Friday, December 30, 2011

Death match me vs XP Antispyware 2012

Recently received a computer that was previously infected with some strain of XP Antispyware 2012.


Ok, set, fight!


1. Computer was previously infected with the above-mentioned virus, and the previous user had made all sorts of attempts to fix it - probably not good things.
2. Avast had been the first sentry on duty and was completely mutilated by the virus.
3. Malwarebytes, the second sentry on duty - dead as a doornail.
4. Windows Firewall - the third sentry, also disabled by the virus.
5. TCP/IP stack corrupted.
6. Blue screens.
7. Windows Update not functional.


My turn:
1. Followed the Bleeping Computer web site steps: virus-removal of xp-antispyware-2012
2. After I did the above, I was still not satisfied: I could run Malwarebytes in Safe Mode, and it found one Trojan, but I just did not feel that was good enough.  So I took the drive out of the PC, plugged it into my laptop with a special adapter that lets me connect SATA drives as USB, and proceeded to scan it with Malwarebytes, but lo and behold, my Microsoft Security Essentials found 8 viruses just from plugging it in and removed them.  I still finished scanning with Malwarebytes - came up clean.  Scanned again with two more scanners.  All clean.
3. So I put the drive back in, but even though I felt it was no longer infected, the system was still corrupted.
4. Chkdsk fixed some more files.
5. The TCP/IP stack was corrupted, and you could not get the PC on the network.  Windows Repair was not working either, so I followed these steps:
a. Locate the Nettcpip.inf file in %winroot%\inf, and then open the file in Notepad.
b. Locate the [MS_TCPIP.PrimaryInstall] section.
c. Edit the Characteristics = 0xa0 entry and replace 0xa0 with 0x80.
d. Save the file, and then exit Notepad.
e. In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
f. On the General tab, click Install, select Protocol, and then click Add.
g. In the Select Network Protocols window, click Have Disk.
h. In the Copy manufacturer’s files from: text box, type c:\windows\inf, and then click OK.
i. Select Internet Protocol (TCP/IP), and then click OK.
Note: This step will return you to the Local Area Connection Properties screen, but now the Uninstall button is available.
j. Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.
k. Restart.
Successful uninstallation of TCP/IP will remove numerous keys from the registry, including:
HKLM/system/CurrentControlSet/services/tcpip
HKLM/system/CurrentControlSet/services/dhcp
HKLM/system/CurrentControlSet/services/dnscache
HKLM/system/CurrentControlSet/services/ipsec
HKLM/system/CurrentControlSet/services/policyagent
HKLM/system/CurrentControlSet/services/atmarpc
HKLM/system/CurrentControlSet/services/nla
These represent various interconnected and interdependent services.
For good measure you should delete the following keys before reinstalling TCP/IP in step #2:
HKLM/system/CurrentControlSet/services/winsock
HKLM/system/CurrentControlSet/services/winsock2
Step #2
Reinstall of TCP/IP
Following the above sub-step c (the Characteristics edit), change the 0x80 back to 0xa0; this will eliminate the related "unsigned driver" error that was encountered during the uninstallation phase.
Return to "Local Area Connection" > Properties > General tab > Install > Protocol > TCP/IP.
You may receive an "Extended Error" failure when trying to reinstall TCP/IP; this is related to the installer sub-system conflicting with the security database status.
To check the integrity of the security database:
esentutl /g c:\windows\security\Database\secedit.sdb
There may be a message saying the database is out of date.
First try the recovery option:
esentutl /r c:\windows\security\Database\secedit.sdb
If this doesn't work for you, you need the repair option:
esentutl /p c:\windows\security\Database\secedit.sdb
Rerun the /g option to ensure that integrity is good and the database is up to date.
Now return to the "Local Area Connection" setup.
Choose Install > Protocol > TCP/IP and try again.
Reboot.


Please see Smokey's Security Web Log for the reference.
6. Awesome, now I had network access again, but I still had some blue screen issues, so I had to reboot into Safe Mode.  What I noticed was that Avast was still trying to load, so I uninstalled Avast and rebooted into normal mode.
7. I disabled all add-on toolbars in Explorer, and I also made sure I looked for all residual registry entries and files left over by the virus; these are listed in the Bleeping Computer step-by-step clean-up instructions.  I did not find any registry keys, but did find a bunch of suspicious files lurking in the profile folders.
8. Now the Firewall worked, so I disabled all exceptions.
9. Windows Update also would not run; after a couple of failed attempts, this finally worked (the error was 0x80070424):
a. Turned on the Background Intelligent Transfer Service.
b. regsvr32 wuaueng.dll
10. Pulled a bunch of updates from Microsoft - including Service Pack 3, even though it was already a Service Pack 3 version of XP - so a lot was corrupted on it.  Also made sure the video driver was updated.
11. Re-installed Malwarebytes - ran a scan - good!
12. As part of the Windows Updates I had installed Windows Defender - ran a scan - clean!
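Added example (PowerShell; not part of the original post or of the Bleeping Computer / Smokey's write-ups): it automates the fiddly parts of the TCP/IP reset in step 5, flipping the Characteristics value in Nettcpip.inf with a backup, confirming after the uninstall that the service keys listed above are really gone, and running the esentutl /g integrity check before the reinstall. The function names and parameters are my own; the file paths, key names and hex values are the ones the post gives.

```powershell
# Added example, not from the original post. Run from an elevated prompt on the
# repaired machine. -Target 0x80 prepares Nettcpip.inf for the uninstall;
# -Target 0xa0 restores it before the reinstall (avoids the "unsigned driver" error).
param(
    [ValidateSet('0x80', '0xa0')][string]$Target = '0x80',
    [string]$InfPath = (Join-Path $env:windir 'inf\nettcpip.inf')   # %winroot%\inf
)

function Set-TcpipCharacteristics {
    param([string]$Path, [string]$Value)
    Copy-Item $Path "$Path.bak" -Force          # keep the original so it can be restored
    $inSection = $false
    $changed = 0
    $lines = Get-Content $Path | ForEach-Object {
        $line = $_
        if ($line -match '^\s*\[(.+)\]\s*$') {  # entering a new INF section
            $inSection = ($matches[1] -eq 'MS_TCPIP.PrimaryInstall')
        } elseif ($inSection -and $line -match '^\s*Characteristics\s*=\s*0x[0-9a-fA-F]+') {
            $line = $line -replace '0x[0-9a-fA-F]+', $Value   # only the first hex token
            $changed++
        }
        $line
    }
    if ($changed -ne 1) { throw "Expected exactly one Characteristics line, found $changed" }
    Set-Content -Path $Path -Value $lines
    Write-Host "Characteristics set to $Value in $Path (backup: $Path.bak)"
}

# Service keys the post says a successful TCP/IP uninstall removes; any that
# survive mean the uninstall did not fully take and the stack is still registered.
$keys = 'Tcpip', 'Dhcp', 'Dnscache', 'IPSec', 'PolicyAgent', 'Atmarpc', 'Nla'
function Test-TcpipUninstalled {
    $left = $keys | Where-Object { Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$_" }
    if ($left) { Write-Warning "Still present: $($left -join ', ')" }
    else       { Write-Host 'All TCP/IP service keys removed.' }
    return (-not $left)
}

# Integrity check of the security database before retrying the reinstall; a
# non-zero exit code from esentutl /g means try /r (recovery) and then /p (repair).
function Test-SecurityDatabase {
    $db = Join-Path $env:windir 'security\Database\secedit.sdb'
    & esentutl.exe /g $db | Out-Null
    return ($LASTEXITCODE -eq 0)
}

Set-TcpipCharacteristics -Path $InfPath -Value $Target
```

After the uninstall and reboot, call Test-TcpipUninstalled; if it reports keys still present, the manual uninstall has to be repeated before the reinstall is attempted.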


This was a great match in which I was not defeated.  I have had many a fight with viruses this year, and so far I am 100% victorious.  So, as part of my last blog entry of 2011, I had to write something about it.  Got to love it :)


Delco


4 comments:

Richard said...

How's Life?

To your toolkit add Kaspersky's
Anti-rootkit utility TDSSKiller:
http://support.kaspersky.com/faq/?qid=208283363

Did you check to see if the google search was working correctly?

Delco said...

Yes, TDSSKiller is part of the steps to get rid of it. Yes, Google search would not go to bleepingcomputer.com.

JoseB said...

About how long did this take?

Delco said...

Well, once you have the right steps, not too long, but any scan would take about two hours or so. In any case, I usually scan many times to be sure all is clean. So this one I had on hand for 24 hours, but not necessarily working on it all the time.