TechSpot

Antivirus XP

By tommy2k8
Aug 18, 2008
  1. Yesterday, a client of mine rang me and said he's clicked on the greeting card email - the scam that's going round at the moment, and he clicked on the link. Needless to say, AntiVirus XP downloaded itself, and the fake antivirus program popped up with 672 fake 'infections' found. This then tries to dial-up (he uses a SpeedTouch 330) every two minutes. I tried to remove it by following the instructions on 2-spyware.com, so I went into Safe Mode.
    The mouse refused to work (it's a wireless mouse) when attempting to go into Safe Mode, so I installed a USB mouse, and even that didn't work.
    Is this a side-effect of Antivirus XP?
     
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Yes it can be
    And unless you are very good with keyboard commands (which can be fully utilized)
    You may need to plug in a PS2 Mouse

    You can also remove the internal HardDrive, and mount it in another computer (swapping out the CD/DVD Drive cable) and scan from there.

    If you do get the mouse to work follow the New Preliminary Removal Instructions , and attach the requested logs:

    1) Malwarebytes Anti Malware log
    2) SuperAntiSpyware log
    3) Hijackthis log
     
  3. tommy2k8

    tommy2k8 TS Rookie Topic Starter Posts: 70

    No ps2 ports!

    Unfortunately, his computer doesn't have any ps/2 ports!

    I tried a Windows Repair, but even with the Windows XP SP2 in, it says it cannot find 'asms'? Nor can I!
    I can't do what Microsoft say either as I can't access the Registry! Or can I, from the Recovery Console?

    I'm running out of ideas!
     
  4. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    Hey sorry kim I want to see a HJT log

    • Click here to download HJTsetup.exe
    • Save HJTsetup.exe to your desktop.
    • Double-click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
    • Come back here to this thread and attach the log in txt format in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  5. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Yes and whilst you're at it, use the axe to break the lock on the shed to get the axe out !

    As for registry scan outside Windows, I put a lot of research into this a while back. After many hours spent on how to do it, I found out that it's not worth it!

    Scan as a Slave (in another computer)
    Remount back to master (back again)
    Hopefully you will then be able to start Windows with mouse support

    Otherwise backup (whilst mounted as Slave)
    And then install Windows Clean (Hdd back again :) )
    Or learn all the keyboard shortcuts
     
  6. patrick713

    patrick713 TS Rookie Posts: 56

    :haha: ok, i had to laugh at that one.....
     
  7. tommy2k8

    tommy2k8 TS Rookie Topic Starter Posts: 70

    It turns out that the virus did wipe out the mouse. But I managed to repair it by copying the files from the i36 folder.
    Now I've got the system up again, it's time to attack!

    I managed to get the USB back, and I ran a Windows Malicious Software Removal Tool, which found nothing. However, while it was scanning I got four BSODs:

    PAGE_FAULT_IN_NONPAGED_AREA

    GUS_DRIVER

    NIX_STACK_SWITCH

    SYSINTERNALS_GREAT_SITE

    I cannot find the minidump folder either!
     
  8. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    can you run hijackthis from above and attach a log
     
  9. tommy2k8

    tommy2k8 TS Rookie Topic Starter Posts: 70

    I'll do that tomorrow when I resume work on it

    Sorry for the delay in replying; I've been ill.

    First of all, here is the MalWareBytes AntiMalware Log:

    Malwarebytes' Anti-Malware 1.25
    Database version: 1071
    Windows 5.1.2600 Service Pack 2

    14:33:37 20/08/2008
    mbam-log-08-20-2008 (14-32-41).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 103459
    Time elapsed: 1 hour(s), 7 minute(s), 27 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 5
    Registry Data Items Infected: 0
    Folders Infected: 14
    Files Infected: 11

    Memory Processes Infected:
    C:\WINDOWS\system32\blphcjmjj0el85.scr (Trojan.FakeAlert) -> No action taken.

    Memory Modules Infected:
    (No malicious items detected)

    Moderator Edit:
    Pasted logs removed
    You must attach the logs


    After that I took action, after which the log was clean, but I forgot to save that one! and as I'm not at my client's house now, I can't take one!


    rdable answer is a rebuild

    Here is the AntiSpyware Log

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 08/20/2008 at 04:58 PM

    Application Version : 4.15.1000

    Core Rules Database Version : 3541
    Trace Rules Database Version: 1530

    Scan type : Quick Scan
    Total Scan Time : 00:20:04

    Memory items scanned : 376
    Memory threats detected : 0
    Registry items scanned : 429
    Registry threats detected : 0
    File items scanned : 8835
    File threats detected : 0

    Moderator Edit:
    Pasted logs removed
    You must attach the logs


    Here is the HiJack This log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:24:57, on 20/08/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Moderator Edit:
    Pasted logs removed
    You must attach the logs



    Another problem has arisen now. After all those scans, and deleting the files, I rebooted. Everything was fine, until I did a Windows Update, after which it wouldn't start up properly. I did a Repair which worked fine. Then it wouldn't recognise the CD drive, so I followed a procedure from Microsoft, rebooted, then it recognised it again.
    On Sunday night, John turned it off, and it said it was installing an update on shut down (the same update it had installed twice before) and on Monday morning it just crashed on the initial loading screen again.

    I think it is going to be quicker, and more affordable for him, for me to do a rebuild.
     
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    The key word in that post was: attach !! (i.e. using the paperclip symbol)
    Not to worry, us Techs have argued this point before, new members not "attaching" their logs (some users just miss this part, and no one has worked out how to make it clearer)

    Anyway the HJT Log
    I'm no expert on HJT logs (in actual fact xxdanielxx would be ideal here, but because I ridiculed him, he might not reply here!)

    This one:
    O4 - HKLM\..\Run: [SMrhcnmjj0el85] C:\Program Files\rhcnmjj0el85\rhcnmjj0el85.exe
    You stated was actually fixed by Malwarebytes
    But it still shows in your log (running!!)

    I think you are best to do another (updated) scan with Malwarebytes, except this time fix everything found
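
The kind of check described in the post above, as an added example that is not part of the original thread: it parses HijackThis `O4` registry autorun lines and flags entries shaped like the one quoted. The sample log is constructed (only the first line comes from the thread), and the "random-looking" heuristic and all function names are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: first line is the entry quoted in the thread,
# the other two are made-up benign entries for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SMrhcnmjj0el85] C:\Program Files\rhcnmjj0el85\rhcnmjj0el85.exe
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example Vendor\updater.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')

def parse_o4(log_text):
    """Yield (hive, key, value_name, exe_path) for each registry autorun line."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m["cmd"]
        if cmd.startswith('"'):          # quoted path: ends at the closing quote
            path = cmd[1:].split('"', 1)[0]
        else:                            # unquoted: cut after the first executable extension
            ext = re.search(r'\.(exe|scr|com|bat|dll)\b', cmd, re.I)
            path = cmd[:ext.end()] if ext else cmd
        yield m["hive"], m["key"], m["name"], PureWindowsPath(path)

def looks_random(token):
    """Assumed heuristic: 8+ chars, letters and digits mixed, under 25% vowels."""
    t = token.lower()
    if len(t) < 8 or not (re.search(r'[a-z]', t) and re.search(r'\d', t)):
        return False
    letters = [c for c in t if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.25

def reasons(name, path):
    """List why an autorun entry deserves a closer look (empty list if none)."""
    stem, folder = path.stem.lower(), path.parent.name.lower()
    out = []
    if looks_random(stem):
        out.append("random-looking file name")
        if stem in name.lower():
            out.append("value name embeds the same token")
    if stem == folder:
        out.append("folder named after the executable")
    return out

def triage(log_text):
    """Map Run value name -> reasons, for entries with at least one reason."""
    return {name: r for _, _, name, path in parse_o4(log_text) if (r := reasons(name, path))}
```

A flagged entry that survives a cleanup scan and a reboot means the autorun is still registered, so the scan needs repeating with the findings actually removed.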
     
  11. tommy2k8

    tommy2k8 TS Rookie Topic Starter Posts: 70

    Logs

    I did another Hijack This! when I finished doing a MalwareBytes scan when I took action. However, I didn't save a copy of that one!
     
  12. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    So it's now ok?
     
  13. tommy2k8

    tommy2k8 TS Rookie Topic Starter Posts: 70

    For a couple of days it was okay, til this happened

    Another problem has arisen now. After all those scans, and deleting the files, I rebooted. Everything was fine, until I did a Windows Update, after which it wouldn't start up properly. I did a Repair which worked fine. Then it wouldn't recognise the CD drive, so I followed a procedure from Microsoft, rebooted, then it recognised it again.
    On Sunday night, John turned it off, and it said it was installing an update on shut down (the same update it had installed twice before) and on Monday morning it just crashed on the initial loading screen again.

    I think it is going to be quicker, and more affordable for him, for me to do a rebuild.

    like I said before

    Before it crashed, scans were clean

    I wonder whether it is the Update that's causing the problem, and if I should do another Repair
     
Topic Status:
Not open for further replies.