Hello all. Please let me start this off with a big thank you - I first came across this site last night (while in the midst of a frenzy with this XP Internet Security virus) and it looks like a great resource, so props to everyone involved.
On to the problem. The affected computer is a laptop that uses Windows XP and generally has not had viruses/problems since my mom is the main user and she tends to use the computer more for Microsoft Word, photos, etc. (though she does still regularly use Internet Explorer). When she is on the web, she usually sticks with a few trusted sites, so the computer has generally been pretty clean. I believe the computer uses wireless Internet.
As far as I know, I used these two applications last before I got the virus:
1) Minesweeper - I sincerely doubt this had anything to do with anything, but I'm trying to include everything I remember.
2) Internet Explorer - went to tetrisfriends.com (a trusted Tetris site that I have used very much in the past) and the first google match on keywords "seven reasons why the world will end in 2010" (because I wanted to show my mom, since she hadn't heard of this yet).
Basically the only thing I can think of is that this "seven reasons why the world will end in 2010" site gave me the virus because I can't think of anything else that could've gotten me infected. However I am also sure I've been to that exact same site before, as I tend to click on the first match Google gives me, and while rereading the text on the site with my mom, I definitely recalled reading it earlier.
However, perhaps we inadvertently clicked on some ad on the site - we're both not quite clear, but I simply remember having a "computer scan" begin from "Windows Security Center" and "XP Internet Security" windows that popped up while we were on the site, and they looked quite legitimate - the Windows logo and up-to-date design.
From an XP Internet Security icon in the tray on the bottom right of the screen, bubbles would periodically pop up warning me that the computer was infected with viruses and that I needed to buy XP Internet Security now. I am not including the exact errors because the affected computer is currently shut down (for reasons I will explain as I get there), but you can take a look at the top half of this bleepingcomputer page for some of the exact text or images on the virus: http://www.bleepingcomputer.com/virus-remo...irus-vista-2010
(The virus goes by many names, so while the one in the page is called "Antivirus Vista," that is the same virus as "XP Internet Security.")
We soon found that our beginner-level attempts to remove the virus would not work - Task Manager, System Restore, and regedit were all disabled. (An error would pop up saying that they had been disabled by an administrator or by Group Policy Editor.)
I first reenabled the Task Manager, I think by typing the following into the Run: box:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
(Sorry for any uncertainties - I made innumerable Google searches and tried many different things, so I am doing my best to recall exactly what worked in the end.)
This worked, so I could now view the Task Manager.
I went on to try to get System Restore to work again, using the steps on this site: http://techsalsa.com/re-enable-the-disabled-system-restore/
"1. Go to System Properties -> System Restore tab and uncheck the box reading "Turn off System Restore on all drives" (if checked)."
I attempted this but found that the System Restore tab was missing from System Properties. Attempts to remedy this (via info on http://www.pcreview.co.uk/forums/thread-107410.php) failed - I could not try the first method, which involved having an XP CD, and when I tried to go the Group Policy Editor (gpedit.msc) route (included in brackets are my notes):
"1. Run the Group Policy Editor (gpedit.msc)
2. Go to Computer Configuration / Administrative Templates / System /
3. Set Turn off System Restore and Turn off Configuration to Disable [had previously been Not configured]
4. Right click on My Computer
5. Select Manage
6. Go to Services and Applications / Services
7. Scroll down to System Restore Service
8. Set it for Automatic [was already set to Automatic]
9. Click on the Start button to start the service [failed here - could not proceed. See below.]
10. Close down this window
11. Go back to the Group Policy Editor and configure both to Not
12. Now when you right click on My Computer, there should be a tab for
I got down to Step 9 with no issues, but at that point, the System Restore Service would begin briefly and then pop up with an error saying "The System Restore Service service on Local Computer started and then stopped" and that it was probably because services stop if they have no work to do.
Thus, I could not get the System Restore tab back on the System Properties window, and I could not see if the "Turn off System Restore on all drives" was checked or not.
On to the second method to re-enable System Restore: "2. Another method to enable and disable the Windows XP's System Restore feature is to use the registry. Type regedit.exe in the Run box."
Regedit, as I mentioned earlier, was disabled. I believe the error message said that it had been disabled by Group Policy Editor, but I'm inclined to not pay much attention to this, as it previously said System Restore was disabled by Group Policy Editor (which I will now abbreviate as GPE) as well, yet I had noticed while using the GPE that System Restore was NOT disabled: it was set to Not configured. Perhaps the virus was throwing inaccurate errors, or perhaps it was disabled in some other way that I didn't know about.
On to the third method: "3. Navigate to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore and verify that the key on right DisableSR has a value of 0.
4. If the key is not there then create one DWORD value with the same name DisableSR and give it a value 0 to enable else 1 to disable."
I am not really familiar with keys so I did not know how to do this. Further Googling seemed to suggest this required something to do with regedit, but anyway, I did not really pursue this as I found a comment that said the virus is smarter now and will disable System Restore again if you ever manage to set the value to 0.
On to the fourth and final method to re-enable System Restore: "1. Go to the Group Policy Editor by typing gpedit.msc in the Run box
2. Navigate to Computer Configuration -> Administrative Templates -> System -> System Restore
3. Set the following entries to Not Configured
Turn off System Restore
Turn off Configuration
The System Restore feature will be enabled."
I tried this again, but I knew it wouldn't work, as I'd already gone into GPE and found that the two entries had already been "Not Configured."
It was only at this point, I believe, that I finally went about trying to find out specific ways to remove the virus, rather than trying to access System Restore. It was only now that I realized the XP Internet Security warning messages were actually the virus, and that all the viruses it came up with were fabricated. This was actually somewhat of a relief, since its fake "scan" had made me think the computer was filled with many different viruses - now I realized there was just the one. I had not entered any information into their "Registration page" (the virus was written to get people to think they needed to buy an antivirus package, so they were advertising a nonexistent product in the attempt to get money), so I hadn't fallen for the scam - which was very lucky because by this time I think I was on the verge of giving up and buying this product. Good thing I looked up the virus at this point!
Thus, I went to the aforementioned bleepingcomputer.com's page (again: http://www.bleepingcomputer.com/virus-remo...irus-vista-2010) and followed the steps to remove the virus (listed about halfway down the page):
"1. For the first part of this removal guide you will need to use a different computer than the infected one. This is also a tricky rogue to remove, so please follow the instructions carefully. If you are concerned about whether or not you can do this, do not be, as I have made these instructions easy to follow for people of any computer expertise.
2. From another computer, please download Malwarebytes' Anti-Malware, or MBAM, and the reg files from the following locations and save it to an external media such as an external hard drive or a USB flash drive. We will then use the external drive or flash drive to transfer these files to your infected computer. If you do not own a USB flash drive, you can get one from any local or online computer store for a small price. An example of a good and cheap one can be found at Newegg. The files that you should download onto this device are:
Malwarebytes' Anti-Malware Download Link - Everyone should download this
FixExe.reg - Everyone should download this
3. Once you have downloaded all the necessary files to a removable device, you need to plug it into your infected computer so it can access them.
4. On the infected computer make sure XP Internet Security 2010, Antivirus Vista 2010, or Win 7 Antispyware 2010 is running. If it is not, you can launch it by running any program on your computer as that will trigger the rogue program to run. Once running, do not close it during the entire length of this guide.
5. Now open the drive that corresponds to the removable media that you copied the programs from step 2 onto. Once open, double-click on the FixExe.reg file. When Windows prompts whether or not you want to allow the data to be added to your computer, click on the Yes button. [steps continue, but this step failed so I could not continue.]"
Since this was a .reg file and regedit was disabled, I got another error message informing me of this fact. At this point, since the disabled regedit seemed to be a recurring issue, I tried to fix this issue. Side Note: The fact that this page specifically on removing XP Internet Security (2010, no less) did not address the fact that regedit was disabled made me suspect my version of the virus was somewhat smarter - more on that later.
Two short detours before I tried to address the regedit issue:
First, I went to http://www.greyknight17.com/spyware.php, which is a general page on preventing/removing viruses. So I downloaded and used the ATF Cleaner, which removes all sorts of temp files from the computer, as the site instructed. Then, when I went to download the recommended AVG Anti-Virus Free Edition program, I believe I was able to download the file that you double-click to install the program, but when I did so, nothing happened. I realized later that, as said on the bleepingcomputer page, this was because the virus will execute itself whenever you try to execute another .exe program (or something along those lines - sorry if that's not exactly precise, but that's the gist I think).
I believe this is when the Internet Explorer on the affected computer began to have problems. Instead of the normal homepage, it would open up to a mature site and when I tried again and again to get to the AVG page, it would say the site was "unsafe" and keep me on the mature site. This is a listed symptom of the virus - when it figures that you want to get .exe files that may threaten it, it blocks the site (under the pretense of protecting you). I believe it was around this time that I turned off the Internet, since I was also worried the virus might send information about the computer online or something like that. However I did turn it on and off afterward as well, particularly when the computer would freeze or otherwise be uncooperative - this is probably silly, but I figured maybe the virus was "mad" that I disconnected it from the Internet because it could no longer do whatever it was it wanted, so it was making the computer fail while offline. I turned the Internet back on now and then to see if it would "appease" the virus and have it make the computer work better. (I'm sure this had no effect on anything.)
Second, I tried to find another site on how to get rid of this virus: http://www.2-spyware.com/remove-internet-security-2010.html
(about halfway down the page, under the title "Internet Security 2010 manual removal")
These were the first couple of steps: "Kill processes:
IS2010.exe 41.exe winlogon86.exe winupdate86.exe [I could ONLY find IS2010.exe, none of the next three - again, this suggested that my virus might be a slightly updated version.]
how to kill malicious processes [and here they linked me to a help page]
Delete registry values:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Internet Security 2010"
how to remove registry entries [linked to another help page]"
Again, I didn't really know how to access registry keys or whatnot, but luckily they had a link posted right there as to how to remove them. It sent me to another page with steps on how to do this, but the first step was to run regedit, which of course I couldn't do, so I was again pushed to try to get regedit to work.
On to trying to enable regedit (finally! In hindsight I should have done this much earlier...I suppose this is how we learn).
First I went to this site: http://www.pchell.com/support/registryeditordisabled.shtml
---"Method 1 - Enabling the Registry with VBScript
Doug Knox, a Microsoft Most Valuable Professional, has created a VBScript that enables or disables the Registry Editor based on the following location in the registry. Of course, since the registry editor is disabled, you can't change it manually, so Doug wrote a Visual Basic Script to accomplish the task.
Visit Doug's page [http://www.dougknox.com/security/scripts_desc/regtools.htm] and download Registry Tools VBScript to your desktop, double-click on it to run it, then reboot your computer and try to open the Registry Editor."
I went ahead and downloaded the VBS Script (http://www.dougknox.com/security/scripts/regtools.vbs) to a .txt file (it did this automatically) on a healthy computer, as I had previously done with the first few steps on the bleepingcomputer page (FixExe.reg and mbam-setup). I put this onto a memory card and transferred it onto the affected computer's desktop, where I realized double-clicking on it didn't seem to run anything, since it just opened a Notepad. I searched online and someone said to drag it onto Internet Explorer, which I did. A warning message came up asking if I wanted to let the page run the script, and I clicked yes, so I believe it worked. However, since an error message is supposed to show up if regedit is indeed disabled and nothing showed up, I wasn't convinced it succeeded. I dragged the .vbs file into IE once more to see if it would do anything. No warning message came up or anything this time, so I'm not sure if it ran again or not. Either way, still no error message was brought up. Just in case, I dragged it in a third time (just in case it is on "toggle" and the second time reversed the first time).
I restarted the computer for the first time since getting the virus (through Start --> Turn off --> Restart, not by holding the power button) as instructed to do after running the .vbs script. (My mother had also restarted once or twice before I began trying to fix the problem.) Regedit still failed to work.
"Method 2: Use Symantec's tool to reset shell\open\command registry keys
Sometimes worms and trojans will make changes to the shell\open\command registry entries as part of their infections. This will cause the virus to run each time you try to run an .exe file such as the Registry Editor. In these cases, visit Symantec's website [http://www.symantec.com/security_response/writeup.jsp?docid=2004-050614-0532-99] and download the UnHookExec.inf file [http://securityresponse.symantec.com/avcenter/UnHookExec.inf] to your desktop. Right-click on it and choose Install. Restart your computer and then try to open the Registry Editor."
I got the .inf file onto the affected computer via the memory card, but I did not know how to run it. There was no Install option when I right-clicked on it.
---"Method 3: Rename Regedit.com to Regedit.exe
Some viruses and other malware will load a regedit.com file that is many times a zero byte dummy file. Because .com files have preference over .exe files when executed if you type REGEDIT in the run line, it will run the regedit.com instead of the real regedit.exe file.
Delete the regedit.com file if it's a zero byte file to restore access to REGEDIT. In some cases, such as the W32.Navidad worm, you'll need to rename the REGEDIT file to get it to work."
Here I began to run into problems - the computer began to freeze up or auto shut down* before I could get to do anything, e.g. open a search to try to find "regedit.com" files or pretty much anything else that required more than perhaps 20 seconds of actual unfrozen computer time to do anything. From what I recall, I did not ever search for regedit.com files, perhaps because I realized the search would take too long. I did get to the fourth and final method on this site, though.
*By the way, just to describe what it looks like whenever the computer boots up: It goes through the starting up stuff pretty normally right until your desktop is about to be loaded - then, I get an error saying I need a computer scan, and I can click OK or cancel - I've clicked either, since the virus will go ahead and do whatever it wants anyway. More warning messages will pop up, the desktop background will be changed to another warning message, and the desktop files will be cleared away for sometimes a minute or more at a time, but usually they all show up again. Generally I must wait a short while for me to be able to click anything - I can move the mouse but the screen is unresponsive, probably because the computer is so preoccupied with loading what the virus wants.
---"Method 4: Windows XP Professional and Group Policy Editor
If you have Windows XP Professional and access to an administrative user account, you could change the registry editor options in the Group Policy Editor.
1. Click Start, Run
2. Type GPEDIT.MSC and Press Enter
3. Go to the following location
* User Configuration
* Administrative Templates
4. In the Settings Window, find the option for "Prevent Access to Registry Editing Tools" and double-click on it to change.
5. Select Disabled or Not Configured and choose OK
6. Close the Group Policy Editor and restart your computer
7. Try opening REGEDIT again"
I found that "Prevent Access to Registry Editing Tools" was already set to Not Configured or Disabled - I can't remember which, but I am certain it was NOT set to Enabled. I did not bother restarting, since I had not changed anything in the GPE, though I'm sure the computer auto shut down sometime shortly afterward anyway.
I went to a second site with ideas on how to re-enable regedit: http://sidsuniverse.blogspot.com/2009/03/e...g-has-been.html
Of its four methods, I had already tried #2 and #3 (since they had also been on the first site). The fourth involved using a file that ended in .reg so I assumed that also would not work. This left me with Method #1: "Method 1: Using the REG.EXE console tool
1. Click Start, Run and type this command:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
Now, you should be able to launch the Registry Editor."
I suspect this would have worked, since in hindsight this looks similar to what I typed to get Task Manager to work. However, whenever I would just manage to get this typed in and hit enter, the computer would shut down - I am not completely sure if this was a result of what I just entered or not, but I don't think it was related, since the first time, the computer shut down before I finished even typing it.
I figured this was because the computer was overheating - it generally does not have this auto shut down problem, but my mom said that sometimes overheating will make it do this. I went to bed to let it cool down.
This morning I went back to the problem, hoping to get to use that REG add etc. command to get regedit working again. However, the computer booted up with the usual error messages but was frozen for a long time and I literally had no chance to click on anything (barring superhuman speed). After many minutes of "thinking," the computer suddenly began to run an Antivirus "Trial Period" program that I am 99.999% sure was part of the XP Internet Security virus. I held the power button and shut the computer off while this "Trial Period" program was initializing (it looked like something that would take about 30 seconds to a minute to load completely), in fear that letting it load would usher in a second, much worse wave of the XP Internet Security conquest.
Possibly it is already too late, if the Trial Period will run every time I start up the computer again, but I have not had the courage to try to boot the affected computer up again. I sincerely hope someone can help me, or perhaps even assign me someone in the area to meet me and take a look. It's my mom's computer and, like I'm sure many other people have, she has saved a lot of personal photos and other important documents on here, and I would feel pretty terrible if she lost them all.
Thank you very, very much in advance, and hope you can help!
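The settings the post works through one by one (the Policies\System values that lock out Task Manager and regedit, DisableSR for System Restore, the .exe file association that makes the rogue launch on every .exe, the Run key entry, and a regedit.com dummy shadowing regedit.exe) gathered into one read-only triage script. This is an added example, not code from the original post or from the pages it quotes; it assumes REG.EXE is present (Windows XP or later) and that it is run from an administrative account, and it only reports, so the REG add lines quoted above remain the fix.

```batch
@echo off
REM Read-only triage for the rogue-AV symptoms described in the post.
REM Assumption: REG.EXE is available and this runs as an administrator.
setlocal

echo == Policy values that lock out Task Manager / regedit (1 = disabled) ==
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr 2>nul || echo DisableTaskMgr: not set (Task Manager allowed)
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools 2>nul || echo DisableRegistryTools: not set (regedit allowed)

echo.
echo == System Restore policy (DisableSR 1 = turned off) ==
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR 2>nul || echo DisableSR: not set (System Restore allowed)

echo.
echo == .exe file association: a clean default value is "%%1" %%* ==
REM Anything else here (a path to another program) means every .exe launch
REM is redirected, which is why regedit.exe and installers would not start.
reg query "HKCR\exefile\shell\open\command" /ve
reg query "HKCU\Software\Classes\exefile\shell\open\command" /ve 2>nul

echo.
echo == Run key entries (the post's guide names "Internet Security 2010") ==
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

echo.
echo == regedit.com dummy that would run instead of regedit.exe ==
if exist "%SystemRoot%\regedit.com" (
  echo Found %SystemRoot%\regedit.com
  REM A zero-byte file here is the dummy described in Method 3.
  for %%F in ("%SystemRoot%\regedit.com") do echo   size: %%~zF bytes
) else (
  echo No regedit.com in %SystemRoot%
)
if exist "%SystemRoot%\system32\regedit.com" echo Found %SystemRoot%\system32\regedit.com

endlocal
```

Save it as a .bat on clean media and run it from a command prompt on the affected machine; because it is a .bat rather than an .exe, it is not affected by the exefile hijack it checks for.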