Solved Please help with "XP Security Center" attack

Status
Not open for further replies.

chuck825
Here's the Background on the problem.


Computer: Custom-built (Jan 2006), Intel Celeron CPU 2.53 GHz, 736MB RAM, XP Home SP3

Users: Chuck (admin), Joey (limited), Lucy (limited), Teresa (limited), Guest (limited)

Browsers: IE7, Firefox 3.6.2, Google Chrome 4.1.249.1042 (Chuck only)

Situation:
Lucy was viewing Facebook pages on the afternoon of 03/26/2010 using Firefox when program boxes started opening, warning her about possible virus attacks. She called Chuck, who looked at the boxes which resembled Windows Security Center but referred to "XP Security" and talked about registering and installing updates to cure the attacks. Looked fishy to Chuck, who closed the boxes with the upper-right-corner x close. On another computer, Chuck googled "xp security" and came up with many references to "xp security center" as malware/scareware. The references stated that Malwarebytes' Anti-Malware could fix the problem. Chuck downloaded M-A-M on the problem computer under his admin login, installed it, and ran it, yielding the first M-A-M log attached (mbam-log-2010-03-27...). Chuck logged onto Lucy's account and relaunched Firefox. Again the malware program boxes opened, along with an icon in the system tray similar to that of Windows Security Center, warning of vulnerability to attack. Soon thereafter, AVG9 opened (Resident Shield?) and warned of trojan horses present and being quarantined. Chuck logged off from Lucy's account and left the computer untouched for the rest of the day.

The next morning (03/27/2010) Chuck logged on his admin account, ran AVG9 full scan, which found 2 trojan horses. Chuck moved these to the virus vault, then logged onto Lucy's account and found that none of the programs would start from the quick launch bar (Firefox) nor from the start menu -- the Windows "Open With" program box would launch, listing the selected program's exe file and asking what program to use to open the exe with. Chuck realized that the problem was far from solved (!!!). Chuck shut down the computer and told the other users not to mess with it. However, that evening Teresa apparently used the computer with no problems in her user account. Hence the infection seems to be confined to Lucy's user account.

On 03/28/2010 Chuck followed the 8-step process to yield the attached logfiles. Chuck also transcribed the AVG9 virus vault listings into a txt file, which is also attached for informational purposes.

This thread is being sent now from the problem computer under Chuck's admin user account.

I (Chuck) would appreciate all the help you can offer to clean up this situation. I look forward to your responses. Thanks in advance for your help.
 

Attachments

  • mbam-log-2010-03-27 (07-47-49).txt (937 bytes)
  • AVG9virusvaultcontentslist.txt (850 bytes)
  • mbam-log-2010-03-28 (13-31-39).txt (867 bytes)
  • SUPERAntiSpyware Scan Log - 03-28-2010 - 14-01-12.log (595 bytes)
  • hijackthis.log (6.8 KB)
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.pif
* Rkill.exe

* Double-click on the Rkill desktop icon to run the tool.
* If using Vista or Windows 7 right-click on it and choose Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run then try to immediately run the following.

Now download and run exeHelper.

* Please download exeHelper from Raktor to your desktop.
* Double-click on exeHelper.com to run the fix.
* A black window should pop up, press any key to close once the fix is completed.
* A log file named log.txt will be created in the directory where you ran exeHelper.com
* Attach the log.txt file to your next message.

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
I ran all the recommended processes. Attached are the log files.
 

Attachments

  • ComboFix.txt (17.4 KB)
  • exehelperlog.txt (414 bytes)
  • hijackthis.log (7.1 KB)
  • rkill.log (403 bytes)
Combofix log looks good :)
How is the computer doing?

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Restart computer.

=========================================================================

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

========================================================

Disable your antivirus program.
Go to Kaspersky website and perform an online antivirus scan.

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt before clicking on the Save button. Then post it here.

Post fresh HijackThis log as well.
 
Good morning Broni!

Thanks for your help so far -- we're not there yet!

The Lucy (limited) user account remains unresponsive as described originally. Please note that ALL the actions I have taken to date have been while logged on through the Chuck (admin) user account.

I uninstalled Combofix and ran TFC from the Chuck user account. The Kaspersky online scan has not been able to install after 4 attempts. It scans the computer initially to verify compatibility, enables the Accept button, which I then click, and next goes to the download step. Here it sits for 30-60 seconds, then pops up a warning box with the following message:

"Launch of the Java application is interrupted! Please establish an uninterrupted Internet connection for work with this program."

The Java icon is active in the system tray, and the wireless internet connection is open and stable. AVG9 Resident Shield and Link Scanner are disabled. So far I have left the Kaspersky connection open for 10 minutes at a time following the above message. I have looked in Task Manager while connected, the Applications tab shows Kaspersky running, yet the Processes tab shows System Idle Process at 99%. After I send this message I will repeat this again, and leave it connected until something happens or I receive a reply from you.

Again, thanks for your help. Looking forward to your next reply.
 
Update to my post of earlier this morning (please read it above).

Kaspersky continued to hang while trying to launch in Firefox. I opened IE6 and launched it from there -- and it opened completely! The run took 2+ hours but just finished.

The Kaspersky log and HJT logs are attached.

Again, thanks for your ongoing help.
 

Attachments

  • KapOSscan.txt (914 bytes)
  • hijackthis3.txt (7.2 KB)
Lucy's account may be simply corrupted.
You may need to create a new one.

Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Processes

:Services

:Reg

:Files
C:\Program Files\Activision\Thps3\Skate3.exe
      
:Commands
[purity]
[resethosts]
[emptytemp]
[Reboot]

  • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
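The `[resethosts]` command in the OTM script above overwrites C:\WINDOWS\system32\drivers\etc\hosts with the default, which is the right thing to do but discards the evidence of what the rogue was blocking. The Python below is an added example, not part of the thread or of OTM, showing how a practitioner would audit a hosts file before resetting it: it flags any entry that pins a security-vendor or update domain to some address (scareware commonly does this so that updates and removal tools fail) and lists every other non-loopback mapping for review. The watched-domain list is my choice (the vendors named in this thread plus Windows Update), and both sample files are constructed.

```python
# Added example: audit a Windows hosts file for scareware-style redirects.
# Not from the thread or from OTM; sample files below are constructed.
import ipaddress

# Names the default XP hosts file legitimately maps to loopback.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Domains worth a hard alarm if they appear at all. Chosen for this example from
# the vendors mentioned in the thread plus Windows Update; extend as needed.
WATCHED_DOMAINS = (
    "microsoft.com", "windowsupdate.com", "avg.com", "kaspersky.com",
    "malwarebytes.org", "superantispyware.com", "bleepingcomputer.com",
)


def _matches_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def audit_hosts(text):
    """Return (line_no, severity, reason, original_line) tuples.
    'high'   = a watched security/update domain is pinned to any address;
    'review' = any other non-loopback mapping (may be a legitimate intranet
               entry, but the file is a common hijack target) or a malformed line."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            findings.append((line_no, "review", "malformed entry", raw))
            continue
        addr, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, "review", "unparseable address %r" % addr, raw))
            continue
        for name in names:
            host = name.lower().rstrip(".")
            if host in LOOPBACK_NAMES and ip.is_loopback:
                continue  # the one mapping a default XP hosts file contains
            if any(_matches_domain(host, d) for d in WATCHED_DOMAINS):
                findings.append((line_no, "high", "%s pinned to %s" % (host, ip), raw))
            else:
                findings.append((line_no, "review", "%s -> %s" % (host, ip), raw))
    return findings


# Constructed samples for this example (not the thread's actual hosts file).
DEFAULT_XP_HOSTS = """# default XP hosts file, comments omitted
127.0.0.1       localhost
"""

HIJACKED_HOSTS = """127.0.0.1       localhost
127.0.0.1       www.avg.com
127.0.0.1       malwarebytes.org
10.0.0.5        update.microsoft.com   # constructed: update traffic diverted
192.168.1.20    fileserver             # plausible legitimate intranet entry
"""

if __name__ == "__main__":
    for label, content in (("default", DEFAULT_XP_HOSTS), ("hijacked", HIJACKED_HOSTS)):
        print("==", label)
        for line_no, severity, reason, original in audit_hosts(content):
            print("%3d %-6s %s" % (line_no, severity, reason))
```

Run it against a copy of the hosts file taken before the reset, and keep the output with the other logs; the 'high' lines tell you which vendors' updates were being blocked, which explains symptoms such as scanners that cannot download definitions.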
 
I downloaded OTM, ran it, and it called for a reboot. I rebooted and found the log file, the contents of which are pasted below:

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Program Files\Activision\Thps3\Skate3.exe moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Chuck
->Temp folder emptied: 103068911 bytes
->Temporary Internet Files folder emptied: 498272 bytes
->Java cache emptied: 128130 bytes
->FireFox cache emptied: 16749825 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 434 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Joey
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Lucy
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Teresa
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 102 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 115.00 mb


OTM by OldTimer - Version 3.1.10.1 log created on 03292010_130755

Files moved on Reboot...

Registry entries deleted on Reboot...


((((((( Chuck's comment here ------ nothing follows)))))))
 
Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

  • Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator")
  • Click on the CleanUp! button and follow the prompts.
  • You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
  • After the reboot all the tools we used should be gone.
  • The tool will delete itself once it finishes.

=========================================================================

Disable Windows Defender, as it'll interfere with the cleaning process:
- Open Windows Defender by clicking the Start, clicking All Programs, and then clicking Windows Defender.
- Click Tools
then...

++ Windows XP:
- Click General Settings
- Scroll down to Real Time Protection Options
- Uncheck Turn on Real Time Protection
- After you uncheck this, click on the Save button
- Close Windows Defender

++ Windows Vista:
- Click Options
- Under Administrator options, clear the Use Windows Defender check box, and then click Save.

Enable Windows Defender, when all cleaning is done.

=======================================================================

Print this post out, since you won't have access to it at some point.

1. Open HijackThis.

2. Close all windows, except for HijackThis.

3. Put checkmarks next to the following HijackThis entries:

O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE


4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chuck\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [unless you have paid version]
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [unless you have paid version]


5. Click on Fix checked button.

6. Restart computer.

7. Post new HijackThis log.
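The O4 entries listed in the post above are the kind of thing a helper reads off a HijackThis log by eye. The Python below is an added example, not part of the thread or of HijackThis, that does the same triage mechanically: it parses O4 lines into registry hive, entry name and command, extracts the executable that actually gets launched, and attaches flags a practitioner would want to see (a bare filename resolved through the search path, a program running from a user profile or temp directory, a per-user autorun that affects only one account). The sample input is the set of O4 lines quoted in the post above with the helper's annotations removed; the flags are heuristics, and the Google Update entry shows that legitimate software trips them too.

```python
# Added example: triage O4 (autostart) lines from a HijackThis log.
# Not from the thread or from HijackThis; the heuristics are this example's own.
import re

# "O4 - HKLM\..\Run: [Name] command"  and  "O4 - Global Startup: x.lnk = path"
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<folder>Global Startup|Startup): (?P<name>.*?) = (?P<cmd>.*)$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|pif|scr))(?:\s|$)", re.IGNORECASE)


def executable_of(cmd):
    """Best-effort extraction of the launched file from a Run-key command line:
    a quoted path is taken as-is, otherwise up to the first executable extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def triage_flags(entry):
    exe = entry["exe"].lower()
    flags = []
    if "\\" not in exe:
        flags.append("bare filename: resolved through the search path, easy to shadow")
    if exe.startswith("c:\\documents and settings\\"):
        flags.append("runs from a user profile: writable without admin rights")
    if "\\temp\\" in exe or "\\temporary internet files\\" in exe:
        flags.append("runs from a temp directory")
    if entry["where"].startswith("HKCU"):
        flags.append("per-user autorun: only affects this account")
    return flags


def parse_o4(lines):
    """Return a list of dicts {where, name, cmd, exe, flags} for each O4 line."""
    entries = []
    for line in lines:
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append({"where": "%s\\..\\%s" % (m.group(1), m.group(2)),
                            "name": m.group("name"), "cmd": m.group("cmd")})
            continue
        m = STARTUP_RE.match(line)
        if m:
            entries.append({"where": m.group("folder"),
                            "name": m.group("name"), "cmd": m.group("cmd")})
    for entry in entries:
        entry["exe"] = executable_of(entry["cmd"])
        entry["flags"] = triage_flags(entry)
    return entries


# Sample input: the O4 lines quoted in the post above, helper annotations removed.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chuck\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
""".strip().splitlines()

if __name__ == "__main__":
    for entry in parse_o4(SAMPLE_O4):
        print("%-16s %-22s %s" % (entry["where"], entry["name"], entry["exe"]))
        for flag in entry["flags"]:
            print("    !", flag)
```

Feed it the O4 section of a fresh log (for example `parse_o4(open("hijackthis.log").read().splitlines())`) and read the flagged lines first; an autorun that points into a limited user's profile is exactly where a rogue that could not write to Program Files would install itself.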
 
I ran OTC -- it removed much of the stuff on the desktop, although TFC.exe and Rkill.com still remain. Windows Defender was disabled. Ran Hijack This on Scan Only and placed all the checkmarks you indicated. Clicked on Fix Checked. Restarted the computer, then ran Hijack This again to produce the attached log.
 

Attachments

  • hijackthis4.log (6.2 KB)
Delete rKill. Keep TFC and run it weekly.


Your computer is clean

1. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please let me know how your computer is doing.
 
Thanks for all your efforts to clean up my computer.

Unfortunately, the Lucy account is still messed up. No applications can launch from shortcuts nor from the start menu.

Earlier you mentioned that the account could be corrupted and might need to be eliminated. I can do that, but my question is this: Do you foresee any problems with me recovering the files in her My Documents folder and from her Desktop before the account is eliminated?
 
Thanks for the link -- it made the process much easier. The "new" Lucy account is set up with everything from the old. Now Lucy needs to read and heed the bleepingcomputer guidelines.

I believe we're done. Again, thanks jillions for all your help.
 