Page 1 of 1

Remove Security Essentials 2011 malware

PostPosted: Sat Jan 22, 2011 7:32 pm
by stephen
I had a PC that was infected with Security Essentials 2011
It is a fake anti-virus which scans your computer and reports fake virus warnings and then wants you to buy.
It installs a rootkit file in c:\Documents and Settings\All Users\Application Data it is a folder with a randomly generated name and in the folder is an executable file of the same name as the folder. This directory and file cannot be removed.

How I fixed the virus infection,
1. Remove the Hard Disk and go to another working PC
2. On this other PC install Acronis backup software
3. Perform a backup of the infected disk Using the Backup My Disks otion and specify the acronis backup file to a drive which has enough free space to hold the image of the infected disk. If you do not have any free disk space, then find a hard drive that has space, it can be an external USB drive,

4. Perform a diagnostic format of the infected disk eg on my Western Digital Disk I downloaded the Western Digital Diagnostic program and wrote zeros to start and end of disk.
5. Use Acronois to restore from the backup file to the now original disk which you just formated.
6. After the restore browse to the \Documents and Settings\All Users\Application Data and delete the folders with the names like fKpOp01843 These are the folders where the virus exists.
7. Now return the restored drive back to the original PC and you will have removed the Security Essentials 2011 fake anti-virus program.

Notes.
I found that if I did not zero fill the infected drive with the Hard Drive Diagnostic Program, then after I restored the backup the drive would not boot as it reported errors. (Possibly because of the rootkit virus infection)

I actually tested the process by using a new disk to restore from backup to verify that it would work, which it did perfectly. Then when I used the infected disk to do the restore that is when I found that I needed to do a diagnostic format, to clear the infected disk before the restore.