XP Home Security 2011 ano.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by Hyru, Apr 13, 2011.

  1. Hyru

    Hyru Private E-2

    Hi all,
    hoping for some help on my main computer, as I'm posting this from my laptop.

    My OS: Windows XP

    A few days ago, out of no where, my computer started giving me fake popups about "XP Home Security 2011." These began to increase, and would start to shut down any programs I was running at the time.

    They currently won't let me run any programs, even the ones mentioned in the sticky (even when renamed). When I do try and run them, I simply get the XP Home Security 2011 popup again, and I also notice an ano.exe in the task manager which shows up.

    I have tried running things in safe mode, but to no avail. Same thing happens - the programs won't open, and the popup shows up. I've tried downloading the files onto a USB and running them off there, and again, nothing.
    Even when I try to run RKill, I get the "Windows Security Center" and "XP Home Security Center 2011" popups.

    An important side note...
    This virus wasn't this extreme yesterday. I was actually able to get into safe mode and run Malwarebytes, which found a number of things. When I told it to clean it, it asked me to restart, which I did. When I restarted, before I'd get to the Windows screen, I would get a blue screen of death with the following message:

    OXOOOOOO7B
    COXF78A2524
    OXCOOOOO34
    OXOOOOOOOO
    OXOOOOOOOO

    This message also comes up sometimes when I try to get into safe mode recently, but other times it lets me in (although the popups remain, and I still can't run programs). The only way I was able to fix this was to select the option (when pressing F8) to go back into the last known good configuration. However, the virus does remain when Windows pops up (I assume because it's using the old configuration that hasn't been cleaned, which I can't clean because when I restart I get the above error).

    Also, when I try and do a system restore, it goes through the process, and when my computer restarts to complete the process, it tells me that it wasn't able to restore to that point, and to try another date. None of the other dates work either, all giving the same message.

    Appreciate any help I can get
    - Hyru
     
  2. Hyru

    Hyru Private E-2

    Just to confirm, I am able to start my computer and run in safe mode at the moment. It's just when I do a Malwarebytes clean that results in the above blue screen error.

    However, at the moment, I can't get any programs to run (be it in safe mode or not).
     
  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Try and get this to run however you can, but preferably in the way the instructions provide!

    Please download RogueKiller.exe and save it to your desktop.
    • Now quit all running programs.
    • Double click RogueKiller.exe to run it.
    • When prompted, type 1 and hit Enter.
    • A RKreport.txt should appear on your desktop.
    • Note: If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe .
    • Please post the contents of the RKreport.txt in your next Reply.

    Now are you able to run anything of the READ & RUN ME FIRST. Malware Removal Guide :) ?
     
  4. Hyru

    Hyru Private E-2

    Hey,

    thanks for the reply.
    Before your post, I was able to find an RKill that worked... it was from another post which had similar issues to mine. Someone posted 4 different types of RKill... and I was able to get 1 of them to work.

    The problem is, however, that after I run any of the malware programs, like Malwarebytes or even SuperAntiSpy, I get a blue screen when I restart (also when I try to get into safe mode). The only option I have is to go back into "last known good configuration"... in which case Windows loads, but the virus is still there.

    It seems like what is being cleaned by the malware programs is something that is required by my computer to start up... and that's when it spits out the above BSOD OXOOOOOO7B code.

    Any ideas? Should I post the malwarebytes logs?
     
  5. Hyru

    Hyru Private E-2

    Here is what was terminated by rkill in safe mode:
    C:\WINZOWZ\Explorer.EXE
    C:\WINZOWZ\System32\rundll32.exe
    C:\WINZOWZ\System32\runonce.exe
    C:\WINZOWZ\system32\grpconv.exe


    I'll also attach the mbam log...
    I'm gonna go ahead and restart now, but I suspect it will send me to the above BSOD error and require me to load with "last known good configuration" again.


    Edit: wow... no blue screen. So far no signs of virus... we'll see. Any suggestions?
     


    Last edited: Apr 14, 2011
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Run everything from the link that I gave you in post # 3 IF you can. See how far you can get, if something does not work, skip it and move onto next step. :)
     
  7. Hyru

    Hyru Private E-2

    Hi,

    The virus came back,

    I was able to get SuperAntiSpy working, and it finished and rebooted my computer.
    I next ran Malwarebytes, which found 3 files, and asked me to reboot. When I rebooted, it gave me the blue screen with the error from the 1st post. I had to select "last known configuration" to get back into Windows.
    I completed the remainder of the steps with no issues...

    Attached the logs also.
    Thanks for your help... I hope I can get this thing clean!
     


  8. Hyru

    Hyru Private E-2

    Here is:
    # MGlogs.zip


    Thanks! :)
     


  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode

    For your information, files like the below should not be stored in the program files directory.

    • c:\program files\hdaudio_1.00.00.59_xp_vista_win7.exe
    • c:\program files\VP-Female_Install-1.exe
    • c:\program files\MorphVOXPro4_Install-1.exe
    • c:\program files\FVsetup.exe
    • c:\program files\mbam-setup.exe
    • c:\program files\rkill.com
    • c:\program files\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    • c:\program files\iTunesSetup.exe
    • c:\program files\veetle-0.9.17.exe
    • c:\program files\vlc-1.0.3-win32.exe
    • c:\program files\DTLite4355-0068.exe
    • c:\program files\TunaticSetup.exe
    • c:\program files\spybotsd162.exe
    • c:\program files\186283_510503817_6009856_n.jpg
    They should be in a folder of their own somewhere else.

    Java(TM) 6 Update 18 <--- Outdated, uninstall.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    c:\winzowz\Hpogoc.bin
    c:\program files\ComboFix(2).exe
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Application Data\CD06.DA1
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Local Settings\Application Data\1064911305
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Local Settings\Application Data\1381293257
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Local Settings\Application Data\1690083585
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Local Settings\Application Data\176u5ye3ex5ry35el1eh8m2h48
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Local Settings\Application Data\2106004185
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Local Settings\Application Data\2665300149
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Local Settings\Application Data\3597912054
    C:\Documents and Settings\All Users.WINZOWZ\Application Data\1064911305
    C:\Documents and Settings\All Users.WINZOWZ\Application Data\1690083585
    C:\Documents and Settings\All Users.WINZOWZ\Application Data\176u5ye3ex5ry35el1eh8m2h48
    C:\Documents and Settings\All Users.WINZOWZ\Application Data\2106004185
    C:\Documents and Settings\All Users.WINZOWZ\Application Data\2665300149
    C:\Documents and Settings\All Users.WINZOWZ\Application Data\3597912054
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Templates\1064911305
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Templates\1381293257
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Templates\1690083585
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Templates\176u5ye3ex5ry35el1eh8m2h48
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Templates\2106004185
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Templates\2665300149
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Templates\3597912054
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Desktop\CommyFix.exe
    C:\WINZOWZ\Fgupeboyob.dat
    Folder::
    c:\documents and settings\All Users.WINZOWZ\Application Data\iJo28258fLkKm28258
    c:\documents and settings\All Users.WINZOWZ\Application Data\lGe31001oFoNk31001
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now! :)
     
  10. Hyru

    Hyru Private E-2

    Hi again,

    thanks so much for your help.
    Here are the documents requested.

    So far the computer is running fine, although it usually takes a couple days for the virus to return. Hopefully this time it wont at all.

    Please let me know if there are any other steps I should take.

    Thank you :)
     


  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I apologise there was a fault in my script so the bad files were not removed.

    Please complete the below:

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    c:\winzowz\Hpogoc.bin
    c:\program files\ComboFix(2).exe
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Application Data\CD06.DA1
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Local Settings\Application Data\1064911305
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Local Settings\Application Data\1381293257
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Local Settings\Application Data\1690083585
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Local Settings\Application Data\176u5ye3ex5ry35el1eh8m2h48
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Local Settings\Application Data\2106004185
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Local Settings\Application Data\2665300149
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Local Settings\Application Data\3597912054
    C:\Documents and Settings\All Users.WINZOWZ\Application Data\1064911305
    C:\Documents and Settings\All Users.WINZOWZ\Application Data\1690083585
    C:\Documents and Settings\All Users.WINZOWZ\Application Data\176u5ye3ex5ry35el1eh8m2h48
    C:\Documents and Settings\All Users.WINZOWZ\Application Data\2106004185
    C:\Documents and Settings\All Users.WINZOWZ\Application Data\2665300149
    C:\Documents and Settings\All Users.WINZOWZ\Application Data\3597912054
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Templates\1064911305
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Templates\1381293257
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Templates\1690083585
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Templates\176u5ye3ex5ry35el1eh8m2h48
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Templates\2106004185
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Templates\2665300149
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Templates\3597912054
    C:\Documents and Settings\Milad.MILAD-0F77F1C94\Desktop\CommyFix.exe
    C:\WINZOWZ\Fgupeboyob.dat
    Folder::
    c:\documents and settings\All Users.WINZOWZ\Application Data\iJo28258fLkKm28258
    c:\documents and settings\All Users.WINZOWZ\Application Data\lGe31001oFoNk31001
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
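The difference between the two scripts above is the missing File:: header in the first one, so ComboFix had no directive to attach the listed paths to. The checker below is an added example (not from the thread or from ComboFix itself) that flags exactly that fault before a CFScript is dragged onto ComboFix.exe; the sample scripts are constructed from a few of the thread's entries, and the directive names it knows about are only those used in this thread.

```python
"""Sanity-check a ComboFix CFScript: every entry must sit under a directive."""
import re

# Directives used in this thread. KILLALL:: takes no arguments, so any
# path that follows it before another header is an orphaned entry.
DIRECTIVES = {"KILLALL::", "File::", "Folder::", "Registry::"}
PATH_RE = re.compile(r"^[A-Za-z]:\\.+")
REG_RE = re.compile(r"^\[-?HKEY_[A-Z_]+\\.+\]$")


def check_cfscript(text):
    """Return a list of (line_no, problem) tuples; an empty list means OK."""
    problems = []
    section = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            if line not in DIRECTIVES:
                problems.append((no, f"unknown directive {line}"))
            section = line
            continue
        if section in (None, "KILLALL::"):
            problems.append((no, "entry not under a File::/Folder::/Registry:: header"))
        elif section == "Registry::":
            if not REG_RE.match(line):
                problems.append((no, "Registry:: entry is not a [HKEY_...] key"))
        elif not PATH_RE.match(line):
            problems.append((no, f"{section} entry is not an absolute path"))
    return problems


# Constructed sample: a shortened copy of the first script, which lists
# files right after KILLALL:: with no File:: header (the fault in post 9).
FAULTY = """KILLALL::

c:\\winzowz\\Hpogoc.bin
C:\\WINZOWZ\\Fgupeboyob.dat
Folder::
c:\\documents and settings\\All Users.WINZOWZ\\Application Data\\iJo28258fLkKm28258
Registry::
[-HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{5C255C8A-E604-49b4-9D64-90988571CECB}]
"""

# The corrected script from post 11 adds the File:: header before the paths.
FIXED = FAULTY.replace("KILLALL::\n\n", "KILLALL::\n\nFile::\n")

if __name__ == "__main__":
    for name, script in (("faulty", FAULTY), ("fixed", FIXED)):
        print(name, check_cfscript(script) or "OK")
```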
  12. Hyru

    Hyru Private E-2

    Not a problem...

    here are the new logs. :)
     


  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Delete this file and then tell me what problems remain if any.

    C:\Documents and Settings\All Users.WINZOWZ\Application Data\1381293257
     
  14. Hyru

    Hyru Private E-2

    Hi,

    all seems to be well, except now I'm getting an error sound, but there is no message. I only hear the sound. It happens randomly, even when no one's at the computer.

    any ideas?
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Run this and attach the results.

    Using ESET's Online Scanner

    Then do this one more time.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  16. Hyru

    Hyru Private E-2

    Hi,

    sorry for the delayed response - was out of town.
    I seem to have a new problem after removing the malware... my internet connection gets dropped at least once a day, and won't come back unless I restart my computer. This only happens on this particular computer (which is connected directly, not wireless). My modem remains on (and is not the cause of the dropped connection), and all other computers have no problems.
    Also, I am still getting popup tabs in firefox that go to random sites... seems like malware still.

    Here are the requested files
     


  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Now double click the TDSSkiller.exe file to run it (if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator).
    • Allow the application to run and a window will open showing that it is TDSSkiller from Kaspersky
    • Click Start scan
    • It will run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )
     
  18. Hyru

    Hyru Private E-2

    Hi!

    Here is the file...
    I'm also getting a weird Win32 popup error... It points me in the direction of these files when I click on "get detail":
    C:\DOCUME~1\MILAD~1.MIL\LOCALS~1\Temp\WERc7dc.dir00\svchost.exe.mdmp
    C:\DOCUME~1\MILAD~1.MIL\LOCALS~1\Temp\WERc7dc.dir00\appcompat.txt

    Any ideas?
     


  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Now with what TDSSKiller found, all should be well again now. Please describe briefly how things are running.
     
