BleepingComputer.com: After-effects of XP security tool 2010

Hello,

My computer (Windows XP) was infected with XP Security tool 2010 and I removed it following the instructions posted at: http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010.

However, after removing the infection my internet browsers (Internet Explorer and Mozilla Firefox) and many other applications (including Microsoft Word) stopped working properly. From the administrator account, some of them work (for example, I can use Microsoft Word) but it seems none of the .exe files can be run from a non-administrator user account.

So, I tried to fix the problem (without any success) using the instructions at:
http://www.malwarehelp.org/xp-security-tool-2010-analysis-and-removal-2010.html

More specifically, I applied the following steps (this is from the above web link):

XP Security Tool 2010 Removal (How to remove XP Security Tool 2010)
When removed improperly, the left over registry entries messes up the opening of .exe files.

Use an alternate browser like Chrome to download the following or use a removable drive to transfer them to the affected computer:

1.Right click and save the registry file trojan_fakerean_exe_fix.reg, make sure that you are saving the file with a .reg extension.
2.MalwareBytes’s Anti-Malware
■ Double click to run the downloaded (trojan_fakerean_exe_fix.reg) registry file, Click Yes to merge the registry data. This will delete the offending registry keys blocking the .exe files.
■ Install and run MalwareBytes’s Anti-Malware. Go to the Update tab and check for updates. Once the update is completed, open the Scanner tab and choose a full-scan. Once the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.
■ Turn System Restore off and on


Can anyone offer further help on fixing my problem?

See this:

http://filext.com/faq/broken_exe_association.php

You are probably seeing the effects of when a rogue tries to make you use a proxy server to go on the internet so that your browser will only go to specified sites. to fix this, in internet explorer, go to tools, internet options, connection settings, local lan, and uncheck use a proxy server for the lan. In firefox, go to connection, and find where it says proxy server, and say use no proxy. Then close and reopen firefox. You might have to repair the homepage of firefox by going to the general tab and typing in the address. For the registry settings in that your associations are messed up (which I believe they are for Win32/FakeRean maps the .exe file extension to itself so that all you can do is run the rogue), you're going to have to google Windows XP .exe file association fix, and mre than likely, you'll land on a site where you can download a file with the correct association. It will be another .reg file. Hope this helps.

Chromebuster

Budapest, on 10 March 2011 - 05:38 PM, said:

I changed the computer registry according to the instructions of the above website . However, although the registry file was merged successfully (and the lnk extension added to file types from 'My Computer'), the problem has not been fixed.

(I do not know if it is relevant to mention that on restarting the computer after the fixes, I find the lnk is still not listed in the list of extensions in the File Types of 'My Computer')

http://windowsxp.mvps.org/exefile.htm

Budapest, on 11 March 2011 - 01:10 AM, said:

I tried the above and it worked. All .exe applications are running. The only problem left was that the shortcut to Internet Explorer from the Start button (Start - Internet Explorer) was not opening the browser. However, the browser was working when I was opening it from the program list. So, I launched the browser from the program list (All Programs - Internet Explorer), deleted the old shortcut and replaced it with a new one (which is working fine). Mozilla Firefox did not show this problem and was ok immediately after applying the suggested fix.

Thank you very much for helping me with this issue.

Is there something else that I should do now to remove any potentially hidden problem?

Please download and scan with SUPERAntiSpyware Free

• Double-click SUPERAntiSypware.exe and use the default settings for installation.
  
• An icon will be created on your desktop. Double-click that icon to launch the program.
  
• If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.
  
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  
• In the Main Menu, click the Preferences... button.
  
• Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  
• Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
    
  • Scan for tracking cookies.
    
  • Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen and exit the program.
  
• Do not run a scan just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:

• Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  
• On the left, make sure you check C:\Fixed Drive.
  
• On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  
• Make sure everything has a checkmark next to it and click "Next".
  
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  
• If asked if you want to reboot, click "Yes" and reboot normally.
  
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
    
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    
  • Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.

If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/12/2011 at 09:36 PM

Application Version : 4.49.1000

Core Rules Database Version : 6584
Trace Rules Database Version: 4396

Scan type : Complete Scan
Total Scan Time : 02:47:41

Memory items scanned : 253
Memory threats detected : 0
Registry items scanned : 6938
Registry threats detected : 0
File items scanned : 229812
File threats detected : 145

Adware.Tracking Cookie
C:\Documents and Settings\Mustafa\Cookies\mustafa@server.iad.liveperson[1].txt
C:\Documents and Settings\Mustafa\Cookies\mustafa@serving-sys[1].txt
C:\Documents and Settings\Mustafa\Cookies\mustafa@apmebf[1].txt
C:\Documents and Settings\Mustafa\Cookies\mustafa@liveperson[1].txt
C:\Documents and Settings\Mustafa\Cookies\mustafa@www.3dstats[1].txt
C:\Documents and Settings\Mustafa\Cookies\mustafa@casalemedia[2].txt
C:\Documents and Settings\Mustafa\Cookies\mustafa@mediaplex[2].txt
C:\Documents and Settings\Mustafa\Cookies\mustafa@doubleclick[1].txt
C:\Documents and Settings\Mustafa\Cookies\mustafa@richmedia.yahoo[2].txt
C:\Documents and Settings\Mustafa\Cookies\mustafa@collective-media[2].txt
C:\Documents and Settings\Mustafa\Cookies\mustafa@atdmt[1].txt
C:\Documents and Settings\Mustafa\Cookies\mustafa@ad.yieldmanager[1].txt
C:\Documents and Settings\Mustafa\Cookies\mustafa@content.yieldmanager[1].txt
C:\Documents and Settings\Mustafa\Cookies\mustafa@adinterax[2].txt
C:\Documents and Settings\Mustafa\Cookies\mustafa@ads.bleepingcomputer[1].txt
C:\Documents and Settings\Mustafa\Cookies\mustafa@in.getclicky[1].txt
C:\Documents and Settings\Mustafa\Cookies\mustafa@content.yieldmanager[3].txt
C:\Documents and Settings\Mustafa\Cookies\mustafa@tribalfusion[1].txt
.richmedia.yahoo.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2glid3q0.default\cookies.sqlite ]
sales.liveperson.net [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2glid3q0.default\cookies.sqlite ]
sales.liveperson.net [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2glid3q0.default\cookies.sqlite ]
.adcentriconline.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2glid3q0.default\cookies.sqlite ]
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt
C:\Documents and Settings\charles.basseha\Cookies\charles.basseha@2o7[1].txt
C:\Documents and Settings\charles.basseha\Cookies\charles.basseha@2o7[2].txt
C:\Documents and Settings\charles.basseha\Cookies\charles.basseha@ads.vitalix[1].txt
C:\Documents and Settings\charles.basseha\Cookies\charles.basseha@ads.vitalix[2].txt
C:\Documents and Settings\charles.basseha\Cookies\charles.basseha@atdmt[1].txt
C:\Documents and Settings\charles.basseha\Cookies\charles.basseha@atdmt[2].txt
C:\Documents and Settings\charles.basseha\Cookies\charles.basseha@belnk[2].txt
C:\Documents and Settings\charles.basseha\Cookies\charles.basseha@btg.btgrab[2].txt
C:\Documents and Settings\charles.basseha\Cookies\charles.basseha@btg.btgrab[3].txt
C:\Documents and Settings\charles.basseha\Cookies\charles.basseha@cliks[2].txt
C:\Documents and Settings\charles.basseha\Cookies\charles.basseha@cliks[3].txt
C:\Documents and Settings\charles.basseha\Cookies\charles.basseha@hotbar[1].txt
C:\Documents and Settings\charles.basseha\Cookies\charles.basseha@msnportal.112.2o7[1].txt
C:\Documents and Settings\charles.basseha\Cookies\charles.basseha@msnportal.112.2o7[2].txt
C:\Documents and Settings\charles.basseha\Cookies\charles.basseha@mywebsearch[2].txt
C:\Documents and Settings\charles.basseha\Cookies\charles.basseha@mywebsearch[3].txt
C:\Documents and Settings\charles.basseha\Cookies\charles.basseha@mywebsearch[4].txt
C:\Documents and Settings\charles.basseha\Cookies\charles.basseha@offeroptimizer[2].txt
C:\Documents and Settings\charles.basseha\Cookies\charles.basseha@offeroptimizer[3].txt
C:\Documents and Settings\charles.basseha\Cookies\charles.basseha@questionmarket[2].txt
C:\Documents and Settings\charles.basseha\Cookies\charles.basseha@webpdp.gator[1].txt
C:\Documents and Settings\charles.basseha\Cookies\charles.basseha@www.movieland[1].txt
C:\Documents and Settings\charles.basseha\Cookies\charles.basseha@www.movieland[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@112.2o7[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@2o7[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@2o7[3].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@2o7[4].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@accounts[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@ad.yieldmanager[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@adopt.euroclick[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@adopt.hbmediapro[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@ads.addynamix[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@adtech[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@adtech[3].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@advertising[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@advertising[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@as-eu.falkag[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@atdmt[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@atdmt[3].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@belnk[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@bfast[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@burstnet[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@certified-safe-downloads[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@dealtime[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@dist.belnk[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@doubleclick[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@doubleclick[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@ehg-bestbuy.hitbox[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@ehg-ctv.hitbox[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@ehg-datamonitor.hitbox[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@ehg-deltatre.hitbox[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@ehg-nokiafin.hitbox[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@ehg-techtarget.hitbox[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@fastclick[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@fastclick[3].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@fortunecity[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@hitbox[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@hitbox[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@hitbox[3].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@hitbox[4].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@ieee.adbureau[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@m1.webstats4u[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@maxserving[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@media.fastclick[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@media.fastclick[3].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@mediaplex[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@mediaplex[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@microsoftwga.112.2o7[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@msnportal.112.2o7[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@overture[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@overture[3].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@perf.overture[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@questionmarket[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@realmedia[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@revenue[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@revsci[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@saletrack.co[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@sel.as-eu.falkag[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@stat.dealtime[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@stat.dealtime[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@statcounter[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@statcounter[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@statse.webtrendslive[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@tacoda[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@tacoda[3].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@tacoda[4].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@tribalfusion[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@tribalfusion[2].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@valueclick[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@www.burstbeacon[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@www.smartadserver[1].txt
C:\Documents and Settings\fgalia1\Cookies\fgalia1@xiti[1].txt
C:\Documents and Settings\mmomen\Cookies\mmomen@ad.yieldmanager[1].txt
C:\Documents and Settings\mmomen\Cookies\mmomen@adinterax[1].txt
C:\Documents and Settings\mmomen\Cookies\mmomen@ads.bleepingcomputer[2].txt
C:\Documents and Settings\mmomen\Cookies\mmomen@ads.pointroll[1].txt
C:\Documents and Settings\mmomen\Cookies\mmomen@atdmt[2].txt
C:\Documents and Settings\mmomen\Cookies\mmomen@collective-media[2].txt
C:\Documents and Settings\mmomen\Cookies\mmomen@content.yieldmanager[2].txt
C:\Documents and Settings\mmomen\Cookies\mmomen@content.yieldmanager[3].txt
C:\Documents and Settings\mmomen\Cookies\mmomen@doubleclick[2].txt
C:\Documents and Settings\mmomen\Cookies\mmomen@invitemedia[1].txt
C:\Documents and Settings\mmomen\Cookies\mmomen@pointroll[2].txt
C:\Documents and Settings\mmomen\Cookies\mmomen@statse.webtrendslive[1].txt
media.kyte.tv [ C:\Documents and Settings\Mustafa\Application Data\Macromedia\Flash Player\#SharedObjects\X7G3TZGF ]
msnbcmedia.msn.com [ C:\Documents and Settings\Mustafa\Application Data\Macromedia\Flash Player\#SharedObjects\X7G3TZGF ]
vitamine.networldmedia.net [ C:\Documents and Settings\Mustafa\Application Data\Macromedia\Flash Player\#SharedObjects\X7G3TZGF ]
.imrworldwide.com [ C:\Documents and Settings\Mustafa\Application Data\Mozilla\Firefox\Profiles\gyj1apld.default\cookies.sqlite ]
C:\Documents and Settings\selkha2\Cookies\selkha2@2o7[2].txt
C:\Documents and Settings\selkha2\Cookies\selkha2@adtech[2].txt
C:\Documents and Settings\selkha2\Cookies\selkha2@advertising[2].txt
C:\Documents and Settings\selkha2\Cookies\selkha2@as-eu.falkag[2].txt
C:\Documents and Settings\selkha2\Cookies\selkha2@atdmt[2].txt
C:\Documents and Settings\selkha2\Cookies\selkha2@doubleclick[1].txt
C:\Documents and Settings\selkha2\Cookies\selkha2@ehg-bskyb.hitbox[2].txt
C:\Documents and Settings\selkha2\Cookies\selkha2@hitbox[2].txt
C:\Documents and Settings\selkha2\Cookies\selkha2@insightexpressai[2].txt
C:\Documents and Settings\selkha2\Cookies\selkha2@m1.webstats4u[1].txt
C:\Documents and Settings\selkha2\Cookies\selkha2@msnportal.112.2o7[1].txt
C:\Documents and Settings\selkha2\Cookies\selkha2@questionmarket[2].txt

Trojan.Agent/Gen
C:\DOCUMENTS AND SETTINGS\MMOMEN\LOCAL SETTINGS\TEMP\IZOHORE.BMP

I'd like us to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
  
• Click the button.
  
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
    
  • Double click on the icon on your desktop.
  
  
• Check
  
• Click the button.
  
• Accept any security warnings from your browser.
  
• Under scan settings, check and check Remove found threats
  
• Click Advanced settings and select the following:
  • Scan potentially unwanted applications
    
  • Scan for potentially unsafe applications
    
  • Enable Anti-Stealth technology
  
  
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  
• When the scan completes, push
  
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  
• Push the button.
  
• Push

C:\WINDOWS\CSC\d1\80003600 Java/TrojanDownloader.OpenStream.NAC trojan cleaned by deleting - quarantined
C:\WINDOWS\CSC\d4\8000C7BB multiple threats deleted - quarantined

How's your computer running now? Any more problems?

I do not feel that there is any problem. So, if there are no more hidden problems, the computer is fixed. Thank you again for all the help.

If you’re clean, you should create a new Restore Point to prevent possible re-infection from an old one.

Go Start > Programs > Accessories > System Tools and click System Restore. Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name and then click Create. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go Start > Run and type: "Cleanmgr" (without the quotes). Click Ok > More Options tab > Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Also, go Start > Control Panel and double-click Add or Remove Programs. Post back and report any Java or JS2E entries that you have.

I have the following Java entries in the 'Add or Remove Programs':

Java™6 Update 21 Size: 90.49 MB Used: rarely
Java™6 Update 3 Size: 111.00 MB Used: rarely
Java™SE Development Kit 6 Size: 245.00 MB Used: rarely
Java™SE Runtime Environment 6 Size: 115.00 MB Used: rarely

Those Java entries are out of date. You should remove them and then get the latest from here:

http://java.com/en/download/index.jsp

Do you use the Java™SE Development Kit?