I'm working on a PC that was infected by XP Security 2011, and went through the "normal" steps to remove the infection. I have done the same on several other PCs infected by this virus, but this time it seems to have gotten a bit more advanced.
First, I logged on in Safe Mode under the Administrator account, used a Registry fix file to allow .exe files to run, ran a renamed rKill, then updated Malwarebytes and ran a full scan. I removed the selected items with Malwarebytes, rebooted in normal Windows mode, and repeated the process on the user account.
So, no more popups now from the fake Security Center, but there are a few lingering complications that I can't figure out. First, Avast keeps popping up a "Malicious URL Blocked" message, originating from C:\WINDOWS\System32\svchosts.exe; the URL it's directing to varies each time the popup is launched. Second, IE is still semi-hijacked: it keeps redirecting when clicking links from Google, and will not allow access to Microsoft Update. I am not able to turn on Automatic Updates either.
HijackThis log is attached. hijackthis.log