I have not gotten a virus for about five years now on this computer, and suddenly, as of December last year, I randomly get this “XP Internet Security 2012” virus come trucking in out of nowhere.
Sure, I removed it and cleaned everything out. Avast has never had a problem before now with blocking anything or identifying what might come my way, but what strikes me as strange is that Avast does not seem to be blocking this, or identifying it at all. It is literally as if the virus itself is not in the definitions at all, and so every few weeks it keeps showing up.
Need I state beforehand, XP Internet Security first shuts any browser down, then starts downloading itself… Avast is still running and does not shut off; hell, as I said, it may as well just be twiddling its thumbs as far as I am concerned, because it isn’t identifying that anything is wrong at all!
Every time it shows up (four times so far in the past month) I just clean my computer, check the registry… all that jazz, so I know that it is gone and not attached to anything.
I will go two weeks, a week, three weeks without it randomly showing up after browsing whatever random websites it may be attached to in a pop-up or what have you. After dealing with it this many times I just have to curiously ask…
Is this even in Avast’s registry at all to block it?
Is Avast literally just ignoring it because it does not exist in the virus database?
Is there actually going to be an update to block this? Because, man, it’s just so annoying…
Yes, you are deeply infected… if it keeps coming back, it might be a rootkit behind it all, downloading a fresh copy of the rogue for your entertainment after every time you clean it.
Hm, well, I already run all the programs and things necessary to remove it; that is why it is annoying that it continues to try and return. I have a friend who has the same issue (though they run Windows 7) who also clears the issue and runs Avast, and so we are just unsure if the thing even exists in the virus database yet for Avast. I have no way to confirm that it does or doesn’t, since there have been no threads stating “Yes, we have already added this to our definition updates”.
Either way, I just always go through the same process of removing it each time, which is still the same as what everyone else is told to do, since I just read the instructions because they are easy enough to follow, and I have always had to help others remove things from their computers in the past.
You mistake the rogue AV (XP IS 2012) for the illness… it is more like a symptom.
Light metaphor: you keep getting a cold, so you keep taking cold medicine. But it will do little good if you have AIDS. The reality is much more complicated than that, but you get the general idea? If you have a rootkit installed, all bets and safeguards are off.
This is all on the assumption that you have a rootkit infection; I could easily be wrong… but that’s the most common source of “it keeps coming back” that I have seen. Second would be someone who keeps going back to the same “trusted site” that is compromised and keeps infecting them.
Not trying to sweep under the rug the fact that Avast! has failed to perform for you as advertised, just an explanation.
Yep, I know; this is why I tossed it out there to see if there could be a definitive answer on whether it exists in their definitions or not. That way it narrows down what I have to do.
Of course, right now I am cleaning up any sort of potential lingering effects of this last ninja attack as we speak, since it happened just prior to me posting this thread. So unless one of the programs is not doing what it ought to in order to clean it up, it beats me. I will obviously have the logs of tonight’s fiasco when the programs are done scanning, so that someone else can look at them.
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org
Database version: v2012.01.12.01
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Lunactic Inferno :: AVRAIL [administrator]
1/11/2012 7:37:08 PM
mbam-log-2012-01-11 (19-37-08).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 406708
Time elapsed: 1 hour(s), 34 minute(s), 17 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 5
c:\documents and settings\lunactic inferno\local settings\application data\mcl.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lunactic Inferno\Local Settings\Application Data\ncv.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\lunactic inferno\my documents\42n1l.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{e0e29660-213b-489e-aaf8-e5de0d975889}\rp39\a0014710.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lunactic Inferno\Local Settings\temp\oiu0.018459031998561692.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
(end)
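Reading a log like the one above is mostly about where the files sat, not just how many there were. The following is an added example, not Malwarebytes’ code or anything the poster ran: it parses the “Files Detected” lines into path, threat name and action, labels each path by location, and prints triage notes. The sample input is the count line and the five detection lines copied from the log above; the location labels and the triage rules are my own, and the check that the declared count matches the parsed count is there because a truncated paste is a common reason a log looks cleaner than it is.

```python
import re
from collections import Counter

# Sample input: the "Files Detected" count and the five detection lines from the log above.
SAMPLE_LOG = r"""Files Detected: 5
c:\documents and settings\lunactic inferno\local settings\application data\mcl.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lunactic Inferno\Local Settings\Application Data\ncv.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\lunactic inferno\my documents\42n1l.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{e0e29660-213b-489e-aaf8-e5de0d975889}\rp39\a0014710.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lunactic Inferno\Local Settings\temp\oiu0.018459031998561692.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
(end)
"""

# One detection line: "<drive>:\<path> (<threat>) -> <action>."  Paths never contain parentheses.
DETECT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
COUNT_RE = re.compile(r"^Files Detected: (\d+)$")

# Location labels (my own, checked in order; XP profile layout). Needles are lower-case substrings.
LOCATION_RULES = [
    ("restore_point", "\\system volume information\\_restore"),
    ("temp", "\\local settings\\temp\\"),
    ("local_appdata", "\\local settings\\application data\\"),
    ("user_documents", "\\my documents\\"),
]


def classify_location(path):
    """Map a detected file's path to a coarse location label."""
    p = path.lower()
    for label, needle in LOCATION_RULES:
        if needle in p:
            return label
    return "other"


def parse_mbam_log(text):
    """Return the declared file count and one dict per detection line."""
    declared = None
    detections = []
    for line in text.splitlines():
        line = line.strip()
        m = COUNT_RE.match(line)
        if m:
            declared = int(m.group(1))
            continue
        m = DETECT_RE.match(line)
        if m:
            d = m.groupdict()
            d["location"] = classify_location(d["path"])
            detections.append(d)
    return {"declared": declared, "detections": detections}


def triage(report):
    """Summarise detections by threat and location and derive follow-up notes."""
    dets = report["detections"]
    notes = []
    if report["declared"] is not None and report["declared"] != len(dets):
        notes.append(f"declared {report['declared']} files but parsed {len(dets)}: log truncated or format changed")
    by_threat = Counter(d["threat"] for d in dets)
    by_loc = Counter(d["location"] for d in dets)
    if by_loc["restore_point"]:
        notes.append("copy inside a System Restore point: purge restore points after cleanup, or a restore brings it back")
    if by_loc["temp"]:
        notes.append("payload staged in Temp: find what wrote it (browser, plugin, download) rather than only deleting it")
    for threat, n in by_threat.items():
        if n > 1:
            notes.append(f"{threat} seen {n} times in different paths: repeated drops, not one stray file")
    return {"by_threat": dict(by_threat), "by_location": dict(by_loc), "notes": notes}


if __name__ == "__main__":
    result = triage(parse_mbam_log(SAMPLE_LOG))
    print(result["by_threat"])
    print(result["by_location"])
    for note in result["notes"]:
        print("-", note)
```

On the sample above this yields three notes: the restore-point copy, the Temp-staged file, and Trojan.FakeMS appearing three times in three different directories.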
Removed, Restarted. OTL ran, logs posted in clips.
^ ’Course it says ZA, though not much seems to ever come up. I did have that once, but then it got removed. I will have to have it looked into if it comes up again.
and so we are just unsure if the thing even exists in the virus database yet for Avast. I have no way to confirm that it does or doesn't since there has been no threads stating that "Yes, we have already added this to our definition updates".
This is not one program... even if they look the same, they are changed inside. So new versions are released every day... needing new signatures.
I always just send in what Avast does find in order to update against what might be there. It is pretty annoying to just get the same dull thing trying to get on my computer every so often.
The logs are up; I am doing one last scan to see if it finds anything else. I don’t really know what RKill was going on about if it thinks that I have ZeroAccess again. That thing was a pain in the arse to remove last time I had it.
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org
Database version: v2012.01.12.01
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Lunactic Inferno :: AVRAIL [administrator]
Protection: Enabled
1/12/2012 12:26:03 AM
mbam-log-2012-01-12 (00-26-03).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 389270
Time elapsed: 2 hour(s), 14 minute(s), 8 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
Final Report.
I hope that it is gone for good, but I don’t really know for sure. Someone else probably should go through this just in case I overlooked something.
For now, I am heading to sleep and will check back later on to see if anything has been updated here or someone had something else to say.
Since you have made many attempts to get rid of this malware, I have contacted our malware removal expert, Essexboy. He comes on the forum late in the UK time zone, around 18:00 (6:00 PM). Please make no further changes to your machine and follow his instructions. If you are on a network, please disconnect this machine from the network. Thank you.
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
When the computer restarted after OTL ran with the last script, we had a minor power outage from the weather, so I don’t have the log for it. I am running MBAM and aswMBR again to see if they pick anything else up, since I could not get the log from OTL.
The CD-ROM thing did not show up again in aswMBR when scanned; nothing showed up on MBAM. RKill still states ZA.
RogueKiller V6.2.4 [01/12/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Lunactic Inferno [Admin rights]
Mode: Scan -- Date : 01/14/2012 04:05:49
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 2 ¤¤¤
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess ¤¤¤
[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!
¤¤¤ HOSTS File: ¤¤¤
ÿþ1
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
[...]
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 7363adf36d8e872b19cd06f829973af5
[BSP] 59e6e5e25adc36f1c7d0322b9e2c3180 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 63 | Size: 250048 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: +++++
--- User ---
[MBR] 58d5d8d1486c4505f69dc64b33f839f8
[BSP] 0e667feb6452a6589648bbd85603dfb2 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 63 | Size: 750153 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1].txt >>
RKreport[1].txt
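The “MBR Check” section of the RogueKiller report above hashes each drive’s first sector and lists its partition table. That is what a bootkit check looks at: some bootkit families overwrite the bootstrap code at the start of the disk so they run before Windows, and therefore before any installed AV, which fits the “it keeps coming back no matter what I clean” pattern discussed in this thread. The following is an added example, not RogueKiller’s code and not its output format, that does the same checks on a constructed 512-byte MBR: parse the four partition entries, hash the 440-byte bootstrap region, compare against a known-good set, and flag unexpected partition types or entries that run past the end of the disk. The bootstrap bytes, the disk size, the known-good hash set and the partition-type allow-list are all constructed for the example; a real check compares against vendor-published hashes for the installed Windows version.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440            # bootstrap code; the 4-byte disk signature follows at 0x1B8
PART_TABLE_OFF = 0x1BE         # four 16-byte partition entries, then 0x55AA at 0x1FE
ENTRY_FMT = "<B3sB3sII"        # boot flag, CHS start, type, CHS end, LBA start, LBA count
BOOT_SIGNATURE = b"\x55\xAA"

# Partition types a clean XP-era disk is expected to carry (constructed allow-list for the example).
KNOWN_TYPES = {0x05, 0x07, 0x0B, 0x0C, 0x0F, 0x82, 0x83}


def build_mbr(boot_code, partitions, disk_sig=b"\x12\x34\x56\x78"):
    """Assemble a 512-byte MBR from parts. Test data only; nothing is read from a real disk."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("bootstrap code too long")
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    sector[0x1B8:0x1BC] = disk_sig
    for i, (active, ptype, start, count) in enumerate(partitions[:4]):
        off = PART_TABLE_OFF + i * 16
        sector[off:off + 16] = struct.pack(ENTRY_FMT, 0x80 if active else 0x00,
                                           b"\xFF\xFF\xFF", ptype, b"\xFF\xFF\xFF", start, count)
    sector[0x1FE:0x200] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Hash the bootstrap region and decode the partition table of one 512-byte sector."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[0x1FE:0x200] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        flag, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "active": flag == 0x80, "type": ptype, "start": start,
                      "count": count, "size_mb": count * SECTOR // (1024 * 1024)})
    return {
        "boot_code_md5": hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),
        "sector_md5": hashlib.md5(sector).hexdigest(),
        "disk_signature": sector[0x1B8:0x1BC].hex(),
        "partitions": parts,
    }


def check_mbr(sector, known_good_boot_md5, disk_sectors):
    """Return a list of findings; an empty list means nothing looked off."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_md5"] not in known_good_boot_md5:
        findings.append("bootstrap code hash not in known-good set (overwritten loader: bootkit or non-standard boot manager)")
    if not any(p["active"] for p in info["partitions"]):
        findings.append("no active partition")
    for p in info["partitions"]:
        if p["type"] not in KNOWN_TYPES:
            findings.append(f"partition {p['index']}: unexpected type 0x{p['type']:02X}")
        if p["start"] + p["count"] > disk_sectors:
            findings.append(f"partition {p['index']}: extends past end of disk")
    return findings


# Constructed stand-in for a clean Windows XP bootstrap and a 256 GB disk; not real boot code.
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"CONSTRUCTED-XP-MBR-BOOTSTRAP" * 4
DISK_SECTORS = 500_118_192
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(True, 0x07, 63, 500_000_000)])
KNOWN_GOOD_BOOT_MD5 = {hashlib.md5(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()}

# Two tampered variants: one byte of bootstrap code flipped, and a hidden-NTFS (0x17) partition appended.
_t = bytearray(CLEAN_MBR)
_t[0x10] ^= 0xFF
TAMPERED_MBR = bytes(_t)
HIDDEN_MBR = build_mbr(CLEAN_BOOT_CODE, [(True, 0x07, 63, 400_000_000), (False, 0x17, 400_000_063, 100_000_000)])

if __name__ == "__main__":
    for name, mbr in [("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR), ("hidden", HIDDEN_MBR)]:
        info = parse_mbr(mbr)
        print(name, info["boot_code_md5"], check_mbr(mbr, KNOWN_GOOD_BOOT_MD5, DISK_SECTORS) or "OK")
```

On a live Windows system the sector comes from opening `\\.\PhysicalDrive0` with administrator rights and reading the first 512 bytes, which is the part this example deliberately leaves out. The caveat that matters for this thread: a kernel-mode rootkit that hooks disk I/O can hand a clean copy of that sector to a user-mode reader, so a hash match from inside the infected OS is weaker evidence than one taken from a boot disk or by a tool with its own low-level disk access.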
I was hoping we could skip ComboFix on this one, but it looks like we will need to use it:
windir\NtUpdateKBxxxx present!
Download and Install Combofix
Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow it to update if it asks
- Allow the installation of the recovery console
Rebooted to see if anything really changes right now. After the reboot, things were pretty much the same as always. Nothing faster, nothing slower. I did have to fix my start menu back to having the default items that I never use off of it, but that really isn’t anything big.
They do, though I have to update Adobe Acrobat (poo, I hate doing that).
So far it seems alright; the thing that makes me wonder a little is that if I have everything closed (as far as windows are concerned) MBAM still has “blocked incoming IP address”. I only started using MBAM two months ago, so I don’t know if this is supposed to be normal or not… or if it’s similar IP addresses trying to download host files that have to do with the rootkit… like they are trying to connect or search for obvious things that were erased.