My mom's computer has been infected with "XP Anti-Spyware 2012." Unfortunately she's 900 miles away and not very computer literate. I had her reboot into safe mode to see if the infection would run there but it did. I do have a sister that I could email files to and have her run them but things like logs might be difficult to obtain (dear Sis is only somewhat more savvy than Mom).
Can anyone help?
Thanks!
Hi, Adam444.
Your Mom raised you and your sister. I suspect that she is much more competent than you realize. :)
Seriously, I will provide instructions for removing the rogue but without having logs to examine, we will not be able to determine if the computer is indeed clean or what steps may be needed in order to protect the computer from further infection. Keep in mind also that there are instances of this infection where it is not possible to download the needed files and it is necessary to transport the files to the infected computer.
With that, following are the instructions to get started:
1) Please download the following two files to the desktop. In the event you are blocked by the malware from downloading, it will be necessary to go to an uninfected computer and then transfer the files to the infected computer via CD/DVD, external drive, or USB flash drive.
It may also be possible to download the files in Safe Mode with Networking. (To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. Windows will now boot into safe mode with networking and prompt you to login as a user.)
- FixNCR.reg (http://download.bleepingcomputer.com/reg/FixNCR.reg)
- Bleeping Computer Downloads: RKill (http://www.bleepingcomputer.com/download/anti-virus/rkill)
2) If downloaded to the desktop, double-click the FixNCR.reg file. If transported to the infected computer, insert the removable device into the infected computer and open the folder of the drive letter associated with it. Double-click the FixNCR.reg file to fix the Registry on your infected computer.
3) Again, if downloaded to the desktop, proceed as shown below. Otherwise, copy the downloaded RKill file to the desktop of the infected computer and proceed:
- Double-click rkill to run.
- A command window will open then disappear upon completion, this is normal.
- Please leave rkill on the Desktop until otherwise advised.
- Do NOT restart your computer after running rkill as the malware program(s) will start again.
Note: If you receive security warnings about rkill, please ignore them and allow the download to continue.
4) Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php) to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, be sure Quick scan is selected, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample: https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FMBAM_SR.png&hash=38adbab18bc0003ecf543fafb564e34dadece253
- Click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the Note below)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Please post contents of that file in your next reply.
** Note ** If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
In addition to the MBAM log, please return to the "Log Posting Instructions (http://www.landzdown.com/index.php/topic,423.0.html)" topic and provide the requested logs from that topic, noting that it may take more than one reply. This is necessary as explained above in order to determine what other steps are needed.
Thank you.
Hi, Adam444.
The reason I recommend excluding System Restore is that while attempting to clean an infected restore point, more often than not, the program ends up damaging that restore point, making it useless. Should something go wrong in the cleanup process, having an infected restore point to restore is better than none, even though it means starting the cleanup process over again.
After the computer is clean is the time to create a new restore point and remove all the other restore points with the disk cleanup tool.
You're welcome, Adam.
If you cannot get logs for me to review, at least check that your Mom's computer has old, vulnerable versions of Java removed and updated to the latest version. The same goes for Adobe Reader and Adobe Flash. To check if her system is missing security updates or has insecure applications, install Secunia Personal Software Inspector (http://secunia.com/vulnerability_scanning/personal/) or, alternatively, visit http://secunia.com/software_inspector/. The Secunia Software Inspector runs through your browser with no installation or download required and does the following:
- Detects insecure versions of applications installed
- Verifies that all Microsoft patches are applied
- Assists you in updating your system and applications
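As an added illustration of the first point in that list (not part of the thread or of Secunia's product), the PowerShell snippet below does by hand the narrow check the helper asked for: it reads the Uninstall registry keys Windows populates for installed programs, picks out the Java, Adobe Reader and Adobe Flash entries, and reports each one's DisplayVersion next to a minimum version you supply. The minimum versions in the table are placeholders, not vendor advisories; fill them in from the vendors' download pages before trusting the Outdated column. Everything else (key paths, property names) is standard Windows.

```powershell
# Added example, not from the LandzDown thread. Lists installed Java / Adobe Reader /
# Adobe Flash entries from the Uninstall registry keys and flags versions below a
# caller-supplied minimum. Works on Windows PowerShell 2.0 and later.

# Both the native and the 32-bit-on-64-bit Uninstall hives; the second may not exist.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# PLACEHOLDER minimum versions: replace with the current releases from each vendor.
$MinimumVersions = @{
    'Java'         = '0.0'
    'Adobe Reader' = '0.0'
    'Adobe Flash'  = '0.0'
}

function Get-WatchedSoftware {
    # Returns one object per installed program whose DisplayName matches a watched pattern.
    param([hashtable]$Minimums = $MinimumVersions)

    foreach ($key in $UninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $props = Get-ItemProperty $sub.PSPath
            if (-not $props.DisplayName) { continue }   # skip entries with no visible name
            foreach ($pattern in $Minimums.Keys) {
                if ($props.DisplayName -notlike "*$pattern*") { continue }
                New-Object PSObject -Property @{
                    Name     = $props.DisplayName
                    Version  = $props.DisplayVersion
                    Minimum  = $Minimums[$pattern]
                    Outdated = Test-Outdated $props.DisplayVersion $Minimums[$pattern]
                }
            }
        }
    }
}

function Test-Outdated {
    # $true when $Installed parses as a version and is lower than $Minimum.
    # Unparseable strings are reported as $null so they are reviewed by hand, not ignored.
    param([string]$Installed, [string]$Minimum)
    try {
        return ([version]$Installed) -lt ([version]$Minimum)
    } catch {
        return $null
    }
}

# Usage: run in an elevated PowerShell window on the machine being checked.
Get-WatchedSoftware | Sort-Object Name | Format-Table Name, Version, Minimum, Outdated -AutoSize
```

Because the script only reads the registry and never downloads or changes anything, it is safe to run on a machine that is still suspected of being infected; a listing that shows several Java entries with different versions is the usual sign that old releases were never removed, which is exactly what the helper asked to have checked.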