Keylogger/XP Defender Virus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by randyh43, Apr 1, 2010.

  1. randyh43

    randyh43 Private E-2

    Hi - my computer has the keylogger/XP Defender virus. My anti-malware icons don't work. I had contacted you guys a couple of years ago and had forgotten your name. (Because you did such a good job removing my problem, I didn't have to write to you again.) I made the mistake of calling Geeks Mobile which only removed the problem temporarily. It keeps coming back. In some cases I'm not able to open any executable files and I keep getting those nasty pop ups trying to get me to buy XP Defender or Windows security programs etc. I finally found an old e-mail I received from Major Geeks on my old computer. You guys were great the last time. Please help me! :)
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

  3. randyh43

    randyh43 Private E-2

    Hi Halo - I ran through all of the Read me first instructions. The only problem I had was running ComboFix. I have a 32 bit system. I tried to thoroughly disable McAfee, SUPERAntiSpyware, Anti-Malware, I deleted a free trial version of Spydoctor that I had, I disabled my Windows and McAfee firewalls. I did not see any other programs I needed to disable before running ComboFix. When I ran ComboFix I got to the point where I received the pop up window saying "Congratulations!!! The Microsoft Recovery Console was successfully installed". I hit Yes and it started running ComboFix. A short time after I received the "blue screen of death" saying Windows encountered a problem BAD_POOL_CALLER. Windows needs to shut down. At this point I hit the off button and restarted the computer. Upon reboot McAfee detected what it called a Trojan virus and my ComboFix icon on my desktop disappeared. I skipped ComboFix at this point. I was able to run RootRepeal and MGtools without any problems. My computer seems to be running fine, however when I reboot I'm getting a McAfee message about a possible unwanted program called prcviewer; McAfee does not seem to be able to delete this and I'd like to get rid of this message. Since I was unable to run ComboFix, I'm not certain if my computer is completely clean. Looking forward to your kind advice. :)
     
  4. randyh43

    randyh43 Private E-2

    Halo - I forgot to mention that I have not turned off my computer at this point because I still need your help to make sure that I have no hidden viruses locked into my system restore point. Since I had trouble with ComboFix and prcviewer, I wanted your advice on this before disabling my system restore point.
     
  5. randyh43

    randyh43 Private E-2

    Halo - sorry..... attached please find my Mglogs.zip file and my SAS log file.
    Thank you! :)
     

    Attached Files:

  6. randyh43

    randyh43 Private E-2

    Keylogger/Xp defender Virus -

    I'm sorry I accidentally posted the below problem in the welcome forum instead of under the Malware forum. I attached my SAS log and Mglogs zip file on the welcome forum thread. It did not allow me to attach it again on this new thread. Sorry, I'm new. :-o Below please find my issues.

    Hi Halo - I ran through all of the Read me first instructions. The only problem I had was running ComboFix. I have a 32 bit system. I tried to thoroughly disable McAfee, SUPERAntiSpyware, Anti-Malware, I deleted a free trial version of Spydoctor that I had, I disabled my Windows and McAfee firewalls. I did not see any other programs I needed to disable before running ComboFix. When I ran ComboFix I got to the point where I received the pop up window saying "Congratulations!!! The Microsoft Recovery Console was successfully installed". I hit Yes and it started running ComboFix. A short time after I received the "blue screen of death" saying Windows encountered a problem BAD_POOL_CALLER. Windows needs to shut down. At this point I hit the off button and restarted the computer. Upon reboot McAfee detected what it called a Trojan virus and my ComboFix icon on my desktop disappeared. I skipped ComboFix at this point. I was able to run RootRepeal and MGtools without any problems. My computer seems to be running fine, however when I reboot I'm getting a McAfee message about a possible unwanted program called prcviewer; McAfee does not seem to be able to delete this and I'd like to get rid of this message. Since I was unable to run ComboFix, I'm not certain if my computer is completely clean. Looking forward to your kind advice. - I forgot to mention that I have not turned off my computer at this point because I still need your help to make sure that I have no hidden viruses locked into my system restore point. Since I had trouble with ComboFix and prcviewer, I wanted your advice on this before disabling my system restore point.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach the log from MBAM and you attached the wrong log from SUPERAntiSpyware. Per the READ & RUN ME, you should only have run scans once. Attaching logs that are obtained after you were already cleaned up does not provide us with any useful information. We need to see what was found and removed.

    Please attach the below 3 logs.
    Code:
    C:\Documents and Settings\Randy H\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\
    Apr  2 2010        1110  "SUPERAntiSpyware Scan Log - 04-02-2010 - 00-14-55.log"
    C:\Documents and Settings\Randy H\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\
    Apr  2 2010        2363  "mbam-log-2010-04-02 (08-18-39).txt"
    Apr  1 2010        2843  "mbam-log-2010-04-01 (15-43-03).txt"
    

    Now go to TDSSKiller and Download TDSSKiller.zip to your Desktop
    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Click Start > Run and copy/paste the following bold command into Run box and hit Enter.
    "%userprofile%\Desktop\TDSSKiller.exe" -v
    • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    • When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )
    Also uninstall J2SE Runtime Environment 5.0 Update 6 as requested in the READ & RUN ME.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Apr 2, 2010
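    The log-gathering part of the instructions above, as an added example that is not part of the MajorGeeks procedure or any of its tools: a small Windows batch file that copies the logs the post asks for (SUPERAntiSpyware, Malwarebytes, TDSSKiller, Avenger and MGlogs.zip) into one folder on the Desktop and prints which ones are missing, so nothing gets left out of the reply. It assumes the log locations quoted in the post, substitutes %APPDATA% for the hard-coded "C:\Documents and Settings\Randy H\Application Data" so it works for any account, and the folder name LogsToAttach is the script's own choice.

```batch
@echo off
REM Added example, not part of the MajorGeeks procedure or its tools.
REM Collects the logs requested in the post into one Desktop folder and
REM reports any that are not there yet. %APPDATA% stands in for the
REM hard-coded user profile path; "LogsToAttach" is a name chosen here.
setlocal
set "DEST=%USERPROFILE%\Desktop\LogsToAttach"
if not exist "%DEST%" mkdir "%DEST%"

REM SUPERAntiSpyware and Malwarebytes log folders, as quoted in the post
set "SAS=%APPDATA%\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs"
set "MBAM=%APPDATA%\Malwarebytes\Malwarebytes' Anti-Malware\Logs"

if exist "%SAS%\*.log" (
    copy /y "%SAS%\*.log" "%DEST%\" >nul
) else (
    echo MISSING: SUPERAntiSpyware logs in "%SAS%"
)

if exist "%MBAM%\mbam-log-*.txt" (
    copy /y "%MBAM%\mbam-log-*.txt" "%DEST%\" >nul
) else (
    echo MISSING: Malwarebytes logs in "%MBAM%"
)

REM TDSSKiller writes its log to the root of C: with the version and
REM run date/time in the file name, so match on the fixed parts only
if exist "C:\TDSSKiller.*_log.txt" (
    copy /y "C:\TDSSKiller.*_log.txt" "%DEST%\" >nul
) else (
    echo MISSING: TDSSKiller log on C:\
)

REM Avenger log and the MGtools archive are fixed paths
for %%F in ("C:\avenger.txt" "C:\MGlogs.zip") do (
    if exist %%F (
        copy /y %%F "%DEST%\" >nul
    ) else (
        echo MISSING: %%F
    )
)

echo.
echo Collected into "%DEST%":
dir /b "%DEST%"
endlocal
```

Save it as a .bat file on the Desktop and double-click it after the tools have run; anything reported as MISSING has either not been produced yet or was written somewhere other than the paths the post gives.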
  8. randyh43

    randyh43 Private E-2

    Hello Chaslang - Attached are 4 of the 6 files you requested. The other two will be sent shortly when I run "The Avenger". Thanks for your help and most of all your patience! :)
     

    Attached Files:

  9. randyh43

    randyh43 Private E-2

    Dear Chaslang,

    Attached are the two other files you requested. Below are some events that happened while following your instructions below. Specifically during and after running "The Avenger".
    1. After I ran The Avenger, Mcafee popped up saying it quarantined or removed a Trojan virus. I didn't catch the name it flashed quickly.
    2. After The Avenger asked me to reboot and during the actual reboot, I received a message saying that Windows could find file ccleanup.exe. I hit ok and then the computer finished booting up.
    3. After I rebooted - I also got the same Mcafee warning about a possible unwanted program PRCViewer. Maybe this is a program you guys use in your clean up tools?
    4. Should I still worry about possibly having a virus in my System restore point?
    5. Since I ran the original Read me first instructions, the computer seems to be fine however I will probably still be fearful about its condition until I see the system behaving normally for at least three to four days in a row. You guys did not fail me in the past..... I don't expect you will fail me this time either!
    6. Let me know if you found any other issues in the files I sent you.

    All the best :)
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    PrcViewer is not a problem. It is a valid program used by many tools. Ignore McAfee.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
