• Win XP Home hit with virus

    #480062

    My sister-in-law, I’ll call her Deb, called and asked me to take a look at her PC; it was “acting funny” and she could not get IE or Outlook to work. When I got there I discovered that this had been going on for over a week.
    She could not stop this software from scanning and finding viruses; “Privacy Protection” was running her computer. I went to Malwarebytes to see how to handle it. Well, I thought it would be easy to follow their instructions, but evidently “PP” has been updated and Malwarebytes has not. As soon as MB starts up, even after renaming it to “Explorer”, it gets shut down and blocked from being accessed again until it is uninstalled and reinstalled to a different location.
    I do not have a Windows XP Home install CD to attempt a “Repair”, I am actively looking for one but not with much confidence that it will help.
    This one is beating me and I don’t like it.
    I have made a boot CD with AVG and scanned the HDD, removing most of the virus, but there remains a ‘Trojan’ somewhere that keeps adding a service that I cannot stop or prevent. Its name is something like 234987.459265.exe, and it changes on each boot. I see it in Task Manager but cannot stop it or prevent it from starting.

    I have tried “autoruns”, “ccleaner”, “spybot s&d” and two different utilities for “killing” processes. It always seems to be one step ahead of me.

    Any ideas are welcome.

    • #1306853

      ??Have you tried deleting it in safe mode??

      Zig

    • #1306861

      I would second Zig’s advice – boot in safe mode, usually these apps do not start in safe mode.
      If safe mode doesn’t solve it, try a boot disk from one of the AV manufacturers:

      http://windowssecrets.com/windows-secrets/bootable-rescue-cds-can-fix-your-damaged-windows/

    • #1306865

      I would make an attempt to kill the processes from within safe mode as well. Kill any and all processes that look amiss.
      Use Process Explorer as well as Task Manager to identify them and their root locations, and kill the processes.
      You also need to go into the services section (services.msc) to identify anything amiss.
      To delete a service use: “sc delete servicename” from an elevated command prompt.

      Malwarebytes Anti-Malware Portable

      Making Malwarebytes’ Anti-Malware portable is more difficult, as it does NOT run from a USB stick by just copying the application directory! Two system files (mbam.sys & mbamswissarmy.sys), two registered libraries (mbamext.dll & ssubtmr6.dll) and one registered ActiveX control (vbalsgrid6.ocx) are mandatory!

      Malwarebytes Anti-Malware execution behavior:
      Three objects have to be registered: mbamext.dll, ssubtmr6.dll and vbalsgrid6.ocx
      To do so, use the command regsvr32.exe "path\file" (use switch "/s" for ‘silent’)
      (The files are located in the application directory)
      Two system files have to exist:
      C:\WINDOWS\system32\drivers\mbam.sys
      C:\WINDOWS\system32\drivers\mbamswissarmy.sys
      (These files are copied there during install and you have to take them with you)
      Necessary directories are created automatically:
      %ALLUSERSPROFILE%\Application Data\Malwarebytes
      %ALLUSERSPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
      %USERPROFILE%\Application Data\Malwarebytes
      %USERPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
      %USERPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
      %USERPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine
      Necessary files (definitions) are created upon update:
      %ALLUSERSPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\ignore.dat
      %ALLUSERSPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\news.txt
      %ALLUSERSPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
      (Further files like logs are created during operation)
      Settings are saved in the registry (HKCU\Software\Malwarebytes' Anti-Malware)
      Making Malwarebytes Anti-Malware portable:
      Install
      Copy the application directory to any location you like
      Copy mbam.sys & mbamswissarmy.sys from "C:\WINDOWS\system32\drivers" anywhere you like, to take them with you (e.g. the copied application directory)
      Uninstall
      Remove the uninstall files (unins000.dat, .exe & .msg) from the copied application directory if you like
      Take the application directory anywhere you like
      On the host machine copy mbam.sys & mbamswissarmy.sys to "C:\WINDOWS\system32\drivers"
      On the host machine run:
      regsvr32.exe "DRIVE:\PATH\mbamext.dll"
      regsvr32.exe "DRIVE:\PATH\ssubtmr6.dll"
      regsvr32.exe "DRIVE:\PATH\vbalsgrid6.ocx"
      (You will be notified about registration success (or errors); use switch "/s" for silent registration.)
      (You need admin rights for registration to succeed. Do this from an admin account or with elevated rights)
      Run "mbam.exe" from the application directory (not mbamgui.exe)
      Batch to automate the necessary preparation on the host machine:
      (Assuming that all mentioned files, including the batch, are located in the same directory)
      Code:

      COPY "%CD%\mbam.sys" "C:\WINDOWS\system32\drivers\mbam.sys"
      COPY "%CD%\mbamswissarmy.sys" "C:\WINDOWS\system32\drivers\mbamswissarmy.sys"
      regsvr32.exe "%CD%\vbalsgrid6.ocx"
      regsvr32.exe "%CD%\ssubtmr6.dll"
      regsvr32.exe "%CD%\mbamext.dll"
      (Remember: administrative rights needed. Use switch "/s" for silent registration)

      Traces left on host system and how to clean up:
      Malwarebytes’ definition files, logs etc. are quite small (below 2 MB), which is small enough, but the system files and settings in the registry should be removed anyway and the registered objects should be unregistered in any case!
      This leaves us for complete clean-up with:
      DELETE: "%ALLUSERSPROFILE%\Application Data\Malwarebytes"
      DELETE: "%USERPROFILE%\Application Data\Malwarebytes"
      DELETE: "C:\WINDOWS\system32\drivers\mbam.sys"
      DELETE: "C:\WINDOWS\system32\drivers\mbamswissarmy.sys"
      DELETE: HKCU\Software\Malwarebytes' Anti-Malware
      UNREGISTER: regsvr32.exe /u "DRIVE:\PATH\vbalsgrid6.ocx"
      UNREGISTER: regsvr32.exe /u "DRIVE:\PATH\ssubtmr6.dll"
      UNREGISTER: regsvr32.exe /u "DRIVE:\PATH\mbamext.dll"
      Batch to automate clean-up:
      (Assuming that the batch is located in the same directory as the registered objects. WinXP cmd only! Use DELTREE in DOS instead of RMDIR.)
      Code:

      RMDIR /S /Q "%ALLUSERSPROFILE%\Application Data\Malwarebytes"
      RMDIR /S /Q "%USERPROFILE%\Application Data\Malwarebytes"
      DEL "C:\WINDOWS\system32\drivers\mbam.sys"
      DEL "C:\WINDOWS\system32\drivers\mbamswissarmy.sys"
      REM The key name contains a space, so it must be quoted
      REG DELETE "HKCU\Software\Malwarebytes' Anti-Malware" /f
      regsvr32.exe /u "%CD%\vbalsgrid6.ocx"
      regsvr32.exe /u "%CD%\ssubtmr6.dll"
      regsvr32.exe /u "%CD%\mbamext.dll"
      (Remember: administrative rights needed. Use switch "/s" for silent unregistration)

      The above may be attempted, although it looks like a complicated process.

      Consider a clean install if system is completely hosed.

    • #1306866

      A repair install will probably not clear the virus. If the safe mode options do not work, a clean install may be in order. Discuss with your sister-in-law about not clicking on these pop ups. Instead, use the Task Manager to close these uninvited pop ups. Quite often the X in the corner has been reprogrammed to activate the nasty.

    • #1308429

      Thank you all VERY much for the help in removing this thing.
      The majority of the virus/malware is gone or cannot be identified.
      However, there is a NASTY after-taste in that this PC cannot access the internet, and what good is a modern PC with that problem?

      I learned that the original “Privacy Protection” virus had been running for over a week before I was involved. I was asked to help when the Internet could no longer be used. Now it has become a challenge that I don’t want to lose.

      Anyway. This thing was even in partial control during Safe Mode. What I ended up doing is to make a boot CD with AVG freeware scanning SW. This found a couple dozen Trojans and Worms of which one of the trojans was in nlsbl.dll (IIRC) which is used in networking. I deleted it and eventually replaced it from a clean location.
      The original system still had a problem, however, as Task Manager still showed a “234xxxxxx.347xxxxxx.exe” that was VERY persistent. Then I used a boot CD from Kaspersky and scanned, and found two more trojans. After that I could properly boot the original back to WinXP Home without the “persistent file” in Task Manager. From here Microsoft Security Essentials was re-installed and manually updated. On the first quick scan with MSE it killed 2 more trojans; finally a full scan came up clean. Then XP Service Pack 3 was re-installed to replace the deleted file(s) and clean it up a little more (I hoped).
      Now on to getting the internet back:
      The boot CD has Firefox on it and that works fine in Linux so I KNOW the problem is software related.

      Some of what has been done in an effort to get to the internet from this thing:

      I have reset Winsock, flushed DNS, IP and TCP. Updated the NIC driver.
      The HOSTS file is at original and fine.
      It is plugged into the same router as my desktop and I can ping between them.
      Re-installed IE8 and reset everything to defaults.
      Turned off the firewall.
      Plus many things that I can’t recall right now; anyway, here are the symptoms, hopefully someone will give me the silver bullet.

      I noticed that after updating the NIC driver Windows Update said that it was downloading (GREAT, it is fixed). NOT! After a few seconds it was gone again.
      I did get an Error that wanted to report back to Master MS, I said go for it. This came back.
      So, how did that get through?
      Each time the Network is reset the Update Icon shows for about 15-20 seconds.
      Something is turning it back off.
      Here are a couple more screen shots that may bring an idea to someone with more knowledge than I.

      This & open ports report above is from SIW free version.

      Thanks for looking, Deb & I will be very happy when this is done. 🙂

    • #1308443

      Does it make sense to consider an XP repair install: http://michaelstevenstech.com/XPrepairinstall.htm ?

    • #1308457

      If Rui’s suggestion doesn’t work, a full clean install is seriously recommended.

      You’ve spent 14 days or so trying to remove malware when a clean install would have taken a couple of hours.

      Sometimes you just need to bite the bullet and take it from there.

      • #1308478

        If Rui’s suggestion doesn’t work, a full clean install is seriously recommended.

        You’ve spent 14 days or so trying to remove malware when a clean install would have taken a couple of hours.

        Sometimes you just need to bite the bullet and take it from there.

        Very true, that would be the easy way out, just not there yet. BTW I have less than 4 hours total working on this so far.
        I do lots of other things too. 🙂
        And as stated this has become a bit of a challenge, man vs. bit, geek vs. hacker. 🙂

        • #1308604

          Very true, that would be the easy way out, just not there yet. BTW I have less than 4 hours total working on this so far.
          I do lots of other things too. 🙂
          And as stated this has become a bit of a challenge, man vs. bit, geek vs. hacker. 🙂

          LOL, I do understand the challenge and I will battle like heck to remove the intruder!

          I’ve not seen anybody mention TDSS Killer yet, maybe worth a try?

    • #1308596

      Verify that the virus did not set up a proxy server. Go to Control Panel > Internet Options > Connections tab > LAN Settings button and verify “use a proxy server…” is not checked. Also verify that there is nothing in your Hosts file. You can find it at c:\windows\system32\drivers\etc. Open it with Notepad. You should only see a local hosts entry.

      Jerry
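      A read-only diagnostic batch file, added here as an example (it is not from Jerry or anyone else in this thread), that prints what Jerry says to verify, the proxy setting and the HOSTS file, plus the DNS servers, the Winsock catalog and the services check suggested in #1306865. It assumes Windows XP cmd.exe with reg.exe, netsh, ipconfig and findstr, and the standard Internet Settings value names.

```batch
@echo off
REM Added diagnostic, not posted by anyone in this thread. It is read-only: it
REM prints the settings the replies say to inspect and changes nothing.
REM Assumes Windows XP cmd.exe with reg.exe, netsh, ipconfig and findstr
REM available, run from an Administrator account (needed for HKLM and netsh).
setlocal
set "INETKEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
set "HOSTS=%SystemRoot%\system32\drivers\etc\hosts"

echo === 1. IE proxy settings (clean: ProxyEnable 0x0, no ProxyServer/AutoConfigURL) ===
REM findstr keeps only the value line, so a value that does not exist prints
REM nothing; that is the expected result for ProxyServer and AutoConfigURL on
REM a box that never used a proxy.
for %%V in (ProxyEnable ProxyServer AutoConfigURL) do (
    reg query "%INETKEY%" /v %%V 2>nul | findstr /i "%%V"
)

echo.
echo === 2. HOSTS entries other than "127.0.0.1 localhost" ===
attrib "%HOSTS%"
set FLAGGED=0
REM eol=# skips comment lines; tokens are split on spaces and tabs.
for /f "usebackq eol=# tokens=1,2" %%A in ("%HOSTS%") do (
    if /i not "%%A %%B"=="127.0.0.1 localhost" (
        echo   unexpected: %%A %%B
        set /a FLAGGED+=1
    )
)
echo   %FLAGGED% unexpected HOSTS line(s); a stock XP HOSTS file gives 0.

echo.
echo === 3. DNS servers (static NameServer value, then what ipconfig reports) ===
reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v NameServer 2>nul | findstr /i "NameServer"
ipconfig /all | findstr /i /c:"DNS Servers"

echo.
echo === 4. Winsock catalog (every LSP should come from a vendor you recognise) ===
netsh winsock show catalog | findstr /i /c:"Description" /c:"Provider Path"

echo.
echo === 5. Service/driver ImagePath values outside system32 or Program Files ===
REM The OP's rogue service was re-created on every boot under a random numeric
REM name; its binary path, not its name, is the stable thing to look for.
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ImagePath 2>nul | findstr /i /c:"ImagePath" | findstr /i /v /c:"system32" /c:"Program Files"
endlocal
```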

    • #1308606

      TDSS Killer is definitely worth trying, as are SuperAntiSpyware and Microsoft Standalone System Sweeper.

      Jerry

      • #1308740

        My solution to relatives that just can’t stop clicking on bad stuff is to install the appropriate flavor of Linux on their machines. All they want to do is surf the web, send email and type letters, without getting tons of viruses, defragging, crashing, and slowing down. Show them how to run their “new” windows, and you won’t hear from them again until you get a Christmas card. Well, you might get email forwards, but that’s better than frantic calls to fix their machines.

        Until said relatives try to install any software from the High Street… Don’t get me wrong, Linux is great; but in the hands of inexperienced users, I have found it even more of a challenge to support than Windows.

        TDSS Killer is definitely worth trying, as are SuperAntiSpyware and Microsoft Standalone System Sweeper.

        It does sound like a rootkit, and TDSS Killer is a good place to start. Use it in Safe Mode, without networking, wireless turned off or ethernet unplugged. Also look at Sophos AntiRootKit too.

        Before all else though, run a System Restore (in safe mode without networking) to a time before the infection – remember to reboot into safe mode to complete the system restore. Then use the tools to clean up the left overs. Only connect to the internet when you are reasonably happy the beast is under control.

    • #1308800

      A technician will never go through all that gobbledegook to clean up a HD.
      They (I) would just take out the hard drive and connect it as a slave to a fully protected computer, with a good ‘package’ of anti-malware software installed. With the drive connected as a slave, nothing on that drive can run, so any file(s) can be scanned, cleaned and deleted if necessary. chkdsk /r /f can also be run on the drive to eliminate any HD errors.

      If the drive does not behave when put back in its own case, it can be reconnected to the ‘repair’ computer and all the data files can be saved to DVDs for permanent safe keeping. Then the drive can be wiped and reformatted, prior to putting it back in its own case and reinstalling the OS.

      I think in the past ten years, I’ve only reinstalled an OS about three times, out of the hundreds of PCs I’ve worked on, where the OS was so damaged by viruses that it could not be fixed. During the reformat process, so many little things get deleted that the computer will never be the same again.
      For that very reason, I backup my entire C: drive at least once a week, with Ghost 11.5, run from a DOS boot disk.
      There is NO replacement for a nice clean Backup, in the can, so to speak, when disaster strikes.

      😎

      PS: A properly protected PC will never get infected in the first place. In the past ten years, not ONE of my customers has ever gotten infected with a virus. I provide everyone with a Great Package of Anti-Malware software (all FREE).
      “The best anti-malware software in the world is 100% FREE”

      • #1308811

        As always Dr., you provide sound advice, but you must have been very lucky not to encounter a boot sector virus, rootkit or a DNS hijack/proxy server attack, let alone a worm. Unfortunately, in those cases the slave drive method is not as effective as it could be.

        If a malware attack changes a DNS setting or re-directs internet traffic to a proxy, one can scan for and remove the original infection from the slave but the re-direction settings will still be present.

        Perhaps these types of infection are more prevalent in the UK than US? In one case, it puzzled me why the infection had taken hold so deeply, so I dropped in a few probing questions to the owner, only to get this reply:

        “yes there were messages about viruses or something. I’ve seen a lot of them recently but thought it must have been a glitch because I’ve got antivirus.”

        To say I was speechless is an understatement.


        @RussB: you should also consider a System Restore from safe mode. It does sound like a TDSS rootkit and often (but not always) they are non-functional from safe mode as long as you don’t enable networking. Remember to reboot into safe mode to complete the System Restore.

      • #1308813

        so what is that great package ??
        no link to it
        no url
        no name
        no nothing

        stop teasing
        and let us know what package works so well

        • #1308896

          so what is that great package ??
          no link to it
          no url
          no name
          no nothing

          stop teasing
          and let us know what package works so well

          Well, Dr. Who wants you to be a sleuth 🙂
          I’ll tell you the secret, haha:
          Click on his name > Visit his website > Look for this: “Security URL List – My preferred list of Computer Security programs.”

          However, prevention is much better than a cure.
          For starters use a sandboxed browser with the help of Sandboxie http://www.sandboxie.com/
          or BufferZone http://www.trustware.com/
          Properly adjusted and set up, it will go a long way in preventing trash from reaching your system.
          Pete.

      • #1309045

        Try Combofix. It has bailed me out many times with the nasties.
        Download the latest official version of ComboFix (2.8 MB) and save it to your desktop:
        http://www.combofix.org/
        Also http://www.technibble.com/ has some really good free tools to combat viruses. Check it out.
        http://www.technibble.com/computer-repair-tools/
        Copy them to a USB drive or CD. They will come in handy.

    • #1308932

      I get house calls for this virus on a regular basis. It changes names but it always does the same thing. I’ve seen the “Privacy Protection” about 10 times in the last week on XP machines. There was a similar virus about a year ago that really locked up the OS. Out of all the times I’ve dealt with these, I’ve only had to reinstall XP once. You have to boot into safe mode and then run Malwarebytes. Also check your start up in “msconfig” and un-check the program. I also run a search in the registry, “regedit, edit, find”, and search for and delete any instance of the software. Only do this if you’re familiar with the registry.

      Most techs don’t want to take the time to clean a drive. They wipe out and reinstall. I tell people that the best anti-virus is safe surfing. And BACK UP – BACK UP – BACK UP. But somehow people still seem to manage to get infected no matter what kind of protection they install. And they don’t even know IF they have a back up. I have never been infected, and I use a free AV and scan once a week with Spybot and Malwarebytes.

    • #1309311

      Many thanks for all the helpful suggestions; if nothing else I learned a few things with this one, part of which is that there is a LOT of knowledge on this forum.
      When “ComboFix” did not find anything I decided to start over.
      Saturday night I formatted the HDD and installed the OS and a couple of the original programs.
      After several boots and visits to Windows Update the old system is running VERY well and the owner is happy, costing her nothing and me about 6-7 hours of time. It was an investment in “family”, so well worth the effort.
      As this was for my wife’s sister they are now both happy, and “Happy Wife, Happy Life.” 🙂

      Again, thank you all.

    • #1309401

      PS: A properly protected PC will never get infected in the first place. In the past ten years, not ONE of my customers has ever gotten infected with a virus. I provide everyone with a Great Package of Anti-Malware software (all FREE).
      “The best anti-malware software in the world is 100% FREE”

      Only if the computer operator is savvy enough to NOT click on things they shouldn’t. Any poorly trained or naive operator will outsmart any and all protective software every time. I have seen it done. 🙂

      • #1320024

        Only if the computer operator is savvy enough to NOT click on things they shouldn’t. Any poorly trained or naive operator will outsmart any and all protective software every time. I have seen it done. 🙂

        True for existing hardware/software. BUT it *is* possible to *architect* and design a 100% scumware-proof PC.
        I did that back in the DOS days. But nobody would pay for it.
        Could do it for a windows type graphic style interface pc too. But not unless somebody pays for it up front.

        With reports of corporate databases being hacked on a regular basis and other countries hacking into DoD and other classified data, why doesn’t the government or a corporate consortium fund the development of a totally scumware-proof PC?

        If it is **architected** into the hard/soft wares it can be done. There is no way to tack on security after the fact. And AV software will always be behind the power curve trying to catch up to the hackers’ methods.
