Jump to content

Hit by XP Security 2012


Recommended Posts

Hi and help,

My XP laptop got hit by a virus/malware identifying itself as XP Security 2012. The process shows up in task mgr as ewf.exe.

Reading another post here I was able to run TDSSKiller and have the log. Rebooting the problem is still there.

I've included the log as a file attachment. So what should be my next step? Note I am posting this from an alternate computer - I've discoed my laptop from the net.

Thanks in advance, Jim

TDSSKiller.2.5.9.0_06.07.2011_00.45.45_log.txt

Link to post
Share on other sites

Hello and :welcome:

Lets see if the following tool will be able to get rid of this infection.

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

Link to post
Share on other sites

Hi,

Thanks for helping. Note that I am running combofix now.

One thing - I just got a popup saying that PEV.exe has encountered a problem and needs to close.

I do not recognize this process. Is it part of combofix or part of the infection?

I have not clicked to either send or not send the error report to MS and combofix still appears to be running - it has gone through stage 50 and is now deleting files - one of which is the ewf.exe I mentioned.

Link to post
Share on other sites

Hi,

I've attached the combofix log file.

I booted up and no problem but am curious that Windows updates says it found 1 update and wants me to install it. Does Windows log these from the past because my laptop is not connected - so how could Windows find an update? Unless it happened when I reconnected so that combofix could download MS recovery console.

So what does my combofix log tell you?

Link to post
Share on other sites

Hi,

I've attached the combofix log file.

I booted up and no problem but am curious that Windows updates says it found 1 update and wants me to install it. Does Windows log these from the past because my laptop is not connected - so how could Windows find an update? Unless it happened when I reconnected so that combofix could download MS recovery console.

So what does my combofix log tell you?

Sorry - here is the log file for real.

Combolog.txt.txt

Link to post
Share on other sites

Reinstalled Malwarebytes and did a quick scan. While memory was clean, it did find a registry key for Firefox/shell/safemode/command as follows:

"c:\documents and settings\master\local settings\application data\ewf.exe" -a "path-to-firefox\firefox.exe"

Malware took no action. Should I have Malwarebytes remove it?

Also checking the directory where the registry key says ewf.exe is, I can see that it is not there but there is an 11k file with a long cryptic name but no file extension with a date modified that is shortly before I got hit. Any harm in deleting it?

Link to post
Share on other sites

Hi, yes, please remove that detected item with MBAM; it is a hijack that would cause the rogue process to pop up whenever you would attempt to start firefox. The actual file is deleted, but this registry entry needs to go too.

It looks indeed like Windows Update worked while combofix was running; I see evidence combofix recreated part of the update service. You can safely install this update.

Also checking the directory where the registry key says ewf.exe is, I can see that it is not there but there is an 11k file with a long cryptic name but no file extension with a date modified that is shortly before I got hit. Any harm in deleting it?
Yes, you can delete this.

Can you now rerun TDSSkiller and post me the new log?

Link to post
Share on other sites

Hi, yes, please remove that detected item with MBAM; it is a hijack that would cause the rogue process to pop up whenever you would attempt to start firefox. The actual file is deleted, but this registry entry needs to go too.

Can you now rerun TDSSkiller and post me the new log?

I deleted that entry.

Then reinstalled Avast Free and ran a full scan. I've attached a screenshot of the results.

I ran TDSSkiller again and have attached the log file.

So what's your verdict?

post-86935-0-20944300-1310049140.jpg

TDSSKiller.2.5.9.0_07.07.2011_09.24.28_log.txt

Link to post
Share on other sites

Hi,

Been sidetracked much of the day so can only say that I've no problems yet. Have not yet tried to use Firefox. Am now installing Windows updates. Looks like the updates will take some time.

I downloaded Avast to a clean usb drive from this machine. Uninstalled Avast on the infected laptop and reinstalled with Avast downloading updates.

Don't recall where the code::blocks tutorial came from. Once updates are done I'll find out for you. Note that I am now using Eclipse and can say that I prefer it as an IDE for C++.

Thanks again for your help.

Link to post
Share on other sites

Hi again, lets also get a bit more information here.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.

    [*]Double click on the DDS icon, allow it to run.

    [*]A small box will open, with an explaination about the tool. No input is needed, the scan is running.

    [*]Notepad will open with the results.

    [*]Follow the instructions that pop up for posting the results.

    [*]Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Link to post
Share on other sites

Hi again,

UPDATE XP

--------------

Your Microsoft Windows installation is out of date. Using unpatched Windows systems on the Internet is a security risk to everyone. When there are insecure computers connected to the Internet, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, and spammers have more platforms from which to send e-mail. Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your computer. Keeping up-to-date with all these security patches will help prevent malware from reinfecting your machine. If you are not sure how to do this, see How to use Microsoft Update.

For additional information, be sure to read "Windows Xp Service Pack 3 (sp3) Information".

Then go here to check for & install updates to Microsoft applications.

Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:

  • Download the latest version of Adobe Reader Version X. and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older version of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, the please see this tutorial:How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

Your Adobe Reader is now up to date!

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

  • Download the latest version of Java Runtime Environment (JRE) Version 6.
  • Look for "JDK 6 Update 26 (JDK or JRE).
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Select "Windows x86 Offline" and click on jre-6u26-windows-i586.exe

    [*]Save it to your desktop

    [*]Close any programs you may have running - especially your web browser.

    [*]Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).

    [*]Reboot your computer once all Java components are removed.

    [*]Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.

Finally, please launch MBAM, update it and run a full scan. Post me the resulting log.

Link to post
Share on other sites

Hi Elise,

Did install SP3 which turned out to be something of a pain. Been going through trying to recover some of the large amounts of disk space that disappeared. Scariest part was it took a couple reboots to get connected to the net again.

Note I'm still using my netbook to conduct this discussion.

I've attached the mbam log per your request.

So what do tou think - fo I get a clean bill of health?

Thanks again, Jim

mbam-log-2011-07-09 (13-10-16).txt

Link to post
Share on other sites

That log loosk good! :)

Do you have any problem left after the SP3 installation? If so, please let me know what (in case the disk space is an issue, can you give an indication of how much space was used?)

Lets run one last scan before calling it clean.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
  2. Click the esetonlinebtn.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetsmartinstaller_enu.png
      icon on your desktop.

    3. Check "YES, I accept the Terms of Use."
    4. Click the Start button.
    5. Accept any security warnings from your browser.
    6. Under scan settings, check "Scan Archives" and "Remove found threats"
    7. Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology

[*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

[*]When the scan completes, click List Threats

[*]Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

[*]Click the Back button.

[*]Click the Finish button.

Link to post
Share on other sites

Hi,

Attached is the scan log from ESET. 3 threats found, one being in the Code::blocks tutorial previously identified.

I did a fair amount of cleaning up Windows directories from the SP3 install and other Windows updates to regain disk space (recovered 1Gb so now 1.6Gb free).

The problem is now my laptop's performance sucks eggs (runs fine but then has periods lasting 5-20 seconds of non-responsiveness with hard drive activity (happened 2 times during the course of writing this note)). I blame MS for this since performance was fine after the several steps of disinfecting that we went through and after which I saw no evidence of the original malware infection. My drive is fragmented so perhaps the SP3 install and other updates is so fragmented that it accounts for the problem. I've tried to use Task Mgr to identify the source process but nothing reveals itself.

Any ideas?

Thanks again for all your help.

ESETscanlog.txt

Link to post
Share on other sites

No computer will run well with only 1,60 GB free space. Windows needs at least 25% of free disk space in order to run fine. I recommend you remove unnecessary programs, and move away personal data like pictures or music.

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS, and TDSSkiller.

Please read these advices, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.

[*]Keep Windows (and your other Microsoft software) up to date!

I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

[*]Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.

[*]Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

Link to post
Share on other sites

Hi Elise,

No computer will run well with only 1,60 GB free space. Windows needs at least 25% of free disk space in order to run fine.

I would not make that blanket statement - especially using a percentage because that means that if I swap out a 100 Gb drive (with 25Gb being needed for Windows to run fine) for a 500 Gb drive, Windows will suddenly need an additional 100 Gb (the size of the original drive!) in order to run equally well.

Prior to updating, I was regularly running with between .5Gb and 1Gb of free space with no problem. Note that my drive is only 60Gb (state of the art at the time I bought it along with its Pentium M processor). In computer years my laptop is ancient having been in continual service since 2004! I will be buying a new laptop soon since my graphics card in this laptop does not support OpenGL 3 - which I need.

Thanks for all your help in getting my laptop cleaned. If you're every in Schaumburg IL let me know and I'll treat you to a coffee or frappuccino at the local Starbucks.

Thanks again, Jim

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.