XP Antivirus

[evilfantasy]

The program files can be backed up onto a CD or flash drive.

Try to download and run this.

Download Dial-a-Fix by djlizard, save it to the desktop then extract it to it's own folder.

• Open the folder and run Dial-a-fix.exe
• 2 windows will open. Close the one in the background labeled Restrictive Policies
• On the main window, check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
• Check all boxes in Section 5, labeled Registration Center.
• Click Go
• OK any error messages if received, but write them down and post them here.
• Restart the computer when done

Let me know if IE behaves properly.

[hunt3rshadow]

IE is still the same wont let me access those links you posted and it gives me strange google searches

[evilfantasy]

Try booting into Safe Mode and running a Full system scan with MalwareBytes.

[hunt3rshadow]

Alrite that'll take me about more then an hour. So ill see you then

[mcxeb52!]

if you're using xp or vista and have system restore points, I'd have just restored to an earlier date. However .... first complete the fixes that are already in place 

[kpac]

if you're using xp or vista and have system restore points, I'd have just restored to an earlier date. However .... first complete the fixes that are already in place 

It's best to follow the instuctions evilfantasy gave.

[hunt3rshadow]

Malwarebytes' Anti-Malware 1.17
Database version: 856

6:32:19 PM 8/22/2008
mbam-log-8-22-2008 (18-32-19).txt

Scan type: Full Scan (C:\|J:\|)
Objects scanned: 118149
Time elapsed: 1 hour(s), 17 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Richard\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Richard\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Richard\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Richard\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

Done.

[kpac]

Have you got a Hijack This log at all? Or is it that you had to type it out?

I think it will be needed.

[evilfantasy]

Agreed, if we could get a HJT log at some point it would be a huge help.

This scan can only be run in Safe Mode.

Download SDFix by AndyManchesta and save it to your desktop.

When using this tool, you must use the Administrator's account or an account with Administrative rights

• Double click SDFix.exe and it will extract the files to %systemdrive%
  
• (this is the drive that contains the Windows Directory, typically C:\SDFix).
  
• DO NOT use it just yet.

Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.

• Type Y to begin the cleanup process.
  
• It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
  
• When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  
• Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.

[hunt3rshadow]

Yes very well, I will do as you stated BTW I cant download HJT it wont let me with the links being stupid.  Also now I know that I have indeed been effected by AntiVirus Xp 2008 when I downloaded a audio codec. I've been doing a little research and I found this:

http://www.windowsvistaplace.com/xp-antivirus-2008-removal-instructions-xp-antivirus-2008/spyware-removal

EDIT: I cant download SDdFix. Link is being stupid

[mcxeb52!]

if you're using xp or vista and have system restore points, I'd have just restored to an earlier date. However .... first complete the fixes that are already in place 

It's best to follow the instuctions evilfantasy gave.

Yeah. isn't that what I said? I'd fix it a certain way that has helped me many times but evilfantasy is already taken him so far so why stop at this point?

[kpac]

Yes very well, I will do as you stated BTW I cant download HJT it wont let me with the links being stupid.

What can you do with this PC?

Can you go to another computer and download all these tools? If you can, do that, and copy them to a flash drive or CD or something, and run them on the infected PC.

[hunt3rshadow]

Thanks to everyone's help. I just got rid of this cursed thing by running MBAM multiple times then cleaning my registry. My computer's running fine so far and the background has changed back to normal.

[kpac]

It may seem fine, but the virus might be still on your computer.

I recommend you continue with posting the logs/following our instructions etc.

[mcxeb52!]

It may seem fine, but the virus might be still on your computer.

I recommend you continue with posting the logs/following our instructions etc.

At least for now, I'd post a new HiJackThis Log and have evilfantasy review it one more time to be sure it's clean.

You don't want to have traces of diseases still lingering in your body that might potentially open up another problem even though you are now feeling fine and life appears to be going on normally.