Need to remove 'Win 7 Security 2011' virus from Sony Vaio

I placed an ad in a local newsletter and got a paying tech support project, yea! I'm taking on the task of removing this 'Win 7 Security 2011' from a Sony Vaio. He has Kaspersky on here and supposedly he's kept it up to date, but he was still infected.

I found a link that says this can be removed simply by ending some tasks, deleting the application from command prompt and deleting some registry entries. But the instructions don't give me the names of the tasks to end or the name of the application. Apparently the tasks and the application are given random names. (http://www.remove-virus.net/win-7-security-2011/).

How can I safely remove this virus?

If I need to run any outside tools I'll need to burn them to a CD (can't find a USB stick), so I'd prefer a solution that I can do without downloading a removal tool.

I'm unfamiliar with Windows 7, so you may need to explain how to find things on here!
Missus Miss_Sellaneus (Author) asked:
hunart commented:
Try this http://www.virusremovalguru.com/?p=6901.

Also, if your Internet is working, download http://www.malwarebytes.org/ and install on the machine and then scan it.
Amick commented:
Kaspersky should remove it as well, but you must do a deep scan.

Also see:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue%3aWin32%2fDefmid

BUT REMEMBER it is not going to be completely removed with a quick scan.
younghv commented:
Before starting the repair, you have to effect some registry changes, then run a 'rogue process' stopper, then Malwarebytes.

Read the instructions at these links:
http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011

EE Articles:
http://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)

Missus Miss_Sellaneus (Author) commented:
Amick,

In Kaspersky Anti-Virus 2011, if I select Scan, I have 2 options, "Run Full Scan" and "Run Critical Areas Scan". Both of those scans were run yesterday and didn't find anything.
younghv commented:
@hunart,
The recommendation in the link you posted to run the repairs in "Safe Mode" is not only incorrect, it is probably impossible.

One of the registry changes this infection makes is to disable "Safe Mode" booting.

I generally find it best to only offer advice that I have personally used - and know to work.
younghv commented:
Miss_Sellaneus,
You are not going to be able to repair this infection with an anti-virus program.
You need to use the tools developed to help - and "Kaspersky" is not going to do the job.

The three tools mentioned can all be downloaded and burned to CD - and use this to manually download the updater tool for Malwarebytes.

http://data.mbamupdates.com/tools/mbam-rules.exe
Amick commented:
Did you update the Kaspersky sig file before running the scans?

I recently removed this for a friend with Microsoft Security Essentials, because that is what she had on her computer. It required the latest update and a deep scan, but the problem was solved and it has not returned. I doubt that Kaspersky can't fix what Microsoft can. Most of the anti-virus vendors share information in order to provide the most complete coverage to emerging threats.
Amick commented:
One point that may matter is that you should run your deep scan from an account other than the one that was infected.

To add to the suggestions of alternative programs, http://www.pcrisk.com/removal-guides/5943-internet-defender-removal has a removal tool, and Microsoft has tools that are referenced at the bottom of the encyclopedia article I referenced in my first post.

This can be a very difficult bug, so good luck.
younghv commented:
Actually, this is not a very difficult bug.
It is one of the "name changers" and the three steps for repairing this are well documented.

Kaspersky is NOT going to repair this. It can't correct the registry modifications that have been made, nor stop the rogue processes that are running.

The steps outlined in my first post are a well-known and well-tested procedure for making this repair.
Missus Miss_Sellaneus (Author) commented:
@younghv -
Per the instructions on your link, I ran FixCNR and RKill without a problem.

But I have a problem with Malwarebytes. I downloaded it to a smartcard and installed onto the laptop.

After installing Malwarebytes on the laptop, I receive the message:

"The database is outdated by 111 days."

I cannot connect to the internet from the laptop, therefore I cannot update the Malwarebytes database.
younghv commented:
"and use this to manually download the updater tool for Malwarebytes.
http://data.mbamupdates.com/tools/mbam-rules.exe "

Go ahead and use your smartcard (USB/thumb drive?) to download on a clean computer, then copy it to the desktop of the infected one.

Just double-left-click on it after it is copied over.
Missus Miss_Sellaneus (Author) commented:
@younghv,
Sorry, you mentioned that earlier, I should have noticed.  Smartcard, I thought that was what it's called, it might be, but it says CompactFlash on it.  It's an old camera card which is now in a USB reader.  It came in handy, as I can't find my USB stick and don't want to burn a CD.

The scan is running now........  hope it works.
younghv commented:
"Full Scan" (I hope)...the default is "Quick Scan".
If you have started the Quick - no big deal.
Either let it finish, then do a Full - or stop it and re-start.
Your call.

Smart move to use the CompactFlash - I wouldn't have thought of that.
younghv commented:
Oh, and for the record...the absolute best way to copy files from a clean computer to an infected one is via a CD.

The various USB externals are subject to infection fairly easily and CD's are not.
[Just thought I would mention that :)]
Missus Miss_Sellaneus (Author) commented:
Yes, I ran the full scan. It just finished. It didn't find anything! What now? I'm reluctant to reboot.
younghv commented:
Post the logs from RogueKiller or Rkill and Malwarebytes.
Missus Miss_Sellaneus (Author) commented:
Missus Miss_Sellaneus (Author) commented:
younghv commented:
Testing post
younghv commented:
Not sure what happened, but I was getting an error message every time I tried to post.

OK...

Have you deleted this file:
C:\Users\mike\AppData\Local\dkq.exe

That appears to be the culprit.

MBAM should have found "Trojan.FakeAlert" - and identified that file for removal.

If you have to, manually delete it - then reboot and see if you still get the pop-up.

Sorry for the delay.
Missus Miss_Sellaneus (Author) commented:
I went out to command prompt to that folder.  It's hidden.  "attrib dkq.exe" does show the file and it's SH, but when I use "attrib -h-s dkq.exe", I get "invalid switch". How do I delete it?
Justin Owens (ITIL Problem Manager) commented:
Put a space between the switches and the file name first:

attrib dkq.exe -s -h

DrU
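Added example, not code from the thread or from any of the tools named in it: a PowerShell function for the person doing this clean-up that lists executables carrying the Hidden+System attributes directly under each user's AppData\Local (where the dkq.exe above was found), records each file's SHA-256 for the customer's report before anything is deleted, and with -Remove clears the attributes (the attrib -s -h step) and deletes the file. The profile root C:\Users, the function name and the -Remove switch are assumptions of this example.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt
# after the rogue process has been stopped (RKill step): a file still held
# open by a running process cannot be deleted, and Remove-Item will report that.
function Find-HiddenAppDataExe {
    [CmdletBinding()]
    param(
        [string]$UsersRoot = 'C:\Users',   # assumption: default profile root
        [switch]$Remove                    # report only unless this is given
    )
    $mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    foreach ($profile in Get-ChildItem -LiteralPath $UsersRoot -Directory -Force) {
        $local = Join-Path $profile.FullName 'AppData\Local'
        if (-not (Test-Path -LiteralPath $local)) { continue }
        # -Force is required: without it hidden/system files are not listed at all,
        # which is why a plain 'dir' in the thread did not show dkq.exe.
        foreach ($exe in Get-ChildItem -LiteralPath $local -File -Force -Filter '*.exe') {
            if (($exe.Attributes -band $mask) -ne $mask) { continue }
            # Hash before touching the file so the report survives the deletion.
            $hash = (Get-FileHash -LiteralPath $exe.FullName -Algorithm SHA256).Hash
            $record = [pscustomobject]@{
                Path    = $exe.FullName
                Size    = $exe.Length
                SHA256  = $hash
                Removed = $false
            }
            if ($Remove) {
                # Same effect as 'attrib -s -h <file>': clear the two bits, keep the rest.
                $exe.Attributes = $exe.Attributes -band (-bnot $mask)
                Remove-Item -LiteralPath $exe.FullName -Force
                $record.Removed = -not (Test-Path -LiteralPath $exe.FullName)
            }
            $record
        }
    }
}

# Usage: review the report first; remove only once each listed file is confirmed bad.
Find-HiddenAppDataExe | Format-Table -AutoSize
# Find-HiddenAppDataExe -Remove | Format-Table -AutoSize
```

Legitimate software rarely drops a Hidden+System executable directly in AppData\Local, but the report step exists so each hit is checked (publisher, hash lookup) before -Remove is used.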
Missus Miss_Sellaneus (Author) commented:
Removed. Thanks.
younghv commented:
DrU - thanks for covering for me on the attrib question.
younghv commented:
Miss_Sellaneus -
I see that you have closed this question.
Are you sure that the symptoms are all gone?
You've re-booted the computer and accessed various applications - and the Internet with no problem?
Justin Owens (ITIL Problem Manager) commented:
No problem... Always happy to help.
Missus Miss_Sellaneus (Author) commented:
Yes, I rebooted, all appeared well, just couldn't connect here at home, but I thought that might have to do with his settings being incompatible with the network here. I took it to my customer's home, he got online with no problem. Got my requested rate plus a tip! :-)
younghv commented:
OK - thank you for confirming.