XP Internet Security 2011



#1 zuuf

Members, 1 posts

Posted 11 April 2011 - 09:51 AM

The guide on this site and on other sites did not quite work for me. Principally because they overlooked a few key details and/or the virus has changed since they posted their information.

I don't do torrents, I think it was a website that I visited and somehow it transferred a file to my application data directory. Everyone should update their Windows XP box, I suspect that this virus is taking advantage of unpatched systems.

Read my whole note before taking any actions. You might decide to do things a little differently with full knowledge.

Here's what 'fixed' me:
Download 2 tools on another system, if you do a google search you should find both of them:

rkill.exe
Malwarebytes' Anti-Malware

Booted up the system from another CD and transferred the 2 files onto the server. (Don't think this step is necessary if you can access a USB stick in safe mode)

Boot up the infected system into safe mode with a command line. Do not use normal safe mode.
Do not use the start menu and try to navigate to anything. There are several registry entries that have been modified that will launch the virus even in safe mode if you try to access the start menu.
From the command line run rkill.exe
From the command line run Malwarebytes' Anti-Malware

Fully write down any registry entries that Malwarebytes finds infected. You'll want to go back in later and recreate these registry entries with appropriate data values. I did not do this and my system has some issues, i.e. it's running fine now but I can no longer do windows update.

Boot up the infected system into normal mode. Log in as a different user than the one originally infected. The other problem I ran into was that the Malwarebytes' I ran in safe mode was 110 days out of date so it did not have an updated virus signature and did not remove all of the infected files. One of the key files would have re-executed if I had logged into the original user. In safe mode with command line I was unable to update the virus signature since I had no net access. If you get an updated signature in the first place then the system might actually be clean and you won't have to do the following.

Re-run rkill.exe
Re-run Malwarebytes' Anti-Malware
This time update Malwarebytes to the most up-to-date virus signature, and do a full scan. My full scan here identified the infected file and 4 registry entries.
The infected file is going to be a 3-letter (all randomly chosen) .exe. Mine was xki.exe. I had Malwarebytes remove the infected registry entries, which I think is why my Microsoft Update no longer works. It would probably be safer to fix those entries.

My system is clean, but once I back up the files I'm concerned with, I'm going to do a fresh install, migrate to Windows 7 and get rid of my last XP system.

After doing all of the above, there are 2 things I would do differently. Once I booted in safe mode with command line, I would have navigated to my infected user's application directory, looked for the exe and deleted it straight away. Bear in mind that Application Data is a system folder and potentially hidden from you unless you have changed your view types under Explorer.
The file for me was:
C:\Documents and Settings\bob\Application Data\xki.exe

So looking in the system folder Application Data under the suspected user would have been pretty easy to locate the only executable even if the name was randomly generated.

I also would have been more careful about letting the anti-virus software delete my registry entries.

Edited by Budapest, 11 April 2011 - 04:55 PM.
Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~Budapest
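The poster's second takeaway is that the dropper could have been found by hand: a single short, randomly named .exe sitting directly in a user's Application Data folder. The following is an added example (not from the post or from any tool it mentions) that turns that observation into a defender's triage check: it walks every profile under a "Documents and Settings"-style root and reports three-letter .exe files found at the top level of Application Data, so they can be noted and reviewed before anything is deleted. The sample profile tree it builds is constructed for the demonstration and contains no real malware.

```python
import re
import tempfile
from pathlib import Path

# Heuristic from the post: the rogue's dropper lived directly in the user's
# "Application Data" folder under a random three-letter name ending in .exe.
SHORT_EXE = re.compile(r"^[a-z]{3}\.exe$", re.IGNORECASE)


def find_short_named_exes(profiles_root):
    """Scan every profile under profiles_root (e.g. C:\\Documents and Settings)
    and return (user, filename, size_bytes) for each short-named .exe found
    directly in that user's Application Data folder.  Only the top level of
    Application Data is checked, matching where the post found xki.exe."""
    hits = []
    root = Path(profiles_root)
    for profile in sorted(p for p in root.iterdir() if p.is_dir()):
        appdata = profile / "Application Data"
        if not appdata.is_dir():
            continue
        for entry in sorted(appdata.iterdir()):
            if entry.is_file() and SHORT_EXE.match(entry.name):
                hits.append((profile.name, entry.name, entry.stat().st_size))
    return hits


def build_sample_profiles():
    """Constructed sample tree (assumption for the demo, not real malware):
    mimics the layout of an XP 'Documents and Settings' directory so the
    scan can be exercised offline."""
    base = Path(tempfile.mkdtemp(prefix="xp_profiles_"))
    layout = {
        "bob/Application Data/xki.exe": b"MZ-constructed-sample",  # the pattern the post describes
        "bob/Application Data/Microsoft/abc.exe": b"MZ",            # nested: not checked
        "alice/Application Data/updater.exe": b"MZ",                # long name: ignored
        "alice/Application Data/notes.txt": b"text",
    }
    for rel, data in layout.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return base


if __name__ == "__main__":
    for user, name, size in find_short_named_exes(build_sample_profiles()):
        print(f"{user}: {name} ({size} bytes) -> record it, then review before deleting")
```

Run against a real root, the output is a list to write down alongside the registry entries the scanner reports, which is the record the poster wished he had kept.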
