Page 1 of 2
Results 1 to 15 of 26
  1. #1 RussB (5 Star Lounger, Grand Rapids, Michigan)

    Win XP Home hit with virus (Format HDD) :)

    My sister-in-law, I'll call her Deb, called and asked me to take a look at her PC; it was "acting funny" and she could not get IE or Outlook to work. When I got there I discovered that this had been going on for over a week.
    She could not stop this software from scanning and finding viruses. "Privacy Protection" was running her computer. I went to Malwarebytes to see how to handle it. Well, I thought it would be easy to follow their instructions, but evidently "PP" has been updated and Malwarebytes has not. As soon as MB starts up, even after renaming it to "Explorer", it gets shut down and blocked from being accessed again until it is uninstalled and reinstalled to a different location.
    I do not have a Windows XP Home install CD to attempt a "Repair". I am actively looking for one, but not with much confidence that it will help.
    This one is beating me and I don't like it.
    I have made a boot CD with AVG and scanned the HDD, removing most of the virus, but there remains a 'Trojan' somewhere that keeps adding a service that I cannot stop or prevent. Its name is something like 234987.459265.exe, and it changes on each boot. I see it in Task Manager but cannot stop it or prevent it from starting.

    I have tried "autoruns", "ccleaner", "spybot s&d" and two different utilities for "killing" processes. It always seems to be one step ahead of me.

    Any ideas are welcome.
    Last edited by RussB; 2011-12-05 at 09:45.
    Do you "Believe"? Do you vote? Please Read:
    LEARN something today so you can TEACH something tomorrow.
    DETAIL in your question promotes DETAIL in my answer.
    Dominus Vobiscum <))>(

  2. #2 (4 Star Lounger, Hillsborough (San Francisco Bay area), California, USA)
    Have you tried deleting it in safe mode?

    Zig

  3. #3 Administrator (Portugal)
    I would second Zig's advice - boot in safe mode, usually these apps do not start in safe mode.
    If safe mode doesn't solve it, try a boot disk from one of the AV manufacturers:

    http://windowssecrets.com/windows-se...maged-windows/

  4. #4 CLiNT (Super Moderator, California & Arizona)
    I would make an attempt to kill the processes from within safemode as well. Kill any and all processes that look amiss.
    Use Process Explorer as well as Task Manager to ID them and their root locations, and kill the processes.
    You also need to go into the services section (services.msc) to identify anything amiss.
    To delete a service use: "sc delete servicename" from an elevated command prompt.

    Malwarebytes Anti-Malware Portable
    To make Malwarebytes' Anti-Malware portable is more difficult, as it does NOT run from a USB stick by just copying the application directory! Two system files (mbam.sys & mbamswissarmy.sys), two registered libraries (mbamext.dll & ssubtmr6.dll) and one registered ActiveX control (vbalsgrid6.ocx) are mandatory!

    Malwarebytes Anti-Malware execution behavior:
    Three objects have to be registered: mbamext.dll, ssubtmr6.dll and vbalsgrid6.ocx
    To do so, use the command regsvr32.exe "path\file" (use switch "/s" for 'silent')
    (The files are located in the application directory)
    Two system files have to exist:
    C:\WINDOWS\system32\drivers\mbam.sys
    C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    (These files are copied there during install and you have to take them with you)
    Necessary directories are created automatically:
    %ALLUSERSPROFILE%\Application Data\Malwarebytes\
    %ALLUSERSPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\
    %USERPROFILE%\Application Data\Malwarebytes\
    %USERPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\
    %USERPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\
    %USERPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\
    Necessary files (definitions) are created upon update:
    %ALLUSERSPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\ignore.dat
    %ALLUSERSPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\news.txt
    %ALLUSERSPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
    (Further files like logs are created during operation)
    Settings are saved in the registry (HKCU\Software\Malwarebytes' Anti-Malware)

    Making Malwarebytes Anti-Malware portable:
    1. Install
    2. Copy the application directory to any location you like
    3. Copy mbam.sys & mbamswissarmy.sys from "C:\WINDOWS\system32\drivers\" anywhere you like, to take them with you (e.g. the copied application directory)
    4. Uninstall
    5. Remove the uninstall files (unins000.dat, .exe & .msg) from the copied application directory if you like
    6. Take the application directory anywhere you like
    7. On the host machine copy mbam.sys & mbamswissarmy.sys to "C:\WINDOWS\system32\drivers\"
    8. On the host machine run:
    regsvr32.exe "DRIVE:\PATH\mbamext.dll"
    regsvr32.exe "DRIVE:\PATH\ssubtmr6.dll"
    regsvr32.exe "DRIVE:\PATH\vbalsgrid6.ocx"
    (You will be notified about registration success (or errors); use switch "/s" for silent registration.)
    (You need admin rights for registration to succeed. Do this from an admin account or with elevated rights.)
    9. Run "mbam.exe" from the application directory (not mbamgui.exe)

    Batch to automate the necessary preparation on the host machine:
    (Assuming that all mentioned files, including the batch, are located in the same directory)
    Code:

    @ECHO OFF
    REM %~dp0 is the directory the batch file itself lives in (with a trailing
    REM backslash), so this works even when the batch is started from another
    REM working directory, where %CD% would point at the wrong place.
    COPY "%~dp0mbam.sys" "%SystemRoot%\system32\drivers\mbam.sys"
    COPY "%~dp0mbamswissarmy.sys" "%SystemRoot%\system32\drivers\mbamswissarmy.sys"
    REM Register the three COM objects; add /s to suppress the result dialogs.
    regsvr32.exe "%~dp0vbalsgrid6.ocx"
    regsvr32.exe "%~dp0ssubtmr6.dll"
    regsvr32.exe "%~dp0mbamext.dll"
    (Remember: Administrative rights needed. Use switch "/s" for silent registration)

    Traces left on host system and how to clean up:
    Malwarebytes' definition files, logs etc. are quite small (below 2MB), which is small enough, but the system files and settings in the registry should be removed anyway, and the registered objects should be unregistered in any case!
    This leaves us for complete clean-up with:
    DELETE: "%ALLUSERSPROFILE%\Application Data\Malwarebytes"
    DELETE: "%USERPROFILE%\Application Data\Malwarebytes"
    DELETE: "C:\WINDOWS\system32\drivers\mbam.sys"
    DELETE: "C:\WINDOWS\system32\drivers\mbamswissarmy.sys"
    DELETE: HKCU\Software\Malwarebytes' Anti-Malware
    UNREGISTER: regsvr32.exe /u "DRIVE:\PATH\vbalsgrid6.ocx"
    UNREGISTER: regsvr32.exe /u "DRIVE:\PATH\ssubtmr6.dll"
    UNREGISTER: regsvr32.exe /u "DRIVE:\PATH\mbamext.dll"
    Batch to automate clean-up:
    (Assuming that the batch is located in the same directory as the registered objects. WinXP cmd only! Use DELTREE in DOS instead of RMDIR.)
    Code:

    @ECHO OFF
    RMDIR /S /Q "%ALLUSERSPROFILE%\Application Data\Malwarebytes"
    RMDIR /S /Q "%USERPROFILE%\Application Data\Malwarebytes"
    DEL "%SystemRoot%\system32\drivers\mbam.sys"
    DEL "%SystemRoot%\system32\drivers\mbamswissarmy.sys"
    REM The key name contains a space and an apostrophe, so it must be quoted
    REM or REG only sees "HKCU\Software\Malwarebytes'" and fails.
    REG DELETE "HKCU\Software\Malwarebytes' Anti-Malware" /f
    regsvr32.exe /u "%~dp0vbalsgrid6.ocx"
    regsvr32.exe /u "%~dp0ssubtmr6.dll"
    regsvr32.exe /u "%~dp0mbamext.dll"
    (Remember: Administrative rights needed. Use switch "/s" for silent unregistration)
    The above may be attempted, although it looks like a complicated process.


    Consider a clean install if system is completely hosed.
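
The service triage CLiNT describes above (services.msc, then `sc delete`), as an added example that is not code from any post in this thread: a Python script that reads the output of `sc qc` for every service and flags the ones that look like the self-reinstalling dropper RussB reports, that is, an image name made only of digits and dots, or an image living under a user profile rather than under Windows or Program Files, with auto-start noted on top. The `sc qc` text below is a constructed sample; the service name 234987459265, the file name and the Owner profile path are invented to imitate what RussB saw, and `removal_commands` simply emits the `sc stop` / `sc delete` pair from CLiNT's post.

```python
import re
from typing import Dict, List

# Constructed sample: concatenated `sc qc <name>` output for two services.
# wuauserv is the stock XP Automatic Updates entry; the second imitates the
# numerically named service from the thread. Its name, file and the "Owner"
# profile path are invented for illustration.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Automatic Updates
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : LocalSystem

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: 234987459265
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Documents and Settings\Owner\Application Data\234987.459265.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : 234987459265
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# File names made only of digits and dots, like the one in the thread.
NUMERIC_EXE = re.compile(r"^[\d.]+\.exe$", re.IGNORECASE)
# Where a legitimate service binary normally lives on a stock XP box.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def parse_sc_qc(text: str) -> List[Dict[str, str]]:
    """Turn concatenated `sc qc` output into one {field: value} dict per service."""
    services: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SERVICE_NAME:"):
            current = {"SERVICE_NAME": line.split(":", 1)[1].strip()}
            services.append(current)
        elif current and ":" in line and not line.startswith("[SC]"):
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return services


def image_path(binary_path_name: str) -> str:
    """Strip quotes and arguments from BINARY_PATH_NAME, leaving the executable."""
    s = binary_path_name.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:] if end < 0 else s[1:end]
    # Unquoted paths may contain spaces AND be followed by arguments
    # (svchost.exe -k netsvcs), so cut at the first ".exe" token boundary.
    m = re.match(r"(.*?\.exe)(\s|$)", s, re.IGNORECASE)
    return m.group(1) if m else (s.split() or [""])[0]


def assess(service: Dict[str, str]) -> List[str]:
    """Reasons a service looks like the self-reinstalling dropper; empty if none."""
    reasons: List[str] = []
    path = image_path(service.get("BINARY_PATH_NAME", ""))
    file_name = path.rsplit("\\", 1)[-1]
    if NUMERIC_EXE.match(file_name):
        reasons.append("executable name is only digits and dots: " + file_name)
    if not path.lower().startswith(TRUSTED_PREFIXES):
        reasons.append("image lives outside Windows or Program Files: " + path)
    # Auto-start only matters once something else is already wrong.
    if reasons and "AUTO_START" in service.get("START_TYPE", "").upper():
        reasons.append("starts automatically at every boot")
    return reasons


def suspicious_services(text: str) -> Dict[str, List[str]]:
    """Map each flagged service name to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for svc in parse_sc_qc(text):
        reasons = assess(svc)
        if reasons:
            flagged[svc["SERVICE_NAME"]] = reasons
    return flagged


def removal_commands(service_name: str) -> List[str]:
    """The sc.exe commands from CLiNT's post, for one flagged service."""
    return ['sc stop "%s"' % service_name, 'sc delete "%s"' % service_name]


if __name__ == "__main__":
    for name, reasons in suspicious_services(SAMPLE_SC_QC).items():
        print(name, "\n  - " + "\n  - ".join(reasons))
        print("  " + "\n  ".join(removal_commands(name)))
```

To collect the real input on the XP Home box (which has `sc.exe` but, unlike XP Pro, no `tasklist.exe` or `taskkill.exe`), concatenate `sc qc` for every installed service: `for /f "tokens=1*" %s in ('sc query type= service state= all ^| findstr SERVICE_NAME') do @sc qc "%t" >> services.txt`. Two caveats that match what the thread later found: a service created by a rootkit-hidden dropper may not be listed at all from inside the infected Windows, which is why the offline boot CD got further than anything run in Safe Mode; and `sc delete` on the numbered service alone does nothing lasting, because the component that re-creates it at each boot is still present and has to be found and removed first.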

  5. #5 Medico (Plutonium Lounger, USA)
    A repair install will probably not clear the virus. If the safe mode options do not work, a clean install may be in order. Discuss with your sister-in-law about not clicking on these pop ups. Instead, use the Task Manager to close these uninvited pop ups. Quite often the X in the corner has been reprogrammed to activate the nasty.
    BACKUP...BACKUP...BACKUP
    Have a Great Day! Ted



  6. #6 tonyl (2 Star Lounger, Hampshire (the old one))
    This might be of interest.

    JScher2000 Note: That page's download button downloads "STOPzilla", which you can read about here: http://www2.stopzilla.com/
    Last edited by tonyl; 2011-11-16 at 13:08.

  7. #7 (2 Star Lounger, Calif)

    BleepingComputer Uninstall Guide

    Hi Russ: I recommend you try the procedure recommended by the highly regarded BleepingComputer site, specifically located at http://www.bleepingcomputer.com/viru...acy-protection .
    For the BEST in what counts in Life :

    http://www.ctftoronto.com

  8. #8 RussB (5 Star Lounger, Grand Rapids, Michigan)
    Thank you all VERY much for the help in removing this thing.
    The majority of the virus/malware is gone or cannot be identified.
    However, there is a NASTY after-taste in that this PC cannot access the internet, and what good is a modern PC with that problem?

    I learned that the original "Privacy Protection" virus had been running for over a week before I was involved. I was asked to help when the Internet could no longer be used. Now it has become a challenge that I don't want to lose.

    Anyway. This thing was even in partial control during Safe Mode. What I ended up doing was to make a boot CD with AVG freeware scanning SW. This found a couple dozen Trojans and Worms, of which one of the trojans was in nlsbl.dll (IIRC), which is used in networking. I deleted it and eventually replaced it from a clean location.
    The original system still had a problem, however, as Task Manager still showed a "234xxxxxx.347xxxxxx.exe" that was VERY persistent. I then used a boot CD from Kaspersky and scanned; it found two more trojans. After that I could properly boot the original back to WinXP Home without the "persistent file" in Task Manager. From there Microsoft Security Essentials was re-installed and manually updated. On the first quick scan MSE killed 2 more trojans; finally a full scan came up clean. Then XP Service Pack 3 was re-installed to replace the deleted file(s) and clean it up a little more (I hoped).
    Now on to getting the internet back:
    The boot CD has Firefox on it and that works fine in Linux, so I KNOW the problem is software related.

    Some of what has been done in an effort to get to the internet from this thing:

    I have reset Winsock, flushed DNS, IP and TCP. Updated the NIC driver.
    The HOSTS file is at original and fine.
    It is plugged into the same router as my desktop and I can ping between them.
    Re-installed IE8 and reset everything to defaults.
    Turned off the firewall.
    Plus many things that I can't recall right now. Anyway, here are the symptoms; hopefully someone will give me the silver bullet.

    I noticed that after updating the NIC driver Windows Update said that it was downloading (GREAT, it is fixed). NOT! After a few seconds it was gone again.
    I did get an Error that wanted to report back to Master MS; I said go for it. This came back:
    [screenshot: RunErrorRpt_D.jpg] So, how did that get through?
    Each time the Network is reset the Update Icon shows for about 15-20 seconds.
    Something is turning it back off.
    Here are a couple more screen shots that may bring an idea to someone with more knowledge than I.

    [screenshots: IPConfig_D.jpg, Ports_SIW.jpg]
    This and the open ports report above are from the SIW free version.
    [screenshots: Network_SIW.jpg, NetStats_D.jpg]

    Thanks for looking. Deb & I will be very happy when this is done.
    Last edited by RussB; 2011-11-29 at 13:33.

  9. #9 Administrator (Portugal)
    Does it make sense to consider an XP repair install: http://michaelstevenstech.com/XPrepairinstall.htm ?

  10. #10 Browni (5 Star Lounger, Rochdale, UK)
    If Rui's suggestion doesn't work, a full clean install is seriously recommended.

    You've spent 14 days or so trying to remove malware when a clean install would have taken a couple of hours.

    Sometimes you just need to bite the bullet and take it from there.

  11. #11 RussB (5 Star Lounger, Grand Rapids, Michigan)
    Quote Originally Posted by Browni View Post
    If Rui's suggestion doesn't work, a full clean install is seriously recommended.

    You've spent 14 days or so trying to remove malware when a clean install would have taken a couple of hours.

    Sometimes you just need to bite the bullet and take it from there.
    Very true, that would be the easy way out, just not there yet. BTW I have less than 4 hours total working on this so far.
    I do lots of other things too.
    And as stated this has become a bit of a challenge, man vs. bit, geek vs. hacker.
    Last edited by RussB; 2011-11-29 at 17:35.

  12. #12 jwitalka (Super Moderator, Minnesota)
    Verify that the virus did not set up a proxy server. Go to Control Panel > Internet Options > Connections tab> Lan Settings button and verify "use a proxy server...." is not checked. Also verify that there is nothing in your Hosts file. You can find it at c:\windows\system32\drivers\etc\ . Open it with notepad. You should only see a local hosts entry.

    Jerry
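
jwitalka's two checks (the LAN proxy setting and the hosts file), as an added example that is not from any post in this thread: Python that flags every hosts-file mapping beyond the stock `127.0.0.1 localhost` line and reads the WinINet proxy values out of `reg query` output, then prints the `reg.exe` commands that undo them. Both inputs are constructed samples; the sinkholed hostnames, the 10.1.2.3 address and the local proxy port 5555 are invented. The point of the proxy check: if the rogue had been relaying browsing through a listener on 127.0.0.1 and that process is now gone, IE and everything else that honours the WinINet proxy setting fails while ping and Firefox from the boot CD work, which is the symptom in post #8.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample hosts file (not from the thread's machine). The first
# mapping is the XP default; the rest imitate sinkholing of AV/update sites
# and a redirect to an invented address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       update.microsoft.com
10.1.2.3        www.google.com   # invented redirect
"""

INTERNET_SETTINGS = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Constructed sample of `reg query "<INTERNET_SETTINGS>"` output in the
# tab-separated layout of XP's reg.exe 3.0; the local proxy port is invented.
SAMPLE_REG_QUERY = """\
! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
    ProxyEnable\tREG_DWORD\t0x1
    ProxyServer\tREG_SZ\thttp=127.0.0.1:5555
    ProxyOverride\tREG_SZ\t<local>
    MigrateProxy\tREG_DWORD\t0x1
"""

LOOPBACK = {"127.0.0.1", "::1"}


def hosts_hijacks(hosts_text: str) -> List[Tuple[str, str]]:
    """Return every (address, hostname) pair other than the stock loopback entry.

    A public name mapped to 127.0.0.1 is a sinkhole (blocks AV updates);
    one mapped elsewhere is a redirect. Both are reported.
    """
    found: List[Tuple[str, str]] = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments run to end of line
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            if address in LOOPBACK and name.lower() == "localhost":
                continue
            found.append((address, name))
    return found


# "    Name    REG_TYPE    data" with tabs (XP) or runs of spaces (later reg.exe).
_REG_VALUE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s*(.*?)\s*$")


def parse_reg_query(text: str) -> Dict[str, str]:
    """Map value names to their data from `reg query` output."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = _REG_VALUE.match(line)
        if m:
            values[m.group(1)] = m.group(3)
    return values


def proxy_findings(reg_text: str) -> List[str]:
    """Describe proxy settings that would leave IE unable to reach anything."""
    v = parse_reg_query(reg_text)
    findings: List[str] = []
    server = v.get("ProxyServer", "")
    if int(v.get("ProxyEnable", "0x0"), 16) != 0:
        findings.append("ProxyEnable is on: WinINet clients (IE and friends) use "
                        + (server or "<no ProxyServer>"))
    if re.search(r"127\.0\.0\.1|localhost", server, re.IGNORECASE):
        findings.append("ProxyServer points at this machine, i.e. a listener that may no longer exist")
    if v.get("AutoConfigURL"):
        findings.append("AutoConfigURL (PAC script) is set: " + v["AutoConfigURL"])
    return findings


def proxy_reset_commands() -> List[str]:
    """reg.exe commands that undo the settings above; run them as the affected user."""
    return [
        'reg add "%s" /v ProxyEnable /t REG_DWORD /d 0 /f' % INTERNET_SETTINGS,
        'reg delete "%s" /v ProxyServer /f' % INTERNET_SETTINGS,
        'reg delete "%s" /v AutoConfigURL /f' % INTERNET_SETTINGS,
    ]


if __name__ == "__main__":
    for address, name in hosts_hijacks(SAMPLE_HOSTS):
        print("hosts: %-15s -> %s" % (address, name))
    for finding in proxy_findings(SAMPLE_REG_QUERY):
        print("proxy:", finding)
    print("\n".join(proxy_reset_commands()))
```

On the machine, produce the inputs with `type %SystemRoot%\system32\drivers\etc\hosts` and `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"`. Two things worth checking alongside: TCP/IP reads the hosts file from the directory named in `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath`, so a clean-looking file in drivers\etc proves nothing if that value has been pointed somewhere else; and the hosts file is sometimes left hidden or read-only, so clear those attributes with `attrib -h -r` before editing it.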

  13. #13 Browni (5 Star Lounger, Rochdale, UK)
    Quote Originally Posted by RussB View Post
    Very true, that would be the easy way out, just not there yet. BTW I have less than 4 hours total working on this so far.
    I do lots of other things too.
    And as stated this has become a bit of a challenge, man vs. bit, geek vs. hacker.
    LOL, I do understand the challenge and I will battle like heck to remove the intruder!

    I've not seen anybody mention TDSS Killer yet, maybe worth a try?

  14. #14 jwitalka (Super Moderator, Minnesota)
    TDSS Killer is definitely worth trying, as are SuperAntiSpyware and Microsoft Standalone System Sweeper.

    Jerry

  15. #15 (Lounge VIP, Scotland)
    Quote Originally Posted by vandamme View Post
    My solution to relatives that just can't stop clicking on bad stuff is to install the appropriate flavor of Linux on their machines. All they want to do is surf the web, send email and type letters, without getting tons of viruses, defragging,, crashing, and slowing down. Show them how to run their "new" windows, and you won't hear from them again until you get a Christmas card. Well, you might get email forwards, but that's better than frantic calls to fix their machines.
    Until said relatives try to install any software from the High Street....Don't get me wrong, Linux is great; but in the hands of inexperienced users, I have found it even more of a challenge to support than Windows.


    TDSS Killer is definitely worth trying, as are SuperAntiSpyware and Microsoft Standalone System Sweeper.
    It does sound like a rootkit, and TDSS Killer is a good place to start. Use it in Safe Mode without networking, with wireless turned off or ethernet unplugged. Also look at Sophos Anti-Rootkit too.

    Before all else though, run a System Restore (in safe mode without networking) to a time before the infection - remember to reboot into safe mode to complete the system restore. Then use the tools to clean up the left overs. Only connect to the internet when you are reasonably happy the beast is under control.
    Last edited by Deadeye81; 2012-02-25 at 07:15. Reason: Removed reference to Vandamme quote
