Author Topic: 5 Hours of Complete Pain XP Security 2011  (Read 19606 times)


Probzzie

  • Guest
5 Hours of Complete Pain XP Security 2011
« on: April 06, 2011, 09:16:25 AM »
I have been trying to remove XP Security from a family member's computer by way of remote connection. She is running an HP dv2000 laptop with Windows XP Professional... Complete pain: XP Security loads in safe mode, and every exe opened opens XP Security.

The files I have noticed that play a part are:
Sf.bin pops up; ppd.exe is XP Security 2011. rarfx0.1 and rarfx2 are added to temp while XP Security opens (also found by rkill.exe).
I have tried RogueKiller, renaming it before transferring it or directly downloading; same with rkill. Tried online scanners, and XP Security shuts the browser down and loads itself.
Rkill loads... ppd.exe replicates a dozen times, and even if I leave it alone rkill gets stuck on the temp files mentioned, stating the file or location does not exist.
Msconfig does not work; however, regedit does. Not sure if it's the real registry, but I did get it running.

Avast right now is running a boot-time scan...
If Avast doesn't find anything, where can I find these files for manual deletion, or where do I go from here!!

UPDATE: I haven't tried to run DDS for a log, so tomorrow when I come back from work I'll post it, providing it works. Every program that runs in the CMD tends to make XP Security go crazy.

« Last Edit: April 06, 2011, 09:35:17 AM by -BigBear- »
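The symptom above (every launched .exe starts the rogue instead) is typically produced by a hijacked .exe file association in the registry. The thread itself only reports the symptom and does not name that mechanism, so the following read-only audit is an added example, not something posted in this thread or shipped by any of the tools mentioned. It assumes that the rogue rewrites the `.exe` / `exefile` association (machine-wide under HKEY_CLASSES_ROOT, or as a per-user override under HKCU\Software\Classes) and compares each key with the stock Windows value; it changes nothing, so it is safe to run through a remote session before deciding what to repair.

```powershell
# Added example (not from the thread): read-only audit of the .exe association keys.
# Assumption: the rogue hijacks these keys; the thread only reports the symptom.
# Stock values on a clean Windows XP install:
#   HKCR\.exe                         (default) = exefile
#   HKCR\exefile\shell\open\command   (default) = "%1" %*
# Per-user overrides under HKCU\Software\Classes are normally absent.

$checks = @(
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\.exe';                                           Expected = 'exefile' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command';                     Expected = '"%1" %*' },
    @{ Path = 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe';                          Expected = $null },
    @{ Path = 'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command';     Expected = $null }
)

foreach ($c in $checks) {
    if (-not (Test-Path -LiteralPath $c.Path)) {
        # A missing per-user override is the healthy state; a missing machine key is not.
        if ($c.Expected -eq $null) { "OK       $($c.Path) (absent, as expected)" }
        else                       { "MISSING  $($c.Path)" }
        continue
    }
    # The unnamed (default) value is exposed as the '(default)' property.
    $value = (Get-ItemProperty -LiteralPath $c.Path).'(default)'
    if ($c.Expected -eq $null) {
        "SUSPECT  $($c.Path) exists, default = [$value]"
    } elseif ($value -eq $c.Expected) {
        "OK       $($c.Path) = [$value]"
    } else {
        "SUSPECT  $($c.Path) = [$value]  (expected [$($c.Expected)])"
    }
}
```

A SUSPECT line pointing at a path in the user's temp folder (the same place the ppd.exe and rarfx files were seen) is the pattern to look for; any value that is not the stock one should be recorded before the cleanup tools are run, so the original state is known if something needs to be restored.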

Offline Pondus

  • Probably Bot
  • Posts: 37532
  • Not a avast user
Re: 5 Hours of Complete Pain XP Security 2011
« Reply #1 on: April 06, 2011, 12:14:24 PM »
Read it all before you start.

Remove XP Anti-Spyware 2011, Vista Security 2011, and Win 7 Internet Security 2011 (Uninstall Guide)
http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011

Probzzie

  • Guest
Re: 5 Hours of Complete Pain XP Security 2011
« Reply #2 on: April 06, 2011, 02:52:32 PM »
I understand, but rkill was unsuccessful in removing the rogue.
She does not have a secondary computer from which these files could be transferred. Regardless, I had the above-mentioned file running, and it closed due to an error with locating or deleting from temp (rarfx01, 02).
« Last Edit: April 06, 2011, 03:07:14 PM by -BigBear- »

Offline Pondus

  • Probably Bot
  • Posts: 37532
  • Not a avast user
Re: 5 Hours of Complete Pain XP Security 2011
« Reply #3 on: April 06, 2011, 03:25:27 PM »
rKill will not remove the rogue, as it is a Malware Process Terminator.... You run it to help start Malwarebytes if it is blocked.

Part 1  http://www.brighthub.com/computing/smb-security/articles/59807.aspx
Part 2  http://www.brighthub.com/computing/smb-security/articles/59799.aspx
« Last Edit: April 06, 2011, 03:30:56 PM by Pondus »

Probzzie

  • Guest
Re: 5 Hours of Complete Pain XP Security 2011
« Reply #4 on: April 06, 2011, 03:31:10 PM »
I know that, I know it just removes the process; I have used rkill numerous times before.
But it will not even remove the process for me to try to disinfect anything. See what I'm saying?

Malwarebytes is blocked. When I run rkill.exe, or even eXplorer.exe or one of the many other file names they have to offer (including renaming it before download), it still errors, indicating it cannot find the files in the temp folder, that is C:/Owner/localsettings/temp
« Last Edit: April 06, 2011, 03:33:36 PM by -BigBear- »

Offline Pondus

  • Probably Bot
  • Posts: 37532
  • Not a avast user
Re: 5 Hours of Complete Pain XP Security 2011
« Reply #5 on: April 06, 2011, 03:34:54 PM »
OK, are you able to run OTS?


Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs HERE in this topic and not in the guide )


To avoid using multiple posts with copy and paste, you have to attach the logs.

Lower left corner: Additional Options > Attach (OTS log)


I will notify Essexboy so he will look at this when he arrives here later.


Probzzie

  • Guest
Re: 5 Hours of Complete Pain XP Security 2011
« Reply #6 on: April 06, 2011, 03:37:35 PM »
Thank you Pondus, I will attempt an OTS log. Right now it is lagging its way through a boot-time scan,
which so far has only found win32-kryptik-agv; that is the only infection found so far, and it is at 40%. Now I'm curious, will Avast find this?
« Last Edit: April 06, 2011, 03:47:40 PM by -BigBear- »

Probzzie

  • Guest
Re: 5 Hours of Complete Pain XP Security 2011
« Reply #7 on: April 06, 2011, 05:27:52 PM »
OTS seems to freeze on the first object scanned: CD drive settings. Even after disconnecting the remote connection and leaving the PC unused, the program doesn't seem to want to respond.

Mdnsresponder.exe
SMagent.exe: other files that may be associated with the above infection.

Probzzie

  • Guest
Re: 5 Hours of Complete Pain XP Security 2011
« Reply #8 on: April 06, 2011, 05:53:21 PM »
Found ravmon.exe on her mp3 player. Also, when trying rkill.exe again, net.exe and net1.exe showed up until rkill displayed "Cannot readC:/LOCAL~DOCUME~TEMP!RKSlog.tsk".

So OTS was unsuccessful, and when trying to walk her through safe mode she says that when trying to run ComboFix it says "A device connected is not functioning properly", even when the file is on the disc.

RKILL: Works if I end the ppd.exe task a few times (initiating the rkill program executes numerous copies of ppd.exe).
Ending a few of these results in the program booting up; it then scans for malware processes, cannot read the temp files, and stops the scan with no processes terminated.
« Last Edit: April 06, 2011, 06:08:29 PM by -BigBear- »

Probzzie

  • Guest
Re: 5 Hours of Complete Pain XP Security 2011
« Reply #9 on: April 06, 2011, 06:37:13 PM »
OK, I have a pic of a folder I found running most of these little .exe files:
C:\32788R22FWJFW
I have a picture of the files in this folder; is this a legit program or the culprit? Notice the circled registry.


EDIT: I now know this is ComboFix.
« Last Edit: April 06, 2011, 08:25:41 PM by -BigBear- »

Probzzie

  • Guest
Re: 5 Hours of Complete Pain XP Security 2011
« Reply #10 on: April 06, 2011, 08:24:25 PM »
Okay, RogueKiller loads and removes 4 processes,
3 of them being TeamViewer and one being ComboFix, which was frozen.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: 5 Hours of Complete Pain XP Security 2011
« Reply #11 on: April 06, 2011, 08:38:32 PM »
Hi, the programme you ran, was it called RogueKiller or RK? As both programmes are slightly different.

This one will on the first run identify what it believes to be malware and stop all processes, thereby enabling you to run OTS. If you still have problems running OTS, then use option 2 on RogueKiller and it will delete what it believes to be malicious. If it makes an error, we can restore the file.

Download RogueKiller to your desktop
 
  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 1 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

THEN

Run OTS and attach the log

Probzzie

  • Guest
Re: 5 Hours of Complete Pain XP Security 2011
« Reply #12 on: April 06, 2011, 08:40:48 PM »
I tried both. Rkill couldn't access temp file rarfx0.1,

and RogueKiller found four processes; three were TeamViewer processes and one was combofix.exe (which had frozen before I loaded RogueKiller).

Running in safe mode and double-clicking brings up "Open with...",
and "Run as" brings up "Access is denied".
« Last Edit: April 06, 2011, 08:46:27 PM by -BigBear- »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: 5 Hours of Complete Pain XP Security 2011
« Reply #13 on: April 06, 2011, 08:50:44 PM »
Download this programme to your desktop, right-click and select Install. Nothing will appear to happen; it will just do its job.

Then try to run OTS from safe mode

Probzzie

  • Guest
Re: 5 Hours of Complete Pain XP Security 2011
« Reply #14 on: April 06, 2011, 08:59:16 PM »
Download: run the program and then RESTART in safe mode? Or run the program and then OTL, all in safe mode?
« Last Edit: April 06, 2011, 09:01:59 PM by -BigBear- »