XP Internet Security virus-worm

[polonus]

For additional removal instruction see here: http://www.bleepingcomputer.com/virus-removal/remove-total-security
Also read these instructions:
http://www.myantispyware.com/2010/03/17/how-to-remove-total-xp-security/

polonus

[Eowyn61Rox]

Thanks Polonus, but after doing everything it said on those two links, my mbam came up with NO infections.  Ugh!  I know they're there.  This is really crazy.   :'(

[Eowyn61Rox]

Can I fix this whole mess by just doing a system restore to a point before my pc was infected?

[essexboy]

your exe files were hijacked - so once this ots fix has run you should be able to get malwarebytes up and running

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code: [Select]

[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> [AVG Safe Search]
< Internet Explorer ToolBars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-65476939-965908490-3720152516-500\] > -> HKEY_USERS\S-1-5-21-65476939-965908490-3720152516-500\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{A057A204-BACC-4D26-9990-79A187E2698E}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{EEE6C35B-6118-11DC-9C72-001320C79847}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-65476939-965908490-3720152516-500\] > -> HKEY_USERS\S-1-5-21-65476939-965908490-3720152516-500\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab [Reg Error: Key error.]
YN -> {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab [Reg Error: Key error.]
YN -> {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab [Reg Error: Key error.]
YN -> {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab [Reg Error: Key error.]
YN -> {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab [Reg Error: Key error.]
YN -> {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab [Reg Error: Key error.]
YN -> {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab [Reg Error: Key error.]
YN -> {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab [Reg Error: Key error.]
YN -> {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} [HKLM] -> http://download.abacast.com/download/files/abasetup161.cab [Reg Error: Key error.]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Program Files\Grisoft\AVG Free\avgamsvr.exe" -> [C:\Program Files\Grisoft\AVG Free\avgamsvr.exe:*:Enabled:avgamsvr.exe]
YN -> "C:\Program Files\Grisoft\AVG Free\avgcc.exe" -> [C:\Program Files\Grisoft\AVG Free\avgcc.exe:*:Enabled:avgcc.exe]
YN -> "C:\Program Files\Grisoft\AVG Free\avginet.exe" -> [C:\Program Files\Grisoft\AVG Free\avginet.exe:*:Enabled:avginet.exe]
YN -> "C:\WINDOWS\system32\svchon32.exe" -> [C:\WINDOWS\system32\svchon32.exe:*:Enabled:Unspecified]
< File Associations - Select to Repair > -> HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>\
YN -> .exe [@ = exefile] -> "C:\Documents and Settings\NetworkService\Local Settings\Application Data\tsu.exe" -a "%1" %*
YN -> .exe [@ = exefile] -> "C:\Documents and Settings\NetworkService\Local Settings\Application Data\tsu.exe" -a "%1" %*
[Files/Folders - Modified Within 30 Days]
NY ->  2ai31mxo783730 -> C:\Documents and Settings\All Users\Application Data\2ai31mxo783730
NY ->  2ai31mxo783730 -> C:\Documents and Settings\Administrator\Local Settings\Application Data\2ai31mxo783730
NY ->  giterdone.exe -> C:\Documents and Settings\Administrator\Desktop\giterdone.exe
NY ->  1298448245 -> C:\Documents and Settings\Administrator\Local Settings\Application Data\1298448245
NY ->  1487563032 -> C:\Documents and Settings\Administrator\Local Settings\Application Data\1487563032
NY ->  1298448245 -> C:\Documents and Settings\All Users\Application Data\1298448245
NY ->  1487563032 -> C:\Documents and Settings\All Users\Application Data\1487563032
[Files - No Company Name]
NY ->  1298448245 -> C:\Documents and Settings\Administrator\Local Settings\Application Data\1298448245
NY ->  1487563032 -> C:\Documents and Settings\Administrator\Local Settings\Application Data\1487563032
NY ->  1298448245 -> C:\Documents and Settings\All Users\Application Data\1298448245
NY ->  1487563032 -> C:\Documents and Settings\All Users\Application Data\1487563032
NY ->  2ai31mxo783730 -> C:\Documents and Settings\Administrator\Local Settings\Application Data\2ai31mxo783730
NY ->  2ai31mxo783730 -> C:\Documents and Settings\All Users\Application Data\2ai31mxo783730
NY ->  2ai31mxo783730 -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\2ai31mxo783730
NY ->  wwwbatch.ini -> C:\WINDOWS\wwwbatch.ini
[Custom Items]
:Files
ipconfig /flushdns /c
C:\Documents and Settings\NetworkService\Local Settings\Application Data\tsu.ex
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.  Post that information back here

I will review the information when it comes back in.

[Eowyn61Rox]

okay Essexboy, here is what OTS gave me after I ran the fix...

on attached notepad.

[essexboy]

What problems are evident now ?