ALERT!!!! ~XP 2012 FAKE Antivirus Working Thread
posted on Dec, 11 2011 @ 03:18 PM
I've dealt with a few variations of this, and so far (touch wood. Just wait until I get into work tomorrow and I get one which has nuked the entire PC...) have been successful in removing.


First of all, prepare a USB memory stick or CD with various utilities upon them. I *always* use a write-protected USB memory stick but, with these being a bit hard or expensive to find nowadays, an SD card (all of which have a write protect switch upon them, albeit with one caveat as you'll see...) and a *decent* USB memory card reader will also do. I say decent as I have come across one "thrift shop" USB card reader that apparently ignores the write protect switch on the memory card. If in doubt, check on a clean PC first. As for the clean PC, the trick is to keep your USB memory updated with various utilities and always make sure it is write protected before you use it in the infected computer.

Anyway, a few essential utilities. First, Kaspersky TDSSKiller, an anti-rootkit utility. I like to run this first, as if you are rootkitted, you can clean what you like, it'll only come back when you reboot the system...

A couple of utilities from the website Bleepingcomputer, home of Combofix amongst others. One particularly handy one is called Rkill, which checks for known malicious processes running in memory and kills them, handy to run before you get all Combofix upon its ass. If your particular infection prevents you from running this, or any .exe file for example, rename it with the extension .com or .scr or similar.

MBAM is good for mopping up afterwards as well. I've had a couple of infections that have prevented startup in Safe Mode, usually with a 7B BSOD. In these ones, I've found an infected atapi.sys file. Boot from a Windows PE disk (UBCD for Win being a good one you can build yourself) and replace that file, or at least disable the startup entry for it. That should then allow you back into Safe Mode.

Links? We don't need no steenkin' links! Google is your friend. If you can't find references to all the above via Google, it might not be a good idea to start attacking the internals of your computer with the above software. Seriously, it is quite easy to knacker the whole thing up with some of the above if you don't understand the full usage and capabilities of the above.

And so on. I'll post back with some more info if need be, but another few things to look for which are handy for this kind of thing.. The Sysinternals suite of software from Microsoft (Autoruns, process explorer and rootkit revealer being faves amongst that lot) and HijackThis! from Trend Micro.

Above all, have fun. Liken it to a battle of wits..




posted on Dec, 11 2011 @ 05:58 PM

Originally posted by Komodo
reply to post by Wrabbit2000

can't install, admin rights hi-jacked .. It's only my pc and I don't have admin account since it's only me on the pc .. any suggestions

hold that thought.. windows safety scanner actually did load and is scanning now..

edit on 11-12-2011 by Komodo because: (no reason given)

Windows safety scanner found and removed 7 infections.. however, see my post above this one on my connection issues


Well, I suppose I'm both happy and concerned. I'm glad to hear you got clear of the infection. I had a feeling that would do the trick. On the other hand, I HATE it when something less than obvious and logical goes sideways in Windows networking. If you're on tonight you might want to drop a U2U and maybe we can continue that way or even shift to chat if you're getting on by laptop or something and near the problem machine. I'm more than happy to help with the various approaches I can offer, but it's getting into more detailed questions about what your set-up and config is in figuring out where to go....assuming this hasn't already worked itself out (I can hope)

If I don't hear from you, I hope the secondary issue gets worked out without too much additional trouble!



posted on Dec, 14 2011 @ 07:38 PM

Originally posted by Wrabbit2000 (quoted reply above)


thx Wrabbit, appreciate it.. at this point I've not done anything else to the system, but, to quell my nagging that it 'could be' just my LAN cable, but, it's not.. it's in the h/w.. at least that's what I'm thinking..

I'm so frustrated at this point that I've halted on doing anything atm .. I'll see if I can catch you online



posted on Dec, 16 2011 @ 12:24 AM

Originally posted by Wrabbit2000 (quoted reply above)


hi wabbit....as of this reply I'm using the virtual keyboard on my wife's PC...she's infected as well but so far, still has Internet ...I've used 7 different programs so far but nothing has worked ...malwarebytes does not restore nor has caught it all & neither does Avira which is a joke!

I'm in desperate need of some expert IT experience!! my wife is running a home business & is desperate to get her system back ASAP........! we can NOT wipe the drive due to critical files & addresses of clients she must access !

I say again.....this virus is extremely rapid @ adapting to xp OS

I'm in xp safe mode on the admin acct because the virus is still active some how & will NOT allow me to input her pw EVEN IN SAFE MODE, & can NOT access her documents, EVEN in safe mode & on admin account

my system is unable to access the internet still

i need step by step instruction ...plz thk U

edit on 16-12-2011 by Komodo because: (no reason given)



posted on Dec, 16 2011 @ 06:55 AM
called avira support & for $169.00 they can fix it ....so much for that s/w ....going to return it for Kaspersky.. full version...i think..



posted on Jan, 21 2012 @ 07:03 PM
Have you tried this removal guide from bleeping computer?

XP antivirus 2012

These virus infections are not too difficult to kill off if you know what you are doing but it's very difficult to explain in a forum post. I'm a professional Windows tech support (MCP / MCTS / MCDST / MCITP) and could kill it if I had the computer in front of me. But there is often no 'easy' way to explain how to deal with it to someone with not much experience.

The problem with these kinds of virus infections is they take hold of your system and prevent you from using the system to get rid of them. As soon as you load up your system the virus is live and makes it almost impossible to destroy.

If it was on my system I would create a boot disk and load it full of virus scanners. That way you can boot off the disk and bypass the infected system. Then when you run the virus scanners you have a much better chance of destroying it as the virus is not 'live'.

I use Hiren's boot disk for this kind of task. It comes with a bunch of virus scanners already loaded on it but you can always load more on there.

Another way to deal with these kinds of viruses is to remove the hard drive and install it as a second hard drive on another computer and use that computer to attack the infection. The chances of this virus jumping onto the second computer are very small. It works in the same way as using a boot disk: because the system containing the virus is bypassed the virus does not become live so it's easier to destroy.

But even after the infection has been removed there is sometimes extensive damage done to the system that requires a large amount of repair or even a complete re-install.
edit on 21-1-2012 by PhoenixOD because: (no reason given)



posted on Jan, 22 2012 @ 07:48 AM
Ok I've had a little look about concerning this infection and I hadn't realized this was a variant of the "rogue name virus".


Win 7 Antispyware 2012, Vista Antivirus 2012, and XP Security 2012 are all names for the same rogue anti-spyware program. This family of rogues is promoted in two ways. The first is through the use of fake online antivirus scanners that state that your computer is infected and then prompt you to download a file that will install the infection. The other method is hacked web sites that attempt to exploit vulnerabilities in programs that you are running on your computer to install the infection without your knowledge or permission. Regardless of how it is installed, once it is running on your computer it will install itself as a variety of different program names and graphical user interfaces depending on the version of Windows that is running. Regardless of the name, though, they are all ultimately the same program with just a different skin on it. This rogue goes by different program names, which I have listed below based upon the version of Windows that it is installed on:

Windows XP Rogue Name
XP Antispyware 2012
XP Antivirus 2012
XP Security 2012
XP Home Security 2012
XP Internet Security 2012



Detailed removal instructions from PCRisk can be found here, including several custom tools for destroying the infection. It's for Windows 7 but might just work for XP as well.

I noted that on TechNet many people do have problems getting their internet connections to work even after they have got rid of the virus. This may require you to re-write several registry settings.



Multi-Rogue virus is the fake anti-spyware program which upon successful penetration inherits its name depending on the installed operating system. So, if users have Windows XP, the virus name would contain “XP” in the beginning. The same principle is applied when nominating the virus brought and installed to other operating systems like Windows Vista or Windows 7. Understanding the need to help you remove this virus effectively and without the necessity to install any programs we have developed the manual removal guide for its deletion. Hence, please be so kind to follow the removal steps described in the section below. You must carefully follow them without exceptions. The video tutorial is provided for you to understand how exactly to remove the virus manually (deleting its files and registry entries).

In order to delete Multi-Rogue virus manually you first must reboot your PC in safe mode or into safe mode with networking. You may find more information about how to do it by clicking this link.
Multi-Rogue virus files to be removed for Windows 7 and Windows Vista operating systems:

%AllUsersProfile%\[random]
%LocalAppData%\[random].exe
%Temp%\[random]
%LocalAppData%\[random]
%AppData%\TEMPLATES\[random]

Multi-Rogue virus files to be removed for Windows XP:

%AllUsersProfile%\Application Data\[random]
%LocalAppData%\[random].exe
%LocalAppData%\[random]
%Temp%\[random]
%UserProfile%\Templates\[random]



The location of registry entries to be removed:

HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\[random].exe" -a "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%LocalAppData%\[random].exe" -a "%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\[random].exe" -a "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\[random].exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\[random].exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\[random].exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'


Here are a couple of videos on removing the rogue name virus.





Remember you got this infection from visiting suspect websites, something to try to avoid in the future


Good luck on your mission


edit on 22-1-2012 by PhoenixOD because: (no reason given)
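The registry list quoted above explains why the first poster's trick of renaming a tool to .com or .scr works: the rogue wraps the exefile open command, so anything launched as .exe runs through it. The following is an added example, not code from this thread, PCRisk or BleepingComputer: a read-only PowerShell audit of exactly those locations, which reports deviations and changes nothing. It assumes PowerShell 2.0 or later (available on XP SP3), an account that can read HKLM, and that the clean default for the exefile open command is "%1" %*.

```powershell
# Added example: audit the registry locations named in the quoted PCRisk list.
# Read-only; it prints findings so you can decide what to repair from a clean boot.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]

function Get-DefaultValue([string]$Path) {
    $item = Get-ItemProperty -Path $Path
    if ($null -eq $item) { return $null }
    return $item.'(default)'
}

# 1. Machine-wide exefile handler. Assumed clean default: "%1" %*
$exeCmd = Get-DefaultValue 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'
if ($exeCmd -ne '"%1" %*') { $findings.Add("exefile open command is: $exeCmd") }

# 2. Per-user .exe/exefile classes and a shell key directly under .exe are not
#    present on a clean system; the list shows the rogue creating them.
foreach ($k in 'HKCU:\Software\Classes\.exe\shell\open\command',
               'HKCU:\Software\Classes\exefile\shell\open\command',
               'HKLM:\SOFTWARE\Classes\.exe\shell\open\command') {
    if (Test-Path $k) { $findings.Add("unexpected key present: $k = $(Get-DefaultValue $k)") }
}

# 3. Browser launch commands: flag a wrapper in a profile directory using the "-a" form.
foreach ($b in 'FIREFOX.EXE', 'IEXPLORE.EXE') {
    foreach ($verb in 'open', 'safemode') {
        $k = "HKLM:\SOFTWARE\Clients\StartMenuInternet\$b\shell\$verb\command"
        $v = Get-DefaultValue $k
        if ($v -and $v -match '(?i)(appdata|local settings|\\temp\\).*" -a ') {
            $findings.Add("$b $verb command wrapped: $v")
        }
    }
}

# 4. Security Center overrides silence the missing antivirus/firewall warnings.
$sc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($name in 'AntiVirusOverride', 'FirewallOverride') {
    if ($sc.$name -eq 1) { $findings.Add("Security Center $name = 1") }
}

# 5. The BrowserEmulation marker under the .DEFAULT user hive.
$be = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation'
if ((Get-ItemProperty $be).TLDUpdates -eq 1) { $findings.Add('HKU\.DEFAULT TLDUpdates = 1') }

if ($findings.Count -eq 0) { 'No rogue-AV registry markers found.' }
else { $findings | ForEach-Object { "FOUND: $_" } }
```

Run it from a Windows PE boot or with the drive mounted in a clean machine (as PhoenixOD suggests) by loading the offline hives first; run live, the hijacked exefile handler can intercept the PowerShell launch itself.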



posted on Jul, 7 2012 @ 09:24 PM
reply to post by PhoenixOD
 


deep thx PhoenixOD~!

Really appreciate it, I know it's been a few months since this happened.. but as of this post, my friend's Vista PC is running SUPER slow after the last window update as of the 3rd of this month...

thus far, my removal of suspected Virus is:

1) Ran/updated Malwarebytes; deep scan = none (clean)
2) Updated/ran Kaspersky; deep scan (1 hour, 07 mins) = none (clean)
3) Defragged HD/Registry

None of the above has fixed the issue with the PC booting to desktop, yes it will go into safe mode and w/ networking np.. but it's SLOW, but quicker than normal (obviously)

at this point I'm going to try ComboFix, I think I used it on my wife's PC and it worked fine, however, it had a little trouble with mine.

I do intend to wipe the drive and reinstall but, for now, the critical stage is getting his HD cleaned and moving docs off to a backup.

any other suggestions are always welcome.. I'm going to document this for future reference.

ETA: yes.. I know VISTA is crap, and working to try and get a copy of Windows 7.
