Help to remove XP Antispyware 2011

Posted on 2011-04-18
Last Modified: 2012-08-13
I have now three computers that are infected at three different customers of mine.

So far I have not been successful in finding anything to remove XP Antispyware 2011.

I tried SpyHunter recommended here http://www.wiki-security.com/wiki/Parasite/XPAntispyware2011 but it does not work.

Tried this link to manually remove XP Antispyware 2011 and I can't find the files that it suggests to remove
http://www.2-spyware.com/remove-xp-antispyware-2011.html

I have not tried the tool on the above site as I'm not sure if it is safe.

Does anyone have a suggestion for how to remove XP Antispyware 2011?

Two sites are protected by Trend WFBS and one is protected by Apanda. All three sites have an Untangle firewall installed with the paid subscription and somehow XP Antispyware 2011 made it into the network.
Question by:Gerhardpet
21 Comments
 
LVL 3

Expert Comment

by:TheTechMan
ID: 35419108
Use Task Manager (Ctrl-Shift-Esc) to find the 'Process' that looks odd (bunch of letters, such as 'xdflksrifj.exe'), then stop this process.  Find this file, and delete.  Also, delete the AntiSpyware folder created on your drive.  Lastly, clear out your Temp files (I use the free app SpybotSD with a lot of success, at http://safer-networking.org, to do this and clear spyware).
 
LVL 11

Expert Comment

by:yarwell
ID: 35419141
I tend to go at these manually, boot into Safe Mode and use sysinternals autoruns.exe to list startup items where you can usually find the offending item, deselect it from running and go delete the files and/or folders still in safe mode.

Some of these programs are evident as desktop shortcuts, icons on the start menu or folders in Program Files which makes it easier. Otherwise you'll be looking in Temp files and Program Data and the like for the guilty party.

Once you stop the malware from starting up you can reboot and use the usual tools to check there are no other problems.
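
One way to do the triage the two comments above describe (odd process names, startup items running from Temp or similar folders) over an Autoruns CSV export, as an added example that is not part of the thread. The column names and the three rows are constructed assumptions (Autoruns' real export columns vary by version); the rogue entry reuses the random-letter name quoted above and its Temp path is made up.

```python
import csv
import io

# Constructed sample of an Autoruns CSV export. The column set is an
# assumption; the rogue entry copies the random-letter name from the
# thread and the Temp path under the user's profile is made up.
SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Image Path
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,ctfmon.exe,enabled,Logon,CTF Loader,(Verified) Microsoft Windows,c:\windows\system32\ctfmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,ExampleAgent,enabled,Logon,Example Agent,(Not verified) Example Vendor,c:\program files\example vendor\agent.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,xdflksrifj,enabled,Logon,,(Not verified),c:\documents and settings\user\local settings\temp\xdflksrifj.exe
"""

# Folders a legitimate startup item rarely runs from (XP and Vista+ names).
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\",
                "\\appdata\\", "\\programdata\\")


def looks_random(filename: str) -> bool:
    """Flag the 'bunch of letters' names the thread describes: a long,
    letters-only stem with almost no vowels."""
    stem = filename.lower().rsplit(".", 1)[0]
    if len(stem) < 8 or not stem.isalpha():
        return False
    vowels = sum(stem.count(v) for v in "aeiou")
    return vowels / len(stem) < 0.25


def triage(csv_text: str) -> list:
    """Return the suspicious autorun entries, most reasons first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Image Path"].lower()
        reasons = []
        if any(d in path for d in SUSPECT_DIRS):
            reasons.append("runs from a temp/user-data folder")
        if looks_random(path.rsplit("\\", 1)[-1]):
            reasons.append("random-looking file name")
        if not row["Signer"].lower().startswith("(verified)"):
            reasons.append("publisher not verified")
        if reasons:
            findings.append({"entry": row["Entry"], "location": row["Entry Location"],
                             "image": row["Image Path"], "reasons": reasons})
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CSV):
        print(f"{len(f['reasons'])} {f['entry']:<14} {f['image']}  <- {', '.join(f['reasons'])}")
```

An unverified signer alone (the constructed vendor agent) ranks low; the entry that combines all three signals is the one to disable in Autoruns and inspect on disk.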
 
LVL 1

Author Comment

by:Gerhardpet
ID: 35419168
There is no XP Antispyware 2011 folder that I can find on the drive.
Nothing under processes that looks like a file with a bunch of letters.

The one computer is completely hijacked...I can't open any programs or download anything.
 
LVL 23

Expert Comment

by:Brian Gee
ID: 35419169
Here are some instructions to remove this malware infection...

http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011

It does involve downloading and running Malwarebytes amongst other tools.
 
LVL 38

Expert Comment

by:younghv
ID: 35419226
Download the tools you need to a clean computer and burn them to CD or USB stick.

Follow the instructions "yobri" linked to and review the details in this EE Article:

http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)

When your system gets hijacked to the point where you can't do basic functions, you need something that will stop the "Rogue" processes.

RogueKiller, Rkill or TheKiller will all perform that function.

About TheKiller
• Download TheKiller to your Desktop
http://www.osvemu.com/thekiller/explorer.exe

• Note that TheKiller is renamed as explorer.exe
• Run it by double click
• Press OK button after program finish
• Do not restart your system after this step, but immediately run the next scan: MalwareBytes, TDSSKiller - and post the logs that are generated.

We may ask you to run HitmanPro and Combofix also.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 35420646
Use TheKiller to kill processes before running other apps. Download the tools using another PC.

I wouldn't recommend HitmanPro at the moment.... Combofix as already suggested is a better choice.
Just run it once and attach the log.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Download and run it from your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts. Only run ComboFix once.

When finished, it will produce a log. Please save that log and attach it in your next reply.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
LVL 8

Expert Comment

by:stevepcguy
ID: 35428987
One suggestion I did not see was to get one of the infected drives, remove it from the system, and slave it to a good system. Then you can scan it using malwarebytes or similar software.

After doing the initial scan and "stopping the bleeding" as younghv would say, then you can try putting the drive back in the original system and booting from a CD or flash drive. Finally, you will need to boot from the hard drive and run a malwarebytes scan to clean out the registry.
 
LVL 38

Expert Comment

by:younghv
ID: 35429115
@stevepcguy,
The reason you won't see that "Slave" recommendation here is that modifying/deleting files while the Windows OS is not running CAN create an unbootable system.

It may be one of those 'kitchen sink' things we all try when nothing else works, but this is a very well-known chunk of malware and the Asker has been given the step-by-step instructions for effecting the repair.
 
LVL 8

Expert Comment

by:stevepcguy
ID: 35429194
@Younghv:

Thanks. I've had a lot of success using the "slave" option and never created an unbootable HDD yet, but I'm always looking for best practices. I'll put those steps in my notes and use them next time.
 
LVL 11

Expert Comment

by:yarwell
ID: 35432940
Can you not open programs in Safe Mode?
 
LVL 38

Expert Comment

by:younghv
ID: 35432974
@yarwell,
There is no need for "Safe Mode" to be used in repairing this infection - and there almost never is.

The tools designed to fix these problems are all developed to be run in "Normal Mode".
 
LVL 1

Accepted Solution

by:Gerhardpet (earned 0 total points)
ID: 35436173
I used UBCDWIN4 to boot and then ran Spybot SD which did the trick.

After that I had to delete the user profile because Internet Explorer did not work anymore.

I created a new profile. No more pop ups after that.
 
LVL 38

Expert Comment

by:younghv
ID: 35436366
@Gerhardpet,
The method you describe did not "do the trick".
The reason Internet Explorer did not work is because "SpyBot" cannot repair this infection.

You were given the exact instructions for how to correct this situation and - for whatever reason - you decided to ignore the Experts telling you the proper way to address this.

I don't object to your closing this out, but future readers should understand clearly that UBCDWIN4 and Spybot SD are not the solution to be used.
 
LVL 1

Author Comment

by:Gerhardpet
ID: 35436409
Well it did work for me. I already had 2 computers infected and both are ok now. Spybot even listed the malware as
Antispyware 2011
To use the UBCDWIN4 was recommended to me in another forum.

All I was looking for is an easy way to fix this.
 
LVL 1

Author Comment

by:Gerhardpet
ID: 35436785
@younghv
My question is...how do you know that UBCDWIN4 with SpyBot cannot fix XP Antispyware 2011?

Have you tried it without success?
 
LVL 38

Expert Comment

by:younghv
ID: 35436977
You and anyone else using "Boot CD's" are one system file modification away from having an unbootable computer.

No one should be using them unless all other efforts have failed.

As far as how do I know it didn't work?
Simple - it is in your own closing comment:

"After that I had to delete the user profile because Internet Explorer did not work anymore.
I created a new profile. No more pop ups after that "

If you had properly repaired the infection (as instructed here):

1. Internet Explorer would have worked;
2. You would not have had to delete the old profile; and
3. You would not have had to create a new profile.

I have no way of knowing what "other" forum you are relying on, but the advice you're getting is not at the level you will get here on EE.

And one more thing - the director of research at SpyBot contacted me a couple of months ago and offered me some special incentives if I would start using (and recommending) SpyBot.

I posed some very simple questions for him about how SpyBot works compared to Malwarebytes and he (and the President of SpyBot) never responded.

Anyone who thinks SpyBot is in the same class as Malwarebytes simply doesn't know what they're talking about.
 
LVL 1

Author Comment

by:Gerhardpet
ID: 35437048
What is your affiliation to Malwarebytes?

I have had great success with Boot CD's before and I will continue to use them.

And if you can prove to me that SpyBot does not work I will consider it. I'm asking you to try it and not base it on another source...

As far as having an unbootable PC, I can fix that with the Windows repair option from the install CD, which I have already done numerous times.
 
LVL 38

Expert Comment

by:younghv
ID: 35437123
I have no affiliation of any kind with Malwarebytes - or any other developer.
My only goal here is to provide the best advice I can for members of Experts-Exchange.

You obviously have your own way of doing things, so I will go my own way and you can go yours.

/unsubscribe
 
LVL 11

Expert Comment

by:yarwell
ID: 35440160
@younghv, the author wrote "I can't open any programs or download anything"

so I suggested Safe Mode to get to a point where tools could be run in normal mode.

See you next Tuesday.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 35440175
"To use the UBCDWIN4 was recommended to me in another forum"

Actually, there isn't any reputable help-support forum that would actually suggest that unless it's the last option.

I concur with younghv, the simplest way to remove this infection would've been what's stated in Bleepingcomputer's 'name-changing' rogue tutorial.
Every malware expert, malware analyst and anti-malware developer will advise cleaning infected PCs within Windows and in normal mode, as tools these days are optimized to run from normal mode.
BootCDs are only suggested when all options have been exhausted, usually when the PC can no longer boot.

The infection may have been neutralized and the symptoms gone but that doesn't necessarily mean the system is clean. The fact that IE wasn't working properly afterwards proves that Spybot wasn't successful in completely cleaning the infection as younghv mentioned.

I guess you're accustomed to using BootCD in removing viruses....that way you don't have to know what kind of infections you're dealing with, and with the downside of making the PC unbootable you already have plan B to implement. That may be the long way home and more risky but if it works for you then good luck.
 
LVL 1

Author Closing Comment

by:Gerhardpet
ID: 35458553
Solved it with UBCDWIN4