
XP Antivirus 2011


12 replies to this topic

#1 ehpohnim

Posted 24 March 2011 - 09:05 PM

Hi, thanks in advance for any help rendered on the topic at question.

Today, whilst surfing on the net, I was prompted a couple of times by some pop-up boxes saying that I had a virus which needed to be removed. I believe its the usual scam of trying to get one to purchase a bogus anti-virus software.

The pop-up name which appeared was "XP Antivirus 2011". My internet worked, but otherwise, I could not use my Internet Explorer(IE) or my Mozilla Firefox(MF). My control panel's Firewall was blocked by the same scam, so I couldn't change the settings to reactivate (turn on) my Firewall.

I was able to change my LAN settings, but was unable to get back onto IE or MF. So what I did next was to do a scan using AVG Free antivirus and illSAS(not the most updated version). I rebooted my computer after having checked all items on SAS findings after a scan, but I believe that the virus is still at large in my laptop.

I need help, please and thank you!

#2 boopme (To Insanity and Beyond, Global Moderator)

Posted 24 March 2011 - 09:25 PM

Hello, run these and post back the MBAM log, after updating your SAS and scanning.
For the connection try these...

Please click Start > Run, type inetcpl.cpl in the runbox and press enter.

Click the Connections tab and click the LAN settings option.

Verify if "Use a proxy..." is checked, if so, UNcheck it and click OK/OK to exit.

Now check if the internet explorer is working again.


>>>> Download this file and doubleclick on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 John Bane

Posted 25 March 2011 - 03:17 PM

Saved my life. Thank you.

#4 ehpohnim (Topic Starter)

Posted 25 March 2011 - 07:24 PM

To "To INSANITY and BEYOND !!"

I will be following the steps shortly. Thank you for your patience and great help!

#5 boopme (To Insanity and Beyond, Global Moderator)

Posted 25 March 2011 - 07:42 PM

Cool post the logs... This is actually the only important step "To INSANITY and BEYOND " :thumbup2:

#6 ehpohnim (Topic Starter)

Posted 26 March 2011 - 03:50 AM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6173

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/26/2011 4:49:10 PM
mbam-log-2011-03-26 (16-49-10).txt

Scan type: Quick scan
Objects scanned: 177665
Time elapsed: 15 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.Agent) -> Value: svchost -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\EHPOH\Local Settings\Application Data\ilb.exe" -a "C:\Documents and Settings\EHPOH\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\EHPOH\application data\microsoft\stor.cfg (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\EHPOH\local settings\Temp\explorer.com (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Edited by ehpohnim, 26 March 2011 - 03:51 AM.
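The log above can be triaged mechanically. As an added example (not from this thread and not Malwarebytes' own code), the Python below parses the MBAM log format shown in this post and, for each Hijack.StartMenuInternet entry, names the executable that was inserted in front of the real browser, which is how the rogue intercepted every browser launch; the sample log is constructed from lines posted above.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the MBAM log posted in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 6173

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\EHPOH\Local Settings\Application Data\ilb.exe" -a "C:\Documents and Settings\EHPOH\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\EHPOH\local settings\Temp\explorer.com (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""

# "<path> (<Detection.Name>) -> <rest>"; the path is non-greedy, so "\(default)"
# (no space before it) stays part of the path and the detection name is what follows.
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[\w.]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")
QUOTED_EXE_RE = re.compile(r'"([^"]+\.exe)"', re.IGNORECASE)

def parse_mbam_log(text):
    """Group the '<Section> Infected:' blocks of an MBAM log into parsed items."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(" Infected:"):          # section header, e.g. "Files Infected:"
            current = line[: -len(" Infected:")]
            continue
        m = ITEM_RE.match(line)                  # "(No malicious items detected)" never matches
        if current is None or not m:
            continue
        item = {"path": m["path"], "detection": m["detection"], "action": m["rest"]}
        bg = BAD_GOOD_RE.match(m["rest"])        # registry data items carry Bad/Good values
        if bg:
            item.update(bad=bg["bad"], good=bg["good"], action=bg["action"])
        sections[current].append(item)
    return dict(sections)

def hijacked_launchers(sections):
    """For each Hijack.StartMenuInternet entry, report the executable placed in front of
    the real browser (first quoted .exe in the Bad command) and the browser MBAM expected."""
    findings = []
    for item in sections.get("Registry Data Items", []):
        if item["detection"] != "Hijack.StartMenuInternet" or "bad" not in item:
            continue
        exes = QUOTED_EXE_RE.findall(item["bad"])
        wrapper = exes[0] if exes else item["bad"].split()[0]
        expected = item["good"].split()[0].lower()
        if wrapper.lower().rsplit("\\", 1)[-1] != expected:
            findings.append({"key": item["path"], "wrapper": wrapper, "expected": expected})
    return findings

if __name__ == "__main__":
    for f in hijacked_launchers(parse_mbam_log(SAMPLE_LOG)):
        print(f"{f['key']}\n  launched {f['wrapper']} instead of {f['expected']}")
```

The same parser handles the second log posted later in the thread, where the Firefox open and safemode commands were wrapped the same way.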


#7 ehpohnim (Topic Starter)

Posted 26 March 2011 - 03:52 AM

pls and thx boopme!

#8 boopme (To Insanity and Beyond, Global Moderator)

Posted 26 March 2011 - 10:47 AM

Hi, this is good. We need to clean the Temp files and do an online scan and we should be good.
Did you update SAS prior to running?

What version of JAVA,if any, is running?
Go into Control Panel>Add Remove Programs. Be sure the 'Show Updates' box is checked. Go down the list and tell me what Java applications are installed and their version. (Highlight the program to see this).


Run TFC by OT (Temp File Cleaner)
Please download TFC by Old Timer and save it to your desktop.
alternate download link

Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: [image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: [image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

NOTE: In some instances if no malware is found there will be no log produced.

#9 ehpohnim (Topic Starter)

Posted 30 March 2011 - 08:45 PM

Hi Boopme, thanks for your patience. I didn't get a pop-up for the log file, but the ESET program did detect 4 items. I uninstalled the application on close. Do I need to redo the thing?

#10 boopme (To Insanity and Beyond, Global Moderator)

Posted 30 March 2011 - 08:59 PM

No, if it quarantined or removed them it won't find them again; at least they are gone. Probably helped a lot too.
So Any more popups or redirecting?

One more and hopefully we are done.
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


What version of JAVA,if any, is running?
Go into Control Panel>Add Remove Programs. Be sure the 'Show Updates' box is checked. Go down the list and tell me what Java applications are installed and their version. (Highlight the program to see this).


Please ask any needed questions,post logs and Let us know how the PC is running now.

#11 ehpohnim (Topic Starter)

Posted 30 March 2011 - 11:16 PM

Java:
Java™ 6 Update 3 (1.6.0.30)
Java™ 6 Update 11 (6.0.110)

If that helps with the Java, let me know what else I should describe it with. Thanks. Below is the MBAM log.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6222

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/31/2011 12:09:42 PM
mbam-log-2011-03-31 (12-09-42).txt

Scan type: Quick scan
Objects scanned: 175011
Time elapsed: 16 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\ehpoh\Local Settings\Application Data\ilb.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\ehpoh\Local Settings\Application Data\ilb.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\ehpoh\Local Settings\Application Data\plw.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\ehpoh\local settings\application data\brn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\ehpoh\local settings\application data\rex.exe (Trojan.Agent) -> Quarantined and deleted successfully.


Thanks Boopme!

#12 ehpohnim (Topic Starter)

Posted 30 March 2011 - 11:22 PM

PC's running fine, but I've been attacked with the same virus twice after having followed your instructions. I followed your procedures, so it's still functioning well.

#13 boopme (To Insanity and Beyond, Global Moderator)

Posted 31 March 2011 - 09:23 AM

OK,good. Now to be sure there are no traces we'll post a DDS log. It will be a couple days for a reply but they will reply.
Since you are running well it would be a good time to do this and avoid any more comebacks.

Please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9,which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
Skip the GMER step.
Let me know if that went well.



