
What have I done wrong ?

3 replies to this topic

#1 tarnlad

tarnlad

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:16 PM

Posted 03 February 2010 - 05:07 PM

Hi everybody,

Just joined today as there seems to be a wealth of clued-up people here.

At 7pm-ish today my system was infected by the fake antivirus program "XP 2010". It did not do as much damage as I think it could have, because as the pop-up appeared I disconnected my laptop from the router, upon which 27 CMD boxes opened, all trying to open ports and download from various addresses, and 30 svchosts appeared in the process box of Task Manager. However, it has taken me until 9-ish to undo many of the things it did do.

Examples: no Task Manager; unable to install or update spyware removers ("local policy has prevented installation"); no CMD prompt; Regedit not loading; EXE files requesting a program to open with... All of the above applied to Safe Mode also.

It also disabled my anti-virus and firewall.

So WHAT did I miss?

I have Symantec Endpoint Protection installed with Virus & Spyware Protection / Proactive Threat Protection / Network Threat Protection all enabled with no exceptions. My last update was today at 4pm.

All I did was Google for Red Hat Linux (I am curious about it and have an old base unit to try it on), clicked on the 2nd choice Google offered, which had tutorials and general setup information... and whilst I was reading the general info, which all looked well constructed, "POP UP BLOCKED" appeared at the top of my IE7 window, then IE7 closed and the XP 2010 window opened pretending to do a virus scan. I disconnected from the LAN, ran Task Manager and stopped the running task.

I thought I had caught it, but 5 mins later, whilst I was checking Msconfig (nothing there), the whole process started again and then multiple CMD windows opened, Task Manager and Msconfig closed (I did see multiple svchosts appear)... and there I was, infected.

My XP Pro installation is SP3; it was updated this morning at 11pm as it is every day.

Any thoughts or obvious "You forgot to do this" would be welcome.

Thank you.


#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:10:16 AM

Posted 03 February 2010 - 05:52 PM

Welcome to BC

The process of cleaning your computer may require you to temporarily disable some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware Free version and save it to your desktop.

NOTE: Before saving MBAM, please rename it to zztoy.exe, then save it to your desktop.


alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
---------------------------
Be sure to re-enable your AV and malware scan tools if they were disabled
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 tarnlad

tarnlad
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:16 PM

Posted 03 February 2010 - 06:08 PM

Thank you for your reply.

My point is: first, I could no longer connect to the internet, and USB drives and CD/DVDs would not allow installation of any program ("Group Policy Denied Action Restriction"); even changing names and file extensions did not work...

Task Manager, CMD, Regedit and Msconfig all would not work, and all local EXE files would not run but asked for a program to launch them.
Administrative Tools - Services would not run, etc., etc...


My point is: how did it get down from an IE7 page when I had a full security system installed and up to date... What did I miss?

Many thanks.
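Added example, not from this thread or from BleepingComputer: a read-only PowerShell triage script that looks for the policy settings and file-association changes behind the symptoms described in the posts above (Task Manager, Regedit and CMD refusing to start, .exe files asking which program should open them, installs refused by "local policy"). The registry paths are the standard Windows policy, file-association and Software Restriction Policy locations; treating each finding as evidence of this particular infection is an assumption, since legitimate domain policy can set the same values, and the script changes nothing.

```powershell
# Added example (not from the thread): read-only triage of the lockouts the
# original poster describes. Run from an elevated PowerShell prompt on the
# affected machine. Nothing here modifies the registry.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist (the clean state).
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Get-LockoutFindings {
    $findings = @()

    foreach ($hive in 'HKCU:', 'HKLM:') {
        # 1. Task Manager and Registry Editor lockouts (per-user and machine-wide).
        $sys = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
            $v = Get-PolicyValue -Path $sys -Name $name
            if ($v -eq 1) { $findings += "$sys\$name = $v (tool disabled by policy)" }
        }
        # 2. Command prompt lockout (1 = cmd and batch files, 2 = interactive cmd only).
        $cmdKey = "$hive\Software\Policies\Microsoft\Windows\System"
        $v = Get-PolicyValue -Path $cmdKey -Name 'DisableCMD'
        if ($v -eq 1 -or $v -eq 2) { $findings += "$cmdKey\DisableCMD = $v (command prompt disabled)" }
    }

    # 3. .exe extension mapping: the extension should resolve to the 'exefile' class.
    #    A per-user override under HKCU\Software\Classes takes precedence over HKCR.
    foreach ($key in 'HKCU:\Software\Classes\.exe', 'Registry::HKEY_CLASSES_ROOT\.exe') {
        $cls = Get-PolicyValue -Path $key -Name '(default)'
        if ($null -ne $cls -and $cls -ne 'exefile') {
            $findings += "$key = $cls (expected 'exefile')"
        }
    }

    # 4. .exe launch command: should be "%1" %* and nothing else. Anything else
    #    means every program launch is routed through another file first, which
    #    produces the "choose a program to open this with" symptom once that file
    #    is gone.
    foreach ($key in 'HKCU:\Software\Classes\exefile\shell\open\command',
                     'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command') {
        $cmd = Get-PolicyValue -Path $key -Name '(default)'
        if ($null -ne $cmd -and $cmd -ne '"%1" %*') {
            $findings += "$key = $cmd (expected '""%1"" %*')"
        }
    }

    # 5. Software Restriction Policy rules: one common source of "local policy
    #    has prevented ..." refusals. Lists any rule entries present.
    $srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (Test-Path $srp) {
        $level = Get-PolicyValue -Path $srp -Name 'DefaultLevel'
        if ($level -eq 0) { $findings += "$srp\DefaultLevel = 0 (everything disallowed by default)" }
        Get-ChildItem -Path $srp -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match '^\{[0-9a-f-]+\}$' } |
            ForEach-Object {
                $rule = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
                if ($rule.ItemData) { $findings += "SRP rule: $($rule.ItemData) at $($_.Name)" }
            }
    }

    return $findings
}

$results = Get-LockoutFindings
if ($results.Count -eq 0) {
    'No policy lockouts, .exe handler changes or SRP rules found.'
} else {
    'Findings (review each; legitimate domain policy can also set these):'
    $results | ForEach-Object { " - $_" }
}
```

The checks are split between HKCU and HKLM because the per-user hive is where a process running as the logged-in user can write without administrative rights, so that is where a browser-delivered rogue usually lands; a clean system returns no findings at all.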

#4 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:10:16 AM

Posted 03 February 2010 - 08:56 PM

I had a Full Security System installed and up to date .. What did I miss?

It is nothing you did or didn't do.
It's just the cat-and-mouse game the malware developers and the security vendors play constantly.

If you can access your BIOS and change the boot order, you can try one of these rescue disks.
=================================


If you cannot bootup normally, cannot transfer required tools to the infected machine and cannot download anything while in safe mode, then your options are limited to what security tools you have on your computer. If those tools do not work, then your options become even more limited.

Vipre rescue disk
http://live.sunbeltsoftware.com/


Have you tried using System Restore from a command prompt in Safe Mode to return to a previous state before your problems began?

If that doesn't work, these are links to anti-virus vendors that offer free LiveCD or Rescue CD utilities, which are used to boot from for repair of unbootable and damaged systems, to rescue data, and to scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO image file format. Avira uses an EXE that has built-in CD burning capability. If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Note: In order to use a rescue disk, the boot order must be set to start from the CD-ROM drive. If the CD is not first in the boot order, the computer will attempt to start normally by booting from the hard drive. The boot order is a setting found in the computer's BIOS, which runs when it is first powered on. This setting controls the order that the BIOS uses to look for a boot device from which to load the operating system. The default will normally be A:, C:, CD-ROM. Different computers have different ways to enter the BIOS. If you're not sure how to do this, refer to:
Mark