XP Antivirus 2012 and possibly more

OS: Windows XP Home SP3
CPU: AMD Sempron 3000+ 2.00 GHz
RAM: 1.93 GB
HD: 28.9 GB free / 69.1 GB


Happy Holidays!
Another family member's computer here. Trying to run any program usually results in this message:

I uninstalled Java, but could not run the new Java installer due to the aforementioned problem with running programs.

Cannot run MSCONFIG for the same reason.

No installers would run in Normal Mode, so I booted into Safe Mode.

In Safe Mode, suddenly XP Antivirus 2012 popups appearred!

Installed and ran SAS.
SAS completed: 29 things found, quarantined, and removed. Restart required. Rebooted into Normal Mode.
Rerunning SAS to save the log, Comodo asked for permission to run SAS and to give SAS Debug privileges. I granted permission on both.
Similarly for SSUpdate.

Installed MBAM. Comodo asked to allow MBAM to be installed, and to allow MBAM to launch regedit.exe and notepad.exe. I granted permissions on those as well.
MBAM completed: 8 things found, and selected for removal. Restart required. Rebooted into Normal Mode.
Upon restarting:

I clicked OK.

ComboFix, RootRepeal, and MGTools all produced the same error:

I clicked OK.

What logs I could get are attached.

Obviously, an XP Antivirus 2012 infection is present. I'm not sure if disabled .exe files are part of that or not. I didn't want to deviate from your instructions, so here we are. I suppose everything will have to be run from Safe Mode, or something that isn't an .exe would have to be used? I'm trying to learn some, but you guys are the experts.

 

I re-enabled Comodo before connecting to the Internet. Oddly, once I did that, .exe's were able to run just fine. However, I didn't run anything other than what you had asked. I've attached the log from MBRCheck.

It may be worth noting that neither Firefox (9.0.1) nor Chrome (16.0.912.63 beta-m) have a "Run" option for file downloads until after you have selected "Save" and saved the file to disk. I had to use IE (9) to follow your instruction to "Run" without saving the file to disk.

Thank you for your assistance during this busy time of year!

 

If you're running Mac, Linux, or you've somehow managed to uninstall IE (some people do this), then you don't have IE, but I digress. I just felt that it might not be something that some users would notice, and they might then ask "There's no 'run' option. How do I...?", which increases back-and-forth and thread completion time.

Yes, I have a Windows XP Home disc. What will I need it for?

So, start the entire READ & RUN ME FIRST process from the beginning again in Normal Mode with Comodo enabled? What should I do for ComboFix where the instructions state to disable Comodo (read: completely exit the program) or during application reboot steps where the application tries to run before Windows fully boots and Comodo isn't running (like MBAM did earlier)? And why the heck does enabling Comodo allow .exe files to run again anyway? The only thing I can think of would be because they get launched through Comodo instead of whatever the default action is.

Once again, thanks for your assistance!

 

I'm not able to be back at that computer just yet, so I've got some questions to clear up before I travel to it. Better to clear things up now so that I can get right to work on it once I'm there.

Should I do that before or after the READ & RUN ME FIRST, or should I not do it until you explicitly say to? Also, the computer still has the Recovery Console installed courtesy of ComboFix the last time I had to work on this computer. Can I use that instead of booting to a disc, or is booting to a disc necessary for fixing the MBR?

Oh, your last message confused me, then, I read it as "You need to run ALL of the READ & RUN ME FIRST now (run everything), and then attach the logs from below that were not run (attach only logs from the 3 programs that didn't run).":

Hmm, let me think about and recall the order of operations...

When I first was doing scans, Comodo wasn't even started on the machine. Like all other EXE programs, it wasn't able to be started manually either. When I boot into Safe Mode, it didn't start up. I ran SAS, rebooted in Normal Mode when it asked for a reboot, and then Comodo automatically started up. The instructions in neither the READ & RUN ME FIRST nor Windows XP Malware Removal/Cleaning Procedure state to disable antivirus/firewall, so I didn't. MBAM ran okay, until after it had asked for a reboot, at which point it didn't complete its pre-Windows-fully-booted action. Comodo may or may not have automatically started up at this time. If it did, I probably disabled it when trying to use ComboFix, which means that I also unplugged its Internet connection at that time. None of the other EXE files would run, and then I made the thread. Later, when you instructed that I run something from the Internet, I turned on Comodo (not sure how that worked if nothing else would) before reconnecting the Internet connection. Then, EXE files began to work again.

I honestly have no idea if the EXE file assocation is correct. I believe that both SAS and MBAM had log entries regarding EXE files though, and I had set both to fix the issues that they found. Unfortunately, the SAS and MBAM logs are not very clear about what was wrong with the registry values and to what they changed the values. Perhaps they got changed again when Comodo started itself automatically? I can check the HKCR\.exe registry key when I'm back at the machine. Anything specific you'd like to know about it or do with it?

Sorry for my lengthy reply, and thanks again for all of your help here.

 

That's what I figured, but wanted to ask anyway.

The computer is running an older version of CIS. I did not see it in the system tray, and it was not giving me prompts when I tried to run things. However, I can't be 100% sure that none of its processes were loaded.

I meant that at that point (running SAS and MBAM) it had not stated to disable the Comodo AV/Firewall. I should have been more specific. My apologies.

I'll note this for the future, as I would typically disconnect machines from the Internet completely for scans. I am admittedly a bit paranoid of them getting worse from having no protection or of their infection spreading to other machines on the local network. Perhaps the READ & RUN ME FIRST could have a note somewhere that you "recommend remaining connected to the Internet throughout the entire procedure so that the applications can receive automatic updates." ?

Maybe someone who knows what they are doing could mention that to the SAS authors?

Right then. It seems that I won't have access to this particular computer till tomorrow, so I'll resume work on it then.

Slight tangent: the SAS instructions aren't quite accurate for the recent 5.0 version of SAS. Most of it can be related, but the layout of the program and settings, as well as the installer, are a bit different. I wasn't sure where to mention this, so I thought I'd just mention it now before I forget.

Thanks again for your patience and assistance.

 

I have access to the computer again. To recap and confirm, I need to:

1. Disable/Exit Comodo.
2. Reconnect to the Internet.
3. Run ComboFix, RootRepeal, and MGTools.

What should I do if EXE files won't run once I disable Comodo? Should I run an EXE file association fix from here, or do you have something else in mind?

Thanks again.

 

I exited Comodo and reconnected to the Internet. ComboFix started to run okay, but while it was extracting files, it presented me with this error:

What should I do for this warnings and warnings like it?

Thanks!

 

I ran steps #1-3 that I noted in my post here.
The ComboFix uninstaller and the latest ComboFix installer both run into the same problem. RootRepeal and MGTools have returned to producing this error message:

 

MGtools.exe is in the root folder of the Windows boot drive at C:\MGtools.exe

Using Firefox, Rkill.exe saves, but doesn't run. Rkill.com and Rkill.scr won't save. I get the error:

When I choose to save to another directory, the error message does not appear, but the file does not get saved.

Rkill.pif returns a 404 error.

Using IE, I got Rkill.com and Rkill.scr to download, but neither of them will run. They both produce the same error as before when trying to run executable files.

I've had Comodo shut off through all of this (as was previously advised). When Comodo is running, EXE files seem to be able to run. Should I just re-enable Comodo for specific steps?

 

Okay, so now:

1. Re-enable Comodo.
2. Run Rkill.
3. Skip ComboFix? (as we shouldn't/can't run it while an AntiVirus/Firewall is active?)
4. Run RootRepeal.
5. Run MGtools.

Is that correct, or should I skip Rkill?

Also, is there a way of setting exceptions/permissions in Comodo for RootRepeal and MGtools in advance so that those programs run smoothly? Or should I just try to give permissions as they are running?