xryckaxx Posted March 18, 2010 ID:216542 Share Posted March 18, 2010 Hello. i need help. my pc was infected by fake virus "xp security" i think i deleted it. but now i have same virus called "xp defender" everything is same as "xp security" and process in task manager ave.exe but name changed to "xp defender" i cant update any antivirus and malwarebytes. i think its cause Virus. I tried everything to update this. i need help please :) Link to post Share on other sites More sharing options...
noknojon Posted March 18, 2010 ID:216550 Share Posted March 18, 2010 Hi -This topic lists removal details for PC Defender (a similar infection) - Your screen seems to show the program has not been updated for some time - Try this first and then I will add more if you are not able to remove the infection -Thank You - EDIT - Try these steps next Please do the following to see if it corrects it:Step 1: Verify Internet Connectivity of Internet Explorer:Backup the Registry:Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.Please download ERUNT from hereERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.Double click on erunt-setup.exe to Install ERUNT by following the prompts.Use the default install settings but say NO to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process. Choose a location for the backup. Note: the default location is C:\Windows\ERDNT which is acceptable.[*]Make sure that at least the first two check boxes are selected.[*]Click on OK[*]Then click on YES to create the folder.Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exeOnce you've done your backup, please do the following:Click on Start and select RunIn the Run box copy and paste the text in the following code box exactly as written and press Enter or click on OK:REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v GlobalUserOffline /t REG_DWORD /d 0 /fTry updating again and if it does not work then please proceed to Step 2Step 2: Exclude Malwarebytes' Anti-Malware's Files and Folders From Other Active Security Programs:For Windows XP:C:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeC:\Program Files\Malwarebytes' Anti-Malware\zlib.dllC:\Program Files\Malwarebytes' Anti-Malware\mbam.dllC:\Program Files\Malwarebytes' Anti-Malware\mbamext.dllC:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.refC:\Windows\System32\drivers\mbam.sysC:\Windows\System32\drivers\mbamswissarmy.sysFor Windows Vista or Windows 7:C:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeC:\Program Files\Malwarebytes' Anti-Malware\zlib.dllC:\Program Files\Malwarebytes' Anti-Malware\mbam.dllC:\Program Files\Malwarebytes' Anti-Malware\mbamext.dllC:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\rules.refC:\Windows\System32\drivers\mbam.sysC:\Windows\System32\drivers\mbamswissarmy.sysFor 64 bit versions of Windows Vista or Windows 7:C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\zlib.dllC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.dllC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamext.dllC:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\rules.refC:\Windows\System32\drivers\mbam.sysC:\Windows\SysWoW64\drivers\mbamswissarmy.sysNote: If using a software firewall besides the built in Windows Firewall you'll need to exclude them from it as wellThis FAQ area contains examples of setting file exclusions for some known AV products. Now try updating Malwarebytes' Anti-Malware once more and if it does not work then please proceed to Step 3Step 3: Verify Your Internet Connection Settings:Open Internet Explorer Note: It MUST be Internet Explorer, not Firefox, Opera, Chrome or any other internet browser[*]Click on Tools at the top and select Internet Options Note: If you do not see Tools, press the Alt key on your keyboard and it will show up[*]Click on the Connections tab[*]Click on the LAN settings button[*]Under Automatic configuration make sure that the box next to Automatically detect settings is checked, if it is not, then click the box next to it to check it[*]Under Proxy server make sure that the box next to Use a proxy server for your LAN (These settings will not apply to dial-up or VPN connections). is not checked and if it is, click the box next to it to uncheck it[*]Click on the OK button to close the Local Area Network (LAN) Settings window[*]Click on the OK button to close the Internet Options window[*]Try updating Malwarebytes' Anti-Malware again to see if it now works correctly -THIS will show you the last steps - Link to post Share on other sites More sharing options...
xryckaxx Posted March 18, 2010 Author ID:216555 Share Posted March 18, 2010 that virus looks like http://www.removevirus.org/images/xp-inter...curity-2010.jpg but name is xp defender. only name changed.REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v GlobalUserOffline /t REG_DWORD /d 0 /fthis says operation complete sucefully but it dissapears fast. update isint working Link to post Share on other sites More sharing options...
noknojon Posted March 18, 2010 ID:216556 Share Posted March 18, 2010 The code is only a "flash code" -This topic covers the 2010 infection - It is noted in several forms but the 2010 series are all related -You can try this or I can direct you to our experts area for review by them - Link to post Share on other sites More sharing options...
xryckaxx Posted March 18, 2010 Author ID:216559 Share Posted March 18, 2010 Still cant update. I think i need already updated version to download where i can find it? or updated files. Link to post Share on other sites More sharing options...
noknojon Posted March 18, 2010 ID:216561 Share Posted March 18, 2010 You can read Issue #4 from this link below - It will show how to get a 'recent' updated CD -http://forums.malwarebytes.org/index.php?s...ost&p=49525In the next edition (out soon) this should be easier - Link to post Share on other sites More sharing options...
xryckaxx Posted March 18, 2010 Author ID:216562 Share Posted March 18, 2010 Wow. Sorry for double post (dont know how to edit).i found 12 infections still scannin with the link u give me about "2010" Link to post Share on other sites More sharing options...
xryckaxx Posted March 18, 2010 Author ID:216564 Share Posted March 18, 2010 Registry Keys Infected:HKEY_CLASSES_ROOT\potdll.potgo (Trojan.Agent) -> No action taken.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uvkftj (Worm.Downadup) -> No action taken.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgrhvkvs (Rootkit.Agent) -> No action taken.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdrom (Trojan.Patched) -> No action taken.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regedit32 (Trojan.Agent) -> No action taken.Registry Data Items Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\kotvm.dll (Worm.Downadup) -> No action taken.C:\WINDOWS\system32\xdva279.sys (Rootkit.Agent) -> No action taken.C:\WINDOWS\system32\drivers\OLD32.tmp (Rootkit.Agent) -> No action taken.C:\WINDOWS\system32\drivers\hpzid412.sys (Rootkit.Agent) -> No action taken.C:\WINDOWS\system32\drivers\hpzipr12.sys (Rootkit.Agent) -> No action taken.C:\WINDOWS\system32\drivers\hpzius12.sys (Rootkit.Agent) -> No action taken.C:\WINDOWS\system32\drivers\lhldtswn.sys (Rootkit.Agent) -> No action taken.C:\WINDOWS\system32\drivers\dtofb.sys (Rootkit.Agent) -> No action taken.C:\WINDOWS\system32\drivers\WDICA.sys (Rootkit.Agent) -> No action taken.C:\WINDOWS\system32\dllcache\cdrom.sys (Trojan.Patched) -> No action taken.C:\WINDOWS\system32\drivers\cdrom.sys (Trojan.Patched) -> No action taken.C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> No action taken.delete them all? Link to post Share on other sites More sharing options...
noknojon Posted March 18, 2010 ID:216566 Share Posted March 18, 2010 That is OK - There are times that we prefer extra details - If you think you are badly infected please follow the details below to see an expert -Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here. One of the expert helpers there will give you one-on-one assistance when one becomes available.After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post - The experts in this area are a bit busy so it will take a while for a response -Thanks - Link to post Share on other sites More sharing options...
noknojon Posted March 18, 2010 ID:216567 Share Posted March 18, 2010 DELETE ALL_ Version 3879 is the current one - How close are you ?? Link to post Share on other sites More sharing options...
xryckaxx Posted March 18, 2010 Author ID:216568 Share Posted March 18, 2010 Deleted. Now regedit is working. i think virus is gone. TFU TFU TFU. but still scanning. later i will go to my cousin to get updated files. Link to post Share on other sites More sharing options...
xryckaxx Posted March 18, 2010 Author ID:216569 Share Posted March 18, 2010 3861 version203244 finger prints.by the way. when u gonna release lithuanian language at malwarebytes? Link to post Share on other sites More sharing options...
noknojon Posted March 18, 2010 ID:216570 Share Posted March 18, 2010 I will pass that on to management - First we need a translator that can understand the program - Not always easy -Your version is only about 3-4 days old - Near enough - Link to post Share on other sites More sharing options...
xryckaxx Posted March 18, 2010 Author ID:216571 Share Posted March 18, 2010 i am from lithuanian. i could help you translating. Link to post Share on other sites More sharing options...
noknojon Posted March 18, 2010 ID:216574 Share Posted March 18, 2010 I thought we had a Lithuanian one - But we can check -Thank you - I will pass it to the boss -Will leave it for now and contact later - Thank You - Link to post Share on other sites More sharing options...
Maurice Naggar Posted March 18, 2010 ID:216678 Share Posted March 18, 2010 @xryckaxxThis system has multiple infections, including rootkits.You have a thread open in Malware removal http://forums.malwarebytes.org/index.php?showtopic=43642Make all replies in that one.I am closing this topic. Link to post Share on other sites More sharing options...
Recommended Posts