Fake anti-virus warning; Now PC will not load Windows


3 replies to this topic

#1 brian_m_a


Posted 10 February 2010 - 10:27 PM

My parents clicked the “Infect my computer” button on a pop-up. The PC will not completely boot into Windows XP (not even safe mode). When you press the power button, the "Windows failed to load properly... Boot in safe mode" etc. menu appears. It doesn't matter which option you choose; as soon as the Windows desktop background appears, the "Windows is shutting down" screen appears and the computer shuts off.

Using an Ubuntu live CD, I accessed their cookies and found the last entry was buy-internet-security-10(1).txt

I used an Avira rescue CD in “Action at malware discovery: Protocol malware record only”.

Avira reports:

U.exe <<<is the Trojan horse TR/Dldr.FraudLoad.wxvl.18

(TR/Dldr.FraudLoad.wxvl.18) is reported in many other places as well as:

TR/Crypt.ZPACK.Gen
TR/Crypt.XPACK.Gen2
TR/Rootkit.Gen

What is the best course of action?

Thank you in advance.

Edited by Orange Blossom, 10 February 2010 - 10:37 PM.
Move to AII. ~ OB




#2 brian_m_a


Posted 12 February 2010 - 12:34 PM

More Info:


In the process of backing up documents (using Ubuntu) I found: Internet Security 2010 is also present -> C:\Program Files\Internet Security 2010



--Brian

#3 brian_m_a


Posted 13 February 2010 - 10:34 AM

Update:

1. All documents modified since last backup have been copied to DVD
2. All files marked as threat by Avira recovery CD have been removed
3. Used Windows recovery console to end Logon/Logoff loop
4. Booted into Windows Safe Mode
5. Downloaded and installed Malwarebytes.
6. Unable to perform full scan with Malwarebytes: system locked
7. Quick scan with Malwarebytes removed 13 threats
8. Subsequent full scan with Malwarebytes revealed no malicious threats
9. Fresh install of Spybot found no threats
10. Boot into Windows normal
11. Fresh install of SuperAntiSpyware removed Trojan.Unclassified/Loader -Suspicous


MBAM

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 1

Registry Data Items Infected: 5

Folders Infected: 1

Files Infected: 3

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\IS2010 (Rogue.InternetSecurity2010) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\{F9197A7E-CE10-458e-85F8-5B0CE6DF2BBE} (Trojan.Agent) -> No action taken.



Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet security 2010 (Rogue.InternetSecurity2010) -> No action taken.



Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.



Folders Infected:

C:\Program Files\InternetSecurity2010 (Rogue.InternetSecurity2010) -> No action taken.



Files Infected:

C:\Program Files\InternetSecurity2010\IS2010._xe (Rogue.InternetSecurity2010) -> No action taken.

C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\userinit.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.




Although MBAM log shows No Action Taken, I know I selected FIX. Items tagged by MBAM do not show on system any more.
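
As an added example (not part of the original post, and not Malwarebytes' own code), the script below parses result lines in the format of the MBAM log above and pulls out the entries that start a program at logon: the `Run` value and the extra executable appended to `Winlogon\Userinit`. The function names and the `C:\WINDOWS` install path are assumptions.

```python
import re

# Lines copied from the MBAM log in the post above.
SAMPLE_LOG = r"""
HKEY_CURRENT_USER\SOFTWARE\IS2010 (Rogue.InternetSecurity2010) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet security 2010 (Rogue.InternetSecurity2010) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> No action taken.
"""

# Shape of a result line: <item> (<detection>) [-> Bad: (..) Good: (..)] -> <action>.
ENTRY = re.compile(
    r"^(?P<item>.+?) \((?P<name>[A-Za-z][\w.]*)\)"
    r"(?: -> Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\))?"
    r" -> (?P<action>.+?)\.?$"
)

# Assumption: Windows is installed in C:\WINDOWS, as in the log above.
LEGIT_USERINIT = {r"c:\windows\system32\userinit.exe", "userinit.exe"}
RUN_KEY = "\\currentversion\\run\\"


def parse(log):
    """Return one dict per line that matches the MBAM result format."""
    return [m.groupdict() for line in log.splitlines()
            if (m := ENTRY.match(line.strip()))]


def extra_userinit(value):
    """Programs chained onto the Userinit value besides the real userinit.exe."""
    parts = [p.strip() for p in value.split(",")]
    return [p for p in parts if p and p.lower() not in LEGIT_USERINIT]


def autostart_findings(entries):
    """(detection, launched items) for entries that run something at logon."""
    found = []
    for e in entries:
        item = e["item"].lower()
        if item.endswith("\\winlogon\\userinit") and e["bad"]:
            found.append((e["name"], extra_userinit(e["bad"])))
        elif RUN_KEY in item:
            found.append((e["name"], [e["item"].rsplit("\\", 1)[-1]]))
    return found


if __name__ == "__main__":
    for name, launched in autostart_findings(parse(SAMPLE_LOG)):
        print(name, "->", launched)
```

The log records only the name of the `Run` value, not its data, so for that entry the script reports the value name.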

#4 brian_m_a


Posted 04 March 2010 - 08:31 PM

Formatted and re-installed OS. I have posted a new request for assistance on a different, unrelated PC. Please consider this topic closed to avoid confusion.

--Brian



