BleepingComputer.com: RKilled! XP Internet Security 2012

RKilled! XP Internet Security 2012 Thanks to the site, this one seems in the bag.

#1 User is offline   TripleJacknGA 

  • New Member
  • Group: Members
  • Posts: 1
  • Joined: 19-July 11

Posted 19 July 2011 - 10:30 AM

Just a big thanks to the site, and the creator of RKill. I thought perhaps posting this may help others, as well as the creators of RKill, by seeing what I did, and what the software did.

A co-worker's desktop, which is used for shipping, recently started having the 'XP Internet Security 2012' shenanigans, which was my introduction to it.

After much Googling on my laptop (since his was unable to do anything, including get online eventually), I read about RKill, and what it's designed to do. I downloaded RKill to a thumb-drive. I also downloaded Malwarebytes & Avast to the same thumb-drive.

First thing I did was install & run Avast 6. Interestingly enough, Avast found absolutely nothing, and just as interestingly, the virus allowed me to run it. I then tried running the existing install of Malwarebytes on the machine, but as expected, the virus prevented it from even starting.
I then ran RKill from my thumb-drive. When it finished running, I got the following log file:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 07/19/2011 at 8:38:20.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Program Files\AVAST Software\Avast\defs\11071800\Sf.bin


Rkill completed on 07/19/2011 at 8:39:38.


At first, I thought that the only thing RKill did was block Avast. I then tried running the existing install of Malwarebytes, and it started. It said its last update was in 2009, so I tried to update it. The wireless connection was not working (not sure if this was also the virus or not), so I disabled, then enabled it, and got it connected. I proceeded to try and update Malwarebytes, but it gave me some odd error. I then decided to do a fresh install of Malwarebytes. When I finished that install, I had it update, and it did successfully.
I then ran Malwarebytes, and after about 47 minutes, it found 6 infections, which I removed. Here's the log from that:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7199

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/19/2011 10:05:15 AM
mbam-log-2011-07-19 (10-05-15).txt

Scan type: Full scan (C:\|)
Objects scanned: 237700
Time elapsed: 47 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2791166363 (Trojan.FakeAlert) -> Value: 2791166363 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\User\Local Settings\Application Data\drp.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


After deleting those, I then closed Malwarebytes, restarted the machine, and so far, it seems like it's gone, and the machine is back to its slow, old self.

Again, a huge thanks, because my IT dept. is basically useless, and I know just enough to be dangerous. I have way too much to do running this place, and this put the kibosh on it.

Jack
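The Malwarebytes log in the post above prints one registry finding per line (path, detection category, the bad and restored values, the action taken). As an added example, not from the original post or from Malwarebytes, the following Python parser turns those lines into records and lists the registry keys worth looking at again after the reboot; its sample input is the registry sections of the log quoted above.

```python
import re
from dataclasses import dataclass

# One detection line: "<registry path> (<category>) -> <detail> -> <action>"
FINDING_RE = re.compile(r"^(?P<path>.+?) \((?P<category>[\w.]+)\) -> (?P<detail>.+?) -> (?P<action>.+)$")
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\)$")  # "Registry Data Items" detail

@dataclass
class Finding:
    section: str    # e.g. "Registry Values Infected"
    key: str        # registry key holding the value
    value: str      # value name ("(default)" for a key's default value)
    category: str   # e.g. "Hijack.StartMenuInternet"
    action: str     # e.g. "Quarantined and deleted successfully."
    bad: str = ""   # what the infection wrote (data-item findings only)
    good: str = ""  # what Malwarebytes restored

def parse_mbam_log(text: str) -> list[Finding]:
    """One Finding per detection line; count lines and placeholders are skipped."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":"):               # section header, e.g. "Registry Keys Infected:"
            section = line[:-1]
            continue
        m = FINDING_RE.match(line) if section else None
        if not m:
            continue                         # blank, "(No malicious items detected)" or a count
        bg = BAD_GOOD_RE.match(m["detail"])  # None for "Value: <name>" findings
        key, _, value = m["path"].rpartition("\\")
        findings.append(Finding(section, key, value, m["category"], m["action"],
                                bg["bad"] if bg else "", bg["good"] if bg else ""))
    return findings

def recheck_keys(findings: list[Finding]) -> list[str]:
    """Keys touched by any finding: where to look again after the reboot."""
    return sorted({f.key for f in findings})

# Sample input: registry sections of the Malwarebytes log quoted in the post above.
MBAM_LOG = r"""
Registry Values Infected: 2
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2791166363 (Trojan.FakeAlert) -> Value: 2791166363 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\User\Local Settings\Application Data\drp.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""
```

Running `recheck_keys(parse_mbam_log(MBAM_LOG))` yields the Run key, the Internet Settings key, the IE StartMenuInternet command key and the Security Center key, which is the short list to confirm by hand once the machine is back up.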

#2 User is offline   SpySentinel 

  • Forum Addict
  • Group: Staff Emeritus
  • Posts: 2,090
  • Joined: 23-February 07
  • Gender:Male
  • Location:The United States

Posted 01 August 2011 - 01:35 PM

Hi TripleJacknGA,

Welcome to Bleeping Computer :)


Glad to hear rKill was able to help you get Malwarebytes Anti-Malware to update and remove the infection!

Do you still require assistance? If you like, I can take a look to make sure the system is clean.

#3 User is offline   SpySentinel 

  • Forum Addict
  • Group: Staff Emeritus
  • Posts: 2,090
  • Joined: 23-February 07
  • Gender:Male
  • Location:The United States

Posted 06 August 2011 - 04:38 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me a PM. This applies only to the original topic starter.

Everyone else please begin a New Topic.