Missus Miss_Sellaneus
asked on
Need to remove 'Win 7 Security 2011' virus from Sony Vaio

I placed an ad in a local newsletter and got a paying tech support project, yea! I'm taking on the task of removing this 'Win 7 Security 2011' from a Sony Vaio. He has Kaspersky on here and supposedly he's kept it up to date, but he was still infected.

I found a link that says this can be removed simply by ending some tasks, deleting the application from command prompt and deleting some registry entries. But the instructions don't give me the names of the tasks to end or the name of the application. Apparently the tasks and the application are given random names. (http://www.remove-virus.net/win-7-security-2011/).

How can I safely remove this virus?

If I need to run any outside tools I'll need to burn them to a CD. (can't find usb stick)  So I'd prefer a solution that I can do without downloading a removal tool.

I'm unfamiliar with Windows 7, so you may need to explain how to find things on here!
Member_2_957366

Try this http://www.virusremovalguru.com/?p=6901.

Also, if your Internet is working, download http://www.malwarebytes.org/ and install on the machine and then scan it.
Amick
Kaspersky should remove it as well, but you must do a deep scan.

Also see:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue%3aWin32%2fDefmid

BUT REMEMBER it is not going to be completely removed with a quick scan.
ASKER CERTIFIED SOLUTION
younghv
This solution is only available to members.
Missus Miss_Sellaneus
ASKER
Amick,

In Kaspersky Anti-Virus 2011, if I select Scan, I have 2 options, "Run Full Scan" and "Run Critical Areas Scan". Both of those scans were run yesterday and didn't find anything.
@hunart,
The recommendation in the link you posted to run the repairs in "Safe Mode" is not only incorrect, it is probably impossible.

One of the registry changes this infection makes is to disable "Safe Mode" booting.

I generally find it best to only offer advice that I have personally used - and know to work.
Miss_Sellaneus,
You are not going to be able to repair this infection with an anti-virus program.
You need to use the tools developed to help - and "Kaspersky" is not going to do the job.

The three tools mentioned can all be downloaded and burned to CD - and use this to manually download the updater tool for Malwarebytes.

http://data.mbamupdates.com/tools/mbam-rules.exe
Did you update the Kaspersky sig file before running the scans?

I recently removed this for a friend with Microsoft Security Essentials, because that is what she had on her computer. It required the latest update and a deep scan, but the problem was solved and it has not returned. I doubt that Kaspersky can't fix what Microsoft can. Most of the anti-virus vendors share information in order to provide the most complete coverage to emerging threats.
One point that may matter is that you should run your deep scan from an account other than the one that was infected.

To add to the suggestions of alternative programs, http://www.pcrisk.com/removal-guides/5943-internet-defender-removal has a removal tool, and Microsoft has tools that are referenced at the bottom of the encyclopedia article I referenced in my first post.

This can be a very difficult bug, so good luck.
Actually, this is not a very difficult bug.
It is one of the "name changers" and the three steps for repairing this are well documented.

Kaspersky is NOT going to repair this. It can't correct the registry modifications that have been made, nor stop the rogue processes that are running.

The steps outlined in my first post are a well-known and well-tested procedure for making this repair.
@younghv -
Per the instructions on your link, I ran FixCNR and RKill without a problem.

But I have a problem with Malwarebytes. I downloaded it to a smartcard and installed onto the laptop.

After installing Malwarebytes on the laptop, I receive the message:

"The database is outdated by 111 days."

I cannot connect to the internet from the laptop, therefore I cannot update the Malwarebytes database.
"and use this to manually download the updater tool for Malwarebytes.
http://data.mbamupdates.com/tools/mbam-rules.exe "

Go ahead and use your smartcard (USB/thumb drive?) to download on a clean computer, then copy it to the desktop of the infected one.

Just double-left-click on it after it is copied over.
@younghv,
Sorry, you mentioned that earlier, I should have noticed.  Smartcard, I thought that was what it's called, it might be, but it says CompactFlash on it.  It's an old camera card which is now in a USB reader.  It came in handy, as I can't find my USB stick and don't want to burn a CD.

The scan is running now........  hope it works.
"Full Scan" (I hope)...the default is "Quick Scan".
If you have started the Quick - no big deal.
Either let it finish, then do a Full - or stop it and re-start.
Your call.

Smart move to use the CompactFlash - I wouldn't have thought of that.
Oh, and for the record...the absolute best way to copy files from a clean computer to an infected one is via a CD.

The various USB externals are subject to infection fairly easily and CDs are not.
[Just thought I would mention that :)]
Yes, I ran the full scan. It just finished. It didn't find anything! What now? I'm reluctant to reboot.

Post the logs from RogueKiller or Rkill and Malwarebytes.
Testing post
Not sure what happened, but I was getting an error message every time I tried to post.

OK...

Have you deleted this file:
C:\Users\mike\AppData\Local\dkq.exe

That appears to be the culprit.

MBAM should have found "Trojan.FakeAlert" - and identified that file for removal.

If you have to, manually delete it - then reboot and see if you still get the pop-up.

Sorry for the delay.
I went out to command prompt to that folder.  It's hidden.  "attrib dkq.exe" does show the file and it's SH, but when I use "attrib -h-s dkq.exe", I get "invalid switch". How do I delete it?
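The artifact described in this thread is a single hidden, system-flagged .exe with a short random name dropped directly into a user's AppData\Local (here C:\Users\mike\AppData\Local\dkq.exe). The following PowerShell script is an added triage check written for this page, not the thread's own answer or a Malwarebytes tool: it searches every profile's AppData\Local for such files, reports their hash and signature status so they can be checked against a scanner, and optionally clears the Hidden/System attributes, which is what the cmd.exe form `attrib -h -s dkq.exe` (switches separated by spaces) does. The two-to-four-letter name pattern is an assumption drawn from the one sample in the thread; PowerShell 4 or later is assumed for Get-FileHash.

```powershell
# Added triage script (not from the thread). Assumes the rogue drops one hidden+system
# .exe with a short random name directly in AppData\Local, as with dkq.exe above.
# Run as Administrator on the affected machine; PowerShell 4+ for Get-FileHash.
param(
    [switch]$Unhide   # clear Hidden/System so the file can be inspected or deleted
)

$hits = @()
$profiles = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue

foreach ($p in $profiles) {
    $local = Join-Path $p.FullName 'AppData\Local'
    if (-not (Test-Path $local)) { continue }

    # -Force is required: without it Get-ChildItem silently skips Hidden/System entries.
    Get-ChildItem -Path $local -File -Force -Filter '*.exe' -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
            ($_.Attributes -band [IO.FileAttributes]::System) -and
            $_.BaseName -match '^[a-z]{2,4}$'     # short random name, e.g. dkq (assumption)
        } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $hits += [pscustomobject]@{
                Path      = $_.FullName
                SizeKB    = [math]::Round($_.Length / 1KB, 1)
                Modified  = $_.LastWriteTime
                Signature = $sig.Status   # legitimate installs are rarely unsigned here
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if (-not $hits) {
    Write-Host 'No hidden+system short-named .exe found in any AppData\Local.'
    return
}
$hits | Format-Table -AutoSize

if ($Unhide) {
    foreach ($h in $hits) {
        # Same effect as  attrib -h -s <file>  in cmd.exe; the file can then be removed
        # with Remove-Item (or del) once a scanner confirms it is the rogue.
        Set-ItemProperty -Path $h.Path -Name Attributes -Value ([IO.FileAttributes]::Archive)
        Write-Host "Cleared Hidden/System on $($h.Path)"
    }
}
```

Review the listing before using -Unhide: a hit is a candidate for a scanner check, not proof of infection.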
SOLUTION
This solution is only available to members.
Removed. Thanks.
DrU - thanks for covering for me on the attrib question.
Miss_Sellaneus -
I see that you have closed this question.
Are you sure that the symptoms are all gone?
You've re-booted the computer and accessed various applications - and the Internet with no problem?
No problem... Always happy to help.
Yes, I rebooted, all appeared well, just couldn't connect here at home, but I thought that might have to do with his settings being incompatible with the network here. I took it to my customer's home, he got online with no problem. Got my requested rate plus a tip! :-)
OK - thank you for confirming.