XP Internet Security keeps comiing back!


3 replies to this topic

#1 gotinfected

gotinfected

  • Members
  • 2 posts
  • Local time:09:19 PM

Posted 02 February 2010 - 08:59 PM

Hello

About 3 or 4 days ago I got infected with a program called 'XP Internet security 2012', though it appeared whilst I was generally surfing. Then suddenly ZoneLabs ZoneAlarm popped up and asked me if I wished to allow 'av.exe' to install; I noticed it was being executed from my C: Program Files Temporary Internet Files. The first time I got it, I panicked a little and downloaded as many programs as I could whilst it installed, not as though I could stop it, but lots of Firefox tabs meant I downloaded the following:

pc tools spyware doctor
spybot search and destroy
adaware
microsoft security essentials
avg
super anti spyware
and updated my copy of Avast antivirus.

It was as the final Avast application downloaded that I lost my net connection. I then installed each in turn and scanned my system; needless to say, all pretty much failed to find the program, never mind solve the problem. Spyware Doctor found it, then stopped it accessing the internet, but I uninstalled it and it pretty much dumped it back on my system and then it reactivated itself. Long story short, I downloaded and ran Combofix from this site and voila, it uninstalled it. However, around about an hour ago, it came back, once again executed from the same location as last time. I got rid of it via Combofix and Malwarebytes, which I thought was successful. However, now it's back I am not so sure.

It's worth mentioning that I did delete my temporary internet files earlier today, so the pc then recreated it during the reboot process, so I know the program if it was lingering in there had been deleted, so I must have picked it up from one of the sites I frequented.

I am presently running Combofix again now and it's taking a while again; is there any way to get this thing to use multiple cores to speed it up? I rebooted the machine when XP Internet Security was only about a quarter of the way through its install process, whilst it seems to think it's dealing with a complete installation. So does this mean it will be checking all 6 of my TB drives again? So am I looking at another 6 hours or so like last time? I only ask as the programme last time only created a log for the C: drive; it didn't seem to wander anywhere else.

Also, any sure fire way of stopping the damn thing from infecting me?

Thank you for your time, and if you got this far down my post for taking the time to read it all - Thanks! :thumbsup:

#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,166 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:04:19 PM

Posted 02 February 2010 - 10:22 PM

Hello, I am moving this from XP to the Am I Infected forum.

If combofix finishes and you still have your PC do not run it again.
Did it fix it? Since you have run it.

If not, you need to do a few things.
You may have too many things running and that can interfere with Malware removal.
You have 2 AVs running? Avast and AVG. These will conflict. You can only have 1 active AV.

We need to disable Spybot S&D's "TeaTimer" if running.
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.

Remove AdAware you will be using a better tool from these instructions ( free and you can keep it).

Please follow ALL the steps in our Removal Guide here How to remove XP Internet Security 2010

You will move to the Automated Removal Instructions for Internet Security 2010 using Malwarebytes' Anti-Malware:

After you have completed that, post your scan log here and let me know how things are.

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

#3 gotinfected

gotinfected
  • Topic Starter

  • Members
  • 2 posts
  • Local time:09:19 PM

Posted 03 February 2010 - 01:23 AM

> Hello, I am moving this from XP to the Am I Infected forum.


Thank you, I didn't realise I had put it into the incorrect forum - My apologies, I should have read the forum headers a little more in-depth.

> If combofix finishes and you still have your PC do not run it again.
> Did it fix it? Since you have run it.


I think it did, I woke up (it's early AM here in the UK) to find the log onscreen. It said the following:

http://paste2.org/p/646309 It seems I got quite lucky this time around, as it hadn't actually installed or even actually started; obviously it was due to my rapid panicking and start\restart F8 reaction :flowers:



> If not, you need to do a few things.
> You may have too many things running and that can interfere with Malware removal.
> You have 2 AVs running? Avast and AVG. These will conflict. You can only have 1 active AV.


I removed everything earlier that I didn't have a need for. AVG didn't get a look in; I had Microsoft Security Essentials, Spyware Doctor, Spybot and Adaware installed. Adaware and I fell out as it wasn't behaving itself, so that went first. Then Spyware Doctor - that's the one that dumped its content back on my system and reactivated the virus again. They won't be getting 40 off me this time around, not for just doing that; they could have provided a warning, not just dump me back in the crap like that without warning.

> We need to disable Spybot S&D's "TeaTimer" if running.
> TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.


There was something wrong with Spybot; Combofix uninstalled it all last time. I think it was a 'copy' of the program, instead of it being legitimate. I drew that conclusion from the combofix.*whatever websites that make up the warning included in the program. I should have gotten it from CNET instead of relying upon the link that Google threw me.


> Please follow ALL the steps in our Removal Guide here How to remove XP Internet Security 2010
>
> You will move to the Automated Removal Instructions for Internet Security 2010 using Malwarebytes' Anti-Malware:


Shall do, once again thank you for your support in this.

> After you have completed that, post your scan log here and let me know how things are.
>
> The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
> Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


Yes here it is: http://paste2.org/p/646317

I'm fortunate in that I've a media centre to fall back on when things like this crop up, though this is only my 3rd virus in around 10 years so it's not too bad; shame it's caught me out on 3 separate occasions now though, so maybe it should read 'my 6th infection in 10 years' :thumbsup: I was able to take a timeout whilst Combofix was running last time and watched this: which calmed me down a little, I must say.

What I can't get over, however, is the fact that it installs itself from my own Temporary Internet Files; even though I say 'NO' it then triggers Microsoft's Security Center and actually uses that to install itself ON the system. It really shouldn't happen like that; it's almost as if it intercepts\hooks the ping or whatever it is that goes to Microsoft and uses that as a 'gateway' to get INTO the system and emulate whatever it is that Microsoft thinks its program should be downloading.

What is really strange, however, is that this assumes it's being downloaded each time and not resident on my system somewhere, though I removed any restore points etc. last time, so it shouldn't be resident on my system. What's more, I've removed ALL and ANY questionable programs from my various hard drives, so I'm quite sure it shouldn't be due to that. It's seemingly being downloaded, the av.exe file first, which is the springboard that then goes and downloads whatever else it needs. Anyway, the reason this is peculiar is that after the first infection I started using Sandboxie; I've been surfing with my browser sandboxed! However, the infection still got through! My XP Pro install is patched and legitimate, running SP3 fwiw, with no updates left to install.

I'm not sure, but if you have any MSVP's knocking around these forums, perhaps they could pass that onto Microsoft and they could work out what's going wrong and possibly come up with a solution.

Thank you for once again getting back to me, my apologies once again for sticking my original post in the wrong part of the forums. I look forwards to your reply, hopefully I've provided as much information as you need or that I know. I'm going to get some sleep now before I fall down.

Oh yes, and before I forget, I've taken to installing a VM on this system. I'm going to bring it up to spec with updates, SP3 etc., and then I'll frequent a few sites again and report back on what I find if it's relevant. I'll stick my VM'ed browser in a sandbox too so it will be exactly the same; it's a fresh install so I'll know one way or another whether it's dormant somewhere or whether it's a fresh download. I'll report back later on my findings.

Thanks again.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,383 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:19 PM

Posted 03 February 2010 - 03:32 PM

> I got rid of it via combo fix and malware bytes which I thought was successful.

There is no way to know for certain what you were dealing with or what was removed without reviewing your logs. CF will not remove every piece of malware, only what it finds. However, its log provides detailed information about files, folders and registry keys some of which may be malicious. The only way to know is to see those logs and investigate them. If some of those malware related files are not found and removed, they can be responsible for downloading more malicious files when you connect to the net. Those files can be saved anywhere. CF logs are not permitted in this forum for analysis.

I suggest you read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log (along with the ComboFix.txt) in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.