AntiVirus XP

Discussion in 'Malware Help (A Specialist Will Reply)' started by tommy2k8, Aug 18, 2008.

  1. tommy2k8

    tommy2k8 Private First Class

    Yesterday, a client of mine rang me and said he's clicked on the greeting card email - the scam that's going round at the moment, and he clicked on the link. Needless to say, AntiVirus XP downloaded itself, and the fake antivirus program popped up with 672 fake 'infections' found. This then tries to dial-up (he uses a SpeedTouch 330) every two minutes. I tried to remove it by following the instructions on 2-spyware.com, so I went into Safe Mode.
    The mouse refused to work (it's a wireless mouse) when attempting to go into Safe Mode, so I installed a USB mouse, and even that didn't work.
    Is this a side-effect of Antivirus XP?
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


    If something does not run, write down the info to explain to us later but keep on going.

    Do not assume that because one step does not work that they all will not.


    READ & RUN ME FIRST. Malware Removal Guide


    Note:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

    Starting your computer in Safe mode

    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
     
  3. tommy2k8

    tommy2k8 Private First Class

    I managed to get the USB back, and I ran the Windows Malicious Software Removal Tool, which found nothing. However, while it was scanning I got four BSODs:

    PAGE_FAULT_IN_NONPAGED_AREA

    GUS_DRIVER

    NIX_STACK_SWITCH

    SYSINTERNALS_GREAT_SITE

    I cannot find the minidump folder either!
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to follow the directions and attach the requested logs. Are you having some problem doing this? Are you trying to run them in safe mode?
     
  5. tommy2k8

    tommy2k8 Private First Class

    Here is the MalwareBytes Log:

    Malwarebytes' Anti-Malware 1.25
    Database version: 1071
    Windows 5.1.2600 Service Pack 2

    14:33:37 20/08/2008
    mbam-log-08-20-2008 (14-32-41).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 103459
    Time elapsed: 1 hour(s), 7 minute(s), 27 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 5
    Registry Data Items Infected: 0
    Folders Infected: 14
    Files Infected: 11

    Memory Processes Infected:
    C:\WINDOWS\system32\blphcjmjj0el85.scr (Trojan.FakeAlert) -> No action taken.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcnmjj0el85 (Rogue.Multiple) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\rhcnmjj0el85 (Rogue.Multiple) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe (Security.Hijack) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcnmjj0el85 (Rogue.Multiple) -> No action taken.
    HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> No action taken.
    HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> No action taken.
    HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> No action taken.
    HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> No action taken.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Casino (Adware.Casino) -> No action taken.
    C:\Program Files\rhcnmjj0el85 (Rogue.Multiple) -> No action taken.
    C:\Program Files\Microsoft Common (Trojan.Agent) -> No action taken.
    C:\Documents and Settings\John\Application Data\rhcnmjj0el85 (Rogue.Multiple) -> No action taken.
    C:\Documents and Settings\John\Application Data\rhcnmjj0el85\Quarantine (Rogue.Multiple) -> No action taken.
    C:\Documents and Settings\John\Application Data\rhcnmjj0el85\Quarantine\Autorun (Rogue.Multiple) -> No action taken.
    C:\Documents and Settings\John\Application Data\rhcnmjj0el85\Quarantine\Autorun\HKCU (Rogue.Multiple) -> No action taken.
    C:\Documents and Settings\John\Application Data\rhcnmjj0el85\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> No action taken.
    C:\Documents and Settings\John\Application Data\rhcnmjj0el85\Quarantine\Autorun\HKLM (Rogue.Multiple) -> No action taken.
    C:\Documents and Settings\John\Application Data\rhcnmjj0el85\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> No action taken.
    C:\Documents and Settings\John\Application Data\rhcnmjj0el85\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> No action taken.
    C:\Documents and Settings\John\Application Data\rhcnmjj0el85\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> No action taken.
    C:\Documents and Settings\John\Application Data\rhcnmjj0el85\Quarantine\BrowserObjects (Rogue.Multiple) -> No action taken.
    C:\Documents and Settings\John\Application Data\rhcnmjj0el85\Quarantine\Packages (Rogue.Multiple) -> No action taken.

    Files Infected:
    C:\Program Files\rhcnmjj0el85\MFC71.dll (Rogue.Multiple) -> No action taken.
    C:\Program Files\rhcnmjj0el85\MFC71ENU.DLL (Rogue.Multiple) -> No action taken.
    C:\Program Files\rhcnmjj0el85\msvcp71.dll (Rogue.Multiple) -> No action taken.
    C:\Program Files\rhcnmjj0el85\msvcr71.dll (Rogue.Multiple) -> No action taken.
    C:\Program Files\rhcnmjj0el85\rhcnmjj0el85.exe (Rogue.Multiple) -> No action taken.
    C:\Program Files\Microsoft Common\emails.dat (Trojan.Agent) -> No action taken.
    C:\Program Files\Microsoft Common\log.dat (Trojan.Agent) -> No action taken.
    C:\Program Files\Microsoft Common\svchost.exe (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\blphcjmjj0el85.scr (Trojan.FakeAlert) -> No action taken.
    C:\WINDOWS\system32\lphcjmjj0el85.exe (Trojan.FakeAlert) -> No action taken.
    C:\WINDOWS\system32\phcjmjj0el85.bmp (Trojan.FakeAlert) -> No action taken.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I believe I asked you to attach the log. ( HOW TO: Attach Items To Your Post)

    And there is also no point in running MalwareBytes if you don't have it fix what it finds.

    Please run it again and fix the issues, then attach the new log as well as the other three requested logs.
     
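Every entry in the log in post 5 ends in "No action taken", which is the point TimW makes in post 6: a scan-only run documents the infection but removes nothing. As an added example (not code from MajorGeeks, Malwarebytes or anyone in this thread), the following Python script parses lines in the MBAM 1.x log format, tags each finding with the persistence or masquerade technique it shows (a Run key autostart, the Image File Execution Options key for Explorer.exe, the screensaver and wallpaper values, an svchost.exe living outside the Windows directory) and counts how many findings were left unfixed. The sample log is built from lines in post 5 plus one constructed line with a fixed action; the tag names and the SYSTEM_BINARY_NAMES list are the example's own assumptions, not anything Malwarebytes defines.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs.

Added example for this thread; it is not code from MajorGeeks or Malwarebytes.
It parses the "<item> (<family>) -> <action>." lines of a log, tags each
finding with the persistence mechanism it touches, and counts how many were
left unfixed ("No action taken"), which is the problem with the log in post 5.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the log in post 5, plus one constructed
# line with a "Quarantined and deleted successfully." action so that the
# unfixed counter has something to contrast with.
SAMPLE_LOG = r"""
Memory Processes Infected:
C:\WINDOWS\system32\blphcjmjj0el85.scr (Trojan.FakeAlert) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe (Security.Hijack) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcnmjj0el85 (Rogue.Multiple) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> No action taken.

Files Infected:
C:\Program Files\Microsoft Common\svchost.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\phcjmjj0el85.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# "<item> (<family>) -> <action>."  The family name never contains parentheses.
FINDING_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Assumed list: names of Windows system binaries that malware reuses outside %WINDIR%.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}


@dataclass
class Finding:
    section: str
    item: str
    family: str
    action: str

    @property
    def fixed(self) -> bool:
        """MBAM writes 'No action taken.' when the user only scanned."""
        return not self.action.lower().startswith("no action taken")


def parse_mbam_log(text: str) -> list[Finding]:
    """Walk the log, remembering the current '... Infected:' section."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):
            section = line[:-1]
            continue
        m = FINDING_RE.match(line)
        if m and section:
            findings.append(Finding(section, m["item"], m["family"], m["action"]))
    return findings


def classify(f: Finding) -> list[str]:
    """Tag a finding with the persistence or masquerade technique it shows."""
    low, tags = f.item.lower(), []
    if "\\currentversion\\run\\" in low or "\\currentversion\\runonce\\" in low:
        tags.append("autostart_run_key")          # relaunched at every logon
    if "\\image file execution options\\" in low:
        tags.append("ifeo_debugger_hijack")       # Debugger value runs in place of Explorer.exe
    if "\\control panel\\desktop\\scrnsave.exe" in low:
        tags.append("screensaver_hijack")         # fake-alert .scr installed as the screensaver
    elif "\\control panel\\desktop\\" in low:
        tags.append("wallpaper_hijack")           # scare wallpaper
    if "\\currentversion\\uninstall\\" in low:
        tags.append("rogue_uninstall_entry")      # rogue registers itself like a real product
    if re.match(r"^[a-z]:\\", low):               # only file paths, not registry paths
        name = low.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARY_NAMES and not low.startswith("c:\\windows\\"):
            tags.append("system_name_masquerade")  # e.g. svchost.exe under Program Files
    if not f.fixed:
        tags.append("unfixed")
    return tags


def summarize(findings: list[Finding]) -> dict:
    """Counts per tag and per detection family, plus the unfixed total."""
    by_tag, by_family = Counter(), Counter()
    for f in findings:
        by_tag.update(classify(f))
        by_family[f.family] += 1
    return {
        "total": len(findings),
        "unfixed": sum(1 for f in findings if not f.fixed),
        "by_tag": by_tag,
        "by_family": by_family,
    }


if __name__ == "__main__":
    report = summarize(parse_mbam_log(SAMPLE_LOG))
    print(f"{report['unfixed']} of {report['total']} findings were left unfixed")
    for tag, n in sorted(report["by_tag"].items()):
        print(f"  {tag:24s} {n}")
```

Run against a real log, the `unfixed` count is the first thing to check before reading anything else: if it equals `total`, the scan was report-only and the machine is still in the state the log describes. The IFEO and Run-key tags are the entries that explain why the rogue reappears after every reboot, which is the symptom later posts in this thread describe.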
  7. tommy2k8

    tommy2k8 Private First Class

    I think it'll be cheaper, and more affordable for him, if I do a rebuild.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It is up to you ......but rebuilding his computer could be costly......or do you mean do a reinstallation of the OS?

    We usually find it is quite costless to follow our procedures.
     
  9. tommy2k8

    tommy2k8 Private First Class

    I mean a reinstallation of the OS.

    The other alternative is to do a Windows Repair, as Windows won't start up properly, and then find out which Update is causing the problem.

    Your procedures have worked so far, so there must be a script running at shutdown that executes the installation of the update.

    Shall I give him a choice of a rebuild or investigating which Update it is?
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Or the choice of attaching the requested logs and having us look to see what may be the cause.
     
  11. tommy2k8

    tommy2k8 Private First Class

    Solved it guys! Thanks for your help.

    That AntiMalware program is very good.

    The virus disabled the Windows Installer, so I just re-enabled it in Services.

    One more quick question:

    It should be alright to put SP3 on, shouldn't it?
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You keep asking questions that I can not answer because you are not doing what I ask of you. I have NO idea if you still have malware (or if you ever did), so I can not tell you if it is safe to install the updates.
     
  13. tommy2k8

    tommy2k8 Private First Class

    I did a malware scan; everything was clean. The malware that was in there disabled the Windows Installer, so I just enabled the service again and now it updates perfectly.
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Then it sounds like you are good to go ...safe surfing. :)
     