Author Topic: surviving xp security 2011?  (Read 4762 times)

geronimotwo

  • friend
  • Senior Member
  • ***
  • Posts: 3,796
surviving xp security 2011?
« on: March 27, 2011, 10:30:20 PM »
just got hit by this on my desktop.  ran malware bytes in safe mode, then ms security essentials.  still not able to run most of the programs, including the tools in control panel (add remove software etc). is there a registry restore for xp?  heck, i don't even know what i need to fix it.  malware bytes came up with a few trojans etc that i was able to remove.  ms security essentials says i'm clean.  i downloaded a new version of malwarebytes and am running it in regular windows now.   [ar15]  aaaaaaaaaaaaaaaahhhhhhhhhhh!!!!!!
make the world idiot proof.....and you will have a world full of idiots. -g2

Jim147

  • friends
  • Senior Member
  • ***
  • Posts: 7,596
Re: surviving xp security 2011?
« Reply #1 on: March 27, 2011, 10:52:40 PM »
Make sure security essentials is up to date and set to full scan.

I still prefer to pull the drives and scan from a clean machine.

jim
Sometimes we carry more weight then we owe.
And sometimes goes on and on and on.

BAH-WEEP-GRAAAGHNAH WHEEP NI-NI BONG

AJ Dual

  • friends
  • Senior Member
  • ***
  • Posts: 16,162
  • Shoe Ballistics Inc.
Re: surviving xp security 2011?
« Reply #2 on: March 27, 2011, 11:09:38 PM »
Try Vundofix.exe, if it's a vundo variant at the core, it'll kill it, and then malwarebytes can clean the rest off.

Also, try renaming malwarebytes.exe to something random like 23riohr9fw.exe. Some malware either prevents the execution of, or hides from the names of known anti-malware processes.
I promise not to duck.

geronimotwo

  • friend
  • Senior Member
  • ***
  • Posts: 3,796
Re: surviving xp security 2011?
« Reply #3 on: March 28, 2011, 09:05:42 AM »
thanks, after running malwarebytes the second time (found three more infected files), i am able to run my control panel programs.  i cannot update ms security essentials at this time.  the virus recognizes the antivirus website and stops the download with a "threat to my computer" warning.  i'll try removing ms security, and reloading from their website.  the weird thing is that internet explorer never stopped working, although anything that i could find as an antivirus was not allowed to download.
make the world idiot proof.....and you will have a world full of idiots. -g2

Brad Johnson

  • friend
  • Senior Member
  • ***
  • Posts: 18,086
  • Witty, charming, handsome, and completely insane.
Re: surviving xp security 2011?
« Reply #4 on: March 28, 2011, 09:16:23 AM »
Download the MS security update file on another machine, rename it, and transfer it to your machine by CD (not by flash drive as you run the risk of infecting it, too.)

Also, check for rootkits.  Kaspersky has a dandy little utility called TDSSKiller that does a good job of digging out rootkits other malware programs can't touch.

Brad
It's all about the pancakes, people.
"And he thought cops wouldn't chase... a STOLEN DONUT TRUCK???? That would be like Willie Nelson ignoring a pickup full of weed."
-HankB

AJ Dual

  • friends
  • Senior Member
  • ***
  • Posts: 16,162
  • Shoe Ballistics Inc.
Re: surviving xp security 2011?
« Reply #5 on: March 28, 2011, 11:05:54 AM »
Check your C:\windows\drivers\etc\hosts file. The malware might have re-written it to block all the common virus/malware cleaning tool and update URLs.

You could also try going to update MS Security through Google Translate. Translate it from anything (German.. whatever) into English, and the English content will just pass through.

Might trick the malware and keep it from blocking the page after that.  Worth a try as that might be quicker than finding another PC and burning a disk. Otherwise that will work.
I promise not to duck.
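
The hosts-file check AJ Dual describes, as an added example that is not part of the original thread: it parses a hosts file (on a default XP install normally found at C:\WINDOWS\system32\drivers\etc\hosts, readable from a clean machine if the drive has been pulled) and reports entries that sinkhole or redirect security-tool and update sites. The watch list and the sample file are assumptions constructed for illustration.

```python
import ipaddress
import sys

# Assumed watch list for illustration; extend it with the vendors you rely on.
WATCHED = ("microsoft.com", "windowsupdate.com", "malwarebytes.org",
           "kaspersky.com", "bleepingcomputer.com")

def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping in a hosts file."""
    for lineno, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on blanks
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an address
        for name in fields[1:]:                 # one line may map several names
            yield lineno, ip, name.lower().rstrip(".")

def is_watched(name, watched=WATCHED):
    """True if name is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watched)

def audit_hosts(text, watched=WATCHED):
    """Return (line, ip, hostname, verdict) for every entry worth a look."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name == "localhost" and ip.is_loopback:
            continue                            # the stock entry
        if is_watched(name, watched):
            sinkholed = ip.is_loopback or ip.is_unspecified
            verdict = "blocked" if sinkholed else "redirected"
        else:
            verdict = "unexpected"              # not malicious per se; review
        findings.append((lineno, str(ip), name, verdict))
    return findings

# Constructed sample, not taken from the thread.
SAMPLE = (
    "# constructed sample hosts file\n"
    "127.0.0.1       localhost\n"
    "127.0.0.1       www.malwarebytes.org\n"
    "0.0.0.0 update.microsoft.com download.microsoft.com  # two names\n"
    "203.0.113.7\tWWW.Kaspersky.com\n"
    "192.168.1.20    printer\n"
)

if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for finding in audit_hosts(text):
        print("line %d: %s -> %s [%s]" % finding)
```

A "redirected" verdict deserves the most attention, since it means a security or update site resolves to an address someone else chose rather than simply failing.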

Bogie

  • friend
  • Senior Member
  • ***
  • Posts: 10,225
  • Hunkered in South St. Louis, right by Route 66
    • Third Rate Pundit
Re: surviving xp security 2011?
« Reply #6 on: March 28, 2011, 01:31:54 PM »
Some of 'em will also point you to a different proxy server... Basically, get on a different box, download the tools, boot off the network, and run 'em.
Blog under construction

MikeB

  • friend
  • Senior Member
  • ***
  • Posts: 924
Re: surviving xp security 2011?
« Reply #7 on: March 28, 2011, 06:59:48 PM »
Combofix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

May need to run in Safe Mode, follow the instructions in the link. Then use Malwarebytes and Microsoft Security Essentials.

geronimotwo

  • friend
  • Senior Member
  • ***
  • Posts: 3,796
Re: surviving xp security 2011?
« Reply #8 on: March 29, 2011, 08:47:17 AM »
everything seems back to normal except for being able to download updates automatically.  called microsoft and gave them hands on access.  "rj" worked with me for about an hour and 45 min, still couldn't resolve the problem.  he did double check my registry for any signs of the malware, and said it was clean.  he suggested calling my isp to see if there is something wrong there.  doesn't make sense as it worked fine before i had the virus, and i am obviously online, just can't get a download for security essentials without going to their website and finding it manually.
make the world idiot proof.....and you will have a world full of idiots. -g2

Brad Johnson

  • friend
  • Senior Member
  • ***
  • Posts: 18,086
  • Witty, charming, handsome, and completely insane.
Re: surviving xp security 2011?
« Reply #9 on: March 29, 2011, 12:13:41 PM »
Uninstall and reinstall the AV program.

Brad
It's all about the pancakes, people.
"And he thought cops wouldn't chase... a STOLEN DONUT TRUCK???? That would be like Willie Nelson ignoring a pickup full of weed."
-HankB

never_retreat

  • Head Muckety Muck
  • friend
  • Senior Member
  • ***
  • Posts: 3,158
Re: surviving xp security 2011?
« Reply #10 on: March 29, 2011, 12:25:21 PM »
Go get rkill.exe from download.com. Run this, then run your AV software. It will kill all non windows critical processes, including the pest that's stopping you from running your av.
After you run rkill do not open any other programs like your browser that may restart the pest. Or reboot. If you have to reboot, rerun rkill.

If you have to, rename rkill also to make it work.
I needed a mod to change my signature because the concept of "family friendly" eludes me.
Just noticed that a mod changed my signature. How long ago was that?
A few months-mods

geronimotwo

  • friend
  • Senior Member
  • ***
  • Posts: 3,796
Re: surviving xp security 2011?
« Reply #11 on: March 29, 2011, 02:49:53 PM »
Uninstall and reinstall the AV program.

Brad

i did that before calling ms, then the tech did as well. still doesn't auto download.
make the world idiot proof.....and you will have a world full of idiots. -g2

Brad Johnson

  • friend
  • Senior Member
  • ***
  • Posts: 18,086
  • Witty, charming, handsome, and completely insane.
Re: surviving xp security 2011?
« Reply #12 on: March 29, 2011, 02:51:51 PM »
Then you still likely have a malware problem.  Do a manual update, boot to safe mode, and run all your AV scans, including Malwarebytes, Ad-Aware, and TDSSKiller.

Brad
It's all about the pancakes, people.
"And he thought cops wouldn't chase... a STOLEN DONUT TRUCK???? That would be like Willie Nelson ignoring a pickup full of weed."
-HankB

Matthew Carberry

  • Formerly carebear
  • friend
  • Senior Member
  • ***
  • Posts: 5,281
  • Fiat justitia, pereat mundus
Re: surviving xp security 2011?
« Reply #13 on: March 29, 2011, 04:10:42 PM »
Just got rid of one called cryptic that did the same thing. It had hidden in the restore files.

Ended up buying a used drive for $5 and booting to that to scan and clean.
"Not all unwise laws are unconstitutional laws, even where constitutional rights are potentially involved." - Eugene Volokh

"As for affecting your movement, your Rascal should be able to achieve the the same speeds no matter what holster rig you are wearing."

Brad Johnson

  • friend
  • Senior Member
  • ***
  • Posts: 18,086
  • Witty, charming, handsome, and completely insane.
Re: surviving xp security 2011?
« Reply #14 on: March 29, 2011, 05:06:38 PM »
It's all about the pancakes, people.
"And he thought cops wouldn't chase... a STOLEN DONUT TRUCK???? That would be like Willie Nelson ignoring a pickup full of weed."
-HankB

RocketMan

  • Mad Rocket Scientist
  • friend
  • Senior Member
  • ***
  • Posts: 13,630
  • Semper Fidelis
Re: surviving xp security 2011?
« Reply #15 on: March 29, 2011, 11:34:56 PM »
The bug may have hosed one or more of the files used for the update process.  That is a common malware tactic. Put your original WinXP CD (is it Windows XP?) in your CD/DVD drive and run "sfc /scannow" in command mode. That is the system file check.  It will replace any missing, damaged or improperly modified system files, including the three or four used to run the update process.
If you don't have a WinXP CD, you can direct the restore source location to one of the i386 folders for the new file copies, but you run the risk of reinfection if any of those were compromised by the bug.
If there really was intelligent life on other planets, we'd be sending them foreign aid.

Conservatives see George Orwell's "1984" as a cautionary tale.  Progressives view it as a "how to" manual.

My wife often says to me, "You are evil and must be destroyed." She may be right.

Liberals believe one should never let reason, logic and facts get in the way of a good emotional argument.

AJ Dual

  • friends
  • Senior Member
  • ***
  • Posts: 16,162
  • Shoe Ballistics Inc.
Re: surviving xp security 2011?
« Reply #16 on: March 30, 2011, 12:08:07 AM »
I promise not to duck.

geronimotwo

  • friend
  • Senior Member
  • ***
  • Posts: 3,796
Re: surviving xp security 2011?
« Reply #17 on: March 30, 2011, 05:42:14 PM »
Hang on a sec, it doesn't auto download, but can you do a manual update?  If you can, check this link for potential MSE auto-download scheduling demons...

i can't download from the ms essentials program (manually or automatically), but i can get the files if i go to their website and download them.

The bug may have hosed one or more of the files used for the update process.  That is a common malware tactic. Put your original WinXP CD (is it Windows XP?) in your CD/DVD drive and run "sfc /scannow" in command mode. That is the system file check.  It will replace any missing, damaged or improperly modified system files, including the three or four used to run the update process.
If you don't have a WinXP CD, you can direct the restore source location to one of the i386 folders for the new file copies, but you run the risk of reinfection if any of those were compromised by the bug.

good idea if i could lay my hands on my xp disc!  can't find it in the usual places.  i think it's one of those "i'll put it here for safer keeping" syndromes.

i have yet to try some of the other antimalware progs suggested, just been too busy with work lately.  thanks for the suggestions!
make the world idiot proof.....and you will have a world full of idiots. -g2

Brad Johnson

  • friend
  • Senior Member
  • ***
  • Posts: 18,086
  • Witty, charming, handsome, and completely insane.
Re: surviving xp security 2011?
« Reply #18 on: March 31, 2011, 11:52:21 AM »
i can't download from the ms essentials program (manually or automatically), but i can get the files if i go to their website and download them.

Yeah, you have some kind of residual nastiness.  I vote for some kind of rootkit bug that most AV/malware programs can't touch.  TDSSKiller for starters.

Brad
It's all about the pancakes, people.
"And he thought cops wouldn't chase... a STOLEN DONUT TRUCK???? That would be like Willie Nelson ignoring a pickup full of weed."
-HankB