Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


XP Security 2012 Virus

  • Please log in to reply
2 replies to this topic

#1 PatQ


  • Members
  • 1 posts
  • Local time:01:24 PM

Posted 17 August 2011 - 04:40 PM

First, I would like to thank the proprietors and members of this site; without your guidance and tools I would not have been able to rid myself of this nasty virus. I found this forum topic and this article particularly helpful. Because this virus so easily infected my computer (Win XP Pro Ver. 5.1.2600 SP 3 Build 2600; IE Ver. 8.0.6001.18702 Build 86001; Java Ver. 6 Update 21) and was so devastating, I am sharing my story as a cautionary tale. Also I used a slight variation on the removal instructions contained in the above forum topic and article to rid myself of this virus. I should also mention that my computer is running Kaspersky Anti-Virus 6 ( with an upto date database. Kaspersky completely failed to detect or protect my computer from this virus. For what it was worth, Kasperksy's event log noted the virus' attempt to infect Kaspersky and that Kaspersky's self-defense feature protected it. But this bit of protection was not worth much, since Kaspersky was wholly worthless in the prevention and removal of this virus.

This started yesterday morning when I was searching for information on a fireproof safe. I did a Google search for "Safe Reviews". In the top five search results was a site with the url "safesblog.com". This was the infected website. I clicked on the link in the Google search results and was taken to the site. This was all it took for the virus to infect my computer. Once the website loaded my computer was infected; there was no clicking a link, false dialog box, control or other action required. The first sign of the infection was a small shield icon with the four Windows colors in the System Tray. The icon presented a warning bubble with a fake virus warning. Almost immediately thereafter the fake virus scanning window appeared (a picture of this window can be found in the article cited above). The virus had already altered the registry to prevent Windows Explorer from launching any exe files. The default action for all exe files was "Open". Malware Bytes exe was disabled altogether (Not even an Open dialog). Internet Explorer was also hijacked so that it presented a "virus" warning page.

Fortunately, I had access to another computer and I was able to locate this site and its advice and tools. I downloaded those tools to a thumbdrive and proceeded with the following steps to get rid of the virus:

1. Download the files identified in the above-cited article including the FixNCR registry export, xp_exe_fix registry export, all flavors of the Rkill program, and the Malware Bytes installer. Preferably to a thumbdrive using another computer if you have that option.

2. Shut down the infected computer and re-boot in Windows Safe Mode (My computer is on a network that requires domain authentication, so I used Windows Safe Mode with Network Support).

3. Insert the thumbdrive with the removal tools into a USB port on the infected computer.

4. Using Windows Explorer navigate to the thumbdrive (Windows Explorer is not Internet Explorer, it is the window that shows files and folders that opens when you click on a folder or the My Computer icon, etc.)

5. Right-click on the xp_exe_fix file. On the pop-up menu that appears click on Merge. This will apply the fix to the Windows registry for the problem Windows Explorer is having running exe files. This fix will not resolve the problem until you reboot the computer -- BUT DO NOT DO THAT NOW -- REPEAT DO NOT REBOOT YOUR COMPUTER AT THIS POINT. Applying this fix at this point appeared to correct an issue with the Malware Bytes installer launching Malware Bytes after installing it.

6. Right-click on the FixNCR file. This will apply further repairs to the Windows registry.

7. (This is where I deviate from the prior instructions) Minimize the Explorer window showing your thumbdrive. Click on the Start Button. On the Start Menu click on Run. In the Run dialog box type "command" (do not type the quotations marks). This will launch the Command prompt (DOS prompt for those of you old enough to remember).

8. In the Command prompt navigate to your thumbdrive, in my case it was drive f:. Do this by typing "f:" (do not type the quotation marks -- this is also true for later typing instructions as well) at the prompt and hitting the Enter key on your keyboard. If you thumbdrive has a different drive letter use that letter instead. To confirm your in the right location type "dir" and hit the Enter key. This should show a listing of the files on your thumbdrive, including the various rkill programs and mbam-setup.

9. At the Command prompt type the name of one of the rkill programs. I found that I had to use one of the pseudonym files, and I ran it twice in a row. Once Rkill has finished running close its log window.

10. At the Command prompt type the name of the Malware Bytes install program -- the name will be mbam-setup followed by a version number, type it exactly as it appeared in the directory listing above. This will launch the Malware Bytes install program follow its instructions and make sure it is set to launch Malware Bytes after finishing the install. If you already have Malware Bytes installed on your computer and do not want to install it again, then in the Command prompt window navigate to the Malware Bytes program folder -- likely c:\progra~1\malwar~1 and type mbam.

11. Have Malware Bytes perform a full scan and remove the infected files it finds.

12. Once Malware Bytes is done you may reboot your computer in normal mode. The virus should now be gone.

When I rebooted I found a condition where Windows Automatic Update was turned off and it could not be turned back on. I assume this was some left over registry damage from the virus. I used Microsoft's Fix It utility to repair this issue (MS Knowledgebase Fix It).

I hope that nobody else has to deal with this virus. But if you do I hope the above is helpful. Also, stay away from the "safesblog.com" website like the plague (pun intended).

Pat Q.

p.s. If anyone knows of the vulnerability this virus exploits to load itself by simply navigating to a website, I would be interested in hearing about. I have not had the courage to venture back to the infected website with a newer version of Windows (Vista or 7) or Internet Explorer 9.

BC AdBot (Login to Remove)


#2 TSalarek


  • Members
  • 135 posts
  • Gender:Female
  • Location:Kentucky and Florida, USA
  • Local time:01:24 PM

Posted 17 August 2011 - 05:48 PM

it's called a "Drive by Download", no direct user action is required. Most commonly seen with out-dated plugins (usually Java and Flash).

You mentioned you have Java 6_21...you may want to update to the latest version (6_26 as of this posting). You can verify your version and get updated at http://www.java.com/en/download/installed.jsp?jre_version=1.6.0_26&vendor=Sun+Microsystems+Inc.&os=Windows+Vista&os_version=6.0

Also patch Flash, Shockwave, and Adobe reader at www.adobe.com and Quicktime (required for Shockwave) at www.quicktime.com

uncheck any offered bonus software and/or toolbars if offered by the installers.

prevention suggestion: if one of those funky screens pops up in the future do NOT click ANYWHERE on it (sometimes even x-ing out will install the malware). press ctrl-alt-del together, select Task Manager, select the application matching the name as displayed in the top of the offending window, click on "end". Run a full system scan to make sure you haven't been bitten and feel free to come back to BC if you have any doubts.

Edited by TSalarek, 17 August 2011 - 05:48 PM.

#3 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:12:24 PM

Posted 17 August 2011 - 07:27 PM

Hello, actually Java SE Runtime Environment (JRE) is nowVersion Number: 7.0 updated updated 07/28/11

Older versions have vulnerabilities that malicious sites can use to exploit and infect your system and they should be removed. :
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users