
"XP Total Security" infection


#1 redryder4

  • Members
  • 25 posts

Posted 05 June 2011 - 11:02 PM

Hi there... Long time, no infection... I

Well, it appears as though I got a virus posing as a "XP TOTAL SECURITY". The infected PC is a laptop running Win XP. My wife was on Facebook the first time the "scan" started.

It has shut off my McAfee AV and any attempt to reactivate it in Windows Security Center starts up "XP TOTAL SECURITY" and a series of simulated scans/infections.

I did get a seemingly legitimate McAfee message stating "C:Docs&Settings\Rhonda\Local Settings\app data\FGB.EXE" is attempting to access the internet - allow, block, etc. I chose block (hopefully it was a real message).

I tried finding FGB.EXE in the stated path and did not see it. I attempted to install/run "unhide" from a thumb drive, but "XP TOTAL SECURITY" blocks it.

I also tried to run "flash dis-infector.exe" with no success (XP Total Security starts up - does its scan, etc).

Please help!!

Thanks in advance,

Paul


#2 herg62123

  • Members
  • 553 posts
  • Gender:Male
  • Location:Montgomery, AL

Posted 06 June 2011 - 12:15 AM

hello paul my name is herg62123 (or Rob for short)

sorry to hear about the issue you are having.....question for you: does the program look like this on the link: XP Total Security Removal Guide

if it does, towards the bottom of this article there is hope at the end of the tunnel.....lol

look for the heading called: "Automated Removal Instructions for XP Anti-Virus 2011, Vista Total Security 2011, and Win 7 Home Security using Malwarebytes' Anti-Malware:" make sure to scroll down to find this heading.

this will give you step by step on how to remove this nasty bug.

also after Malwarebytes finishes a text file will open.

Please post the log when done

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply.

Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

i promise it can be removed by following the instructions on that removal guide I posted above.

Edited by herg62123, 06 June 2011 - 12:18 AM.


#3 redryder4
  • Topic Starter

  • Members
  • 25 posts

Posted 06 June 2011 - 11:18 PM

herg62123 (aka Rob) :wink:

Sorry for lacking the patience to thoroughly search the site for the removal instructions... :blush:
Yes, the link you provided sounds exactly like what I have...


I downloaded FixNCR.reg, RKill & mbam to a flash drive from an unaffected PC.

FixNCR worked as described.

RKill worked as described and created the following log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 06/06/2011 at 20:26:12.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\verclsid.exe


Rkill completed on 06/06/2011 at 20:26:28.


mbam installed fine, but I unchecked the update button (yes, I'm guilty of not fully reading the instructions). Upon launching mbam, it said files were ~168 days old, do I want to update? I chose "yes" and a "connecting to server" window popped up, but there was no progress being made. The update program froze and could not be shut down by any means (end task, End-it-all, etc), so I was forced to hold the power button down until the laptop shut off.

Upon a successful reboot, I re-ran FixNCR and Rkill. I re-installed mbam and this time left the "check for updates" button checked. Again, a new "connecting to server" window opened, no progress was made, and the window hung up. Had to power down PC again to close the prog.

Downloaded a newer version of Mbam (1.51) from unaffected PC to flash drive.

Booted up laptop and re-ran FixNCR and Rkill. Uninstalled old mbam. Re-installed new mbam. Did not update this time as file was only 6 days old. An mbam trial window popped up and I selected "start trial" rather than "decline". My cursor turns to an hourglass and Mbam hangs..

I attempted to access the internet using IE, but no page would open, no timeout messages, nothing. My wireless connection shows "excellent" with 54Mbps.

Yesterday I was still able to get on the web. Today, I just get "connecting" and a blank white page. It appears that every time mbam needs to connect to the internet, it locks up as well.

I've tried to be as detailed as possible in my undertakings.. please advise..

Thanks,

Paul

#4 redryder4
  • Topic Starter

  • Members
  • 25 posts

Posted 08 June 2011 - 01:03 PM

Rob,

Ok, so I tried something different.. Upon booting up today, I did not run FixNCR or Rkill. I'm thinking the latter is preventing me accessing the internet??? I just launched Mbam and it not only updated successfully, it also performed a full scan... 5 issues were found:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6810

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/8/2011 10:47:30 AM
mbam-log-2011-06-08 (10-47-30).txt

Scan type: Full scan (C:\|)
Objects scanned: 258104
Time elapsed: 1 hour(s), 29 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Rhonda\application data\Sun\Java\deployment\cache\6.0\15\d00bfcf-6ebf900d (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Rhonda\local settings\application data\fgb.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.



08:41:25 Rhonda MESSAGE Protection started successfully
08:41:34 Rhonda MESSAGE IP Protection started successfully
10:49:20 (null) MESSAGE Protection started successfully
10:49:30 Rhonda MESSAGE IP Protection started successfully


It's hopefully all cleaned up now... Please have a look at the logs and let me know what you think.

Thanks Rob and BleepingComputer!!

Paul
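Helpers on these threads read a pasted MBAM log the same way every time: confirm the header (version, database), check that the summary counts agree with the items actually listed (a mismatch usually means the poster's paste was cut short), and look at what the rogue did to the Security Center notification values. The following parser does exactly that over the log from post #4. It is an added example, not code from BleepingComputer, Malwarebytes or the posters; the line patterns are inferred from this single log rather than from any Malwarebytes documentation, and the sample is a trimmed copy of the post above.

```python
"""Parse a Malwarebytes' Anti-Malware 1.5x scan log (the shape Paul pasted above) and run
two checks a helper otherwise does by eye: do the summary counts match the items listed
(a truncated paste is the usual cause of a mismatch), and did the rogue flip the Security
Center "DisableNotify" values so XP stops warning that the real AV is off.
Added example: not code from BleepingComputer, Malwarebytes or the posters."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Trimmed copy of the log in post #4 above (several all-clear sections dropped for brevity).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.51.0.1200

Database version: 6810

Scan type: Full scan (C:\|)

Memory Processes Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Rhonda\application data\Sun\Java\deployment\cache\6.0\15\d00bfcf-6ebf900d (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Rhonda\local settings\application data\fgb.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
"""

# Line shapes are inferred from this one log, not from any Malwarebytes documentation.
VERSION_RE = re.compile(r"^Malwarebytes' Anti-Malware (\S+)$")
HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Files Infected: 2"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")         # "Files Infected:"
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
REGDATA_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")


@dataclass
class Finding:
    section: str
    target: str                  # registry path or file path
    detection: str               # e.g. Trojan.ExeShell.Gen
    action: str                  # what MBAM did with it
    bad: Optional[str] = None    # registry data items only: value the scan found
    good: Optional[str] = None   # registry data items only: value it restored


@dataclass
class MbamReport:
    version: str = ""
    header: Dict[str, str] = field(default_factory=dict)
    counts: Dict[str, int] = field(default_factory=dict)      # summary block at the top
    findings: List[Finding] = field(default_factory=list)     # items under each section
    unparsed: List[str] = field(default_factory=list)         # anything we could not classify


def parse_mbam_log(text: str) -> MbamReport:
    rep, section = MbamReport(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if (m := VERSION_RE.match(line)):
            rep.version = m.group(1)
        elif (m := HEADER_RE.match(line)):
            rep.header[m.group(1)] = m.group(2)
        elif (m := SUMMARY_RE.match(line)):
            rep.counts[m.group(1)] = int(m.group(2))
        elif (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif section is None or line.startswith("(No malicious items"):
            continue                      # header noise, or an explicit all-clear marker
        elif (m := ITEM_RE.match(line)):
            rest, bad, good = m["rest"], None, None
            if (r := REGDATA_RE.match(rest)):   # registry data items carry Bad/Good values
                rest, bad, good = r["action"], r["bad"], r["good"]
            rep.findings.append(Finding(section, m["target"], m["detection"], rest.rstrip("."), bad, good))
        else:
            rep.unparsed.append(line)     # leave oddities for the human to look at
    return rep


def count_mismatches(rep: MbamReport) -> Dict[str, Tuple[int, int]]:
    """Sections whose summary count differs from the items listed: {section: (claimed, listed)}."""
    listed: Dict[str, int] = {}
    for f in rep.findings:
        listed[f.section] = listed.get(f.section, 0) + 1
    return {name: (n, listed.get(name, 0)) for name, n in rep.counts.items() if listed.get(name, 0) != n}


def security_center_tampering(rep: MbamReport) -> List[str]:
    """Security Center *DisableNotify values the scan found set to 1 (warnings silenced)."""
    hits = []
    for f in rep.findings:
        if f.section != "Registry Data Items Infected":
            continue
        key, _, value = f.target.rpartition("\\")
        if key.lower().endswith("\\security center") and value.endswith("DisableNotify") and f.bad == "1":
            hits.append(value)
    return hits
```

Run as a script it parses the embedded log and the two check functions return an empty mismatch map and the three silenced notifications; feed `parse_mbam_log` a log with a line missing and `count_mismatches` reports the section and the claimed-versus-listed counts, which is the cue to ask the poster for the complete log.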
