XP security virus help?
March 19, 2010 2:36 PM
My Mom has an infected PC. I've been trying to debug it for an hour and a half now to no avail. It's apparently an updated version of the XP Security Center virus. Problem is: it's prohibiting either Firefox or Explorer from opening, so I can't d/l anything.
I've tried the obvious solution of uninstalling program files, but it isn't showing there. She has an outdated version of McAfee Virus that came with her PC, but it's not working either. From what I can tell, the prompts it's spitting up are classic variations of the virus/malware, but I'm kind of lost now on what to do. If you could step-by-step me through this, I'd be most appreciative. I'd really like to move on with my life.
Honestly, backup data, reformat and reinstall. It will take you at least twice as long to clean up any reasonably modern virus infection (if you can even get it all) as it will to flatten the whole computer and start from scratch.
posted by pocams at 2:40 PM on March 19, 2010 [7 favorites]
Download the full Microsoft SPs to another machine and burn to CD. Boot Mom's machine from a Windows install CD. Do not connect it to the network. Reinstall Windows. Then insert CD with new SPs and install them. Then connect to the network, download ClamAV or a similar free antivirus program and clean up.
posted by zippy at 2:40 PM on March 19, 2010 [1 favorite]
Yeah I agree about the re-install. I'm sure there is some super fast super geek way of fixing the computer (or maybe there isn't). But a re-install gives you a fresh start.
From my experience any attempts I've made at fixing major infestations have been a total waste of time.
posted by sully75 at 2:43 PM on March 19, 2010
Honestly, backup data, reformat and reinstall.
Best way to go. I'm an IT expert, and have cleaned many infected PCs for relatives. Even with special tools and boot disks, it takes days to completely remove the viruses. And then you have to go back and undo the damage they did (remove orphaned run keys, reset the name resolution providers, etc).
It's not worth the time. And I don't do it anymore. Just reinstall and be done with it.
posted by sbutler at 2:44 PM on March 19, 2010 [1 favorite]
Would it be possible to download the removal tool from another computer and put it on a USB stick? I had this a while back, and managed to remove it in about an hour using the removal tool. I'm not sure why everyone is recommending the scorched earth policy. Reinstalling (unless you have a clean image with all your programs installed) takes a LONG time. It's hardly ever the quickest and easiest way.
posted by reformedjerk at 2:49 PM on March 19, 2010 [3 favorites]
Response by poster: Well, yippie fuck. I reckon I'll start the process of backing her stuff up and wiping it. That'll make for a fun night!
Thanks, folks that have more knowledge about this than I do.
posted by Ufez Jones at 2:50 PM on March 19, 2010
Response by poster: Hmm. That may be worth checking into, reformedjerk. I can give it a shot at least. Back in a bit....
posted by Ufez Jones at 2:51 PM on March 19, 2010
My PRECIOUS laptop has been infected numerous times, some very aggressive ones. I really hate to have to reinstall my OS because I have everything tweaked the way I like it.
I will usually post to a forum such as:
bleepingcomputer.com
majorgeeks.com
malwarebytes.org
One of the resident supergeeks will have you run a number of scans to see what your exact problems are and lead you through every step, one by one. They've helped me get completely rid of all my viruses.
Sorry I'm no help myself, but I've survived this problem many times without having to do a complete teardown.
posted by keep it under cover at 2:56 PM on March 19, 2010
I think ComboFix and then SuperAntispyware from this thread might help. Download to USB stick from another computer.
posted by sharkfu at 2:56 PM on March 19, 2010
If you have itunes installed on the computer, you can use Apple Software Update to download Safari. That shouldn't be pooched by the virus and would allow you to download whatever you might need to fight the bad code.
posted by inturnaround at 2:57 PM on March 19, 2010
I second majorgeeks.com. If things are bad enough you'll probably be asked to download and install HijackThis then run it in safe mode. HijackThis is a tool for advanced users and shouldn't be used unless you are conversant with editing your registry. Probably not even then.
But someone on the forums will read the log it creates and walk you through manually deleting nasty stuff.
Good luck.
posted by Splunge at 3:09 PM on March 19, 2010
There's actually a pretty good howto in deezil's profile.
posted by zamboni at 3:11 PM on March 19, 2010 [3 favorites]
Google something called "combofix" and run it in safe mode.
posted by damn dirty ape at 3:12 PM on March 19, 2010
Damnit, zamboni, that's my link ;-)
Yeah, check my profile, it's got the howitzer gun approach to killing that piece of crap software.
posted by deezil at 3:24 PM on March 19, 2010 [1 favorite]
Reinstall the OS. Way to go, I know from many years and many PCs, reinstall.
posted by fifilaru at 3:27 PM on March 19, 2010
I'm pretty sure this is the Virus that you have.
However, the guide in deezil's profile is pretty damn comprehensive, and should take care of whatever it is that ails your computer. RKill takes care of most viruses that prevent other programs from loading...
posted by schmod at 3:29 PM on March 19, 2010
One method that has worked for me intermittently in the past that is a bit less amputative than the full nuke is creating a new user profile and deleting the one that the infection is in.
Assuming you're already an administrator and running XP:
Right-click My Computer, then click Manage (or Start -> Settings -> Control Panel -> Administrative Tools -> Computer Management).
Under Computer Management (Local), go to Local Users and Groups, then go into Users. On the menu bar, click Action, then click New User. Fill that out. It's pretty self-explanatory.
Once you've created a new profile, you might want to go to Groups and add that user to the Administrators group.
Now you can log out of the profile you're on and log back in as the user you just created. I feel like it's becoming more and more common for malware to only affect a certain user profile, and not the entire system.
Your mileage will vary, of course, but this might keep you from completely reinstalling, or it could get you into a clean profile in which to download tools and fight off the infection.
posted by BeerFilter at 5:02 PM on March 19, 2010
XP Security Center isn't the worst virus compared among the modern crop; I've killed a variant a couple times for other people. It's actually kind of funny from a certain point of view, as you watch it pop up these bogus warnings and attempts to dissuade you from removing it. Think of the "I'm melting, I'm melting" movie scene, as it screams about the corrupted software killing it, communicating via its sorta professional-looking popups. Ignore them, of course, except for their comic value.
Anyway, too many people think a virus is absolutely an automatic reinstall. It is a good idea to reinstall much of the time (less time and trouble), but for quite a few circumstances, you wind up investing far more effort getting your computer back working exactly as you want it to (assuming you ever do) than you would getting rid of what is a fairly simple infestation.
Do a one minute cost benefit analysis to decide which way to go, remembering that you can always reinstall if nothing else works. If it's not that much trouble to go the reinstall route, do it now and all's done. But if it is a lot of trouble to get the computer back the way you want, there are various means to kill the virus, without taking days of effort.
If you want to try removal, the copy from flash stick route, already mentioned, is a good start. Download one or more antivirus tools on another computer to copy over using the stick. Select well-known antivirus tools which are described as removing the virus you've identified; the ones mentioned here sound good. Run the tool and walk away until it's done, not much effort there.
In fact, I see the deezil profile mentioned goes into specific antiviruses in great detail. So I'll leave my lesser attempts unposted.
Nothing works or the virus blocks them all? Then less-automated removal may be needed, with more specialized tools. But first, consider that manual removal work changes the cost benefit ratio and can move a formerly good candidate for virus removal into the reinstall camp. Still worth it for a nontrivial number of infestations, but definitely a tougher row to hoe by yourself.
It is more difficult to walk you through a manual removal via an online forum like AskMe, because there can be a number of different steps to take and try. It's far more efficient as an interactive process. Otherwise, the forum post approach often does take a long time: try this and post the result. OK, try this and post result. Rinse and repeat, until computer is clean.
Regardless of method and outcome, have a short discussion with your mother about safe computing, and check the feasibility of not giving her full administrator rights on the computer. People who get viruses often re-virus until they've been instructed in simple protection. Or had it enforced.
Too, I'll repeat myself from past questions: I'll clean anybody's computer for free who can put it in my presence. Complete capitulation to the evil shits who write viruses is not yet a given. So far there hasn't been a virus which has won, although they are getting pretty damned nasty lately and it's only a matter of time. This virus, though, is not among the toughest of the bunch.
Bottom line: You don't "have to" reinstall to remove common viruses in a reasonable amount of time, although doing it yourself may not be worth it for your particular circumstance, and you may need outside help.
posted by mdevore at 5:24 PM on March 19, 2010
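BeerFilter's steps above create a fresh profile through the Computer Management GUI, and mdevore suggests not leaving Mom with full administrator rights. As an added example (not from the thread), here is the same thing from an XP command prompt: a temporary administrator account for the cleanup work and a limited account for everyday use. The account names "cleanupadmin" and "mom" are placeholders.

```batch
@echo off
rem Added example, not from the thread. Run from a command prompt
rem (Start -> Run -> cmd) while logged in as an administrator on XP.
rem Account names are placeholders; pick your own.

rem 1. Fresh administrator profile for the cleanup. The "*" makes "net user"
rem    prompt for the password so it never sits in this file.
net user cleanupadmin * /add /comment:"Temporary account for malware cleanup"
if errorlevel 1 goto fail
net localgroup Administrators cleanupadmin /add
if errorlevel 1 goto fail

rem 2. Limited account for daily use. "net user /add" places it in the
rem    Users group only, so software cannot be installed system-wide and
rem    HKLM Run keys cannot be written from that profile.
net user mom * /add
if errorlevel 1 goto fail

rem 3. Check the result: the limited account must not be in Administrators.
echo.
echo Members of Administrators:
net localgroup Administrators
echo.
echo Group membership for mom:
net user mom | findstr /i /c:"Group Memberships"
rem If "mom" were ever added to Administrators, take it back out with:
rem   net localgroup Administrators mom /delete

rem 4. When the cleanup is done, disable the temporary admin instead of
rem    leaving an extra privileged account on the machine:
rem   net user cleanupadmin /active:no
goto :eof

:fail
echo A command failed. Are you running this from an administrator account?
```

Log off and back on as cleanupadmin to get the clean profile BeerFilter describes; the hijack that blocks Firefox and Explorer, if it lives only in the infected profile, will not be loaded there.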
I remove this virus often, for money. You can take what I'm saying to the bank.
First off, this virus infects restore points. Reverting to a restore will not help you.
It used to be that to get rid of this virus you had to do a nasty ol' 17 hour or so long boot scan from one of several live CD's, or you could reformat and reinstall, which may or may not be ideal depending on the backup status of the system. Thanks to some recent opportunities in anti malware, it's gotten way easier.
1. Download SAS Portable to a flash drive (and CCleaner Portable as well)
2. Boot computer into safe mode without network access. (F8 at launch)
3. Login as administrator (if they don't use the Admin account, the password SHOULD be blank. No instructions from me on how to wipe that pw, but logging in as the infected user will work too.)
4. Run ccleaner, make sure it removes all temp files and empties recycle bin. You can also do this manually, but it's harder.
5. Insert the key, run SAS portable, and walk away.
6. Come back. Follow all instructions from the program to delete everything.
7. Remove network cable
8. Reboot into normal mode, normal user.
9. Run SAS portable again.
10. Let it run, remove anything, reboot, reinsert network cable, system fixed. Download and install all updates.
11. If you get the issue where .exe files won't run after the fix, you can go here and download the .bat file that will fix the registry and thus the problem. Here is another option. First link has instructions to do it manually.
12. You may elect after all this to go ahead and wipe, but it is not necessary. This will definitely make the system safe for backups (files, favorites, passwords, etc.)
I remove this virus (and its variants) DAILY.
posted by TomMelee at 6:42 PM on March 19, 2010 [4 favorites]
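Step 11 above links to a .bat that repairs the registry when .exe files refuse to run after the cleanup. As an added example (not the linked file and not from the thread), this is what such a repair does, assuming the cause is the usual one for this family of rogue AV: the .exe file association has been pointed at the malware. It works as a .bat because cmd.exe launches reg.exe directly and never consults the broken association.

```batch
@echo off
rem Added example, not the .bat linked in the thread. Restores the stock
rem Windows XP .exe association. Run it from Safe Mode as an administrator
rem (double-clicking may fail; start it from a command prompt instead).

rem 1. Per-user override. A hijacked HKCU\Software\Classes\.exe shadows the
rem    machine-wide setting, so remove it if present. Assumption: this is
rem    where the hijack lives; the command is harmless if the key is absent.
reg delete "HKCU\Software\Classes\.exe" /f 2>nul

rem 2. Machine-wide defaults: ".exe" must map to the "exefile" type, and the
rem    exefile open command must be  "%1" %*  (the stock value). In a .bat
rem    file %% is written for a literal %, hence %%1 and %%*.
reg add "HKLM\Software\Classes\.exe" /ve /t REG_SZ /d "exefile" /f
reg add "HKLM\Software\Classes\exefile\shell\open\command" /ve /t REG_SZ /d "\"%%1\" %%*" /f

rem 3. Show what is now in effect so it can be checked before rebooting. If the
rem    open command still names anything other than "%1" %*, the repair did
rem    not take and the profile is not yet clean.
reg query "HKLM\Software\Classes\.exe" /ve
reg query "HKLM\Software\Classes\exefile\shell\open\command" /ve
```

Run it only after the SAS pass has removed the malware binary; restoring the association first would just let the infection start normally again.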
Potential problem is if you have cascaded infestations, as isn't too rare once a backdoor is open, safe mode boot may not be available. However, we're probably getting beyond the scope of the question in its initial state. With any luck, the SAS Portable solution works here.
posted by mdevore at 7:24 PM on March 19, 2010