
XP Defender, fake antivirus thing


4 replies to this topic

#1 mattsbury

mattsbury

  • Members
  • 40 posts
  • OFFLINE
  • Gender:Male
  • Location:Manchester, UK
  • Local time:09:59 PM

Posted 13 April 2010 - 06:17 PM

Yeah this XP Defender piece of crap has come up on my laptop gahhh... got through my AVG and now has disabled my task manager and also won't let me open MBAM. Someone really helped me on here when I last had problems so I thought I would come here before risking damaging my netbook and get help from an expert.

Any help would be greatly appreciated.

Thanks,

Matt


#2 mattsbury

mattsbury
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Gender:Male
  • Location:Manchester, UK
  • Local time:09:59 PM

Posted 14 April 2010 - 02:15 PM

Well, I followed someone else's advice and ran the registry key thing, and then I managed to get MBAM on and running... and this is my log, it said they couldn't all be removed though... my log is below.


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3987

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

14/04/2010 20:11:18
mbam-log-2010-04-14 (20-11-18).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 160381
Time elapsed: 1 hour(s), 0 minute(s), 6 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
C:\Documents and Settings\Matty\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuauclt1ac.exe (Trojan.FakeAV) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: regnav.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Matty\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Matty\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\IEXPLORE.EXE") Good: (iexplore.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Matty\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\regnav.dll (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\Matty\Local Settings\temp\wuauclt1ac.exe (Trojan.FakeAV) -> No action taken.
C:\WINDOWS\system32\spool\prtprocs\w32x86\152C.tmp (Rootkit.TDSS) -> No action taken.
C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Application Data\sysReserve.ini (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Application Data\h8srtkrl32mainweq.dll (Rootkit.Trace) -> No action taken.
C:\WINDOWS\system32\msls50.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Matty\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> No action taken.

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:04:59 PM

Posted 14 April 2010 - 03:57 PM

Hello, sometimes the "No Action Taken" in the log means you did not click the "Remove Selected" button, did you?

We need to do a few more things now.

Please run TDSSKiller:
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

Next run ATF and SAS: If you cannot access Safe Mode, run in normal, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter Safe Mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.




Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 mattsbury

mattsbury
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Gender:Male
  • Location:Manchester, UK
  • Local time:09:59 PM

Posted 14 April 2010 - 06:06 PM

Hi Boopme, many thanks for helping me with this, it's much appreciated.

I had definitely clicked to remove the nasty stuff, and now the XP Defender thing isn't popping up anymore.

I did another MBAM scan before I saw your reply, just a quick scan, so I thought I had better show the log.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3987

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

14/04/2010 20:42:37
mbam-log-2010-04-14 (20-42-37).txt

Scan type: Quick scan
Objects scanned: 111926
Time elapsed: 8 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: regnav.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\regnav.dll (Trojan.Vundo.H) -> Delete on reboot.



And here is the TDSS log



00:00:51:078 3408 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
00:00:51:078 3408 ================================================================================
00:00:51:078 3408 SystemInfo:

00:00:51:078 3408 OS Version: 5.1.2600 ServicePack: 3.0
00:00:51:078 3408 Product type: Workstation
00:00:51:078 3408 ComputerName: MATT
00:00:51:078 3408 UserName: Matty
00:00:51:078 3408 Windows directory: C:\WINDOWS
00:00:51:078 3408 Processor architecture: Intel x86
00:00:51:078 3408 Number of processors: 2
00:00:51:078 3408 Page size: 0x1000
00:00:51:093 3408 Boot type: Normal boot
00:00:51:093 3408 ================================================================================
00:00:51:093 3408 UnloadDriverW: NtUnloadDriver error 2
00:00:51:109 3408 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
00:00:51:296 3408 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
00:00:51:296 3408 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
00:00:51:296 3408 wfopen_ex: Trying to KLMD file open
00:00:51:296 3408 wfopen_ex: File opened ok (Flags 2)
00:00:51:296 3408 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
00:00:51:328 3408 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
00:00:51:328 3408 wfopen_ex: Trying to KLMD file open
00:00:51:328 3408 wfopen_ex: File opened ok (Flags 2)
00:00:51:328 3408 Initialize success
00:00:51:328 3408
00:00:51:328 3408 Scanning Services ...
00:00:52:312 3408 Raw services enum returned 342 services
00:00:52:328 3408
00:00:52:328 3408 Scanning Kernel memory ...
00:00:52:328 3408 Devices to scan: 2
00:00:52:328 3408
00:00:52:328 3408 Driver Name: Disk
00:00:52:328 3408 IRP_MJ_CREATE : F760EBB0
00:00:52:328 3408 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
00:00:52:328 3408 IRP_MJ_CLOSE : F760EBB0
00:00:52:328 3408 IRP_MJ_READ : F7608D1F
00:00:52:328 3408 IRP_MJ_WRITE : F7608D1F
00:00:52:328 3408 IRP_MJ_QUERY_INFORMATION : 804F4562
00:00:52:328 3408 IRP_MJ_SET_INFORMATION : 804F4562
00:00:52:328 3408 IRP_MJ_QUERY_EA : 804F4562
00:00:52:328 3408 IRP_MJ_SET_EA : 804F4562
00:00:52:328 3408 IRP_MJ_FLUSH_BUFFERS : F76092E2
00:00:52:328 3408 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
00:00:52:328 3408 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
00:00:52:328 3408 IRP_MJ_DIRECTORY_CONTROL : 804F4562
00:00:52:328 3408 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
00:00:52:328 3408 IRP_MJ_DEVICE_CONTROL : F76093BB
00:00:52:328 3408 IRP_MJ_INTERNAL_DEVICE_CONTROL : F760CF28
00:00:52:328 3408 IRP_MJ_SHUTDOWN : F76092E2
00:00:52:328 3408 IRP_MJ_LOCK_CONTROL : 804F4562
00:00:52:328 3408 IRP_MJ_CLEANUP : 804F4562
00:00:52:328 3408 IRP_MJ_CREATE_MAILSLOT : 804F4562
00:00:52:328 3408 IRP_MJ_QUERY_SECURITY : 804F4562
00:00:52:328 3408 IRP_MJ_SET_SECURITY : 804F4562
00:00:52:328 3408 IRP_MJ_POWER : F760AC82
00:00:52:328 3408 IRP_MJ_SYSTEM_CONTROL : F760F99E
00:00:52:328 3408 IRP_MJ_DEVICE_CHANGE : 804F4562
00:00:52:328 3408 IRP_MJ_QUERY_QUOTA : 804F4562
00:00:52:328 3408 IRP_MJ_SET_QUOTA : 804F4562
00:00:52:375 3408 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
00:00:52:375 3408
00:00:52:375 3408 Driver Name: atapi
00:00:52:375 3408 IRP_MJ_CREATE : F741B6F2
00:00:52:375 3408 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
00:00:52:375 3408 IRP_MJ_CLOSE : F741B6F2
00:00:52:375 3408 IRP_MJ_READ : 804F4562
00:00:52:375 3408 IRP_MJ_WRITE : 804F4562
00:00:52:375 3408 IRP_MJ_QUERY_INFORMATION : 804F4562
00:00:52:375 3408 IRP_MJ_SET_INFORMATION : 804F4562
00:00:52:375 3408 IRP_MJ_QUERY_EA : 804F4562
00:00:52:375 3408 IRP_MJ_SET_EA : 804F4562
00:00:52:375 3408 IRP_MJ_FLUSH_BUFFERS : 804F4562
00:00:52:375 3408 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
00:00:52:375 3408 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
00:00:52:375 3408 IRP_MJ_DIRECTORY_CONTROL : 804F4562
00:00:52:375 3408 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
00:00:52:375 3408 IRP_MJ_DEVICE_CONTROL : F741B712
00:00:52:375 3408 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7417852
00:00:52:375 3408 IRP_MJ_SHUTDOWN : 804F4562
00:00:52:375 3408 IRP_MJ_LOCK_CONTROL : 804F4562
00:00:52:375 3408 IRP_MJ_CLEANUP : 804F4562
00:00:52:375 3408 IRP_MJ_CREATE_MAILSLOT : 804F4562
00:00:52:375 3408 IRP_MJ_QUERY_SECURITY : 804F4562
00:00:52:375 3408 IRP_MJ_SET_SECURITY : 804F4562
00:00:52:375 3408 IRP_MJ_POWER : F741B73C
00:00:52:375 3408 IRP_MJ_SYSTEM_CONTROL : F7422336
00:00:52:375 3408 IRP_MJ_DEVICE_CHANGE : 804F4562
00:00:52:375 3408 IRP_MJ_QUERY_QUOTA : 804F4562
00:00:52:375 3408 IRP_MJ_SET_QUOTA : 804F4562
00:00:52:484 3408 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
00:00:52:484 3408
00:00:52:484 3408 Completed
00:00:52:484 3408
00:00:52:484 3408 Results:
00:00:52:484 3408 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
00:00:52:484 3408 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
00:00:52:484 3408 File objects infected / cured / cured on reboot: 0 / 0 / 0
00:00:52:484 3408
00:00:52:484 3408 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
00:00:52:484 3408 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
00:00:52:484 3408 KLMD(ARK) unloaded successfully

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:04:59 PM

Posted 14 April 2010 - 07:53 PM

Great!! Now do the file cleaner and SAS and we should have it all.



