Hello there everyone, I need your immediate help. My relative's laptop just got infected by a rootkit in my opinion. He told me he was on a website and then the page just changed by itself and it took him to another page. Now here are the symptoms that I saw and what I did :

1. ) There was a balloon popup in the notification area of the system tray of the infamous XP Security tool coming up many times saying the computer was infected. | What I did --> I tried to open firefox to get windows defender as my relative didn't have it installed.

2. ) The "item" was preventing the OS from opening a browser. At first i kept trying to open it and when I tried to open IE 7 it would close it. And when I managed to open firefox after persistence, the "xp security tool" closed firefox and posted a dialog box saying that firefox was infected. | What I did --> I opened Task manager and closed the process which was running this "xp security tool".

After this the messages stopped popping up and then I could now open firefox and promptly downloaded Windows Defender. I downloaded it and scanned the computer but oddly enough, nothing was detected. Now after this "that xp security tool" has been preventing the computer from connecting to the wireless network we use. Every time now I even try to open the application which is a Dell Wireless tool, i get a notice saying the file rundll32.exe cannot be found. Now things get interesting after this.

That certain infection seems to have adapted to block connection. As i found it strange that no file was deleted by my relative and I cannot even connect to the internet. So I tried lookign around just seeing if I can spot some other symptoms. And very interestingly there are other symptoms as and here they are :

1. ) Everytime I try to open firefox or IE i get a dialog box asking me to select which application I would like to use to open firefox, so I choose firefoxon the list and then I get asked if I would like to save the application which was downloaded from "C:/windows..../firefox.exe . So i answer yes and I can open firefoxbut just to open any browser every time I have to do this.

2. ) I went to the Control panel to see if i can find what starnge software was installed in the list but I am not allowed to choose the "Install and Uninstall program" choice in the control panel. I get a message saying windows cannot locate the file rundll32.exe . So I have no access to that part of the system.

3. ) Windows defender cannot download the latest updates. When I open windows defender, I get a message at the top of windows defender in yellow saying Windows defender could not download updates and then I get this memory like address problem : 0x0000.... (I don'tknow it exactly). I have tried to google for info but oddly enough not anyone else has suffered these same symptoms.

So I need your help with that !! Please help !! I considered formatting the whole computer but I wanted that to be the last option as there are alot of files on there that may be of importance, maybe I am not sure. But this is it and so I ask you for help.

Oh and also, the system info is this :
- Windows Media center edition 2005
- 512 MB RAM
- Dell Inspiron

Thank you for reading this,
Jackson Konyango.

Hi, sorry you have waited so long for a response. Windows Defender is not the tool recommended to remove this XP Security infection, Malwarebytes' Anti-Malware is the one most recommended and the one most successful in doing so.
Follow these instructions from bleepingcomputer:

1.For the first part of this removal guide you will need to use a different computer than the infected one. This is also a tricky rogue to remove, so please follow the instructions carefully. If you are concerned about whether or not you can do this, do not be, as I have made these instructions easy to follow for people of any computer expertise.

2. From another computer, please download Malwarebytes' Anti-Malware, or MBAM, and the reg files from the following locations and save it to an external media such as an external hard drive or a USB flash drive. We will then use the external drive or flash drive to to transfer these files to your infected computer.

Malwarebytes' Anti-Malware Download Link

FixExe.reg
3. Once you have downloaded all the necessary files to a removable device, you need to plug it into your infected computer so it can access them.

4. On the infected computer make sure XP Internet Security 2010is running. If it is not, you can launch it by running any program on your computer as that will trigger the rogue program to run. Once running, do not close it during the entire length of this guide.
# Now open the drive that corresponds to the removable media that you copied the programs from step 2 onto. Once open, double-click on the FixExe.reg file. When Windows prompts whether or not you want to allow the data to be added to your computer, click on the Yes button.

5. Now you should be able to run the mbam-setup.exe file that you saved on your removable media in step 2. Double-click on this file to install MalwareBytes' on to your computer. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
6. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box
7. On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning.
When the scan is complete, click OK, then Show Results to view the results.
You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so.

Once your computer has rebooted please post back here with the log which can be found in the program within the Logs tab. Simply double click that log and copy/paste that log here into a reply.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.