Rogue "Security" virus

My Presario PC was recently infected with the virus called "System Security," and with the help of HP by linking your site, it was removed from my system.
http://www.bleepingcomputer.com/virus-remo...system-security

Unfortunately, within days, I have a similar infection using the Windows logo called "XP Internet Security-Unregistered Version" which is also shutting down all programs as soon as the system boots to desktop. Since the first virus was eliminated using your removal link as provided by HP tech service, please advise:

Whether this is indeed a virus or a legitimate Windows warning. (It is requiring me to PAY FOR registering, which is the big red flag.)

Currently, I can only access the Internet (or any other program) in SAFE MODE. This virus has also disengaged AVG and Malware virus protection from my desktop.

I hope your assistance will be as helpful as my prior bad experience and that you can provide me with a direct link to also remove this, if it is indeed another rogue virus pretending to be legitimate.

XP Internet Security is another rogue program. There are separate removal instructions here.

If you cannot use the Internet or download any required programs to the infected machine, you are going to need access to another computer (family member, friend, library etc) with an Internet connection. Save mbam-setup.exe to a flash (usb, pen, thumb, jump) drive or CD, transfer it to the infected machine, then install and run the program. If you cannot transfer to or install on the infected machine, try running the setup (installation) file directly from the flash drive or CD by double-clicking on mbam-setup.exe so it will install on the hard drive. If you cannot copy files to your usb drive, make sure its not "Write Protected". Some flash drives have a switch on the side which could have accidentally been moved to write protect.

Some types of malware will target Malwarebytes Anti-Malware and other security tools to keep them from running properly. If that's the case, please refer to the suggestions provided in For those having trouble running Malwarebytes Anti-Malware.

Thank you for your instructions on how to eliminate this problem. Since this is the second of these "security" viruses that have attacked my system in a one-month period, I'm frankly frustrated that once fixed, I'll just be the target for another one again.

Since my system is already older, I'm just going to salvage and transfer what I want or need from my existing saved files onto a CD and buy a new system. In the meantime, I can get by in safe mode. Even if I can't do that for some reason, it's no big deal for me, but I empathize with people who use their computers as a valuable working tool and have to put up with this.

Thank you again for your help. It's great to know there are such pros to turn to when these criminals attack.

You're welcome.

I'm just going to salvage and transfer what I want or need from my existing saved files onto a CD and buy a new system.

You can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml ) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise itself by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge) so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external usb hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if its worth that risk.

• How and Where to backup your files in XP or Vista
• How to Backup and Restore in Windows 7
• How to use Ubuntu Live CD to Backup Files from your dead Windows Computer

Again, do not back up any files with the following file extensions: exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

Since this is the second of these "security" viruses that have attacked my system in a one-month period, I'm frankly frustrated that once fixed, I'll just be the target for another one again.

Please read How Malware Spreads - How did I get infected. That should explain the most common ways malware is contracted and spread.

Even more valuable information! The link on file extensions was especially helpful for future reference. You guys are my new Guardian Angels!

Morgan

I don't know if we rate high enough to classify as Guardian Angels, but we do try to help.

Back again, angels.

The XP Security System virus was successfully removed, BUT now I can't acceess any of the shortcuts from my desktop except for IE. When I try to start/all programs and try to open anything from there, I get the message:

C:\Windows\system32\rundll32.exe
APPLICATION NOT FOUND

If I click on a destop icon (except for IE), I get the OPEN WITH window, instead of the file opening automatically.

I've tried several fixes, using my lame skills, and have thereafter run complete scans (I use AVG), but the scan will start messaging "system locked" once it gets to programs. Well, they're obviously NOT "locked," or I wouldn't be able to access them at all. Right?

Since the virus (which I suspect is still there, behind bars but not dead yet) isn't prohibiting me from accessing the Internet, this is more of an annoyance than anything. To feel comfortable, I still use safe mode for most of my meanderings just in case, but I can't access my printer from there.

Your able assistance is one again required.

Some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is hidden piece of malware (i.e. rootkit) which has not been detected by your security tools that protects malicious files and registry keys so they cannot be permanently deleted. Other types of malware can even terminate your security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need you to create and post a DDS log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". If you cannot complete a step, then skip it and continue with the next. In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the Malware Response Team.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.