
xcm.exe - Odd behavior after removal


This topic is locked
15 replies to this topic

#1 Mead

Posted 19 May 2011 - 09:44 PM

After searching Google Images, my computer became infected. I updated MBAM, manually disconnected the computer from the internet (unplugged the ethernet cable), and scanned.

MBAM found 7 things wrong. The virus was a rogue antivirus program, with registry entries. I would post the log, but my problem is this:


I can't open any .exe files.


Suppose you are trying to open a file you don't have a file association for; it's like that.


'Choose the program you want to open 'regedit.exe' with'
'Choose the program you want to open 'notepad.exe' with'
'Choose the program you want to open 'firefox.exe' with'
'Choose the program you want to open 'rundll32.exe' with'


I am afraid I won't be able to do anything! I tried to access system restore, but I can't run it. I can't run ANYTHING.


I am pretty much screwed. Please help! There are a lot of files on the computer I need, so hopefully a method where I won't have to compromise them.



#2 quietman7 (Global Moderator)

Posted 19 May 2011 - 09:56 PM

Please download FixExe.reg and save it to your Desktop.
  • Double-click on that file to run.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Choose "Yes" when prompted to add it into the registry.
  • Once that is completed you should be able to run other programs.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [image]

#3 Mead (Topic Starter)

Posted 19 May 2011 - 10:24 PM

Alright, thank you very much!

Is the computer safe to use now? Should I post my MBAM log?

#4 quietman7 (Global Moderator)

Posted 20 May 2011 - 05:05 AM

Should I post my MBAM log?

Yes.

#5 Mead (Topic Starter)

Posted 20 May 2011 - 10:38 AM

Here is the log:

Spoiler



Another question ~ There is a balloon from Windows Security Center saying 'Your computer might be at risk'; the warning is because automatic updates are turned off. If I turn them on, it still won't leave. How can I make this go away?


Thanks!

#6 quietman7 (Global Moderator)

Posted 20 May 2011 - 01:20 PM

Rescan again with Malwarebytes Anti-Malware (Quick Scan) in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally will prevent Malwarebytes from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Please perform a scan with Eset Online Anti-virus Scanner.
  • If using Mozilla Firefox, you will be prompted to download and use the ESET Smart Installer. Just double-click on esetsmartinstaller_enu.exe to install.
  • Vista/Windows 7 users need to run Internet Explorer/Firefox as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green [image] button.
  • Read the End User License Agreement and check the box:
  • Check [image].
  • Click the [image] button.
  • Accept any security warnings from your browser and allow the download/installation of any required files.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click the Start button.
  • ESET will install itself, download virus signature database updates, and begin scanning your computer.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
    If given the option (when threats are found), choose "Quarantine" instead of delete.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop as ESETScan.txt.
  • Push the [image] button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply. If no threats are found, there is no option to create a log.


#7 Mead (Topic Starter)

Posted 20 May 2011 - 05:44 PM

MBAM Log:
Spoiler



ESET Log:
Spoiler



Now what? Thanks!

#8 quietman7 (Global Moderator)

Posted 20 May 2011 - 06:30 PM

Your scan results indicate a threat(s) was found in the Java cache.

When a browser runs an applet, the Java Runtime Environment (JRE) stores the downloaded files into its cache folder for quick execution later and better performance. Both legitimate applets and malicious Java class files are stored in the Java cache directory, and your anti-virus may detect them as threats. The detection can indicate the presence of malicious code which could attempt to exploit a vulnerability in the JRE. For more specific information about Java exploits, please refer to Virus found in the Java cache directory.

Notification of these files as a threat does not always mean that a machine has been infected; it indicates that a program included the viral class file, but this does not mean that it used the malicious functionality. As a precaution, I recommend clearing the entire cache manually to ensure everything is cleaned out:
Also be aware that older versions of Java have vulnerabilities that malicious sites can use to exploit and infect your system. That's why it is important to always use the most current Java version and remove outdated Java components. Even Java advises users to always have the latest version of Java, since it contains security updates and improvements to previous versions.

The latest Java version contains important enhancements to improve performance, stability and security of the Java applications that run on your machine. Installing this free update will ensure that your Java applications continue to run safely and efficiently.

Why should I upgrade to the latest Java version?
Why should I upgrade to Java 6?

You can verify (test) your JAVA Software Installation & Version here.

#9 Mead (Topic Starter)

Posted 20 May 2011 - 08:07 PM

Great, thanks. Now what can we do about the security button regarding automatic updates?

#10 quietman7 (Global Moderator)

Posted 20 May 2011 - 10:03 PM

Check your anti-virus settings or read the vendor's user guide. It is not uncommon for security programs (as well as malware) to disable the Windows Security Center in order to take control and manage that feature.

For example, NOD32 manages the Security Center by default and provides an orange alert icon when Windows updates are available. See these ESET Knowledgebase articles:
That's why tools like Malwarebytes Anti-Malware and Spybot may at times alert you about the disabled status, and then it's up to you to investigate further.

#11 Mead (Topic Starter)

Posted 20 May 2011 - 10:11 PM

Should have been clearer ~ It's not my AV program, it's windows security center itself.

#12 quietman7 (Global Moderator)

Posted 21 May 2011 - 06:04 AM

I understand it's Windows Security Center. Although you turned on WSC, if your AV has taken control of it for management, there may be a problem with the settings within the AV which need to be corrected...so check there first.

#13 Mead (Topic Starter)

Posted 21 May 2011 - 02:34 PM

I've checked both MBAM and MSE. To be honest, I'm not quite sure what I'm looking for. AFAIK nothing is wrong.

I think it has something to do with these registry keys, detected in the first MBAM scan:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

#14 quietman7 (Global Moderator)

Posted 21 May 2011 - 08:14 PM

As I said, it is not uncommon for security programs (as well as malware) to disable these keys, and for other security tools like Malwarebytes to detect and let you know they have been disabled. So if a scan is showing these entries and there are no other signs of infection, then it's likely that you or one of your security programs has disabled them. If that's the case, then adding them to Malwarebytes's Ignore list (by right-clicking) will prevent the detections from showing in future scans. If you are still experiencing symptoms of malware, do not use other security programs and did not disable them yourself, then further investigation is warranted, as there is no way to specifically tell how or by what something became disabled.

Please read the "Preparation Guide".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, please reply back here with a link to the new topic so we can close this one.
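As an added example (this is not code from the thread, from Malwarebytes, or from the FixExe.reg file quietman7 links in post #2), here is a read-only PowerShell audit of the two registry areas this thread turns on: the .exe file association that the rogue antivirus hijacked (the symptom in post #1, repaired by FixExe.reg in post #2) and the three Security Center DisableNotify values quoted from the MBAM log in post #13. It only reports; it changes nothing. The stock association value `"%1" %*`, the function names, and the reporting format are assumptions of this example, not something the thread states.

```powershell
# Added example (not from the thread): read-only audit of the .exe association
# and the Security Center *DisableNotify values discussed above.
# Assumptions: stock Windows maps HKCR\.exe -> "exefile" and
# HKCR\exefile\shell\open\command -> "%1" %*. Function names are made up here.

function Test-ExeAssociation {
    # Rogue AV hijacks the exefile handler so every .exe prompts "Choose the
    # program you want to open ... with" (post #1). Compare against the defaults.
    $expectedCommand = '"%1" %*'
    $dotExe  = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe' -ErrorAction SilentlyContinue).'(default)'
    $command = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{
        DotExeHandler = $dotExe
        OpenCommand   = $command
        Intact        = ($dotExe -eq 'exefile') -and ($command -eq $expectedCommand)
    }
}

function Get-SecurityCenterNotifyFlags {
    # The three values MBAM flagged as PUM.Disabled.SecurityCenter (post #13).
    # MBAM reports 1 as "Bad" (the warning is suppressed) and 0 as "Good";
    # an absent value behaves like 0.
    $key = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Name       = $name
            Value      = $value            # $null when the value does not exist
            Suppressed = ($value -eq 1)
        }
    }
}

# Report. A modified association or a Suppressed flag is a lead to investigate,
# not proof of infection: post #14 notes that an AV product managing Security
# Center can legitimately set these values.
$assoc = Test-ExeAssociation
if ($assoc.Intact) {
    Write-Output 'exe association: intact'
} else {
    Write-Output "exe association: MODIFIED (.exe -> '$($assoc.DotExeHandler)', open command -> '$($assoc.OpenCommand)')"
}

Get-SecurityCenterNotifyFlags | ForEach-Object {
    $state = if ($_.Suppressed) { 'SUPPRESSED (Bad: 1)' }
             elseif ($null -eq $_.Value) { 'not set (Good)' }
             else { "value $($_.Value)" }
    Write-Output "$($_.Name): $state"
}
```

Run it from an elevated PowerShell prompt on the affected machine; if the .exe association itself is broken, launch PowerShell via the Start menu rather than by double-clicking a script. The output tells you whether FixExe.reg is still needed and which Security Center notifications are currently suppressed, which is the information post #14 says you need before deciding whether the MBAM detections are benign.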

#15 Mead (Topic Starter)

Posted 21 May 2011 - 11:37 PM

Thank you for your help, topic has been posted.



