XP 2011 (fake) Antivirus cleanup issues

A few days ago, I picked up this rogue antivirus app on a WinXP computer from Facebook of all places. I did a little searching here, and essexboy’s post led me to the malwarebytes removal instruction pages. I followed the instructions and it appears I’ve gotten rid of it successfully.

I have a lingering problem in that the program appears to have turned off windows automatic updates, and the windows update page doesn’t work either. Auto-updates worked fine a week ago. Now I worry there are other annoying bits left behind.

I’m looking for help putting the computer completely back to rights.

Thanks in advance,
Jim

Do you get some redirects as well?

As aswMBR is offline at the moment

Please read carefully and follow these steps.

- Download TDSSKiller and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

- If an infected file is detected, the default action will be Cure, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

- If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

- It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

THEN

Download OTS to your Desktop and double-click on it to run it

- Make sure you close all other programs and don’t use the PC while the scan runs.
- Select All Users
- Under additional scans select the following:
  - Reg - Disabled MS Config Items
  - Reg - Drivers32
  - Reg - NetSvcs
  - Reg - SafeBoot Minimal
  - Reg - Shell Spawning
  - Evnt - EventViewer Logs (Last 10 Errors)
  - File - Lop Check

- Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.

OTS is quite easy. I have not worked with it so far, but it’s really easy ;D
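The custom scan above hashes explorer.exe, winlogon.exe, Userinit.exe and svchost.exe (the /md5start … /md5stop block) so the helper can compare them with known-good copies and spot a renamed or patched binary. As an added example that is not part of this thread and not OTS code, the Python script below performs the same audit offline: it walks a directory tree, hashes every file carrying one of those four names, and flags copies that live outside the expected system directories or whose SHA-256 is not in a baseline. The baseline, the directory layout and the file contents in run_demo() are constructed stand-ins; they are not real Windows XP hashes or paths.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# The four binaries the OTS custom scan hashes between /md5start and /md5stop.
CRITICAL_BINARIES = ("explorer.exe", "winlogon.exe", "userinit.exe", "svchost.exe")


def file_digests(path, algorithms=("sha256",)):
    """Hash one file with every requested hashlib algorithm from a single read.
    OTS reports MD5; pass ("md5", "sha256") to get both."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def find_named_files(root, names=CRITICAL_BINARIES):
    """Yield every file under root whose name matches (case-insensitive),
    wherever it lives: a second svchost.exe in a Temp folder is a classic sign."""
    wanted = {n.lower() for n in names}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() in wanted:
                yield Path(dirpath) / fname


def audit_system_binaries(root, baseline, expected_dirs):
    """baseline: {name_lower: {sha256, ...}} of known-good builds.
    expected_dirs: directories (relative to root, posix style) where the genuine
    binary may legitimately live. Returns {relative_path: verdict}."""
    root = Path(root)
    expected = {d.lower() for d in expected_dirs}
    verdicts = {}
    for path in find_named_files(root):
        rel = path.relative_to(root)
        sha = file_digests(path)["sha256"]
        known = baseline.get(path.name.lower())
        if rel.parent.as_posix().lower() not in expected:
            verdict = "unexpected-location"   # system binary name in a user or temp dir
        elif known is None:
            verdict = "no-baseline"           # nothing to compare against
        elif sha in known:
            verdict = "known-good"
        else:
            verdict = "hash-mismatch"         # right place, wrong content
        verdicts[rel.as_posix()] = verdict
    return verdicts


def run_demo():
    """Constructed directory tree standing in for a Windows XP system drive."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good = b"MZ-constructed-known-good-build"        # placeholder, not a real PE
        layout = {
            "WINDOWS/explorer.exe": good,
            "WINDOWS/system32/svchost.exe": good,
            "WINDOWS/system32/winlogon.exe": b"MZ-constructed-modified-build",
            "WINDOWS/system32/userinit.exe": good,
            "Documents and Settings/user/Local Settings/Temp/svchost.exe": good,
        }
        for rel, content in layout.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        good_sha = hashlib.sha256(good).hexdigest()
        # Hypothetical baseline: a real one comes from a clean install of the same service pack.
        baseline = {"explorer.exe": {good_sha}, "svchost.exe": {good_sha}, "winlogon.exe": {good_sha}}
        expected = {"windows", "windows/system32", "windows/system32/dllcache"}
        return audit_system_binaries(root, baseline, expected)


if __name__ == "__main__":
    for rel, verdict in sorted(run_demo().items()):
        print(f"{verdict:20} {rel}")
```

On a real drive the expected-directory set should also include ServicePackFiles and any other location the vendor legitimately keeps copies in, otherwise the location check produces noise; the hash check is only as good as a baseline taken from the same Windows build and service pack.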

Thanks for jumping in, essexboy. I’m not experiencing any redirects.

I’m halfway through your instructions. I can’t hit the ots link you provided on either of my computers. Site might be down. Is there another download site? If I don’t hear from you, I’ll try to hit it again tomorrow.

TDSSKiller scan was clean. The report was too long to include in the message; please find it attached.

Thanks so much,
Jim

Ok, half an hour later, and the OTS download site was back. I’ve run it per your instructions. Please find the log attached.

Regards

Just a few waifs and strays by the look of it. What problems do you have?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> 
YN -> HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-571688815-2063811557-4274646049-1008\] > -> HKEY_USERS\S-1-5-21-571688815-2063811557-4274646049-1008\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-571688815-2063811557-4274646049-1008\] > -> HKEY_USERS\S-1-5-21-571688815-2063811557-4274646049-1008\Software\Microsoft\Internet Explorer\Extensions\
YN -> {E2D4D26B-0180-43a4-B05F-462D6D54C789}\\"ButtonText" [HKLM] -> [Reg Error: Key error.]
YN -> {E2D4D26B-0180-43a4-B05F-462D6D54C789}\\"Default Visible" [HKLM] -> [Reg Error: Key error.]
YN -> {E2D4D26B-0180-43a4-B05F-462D6D54C789}\\"HotIcon" [HKLM] -> [Reg Error: Key error.]
YN -> {E2D4D26B-0180-43a4-B05F-462D6D54C789}\\"Icon" [HKLM] -> [Reg Error: Key error.]
YN -> {E2D4D26B-0180-43a4-B05F-462D6D54C789}\\"MenuText" [HKLM] -> [Reg Error: Key error.]
YN -> {E2D4D26B-0180-43a4-B05F-462D6D54C789}\\"Script" [HKLM] -> [Reg Error: Key error.]
YN -> {E2D4D26B-0180-43a4-B05F-462D6D54C789}\\"ToolTip" [HKLM] -> [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY ->  TDSSKiller.exe -> C:\Documents and Settings\HP_Administrator\Desktop\TDSSKiller.exe
[Files/Folders - Modified Within 30 Days]
NY ->  l1mt4nci68jk2ni176 -> C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\l1mt4nci68jk2ni176
NY ->  l1mt4nci68jk2ni176 -> C:\Documents and Settings\All Users\Application Data\l1mt4nci68jk2ni176
[Files - No Company Name]
NY ->  l1mt4nci68jk2ni176 -> C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\l1mt4nci68jk2ni176
NY ->  l1mt4nci68jk2ni176 -> C:\Documents and Settings\All Users\Application Data\l1mt4nci68jk2ni176
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

The only problem I’ve experienced is the one with windows updates. Security Center tells me automatic updates are turned off. I can’t turn them back on from there. Automatic updates are selected under control panel/system/automatic updates, but are still turned off. The Windows Update site doesn’t work. I can see the main page, but anything I try to do results in an error (The website has encountered a problem and cannot display the page you are trying to view).

Auto updates worked just a few days ago when the last MS security fixes were rolled out. I didn’t experience Security Center warnings before the virus hit. In fact, the Security Center warning was my first indication I had a problem. Second was the XP 2011 Antivirus popup. Third was Avast! blocking a file from accessing the internet (I should probably be very glad it did that). The best hypothesis is that the rogue program blocked access to Windows updates.

I hope you can help. Here’s the report from the OTS fix:

All Processes Killed
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Search not found.
Registry value HKEY_USERS\S-1-5-21-571688815-2063811557-4274646049-1008\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-571688815-2063811557-4274646049-1008\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-571688815-2063811557-4274646049-1008\Software\Microsoft\Internet Explorer\Extensions{E2D4D26B-0180-43a4-B05F-462D6D54C789}\ButtonText deleted successfully.
Registry value HKEY_USERS\S-1-5-21-571688815-2063811557-4274646049-1008\Software\Microsoft\Internet Explorer\Extensions{E2D4D26B-0180-43a4-B05F-462D6D54C789}\Default Visible deleted successfully.
Registry value HKEY_USERS\S-1-5-21-571688815-2063811557-4274646049-1008\Software\Microsoft\Internet Explorer\Extensions{E2D4D26B-0180-43a4-B05F-462D6D54C789}\HotIcon deleted successfully.
Registry value HKEY_USERS\S-1-5-21-571688815-2063811557-4274646049-1008\Software\Microsoft\Internet Explorer\Extensions{E2D4D26B-0180-43a4-B05F-462D6D54C789}\Icon deleted successfully.
Registry value HKEY_USERS\S-1-5-21-571688815-2063811557-4274646049-1008\Software\Microsoft\Internet Explorer\Extensions{E2D4D26B-0180-43a4-B05F-462D6D54C789}\MenuText deleted successfully.
Registry value HKEY_USERS\S-1-5-21-571688815-2063811557-4274646049-1008\Software\Microsoft\Internet Explorer\Extensions{E2D4D26B-0180-43a4-B05F-462D6D54C789}\Script deleted successfully.
Registry value HKEY_USERS\S-1-5-21-571688815-2063811557-4274646049-1008\Software\Microsoft\Internet Explorer\Extensions{E2D4D26B-0180-43a4-B05F-462D6D54C789}\ToolTip deleted successfully.
[Files/Folders - Created Within 30 Days]
C:\Documents and Settings\HP_Administrator\Desktop\TDSSKiller.exe moved successfully.
[Files/Folders - Modified Within 30 Days]
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\l1mt4nci68jk2ni176 moved successfully.
C:\Documents and Settings\All Users\Application Data\l1mt4nci68jk2ni176 moved successfully.
[Files - No Company Name]
File C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\l1mt4nci68jk2ni176 not found!
File C:\Documents and Settings\All Users\Application Data\l1mt4nci68jk2ni176 not found!
[Empty Temp Folders]

User: Administrator
->Temp folder emptied: 18090 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: All Users

User: Default User
->Temp folder emptied: 18090 bytes
->Temporary Internet Files folder emptied: 32768 bytes
->Flash cache emptied: 56502 bytes

User: HP_Administrator
->Temp folder emptied: 84391294 bytes
->Temporary Internet Files folder emptied: 92577905 bytes
->Java cache emptied: 155040 bytes
->FireFox cache emptied: 276557567 bytes
->Flash cache emptied: 59622 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 89393 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 119962 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 18090 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 756503120 bytes

Total Files Cleaned = 1,155.00 mb

[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: HP_Administrator
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTS Restore Point (0)
< End of fix log >
OTS by OldTimer - Version 3.1.42.0 fix logfile created on 05192011_135444

Files\Folders moved on Reboot…
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\IadHide5.dll moved successfully.

Registry entries deleted on Reboot…
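The fix log above is what the helper reads to confirm that each requested action actually happened. As an added example, not part of the thread and not OTS code, the Python below parses that log format into a summary: which registry entries were deleted and which were already gone, which files were moved (including those deferred to reboot), which “not found” lines merely refer to an item that the same run had already moved under an earlier section, and how many bytes were freed per user. SAMPLE_LOG is an abridged copy of the log Jim posted; the line patterns are inferred from it and are an assumption about OTS output, so a line they do not match is simply ignored.

```python
import re
from collections import Counter

# Abridged copy of the OTS fix log posted in the thread (raw string: the paths contain backslashes).
SAMPLE_LOG = r"""All Processes Killed
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Search not found.
Registry value HKEY_USERS\S-1-5-21-571688815-2063811557-4274646049-1008\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
[Files/Folders - Created Within 30 Days]
C:\Documents and Settings\HP_Administrator\Desktop\TDSSKiller.exe moved successfully.
[Files/Folders - Modified Within 30 Days]
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\l1mt4nci68jk2ni176 moved successfully.
[Files - No Company Name]
File C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\l1mt4nci68jk2ni176 not found!
[Empty Temp Folders]

User: HP_Administrator
->Temp folder emptied: 84391294 bytes
->Temporary Internet Files folder emptied: 92577905 bytes

User: LocalService
->Temp folder emptied: 65984 bytes

Windows Temp folder emptied: 119962 bytes
RecycleBin emptied: 756503120 bytes

Total Files Cleaned = 1,155.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.42.0 fix logfile created on 05192011_135444

Files\Folders moved on Reboot…
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\IadHide5.dll moved successfully.
"""

# Line shapes inferred from the posted log (assumption: not an official OTS grammar).
RE_REG_DELETED = re.compile(r"^Registry (?:key|value) (.+) deleted successfully\.$")
RE_REG_MISSING = re.compile(r"^Registry (?:key|value) (.+) not found\.$")
RE_FILE_MISSING = re.compile(r"^File (.+) not found!$")
RE_MOVED = re.compile(r"^(.+) moved successfully\.$")
RE_USER = re.compile(r"^User: (.+)$")
RE_BYTES = re.compile(r"^(?:->)?(.+?) (?:emptied|removed): (\d+) bytes$")
RE_TOTAL = re.compile(r"^Total Files Cleaned = ([\d,.]+) mb$")


def summarize(log_text):
    """Turn an OTS fix log into a dict of lists/counters for quick review."""
    s = {
        "registry_deleted": [], "registry_missing": [],
        "moved": [], "moved_on_reboot": [], "files_missing": [],
        "already_moved": [],
        "bytes_freed_by_user": Counter(), "total_mb": None,
    }
    user = None               # current "User:" block for per-user byte counts
    pending_reboot = False    # set once the "moved on Reboot" section starts
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "on Reboot" in line:
            pending_reboot = True
            continue
        if m := RE_USER.match(line):
            user = m.group(1)
            continue
        if m := RE_BYTES.match(line):
            # "->" lines belong to the current user; bare lines are system-wide folders.
            owner = user if line.startswith("->") else "<system>"
            s["bytes_freed_by_user"][owner] += int(m.group(2))
            continue
        if m := RE_TOTAL.match(line):
            s["total_mb"] = float(m.group(1).replace(",", ""))
            continue
        if m := RE_REG_DELETED.match(line):
            s["registry_deleted"].append(m.group(1))
            continue
        if m := RE_REG_MISSING.match(line):
            s["registry_missing"].append(m.group(1))
            continue
        if m := RE_FILE_MISSING.match(line):
            s["files_missing"].append(m.group(1))
            continue
        if m := RE_MOVED.match(line):
            s["moved_on_reboot" if pending_reboot else "moved"].append(m.group(1))
            continue
    # A "not found!" for a path moved earlier in the same run is expected, not a failure.
    moved = set(s["moved"])
    s["already_moved"] = [p for p in s["files_missing"] if p in moved]
    return s


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for key in ("registry_deleted", "registry_missing", "moved", "moved_on_reboot"):
        print(f"{key}: {len(result[key])}")
    print("not found but already moved:", len(result["already_moved"]))
    print("bytes freed:", dict(result["bytes_freed_by_user"]), "total mb:", result["total_mb"])
```

The point of the cross-check is the two “not found!” lines under [Files - No Company Name]: the same l1mt4nci68jk2ni176 paths had already been moved under the previous section, so they are not a sign that the fix failed. Anything left in files_missing that is not in already_moved is what deserves a second look.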

OK windows update repair

Go to this page
Run the Fix it there (big button about one third of the way down). If the normal run does not cure it, then re-run it and use the aggressive mode.

What other problems are you having?

Thanks, essexboy. The “fix it” fixed it. As I said in the previous post, the Windows Update problems were the only lingering problems I have encountered. I was originally concerned there might be other hidden bad actors, but if you can’t find 'em, I’m satisfied all is well.

Thanks much for the help! Cheers.

Jim

Glad to hear that. If you have no further problems, let me know tomorrow and I will remove my tools.

Remove your tools? You left tools in my computer? Forceps, scalpel, that sort of thing? :)

But yes, no more problems. All is well. Many thanks, again.

Regards,
Jim

Run OTS and hit the cleanup button; this will remove my forceps, scalpels etc… ;D