XP Security trojan/virus?

Hope someone can help with this!

When my son logs onto my PC on his own login, he has a very annoying XP Security popup that warns of various viruses etc, says it's running a scan and prevents him launching any programs, even when it's closed down.

I've done a full scan with McAfee, Malwarebytes etc, but nothing is found. I've spent a couple of hours googling and I'm absolutely overwhelmed by the amount of information on removing this nasty.

I'm a total PC numpty, so I'm very wary of trying any of the suggestions given.

Does anyone have any experience of this?

I could really use some help here!

Janet
 
You will need to tell us the exact name of whatever application pops up.
 
You need to get Malwarebytes software..... Don't know how much it is as I borrowed my mate's.... We got hit with the same virus yesterday and it infected 19 files.... try googling "Malwarebytes"
 
If you read the OP's post, you will see that she has already tried Malwarebytes ;)
 
Thanks guys! I'm currently running another scan...when that's done I'll log on as my son and get the exact name of the offending program.

Janet
 
I had something similar on a laptop someone asked me to sort out the virus on. It was in so deep the only way was a fresh install.

Yours might be easier to fix but as said above the exact text of any message or pop up is needed to identify it.

Whatever happens getting a backup of all the files on the computer would be a sensible thing to get done. If you have a recent backup from before the virus keep that safe and backup any newer files to something else.
 
It sounds like one of these fake AV scarewares. I have removed lots of them (work) and Malwarebytes has never failed yet.
 
It's probably not letting your Malwarebytes work properly - download rkill. Start the PC in safe mode with networking so you have internet access (press F8 on startup to get boot options).

Once into Windows run rkill; this stops any running malware processes. If a box pops up about rkill being a virus, ignore it, but leave the warning box open and run rkill again. It might take a minute, but a command window will open; just wait until it's done.

Now run Malwarebytes and update it - a quick scan is all you should now need to remove the malware.

If the downloaded version of rkill doesn't work, you can download other versions here - I've found the iexplore.exe version to be very successful - I just downloaded them all into a folder on my USB pen before trying any of them, so you have them all at hand if required.
 
You'll need to disable system restore before running anything.
 
I'm having an absolute nightmare of a time...my PC keeps shutting down...it loads up my screensaver and all my icons, and then when I try to select anything, just says bye-bye and switches off! It stopped half way through the scan that I was doing, then refused to play. I've since logged on no less than 19 times, each time with the same result...everything loads, then it just switches off.

I think I've cured it temporarily by the usual technical thing...I switched it off and then switched it on again, which seems to have worked (phew! what a relief!!!!) ...but for how long?

The program I was trying to remove was XP Total Security 2011, which also brings up a PC Repair Doctor page...I've taken some screenshots of the offending pages which I've saved as Word documents, but I can't figure out how to show them on here.

Sorry, but I'm not very good with this technical stuff!

Janet
 
Just do what I said above and it'll fix it.... switch off PC; switch on and keep pressing F8 until you get the boot options, then follow instructions above. :shrug:

Do you have another computer to download the rkill on?
 
Thanks Derek...I'll try that shortly.

One question though...I've had absolutely no problems on my own login and despite several scans and searches on my hard drive for known rogue file names, can't find anything relating to this XP Total Security. It's only when my son logs in on his account that it occurs.

Would simply deleting his user account get rid of it?

Janet
 
If it's only his that's the problem, deleting it and making him a new account might do it, although it's normally the computer that's infected, not a single user.... if he has files he wants to keep you'd need to copy them to a folder in your own account first, then scan the folder for possible nasties, and delete his account and associated files when prompted - nothing to lose by trying it.
 
Despite its gimmicky name I've found SuperAntiSpyware useful for removing nasties (free to download). It will also install & scan in safe mode (as will Malwarebytes) if you get the kind of spyware that stops you installing anything in normal mode.
Good luck removing it.
 
If it's only his that's the problem, deleting it and making him a new account might do it, although it's normally the computer that's infected, not a single user....

Thanks Derek...I understand what you're saying and I also thought it was the PC that was infected, but I can't find any references to this rogue program anywhere on my PC, despite several scans and searches for the relevant file names that I've found on Google. It's very scary, as I know it must be there somewhere...if he's getting these pop-ups then surely I should be getting them too if we're infected?

I thought McAfee was supposed to stop this sort of thing?

Janet
 
I'd do what Derek said, boot it into safe mode then run the scan.

Also bin off McAfee and install Avast, it's about the only antivirus that I've seen stop these. Even Microsoft Security Essentials let one through on the other half's mum's laptop.
 
Agree with Neil - the only AV/malware solutions I ever use now are Avast Free and Malwarebytes, and have had no problems on any systems they are on. Don't bother with bloated Internet Security suites, they just burn money and memory....
 
Have you tried a system restore to a previous date (before the virus appeared)?
 
Derek, I did all you suggested, but the problem was still there when I logged on with his ID, with the same annoying popups and no way of using any programs.

I've now deleted his account, run scans with Malwarebytes and McAfee and found no issues detected.

Do you think I'm now safe, or should I be scared?

Neil advised to get rid of McAfee...I'm not sure what to do. I've had absolutely no problems with McAfee over the past couple of years that I've been using it until today when my son told me of the problem he discovered last night.

I really find it very strange that it only happened on his login and not on mine also, as I thought if you were infected then it was the PC and not just the individual user?

I'm sure someone more technically minded than me will provide an explanation!

Janet
 
Deleting the user account will solve the problem. It's a pity you did this as it wasn't necessary :(

This is NOT a virus or Trojan but a fraud application. The fact it only appeared in one user account should have made this obvious. It was installed by the user clicking a link inviting it in. Then it invites the user to pay for some clean-up software. It also fashions itself on the OS installed. You saw XP Total Security but on another system it could have been Vista Total Security.

There's plenty of help via Google to get rid of it. The key to its removal is the file av.exe.

Kill the process av.exe. Search for and remove all instances of av.exe in the Registry, then find and remove av.exe itself.

There are apps out here that will do this for you.
 
This is NOT a virus or Trojan but a fraud application.

It doesn't matter what you want to call it, it's a form of malware/virus - Malwarebytes WILL remove this, but she needs to stop the process first by running rkill like I said earlier - Malwarebytes will then work as it should...
 
Too late now but you have to rename Malwarebytes then run it in safe mode to get rid of this stuff.
 
I had this as well. I did a deep scan that took about 37 hours to complete.
I used rkill, Malwarebytes, Kaspersky scan, CCleaner.
I now have the Microsoft security icon in the taskbar that I never had before, but not the dodgy one I hope.
 
Too late now but you have to rename Malwarebytes then run it in safe mode to get rid of this stuff.

I think that's a bit too far advanced for Janet....lol *sorry Janet, only kidding*

You could also download the portable version of SuperAntiSpyware (what a godawful name) and run that - it downloads as a .com file with a random prefix so that the nasties don't identify it....
 
Derek's advice is spot on but if malwarebytes either isn't working, or you think it's missing a piece of malware then you could also try Hitman Pro. The free scan should do the job.

I'd also recommend ditching McAfee - either Avira Antivir or Avast are much better and best of all, free :)
 
By the way, Superantispyware is falling way behind in the malware scanner stakes ;)
 
I think that's a bit too far advanced for Janet....lol *sorry Janet, only kidding*

You could also download the portable version of SuperAntiSpyware (what a godawful name) and run that - it downloads as a .com file with a random prefix so that the nasties don't identify it....

Aye, probably right but too late now in any case;)
 
Janet..... just as an aside, and regarding your McAfee. Most, if not all, antivirus programs won't pick up or stop the installation of things like this; it's kinda outside their remit. Where they excel is at infected files being present/accessed/transferred. You need a dedicated malware scanner like the ones mentioned above to prevent this kind of infection.
 
This is NOT a virus or Trojan but a fraud application. The fact it only appeared in one user account should have made this obvious.

I understand that, but whatever you choose to call it, it still blocked all access to any programs on his login. Call it what you like...it was a nasty piece of work...

Janet
 
I understand that, but whatever you choose to call it, it still blocked all access to any programs on his login. Call it what you like...it was a nasty piece of work...

Janet
And if that's all it was, a system restore to a point before you were infected would have sorted it... Only the third time I've said it in this thread ;)
 
who are you? :shrug:

lol :LOL: - you sound like that annoying little toad, Nikki, from Big Brother a few years back....

A system restore won't always fix these things, and it probably won't let you do it anyway.....
 
lol :LOL: - you sound like that annoying little toad, Nikki, from Big Brother a few years back....

A system restore won't always fix these things, and it probably won't let you do it anyway.....
You don't know that ;) :p especially if the program only boots on her son's login. If it is only on her son's account, it points to the program starting up either through his user registry settings or his Start->Startup folder. Restoring the system from a cold boot through Janet's account would mean the program wouldn't even have been started yet and a quick look through her son's startup folder would eliminate that as a source.

But it's all academic now anyway :D
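
The per-user startup locations named in the post above (the user's own registry settings and Startup folder) can be listed from another administrator account without logging in as the affected user. This is an added example, not part of the original thread: the profile path and mount name are placeholders, `av.exe` is the file name given earlier in the thread, and the script only reads and lists entries.

```powershell
# Added example: read-only audit of one user's autostart entries.
# Run from a different administrator account while the affected user is logged off.
$ProfilePath = 'C:\Documents and Settings\son'  # placeholder profile folder (XP layout)
$Mount       = 'HKU\AuditTemp'                  # arbitrary temporary mount name
$Needle      = 'av.exe'                         # file name given in the thread

# Load the offline per-user hive so it can be read without logging in as that user.
$hive = Join-Path $ProfilePath 'NTUSER.DAT'
& reg.exe load $Mount $hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load $hive (is the user still logged on?)" }

try {
    # 1. Per-user Run / RunOnce values: programs started at that user's logon.
    foreach ($sub in 'Run', 'RunOnce') {
        "--- $sub ---"
        & reg.exe query "$Mount\Software\Microsoft\Windows\CurrentVersion\$sub" 2>$null
    }

    # 2. Every value in the hive whose name or data mentions the file name.
    "--- values mentioning $Needle ---"
    $currentKey = ''
    & reg.exe query $Mount /s 2>$null | ForEach-Object {
        if ($_ -like 'HKEY_USERS\*') { $currentKey = $_ }
        elseif ($_ -like "*$Needle*") { "$currentKey :: $($_.Trim())" }
    }
}
finally {
    # Always release the hive so the profile is not left locked.
    & reg.exe unload $Mount | Out-Null
}

# 3. Per-user Startup folders (XP layout, then Vista-and-later layout).
$startupDirs = @(
    (Join-Path $ProfilePath 'Start Menu\Programs\Startup'),
    (Join-Path $ProfilePath 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup')
)
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Force | Select-Object FullName, Length, LastWriteTime
    }
}
```

An empty result from all three sections for one account and hits for another is consistent with what the thread describes: an entry that starts only at that user's logon.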
 
who are you? :shrug:
A song by The Who from 1978.


I assume we're playing "Here's the answer, now what's the question?" :p :D
 
I now have the Microsoft security icon in the taskbar that I never had before, but not the dodgy one I hope.

Oh dear...I have a Microsoft security icon also, but I don't know if it's always been there or not! It has popped up a couple of times over the past few days with the following message... (I managed to do a screenprint using Gadwin Printscreen - a handy little program that someone told me about yesterday)



I've checked my PC, and the box for automatic updates IS ticked....is this something else I should worry about? Honestly, I'm getting paranoid now!

Thanks to everyone who's helped, both on the forum and behind the scenes (you know who you are and you're an absolute star!) I think everything's more or less back to normal now.

I've also now got Malwarebytes running, and it's informed me that it's blocked several things this morning - all I was doing was looking at photos on Flickr...

I'm a bit worried about getting rid of McAfee and changing to Avast, so I think I'll wait until I can get my friendly tech guy to come and have a look, unless someone can assure me that it's something I can do myself? I'd be scared of stuffing something up! I won't be too happy about ditching McAfee after paying for it, but I'll do whatever it takes to stay safe and avoid this sort of problem again.

Once again, thanks!

Janet
 
Janet.....

Your security centre looks quite normal - it's in the taskbar due to the 'virus protection - not monitored' status. Just click the 'Change the way security centre alerts me' option at the left hand side and untick the warning options and it'll vanish from the taskbar.

The malwarebytes pop up is quite normal but can be annoying, so open Malwarebytes, click the protection tab, and untick the last option on the page about showing tooltip balloons to stop this from showing - it's just being a bit over enthusiastic about telling you everything it's doing.

Just keep the McAfee until it expires if you've paid for it, it'll do the basic job of file protection etc, good enough for you.

Automatic updates? I don't normally bother with them myself (if it's not broken, why fix it?) but they shouldn't do your system any harm. You certainly won't get any trojans/viruses from MS update, so leave it on if you wish.

Hopefully all is working fine now! :D (y)
 
Derek, you're an absolute angel...do you want to come and live with me?

I've done as you suggested, and the icon has now gone. I think I'll keep the Malwarebytes popup for the time being, as a reminder to be a bit more careful!

I've also noticed a few quarantined items in Malwarebytes...OK to just delete them?



Apart from the PC being horrendously slow to load anything this morning and the annoying popups which have now gone, yes, we seem to be working OK again!

I can't begin to tell you how grateful I am for all your help. I was at my wits' end yesterday!

Janet
 