system
20
Thanks to all on this thread.
I got this virus on my computer yesterday and now believe I am rid of it.
I could see from the task manager that nty.exe was an alien process. When I deleted it, I could pretty much run no programs, even with a reboot, getting the ‘is not a valid win 32 application’ error.
I followed the steps in
http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011
I downloaded the files on a clean computer and transferred them by USB stick (as I pulled the internet connection out as soon as I saw the fake XP antivirus 2011 screen).
I put the nty.exe back, so that I could actually do something.
Fixncr.reg sorted out the registry and allowed programs to start again. I did have to do it twice, as the fake virus scanner activated when regedit tried running. I left the fake virus scanner there whilst running fixncr the second time.
Side note: it felt like the program was adapting to me.
Before finding this site etc., I ran regedit manually once, but then it would not let me again. It was the same with msconfig.
RKill (eXplorer.exe) found and killed off the process nty.exe running, but the file was still in the Documents and settings\[youruser]\Local settings\ApplicationData directory with hidden properties.
Malwarebytes on a quick scan found 3 registry entries to delete, related to Microsoft security centre notifications being disabled, but not nty.exe, so I copied and deleted it.
After that I connected the internet and allowed Malwarebytes to update and then ran a full scan and it found the copy of nty.exe to remove.
There is another file in the same directory that may be related which is also hidden and named with a long string of characters.
I hope the above helps someone else if they get struck by this virus. Good Luck.