I have been trying to remove XP Security from a family member's computer by way of remote connection. She is running an HP dv2000 laptop with Windows XP Professional,… Complete pain, XP Security loads in safe mode and every exe opened opens XP Security.
The files i have noticed that play a part are
Sf.bin pops up, ppd.exe is XP Security 2011. rarfx0.1 and rarfx2 are added to temp during the XP Security opening (also found by rkill.exe).
I have tried RogueKiller, renaming it before transferring it or directly downloading, same with rkill, tried online scanners and XP Security shuts the browser down and loads itself.
Rkill loads… ppd.exe replicates a dozen times, and even if I leave it alone rkill gets stuck on the temp files mentioned, stating the files or location does not exist.
Msconfig does not work, however regedit does, not sure if it's the real registry but I did get it running.
Avast right now is running boottime scan…
If Avast doesn't find anything, where can I find these files for manual deletion, or where do I go from here!!
UPDATE: I haven't tried to run DDS for a log, so tomorrow when I come back from work I'll post it, provided it works; every program that runs in the CMD tends to make XP Security go crazy.
I understand, but rkill was unsuccessful in removing the rogue.
She does not have a secondary computer from which these files could be transferred. Regardless, I had the above mentioned file running, and it closed due to an error with locating or deleting from temp (rarfx01, 02).
I know that, I know it just removes the process, I have used rkill numerous times before.
But it will not even remove the process for me to try to disinfect anything. See what I'm saying?
Malwarebytes is blocked; when I run rkill.exe or even eXplorer.exe or one of the many other file names they have to offer (including renaming it before download) it still errors, indicating it cannot find the files in the temp folder that is C:/Owner/localsettings/temp.
Thank you pondus, I will attempt an OTS log. It is right now lagging its way through a boot time scan,
which so far has only found win32-kryptik-agv (so far the only infection found) and it is at 40%. Now I'm curious, will Avast find this?
OTS seems to freeze on the first object scanned: CD drive settings. Even after I disconnected the remote connection and left the PC unused, the program doesn't seem to want to respond.
Mdnsresponder.exe
SMagent.exe, other files that may be associated with the above infection
found ravmon.exe on her mp3 player, also when trying rkill.exe again net.exe and net1.exe showed up until rkill displayed Cannot readC:/LOCAL~DOCUME~TEMP!RKSlog.tsk
So OTS was unsuccessful, and when trying to walk her through safe mode she says when trying to run ComboFix it says "A device connected is not functioning properly", even when the file is on the disc.
RKILL: Works if I end the ppd.exe task a few times (initiating the rkill program executes numerous copies of ppd.exe).
Ending a few of these results in the program booting up; it then scans for malware processes, cannot read the temp files and stops the scan with no processes terminated.
OK, I have a pic of a folder I found running most of these little .exe files:
C:\32788R22FWJFW
I have a picture of the files in this folder, is this a legit program or the culprit? Notice the circled registry.
Hi, the programme you ran, was it called RogueKiller or RK? As both programmes are slightly different.
This one will on the first run identify what it believes to be malware and stop all processes, thereby enabling you to run OTS. If you still have problems running OTS then use option 2 on RogueKiller and it will delete what it believes to be malicious. If it makes an error we can restore the file.
- Quit all running programs
- For Vista/Seven, right click → run as administrator; for XP simply run RogueKiller.exe
- When prompted, type 1 and validate
- The RKreport.txt shall be generated next to the executable.
- If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.
- Download OTLPENet.exe to your desktop
- Ensure that you have a blank CD in the drive
- Double click OTLPENet.exe and this will then open ImgBurn to burn the file to CD
- Reboot your system using the boot CD you just created. Note: if you do not know how to set your computer to boot from CD, follow the steps here
- As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads
- Your system should now display a Reatogo desktop. Note: as you are running from CD it is not exactly speedy
- Double-click on the OTLPE icon.
- Select the Windows folder of the infected drive if it asks for a location
- When asked "Do you wish to load the remote registry", select Yes
- When asked "Do you wish to load remote user profile(s) for scanning", select Yes
- Ensure the box "Automatically Load All Remaining Users" is checked and press OK
- OTL should now start.
- Press Run Scan to start the scan.
- When finished, the file will be saved in drive C:\OTL.txt
- Copy this file to your USB drive if you do not have an internet connection on this system.
- Right click the file and select Send to: select the USB drive.
- Confirm that it has copied to the USB drive by selecting it
- You can back up any files that you wish from this OS
- Please post the contents of the C:\OTL.txt file in your reply.
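The symptom described in this thread (every .exe launched opens the rogue) and the helper's advice to rename the tool both point at the .exe file association, which fake-AV families of this kind commonly hijack through the default value of HKCR\exefile\shell\open\command. The following is an added example, not code from the thread or from RogueKiller/OTL: it parses a .reg export of those keys (the sample below is constructed, and the ppd.exe path in it is made up), flags values that differ from the XP defaults, and builds a .reg file that restores them.

```python
import re

# Known-good XP defaults; anything else routes every .exe launch elsewhere.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}

# Constructed sample .reg export with a hijacked command value (path made up).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\ppd.exe\" /START \"%1\" %*"
'''

def parse_reg(text):
    """Parse REG_SZ entries of a .reg export into {key: {name: data}}."""
    result, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result[key] = {}
        elif key and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                # .reg strings escape backslash and double quote with a backslash
                data = re.sub(r'\\(["\\])', r'\1', data[1:-1])
            result[key][name.strip('"')] = data
    return result

def find_hijacks(reg):
    """Return (key, actual, expected) for every default value that differs."""
    return [(key, reg.get(key, {}).get("@"), exp)
            for key, exp in EXPECTED.items()
            if reg.get(key, {}).get("@") != exp]

def repair_reg(findings):
    """Build a .reg file that restores the expected default values."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, _actual, exp in findings:
        escaped = exp.replace("\\", "\\\\").replace('"', '\\"')
        lines += ["[%s]" % key, '@="%s"' % escaped, ""]
    return "\n".join(lines)

if __name__ == "__main__":
    print(repair_reg(find_hijacks(parse_reg(SAMPLE_REG))))
```

The export to feed it can be taken from the offline hive that OTLPE loads when you answer Yes to "load the remote registry", so the check runs without the infected system's own explorer being involved.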
I'm downloading and attempting it. She doesn't have a second computer, however the laptop has a DVD burner, so I'm going to attempt to burn it with the infected machine…