Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

XP Security 2011 Infestation

Re: XP Security 2011 Infestation

Post by Cypher » March 24th, 2011, 4:04 pm

Hi.
Just follow all my instructions then report back once done :)

Re: XP Security 2011 Infestation

Post by Denske » March 24th, 2011, 8:43 pm

Cypher,

With regard to deleting the malware icon from the system tray, I can't seem to do it. It doesn't show up in /start/all programs, it doesn't appear in control panel add/remove programs and a right click on the icon only gives me the chance to delete, only "open" or go to "Microsoft Security Center." As it is presently disabled, I don't want to do anything to wake it up until we get the threats eliminated. There appear to be 19 of them, as you will see from the log file listing below. The computer seems to be working normally at the moment.

Denske

ESET Online scan log output:

ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=1
esets_scanner_update returned -1 esets_gle=1
esets_scanner_update returned -1 esets_gle=1
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=4d1188704647d945be2db8ce255c65ee
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-03-25 12:11:03
# local_time=2011-03-24 08:11:03 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 15829967 15829967 0 0
# compatibility_mode=1797 16775141 100 93 0 37412245 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=40064
# found=19
# cleaned=0
# scan_time=3121
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\11\3c8cd8cb-7101ab13 Win32/Adware.SystemSecurity.AD application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\20\1a579fd4-7d0e7e0e a variant of Win32/Kryptik.LVA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\5\5435e05-18444ad7 a variant of Win32/Kryptik.LWJ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\56\664fddf8-1f4a2386 a variant of Win32/Kryptik.LXI trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\User\Local Settings\Application Data\gxx.exe.vir a variant of Win32/Kryptik.LXI trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\User\Local Settings\Application Data\krj.exe.vir a variant of Win32/Kryptik.LXI trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\User\Local Settings\Application Data\nsi.exe.vir a variant of Win32/Kryptik.LWJ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\User\Local Settings\Application Data\psu.exe.vir a variant of Win32/Kryptik.LWJ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{20176D02-4AD7-40FD-8F7B-BF65468FAD41}\RP66\A0006561.rbf Win32/Adware.Toolbar.Dealio application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{20176D02-4AD7-40FD-8F7B-BF65468FAD41}\RP66\A0006566.rbf a variant of Win32/Adware.Toolbar.Dealio application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{20176D02-4AD7-40FD-8F7B-BF65468FAD41}\RP66\A0006567.rbf a variant of Win32/Adware.Toolbar.Dealio application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{20176D02-4AD7-40FD-8F7B-BF65468FAD41}\RP66\A0006568.rbf probably a variant of Win32/Adware.Toolbar.Dealio application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{20176D02-4AD7-40FD-8F7B-BF65468FAD41}\RP89\A0009873.exe Win32/Adware.SystemSecurity.AD application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{20176D02-4AD7-40FD-8F7B-BF65468FAD41}\RP90\A0010099.exe a variant of Win32/Kryptik.LVA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{20176D02-4AD7-40FD-8F7B-BF65468FAD41}\RP90\A0010100.exe a variant of Win32/Kryptik.LVA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{20176D02-4AD7-40FD-8F7B-BF65468FAD41}\RP90\A0010262.exe a variant of Win32/Kryptik.LWJ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{20176D02-4AD7-40FD-8F7B-BF65468FAD41}\RP90\A0010263.exe a variant of Win32/Kryptik.LWJ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{20176D02-4AD7-40FD-8F7B-BF65468FAD41}\RP90\A0010706.exe a variant of Win32/Kryptik.LXI trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{20176D02-4AD7-40FD-8F7B-BF65468FAD41}\RP90\A0010707.exe a variant of Win32/Kryptik.LXI trojan (unable to clean) 00000000000000000000000000000000 I

Re: XP Security 2011 Infestation

Post by Denske » March 24th, 2011, 8:46 pm

Denske wrote:
> With regard to deleting the malware icon from the system tray, I can't seem to do it. It doesn't show up in /start/all programs, it doesn't appear in control panel add/remove programs and a right click on the icon only gives me the chance to delete, only "open" or go to "Microsoft Security Center."

Should have said: doesn't give me the chance to delete

Re: XP Security 2011 Infestation

Post by Cypher » March 25th, 2011, 2:38 pm

Hi Denske.
What the ESET scan found will be dealt with later when I give you final instructions.
That just leaves us with the system tray icon.
Please check the folder below and see if XP Security 2011 is listed; if it is, delete it, then reboot your computer.
C:\WINDOWS\All Users\Start

Re: XP Security 2011 Infestation

Post by Denske » March 25th, 2011, 9:28 pm

Hi Cypher,

Good news/bad news. Well, mostly good, I think.

The file was buried quite a bit deeper than you suggested, but I found it, deleted it and then rebooted. The interesting thing is that the disabled icon still appears in the system tray, but the file still appears to be gone, so that's good. Anyway, I think I'm ready for the next step.

Denske

Re: XP Security 2011 Infestation

Post by Cypher » March 26th, 2011, 6:25 am

Hi Denske.
> The interesting thing is that the disabled icon still appears in the system tray.

Let's try the following to see if we can disable it.

Please download CCleaner from Here and save it to your Desktop.
When the file has been saved, go to your Desktop and double-click on ccsetupxxx_
Follow the prompts to install the program.

Now launch CCleaner and click Tools > Startup.
Highlight the offending icon in the list and click Disable then reboot your computer.
Let me know if that worked.
You can keep CCleaner to clean out temp files.
CAUTION: Please do NOT use the "Registry" button in the left pane.
This is a built-in registry cleaner. Removing certain entries can render your computer inoperable!

Re: XP Security 2011 Infestation

Post by Denske » March 26th, 2011, 9:59 am

Cypher,

I downloaded, installed and ran CCleaner, but I don't see what you described in your last post.

The program is version 3.05.1408.

When I run it and click on tools > startup, the window that opens does not include icons. It is a list of programs, none of which look like the "security" malware. There is an option to create a text file, so I did that and am pasting it below. I have a screen shot showing the open CCleaner window and the icon in the system tray if you want me to send it.

Denske


Following listing is text output of CCleaner v3.05.1408, selecting tools > startup

Yes HKLM:Run RTHDCPL RTHDCPL.EXE
Yes HKLM:Run EDS C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
Yes HKLM:Run IgfxTray C:\WINDOWS\system32\igfxtray.exe
Yes HKLM:Run HotKeysCmds C:\WINDOWS\system32\hkcmd.exe
Yes HKLM:Run Persistence C:\WINDOWS\system32\igfxpers.exe
Yes HKLM:Run SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Yes HKLM:Run DMHotKey C:\Program Files\Samsung\Easy Display Manager\DMLoader.exe
Yes HKLM:Run BatteryManager C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
Yes HKLM:Run MagicKeyboard C:\Program Files\SAMSUNG\MagicKBD\PreMKBD.exe
Yes HKLM:Run Malwarebytes Anti-Malware (reboot) "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
Yes HKLM:Run avgnt "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
Yes HKLM:Run SunJavaUpdateSched "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
Yes HKLM:Run Adobe Reader Speed Launcher "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
Yes HKLM:Run Adobe ARM "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
Yes Startup Common Bluetooth.lnk C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
Yes Startup User OpenOffice.org 3.1.lnk C:\Program Files\OpenOffice.org 3\program\quickstart.exe

Re: XP Security 2011 Infestation

Post by Cypher » March 26th, 2011, 11:26 am

Hi Denske.
Can you post a screenshot of the icon in your system tray, please?

Re: XP Security 2011 Infestation

Post by Denske » March 26th, 2011, 12:19 pm

Hi, Cypher,

Screenshot is attached. It includes the open CCleaner window showing what I described in the previous post.

The offending icon is the shield-shaped one between the wi-fi and the bluetooth icons. When it was active it had Windows-like colors. Now if I stop the cursor arrow over it a label opens: "Windows Security Alerts." If I right-click on it the label says:

Open Security Center
Go to Microsoft Security Web Site


Denske

Re: XP Security 2011 Infestation

Post by Cypher » March 26th, 2011, 12:52 pm

Hi.
There doesn't seem to be a screen shot attached.
Let's try reinstalling Malwarebytes to see if you can update it, and run a Full scan this time.

Uninstall programs
  • Click on Start.
  • All programs.
  • Accessories.
  • Run.
  • In the open text box copy/paste appwiz.cpl Then click Ok.
  • Uninstall the following
Malwarebytes' Anti-Malware

Now reboot your PC.

Next.

  • Download and run This utility
  • it will ask to restart your computer (please allow it to).

Next.

Please download RogueKiller.exe and save it to your desktop.

  • Now quit all running programs.
  • Double click RogueKiller.exe to run it.
  • When prompted, type 1 and hit Enter.
  • A RKreport.txt should appear on your desktop.
  • Note: If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe.
  • Please post the contents of the RKreport.txt in your next Reply.

Next.

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware and save to your desktop.

  • Double-click the randomly named setup.exe, then follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Re: XP Security 2011 Infestation

Post by Denske » March 26th, 2011, 5:59 pm

Cypher,

It seems that everything ends up more complicated than expected. This link http://mbam.malwarebytes.org/program/random.php (copied from your post) yielded a "Not Found" page. Does it matter that the new Malwarebytes comes from a particular link or can I get it from the Malwarebytes site?

Re: XP Security 2011 Infestation

Post by Cypher » March 27th, 2011, 5:46 am

Hi Denske.
Sorry about that.
Try downloading it from This link

Re: XP Security 2011 Infestation

Post by Denske » March 27th, 2011, 9:31 am

Hi Cypher,

That worked better. Thanks. Here are the requested files. Mbam did find files in the C:\system volume information folder, and I left them alone, as requested.

Denske

RogueKiller V4.3.4 by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion- ... ntees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: user [Admin rights]
Mode: Scan -- Date : 03/26/2011 13:12:36

Bad processes: 0

Registry Entries: 0

HOSTS File:
127.0.0.1 localhost


Finished : << RKreport[1].txt >>
RKreport[1].txt

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6182

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/27/2011 8:34:08 AM
mbam-log-2011-03-27 (08-34-08).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 179466
Time elapsed: 16 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\user\application data\Sun\Java\deployment\cache\6.0\5\5435e05-18444ad7 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\user\application data\Sun\Java\deployment\cache\6.0\11\3c8cd8cb-7101ab13 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\user\application data\Sun\Java\deployment\cache\6.0\20\1a579fd4-7d0e7e0e (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\user\application data\Sun\Java\deployment\cache\6.0\56\664fddf8-1f4a2386 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\user\local settings\application data\gxx.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\user\local settings\application data\krj.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\user\local settings\application data\nsi.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\user\local settings\application data\psu.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{20176d02-4ad7-40fd-8f7b-bf65468fad41}\RP66\A0006567.rbf (Adware.WidgiToolbar) -> Not selected for removal.
c:\system volume information\_restore{20176d02-4ad7-40fd-8f7b-bf65468fad41}\RP90\A0010099.exe (Trojan.FakeAlert) -> Not selected for removal.
c:\system volume information\_restore{20176d02-4ad7-40fd-8f7b-bf65468fad41}\RP90\A0010100.exe (Trojan.FakeAlert) -> Not selected for removal.
c:\system volume information\_restore{20176d02-4ad7-40fd-8f7b-bf65468fad41}\RP90\A0010262.exe (Trojan.FakeAlert) -> Not selected for removal.
c:\system volume information\_restore{20176d02-4ad7-40fd-8f7b-bf65468fad41}\RP90\A0010263.exe (Trojan.FakeAlert) -> Not selected for removal.
c:\system volume information\_restore{20176d02-4ad7-40fd-8f7b-bf65468fad41}\RP90\A0010706.exe (Trojan.FakeAlert) -> Not selected for removal.
c:\system volume information\_restore{20176d02-4ad7-40fd-8f7b-bf65468fad41}\RP90\A0010707.exe (Trojan.FakeAlert) -> Not selected for removal.
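The ESET log posted on March 24th and the Malwarebytes log above list the same files, and every one of them sits in a System Restore snapshot, in ComboFix's Qoobox quarantine, or in the Java deployment cache rather than anywhere it could run. The script below is an added example, not a tool from this thread or from ESET or Malwarebytes: it parses both one-line-per-detection formats and sorts each hit by location, so that "found=19, cleaned=0" can be read as inert copies versus live files. The sample lines are copied from the two posted logs except for one constructed line marked as such; the location categories, and the assumption that ComboFix mirrors a file's original path under Qoobox\Quarantine\<drive>\ with a .vir suffix, are this example's own.

```python
"""Triage ESET Online Scanner and Malwarebytes 1.50 log lines by file location.

Added example for this thread. Hits inside System Restore snapshots, the
ComboFix (Qoobox) quarantine or the Java deployment cache are inert copies;
anything elsewhere is reported as a live file that still needs attention.
"""
import re
from collections import Counter

# ESET Online Scanner finding, as in the posted log:
#   <path> <detection name> (<action>) <32-hex id> <flag>
ESET_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<name>(?:(?:probably )?a variant of )?Win32/\S+ \w+)\s+"
    r"\((?P<action>[^)]+)\)\s+[0-9A-Fa-f]{32}\s+\S+$"
)

# Malwarebytes "Files Infected:" finding, as in the posted log:
#   <path> (<detection name>) -> <action>.
MBAM_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$"
)

# Assumed ComboFix quarantine layout: <drive>:\Qoobox\Quarantine\<orig drive>\<orig path>.vir
QOOBOX_PREFIX = re.compile(r"^[A-Za-z]:\\qoobox\\quarantine\\([A-Za-z])\\", re.I)


def classify(path):
    """Return where a detected file lives; unknown locations count as live."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"        # System Restore snapshot; cleared by flushing restore points
    if "\\qoobox\\quarantine\\" in p:
        return "combofix_quarantine"  # already neutralised by ComboFix (.vir)
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java_cache"           # cached by the Java plug-in; cleared from the Java control panel
    return "live"                     # on disk where it can run


def original_path(quarantined):
    """Recover the pre-quarantine path of a Qoobox entry (assumed layout above)."""
    m = QOOBOX_PREFIX.match(quarantined)
    if not m:
        return quarantined
    rest = quarantined[m.end():]
    if rest.lower().endswith(".vir"):
        rest = rest[:-4]
    return f"{m.group(1).upper()}:\\{rest}"


def parse_line(line):
    """Parse one ESET or MBAM finding; return (path, name, action) or None."""
    line = line.strip()
    for rx in (ESET_LINE, MBAM_LINE):
        m = rx.match(line)
        if m:
            return m.group("path"), m.group("name"), m.group("action")
    return None


def triage(lines):
    """Count findings per location and collect the paths that are live."""
    counts = Counter()
    live = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue            # headers, blank lines, anything not a finding
        path = parsed[0]
        cat = classify(path)
        counts[cat] += 1
        if cat == "live":
            live.append(path)
    return counts, live


# Sample input: four lines copied from the ESET and MBAM logs posted in this
# thread, plus one constructed line (not from the thread) to show a live hit.
SAMPLE = [
    r"C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\11\3c8cd8cb-7101ab13 Win32/Adware.SystemSecurity.AD application (unable to clean) 00000000000000000000000000000000 I",
    r"C:\Qoobox\Quarantine\C\Documents and Settings\User\Local Settings\Application Data\gxx.exe.vir a variant of Win32/Kryptik.LXI trojan (unable to clean) 00000000000000000000000000000000 I",
    r"C:\System Volume Information\_restore{20176D02-4AD7-40FD-8F7B-BF65468FAD41}\RP66\A0006568.rbf probably a variant of Win32/Adware.Toolbar.Dealio application (unable to clean) 00000000000000000000000000000000 I",
    r"c:\system volume information\_restore{20176d02-4ad7-40fd-8f7b-bf65468fad41}\RP90\A0010099.exe (Trojan.FakeAlert) -> Not selected for removal.",
    # constructed example, not from the thread: a rogue still in the user profile
    r"C:\Documents and Settings\User\Local Settings\Application Data\abc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.",
]

if __name__ == "__main__":
    counts, live = triage(SAMPLE)
    print(dict(counts))
    for p in live:
        print("LIVE:", p)
    print("ran from:", original_path(parse_line(SAMPLE[1])[0]))
```

Feed the whole log through `triage()`; the parser skips the `#` header lines and summary text on its own. `classify()` is deliberately conservative: any path it does not recognise is reported as live, so a hit in an unfamiliar location gets looked at rather than dismissed. `original_path()` turns a Qoobox entry back into the location the file ran from, which here points at the Local Settings\Application Data folder the three-letter rogue executables were dropped in.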

Re: XP Security 2011 Infestation

Post by Cypher » March 27th, 2011, 10:06 am

Hi Denske.
Let me know if the tray icon is still there after doing the following.

SC Reset:

  • Open Notepad.
  • Copy and paste everything from the code box below into Notepad: <-- Start >> Run... type in notepad and select OK
  • Do not include the word Code:
Code:
rem Rebuild the WMI repository; Security Center reads its status through WMI.
net stop winmgmt
rem rd needs /s to remove a non-empty folder; it asks "Are you sure (Y/N)?" first.
rd /s %systemroot%\system32\wbem\repository
net start winmgmt
  • Go to File >> Save As
  • Save File name as "reset.bat" <-- Make sure to include the quotes.
  • Change Save as Type to All Files and save the file to your Desktop.

Double-click on reset.bat. A command window will open; when prompted, type in Y then hit the Enter/Return key.

When completed the command window will close. Reboot your computer. <-- Make sure you do this.

Re: XP Security 2011 Infestation

Post by Denske » March 27th, 2011, 2:16 pm

Hi, Cypher,

Another goodnews/badnews story.

When I ran the "reset.bat" file it made the shield icon in the system tray disappear, but when I shut down the computer and then rebooted, it was back again. Still disabled.

By the way, the intended attachment of the screenshot didn't work a few posts back because the file was too large. I think you probably know what shield I have been talking about (judging by the reset batch file) but the attached .jpg will show you what I am seeing in the tray.

Denske

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware