TechSpot

Xpantivirus2012/systemfix malware on xp

By tonightXtheXsky
Dec 3, 2011
  1. I picked up XPAntivirus2012 initially (I think?), which was causing Google redirects and constant pop-ups, then something called System Fix ate my Start Menu and desktop icons. I managed to get access to my Task Manager back, along with the ability to download, but some .exe's still won't run and the majority of everything is still missing.
    Also I was having issues with BSOD (STOP: c000021a fatal system error the windows logon process system terminated unexpectedly with a status of: 0xc0000005) during shutdown and occasionally during startup.
    And I can't get DDS to complete its scan without the system freezing up, but I finished the other two.

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8289

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/2/2011 5:44:12 AM
    mbam-log-2011-12-02 (05-44-12).txt

    Scan type: Full scan (C:\|E:\|)
    Objects scanned: 113113
    Time elapsed: 1 hour(s), 59 minute(s), 28 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 2
    Registry Keys Infected: 17
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    c:\WINDOWS\system32\sqlcsw32.dll (Trojan.Dropper) -> Delete on reboot.
    c:\program files\arcadeweb\arcadeweb32.dll (Adware.ArcadeWeb) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{78919608-B066-4B5A-B248-38E12A783E05} (Adware.ArcadeWeb) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{9F531FB1-7C1F-4e1a-8C0C-E8D6177130E2} (Adware.ArcadeWeb) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{2A04A1D0-1969-400e-A53C-6A5433A4B658} (Adware.ArcadeWeb) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{21C1577D-B190-4F9D-8034-F26DE5F9F3C2} (Adware.ArcadeWeb) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AWGames.Addon.1 (Adware.ArcadeWeb) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AWGames.Addon (Adware.ArcadeWeb) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9F531FB1-7C1F-4E1A-8C0C-E8D6177130E2} (Adware.ArcadeWeb) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{9F531FB1-7C1F-4E1A-8C0C-E8D6177130E2} (Adware.ArcadeWeb) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9F531FB1-7C1F-4E1A-8C0C-E8D6177130E2} (Adware.ArcadeWeb) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{A670E878-A272-443D-BD19-ED0A9BFD3FD8} (Adware.ArcadeWeb) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{5F280841-8023-4BE6-9A4F-184D3E79A785} (Adware.ArcadeWeb) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\ExplorerPlugin.Extension.1 (Adware.ArcadeWeb) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\ExplorerPlugin.Extension (Adware.ArcadeWeb) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{78919608-B066-4B5A-B248-38E12A783E05} (Adware.ArcadeWeb) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{78919608-B066-4B5A-B248-38E12A783E05} (Adware.ArcadeWeb) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrayIcRun (Adware.ArcadeWeb) -> Value: TrayIcRun -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\system32\sqlcsw32.dll (Trojan.Dropper) -> Delete on reboot.
    c:\program files\arcadeweb\arcadeweb32.dll (Adware.ArcadeWeb) -> Delete on reboot.
     
  2. tonightXtheXsky

    tonightXtheXsky TS Rookie Topic Starter

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-12-03 05:32:21
    Windows 5.1.2600 Service Pack 3
    Running: szwgq8o5.exe; Driver: C:\DOCUME~1\shawn\LOCALS~1\Temp\pxtdipow.sys


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesProcessed 784
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesSuccessful 551
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

    ---- Files - GMER 1.0.15 ----

    File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS00785.log 0 bytes
    File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS00786.log 0 bytes
    File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS00784.log 0 bytes
    File C:\WINDOWS\$NtUninstallKB304$\264730249 0 bytes
    File C:\WINDOWS\$NtUninstallKB304$\609887594 0 bytes
    File C:\WINDOWS\$NtUninstallKB304$\609887594\@ 2048 bytes
    File C:\WINDOWS\$NtUninstallKB304$\609887594\bckfg.tmp 803 bytes
    File C:\WINDOWS\$NtUninstallKB304$\609887594\cfg.ini 208 bytes
    File C:\WINDOWS\$NtUninstallKB304$\609887594\Desktop.ini 4608 bytes
    File C:\WINDOWS\$NtUninstallKB304$\609887594\keywords 198 bytes
    File C:\WINDOWS\$NtUninstallKB304$\609887594\kwrd.dll 223744 bytes
    File C:\WINDOWS\$NtUninstallKB304$\609887594\L 0 bytes
    File C:\WINDOWS\$NtUninstallKB304$\609887594\L\dzvnsowr 75264 bytes
    File C:\WINDOWS\$NtUninstallKB304$\609887594\lsflt7.ver 5175 bytes
    File C:\WINDOWS\$NtUninstallKB304$\609887594\U 0 bytes
    File C:\WINDOWS\$NtUninstallKB304$\609887594\U\00000001.@ 1536 bytes
    File C:\WINDOWS\$NtUninstallKB304$\609887594\U\00000002.@ 224768 bytes
    File C:\WINDOWS\$NtUninstallKB304$\609887594\U\00000004.@ 1024 bytes
    File C:\WINDOWS\$NtUninstallKB304$\609887594\U\80000000.@ 1024 bytes
    File C:\WINDOWS\$NtUninstallKB304$\609887594\U\80000004.@ 12800 bytes
    File C:\WINDOWS\$NtUninstallKB304$\609887594\U\80000032.@ 98304 bytes

    ---- EOF - GMER 1.0.15 ----
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll be glad to help with the malware, but I don't have enough information yet.

    Most of the entries removed in Mbam came from the program ArcadeWeb. I suggest that you uninstall this program if it's on the system.
    ================================================
    This infection is classified as a rogue anti-spyware program because it uses false security alerts and fake scan results to try and trick you into thinking that your computer is infected so that you will then purchase it. It scans then goes on to display a variety of fake security alerts and warnings that are designed to make you think your computer has a serious security problem.
    ==============================================
    Please do the following to help you run other programs:
    Download Unhide.exe and save to the desktop.
    • Double-click on Unhide.exe icon to run the program.
    • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
    Note: This will help bring 'missing' programs, files, etc. out of hiding, but it does not remove the malware itself, so please continue. If this will not run in Normal Mode, please include it right after you boot into Safe Mode.
    =========================================
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, using your up/down arrows to reach it and then press ENTER.
    ======================================
    This infection may change your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software, so we will first need to fix this. Launch Internet Explorer:
    • Access Internet Options through Tools> Connections tab
    • Click on the Lan Settings at the bottom
    • Proxy Server section> uncheck the box labeled 'Use a proxy server for your LAN'.
    • Then click on OK> and OK again to close Internet Options.
    ===============================
    This malware frequently comes with the TDSS rootkit, so do the following:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
      Save the log and paste in next reply.
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ====================================
    If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again
    ====================================
    To end the processes that belong to the rogue program:
    Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 3 different versions. If one of them won't run then download and try to run the other one. (Vista and Win7 users need to right click Rkill and choose Run as Administrator)

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • If the tool does not run from any of the links provided, please let me know.
    Do not reboot until instructed, as it will start the malware again.
    ==================================
    You will run another scan with Mbam. Update it, then go to the Scanner tab and select Perform Full Scan.
    Click on the Scan button.


    When scan has finished, you will see this image:
    [IMG]
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    ========================================
    Do not reboot yet
    =====================================
    Please try the DDS scan again. It should run now and has entry/process information from your system which I need to help you.
    =======================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
    Please include log from the following in your next reply.
    TDSSKiller
    RKill
    New Malwarebytes
    2 logs from DDS
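The helper's steps above touch four places on the machine: the Internet Explorer proxy setting the rogue may have flipped, the AppInit_DLLs value that GMER listed, the Run key that Mbam cleaned (TrayIcRun), and the hidden attribute that System Fix sets on the user's files. The script below is an added, read-only triage example; it is not from the thread, not from Bobbye, and not part of Unhide, TDSSKiller, Rkill or Malwarebytes. It assumes PowerShell 2.0 has been installed on the XP SP3 machine (it is not present by default), and it changes nothing, so the actual repair still follows the helper's steps.

```powershell
# Added example (not from the TechSpot thread). Read-only triage of the
# locations the thread's logs and instructions refer to. Written for
# PowerShell 2.0, the last version available on Windows XP SP3 (assumption:
# it has been installed). Nothing here modifies the system.

function Get-IeProxyState {
    # HKCU Internet Settings is where IE's "Use a proxy server for your LAN"
    # checkbox (Tools > Internet Options > Connections > LAN Settings) lives.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ProxyEnable   = [int]$p.ProxyEnable        # 1 = checkbox ticked
        ProxyServer   = [string]$p.ProxyServer     # host:port IE will send traffic through
        AutoConfigURL = [string]$p.AutoConfigURL   # PAC script, a second way to redirect traffic
    }
}

function Get-AppInitDlls {
    # Same value GMER reported as Windows@AppInit_DLLs. With LoadAppInit_DLLs=1,
    # every DLL listed here is loaded into every process that links user32.dll,
    # so an unexpected path in it deserves a look.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $w = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        LoadAppInit_DLLs = [int]$w.LoadAppInit_DLLs
        AppInit_DLLs     = [string]$w.AppInit_DLLs
    }
}

function Get-RunEntries {
    # Per-machine and per-user Run keys (Mbam removed HKLM\...\Run\TrayIcRun).
    # PowerShell adds its own PS* note properties to the result; skip those.
    $meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($props -eq $null) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ($meta -contains $prop.Name) { continue }
            New-Object PSObject -Property @{
                Key     = $k
                Name    = $prop.Name
                Command = [string]$prop.Value
            }
        }
    }
}

function Get-HiddenUserItems {
    # Items under the profile carrying +H but not +S. Windows' own hidden
    # files (desktop.ini, ntuser.dat) are normally hidden+system, so +H alone
    # is a rough first filter for things a rogue hid, not proof. Unhide.exe,
    # from the helper's instructions, is what actually clears the attribute.
    param([string]$Root = $env:USERPROFILE)
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
            -not ($_.Attributes -band [IO.FileAttributes]::System)
        }
}

function Invoke-RogueTriage {
    $proxy   = Get-IeProxyState
    $appinit = Get-AppInitDlls
    $run     = @(Get-RunEntries)
    $hidden  = @(Get-HiddenUserItems)

    Write-Host ("IE proxy: enable={0} server='{1}' pac='{2}'" -f `
        $proxy.ProxyEnable, $proxy.ProxyServer, $proxy.AutoConfigURL)
    if ($proxy.ProxyEnable -eq 1) {
        Write-Host "  -> a proxy is set; the LAN Settings step in the thread clears it"
    }
    Write-Host ("AppInit_DLLs: load={0} value='{1}'" -f `
        $appinit.LoadAppInit_DLLs, $appinit.AppInit_DLLs)
    Write-Host ("Run entries: {0}" -f $run.Count)
    foreach ($r in $run) { Write-Host ("  {0}\{1} = {2}" -f $r.Key, $r.Name, $r.Command) }
    Write-Host ("Hidden (+H, not +S) items under {0}: {1}" -f $env:USERPROFILE, $hidden.Count)
    $hidden | Select-Object -First 20 | ForEach-Object { Write-Host ("  {0}" -f $_.FullName) }
}

Invoke-RogueTriage
```

Run it from a PowerShell prompt as the affected user (the proxy and HKCU Run values are per-user, so running it as a different account would miss them). A non-zero ProxyEnable pointing at a local address, a DLL in AppInit_DLLs that no installed product accounts for, or a Run entry with a random-looking name and a path under the profile or Temp are the findings worth pasting into a reply alongside the logs the helper asked for.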
     