Post "xp antivirus pro 2010" infection problems



#1 Atomizer


Posted 15 February 2010 - 04:17 PM

I am currently using Windows XP SP2, Internet Explorer 7.

I recently had the "xp antivirus pro 2010" fake antivirus but was finally able to remove it with Spyware Doctor, though I still have a few problems.

Here are the steps I took:

I first saw the infection when my browser (I.E. 7) closed and I got a message saying that it was infected.

Task manager showed the "av.exe" process as well as about 25 "smss32.exe" processes, so I knew that those were obviously the virus.

I tried using Malwarebytes, then Avast, but found that both were blocked.

Because I could not start my browser correctly, I used a different computer, and found a solution which recommended the use of "msconfig" to block smss32 on startup, then going into the C:\WINDOWS\System32 folder and deleting smss32.exe, winlogon32.exe, helper.dll, and 41.exe.

I tried the above solution, and when the computer booted back up after the use of msconfig, I found that my wireless internet adapter could not see any networks, and that my task manager had been disabled. I then used HijackThis to kill anything related to smss32, then went into the system32 folder and deleted the smss32.exe, winlogon32.exe, helper.dll, and 41.exe files, then rebooted again.

After the reboot, I got stuck in the logon-logoff loop, which I eventually fixed with a solution I found online that used BartPE to edit the userinit registry file. I also deleted some clearly virus files structured as: <innocuous filename><x number of spaces>.exe

After successfully logging back in, I found that the fake antivirus was still there. I reenabled my internet connection by restarting Windows Wireless Zero Configuration, which had apparently been what the virus disabled. I was able to use Malwarebytes after renaming mbam.exe to mbam.com; however, the only thing I was able to use it for was to reenable the task manager. The task manager showed that apparently smss32 was gone, so I was partially successful.

At this point I used Spyware Doctor to remove the fake antivirus successfully, after which I was able to use my computer somewhat normally.

However, I have found 2 problems:

1) Windows Firewall is not working, and I can't find a way to enable it. The Security Center tells me to use "Windows Firewall" to reenable the firewall; however, all options in Windows Firewall are greyed out, so I can do nothing.

2) Also, for some reason, all .exe files are now described as "secfile", though they had previously been described as "application", I think. I checked the registry, and found that under HKEY_CURRENT_USER\Software\Classes\.exe, (Default)=secfile and Content Type=application/x-msdownload.
Will simply changing "secfile" to "application" fix the .exe file problem or is there something else I need to do?

Edited by Atomizer, 15 February 2010 - 04:33 PM.



 


#2 Atomizer


Posted 16 February 2010 - 08:50 AM

Update - I noticed some other strange occurrences:

1) Internet Explorer sometimes freezes when I try to close it, and I am forced to use task manager.

2) Programs minimize themselves for no apparent reason.

3) Avast gripes about a file called KBDSOCK.DLL in the C/WINDOWS/system32 folder, but cannot remove it. Should I try to manually remove it?

4) Several programs have had multiple executables placed in their folders, which vary only by the number of spaces between the filename and the .exe - Daemon Tools in particular has this problem, but I can't determine which file is real - one is larger than the others, has the standard Daemon Tools icon, but has the greatest number of spaces.

Please help me fix this soon, thanks.
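A way to inventory the space-padded executables described in the two posts above, as an added example that is not part of the original thread. It groups files whose names differ only by spaces before the extension so each group can be reviewed or submitted to a scanner; it does not decide which copy is genuine, and the sample listing and sizes are constructed.

```python
import os
import re
from collections import defaultdict

EXTS = (".exe", ".com", ".scr", ".dll")
# Stem, one or more spaces, then the extension: "daemon   .exe"
PADDED = re.compile(r"^(?P<stem>.*?\S)(?P<pad> +)\.(?P<ext>exe|com|scr|dll)$",
                    re.IGNORECASE)

def canonical(name):
    """Return (name with the padding removed, number of padding spaces)."""
    m = PADDED.match(name)
    if not m:
        return name.lower(), 0
    return f"{m['stem']}.{m['ext']}".lower(), len(m["pad"])

def group_lookalikes(entries):
    """entries: iterable of (directory, filename, size).
    Returns {(directory, canonical_name): [(filename, pad, size), ...]}
    for every group that contains at least one space-padded name."""
    groups = defaultdict(list)
    for directory, name, size in entries:
        canon, pad = canonical(name)
        if canon.endswith(EXTS):
            groups[(directory.lower(), canon)].append((name, pad, size))
    return {key: sorted(files, key=lambda f: f[1])
            for key, files in groups.items()
            if any(pad for _, pad, _ in files)}

def walk(root):
    """Yield (directory, filename, size) for every file under root."""
    for directory, _dirs, files in os.walk(root):
        for name in files:
            yield directory, name, os.path.getsize(os.path.join(directory, name))

# Constructed listing: same shape as the output of walk().
SAMPLE = [
    (r"C:\Program Files\DAEMON Tools", "daemon.exe", 151552),
    (r"C:\Program Files\DAEMON Tools", "daemon .exe", 151552),
    (r"C:\Program Files\DAEMON Tools", "daemon   .exe", 486856),
    (r"C:\WINDOWS\system32", "notepad.exe", 69120),
    (r"C:\WINDOWS\system32", "readme .txt", 10),
]

if __name__ == "__main__":
    for (directory, canon), files in group_lookalikes(SAMPLE).items():
        print(directory, canon, files)
```

On a live system, pass `walk(r"C:\Program Files")` instead of `SAMPLE`.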

#3 Orange Blossom


Posted 20 February 2010 - 03:22 PM

Hello,

I would suggest following the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==

If you can produce some of the logs, please create the new topic. If you cannot produce any of the logs, then post back here and we will provide you with further instructions.

Orange Blossom :thumbsup: