"AntivirXP08" Trojan and "Windows Security Alerts" Process

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pariah, Jul 29, 2008.

  1. pariah

    pariah Private E-2

    I'm on a friend's computer who felt it best (God knows why) to upgrade to XP. Not a week later, she gets this "antivirXP08" trojan that showed up hours ago. To get rid of it, she ended up downloading another fake anti-spyware finder called "Spyware Terminator", which is a derivative of something called the "Crawler Toolbar." So now her security's been compromised and she's up to her ears in viruses, according to Spybot's TeaTimer.

    She's run XP's anti-virus a number of times but, foreseeably, this didn't help the problem.

    Before I used the anti-malware programs as suggested by the READ ME, I uninstalled any stray trojan or spyware detectors as well as Spybot so as to make sure I didn't leave the TeaTimer on. Thankfully, the original "antivirXP08" trojan that was showing up in my Control Panel is now gone, but for the life of me, I'm unable to remove this "Windows Security Center," which is obviously a fake anti-trojan/spyware program. "WSC" is also accompanied by a blue backdrop that says, "Warning! Spyware Detected on your computer."

    The sheer tenacity of the trojan was able to keep me from running ComboFix even after I renamed it. What it did exactly is manifest a prompt labeled as a disclaimer for the ComboFix software. I changed the ComboFix executable's name to something more esoteric and it seemed to work, but I had to get rid of the disclaimer box from the process manager before it was able to run. I hope that doesn't mean the log was screwed up.

    Aside from that, I was able to run the programs and I'm still having problems.
     

    Attached Files:

  2. pariah

    pariah Private E-2

    Rest of the logs.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's first address some of your comments which are incorrect.

    There is absolutely nothing wrong with using Windows XP.

    Spyware Terminator is not a fake antispyware program; it is valid and is downloadable here at Major Geeks ( see Spyware Terminator ). Also, there is nothing wrong with Crawler Toolbar other than it may just be a toolbar that you don't need, like hundreds of others including Google, Yahoo, McAfee, Norton/Symantec......etc. Years ago Crawler.com had some questions about it, but that has long been resolved. Spyware Terminator provides some free protection and useful features. While not the greatest program, it is useful, especially since it is free and provides active protection.

    Windows XP does not have an antivirus program. If you mean XPantivirus, that is a rogue.

    Windows Security Center is part of Windows XP and will warn you when you have no antivirus (which you do not have) and will warn you when you have no firewall enabled.

    No this is not part of Windows Security Center. It is part of the Antivirus XP 2008 rogue tool that had been installed and will need to be cleaned up if it is still locked on the Desktop.


    What is the below program?
    Code:
    2008-07-21 17:07 . 2008-07-21 17:07 <DIR> d-------- C:\Program Files\Transparent

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

    After clicking Fix, exit HJT.





    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Copy the bold text below to Notepad. Save it as fixme.reg to your Desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.





    Fixing Locked Desktop
    • Right click on your Desktop and select Properties.
    • Then click the Desktop tab
    • then click the Customize Desktop button.
    • Now in the next window that comes up click the Web tab.
      • Make sure at the bottom that Lock desktop items is unchecked.
    • Then in the Web pages: box delete all items but My Current Home Page and make sure it is unchecked too.
    • Then click OK.
    • Click Apply. And click OK.
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).





    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
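As an added example (not part of this thread, and not HijackThis code), a small Python parser for the O3/O4 lines chaslang selected above: it pulls the image path and arguments out of each autostart entry, handling both quoted and unquoted paths with spaces, and flags the orphaned "(no file)" toolbar reference. The sample lines are copied from the post; the dictionary layout is my own.

```python
import re

# Sample input: the HijackThis lines quoted in the thread above (constructed list).
HJT_LINES = [
    r"O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)",
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE",
]

O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$")
O4_REG_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.+)$")
# An unquoted path may contain spaces; it ends at the first executable-style extension.
UNQUOTED_RE = re.compile(r"^(?P<path>.+?\.(?:exe|com|bat|cmd|scr|lnk|dll|pif|vbs))(?:\s+(?P<args>.*))?$", re.I)


def split_command(cmd):
    """Split a Run-key command line into (image path, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: everything up to the closing quote
        end = cmd.find('"', 1)
        if end == -1:
            return cmd.strip('"'), ""
        return cmd[1:end], cmd[end + 1:].strip()
    m = UNQUOTED_RE.match(cmd)                   # unquoted path, possibly with spaces
    if m:
        return m.group("path"), (m.group("args") or "").strip()
    first, _, rest = cmd.partition(" ")          # fallback: first token is the image
    return first, rest.strip()


def parse_entry(line):
    """Parse one HijackThis O3/O4 line into a dict a triager can act on."""
    m = O3_RE.match(line)
    if m:
        return {"type": "O3", "location": "Toolbar", "name": m["name"], "clsid": m["clsid"],
                "path": m["target"], "args": "", "orphan": m["target"] == "(no file)"}
    m = O4_REG_RE.match(line)
    if m:
        path, args = split_command(m["cmd"])
        return {"type": "O4", "location": f"{m['hive']}\\..\\{m['key']}", "name": m["name"],
                "clsid": None, "path": path, "args": args, "orphan": False}
    m = O4_STARTUP_RE.match(line)
    if m:
        path, args = split_command(m["cmd"])
        return {"type": "O4", "location": "Startup", "name": m["name"], "clsid": None,
                "path": path, "args": args, "orphan": False}
    raise ValueError(f"unrecognised HijackThis line: {line}")


def image_paths(lines):
    """Return the on-disk paths an analyst should verify (orphaned '(no file)' entries excluded)."""
    return [e["path"] for e in map(parse_entry, lines) if not e["orphan"]]
```

On the machine in question, each path returned by image_paths() is what you would check for existence and signature before deciding whether the entry is a legitimate leftover or malware.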
  4. pariah

    pariah Private E-2

    If it's not a trojan, then why won't it let me turn it off? I kept trying to end the process, but it just stayed on the desktop.

    That's just a folder for foreign language building software.

    I got the message that it successfully integrated itself into the registry.

    The desktop isn't locked anymore and I don't notice any suspicious looking processes. The CPU is nominal with no apparent lag.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If it was on the Desktop, it was not Windows Security Center. It was the rogue Desktop, which appears to be gone now after unlocking the Desktop. Windows Security Center will put an icon in your tray which will be red and will have a balloon when you have disabled protection from your AV or firewall or when they are out of date with updates. These can be turned off by telling Windows that you will do the monitoring of the programs yourself; however, this is not recommended since most people do a poor job of doing this.

    Your logs are clean, but you need to get this PC properly protected since it has none. The last step in the below will cover this. DO NOT install things into folders like C:\Program Files\Anti-Malware Kit, which will be viewed as fake or rogue. Install them into their normal default folders as suggested by the installation program.

    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combo-fix" /u
        • Note: the space between combo-fix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combo-fix folder from combofix.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    8. Go to add/remove programs and uninstall HijackThis.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work through the below link:
     
