BleepingComputer.com: "XP Total Security" infection


"XP Total Security" infection

#1 redryder4

Posted 05 June 2011 - 11:02 PM

Hi there... Long time, no infection... I

Well, it appears as though I got a virus posing as a "XP TOTAL SECURITY". The infected PC is a laptop running Win XP. My wife was on Facebook the first time the "scan" started.

It has shut off my McAfee AV, and any attempt to reactivate it in Windows Security Center starts up "XP TOTAL SECURITY" and a series of simulated scans/infections.

I did get a seemingly legitimate McAfee message stating "C:Docs&Settings\Rhonda\Local Settings\app data\FGB.EXE" is attempting to access the internet - allow, block, etc. I chose block (hopefully it was a real message).

I tried finding FGB.EXE in the stated path and did not see it. I attempted to install/run "unhide" from a thumb drive, but "XP TOTAL SECURITY" blocks it.

I also tried to run "flash dis-infector.exe" with no success (XP Total Security starts up, does its scan, etc.).

Please help!!

Thanks in advance,

Paul

#2 herg62123

Posted 06 June 2011 - 12:15 AM

redryder4, on 05 June 2011 - 11:02 PM, said: (quoting post #1 above in full)

Hello Paul, my name is herg62123 (or Rob for short).

Sorry to hear about the issue you are having..... Question for you: does the program look like this on the link: XP Total Security Removal Guide

If it does, towards the bottom of this article there is hope at the end of the tunnel..... lol

Look for the heading called: "Automated Removal Instructions for XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security using Malwarebytes' Anti-Malware:" Make sure to scroll down to find this heading.

This will give you step by step instructions on how to remove this nasty bug.

Also, after Malwarebytes finishes, a text file will open.

Please post the log when done.

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply.

Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

I promise it can be removed by following the instructions on that removal guide I posted above.

This post has been edited by herg62123: 06 June 2011 - 12:18 AM


#3 redryder4

Posted 06 June 2011 - 11:18 PM

herg62123 (aka Rob) :wink:

Sorry for lacking the patience to thoroughly search the site for the removal instructions... :blush:
Yes, the link you provided sounds exactly like what I have...


I downloaded FixNCR.reg, RKill & mbam to a flash drive from an unaffected PC.

FixNCR worked as described.

RKill worked as described and created the following log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 06/06/2011 at 20:26:12.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\verclsid.exe


Rkill completed on 06/06/2011 at 20:26:28.


mbam installed fine, but I unchecked the update button (yes, I'm guilty of not fully reading the instructions). Upon launching mbam, it said files were ~168 days old, do I want to update? I chose "yes" and a "connecting to server" window popped up, but there was no progress being made. The update program froze and could not be shut down by any means (end task, End-it-all, etc), so I was forced to hold the power button down until the laptop shut off.

Upon successful reboot, I re-ran FixNCR and Rkill. I re-installed mbam and this time left the "check for updates" button checked. Again, a new "connecting to server" window opened, no progress was made, and the window hung up. Had to power down the PC again to close the program.

Downloaded a newer version of Mbam (1.51) from unaffected PC to flash drive.

Booted up the laptop and re-ran FixNCR and Rkill. Uninstalled old mbam. Re-installed new mbam. Did not update this time as the file was only 6 days old. An mbam trial window popped up and I selected "start trial" rather than "decline". My cursor turns to an hourglass and Mbam hangs.

I attempted to access the internet using IE, but no page would open, no timeout messages, nothing. My wireless connection shows "excellent" with 54Mbps.

Yesterday I was still able to get on the web. Today, I just get "connecting" and a blank white page. It appears that every time mbam needs to connect to the internet, it locks up as well.

I've tried to be as detailed as possible in my undertakings... please advise.

Thanks,

Paul

#4 redryder4

Posted 08 June 2011 - 01:03 PM

Rob,

Ok, so I tried something different... Upon booting up today, I did not run FixNCR or Rkill. I'm thinking the latter is preventing me from accessing the internet??? I just launched Mbam and it not only updated successfully, it also performed a full scan... 5 issues were found:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6810

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/8/2011 10:47:30 AM
mbam-log-2011-06-08 (10-47-30).txt

Scan type: Full scan (C:\|)
Objects scanned: 258104
Time elapsed: 1 hour(s), 29 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Rhonda\application data\Sun\Java\deployment\cache\6.0\15\d00bfcf-6ebf900d (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Rhonda\local settings\application data\fgb.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.



08:41:25 Rhonda MESSAGE Protection started successfully
08:41:34 Rhonda MESSAGE IP Protection started successfully
10:49:20 (null) MESSAGE Protection started successfully
10:49:30 Rhonda MESSAGE IP Protection started successfully


I'm hopefully all cleaned up now... Please have a look at the logs and let me know what you think.

Thanks Rob and BleepingComputer!!

Paul
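The three "Registry Data Items" in the MBAM log above are the Security Center notification switches (AntiVirusDisableNotify, FirewallDisableNotify, UpdatesDisableNotify) that the rogue set to 1 so Windows would stop warning that the real AV and firewall were off; MBAM reports the value it found as "Bad" and the value it restored as "Good". The script below is an added example for this thread, not code from the original post or from Malwarebytes: it parses a log in that 1.x format into findings and turns the Security Center entries into a .reg fragment that restores the Good values. The section headers, the "path (detection) -> Bad: (x) Good: (y) -> action" line layout and the .reg output shape are assumptions modelled on the log as posted, and SAMPLE_LOG is constructed from those entries.

```python
"""
Parse a Malwarebytes' Anti-Malware 1.x scan log and turn its
"Registry Data Items Infected" entries into a .reg fragment that puts the
Security Center notification values back to their Good state.

Added example, not Malwarebytes' own code. Line format, section headers
and the .reg layout are assumptions modelled on the log posted in the
thread; SAMPLE_LOG below is constructed from those entries.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, trimmed from the MBAM 1.51 log posted in this thread.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.51.0.1200
Database version: 6810
Windows 5.1.2600 Service Pack 3

Registry Data Items Infected: 3
Files Infected: 2

Registry Keys Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\\documents and settings\\Rhonda\\application data\\Sun\\Java\\deployment\\cache\\6.0\\15\\d00bfcf-6ebf900d (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\\documents and settings\\Rhonda\\local settings\\application data\\fgb.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
"""

# Registry data items carry the value found (Bad) and the value restored (Good).
DATA_ITEM = re.compile(
    r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> "
    r"Bad: \((?P<bad>[^()]*)\) Good: \((?P<good>[^()]*)\) -> (?P<action>.+)$"
)
# Files, folders, keys and values only carry path, detection name and action.
FILE_ITEM = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")

SECURITY_CENTER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"


@dataclass
class Finding:
    section: str
    path: str
    detection: str
    action: str
    bad: Optional[str] = None
    good: Optional[str] = None


def parse_mbam_log(text: str) -> List[Finding]:
    """Walk the log; a line ending in ' Infected:' opens a section, every
    matching line under it is one finding. Summary counts, the header and
    '(No malicious items detected)' placeholders are skipped."""
    findings: List[Finding] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(" Infected:"):
            section = line[:-1]
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = DATA_ITEM.match(line) or FILE_ITEM.match(line)
        if not m:
            continue
        d = m.groupdict()
        findings.append(Finding(section, d["path"], d["detection"],
                                d["action"], d.get("bad"), d.get("good")))
    return findings


def security_center_reg(findings: List[Finding]) -> str:
    """Build a .reg fragment restoring the Good value of every Security Center
    DWORD the scan flagged (the rogue sets them to 1 to silence the warnings).
    Returns '' when the log has no such entries."""
    values = {}
    for f in findings:
        if f.section != "Registry Data Items Infected" or f.good is None:
            continue
        parent, _, name = f.path.rpartition("\\")
        if parent.lower() == SECURITY_CENTER_KEY.lower():
            values[name] = int(f.good)
    if not values:
        return ""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{SECURITY_CENTER_KEY}]"]
    lines += [f'"{name}"=dword:{val:08x}' for name, val in sorted(values.items())]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for f in found:
        print(f"[{f.section}] {f.detection}: {f.path}")
    print(security_center_reg(found))
```

The fragment it emits is only worth applying after the dropper itself is gone; the same log shows the binary (fgb.exe under the user's local application data) being quarantined, and a practitioner would re-read the three values after a reboot, since finding them back at 1 means whatever set them is still running.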
