
XP Antivirus 2012


5 replies to this topic

#1 btfanusa

btfanusa

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:02 AM

Posted 13 July 2011 - 05:48 AM

Hello everyone.

First, a bit of background: I am on Windows XP, and I have Avast! (the free version) as my antivirus program.

Two days ago, I got the XP Antivirus 2012 malware and I found this site and the instruction on how to remove it. I downloaded RKill, which is great. It stopped all the problems temporarily so I could continue trying to get rid of the source. However, I have a problem when I reach the final step of the guide where I am supposed to do a full scan using MalwareBytes. After a few minutes of scanning, the program would freeze and stop responding. Eventually I would have to power off my PC because it is the only way to quit the program. During the scan I would also get the Avast trojan warning and siren telling me a trojan was found and asking me what to do with it.

I decided to look on other sites and they recommended similar programs for the job such as Spybot and Hitman. I tried them all but they all ended up having the same issue. They would stop/freeze/get stuck during the scan and eventually it would stop responding and I would have to force close them.

Right now the malware is thankfully not a huge issue since I can use RKill to shut it down every time I boot up my PC, but it would be great if I can get rid of it completely.

Thank you everyone sincerely in advance for your help.


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,271 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:02 AM

Posted 13 July 2011 - 08:31 AM

Before doing anything further, if you have not already done so, you should back up all your important documents, personal data files and photos to a CD or DVD drive as some infections may render your computer unbootable during or before the disinfection process. If that occurs there may be no option but to reformat and reinstall the OS or perform a full system recovery. The safest practice is not to back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.
Malwarebytes Anti-Malware is designed to remove malware as effectively with a Quick Scan as it will with a Full Scan, which takes much longer to complete. Both scans use heuristics that bypass polymorphic blackhat packers & encryption, MD5 hashes, check memory (loaded .exes and .dlls), unique strings, autostart load points and hotspots (everywhere current malware is known to load from) and multiple other malware checks which are not discussed in public to safeguard the program from malware writers who would use that information for nefarious purposes.

If you cannot run Malwarebytes Anti-Malware or complete a scan in normal mode, then try performing a Quick Scan in "safe mode".

Scanning with Malwarebytes Anti-Malware in safe or normal mode will work but removal functions are not as powerful in safe mode. Malwarebytes is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, Malwarebytes loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. Additionally, there are various types of malware infections which target the safeboot keyset so booting into safe mode is not always possible. For optimal removal, normal mode is recommended so it does not limit the abilities of Malwarebytes but sometimes there is no alternative but to do a safe mode scan. If that is the case, after completing a safe mode scan, reboot normally, update the database definitions through the program's interface (preferable method) and try rescanning again.


Please download Kaspersky's TDSSKiller and save it to your Desktop. <-Important!!!
Be sure to print out and follow the instructions for performing a scan. Alternate instructions can be found here.

  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop.
  • Alternatively, you can download TDSSKiller.exe and use that instead.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • Any objects found will show in the Scan results - Select action for found objects and offer three options.
  • If an infected file is detected, the default action will be Cure...do not change it.
  • Click Continue > Reboot now to finish the cleaning process.<- Important!!
  • If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer, or to perform the scan in "safe mode".

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [image].

#3 btfanusa

btfanusa
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:02 AM

Posted 13 July 2011 - 01:02 PM

Hi there. Thank you for your reply. Here is what happened tonight.

- After I got home from work, I booted up my PC, and when Windows started, Spybot began an automatic scan. I decided to let it run to see if it would freeze again. This time, it actually ran smoothly (although the whole scan took about an hour). It found about 20 malicious files under the Fake Antivirus category (including the nys.exe file I recognize from the XP Antivirus 2012) and I chose Remove Files. I thought that would solve the problem but to my dismay, the XP 2012 thing popped right back up after I entered Windows. At that point, I used RKill to kill it again and came to the forum to read your reply.

- After reading everything you wrote, I rebooted my system in Safe Mode and tried to run MalwareBytes Quick Scan again. In safe mode, the scan worked and didn't freeze! It found the infected files, and I chose to remove all the problems. I then rebooted and entered Windows again under Normal Mode. The malware is gone!

- I decided to run MalwareBytes again in Normal Mode just to make sure everything is ok, but again, it would get stuck on a certain file (windows/system32/drivers/wpdusb.sys).

- I downloaded the TDSSKiller you posted also and tried a scan with that. When the progress bar got near the end (on the 201st file), it got stuck on a file called Windows/system32/drivers/znoagivb.sys. I had to stop the scan, but there were no infections found in the 200 files it did scan.


Now that the fake antivirus program is seemingly gone, I have noticed 2 new abnormalities:

1. In the bottom right tray of Windows (next to the clock), I now have a red shield that has a white cross in the middle. I am pretty sure this is the legit Windows security center shield and not the fake antivirus shield. Anyway, the shield is red because it says I have Automatic Updates disabled. However, I have already set it to check for updates to "every day" at "12pm", but it still says I have Auto Updates Off. What is wrong here?

2. Also, now the Malwarebytes security center, also located in the bottom right tray, would occasionally pop up a bubble that says "Successfully blocked access to a potentially malicious site at 222.186.51.97 - Incoming". This message pops up maybe every 10 minutes while my computer is just sitting there with no activity. Is this a big problem?

I would like to thank you again for your help and your time. I can't express how much of a life saver you guys are on this forum.

Edited by btfanusa, 13 July 2011 - 01:05 PM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,271 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:02 AM

Posted 13 July 2011 - 01:42 PM

IP Protection (malicious website blocking) is part of the Protection Module and works after it is enabled. When attempting to go to a potential malicious website, Malwarebytes will block the attempt and provide an alert. Some legitimate programs on your computer have access to the Internet and that action can also trigger an IP alert. These events are stored in the "protection-log". Your firewall should be able to give you a list of such programs so you can confirm if they are legitimate. IP Protection is also designed to block incoming connections it determines to be malicious. Botnets and Zombie computers scour the net, randomly scanning a block of IP addresses, searching for vulnerable ports - commonly probed ports and make repeated attempts to access them. Hackers use "port scanning", a popular reconnaissance technique, to search for vulnerable computers with open ports using IP addresses or a group of random IP address ranges so they can break in and install malicious programs. Malwarebytes is doing its job by blocking this kind of traffic and alerting you about these intrusion attempts.

Information that explains IP Protection feature can be found in the Malwarebytes Anti-Malware IP Protection FAQs.

What does IP Protection do?
IP Protection provides an additional layer of security for your computer, by preventing access to known malicious IP addresses and IP ranges...

What does this notification mean?
This notification means quite simply, that an IP address has been blocked. It does NOT necessarily mean you are infected, it simply means a program on your computer (e.g. your browser, IM program, P2P program etc), tried accessing a malicious IP address...

Other FAQs about IP Protection
How does it do this?
How does it inform you?
I got an alert and I wasn't even surfing, how's that happen?
I received a notification on a safe site, why?
How do I disable this?
I got an alert for an IP or website I think is safe, how can I report it?
Does the IP Protection replace my firewall?
Where do I find the IP Protection logs?
How can I add an IP so it won't be detected and can access a site I need to?


You can investigate IP addresses and gather additional information at:

If you are using peer-to-peer (P2P) file sharing programs (i.e. Limewire, eMule, Kontiki, BitTorrent, uTorrent, BitLord, BearShare, Azureus/Vuze, etc) or an (IM) client, be aware they can trigger alerts. Why? Because these kinds of programs are a security risk which can make your system susceptible to a smörgåsbord of malware infections and remote attacks. Even the safest P2P file sharing programs that do not contain bundled spyware still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The best way to eliminate these risks is to avoid using P2P applications.

Try doing an online scan to see if it finds anything else that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.
  • If using Mozilla Firefox, you will be prompted to download and use the ESET Smart Installer. Just double-click on esetsmartinstaller_enu.exe to install.
  • Vista/Windows 7 users need to run Internet Explorer/Firefox as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green [image] button.
  • Read the End User License Agreement and check the box:
  • Check [image].
  • Click the [image] button.
  • Accept any security warnings from your browser and allow the download/installation of any required files.
  • Under scan settings, check [image] and make sure that the option Remove found threats is NOT checked.
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click the Start button.
  • ESET will install itself, download virus signature database updates, and begin scanning your computer.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop as ESETScan.txt.
  • Push the [image] button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply. If no threats are found, there is no option to create a log.

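The IP Protection explanation in the reply above draws a distinction that is worth turning into a routine check: an "Incoming" block means an unsolicited connection from outside was dropped, while an "Outgoing" block means a process on the machine itself tried to reach a bad address and is the one that deserves follow-up. The script below is an added example, not Malwarebytes' code and not part of the original post. Its log lines are constructed here in the wording of the tray bubble quoted in the thread; the timestamp prefix and the one-alert-per-line layout are assumptions for the example, not the real protection-log format.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (assumed layout: "<timestamp> <bubble text>").
# The bubble text copies the wording quoted in the thread; the addresses
# and times are made up for the example.
SAMPLE_LOG = """\
2011-07-13 13:02:41 Successfully blocked access to a potentially malicious site at 222.186.51.97 - Incoming
2011-07-13 13:11:58 Successfully blocked access to a potentially malicious site at 222.186.51.97 - Incoming
2011-07-13 13:20:03 Successfully blocked access to a potentially malicious site at 222.186.51.97 - Incoming
2011-07-13 13:24:17 Successfully blocked access to a potentially malicious site at 198.51.100.7 - Outgoing
2011-07-13 13:31:45 Successfully blocked access to a potentially malicious site at 222.186.51.97 - Incoming
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"Successfully blocked access to a potentially malicious site at "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - (?P<direction>Incoming|Outgoing)$"
)


@dataclass
class Alert:
    when: datetime
    ip: str
    direction: str


def parse_alerts(text):
    """Parse the constructed log; lines that do not match are skipped, not fatal."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            alerts.append(Alert(when, m["ip"], m["direction"]))
    return alerts


def summarize(alerts):
    """Number of blocks per (ip, direction) pair."""
    return Counter((a.ip, a.direction) for a in alerts)


def triage(alerts):
    """Map each blocked address to a verdict.

    Any Outgoing block means a local process initiated the connection, so the
    next question is which process and whether it is legitimate (the firewall
    log answers that). Repeated Incoming blocks from one address while the
    host is idle match the random probing described in the thread: the block
    did its job and nothing on the host reached out.
    """
    by_ip = defaultdict(list)
    for a in alerts:
        by_ip[a.ip].append(a)
    verdicts = {}
    for ip, items in by_ip.items():
        directions = {a.direction for a in items}
        if "Outgoing" in directions:
            verdicts[ip] = "investigate: a local process initiated a connection to this address"
        elif len(items) >= 3:
            verdicts[ip] = "repeated inbound probe blocked; confirm the firewall also drops it"
        else:
            verdicts[ip] = "single inbound block; monitor"
    return verdicts


def mean_interval(alerts, ip):
    """Average seconds between successive alerts for one address (None if fewer than two)."""
    times = sorted(a.when for a in alerts if a.ip == ip)
    if len(times) < 2:
        return None
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
    return sum(gaps) / len(gaps)


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_LOG)
    for key, count in summarize(found).items():
        print(f"{key[0]:>15} {key[1]:<8} blocked {count} time(s)")
    for ip, verdict in triage(found).items():
        print(f"{ip:>15}: {verdict}")
    print("mean gap for 222.186.51.97:", mean_interval(found, "222.186.51.97"), "s")
```

The interval check is there because a steady cadence of inbound blocks from one address, roughly every ten minutes in the sample as in the thread, is the signature of automated scanning rather than of anything the host did; a sudden appearance of Outgoing entries is the change that should prompt a look at which process made the request.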

#5 btfanusa

btfanusa
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:02 AM

Posted 14 July 2011 - 10:28 PM

Thanks again. I meant to reply earlier, but I have been unable to run the Eset Online Scan for 2 straight days. Every time I press "start", it tries to load but eventually times out and shows a Page not found screen.

My computer is symptom free now except I get the red shield at the bottom right tray. Previously I said I thought it was the legit Windows Security Center, but on another website, it says it is fake so I have no idea now. It looks like this (I am linking to their picture, hope this is ok):

http://3.bp.blogspot.com/-yYkS5oK0uHU/Te5xAJIpOYI/AAAAAAAABfU/tbyCKFIsPp0/fakeSC.jpg

At the bottom however mine does not show "XP Antivirus 2012". Mine says Internet Option, Firewall, and Automatic Update instead.

Is this still part of the malware?

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,271 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:02 AM

Posted 15 July 2011 - 07:17 AM

At the bottom however mine does not show "XP Antivirus 2012". Mine says Internet Option, Firewall, and Automatic Update instead.

These are example screenshots of the legitimate Windows Security Center:
If you are seeing a red shield in the bottom right corner, the color of the shield depends on your security settings. Red indicates Your computer might be at risk as shown in Fig 01 here.
