
RKilled! XP Internet Security 2012



#1 TripleJacknGA


Posted 19 July 2011 - 10:30 AM

Just a big thanks to the site, and the creator of RKill. I thought perhaps posting this may help others, as well as the creators of RKill, by seeing what I did, and what the software did.

A co-worker's desktop, which is used for shipping, recently started having the 'XP Internet Security 2012' shenanigans, which was my introduction to it.

After much Googling on my laptop (since his was unable to do anything, including get online eventually), I read about RKill, and what it's designed to do. I downloaded RKill to a thumb-drive. I also downloaded Malwarebytes & Avast to the same thumb-drive.

First thing I did was install & run Avast 6. Interestingly enough, Avast found absolutely nothing, and just as interestingly, the virus allowed me to run it. I then tried running the existing install of Malwarebytes on the machine, but as expected, the virus prevented it from even starting.
I then ran RKill from my thumb-drive. When it finished running, I got the following log file:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 07/19/2011 at 8:38:20.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Program Files\AVAST Software\Avast\defs\11071800\Sf.bin


Rkill completed on 07/19/2011 at 8:39:38.


At first, I thought that the only thing RKill did was block Avast. I then tried running the existing install of Malwarebytes, and it started. It said its last update was in 2009, so I tried to update it. The wireless connection was not working (not sure if this was also the virus or not), so I disabled, then enabled it, and got it connected. I proceeded to try and update Malwarebytes, but it gave me some odd error. I then decided to do a fresh install of Malwarebytes. When I finished that install, I had it update, and it did successfully.
I then ran Malwarebytes, and after about 47 minutes, it found 6 infections, which I removed. Here's the log from that:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7199

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/19/2011 10:05:15 AM
mbam-log-2011-07-19 (10-05-15).txt

Scan type: Full scan (C:\|)
Objects scanned: 237700
Time elapsed: 47 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2791166363 (Trojan.FakeAlert) -> Value: 2791166363 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\User\Local Settings\Application Data\drp.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


After deleting those, I then closed Malwarebytes, restarted the machine, and so far, it seems like it's gone, and the machine is back to its slow, old self.

Again, a huge thanks, because my IT dept. is basically useless, and I know just enough to be dangerous. I have way too much to do running this place, and this put the kibosh on it.

Jack
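As an added, read-only check (not code from this thread, nor from the RKill or Malwarebytes projects), the PowerShell below audits the same registry locations the Malwarebytes log above flagged and reports anything that resembles that tampering. It assumes PowerShell is available on the affected host and that the expected StartMenuInternet open command is a bare iexplore.exe path; nothing is modified.

```powershell
# Added example: read-only audit of the persistence and hijack locations seen
# in the Malwarebytes log above (Run value, ProxyServer, StartMenuInternet
# command, Security Center DisableNotify flags). Assumes local PowerShell.

$findings = @()

# 1. HKCU Run entries. The FakeAlert loader used a purely numeric value name
#    and a path under Local Settings\Application Data; flag either pattern.
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
        if ($p.Name -match '^\d+$' -or $p.Value -match 'Local Settings\\Application Data') {
            $findings += "Suspicious Run value '$($p.Name)' = $($p.Value)"
        }
    }
}

# 2. Per-user proxy (PUM.Bad.Proxy): an unexpected ProxyServer redirects browsing.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($inet -and $inet.ProxyServer) {
    $findings += "ProxyServer is set: $($inet.ProxyServer) (ProxyEnable=$($inet.ProxyEnable))"
}

# 3. StartMenuInternet open command (Hijack.StartMenuInternet): should be a single
#    iexplore.exe path, not a wrapper executable that launches the browser.
$smi = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command' -ErrorAction SilentlyContinue
if ($smi) {
    $cmd = $smi.'(default)'
    if ($cmd -notmatch '^"?[^"]*iexplore\.exe"?$') {
        $findings += "StartMenuInternet command hijacked: $cmd"
    }
}

# 4. Security Center notification flags (PUM.Disabled.SecurityCenter): 1 means
#    the user is no longer warned that AV, firewall or updates are off.
$sc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    if ($sc -and $sc.$name -eq 1) {
        $findings += "$name = 1 (Security Center alerts suppressed)"
    }
}

if ($findings.Count -eq 0) { 'No findings in the audited locations.' } else { $findings }
```

On a clean machine the script prints only the "No findings" line; any other output names the exact value a cleanup tool or a manual fix would need to revert.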

#2 SpySentinel


Posted 01 August 2011 - 01:35 PM

Hi TripleJacknGA,

Welcome to Bleeping Computer :)


Glad to hear rKill was able to help you get Malwarebytes Anti-Malware to update and remove the infection!

Do you still require assistance? If you like, I can take a look to make sure the system is clean.

#3 SpySentinel


Posted 06 August 2011 - 04:38 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me a PM. This applies only to the original topic starter.

Everyone else please begin a New Topic.