Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Post Removal Problem


  • Please log in to reply
7 replies to this topic

#1 Norm@Home

Norm@Home

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:11:53 AM

Posted 08 June 2010 - 12:51 PM

A friend of mine running XP Home ended up with that fake "Security Center" Trojan AV, despite the fact that she was running NOD32 4.2.40 which is the latest.

I followed the instruction found here to remove it but there still appears to be a problem. This is a family computer and it has five different users on the initial login screen. Four of the users have no problem at all running any program or accessing the internet. But the one user who is the one that I believe allowed the Trojan in is not capable of running any programs. When you attempt to run any program you get a dialog with the message "Choose the program that you want to use to open this file" and then a list of currently installed programs. As I have seen this problem before I located the registry fix for it:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

and when I double click on this, I am able to add it to the registry but it does not fix the problem and even after a reboot that user is still not able to run any programs.

Also when logged in as the user, the task manager was disabled "The administrator has disable access to the task manager" (or something like that) and I also found the registry fix for that and in this case it worked and Task Manager was enabled.

I have logged in as one of the other users with administrative access and ran a number of programs such as SpyBot Search & Destroy, GMer's RootKit detector and remover and as far as I can tell the system is now clean but I can't figure out how to fix this one users profile.

Does anyone have an idea about what I can do to correct this?

Thanks,

- Norm

BC AdBot (Login to Remove)

 


#2 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:04:53 PM

Posted 08 June 2010 - 01:26 PM

Hi Norm,

Give one or both of these a try:

Please download exeHelper to your desktop.
If your AV program throws up a warning about the program, ignore the warning. Some AV's flag this program because of how it works... that's all.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of exehelperlog.txt ( Will be created in the directory where you ran exeHelper.com and should open at the end of the scan)
Note : If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together ( they will both be in the one file ).



Download SREng
  • Extract it to Desktop and double click SREngLdr.EXE to run it
  • Select System Repair from the left pane.
  • Click on File Association
  • Select all entries that has an Error status click [Repair]
  • Refer to this image for an example:

    Posted Image

  • Close SREng now.
Let me know how the system is afterwards.

BBPP6nz.png


#3 Norm@Home

Norm@Home
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:11:53 AM

Posted 08 June 2010 - 06:23 PM

Hi Starbuck,

I tried both of those things, since the user login that has this problem can't run any program I logged in as one of the other users. Both programs ran without any errors and SREng did not report any errors in the status column of the file association tab.

Thanks,

- Norm

#4 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:04:53 PM

Posted 09 June 2010 - 03:25 AM

Hi Norm,

ran a number of programs such as SpyBot Search & Destroy, GMer's RootKit detector

Did you enable the 'TeaTimer' in Spybot when you installed it?
If so, please disable it.

Please disable Spybot S&Dís TeaTimer protection, because it is known to interfere with our fixes.
You can enable it again after you're clean.
Open Spybot and click on 'Mode' then click 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.

Reboot the computer.

Have you tried running 'SuperAntiSpyware' from one of the other accounts?
It should also clean the others.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Please reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
You will need to use the 'keyboard arrow keys' to navigate on this menu.
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Then choose your usual account.

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If this doesn't work, have you tried making a new account for the infected user?
If that works, remove the infected account.

BBPP6nz.png


#5 Norm@Home

Norm@Home
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:11:53 AM

Posted 09 June 2010 - 12:54 PM

Hi Starbuck,

Thanks for the reply, actually I'm happy to report that I managed to fix the problem. I had noticed that while the user was blocked from running any type of program, startup programs (appearing in the system tray) did not appear to be affected. So I took a long shot and edited the registry from one of the other users accounts and added an entry for exeHelper to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key and rebooted and logged in as the problem user. As I expected exeHelper ran on startup and it was able to run and fix the problem for that user.

I'm still doing a little testing but I'm optimistic that this has solved the problem.

Thanks so much for your help,

- Norm

#6 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:04:53 PM

Posted 09 June 2010 - 02:12 PM

Hi Norm,

Thanks for keeping us informed.

I'm still doing a little testing but I'm optimistic that this has solved the problem.

Don't hesitate to come back if you need any more help.

BBPP6nz.png


#7 Norm@Home

Norm@Home
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:11:53 AM

Posted 17 June 2010 - 06:53 PM

Starbuck,

Again, I'd like to thank you for your help on this problem.

If it's not too much trouble, I'd like to ask you another question regarding this. During the course of the week, five other people I know (not including this one) who have XP x32, Xp x64, Vista x32 have called me with similar issues: i.e. infected with Privacy Center, Defense Center and another similar one that I can't recall off the top of my head. The guides here, plus your tips have helped me get these back up and running but these people all have had NOD32 4.0.x or 4.2.35 or ESS 4.0.x and they were not protected from this attack. Up until now NOD32 which I've recommended to my friends and family (and I do use it myself) has never let me down, but this is the worst I've ever seen it and even friends of friends are calling me (and they use Norton, McAfee etc) with this problem. As far as I can tell, all these systems were fairly up to date with their Windows updates, had Java 6 update 18 or higher, a recent version of flash 10.0.x.x (most people I know haven't updated to 10.1 yet) and the anti-virus which is updated almost daily but still this garbage managed to get on these systems.

Do you have any idea how these things are managing to slip themselves onto these systems? Is it as simple as something that pops up in the web browser that people click on that the anti-virus doesn't stop or is it something else? Any advice on how to help people avoid this?

Thanks,

- Norm

#8 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:04:53 PM

Posted 21 June 2010 - 03:03 PM

Hi Norm,

Sorry for the delay in replying, i'm working away at the moment and have limited internet connection.

Is it as simple as something that pops up in the web browser that people click on that the anti-virus doesn't stop or is it something else?

Yes it can be as simple as that.
The bad guys are infecting all sorts of legit sites now.

I'm a firm believer in using:
Firefox
For added security, add the NoScript extension to this browser:
Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks
also consider adding:
WOT - Safe Browsing Tool

Web of Trust warns you about risky sites that cheat customers, deliver malware or send spam. Millions of members of the WOT community rate sites based on their experience, giving you an extra layer of protection when browsing or searching the Web.

These 2 addons will help.
NoScript takes a bit of getting used to as you have to allow certain things for each site.
But it's a great safety net.
WOT will warn you of sites ... even when doing a search.

BBPP6nz.png





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users