XP Antivirus 2011 has infected me

I’m using the free version of avast and it’s currently up-to-date.

This virus/malware/trojan/POS has infected me. I cannot download anything, I can’t browse to any websites, nothing. The most I can do is run avast, which is currently not finding anything…

I am working off another un-affected machine. I need help fast. ARGH!

Follow this guide
http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011

Doesn’t help. I go through the motions and the setup for the malware program is “corrupt”.

Are you doing what is suggested in steps 4-5?

When I had that, the only thing that helped me was Hitman Pro. Nothing else worked.

They usually don’t bother to read the guide before they start… they see the picture of MBAM and that is where they start.

I have been going step by step. I’ve worked in the computer industry for the last 20+ years.

I did the regedit step, the rkill step, and installed the malware step.

All that happens when I d-click on the Malwarebytes program is nothing. It just sits there. No program launches.

The Rkill program doesn’t find anything to do on the machine; it doesn’t kill any processes.

Is this program morphing in the wild? Shouldn’t Avast be able to detect it and stop the install?
What about the behavior shield - isn’t this the kind of thing it’s supposed to prevent?
Not even automatic sandbox would catch it?

Nope. Didn’t see it, nor prevent it.

Also, the rkill program did find a program called nof.exe and killed it.

The Malwarebytes program still won’t launch.

Hitman Pro 3 - Second Opinion Malware Scanner http://www.surfright.nl/en/hitmanpro
Hitman Pro in Force Breach Mode http://hitmanpro.wordpress.com/2010/03/16/hitman-pro-in-force-breach-mode/

After starting Hitman in Force Breach mode, try Malwarebytes again…

If no success, then Essexboy is next.

Hitman Pro found and deleted nof.exe.

Malwarebytes won’t start.

Where do I find Essexboy?

Where do I find Essexboy?
Here tomorrow at 8:00am - 11:59am UK time.

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)

To avoid multiple posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach (OTS log); save the OTS log as ANSI.

Heh. I thought it was a program to try.

I’m in the EST time zone. Hitman wants to reboot to finish the job. Gonna try that.

If possible, please add the suspicious files on your disk to the avast chest [please add nof.exe], then submit them to the virus lab. Thanks.

I would love to, but hitman removed it.

Right now the system seems to be going OK. It’s not redirecting webpages, not popping up any antivirus crap. Just that Malwarebytes doesn’t load.

Also, I’ve had to re-enable all disabled services. Most notable were the alert, security center, windows firewall, etc.

XP Antivirus 2011 disabled them.

I like Malwarebytes and it has helped me save a few computers, but I have had problems with it too. I re-installed Vista on my friend’s machine, and I downloaded Malwarebytes and it just didn’t work. I tried re-downloading and re-installing and still, nothing. His machine had to be clean; I have sanitized, flattened and reformatted a lot of PCs before. Sometimes it wouldn’t launch and sometimes it displayed a message saying that the installer was corrupt. It eventually worked, but that was about two or three weeks later. Weird.

Try it in safe mode with networking.

Hi there - unless you have already reset the problem areas, please do the following:

Download RogueKiller to your desktop

- Quit all running programs
- For Vista/Seven, right click → run as administrator; for XP simply run RogueKiller.exe
- When prompted, type 2 and validate
- The RKreport.txt shall be generated next to the executable.
- If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

THEN

Download OTS to your Desktop and double-click on it to run it

- Make sure you close all other programs and don’t use the PC while the scan runs.
- Select All Users
- Under additional scans select the following:
  Reg - Disabled MS Config Items
  Reg - Drivers32
  Reg - NetSvcs
  Reg - SafeBoot Minimal
  Reg - Shell Spawning
  Evnt - EventViewer Logs (Last 10 Errors)
  File - Lop Check

- Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete, Notepad will open with the report file loaded in it.
- Please attach the log in your next post.

Try it in safe mode with networking.
It didn’t work in ‘Safe Mode’ either.

Thanks to all on this thread.
I got this virus on my computer yesterday and now believe I am rid of it.

I could see from the task manager that nty.exe was an alien process; when I deleted it I could pretty much run no programs, even with a reboot, getting the ‘is not a valid win32 application’ error.

I followed the steps in
http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011

I downloaded the files on a clean computer and transferred them by USB stick (as I pulled the internet connection out as soon as I saw the fake XP Antivirus 2011 screen).
I put the nty.exe back, so that I could actually do something.

Fixncr.reg sorted out the registry and allowed programs to start again. I did have to do it twice, as the fake virus scanner activates when the regedit tried running. I left the fake virus scanner there whilst running fixncr the second time.

Side note: it felt like the program was adapting to me.
Before finding this site etc., I ran regedit manually once but then it would not let me again. It was the same with msconfig.

RKill (eXplorer.exe) found and killed off the running process nty.exe, but the file was still in the Documents and Settings\[youruser]\Local Settings\Application Data directory with hidden properties.

Malwarebytes on a quick scan found 3 registry entries to delete, related to Microsoft Security Centre notifications being disabled, but not nty.exe, so I copied and deleted it.
After that I connected the internet and allowed Malwarebytes to update and then ran a full scan and it found the copy of nty.exe to remove.
There is another file in the same directory that may be related which is also hidden and named with a long string of characters.

I hope the above helps someone else if they get struck by this virus. Good Luck.
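As an added, read-only triage script (not from this thread or from any of the tools it links), the PowerShell below checks the three symptoms the posts above describe: the .exe launch breakage (assumed here, from the “is not a valid win32 application” error and the Fixncr.reg repair, to be a hijacked .exe file association), the disabled Alerter/Security Center/Windows Firewall services, and a hidden executable sitting in Local Settings\Application Data as nty.exe did. Registry paths and service names are the standard Windows XP ones; it reports findings and changes nothing.

```powershell
# Added triage script, not part of the original thread. Run in an elevated PowerShell
# prompt on the affected PC (PowerShell 2.0 on XP SP3 is enough). Assumptions: the
# launch failure is an exefile association hijack; service names are the XP defaults.

$findings = @()

# 1. .exe association: a clean system opens .exe files with exactly  "%1" %*
$machineKey = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'
$exeCmd = (Get-ItemProperty $machineKey).'(default)'
if ($exeCmd -ne '"%1" %*') {
    $findings += "exefile open command is not the default: $exeCmd"
}
# A per-user override in HKCU takes precedence over the machine-wide value, so its
# mere presence is worth reporting.
$userKey = 'HKCU:\Software\Classes\exefile\shell\open\command'
if (Test-Path $userKey) {
    $findings += "per-user exefile override present: " + (Get-ItemProperty $userKey).'(default)'
}

# 2. Services the thread reports the rogue disabling: Alerter, Security Center (wscsvc),
#    Windows Firewall/ICS (SharedAccess).
foreach ($svc in 'Alerter', 'wscsvc', 'SharedAccess') {
    $s = Get-WmiObject Win32_Service -Filter "Name='$svc'"
    if ($s -and $s.StartMode -eq 'Disabled') {
        $findings += "service $svc is Disabled (current state: $($s.State))"
    }
}

# 3. Hidden .exe files directly under the user's Local Settings\Application Data folder.
#    GetFolderPath resolves the XP path without relying on %LOCALAPPDATA%, which XP lacks.
$lad = [Environment]::GetFolderPath('LocalApplicationData')
Get-ChildItem -Path $lad -Force -ErrorAction SilentlyContinue |
    Where-Object {
        -not $_.PSIsContainer -and $_.Extension -eq '.exe' -and
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
    } |
    ForEach-Object { $findings += "hidden executable: $($_.FullName) ($($_.Length) bytes)" }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Each reported item maps to one of the repairs described in the thread (Fixncr.reg, re-enabling the services, deleting the hidden file), so the output doubles as a checklist of what still needs fixing after a cleanup.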