laptop got "XP INTERNET SECURITY 2012" virus. It took over every program that I tried to run in regular mode and SAFE mode. :(

Please help, thanks!

Corrine

Hi, anature.  Welcome to LandzDown Forum.

We will do our best to assist you.  However, in order to do so, please follow all instructions provided in the sequence given.  Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use.  This may cause conflicts with the tools being used in the cleanup process.   

If you have questions regarding any of the instructions or problems running any tools, please let us know.

1)  Please download the following two files.  In the event you are blocked by the malware from downloading, it will be necessary to go to an uninfected computer and then transfer the files to the infected computer via CD/DVD, external drive, or USB flash drive.

FixNCR.reg
Bleeping Computer Downloads: RKill

2)  Insert the removable device into the infected computer and open the folder for the drive letter associated with it. Double-click the FixNCR.reg file to fix the Registry on your infected computer.

3)  Copy the downloaded RKill file to the desktop of the infected computer.

  • Double-click rkill to run.
  • A command window will open then disappear upon completion, this is normal.
  • Please leave rkill on the Desktop until otherwise advised.
  • Do NOT restart your computer after running rkill as the malware program(s) will start again.
Notes:

If you receive security warnings about rkill, please ignore and allow the download to continue.

4)  You should now be able to update MBAM.

  • Launch Malwarebytes' Anti-Malware then click the Update tab and "Check for Updates"
  • Once the update has been installed and the program has loaded, select Quick scan
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:

    • Click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Please post contents of that file in your next reply.
    ** Note **

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    In addition to the MBAM log, please return to the "Log Posting Instructions" topic and provide the requested logs from that topic, noting that it may take more than one reply.

    Thank you.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

anature

Hi Corrine,
Thank you so much for your helpful advice. I followed your detailed instructions and the result was successful. :dance:
My husband will think I am a hero! :laughing:

Here is MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6863

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

6/15/2011 2:37:34 PM
mbam-log-2011-06-15 (14-37-34).txt

Scan type: Quick scan
Objects scanned: 210531
Time elapsed: 11 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\828002960 (Trojan.ExeShell.Gen) -> Value: 828002960 -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\peter zari\local settings\application data\inu.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.

winchester73

Three registry items show "Not selected for removal" ...  :o

Run MBAM again (update first in case there is a new definition file released), this time "Perform Full Scan", tick the items found to remove, and post the resulting log please.
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

anature

From Malwarebytes Forum posted by tetonbob:

PUM means potentially unwanted modification. Spyware can disable the security center or some power users decided to disable it on their own. If you haven't disabled security center monitoring yourself, then we would recommend fixing it. Or, if you have disabled security center monitoring, you can choose to ignore those, or "show in results list but do not check for removal" on the Scanner Settings.
PUM is a new classification in our 1.50 release of entries we were already monitoring and reporting in previous versions.

More detail here:
http://forums.malwarebytes.org/index.php?s...mp;#entry353243
So, I ignored PUM.

winchester73

Those registry changes are usually set by corporate IT departments, less commonly by individual users unless their antivirus or firewall software does it ... but if you disabled the security center monitoring yourself on purpose, then it isn't the case that the infection you had disabled it.  MBAM reports the detection because many of the rogues change the settings.
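
The two posts above turn on one detail of the MBAM log: three entries ended in "Not selected for removal", and all three are PUM.Disabled.SecurityCenter hits where the "Bad: (1) Good: (0)" field records a Security Center *DisableNotify value set to 1. The script below is an added example written for this thread, not MBAM's or the forum's own tooling: it parses an MBAM 1.50-style log, lists every detection that was left in place, and pulls out the Security Center notification suppressions so a helper can see at a glance what still needs a decision. The sample log is constructed from the format of the log posted above (user name replaced), the line format is inferred from that log, and the assumption that only actions beginning with "Quarantined" count as removed is mine.

```python
"""Parse a Malwarebytes' Anti-Malware (MBAM 1.50) log and flag detections
that were reported but not removed.  Added example for this thread; the
log format is inferred from the log posted above, not from MBAM docs."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the posted log (user name replaced).
SAMPLE_LOG = """\
Registry Keys Infected: 0
Registry Values Infected: 1

Registry Values Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\828002960 (Trojan.ExeShell.Gen) -> Value: 828002960 -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\\documents and settings\\user\\local settings\\application data\\inu.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
"""


@dataclass
class Detection:
    section: str          # e.g. "Registry Data Items Infected"
    item: str             # registry path or file path
    classification: str   # MBAM family name, e.g. Trojan.ExeShell.Gen
    details: list         # middle "->" fields, e.g. "Value: 828002960"
    action: str           # final field, e.g. "Quarantined and deleted successfully"


# "Files Infected:" opens a listing; "Files Infected: 1" is the summary count.
_SECTION_RE = re.compile(r"^(?P<name>.+ Infected):\s*(?P<count>\d+)?$")
# <item> (<classification>) -> <detail> -> ... -> <action>.
_DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<cls>[^()]+)\) -> (?P<rest>.+?)\.?$")
_BADGOOD_RE = re.compile(r"Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\)")


def parse_mbam_log(text):
    """Return one Detection per reported item, in log order."""
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            if m.group("count") is None:       # listing header, not the count line
                section = m.group("name")
            continue
        m = _DETECTION_RE.match(line)
        if m and section:
            fields = [f.strip() for f in m.group("rest").split("->")]
            detections.append(Detection(section, m.group("item"), m.group("cls"),
                                        fields[:-1], fields[-1]))
    return detections


def unresolved(detections):
    """Detections whose final action was not a quarantine/delete (assumption:
    any action not starting with 'Quarantined' means the item is still there)."""
    return [d for d in detections if not d.action.startswith("Quarantined")]


def security_center_suppressions(detections):
    """Map each Security Center *DisableNotify value to its (bad, good) data.
    A value of 1 silences the XP Security Center warning for that component."""
    result = {}
    for d in detections:
        if "\\Security Center\\" in d.item and d.item.endswith("DisableNotify"):
            for f in d.details:
                m = _BADGOOD_RE.search(f)
                if m:
                    name = d.item.rsplit("\\", 1)[-1]
                    result[name] = (int(m.group("bad")), int(m.group("good")))
    return result


def summarize(text):
    """Human-readable triage of a log: what was left in place and why it matters."""
    dets = parse_mbam_log(text)
    lines = [f"{len(dets)} detections, {len(unresolved(dets))} not removed"]
    for d in unresolved(dets):
        lines.append(f"  LEFT IN PLACE: {d.item} [{d.classification}] -> {d.action}")
    for name, (bad, good) in security_center_suppressions(dets).items():
        lines.append(f"  Security Center warning suppressed: {name}={bad} (expected {good})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run against the sample, the summary lists the three Security Center values as left in place; against a clean log it reports zero unresolved items. Keeping the "Bad/Good" pair rather than just the item name is deliberate: it is the value 1 that matters, since that is what hides the "no antivirus / firewall off / updates off" balloon the thread is discussing, whoever set it.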

Corrine

Hi, anature.

Seeing that you are still using Internet Explorer 6, if you wish advice on how you can properly secure your computer, please follow through with the previous request:

Quote:
please return to the "Log Posting Instructions" topic and provide the requested logs from that topic

anature

Hi Corrine,

I/we don't use IE. Firefox is the main browser. Just recently tried CHROME a couple of times. IE software is still there, just in case some website only runs under IE.

anature

Hi winchester73,

My dh, hates-computer-uses-computer, never read the messages that pop up on the screen. He just hit any key his finger chose and yelled at the screen. When I was called to solve the mess, I never knew what was going on. He treats me as his biggest enemy if I ask for more information. I, a weary always-search-internet-for-help person, disabled the Windows XP Security Center for his laptop.  :winchesty73:

Should I reactivate it? Thanks!

anature

After 20 minutes, dds.scr still running. Should I stop it?

Corrine

Yes, try cancelling it.  dds.scr should have completed by now.  Try running it again after a restart.

anature

Quote from: anature on June 16, 2011, 04:44:24 PM
After 20 minutes, dds.scr still running. Should I stop it?

HELP!  Can't stop dds, laptop frozen, can't shut down.

Corrine

You will have to do a hard shutdown -- pushing the power button and holding it until the computer shuts down.

anature

Thanks Corrine,

Shut down, restarted, ran dds and the same thing happened again. I won't try it anymore. It must be something wrong with this old laptop. Someday (next month) when I have total control of this machine I will continue this task.

Corrine

Since DDS does not do anything other than produce a log, I think you're right.  However, you would be advised to do a full system scan of your laptop after updating your antivirus software.

It would also be a good idea to scan with the Microsoft Safety Scanner.  I've posted instructions here:  How to Use the New Microsoft Safety Scanner.

Were you able to run SecurityCheck?  That would provide additional information on advising you of needed updates.

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.