Virus started as XP Total Security now Window

Solved/Closed
debbiewake - Apr 27, 2011 at 04:40 PM
debbiewake Posts 10 Registration date Friday April 29, 2011 Status Member Last seen May 4, 2011 - May 4, 2011 at 05:09 PM
Hello,

I recently inadvertently let in a virus that called itself XP Total Security. I am using Windows XP and was using Microsoft Security Essentials for protection. OOPS!
After using another computer to search Bleeping Computer Forums, I managed to download RKill and Malwarebytes. I have run both several times. Malwarebytes seems to remove the virus but when I re-boot it is back but with a different name. Now it is Windows Security Alerts. It has also hijacked my browser and will not let me do normal searches in my browser (Firefox) without re-directing to various other sites. I'm not sure what else to try. Now whatever the virus is - it is affecting non-web usage. While working on documents in Word or Excel, my computer will freeze and the only way I can move is to power down and then power back up.

I have also now tried Spybot and AVG. Even though they say they find trojans to remove - I am still having massive problems. Most of the time I can not log onto the internet and when I try to use System Restore - it either doesn't open or I get a pop up box that says System Recovery will not help me and then it exits. Please can anyone help?
21 responses

Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,172
Apr 27, 2011 at 04:47 PM
To help you, I must make a diagnostic and to do so, I require a log.

Open this link and download ZHPDiag :

https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html


Register the file on your Desktop.

Double click on ZHPDiag.exe and follow the instructions.

The tool creates two icons, ZHPDiag and ZHPFix (we will use ZHPFix at the next step).

Double click on the shortcut ZHPDiag on your Desktop.

Click on the magnifying glass and run the analysis.

Wait for the tool to finish (this may take a long time).

Close ZHPDiag.


To transmit the report, click on this link :

https://authentification.site

Click on Parcourir and search the directory where you installed ZHPDiag (usually C:\Program Files\ZHPDiag).

Select the file ZHPDiag.txt.

Click on "upload".

Copy the url and post it here

Catch you and the viruses later
0
Below is the message I get every time I try to upload to Speedy Share -

The connection was reset

The connection to the server was reset while the page was loading.

* The site could be temporarily unavailable or too busy. Try again in a few
moments.

* If you are unable to load any pages, check your computer's network
connection.

* If your computer or network is protected by a firewall or proxy, make sure
that Firefox is permitted to access the Web.
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,172
Apr 28, 2011 at 04:01 AM
Debbie

Try it again, the problem seems to have been temporary. Let me know
0
Tried again several times but still get same message. Is there another way to upload the report?
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,172
Apr 28, 2011 at 04:07 PM
Debbie,

Try Rapidshare:

https://www.rapidshare.com/

Please advise me when you send the url to me in separate message, just in case I miss it.
0
I was able to upload with Rapid Share. Here is the url.

https://rapidshare.com/files/459759414/ZHPDiag.Txt
0
debbiewake Posts 10 Registration date Friday April 29, 2011 Status Member Last seen May 4, 2011
Apr 29, 2011 at 09:11 AM
Here is the URL - https://rapidshare.com/files/459759414/ZHPDiag.Txt
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,172
Apr 29, 2011 at 04:00 PM
Debbie,

I'm having problems with Rapidshare. It's the pits! Paste the entire log here please.
0
debbiewake Posts 10 Registration date Friday April 29, 2011 Status Member Last seen May 4, 2011
Apr 29, 2011 at 07:18 PM
I tried to paste it here but it kept saying syntax error. I uploaded to MegaVideo.
Try this link - http://www.megaupload.com/?d=DD9PUPUG

Hopefully this will work. It feels like the computer demons are trying to block my every avenue to get rid of them! :)
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,172
Apr 30, 2011 at 04:30 AM
Got it! Stand by for my analysis.
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,172
Apr 30, 2011 at 05:01 AM
Dear Debbie

The log shows the following infections:

FakeAlert, BT, Rogue, Rootkit, spyware, adware.

The system was infected from the following site: www.ask.com and www.websearch.ask.com and possibly from Graboid Video PeerToPeer TV and most likely from FrostWire Gnutella.

ask.com has been placed in Kioskea security expert's blacklist as a major source of infection.

Your system is badly infected to the point where we would need to run several tools and again do some manual operations in the registry.

I shall prescribe to you a very powerful medicinal compound that is able to kill and send any virus to the glue factory. It is of very last resort and should not be abused; as a matter of fact, once you have used it, I suggest you delete it from your system.

To keep your system safe, you must follow the instructions hereunder to the letter:

First step, boot your system in safe mode with networking

1. Download Combofix to your desktop.

http://www.combofix.org/download.php

2. Close all open windows including this one.

Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

3. Double click on the ComboFix icon.

Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.

4. Accept the disclaimer and the recovery

5. You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer.

ComboFix will disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings.

If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.

During the process, please do not mouse click nor must you tap on the keyboard. Let the tool run.

6. Reboot the system and create a new restore point which you can name...let's see...yes, name it Ambucias. This way you will know that it's a safe date to return to in case of problems.

Once you are done, report to me on how your system is behaving.

Good luck

Ambucias
0
debbiewake Posts 10 Registration date Friday April 29, 2011 Status Member Last seen May 4, 2011
Apr 30, 2011 at 11:04 AM
Thank You! Things seem to be moving very well and my browser is no longer being hijacked. The small red shield icon is still in the tray on my desktop, however. It says it is Windows Security Alerts. I had never seen this icon before all of the problems started. Should I still be concerned?

Also, what do you advise as the best protection to prevent future problems? Currently I have Microsoft Security Essentials and also Malwarebytes. During this mess I tired Spybot, Avast, and AVG. I have deleted Graboid and will never again use Frostwire. Ask.com has been attached to other things but I will watch for it in the future and won't download anything that is associated with it.

Again - I can't thank you enough for taking the time to help me!
0
debbiewake Posts 10 Registration date Friday April 29, 2011 Status Member Last seen May 4, 2011
Apr 30, 2011 at 11:26 AM
I was wrong! My browser page looked funny so I went to options and my home page was listed as ask.com. It is still lurking around!
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,172
Apr 30, 2011 at 03:53 PM
Debbie,

Rerun Rkill in the following manner:

You must kill the evil processes which the virus is presently running and preventing you from running any antivirus. If you don't, it will keep reproducing the files for ever.

To kill the processes:

1. Download to your desktop and run Rogue Kill:

https://download.bleepingcomputer.com/grinler/rkill.com

2. You should now see a window that shows all of your desktop icons, including the rkill.com program.

3. Double-click on the rkill.com in order to automatically attempt to stop any processes associated with the Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step.

If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the Horse when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the processes. So, please try running Rkill until malware is no longer running.

As a matter of fact, if you get messages, it is a sign that the virus is agonizing in excruciating pain, so you can just grin while it is suffering! :)))

Please, DO NOT REBOOT your computer or the processes will come back to haunt you!

Download to your desktop Malwarebyte.

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/

Once on your desktop, we must still outwit the virus.

Right click on the MBAM icon and click on rename. Rename it kioskea.exe.

Install Malwarebyte and launch it. From the second tab, update it.

Pretty please, request a FULL system scan, which should take more than an hour. Once the scan is finished, delete all of the items that were found.
0
debbiewake Posts 10 Registration date Friday April 29, 2011 Status Member Last seen May 4, 2011
May 2, 2011 at 08:01 AM
I have repeated this process multiple times. The first time rkill found nothing and malware found nothing. I rebooted my system and tried again. This time rkill found 9 items but Malware found nothing. I have not rebooted again since this. I ran again a couple of more times and each time rkill finds something but malware does not. The red shield is still showing in my tray and I have seen ask.com pop up again when I used Internet Explorer. What else can I do to get rid of this malicious infection?
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,172
May 2, 2011 at 04:20 PM
Dear Debbie,

I don't think that this Trojan can do much harm at present, as rkill has terminated the evil process. However some files may still exist and you must delete them manually:

1. Uninstall XP Total Security 2011 from Control Panel
Start > Settings > Control Panel > Add/Remove Programs. Double click to uninstall.

2. Delete XP Total Security 2011 registry entries:

To open registry editor click Start > Run > type "regedit".

Please avoid errors; ensure the entries match perfectly. If you don't find an entry, Malwarebyte may have deleted it.

HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = 'exefile'

HKEY_CURRENT_USER\Software\Classes\.exe "Content Type" = 'application/x-msdownload'

HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon "(Default)" = '%1' = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "%1" %*'

HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'

HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "(Default)" = '"%1" %*'

HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'

HKEY_CURRENT_USER\Software\Classes\exefile "(Default)" = 'Application'

HKEY_CURRENT_USER\Software\Classes\exefile "Content Type" = 'application/x-msdownload'

HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon "(Default)" = '%1'

HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "%1" %*'

HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'

HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "(Default)" = '"%1" %*'

HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "IsolatedCommand" = '"%1" %*'

HKEY_CLASSES_ROOT\.exe\DefaultIcon "(Default)" = '%1'

HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "%1" %*'

HKEY_CLASSES_ROOT\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'

HKEY_CLASSES_ROOT\.exe\shell\runas\command "(Default)" = '"%1" %*'

HKEY_CLASSES_ROOT\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'

HKEY_CLASSES_ROOT\exefile "Content Type" = 'application/x-msdownload'

HKEY_CLASSES_ROOT\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'

HKEY_CLASSES_ROOT\exefile\shell\runas\command "IsolatedCommand" = '"%1" %*'

HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "%1" %*'

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"'

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"'

3. Search and delete these XP Total Security 2011 related files:

%AllUsersProfile%\t3e0ilfioi3684m2nt3ps2b6lru
%AppData%\Local\[random].exe
%AppData%\Local\t3e0ilfioi3684m2nt3ps2b6lru
%AppData%\Roaming\Microsoft\Windows\Templates\t3e0ilfioi3684m2nt3ps2b6lru
%Temp%\t3e0ilfioi3684m2nt3ps2b6lru


Let me know when you are done for further security advice.
0
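An added example, not code from this thread or from Kioskea: a small Python audit that parses entries written in the notation used above, flags the per-user exe-class override and any HKEY_CLASSES_ROOT command that no longer reads '"%1" %*', and writes a .reg file that removes the override and restores those defaults. The sample lines and the name abc.exe are constructed; that a clean XP system carries no HKEY_CURRENT_USER\Software\Classes\.exe key is an assumption, stated in the code.

```python
import re

# Clean Windows XP defaults for the machine-wide exe class (HKEY_CLASSES_ROOT).
EXPECTED = {
    (r"HKEY_CLASSES_ROOT\.exe", "(Default)"): "exefile",
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "(Default)"): '"%1" %*',
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "IsolatedCommand"): '"%1" %*',
    (r"HKEY_CLASSES_ROOT\exefile\shell\runas\command", "(Default)"): '"%1" %*',
    (r"HKEY_CLASSES_ROOT\exefile\shell\runas\command", "IsolatedCommand"): '"%1" %*',
}
# Per-user copies of the exe class shadow HKEY_CLASSES_ROOT for that user.
# Assumption: a clean system does not carry them; the rogue creates them.
USER_OVERRIDES = (r"HKEY_CURRENT_USER\Software\Classes\.exe",
                  r"HKEY_CURRENT_USER\Software\Classes\exefile")
# Matches the thread's notation:  KEY "name" = 'value'
LINE_RE = re.compile(r"^(?P<key>HKEY_[A-Z_]+\\\S+)\s+\"(?P<name>[^\"]+)\"\s*=\s*'(?P<value>.*)'\s*$")

# Constructed sample in that notation; abc.exe stands in for the random name.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = 'exefile'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\abc.exe" /START "%1" %*'
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\abc.exe" /START "%1" %*'
HKEY_CLASSES_ROOT\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\.exe "(Default)" = 'exefile'
"""

def parse_entries(text):
    """Return (key, name, value) for every line in the KEY "name" = 'value' form."""
    return [(m["key"], m["name"], m["value"])
            for m in map(LINE_RE.match, text.strip().splitlines()) if m]

def audit(entries):
    """Flag per-user overrides and HKCR values that no longer match the default."""
    findings = []
    for key, name, value in entries:
        if key.startswith(USER_OVERRIDES):
            findings.append((key, name, value, "per-user exe class override"))
        elif (key, name) in EXPECTED and value != EXPECTED[(key, name)]:
            findings.append((key, name, value, "command differs from default"))
    return findings

def reg_quote(s):
    """Escape a value for the .reg file format (backslashes and double quotes)."""
    return s.replace("\\", "\\\\").replace('"', '\\"')

def restore_reg(findings):
    """Build .reg text that deletes the per-user overrides and resets HKCR values."""
    delete, reset = [], {}
    for key, name, _value, reason in findings:
        if reason.startswith("per-user"):
            cls = "\\".join(key.split("\\")[:4])   # the .exe or exefile class key
            if cls not in delete:
                delete.append(cls)
        else:
            reset.setdefault(key, {})[name] = EXPECTED[(key, name)]
    out = ["Windows Registry Editor Version 5.00", ""]
    out += [f"[-{cls}]" for cls in delete]          # leading '-' deletes the key
    for key, values in reset.items():
        out.append(f"[{key}]")
        for name, val in values.items():
            label = "@" if name == "(Default)" else f'"{reg_quote(name)}"'
            out.append(f'{label}="{reg_quote(val)}"')
    return "\n".join(out) + "\n"
```

Run audit(parse_entries(text)) over your own export of these keys and review the .reg text before importing it; the StartMenuInternet entries the thread lists are not covered here.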
debbiewake Posts 10 Registration date Friday April 29, 2011 Status Member Last seen May 4, 2011
May 3, 2011 at 07:40 AM
I think I have made a HUGE mistake. The only things on the list I could delete were:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"'

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"'

But now I can not access the internet without a box that says - Windows cannot open this file.
I tried to reopen registry edit but I get the same message and even when the internet does open at shell.windows.com anything I put in search is hijacked and won't let me go anywhere!
0
debbiewake Posts 10 Registration date Friday April 29, 2011 Status Member Last seen May 4, 2011
May 3, 2011 at 08:40 AM
I can't open anything! Not add/delete programs in control panel, not malware, not Microsoft Word, Excel or any other program. I get the same message.

Windows cannot open this file. To open Windows needs to know what program created it.
Using the web search feature is the only way I can get to the internet at all and I can't Google ANYTHING without being redirected. The only way I can get here is because I have this page bookmarked.
0
debbiewake Posts 10 Registration date Friday April 29, 2011 Status Member Last seen May 4, 2011
May 3, 2011 at 02:50 PM
I use Firefox as my browser but since I couldn't get it open today - I tried Internet Explorer. It opened to ask.com. I closed it immediately.
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,172
May 3, 2011 at 03:20 PM
Looking at the number of infected files, I suspected that Murphy's law could come into play. Your log showed over 300 infected files.

Let's start with the "what program created it".

1. Go to this site:

http://www.dougknox.com/

Download and run the XP, exe files association fix.

2. Go to this Navilog1 site and download the exe files:

http://il.mafioso.pagesperso-orange.fr/Navifix/download.htm

Navilog proceeds in 2 steps. It first looks for infected files and then proposes an automatic or a manual cleansing.

Launch Navilog and choose the language

Accept the license

In the window start now, pick ok

You will get a black window pick the letter e to search for infected files and enter. It will inform you the search is terminated.
Press on any key to go on

Once Navilog is fully installed, type 1 and enter. The search may take 10 minutes.
Press any key to show the report

If you can note down the search "BlackLight Engine/F-Secure"

Double click on the desktop Navilog shortcut and repeat the above except, after the language choice, pick 2 for automatic clean-up. After the clean, your system will be rebooted.

If your system still shows signs of infection, we will start the procedure again but we will do a manual removal...

And this may not be the end of it...remember over 350 infected files.
0
debbiewake Posts 10 Registration date Friday April 29, 2011 Status Member Last seen May 4, 2011
May 4, 2011 at 08:40 AM
I took care of the first problem - association of files - and things seem to be moving along. As for the second part - I went to Navilog and downloaded the exe files, but once I launch it, I choose the language and then I am shown 3 more screens where the only option is "hit any key to continue". Then I get "please wait" and nothing happens. Please wait has been on my screen for over 2 hours.
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,172
May 4, 2011 at 04:47 PM
Well at least we got the program thing fixed.

I wish you would not spend so many hours in front of your screen.

Please, close navilog; use alt+ctrl+del to end the task if necessary.

Now, to recapitulate, do you still have that virus showing?

Can you now access the add/remove program in the control panel ?

If not, Click right on start, and left on Explorer.


Opened: Tools > Folder Options > View tab > Advanced settings: > Checked: SHOW hidden files and folders > Click: OK.

In the left pane, go down to program files, click on it. In the right hand pane see if you can locate XP total security and delete it.

If you don't find it in program files, go to:

c:/documents and settings/all users/application data/10176254 (may be another similar number)
and delete that file. if you see similar files ending with a number delete them also.

If you did find the above, rerun MBAM

Reboot the system.
0