I have Avast on all my home computers which are networked wirelessly. One of them was recently infected with the “XP internet security” virus-worm that is apparently out there. Avast did not catch it. I found instructions on the internet for removing it via Rkill and Malwarebytes, which so far has worked.
My question is whether Avast was savvy to this worm, or whether it was a new one that Avast wasn’t ready for? And will future updates using the free version of Avast now protect my computers?
To remove this completely it is best to combine MBAM and SAS.
MBAM: Trojans will block the downloading and installation of MBAM. If this happens, download it from a known clean computer, update it, and rename the executable file before running it on the infected computer.
So do a separate scan with another security program so that other infected files not detected by the anti-virus application can be removed as well. Download and run the SuperAntiSpyware Portable Scanner. Download and instructions can be found here: http://www.superantispyware.com/portablescanner.html
Manual removal instructions to check on afterwards:
POLONUS: you said to run MBAM then SAS… you gave the link for SAS, but what about MBAM, how do I download it? And, I may be dense, but… if I download and update the MBAM program on a clean computer, how do I then get it onto my infected PC? Last time I tried I couldn’t move programs, only files. Thanks for your patience!
To avoid multiple posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach ( OTS log / Malwarebytes log )
Hi yes, the essexboy cleansing routine could be a good idea,
I thought to combine MBAM renamed and SAS portable from a USB stick…
but await essexboy’s instructions for this apparently new variant.
Because:
Higher detection: not always possible…
Infection rate above 1000 websites in 24 hours
15000 detected (may be far more)
Websites affected: Number as yet unknown to us
Computers affected: 30 million Windows PCs (according to PandaSecurity)
Number of variants:
7,000 variants of the type of malware over the last half year alone
So good we have people like essexboy, oldman, etc.
Thanks for all your help, I think the MBAM and SAS did the trick, but am doing Essex’s methods as well just in case. One thing I’ve noticed is that I keep getting these notices popping up from Avast! (supposedly) saying a trojan or malware was blocked… and it gives a link; if I click on the link it mentions buying a new version of Avast. Is this legit, or another trick of the malware? The notices look just like real Avast! notices. ???
I’ve been trying to help a lady with XP Total Security, over the phone. Tried all the obvious things like her Avast 5 scan, boot scan, Spybot updated, and finally fooled the XP Total Security virus into thinking it was paid for, which is fraud, as after entering the legit license key it stops harassing but makes net access and all other drivers and file use impossible.
Is there a file to repair WinXP after neutralizing XP Total Security? Then install Malwarebytes.
Thanks Polonus, but after doing everything it said on those two links, my MBAM came up with NO infections. Ugh! I know they’re there. This is really crazy.
Your .exe files were hijacked, so once this OTS fix has run you should be able to get Malwarebytes up and running.
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> [AVG Safe Search]
< Internet Explorer ToolBars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-65476939-965908490-3720152516-500\] > -> HKEY_USERS\S-1-5-21-65476939-965908490-3720152516-500\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{A057A204-BACC-4D26-9990-79A187E2698E}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{EEE6C35B-6118-11DC-9C72-001320C79847}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-65476939-965908490-3720152516-500\] > -> HKEY_USERS\S-1-5-21-65476939-965908490-3720152516-500\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab [Reg Error: Key error.]
YN -> {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab [Reg Error: Key error.]
YN -> {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab [Reg Error: Key error.]
YN -> {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab [Reg Error: Key error.]
YN -> {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab [Reg Error: Key error.]
YN -> {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab [Reg Error: Key error.]
YN -> {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab [Reg Error: Key error.]
YN -> {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab [Reg Error: Key error.]
YN -> {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} [HKLM] -> http://download.abacast.com/download/files/abasetup161.cab [Reg Error: Key error.]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Program Files\Grisoft\AVG Free\avgamsvr.exe" -> [C:\Program Files\Grisoft\AVG Free\avgamsvr.exe:*:Enabled:avgamsvr.exe]
YN -> "C:\Program Files\Grisoft\AVG Free\avgcc.exe" -> [C:\Program Files\Grisoft\AVG Free\avgcc.exe:*:Enabled:avgcc.exe]
YN -> "C:\Program Files\Grisoft\AVG Free\avginet.exe" -> [C:\Program Files\Grisoft\AVG Free\avginet.exe:*:Enabled:avginet.exe]
YN -> "C:\WINDOWS\system32\svchon32.exe" -> [C:\WINDOWS\system32\svchon32.exe:*:Enabled:Unspecified]
< File Associations - Select to Repair > -> HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>\
YN -> .exe [@ = exefile] -> "C:\Documents and Settings\NetworkService\Local Settings\Application Data\tsu.exe" -a "%1" %*
YN -> .exe [@ = exefile] -> "C:\Documents and Settings\NetworkService\Local Settings\Application Data\tsu.exe" -a "%1" %*
[Files/Folders - Modified Within 30 Days]
NY -> 2ai31mxo783730 -> C:\Documents and Settings\All Users\Application Data\2ai31mxo783730
NY -> 2ai31mxo783730 -> C:\Documents and Settings\Administrator\Local Settings\Application Data\2ai31mxo783730
NY -> giterdone.exe -> C:\Documents and Settings\Administrator\Desktop\giterdone.exe
NY -> 1298448245 -> C:\Documents and Settings\Administrator\Local Settings\Application Data\1298448245
NY -> 1487563032 -> C:\Documents and Settings\Administrator\Local Settings\Application Data\1487563032
NY -> 1298448245 -> C:\Documents and Settings\All Users\Application Data\1298448245
NY -> 1487563032 -> C:\Documents and Settings\All Users\Application Data\1487563032
[Files - No Company Name]
NY -> 1298448245 -> C:\Documents and Settings\Administrator\Local Settings\Application Data\1298448245
NY -> 1487563032 -> C:\Documents and Settings\Administrator\Local Settings\Application Data\1487563032
NY -> 1298448245 -> C:\Documents and Settings\All Users\Application Data\1298448245
NY -> 1487563032 -> C:\Documents and Settings\All Users\Application Data\1487563032
NY -> 2ai31mxo783730 -> C:\Documents and Settings\Administrator\Local Settings\Application Data\2ai31mxo783730
NY -> 2ai31mxo783730 -> C:\Documents and Settings\All Users\Application Data\2ai31mxo783730
NY -> 2ai31mxo783730 -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\2ai31mxo783730
NY -> wwwbatch.ini -> C:\WINDOWS\wwwbatch.ini
[Custom Items]
:Files
ipconfig /flushdns /c
C:\Documents and Settings\NetworkService\Local Settings\Application Data\tsu.ex
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
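The OTS fix above repairs two things the rogue changed: the .exe file association (every program launch was being routed through tsu.exe with the real program as its argument) and a firewall exception for an unknown system32 binary. The following PowerShell script is an added, read-only audit for exactly those two spots; it is not part of the thread, not an OTS or Malwarebytes component, and the expected command template `"%1" %*` is simply the Windows default for exefile. It only reports, so it is safe to run before and after a cleanup to confirm the association is back to normal.

```powershell
# Added example (not from the thread): audit the .exe association and the XP
# firewall "authorized applications" list for the hijack pattern in the OTS log.
# Read-only. Assumes Windows PowerShell 2.0 or later; run as an administrator.

# Windows default launch command for the exefile ProgID (any other value is suspect)
$expectedExeCommand = '"%1" %*'

function Test-ExeAssociation {
    # $ClassesRoot is a registry provider path to a Classes hive, e.g.
    # Registry::HKEY_CLASSES_ROOT or Registry::HKEY_USERS\<SID>\Software\Classes
    param([string]$ClassesRoot)
    $findings = @()

    # 1. The launch command: a hijack points this at its own binary and passes
    #    the real program as an argument, e.g. "...\tsu.exe" -a "%1" %*
    $cmdKey = "$ClassesRoot\exefile\shell\open\command"
    if (Test-Path $cmdKey) {
        $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
        if ($cmd -ne $expectedExeCommand) {
            $findings += "exefile launch command changed under $ClassesRoot -> $cmd"
        }
    }

    # 2. The extension mapping: .exe should resolve to the exefile ProgID.
    #    Per-user hives normally have no .exe key at all; one that exists and
    #    points elsewhere is the other common way to redirect program launches.
    $extKey = "$ClassesRoot\.exe"
    if (Test-Path $extKey) {
        $progId = (Get-ItemProperty -Path $extKey).'(default)'
        if ($progId -and $progId -ne 'exefile') {
            $findings += ".exe ProgID changed under $ClassesRoot -> $progId"
        }
    }
    return $findings
}

function Get-SuspiciousFirewallEntries {
    # XP-era firewall exception list (the same key OTS reports in the log)
    $key = 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess' +
           '\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    if (-not (Test-Path $key)) { return @() }

    $findings = @()
    $entries = Get-ItemProperty -Path $key
    foreach ($prop in $entries.PSObject.Properties) {
        # value names are the executable paths; skip the PS* bookkeeping members
        if ($prop.Name -notlike '*.exe') { continue }
        $path  = $prop.Name
        $value = [string]$prop.Value
        $flags = @()

        # Legitimate installers give the exception a name; "Unspecified" means
        # something added itself without one.
        if ($value -match ':Enabled:Unspecified$') { $flags += 'no description' }

        if (-not (Test-Path $path)) {
            $flags += 'file no longer exists'
        } elseif ($path -match '\\system32\\') {
            # Anything in system32 with a firewall hole should be signed by Microsoft
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $flags += 'unsigned binary in system32' }
        }

        if ($flags.Count -gt 0) {
            $findings += "$path -> $($flags -join ', ')"
        }
    }
    return $findings
}

# Check the machine-wide hive plus every loaded user hive (including .DEFAULT and
# the service SIDs that appeared in the OTS log above).
$roots = @('Registry::HKEY_CLASSES_ROOT')
Get-ChildItem -Path 'Registry::HKEY_USERS' | ForEach-Object {
    $roots += "Registry::$($_.Name)\Software\Classes"
}

$report = @()
foreach ($root in $roots) { $report += Test-ExeAssociation -ClassesRoot $root }
$report += Get-SuspiciousFirewallEntries

if ($report.Count -eq 0) {
    Write-Output 'No .exe association or firewall exception anomalies found.'
} else {
    $report | ForEach-Object { Write-Output "SUSPECT: $_" }
}
```

On a machine in the state shown in the log, the script reports the tsu.exe launch command under the hives where the rogue wrote it and flags the svchon32.exe exception as unsigned and undescribed; after the OTS fix it should print the clean message. It does not delete anything, so it is also a reasonable first check on the other networked PCs before assuming they are unaffected.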