5 Hours of Complete Pain XP Security 2011

I have been trying to remove XP Security from a family member's computer by way of remote connection. She is running an HP dv2000 Laptop with Windows XP Professional,… Complete pain, XP Security loads in safe mode and every exe opened opens XP Security

The files I have noticed that play a part are
Sf.bin pops up, ppd.exe is XP Security 2011. rarfx0.1 and rarfx2 are added to temp during the XP Security opening (also found by rkill.exe)
I have tried RogueKiller, renaming it before transferring it or directly downloading, same with rkill, tried online scanners and XP Security shuts the browser down and loads itself.
Rkill loads… ppd.exe replicates a dozen times, and even if I leave it alone rkill gets stuck on the temp files mentioned, stating the files or location does not exist.
Msconfig does not work, however regedit does, not sure if it's the real registry but I did get it running.

Avast right now is running a boot-time scan…
If Avast doesn't find anything, where can I find these files for manual deletion, or where do I go from here!!

UPDATE: I haven’t tried to run dds for a log, so tomorrow when I come back from work I’ll post it, providing it works, every program that runs in the CMD tends to make xp security go crazy

read it all before you start

Remove XP Anti-Spyware 2011, Vista Security 2011, and Win 7 Internet Security 2011 (Uninstall Guide)
http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011

I understand, but rkill was unsuccessful in removing the rogue.
She does not have a secondary computer from which these files could be transferred. Regardless, I had the above-mentioned file running, and it closed due to an error with locating or deleting from temp (rarfx01, 02)

rKill will not remove the rogue as it is a Malware Process Terminator… you run it to help starting Malwarebytes if blocked

Part 1 http://www.brighthub.com/computing/smb-security/articles/59807.aspx
Part 2 http://www.brighthub.com/computing/smb-security/articles/59799.aspx

I know that, I know it just removes the process, I have used rkill numerous times before.
But it will not even remove the process for me to try to disinfect anything. See what I'm saying?

Malwarebytes is blocked; when I run rkill.exe or even eXplorer.exe or one of the many other file names they have to offer (including renaming it before download) it still errors indicating it cannot find the files in the temp folder that is C:/Owner/localsettings/temp

OK, are you able to run OTS ?

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs HERE in this topic and not in the guide )

To avoid using multiple posts with copy and paste you have to attach the logs
Lower left corner: Additional Options > Attach ( OTS log )

I will notify Essexboy so he will look at this when he arrives here later

Thank you pondus, I will attempt an OTS log. It right now is lagging its way through a boot-time scan,
which so far has only found win32-kryptik-agv, the only infection found, and it is at 40%. Now I'm curious, will Avast find this?

OTS seems to freeze on the first object scanned: CD drive settings. Even with the remote connection disconnected and the PC unused, the program doesn't seem to want to respond.

Mdnsresponder.exe
SMagent.exe, other files that may be associated with the above infection

found ravmon.exe on her mp3 player, also when trying rkill.exe again net.exe and net1.exe showed up until rkill displayed Cannot readC:/LOCAL~DOCUME~TEMP!RKSlog.tsk

So OTS was unsuccessful, and when trying to walk her through safe mode she says when trying to run ComboFix it says “A device connected is not functioning properly”, even when the file is on the disc

RKILL: Works if I end the ppd.exe task a few times (initiating the rkill program executes numerous copies of ppd.exe)
Ending a few of these results in the program booting up, it then scans for malware processes and cannot read the temp files and stops the scan with no processes terminated.

OK, I have a pic of a folder I found running most of these little .exe files
C:\32788R22FWJFW
I have a picture of the files in this folder, is this a legit program or the culprit? Notice the circled registry.

EDIT: I now know this is combofix

Okay, Rogue killer loads and removes 4 processes
3 of them being teamviewer and one being combofix which was frozen.

Hi, the programme you ran, was it called RogueKiller or RK? As both programmes are slightly different

This one will on the first run identify what it believes to be malware and stop all processes. Thereby enabling you to run OTS. If you still have problems running OTS then use option 2 on roguekiller and it will delete what it believes to be malicious. If it makes an error we can restore the file

Download RogueKiller to your desktop

[*]Quit all running programs
[*]For Vista/Seven, right click → run as administrator, for XP simply run RogueKiller.exe
[*]When prompted, type 1 and validate
[*]The RKreport.txt shall be generated next to the executable.
[*]If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

THEN

Run OTS and attach the log

I tried both. Rkill couldn't access temp file rarfx0.1

and RogueKiller found four processes: three were TeamViewer processes and one was combofix.exe (which had frozen before I loaded RogueKiller)

Running in safe mode and double clicking brings up open with…
and run as brings up access is denied
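Added example, not from this thread or from any tool named in it: the symptoms described (every .exe launching the rogue, double-clicking an .exe bringing up "Open with…") are what a hijacked .exe file association looks like, so a defender's first check is the launch chain under HKEY_CLASSES_ROOT. This Python script parses a constructed regedit export of those two keys and reports any deviation from the stock XP values; the ppd.exe path in the hijacked sample is constructed for illustration, not a captured value.

```python
import re

# Stock Windows XP values for the .exe launch chain; any deviation means every
# double-clicked .exe is routed through something else first.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": ("", "exefile"),
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": ("", '"%1" %*'),
}

# Constructed sample (not a real capture) of what "regedit /e" exports on a clean box.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed sample of the hijacked state: the rogue (ppd.exe here) runs before the real target.
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\ppd.exe\" -a \"%1\" %*"
'''

def parse_reg_export(text):
    """Parse the .reg subset needed here: [key] headers and "name"="string" / @="string" lines."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, value = line.partition("=")
            name = "" if name == "@" else name.strip('"')   # @ is the (Default) value
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = re.sub(r"\\(.)", r"\1", value[1:-1])  # undo \" and \\ escapes
            keys[current][name] = value
    return keys

def check_exe_association(text):
    """Return a list of findings; an empty list means the launch chain looks clean."""
    keys = parse_reg_export(text)
    findings = []
    for key, (name, expected) in EXPECTED.items():
        actual = keys.get(key, {}).get(name)
        if actual is None:
            findings.append(f"{key}: value missing from export")
        elif actual != expected:
            findings.append(f"{key}: expected {expected!r}, found {actual!r}")
    return findings
```

On a live machine the export would come from `regedit /e` run on the keys above (or from the offline hive when booted from a rescue CD, as later in this thread); a non-empty result is the cue to restore the stock values before expecting any scanner .exe to launch.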

Download this Programme to your desktop, right click and select install, nothing will appear to happen it will just do its job

Then try to run OTS from safe mode

Download: Run program and then RESTART in safe mode? or run program and then otl all in safe mode?

Yes - sorry not quite clear was it

Download and run the programme
Reboot to safe mode
Run OTS

When right clicking and then pressing install, it brings "Open with…" up

OK would you be game to work outside of windows ?

Do you have access to a system with a cd burner ?

Please print these instruction out so that you know what you are doing

Latest version: v3.1.46.0

OTLPENet.exe
MD5=79209302A1AFB2490808DB890A815CED
Size: 127,222,215b / 121.3MB

[*]Download OTLPENet.exe to your desktop
[*]Ensure that you have a blank CD in the drive
[*]Double click OTLPENet.exe and this will then open imgburn to burn the file to CD

[*]Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here
[*]As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads

[*]Your system should now display a Reatogo desktop.
Note : as you are running from CD it is not exactly speedy
[*]Double-click on the OTLPE icon.
[*]Select the Windows folder of the infected drive if it asks for a location
[*]When asked “Do you wish to load the remote registry”, select Yes
[*]When asked “Do you wish to load remote user profile(s) for scanning”, select Yes
[*]Ensure the box “Automatically Load All Remaining Users” is checked and press OK
[*]OTL should now start.
[*]Press Run Scan to start the scan.
[*]When finished, the file will be saved in drive C:\OTL.txt
[*]Copy this file to your USB drive if you do not have internet connection on this system.
[*]Right click the file and select send to : select the USB drive.
[*]Confirm that it has copied to the USB drive by selecting it
[*]You can backup any files that you wish from this OS
[*]Please post the contents of the C:\OTL.txt file in your reply.

I’m downloading and attempting it. She doesn’t have a second computer, however the laptop has a DVD burner, so I’m going to attempt to burn with the infected machine…

When you run it to burn - run as administrator