Author Topic: Urgent: Malware Removal, Rogue XP Antivirus 2012  (Read 6965 times)

0 Members and 1 Guest are viewing this topic.

Chrismoskal

  • Guest
Urgent: Malware Removal, Rogue XP Antivirus 2012
« on: July 23, 2011, 10:48:08 AM »
Hey so my computer has what I believe is rogue xp antivirus 2012 and it is preventing me from accessing the internet (on any browser), so I cant download Malwarebytes Anti-Malware onto it. I tried to download it onto a clean computer, and then transferring it over with a usb, by only saving the setup file, but then my infected computer would not run the file, or it said that I did not have permission when I clicked "Run As..." and then I tried running through the setup on the clean computer and transferring all of those files over to my infected computer and then when I tried to run it, it said I was missing a file or a partfile that was needed for it to run.
What to I do?! ???

com155

  • Guest
Re: Urgent: Malware Removal, Rogue XP Antivirus 2012
« Reply #1 on: July 23, 2011, 10:50:10 AM »
boot in safe mode
download mbam from here:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

update it and do a full scan and remove if it finds the tic also post logs on next reply.
« Last Edit: July 23, 2011, 10:51:42 AM by com155 »

com155

  • Guest
Re: Urgent: Malware Removal, Rogue XP Antivirus 2012
« Reply #2 on: July 23, 2011, 10:58:51 AM »
if the above isnt working try this:

download rkill from here:
http://www.bleepingcomputer.com/download/anti-virus/rkill

double click and run it allow it kill all the malware proccesses

after killing them it will generate a log post it here on next reply.

now try using mbam as i said.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37505
  • Not a avast user
Re: Urgent: Malware Removal, Rogue XP Antivirus 2012
« Reply #3 on: July 23, 2011, 11:00:49 AM »
@com155 as usuall you dont read before you post

Quote
and it is preventing me from accessing the internet (on any browser), so I cant download Malwarebytes Anti-Malware onto it




Quote
What to I do?!
wait for Essexboy to respond....
« Last Edit: July 23, 2011, 11:05:21 AM by Pondus »

com155

  • Guest
Re: Urgent: Malware Removal, Rogue XP Antivirus 2012
« Reply #4 on: July 23, 2011, 11:04:40 AM »
well i read it thats why i told to boot in safe mode or try using rkill.

Chrismoskal

  • Guest
Re: Urgent: Malware Removal, Rogue XP Antivirus 2012
« Reply #5 on: July 23, 2011, 01:03:21 PM »
Okay I ended up getting that program to work and it found like 28 Trojans and malware and such, is there any harm in clicking remove selected on all of them? Or is there a chance that it could screw things up terribly if it's attached to something important? I can attach the scan report in the morning, but our clean computer that can Still access the Internet  is in my brothers room and he's asleep now, (it's 6am where I live). Thank you guys for all your help :) I'll check back in a couple hours

com155

  • Guest
Re: Urgent: Malware Removal, Rogue XP Antivirus 2012
« Reply #6 on: July 23, 2011, 01:29:13 PM »
sure go ahead and hit remove selected....

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Urgent: Malware Removal, Rogue XP Antivirus 2012
« Reply #7 on: July 23, 2011, 02:18:25 PM »
Hi lets have a look for the remaining miscreants, do you still have internet access problems ?

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire and post the sharing link.

Download OTS  to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in

%USERPROFILE%\..|smtmp;true;true;true /FP
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
CREATERESTOREPOINT


  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

Chrismoskal

  • Guest
Re: Urgent: Malware Removal, Rogue XP Antivirus 2012
« Reply #8 on: July 23, 2011, 09:50:25 PM »
It Worked! ;D All the warnings stopped, and I can access the internet again, Thank you!
And Here is the log from OTS

http://www.megaupload.com/?d=75OCUQYR


Chrismoskal

  • Guest
Re: Urgent: Malware Removal, Rogue XP Antivirus 2012
« Reply #9 on: July 23, 2011, 09:54:07 PM »
I'm Not Sure if you want this too, but it's the virus log from MBAM

http://www.megaupload.com/?d=0S9NS75S


Thank you guys so much!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Urgent: Malware Removal, Rogue XP Antivirus 2012
« Reply #10 on: July 23, 2011, 10:07:38 PM »
A few remnants to clear

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code: [Select]

[Unregister Dlls]
[Registry - Safe List]
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Owner\Application Data\Mozilla\FireFox\Profiles\3gka7qed.default\prefs.js
YN -> network.proxy.http -> "127.0.0.1"
YN -> network.proxy.http_port -> 61636
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-583907252-1326574676-682003330-1003\] > -> HKEY_USERS\S-1-5-21-583907252-1326574676-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_USERS\S-1-5-21-583907252-1326574676-682003330-1003\] > -> HKEY_USERS\S-1-5-21-583907252-1326574676-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "Nzijeq" -> [rundll32.exe  "C:\WINDOWS\ipiner.dll",Startup]
< Owner Startup Folder > -> C:\Documents and Settings\Owner\Start Menu\Programs\Startup
YY -> ~EmptyValue -> C:\Documents and Settings\Owner\Start Menu\Programs\Startup\17b8d016c8.dat
YY -> ~EmptyValue -> C:\Documents and Settings\Owner\Start Menu\Programs\Startup\17dba54f16c8.dat
[Files/Folders - Modified Within 30 Days]
NY ->  1q3w02a0081j0itg2kw0cccblwwvqskv6d -> C:\Documents and Settings\Owner\Local Settings\Application Data\1q3w02a0081j0itg2kw0cccblwwvqskv6d
NY ->  1q3w02a0081j0itg2kw0cccblwwvqskv6d -> C:\Documents and Settings\All Users\Application Data\1q3w02a0081j0itg2kw0cccblwwvqskv6d
[Files - No Company Name]
NY ->  1q3w02a0081j0itg2kw0cccblwwvqskv6d -> C:\Documents and Settings\Owner\Local Settings\Application Data\1q3w02a0081j0itg2kw0cccblwwvqskv6d
NY ->  1q3w02a0081j0itg2kw0cccblwwvqskv6d -> C:\Documents and Settings\All Users\Application Data\1q3w02a0081j0itg2kw0cccblwwvqskv6d
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.  Post that information back here

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

Chrismoskal

  • Guest
Re: Urgent: Malware Removal, Rogue XP Antivirus 2012
« Reply #11 on: July 24, 2011, 09:13:27 AM »

All Processes Killed
[Registry - Safe List]
Prefs.js: "127.0.0.1" removed from network.proxy.http
Prefs.js: 61636 removed from network.proxy.http_port
Registry value HKEY_USERS\S-1-5-21-583907252-1326574676-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry value HKEY_USERS\S-1-5-21-583907252-1326574676-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Nzijeq deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\17b8d016c8.dat moved successfully.
File ~EmptyValue not found.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\17dba54f16c8.dat moved successfully.
File ~EmptyValue not found.
[Files/Folders - Modified Within 30 Days]
C:\Documents and Settings\Owner\Local Settings\Application Data\1q3w02a0081j0itg2kw0cccblwwvqskv6d moved successfully.
C:\Documents and Settings\All Users\Application Data\1q3w02a0081j0itg2kw0cccblwwvqskv6d moved successfully.
[Files - No Company Name]
File C:\Documents and Settings\Owner\Local Settings\Application Data\1q3w02a0081j0itg2kw0cccblwwvqskv6d not found!
File C:\Documents and Settings\All Users\Application Data\1q3w02a0081j0itg2kw0cccblwwvqskv6d not found!
[Empty Temp Folders]
 
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56504 bytes
 
User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33664 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32879046 bytes
 
User: Owner
->Temp folder emptied: 783314296 bytes
->Temporary Internet Files folder emptied: 47253636 bytes
->Java cache emptied: 3565567 bytes
->FireFox cache emptied: 230391097 bytes
->Google Chrome cache emptied: 67478135 bytes
->Flash cache emptied: 164013 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2402044 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 44701231 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 174971171 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 229136142 bytes
 
Total Files Cleaned = 1,542.00 mb
 
 
[EMPTYFLASH]
 
User: All Users
 
User: Default User
->Flash cache emptied: 0 bytes
 
User: LocalService
 
User: NetworkService
 
User: Owner
->Flash cache emptied: 0 bytes
 
Total Flash Files Cleaned = 0.00 mb
 
Restore point Set: OTS Restore Point (0)
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 07242011_000047

Files\Folders moved on Reboot...
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\M5CJIZQC\background_button_green_full[1].png moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9Q1A6V1L\api[6].html moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9Q1A6V1L\api[7].html moved successfully.
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Chrismoskal

  • Guest
Re: Urgent: Malware Removal, Rogue XP Antivirus 2012
« Reply #12 on: July 24, 2011, 12:15:32 PM »
Quote
It Worked! ;D All the warnings stopped, and I can access the internet again, Thank you!

Problem = solved (unless essexboy tells me I have to something else lol)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Urgent: Malware Removal, Rogue XP Antivirus 2012
« Reply #13 on: July 24, 2011, 12:27:02 PM »
Nope the last bits are now gone - the wierdly named folders contained backup copies of the malware
Quote
C:\Documents and Settings\Owner\Local Settings\Application Data\1q3w02a0081j0itg2kw0cccblwwvqskv6d moved successfully.
C:\Documents and Settings\All Users\Application Data\1q3w02a0081j0itg2kw0cccblwwvqskv6d moved successfully.

Subject to no further problems   :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

 Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset  System Restore points:

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code: [Select]

[Unregister Dlls]
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

Run OTS and hit the cleanup button.  It will remove all the programmes we have used plus itself. 

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

   Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:

SPRING CLEAN
 
Download and run Puran Disc Defragmenter
For the first run I would recommend a boot defrag and disk check


Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
 
Malwarebytes.  Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit To learn more about how to protect yourself while on the internet read our little guide  How did I get infected in the first place ?
Keep safe  :wave:

chris0hiebert

  • Guest
Re: Urgent: Malware Removal, Rogue XP Antivirus 2012
« Reply #14 on: January 06, 2012, 06:23:06 AM »
if the above isnt working try this:

download rkill from here:
http://www.bleepingcomputer.com/download/anti-virus/rkill

double click and run it allow it kill all the malware proccesses

after killing them it will generate a log post it here on next reply.

now try using mbam as i said.

I just want to go on record here, i tried everything from microsoft to IT friends about removing this XP Antivirus 2012 form an XP Pro box and nothing worked until I tried Rkill and Mbam, this information was fantastic and I can't thank you enough. Avast needs to update with ways to catch these kinds of malicious programs...