
Antivirus Xp 2008 Infection



#1 RShea


Posted 31 July 2008 - 06:42 PM

I have a computer that is infected with Antivirus XP 2008. It is running Windows XP Pro (SP2) and had Norton Anti-virus software on the system. There was an email message stating something about an Eticket in the subject. At first this Antivirus XP 2008 did not display - the only symptoms were the computer would boot but no software applications at all would launch and run. Could only check the services or start run cmd would get to a prompt.

Tried a scan of the hard drive outside the system (with another system that had Norton Anti-virus on it) and it did not detect anything at all. Also tried a system restore to 2 days back when the system was working fine....

All attempts to install utilities on this unit - even in safe mode - result in the same thing: the installer starts but never completes, so all tools like HiJackThis, Malwarebytes, and other spyware utilities can't even launch. So it appears that Windows will not run any .EXE programs at all.

I will be trying a few scans with the hard drive outside the unit. Anyone else see this Antivirus XP 2008 not allow any software at all to load? No logs or HiJackThis reports can be posted yet... due to the issues.

Any other ideas short of a complete reformat and reload of the software?

Edited by Orange Blossom, 31 July 2008 - 06:44 PM.
Move to more appropriate forum. ~ OB



#2 boopme


Posted 31 July 2008 - 07:09 PM

Hello, please try Grinler's tutorial here...

How to remove Win Antivir 2008 and Win Antivirus 2008 (Uninstall Instructions)

#3 RShea


Posted 31 July 2008 - 09:17 PM

Hello, please try Grinler's tutorial here...

How to remove Win Antivir 2008 and Win Antivirus 2008 (Uninstall Instructions)


Thanks for the reply, however I am 100% sure that this system is infected and I have read a number of sites discussing the removal. Step number 4 works and I was able to save the file. When I launch the installation then the system does not complete the installation. As I stated in the message, Internet Explorer, and most every .EXE program will not run and start up properly.

Not sure if this is a new variation on the Antivir 2008 but this one clearly shuts down access to most all tools out there.

I scanned the drive outside the system with Spybot Search and Destroy and it reported:

--- Search result list ---
PSGuard: [SBI $5FD238A5] Temporary folder (Directory, nothing done)
C:\Documents and Settings\Bob\Local Settings\Temp\awtmp\

Win32.Agent.pz: [SBI $B00BA4EA] Executable (File, nothing done)
C:\WINDOWS\system32\\ntos.exe

Win32.Agent.pz: [SBI $689A946A] Library (File, nothing done)
C:\WINDOWS\system32\\wsnpoem\audio.dll

Win32.Agent.pz: [SBI $B74832EE] Program directory (Directory, nothing done)
C:\WINDOWS\system32\\wsnpoem\

Win32.Agent.pz: [SBI $D372DFBA] Library (File, nothing done)
C:\WINDOWS\system32\\wsnpoem\video.dll

Win32.Agent.pz: [SBI $5DB5BCF4] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\PE_C_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit=...C:\WINDOWS\system32\ntos.exe,...

Win32.Agent.pz: [SBI $0F1C75F7] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\PE_C_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID

Smitfraud-C.gp: [SBI $994F0BCC] Autorun settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\PE_C_Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{64ba30a2-811a-4597-b0af-d551128be340}

Smitfraud-C.gp: [SBI $1B40EACE] Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\PE_C_SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Security Toolbar

EverestPoker: [SBI $19F64ADC] Picture (File, nothing done)
C:\Program Files\Everest Poker\data\shared\shared\bitmaps\check.art

Microsoft.Windows.System: [SBI $51373AEE] Settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePage

Microsoft.Windows.System: [SBI $51373AEE] Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePage

Delf.Spool.cn: [SBI $D357F13F] Executable (File, nothing done)
C:\WINDOWS\system32\\delself.bat

Zlob.Downloader: [SBI $8C1E0187] Data (File, nothing done)
C:\WINDOWS\system32\\stdole3.tlb

HitsLink: Tracking cookie (Opera 7+: SYSTEM) (Cookie, nothing done)
AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)
AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)
AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)
AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)
AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)
AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)
MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)
MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
WebTrends live: Tracking cookie (Firefox: default) (Cookie, nothing done)
CoreMetrics: Tracking cookie (Firefox: default) (Cookie, nothing done)
Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)
Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)
Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)
Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)

Many of them are cookies, which I am not worried about. It is the Zlob, Smitfraud and others that are probably not helping issues. They have all been removed after the scan of the infected hard drive on another computer.

Here is the Malwarebytes report after the Spybot scan was run (also run outside the system since I could not get it installed):
Trojan.Downloader in the System restore files.... A0060619.exe

#4 quietman7


Posted 01 August 2008 - 07:40 AM

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.

#5 RShea


Posted 01 August 2008 - 12:41 PM

Thanks for the suggestion, but I think it was probably all .EXE files (based on the fact that some line of business software would not run for on the system first) so, I took the drive and placed it in an enclosure and did 2 scans of the files on another PC - one with Spybot and a second with Malwarebytes Anti-Malware. The drive then was placed back in the system, booted into safe mode and installed the utilities needed. Did a second scan with Malwarebytes after it was updated and it found some more files. Removed them and trying one more scan after a reboot into regular Windows mode.....

#6 quietman7


Posted 01 August 2008 - 02:59 PM

Some malware infections target .exe files and without repairing that file association your .exe files will lose functionality.

The first thing to try is to check your file association for .exe files. Open the "File Types" dialog box in Windows Explorer or My Computer. Go to Tools > Folder Options > File Types tab. Scroll down to where .EXE would be in the alphabetical order and make certain .EXE is not there. If it is, then edit it there by changing the association to Application. Select the New button, type in EXE for the extension and select the Advanced button. From the list pick "Application."

If that does not resolve the problem, try downloading EXE File Association Fix and save to your Desktop. Extract (unzip) xp_exe_fix.zip and double-click on xp_exe.fix.reg and choose "Yes" to merge it into the registry when prompted. Once you get a successful message delete the file and reboot.

Also see:
"Unable to Start a Program with an .exe File Extension"
"Fix or Restore Broken .EXE .LNK .COM Association Caused by Virus"

Note: Some of these steps involve making changes in the registry. Always back up your registry before making any changes. If you are not familiar with working in the registry, then you should NOT attempt to make any changes on your own. Improper changes to the registry could adversely affect your computer and render it inoperable.
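Added example, not part of any post in this thread: a read-only check of the two settings the thread turns on, the .exe file association and the Winlogon Userinit value that Spybot flagged. It assumes the infected drive's SOFTWARE hive was loaded on a clean PC and exported to .reg text with reg.exe; the sample export below is constructed and its Userinit value is illustrative, not the poster's actual value.

```python
import re

# Known-good Windows XP values. "@" is the .reg notation for a key's default
# value; keys are matched by suffix so the hive's mount name does not matter.
EXPECTED = {
    (r"\classes\.exe", "@"): "exefile",
    (r"\classes\exefile\shell\open\command", "@"): '"%1" %*',
    (r"\microsoft\windows nt\currentversion\winlogon", "userinit"):
        r"c:\windows\system32\userinit.exe,",
}

# name="value" lines of a .reg export (string values only).
LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def audit(reg_text):
    """Return (key, value name, actual value) for each value that differs."""
    findings, key = [], ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = LINE.match(line)
        if not m:
            continue
        name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1]).lower()
        value = unescape(m.group(2))
        for (suffix, vname), good in EXPECTED.items():
            if key.endswith(suffix) and name == vname and value.lower() != good:
                findings.append((key, name, value))
    return findings

# Constructed sample export; PE_C_SOFTWARE mirrors the mount name in the Spybot log.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\PE_C_SOFTWARE\Classes\.exe]
@="exefile"
[HKEY_LOCAL_MACHINE\PE_C_SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\PE_C_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe,"
'''

if __name__ == "__main__":
    for key, name, value in audit(SAMPLE):
        print(f"UNEXPECTED {key} [{name}] = {value}")
```

A real export is normally UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `audit`. The check only reports values that are present and different; a missing key is not flagged.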



