Antivirus XP

Status
Not open for further replies.

tommy2k8

Yesterday, a client of mine rang me and said he's clicked on the greeting card email - the scam that's going round at the moment, and he clicked on the link. Needless to say, AntiVirus XP downloaded itself, and the fake antivirus program popped up with 672 fake 'infections' found. This then tries to dial-up (he uses a SpeedTouch 330) every two minutes. I tried to remove it by following the instructions on 2-spyware.com, so I went into Safe Mode.
The mouse refused to work (it's a wireless mouse) when attempting to go into Safe Mode, so I installed a USB mouse, and even that didn't work.
Is this a side-effect of Antivirus XP?
 
Yes, it can be.
And unless you are very good with keyboard commands (which can be fully utilized),
you may need to plug in a PS/2 mouse.

You can also remove the internal HardDrive, and mount it in another computer (swapping out the CD/DVD Drive cable) and scan from there.

If you do get the mouse to work follow the New Preliminary Removal Instructions , and attach the requested logs:

1) Malwarebytes Anti Malware log
2) SuperAntiSpyware log
3) Hijackthis log
 
No PS/2 ports!

Unfortunately, his computer doesn't have any PS/2 ports!

I tried a Windows Repair, but (even with the Windows XP SP2 in) it says it cannot find 'asms'? Nor can I!
I can't do what Microsoft says either, as I can't access the Registry! Or can I, from the Recovery Console?

I'm running out of ideas!
 
Hey, sorry kim, I want to see a HJT log

* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Come back here to this thread and Attach the log in txt format in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 
Doubleclick on the HJTsetup.exe
Yes and whilst you're at it, use the axe to break the lock on the shed to get the axe out !

As for registry scan outside Windows, I put a lot of research into this a while back. After many hours spent on how to do it, I found out that it's not worth it!

Scan as a Slave (in another computer)
Remount back to master (back again)
Hopefully you will then be able to start Windows with mouse support

Otherwise backup (whilst mounted as Slave)
And then install Windows Clean (Hdd back again :) )
Or learn all the keyboard shortcuts
 
It turns out that the virus did wipe out the mouse. But I managed to repair it by copying the files from the i386 folder.
Now I've got the system up again, it's time to attack!

I managed to get the USB back, and I ran the Windows Malicious Software Removal Tool, which found nothing. However, while it was scanning I got four BSODs:

PAGE_FAULT_IN_NONPAGED_AREA

GUS_DRIVER

NIX_STACK_SWITCH

SYSINTERNALS_GREAT_SITE

I cannot find the minidump folder either!
 
I'll do that tomorrow when I resume work on it

Sorry for the delay in replying; I've been ill.

First of all, here is the MalWareBytes AntiMalware Log:

Malwarebytes' Anti-Malware 1.25
Database version: 1071
Windows 5.1.2600 Service Pack 2

14:33:37 20/08/2008
mbam-log-08-20-2008 (14-32-41).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 103459
Time elapsed: 1 hour(s), 7 minute(s), 27 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 14
Files Infected: 11

Memory Processes Infected:
C:\WINDOWS\system32\blphcjmjj0el85.scr (Trojan.FakeAlert) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Moderator Edit:
Pasted logs removed
You must attach the logs


After that I took action, after which the log was clean, but I forgot to save that one! And as I'm not at my client's house now, I can't take one!


rdable answer is a rebuild

Here is the AntiSpyware Log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/20/2008 at 04:58 PM

Application Version : 4.15.1000

Core Rules Database Version : 3541
Trace Rules Database Version: 1530

Scan type : Quick Scan
Total Scan Time : 00:20:04

Memory items scanned : 376
Memory threats detected : 0
Registry items scanned : 429
Registry threats detected : 0
File items scanned : 8835
File threats detected : 0

Moderator Edit:
Pasted logs removed
You must attach the logs


Here is the HiJack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:57, on 20/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Moderator Edit:
Pasted logs removed
You must attach the logs



Another problem has arisen now. After all those scans, and deleting the files, I rebooted. Everything was fine, until I did a Windows Update, after which it wouldn't start up properly. I did a Repair which worked fine. Then it wouldn't recognise the CD drive, so I followed a procedure from Microsoft, rebooted, then it recognised it again.
On Sunday night, John turned it off, and it said it was installing an update on shut down (the same update it had installed twice before) and on Monday morning it just crashed on the initial loading screen again.

I think it is going to be quicker, and more affordable for him, for me to do a rebuild.
 
If you do get the mouse to work follow the New Preliminary Removal Instructions , and attach the requested logs:

1) Malwarebytes Anti Malware log
2) SuperAntiSpyware log
3) Hijackthis log

The key word in that post was: attach!! (i.e. using the paperclip symbol)

Not to worry, us Techs have argued this point before, new members not "attaching" their logs (some users just miss this part, and no one has worked out how to make it clearer)

Anyway the HJT Log
I'm no expert on HJT logs (in actual fact xxdanielxx would be ideal here, but because I ridiculed him, he might not reply here!)

This one:
O4 - HKLM\..\Run: [SMrhcnmjj0el85] C:\Program Files\rhcnmjj0el85\rhcnmjj0el85.exe
You stated was actually fixed by Malwarebytes
But it still shows in your log (running!!)

I think you are best to do another (updated) scan with Malwarebytes, except this time fix everything found
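The check being made here (an O4 Run entry that Malwarebytes reported as fixed but that still appears in the HijackThis log) and the "No action taken" lines in the Malwarebytes log pasted earlier in the thread are both things a technician can verify mechanically before deciding the machine is clean. The script below is an added example, not part of this thread and not code from Malwarebytes or HijackThis. It parses Malwarebytes item lines and HijackThis O4 lines from constructed sample text (the two malicious paths are the ones quoted in the thread; the benign entries and the "Files Infected" section are made up) and reports autorun entries that point at a file Malwarebytes flagged, or that use the same random letters-and-digits name for both the folder and the executable. That last rule is a heuristic assumed for this example, not a documented detection rule of either tool.

```python
"""Cross-check HijackThis O4 autorun entries against a Malwarebytes log."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input. The two malicious paths are the ones quoted in
# the thread; the benign entries and the "Files Infected" section are made up.
MBAM_LOG = r"""
Memory Processes Infected:
C:\WINDOWS\system32\blphcjmjj0el85.scr (Trojan.FakeAlert) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\rhcnmjj0el85\rhcnmjj0el85.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

HJT_LOG = r"""
O4 - HKLM\..\Run: [SMrhcnmjj0el85] C:\Program Files\rhcnmjj0el85\rhcnmjj0el85.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\SMTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# "<path> (<detection>) -> <action>."  (item lines in a Malwarebytes 1.x log)
MBAM_ITEM = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?\s*$")
# "O4 - HKLM\..\Run: [value name] command"  (HijackThis registry autorun lines)
HJT_O4 = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[A-Za-z]+): \[(?P<value>[^\]]*)\] (?P<command>.+)$")
# Leading program path inside the command, with or without quotes and arguments
EXE_IN_COMMAND = re.compile(
    r'^"?(?P<exe>[A-Za-z]:\\.*?\.(?:exe|scr|com|bat|dll))"?(?:\s.*)?$', re.IGNORECASE)


@dataclass
class MbamItem:
    path: str
    detection: str
    action: str


@dataclass
class O4Entry:
    hive: str
    key: str
    value_name: str
    command: str
    exe_path: Optional[str]


@dataclass
class Finding:
    entry: O4Entry
    reasons: List[str]


def parse_mbam_items(text: str) -> List[MbamItem]:
    """Return every detected item; section headers and filler lines are skipped."""
    items = []
    for line in text.splitlines():
        m = MBAM_ITEM.match(line.strip())
        if m:
            items.append(MbamItem(m["path"], m["detection"], m["action"]))
    return items


def not_actioned(items: List[MbamItem]) -> List[MbamItem]:
    """Items the scanner found but did not remove (the log was saved before 'Remove Selected')."""
    return [i for i in items if i.action.lower().startswith("no action")]


def parse_hjt_o4(text: str) -> List[O4Entry]:
    """Return registry Run/RunOnce entries from a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = HJT_O4.match(line.strip())
        if not m:
            continue
        e = EXE_IN_COMMAND.match(m["command"])
        entries.append(O4Entry(m["hive"], m["key"], m["value"], m["command"],
                               e["exe"] if e else None))
    return entries


def is_random_pair(exe_path: str) -> bool:
    # Heuristic assumed for this example: the rogue in the thread installs into a
    # folder named exactly like its executable, both a random mix of letters and
    # digits. Legitimate installers rarely do both.
    stem = ntpath.splitext(ntpath.basename(exe_path))[0]
    parent = ntpath.basename(ntpath.dirname(exe_path))
    return (len(stem) >= 8 and stem.lower() == parent.lower()
            and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem))


def cross_check(items: List[MbamItem], entries: List[O4Entry]) -> List[Finding]:
    """Flag autorun entries whose target Malwarebytes reported, or that look rogue-named."""
    by_path: Dict[str, MbamItem] = {i.path.lower(): i for i in items}
    findings = []
    for entry in entries:
        if not entry.exe_path:
            continue
        reasons = []
        hit = by_path.get(entry.exe_path.lower())
        if hit and hit.action.lower().startswith("no action"):
            reasons.append(f"flagged as {hit.detection} but no action taken")
        elif hit:
            reasons.append(f"reported removed ({hit.action}) but still registered to run")
        if is_random_pair(entry.exe_path):
            reasons.append("random-looking folder/executable name pair")
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


if __name__ == "__main__":
    mbam = parse_mbam_items(MBAM_LOG)
    for item in not_actioned(mbam):
        print(f"NOT REMOVED: {item.path} ({item.detection})")
    for f in cross_check(mbam, parse_hjt_o4(HJT_LOG)):
        print(f"SUSPECT O4: {f.entry.hive}\\..\\{f.entry.key} [{f.entry.value_name}] "
              f"{f.entry.exe_path}: " + "; ".join(f.reasons))
```

Run against a fresh HijackThis log taken after the cleanup, the first branch of the report catches the situation above: a file the removal tool claims to have deleted yet still sits in a Run key, which is the cue to rescan with everything selected rather than trust the earlier log.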
 
Logs

I did another Hijack This! when I finished doing a MalwareBytes scan when I took action. However, I didn't save a copy of that one!
 
For a couple of days it was okay, till this happened

Another problem has arisen now. After all those scans, and deleting the files, I rebooted. Everything was fine, until I did a Windows Update, after which it wouldn't start up properly. I did a Repair which worked fine. Then it wouldn't recognise the CD drive, so I followed a procedure from Microsoft, rebooted, then it recognised it again.
On Sunday night, John turned it off, and it said it was installing an update on shut down (the same update it had installed twice before) and on Monday morning it just crashed on the initial loading screen again.

I think it is going to be quicker, and more affordable for him, for me to do a rebuild.

Like I said before

Before it crashed, scans were clean

I wonder whether it is the Update that's causing the problem, and if I should do another Repair
 