My poor, innocent computer is being held hostage by a malevolent virus. Please help!
April 8, 2011 7:11 PM

Can anyone tell me how to remove the XP Security 2011 virus from my home computer?

My computer became infected with this &%$#! virus earlier this week. At present I can only browse the internet with add-ons disabled and cannot download anything from the net nor use any of my computer programs, from Word to solitaire. I haven't been able to access my work email. (I was on vacation this past week.) For a time I had even less functionality than that, but when I entered a code from a "how to get rid of the XP Security 2011 virus" web page, the virus backed off somewhat because it thought I had paid the $60 in registration fees it was demanding to "protect my computer from viruses".

I have been checking out some of the many, many "how to delete" instructions on the net and nothing else has worked so far. Here's what I tried:

- Some people report success by using anti-virus software, but I cannot use the anti-virus software I already have installed and can't download any other software.

- Other people report success deleting virus program files manually, but when I search on my hard drive for files by those names I cannot find them.

- Still others say they have run a system restore to take their computer back to a pre-infection state and that it worked, but I can't do it because I only have the one account on my computer (one with my own name), and I need to do this from an Administrator account. But when I try to create a new account, nothing happens. I think it's the virus again.

I'm still exploring other web pages of instructions but I wondered if anyone could give me an effective way to resolve this problem using just my computer. There's apparently an option of using a second computer to download some anti-virus software onto a CD and then using the CD to run the program on my infected computer. I'll be able to try this next week when I'm back at work, but ideally wouldn't have to involve my work computer at all.
posted by orange swan to Computers & Internet (17 answers total) 2 users marked this as a favorite
Take a look at Deezil's profile; he has been the anchor in more than a few desperate calls for help in these matters.
posted by jadepearl at 7:23 PM on April 8, 2011

I believe ComboFix with a followup scan by Super Antispyware (links in Deezil's profile) were what fixed it when my friend's computer got infected.
posted by sharkfu at 7:32 PM on April 8, 2011

Standard advice is to nuke it from orbit (i.e. reinstall). If you really want to try cleaning this yourself, what you can do is search for .exe files and .dll files that were modified at the time the virus got installed. So just use Windows search and search for files with that modified date. Then delete those. You can also search in the registry to see where those files are being referred to and delete those keys.

If you boot up, even in safe mode the thing might stick around. Definitely burn a Knoppix CD and use that to delete the files. You'll definitely want to back up all your files though.

Some advice for the future, though: 1) Keep all your files and programs on separate partitions, so you won't lose anything if your system drive dies or gets wiped. You'll just need to reinstall Windows and go. And 2) Always make backups! XP doesn't have the good backup system that exists in Vista and Windows 7.
posted by delmoi at 7:37 PM on April 8, 2011

I personally like Malwarebytes as it runs quite well in safe mode.

Find an uninfected computer, download the application and copy it to a flash drive or burn it to a CD.

On the infected machine, boot into safe mode by hitting F8 right before the windows loading screen. You should see a menu that allows you to select safe mode.

Once in safe mode, run the Malwarebytes application and do a full scan. If it finds anything, it will give you the option to clean it.

If this works and you're able to use your antivirus software again (once you've gone back in your standard Windows session) make sure you update it fully prior to running another full scan.

Good luck.
posted by purephase at 7:55 PM on April 8, 2011 [6 favorites]

I recently fixed this exact virus, following purephase's exact instructions, FWIW.
posted by SuperSquirrel at 8:23 PM on April 8, 2011

Response by poster: Hah! I have discovered that my computer was infected Tuesday, April 5 at 10:59 p.m. I deleted some .exe files created then, and when I rebooted, my SuperAntiSpyware program had actually started to work and zeroed in on another little bugger, ngh.exe. However, neither of my anti-virus programs nor I can delete or quarantine this file - I get an "access denied" message. How can I get rid of this file?
posted by orange swan at 8:24 PM on April 8, 2011
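delmoi's suggestion above (search for .exe and .dll files modified at the time the virus got installed) is what the poster then did by hand. As an added example that is not part of the thread, here is a small Python triage script that does the same search for a given infection timestamp, written for running from a clean boot (a live CD with the Windows volume mounted, as delmoi recommends, so the files are not locked). The directory listing embedded in it is constructed; ngh.exe is the one filename named in the thread, and every other path, file name and time is made up.

```python
import os
from datetime import datetime, timedelta
from pathlib import Path

# Extensions worth reviewing first; registry and script payloads are out of scope here.
SUSPECT_EXTENSIONS = {".exe", ".dll"}


def in_window(stamp, center, minutes):
    """True if stamp lies within +/- minutes of the infection time."""
    delta = timedelta(minutes=minutes)
    return center - delta <= stamp <= center + delta


def filter_records(records, center, minutes=30):
    """Select executables whose modified or created time falls in the window.

    records: iterable of (path, mtime, ctime) with datetime values.
    Returns a list of (timestamp, path) sorted oldest first, where timestamp
    is whichever of the two times matched (mtime preferred).
    """
    hits = []
    for path, mtime, ctime in records:
        if Path(path).suffix.lower() not in SUSPECT_EXTENSIONS:
            continue
        if in_window(mtime, center, minutes):
            hits.append((mtime, path))
        elif in_window(ctime, center, minutes):
            hits.append((ctime, path))
    hits.sort()
    return hits


def scan_tree(root, center, minutes=30):
    """Walk root (e.g. a mounted Windows drive) and report executables in the window.

    On Windows st_ctime is the creation time; on Linux (a live CD with the NTFS
    volume mounted) it is the inode change time, so mtime is the more reliable
    field there. Unreadable or locked files are skipped rather than aborting the walk.
    """
    records = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue
            records.append((full,
                            datetime.fromtimestamp(st.st_mtime),
                            datetime.fromtimestamp(st.st_ctime)))
    return filter_records(records, center, minutes)


# Infection time the poster found on her machine (Tuesday, April 5, 2011, 10:59 p.m.).
INFECTION_TIME = datetime(2011, 4, 5, 22, 59)

# Constructed sample listing standing in for a real directory walk (not real files).
SAMPLE_RECORDS = [
    (r"C:\WINDOWS\system32\ngh.exe",
     datetime(2011, 4, 5, 22, 59), datetime(2011, 4, 5, 22, 59)),
    (r"C:\Documents and Settings\owner\Local Settings\Temp\sample_dropper.exe",
     datetime(2011, 4, 5, 22, 58), datetime(2011, 4, 5, 22, 58)),
    (r"C:\WINDOWS\system32\kernel32.dll",            # old system file, outside window
     datetime(2008, 4, 14, 12, 0), datetime(2008, 4, 14, 12, 0)),
    (r"C:\Documents and Settings\owner\My Documents\notes.txt",  # wrong extension
     datetime(2011, 4, 5, 22, 59), datetime(2011, 4, 5, 22, 59)),
    (r"C:\Program Files\Example\app.exe",             # next morning, outside window
     datetime(2011, 4, 6, 9, 30), datetime(2011, 4, 6, 9, 30)),
    (r"C:\WINDOWS\Temp\old.dll",                      # old mtime, but created in window
     datetime(2010, 1, 1, 0, 0), datetime(2011, 4, 5, 23, 10)),
]


def demo():
    """Run the filter over the constructed sample; returns the (time, path) hits."""
    return filter_records(SAMPLE_RECORDS, INFECTION_TIME, minutes=30)


if __name__ == "__main__":
    import sys
    # Usage: python triage.py <root> [YYYY-MM-DDTHH:MM]; with no arguments, runs the sample.
    if len(sys.argv) > 1:
        center = datetime.fromisoformat(sys.argv[2]) if len(sys.argv) > 2 else INFECTION_TIME
        hits = scan_tree(sys.argv[1], center)
    else:
        hits = demo()
    for stamp, path in hits:
        print(f"{stamp:%Y-%m-%d %H:%M}  {path}")
```

Two caveats a practitioner would add: the script only narrows the list to review, since a legitimate update can land in the same window and malware can rewrite its own timestamps, so each hit still needs a look before deletion; and the same reboot-from-other-media point delmoi makes later applies here, because a file that is running cannot be deleted from inside the infected Windows session.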

Boot into Safe Mode?
posted by SuperSquirrel at 8:31 PM on April 8, 2011

My profile. Get there.
posted by deezil at 8:51 PM on April 8, 2011 [2 favorites]

I get an "access denied" message. How can I get rid of this file?

Again, knoppix! Even if you're in safe mode viruses can still get themselves loaded at boot. I don't even want to talk about how I learned this, but it's definitely true.

Get on another machine and burn a knoppix CD or DVD. Your system will boot off the CD and you'll be in Linux. It has a GUI and a graphical file manager.

Other than that, if you have Windows install CDs you can boot off of them and go into a recovery console. You can also install the recovery console. Write down the path of the file. So let's assume the full path is C:\windows\system32\ngh.exe

then in the recovery console you would type "del C:\windows\system32\ngh.exe"

But, a lot of PCs are sold with windows pre-installed, and knoppix will let you use a GUI to delete the files.

IIRC, you might need to mount the drives as read/write in knoppix in order to delete files. I think you can right-click the drives to do that. (it's been a while since I've used it)
posted by delmoi at 8:55 PM on April 8, 2011

I had just this with the Vista virus. If you can google, try to find if someone has a registration number that you can put in to make it go away; it worked for me. However, I was still able to go on most sites, the virus would just keep popping up once in a while.
According to one of the codes is 1147-175591-6550. This way it will think you paid the $$$.
posted by greatalleycat at 9:01 PM on April 8, 2011

Er, that post was a little incoherent. Let me try again.

Basically, windows isn't letting you delete the file because it's in use. That probably means the program is running. In order to delete it, it can't be running. But it's set to run whenever windows boots.

You could disable it using msconfig. But, since it's running, it could set itself to start again, automatically. (and there are some ways to get a system to run programs that might not show up in msconfig)

So what you need to do is boot off of something that's not the windows install that's infected. You could take the hard drive out and boot a completely different PC. Or you could boot off some other OS. It could be a windows recovery console or it could be off of a knoppix CD. Either way, the program shouldn't be running. The Knoppix CD will be a lot more user friendly.
posted by delmoi at 9:03 PM on April 8, 2011

For the file that is coming back with "access denied" a couple things could be going on here:

- The ownership/permissions on the file are stripped to prevent access
Solution: Right-click on the file in explorer, go to properties then security. Under the advanced button you can assign your account ownership and grant full permissions.

- Another process has the file hooked in memory
Solution: Download and run Undll, which is great at unlocking files in use. It is normally used for dlls but will work fine on a .exe or any other type of file.

Also, check Deezil's profile and grab HiJackThis, which can help you clean up your startup items...create a backup within the program if unsure.
posted by samsara at 9:03 PM on April 8, 2011

Just did this 2 weeks ago with my sister's XP machine. Of course there are quite possibly major differences, but give it a try.

First I booted in safe mode.

I entered the code that you mentioned, in the activate box. The popup will continue to appear but not as frequently. I opened Task Manager and then the processes window and every time I saw that three letter process appear (nge.exe apparently for you, in my case it was PMA.exe) I ended the process tree. Kept Task manager open and kept monitoring it. I then ran my Anti-Virus software (F-secure) and it took care of the problem.

Hope it works for you.
posted by Neiltupper at 12:14 AM on April 9, 2011

Definitely deezil's profile. Also wanted to chime in that the BitDefender Rescue CD is a freely available live Linux CD (like Knoppix) with a pretty good virus scanner built in. To burn the iso file to CD you would need a functional computer and program like ImgBurn.
posted by sockpup at 12:16 AM on April 9, 2011

If you've got some spare hardware around, there may be a way of getting around all that extra safe-moding. The last time I caught a virus before I switched to Linux for good, I dealt with it in this fashion:

Unplug the afflicted hard disk from your machine. Scrounge a spare hard disk and install it as the primary drive. Install Windows on this disk.

Now, install Avast! on the new Windows install. Set Avast! to run a boot-time scan of all installed hard drives. Instead of rebooting, shut the system down.

Now, install the infected disk as slave. When you next turn the computer on, Avast! starts before the Windows boot process and before the virus can activate. When that finishes, use the new primary OS install to copy everything you need off of the old drive, nuke it, then replace the files on your new dedicated storage partition.

This way, if you somehow get a virus in spite of your new antivirus install, you can just nuke the separate OS disk and save your documents.

As has been said before, however, nuking it from orbit remains the most viable option, preferably after removing your vital files via a Linux live CD (Knoppix, Ubuntu, etc.). Better still, just install a Linux desktop in dual-boot and use it for working online; it'll be familiar, as a browser's a browser, no matter the platform, and you can't get Windows malware on a Linux install.
posted by fifthrider at 7:25 AM on April 9, 2011

If you are not completely fixed yet, and if you have not yet contacted Deezil, you seriously need to. He is extraordinarily knowledgeable, helpful, and nice. He saved me from some god-awful thing I got using Stumble Upon a few weeks ago.
posted by SLC Mom at 9:54 PM on April 9, 2011

Response by poster: Virus is gone! Here for posterity is a run down of what I did that worked:

1) Entered a code that fooled the virus into thinking I'd paid the $60 in extortion money to register, which restored some functionality.

2) Manually deleted some .exe files that were installed at time of infection. My anti-spyware program actually got back into action at this point and helped me find another virus file. The virus seemed to be gone at this point but my computer programs still weren't operating quite normally, i.e., I couldn't get into the programs via icon or start menu, and had to browse the net without add-ons.

3) Emailed the wonderful Deezil. He told me to download and run the files at this site:

I did so (had to download the files at work).

4) Then I ran my Symantec and Norton Anti-Spyware (free version), which got rid of quite a lot of other viral files. And after that my computer worked better than it had for months.

5) Profit!!!

Thanks all!
posted by orange swan at 8:44 PM on April 26, 2011
