I was infected with XP Smart Security, now I have a 'pop up' issue.


This topic is locked
42 replies to this topic

#1 Antheaa

Posted 25 April 2010 - 07:42 AM

About a week ago, I was infected with 'XP Smart Security'.
After manually removing the infection using SpywareRemove.com's "XP Smart Security 2010 Removal Guide", everything was fine again.
Today I just noticed I had been getting more pop ups than usual, and that they were all similar.

I get a webpage open every hour or so which begins as an advertisement but soon directs me to "Google.com/webhp", and also when I search something on Google and I click on one of the search results it redirects me to another, unrelated page.
Today I ran MBAM and I'll post the log below.
What shall I do now?


*****************************************************************************
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

25/04/2010 10:54:15 AM
mbam-log-2010-04-25 (10-54-15).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 183843
Time elapsed: 50 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Antheaa, 25 April 2010 - 07:51 AM.




#2 certifiedgeek

Posted 25 April 2010 - 12:58 PM

Hi there,

I would first run TFC by Old Timer which will help clean out any temp files, but make sure you follow the instructions on this page on how to use it.

Don't forget to update MBAM before you run it as it looks like you are using 1.41 and I think 1.45 is out now. You can download it here.

I would then run SUPERAntispyware and please post the logs you get from that too.


Let me know if you have any questions.

#3 Antheaa

Posted 25 April 2010 - 08:19 PM

QUOTE(certifiedgeek @ Apr 26 2010, 03:28 AM)
Hi there,

I would first run TFC by Old Timer which will help clean out any temp files, but make sure you follow the instructions on this page on how to use it.

Don't forget to update MBAM before you run it as it looks like you are using 1.41 and I think 1.45 is out now. You can download it here.

I would then run SUPERAntispyware and please post the logs you get from that too.


Let me know if you have any questions.


Hello,
Sorry if I sound difficult, but I was just wondering if TFC is completely 'safe'.
After scrolling through the TFC comments and researching a little, I came across a few people having issues such as it not rebooting correctly or even Internet Explorer not working after the scan.

Of course I still will run it if necessary, but is there anything in particular I should do to avoid these outcomes?

Edited by Antheaa, 25 April 2010 - 08:20 PM.


#4 certifiedgeek

Posted 25 April 2010 - 10:07 PM

No worries! There are other ones we can use and if it will make you feel better, then I'm all for it! We will use ATF instead of TFC and then try to proceed with the temp file removal followed by the SUPERAntispyware. I posted some better instructions for SUPERAntispyware for you as well. Use the ATF tool in safe mode too right before you use SUPERAntispyware.

Please download ATF Cleaner by Atribune & save it to your desktop.

* Close all open browsers before using, especially FireFox. <-Important!!!
* Double-click ATF-Cleaner.exe to run the program.
* Under Main "Select Files to Delete" choose: Select All.
* Click the Empty Selected button.
* If you use Firefox browser click Firefox at the top and choose: Select All
* Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
* If you use Opera browser click Opera at the top and choose: Select All
* Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.

Notes: On Vista, "Windows Temp" is disabled. To empty Temp, ATF-Cleaner must be Run As Administrator.
The Prefetch cleaning feature has been disabled for Vista Users. Tabs for applications that are not installed are grayed out.


Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

#5 Antheaa

Posted 26 April 2010 - 12:53 AM

Thank you for your help, I'll try that.. but before I can do so I need to find another way to get into safe mode.
I have never been able to reboot my computer into safe mode using the F8 method, so how should I go about getting into safe mode?

Edited by Antheaa, 26 April 2010 - 12:54 AM.


#6 certifiedgeek

Posted 26 April 2010 - 09:09 AM

Yes, there are other ways to get into safe mode, but I don't recommend them so please don't try. What happens when you try using the F8 method?

Feel free to do the SAS scans and updated MBAM scans in normal mode as well as using the ATF cleaner.

Please post the logs when you have a moment.

#7 Antheaa

Posted 27 April 2010 - 01:44 AM

Okay, I'll run the scans in normal mode and post the logs once they're done.
And when I press 'F8' during startup, nothing happens. The normal startup process just occurs.

#8 Antheaa

Posted 27 April 2010 - 04:30 AM

Okay, well I ran the ATF cleaner, then SAS followed by MBAM.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/27/2010 at 04:59 PM

Application Version : 4.35.1002

Core Rules Database Version : 4855
Trace Rules Database Version: 2667

Scan type : Complete Scan
Total Scan Time : 00:19:37

Memory items scanned : 468
Memory threats detected : 0
Registry items scanned : 6522
Registry threats detected : 0
File items scanned : 17597
File threats detected : 0
*****************************************************
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

27/04/2010 6:35:33 PM
mbam-log-2010-04-27 (18-35-33).txt

Scan type: Full scan (C:\|)
Objects scanned: 184854
Time elapsed: 44 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\User\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#9 Antheaa

Posted 27 April 2010 - 06:53 AM

Oh my god, I was just reinfected with XP Smart Security about 10 minutes ago.
I'm not sure if the old virus was somehow resurrected or if I somehow managed to download it again.
But I wasn't sure what to do, so I just ran SAS whilst I had the virus and it detected and removed some things.
Then I restarted my computer and ran MBAM which found even more viruses (I'll post the logs to both below).

My problem now is that when I go to open any 'exe' file (such as Internet Explorer) a box comes up saying 'Open with'.
For example; I double-click the IE icon, 'Open with' pops up, I select 'open with IE', the window opens for about one or two seconds, then a popup saying 'Do you want to run or save this file? iexplorer.exe' comes up and when I click run the process just repeats itself.

The only way to get things to open is to right click on the file and click 'start'.

So now I have more problems,
1. I got reinfected which I hope is now gone
2. I cannot open any exe files without right clicking and selecting 'start'
3. I still have my original hourly pop-up and redirect issue.

************************************************************************
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/27/2010 at 09:04 PM

Application Version : 4.35.1002

Core Rules Database Version : 4855
Trace Rules Database Version: 2667

Scan type : Quick Scan
Total Scan Time : 00:05:36

Memory items scanned : 516
Memory threats detected : 1
Registry items scanned : 492
Registry threats detected : 0
File items scanned : 5376
File threats detected : 38

Trojan.Agent/Gen-RogueAV
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\APPLICATION DATA\AVE.EXE
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\APPLICATION DATA\AVE.EXE
C:\WINDOWS\Prefetch\AVE.EXE-3B335A0B.pf

Adware.Tracking Cookie
***************************************************************************************************
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

27/04/2010 9:32:18 PM
mbam-log-2010-04-27 (21-32-18).txt

Scan type: Quick scan
Objects scanned: 111342
Time elapsed: 4 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\User\Local Settings\Application Data\ave.exe" /START "iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Antheaa, 27 April 2010 - 07:06 AM.
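The second MBAM log above records how the rogue took over program launching: HKCR\.exe was re-pointed from exefile to a planted secfile ProgID, a shell\open\command was added directly under HKCR\.exe, the Internet Explorer Start Menu entry was wrapped in ave.exe, and the three Security Center DisableNotify values were set to 1, which is why every .exe produced the 'Open with' and 'run or save' loop. As an added example that is not part of this thread or of any tool it names, the PowerShell audit below reads those same keys and reports any deviation from their clean values; the '"%1" %*' launcher string for exefile is assumed from the standard Windows default and is not quoted on the page.

```powershell
# Added example, not from the thread: a read-only audit of the registry
# values the MBAM logs above reported as hijacked by the XP Smart Security
# rogue. It reports deviations from the clean values and changes nothing.
# Run from an elevated PowerShell prompt.

# Expose HKEY_CLASSES_ROOT as a drive so its keys can be read like HKLM:.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is missing. '(default)' is the
    # property name PowerShell gives a key's default value.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-ExeHijack {
    $findings = @()

    # 1. The .exe extension must map to the 'exefile' ProgID. The log showed
    #    it pointing at 'secfile' (Hijacked.exeFile).
    $progId = Get-RegValue 'HKCR:\.exe' '(default)'
    if ($progId -ne 'exefile') {
        $findings += "HKCR\.exe default is '$progId' (expected 'exefile')"
    }

    # 2. A clean system has no shell\open\command directly under HKCR\.exe;
    #    MBAM reported one as Hijack.ExeFile.
    if (Test-Path 'HKCR:\.exe\shell\open\command') {
        $findings += 'HKCR\.exe\shell\open\command exists (should not)'
    }

    # 3. The rogue's own ProgID (Rogue.MultipleAV in the log) should be gone.
    if (Test-Path 'HKCR:\secfile') {
        $findings += 'HKCR\secfile exists (rogue ProgID left behind)'
    }

    # 4. The real launcher. '"%1" %*' is the standard Windows default
    #    (assumed here; the page does not quote it).
    $cmd = Get-RegValue 'HKCR:\exefile\shell\open\command' '(default)'
    if ($cmd -ne '"%1" %*') {
        $findings += "HKCR\exefile\shell\open\command is '$cmd' (expected '""%1"" %*')"
    }

    # 5. Start Menu IE entry (Hijack.StartMenuInternet): clean systems run
    #    iexplore.exe directly; the log showed ave.exe wrapped around it.
    $ie = Get-RegValue 'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command' '(default)'
    if ($null -ne $ie -and $ie -notmatch '^"?([A-Za-z]:\\[^"]*\\)?iexplore\.exe"?$') {
        $findings += "StartMenuInternet IE command is '$ie' (expected iexplore.exe only)"
    }

    # 6. Security Center notification switches (Disabled.SecurityCenter):
    #    the rogue set all three to 1 to silence Windows' own warnings.
    $sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        $v = Get-RegValue $sc $name
        if ($null -ne $v -and $v -ne 0) {
            $findings += "$name is $v (expected 0)"
        }
    }
    return $findings
}

$result = @(Test-ExeHijack)
if ($result.Count -eq 0) {
    Write-Output 'No deviations found in the audited keys.'
} else {
    $result | ForEach-Object { Write-Output "HIJACK? $_" }
}
```

Any line it prints corresponds to a value MBAM would list under "Registry Values Infected" or "Registry Data Items Infected"; a FixExe-style .reg file restores the .exe mapping, but the Security Center and StartMenuInternet entries need their own fixes.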


#10 Antheaa

Posted 27 April 2010 - 07:12 AM

Okay, sorry about all that confusion but things seem to have gotten slightly better.
After running MBAM which detected several viruses and removed them, I restarted my computer.

The latest MBAM scan corrected my 'exe' error, so now all exe programs work normally.
I don't know where to go from here, I'm not sure what's happening with my computer at the moment.

#11 certifiedgeek

Posted 27 April 2010 - 10:01 AM

Update your MBAM since it looks like you are using old definitions. When you start MBAM, look for the update tab, then you can update them from within the program. Then rerun the MBAM scan using the full scan.

Also, please do a quick BitDefender online scan.

Also, when you restart your computer, start tapping F8 pretty much immediately after beep, and don't stop pushing it until you see white text on a black screen that should allow you to select safe mode without networking. If you see the Windows XP screen with the scrolling bar, you've missed it so it's before that. If you can get into safe mode, then do a full SAS scan.

Then post the logs, please.

#12 Antheaa

Posted 10 May 2010 - 05:29 AM

Okay, I'm so sorry for not replying in such a long time.. but I was away from home.
But I'm back now, and I seem to have another problem. (They never seem to end)

Urgent, anyone's help will be appreciated!
I somehow managed to get another virus I think, I'm pretty sure it's from all these pop-ups/Google search result redirecting.
But anyways, whenever I go to run any 'exe' file, I get this error message:
"Security Warning:
Application cannot be executed. The file ****.exe is infected. Do you want to activate your antivirus software now?"

I keep clicking no, but now I'm not sure what to do. I'm even too scared to restart my computer, because right now the programs I already have open are thankfully working (Internet, Windows Live Messenger, Microsoft Word)
and as I'm a student, I need the internet & Microsoft Word on a daily basis so I'm just worried that they'll be unavailable for a while.

Update- I'm not sure what I did, or if I accidentally clicked 'yes'.
But now whenever I go to open an .exe file, nothing happens. Like, the popup doesn't appear anymore. It just doesn't open.

Where shall I go from here?

Edited by Antheaa, 10 May 2010 - 05:50 AM.


#13 Elise

Posted 10 May 2010 - 09:46 AM

Hi, certifiedgeek is currently unavailable and asked me to take this topic over.

Since it sounds like you need to get rid of this ASAP, let's not waste time trying to get tools to work in either normal or safe mode, but just do it another way.

I am moving this topic to the appropriate forum.

OK, this file is big. Print these instructions out so that you know what you are doing.

Two programs to download

First

ISOBurner this will allow you to burn OTLPE ISO to a cd and make it bootable. Just install the program, from there on in it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#14 Antheaa

Posted 11 May 2010 - 02:13 AM

I downloaded both programs, but now I still have the problem that I cannot run ISO Burner.
The "Application cannot be executed" error as stated previously comes up whenever I try to run it.

I've tried to run it multiple times, and a few times the program comes up but within a second or two it's closed and the error message comes up.

#15 Elise

Posted 11 May 2010 - 02:46 AM

Please try to download and run this file first and see if that fixes the problem: http://download.bleepingcomputer.com/reg/a...2010/FixExe.reg

regards, Elise

