"xp smart security"

Discussion in 'Virus Information' started by cisz, Apr 15, 2010.

  1. cisz

    cisz Guest

    We recently got a virus that tries to look like it's from microsoft. It
    brings up a window that looks exactly like the "security center" in the
    control panel (win xp). It then brings up another window that looks like
    it's from microsoft and seems to be a program called "xp smart security". It
    acts like it's running a scan and then says you're infected. It doesn't
    allow any other programs to run.

    We got this in spite of having a firewall and real time virus protection.

    Fortunately, it only affected our limited access account.

    I was able to get rid of it using a malware scanner, but it disconnected all
    the programs from their files and now, whenever I try to run a program in
    that account, a window comes up asking which program or file to use to run
    the program.
     
    cisz, Apr 15, 2010
    #1

  2. What malware scanner did you use to 'get rid of it'?
     
    FromTheRafters, Apr 15, 2010
    #2

  3. From: "cisz" <>

    | We recently got a virus that tries to look like it's from microsoft. It
    | brings up a window that looks exactly like the "security center" in the
    | control panel (win xp). It then brings up another window that looks like
    | it's from microsoft and seems to be a program called "xp smart security". It
    | acts like it's running a scan and then says you're infected. It doesn't
    | allow any other programs to run.

    | We got this in spite of having a firewall and real time virus protection.

    | Fortunately, it only affected our limited access account.

    | I was able to get rid of it using a malware scanner, but it disconnected all
    | the programs from their files and now, whenever I try to run a program in
    | that account, a window comes up asking which program or file to use to run
    | the program.



    It wasn't a "virus" but was malware.

    Download,
    http://www.malwarebytes.org/mbam/program/mbam-setup.exe

    rename; mbam-setup.exe to cisz.com
    and then run cisz.com to install Malwarebytes' Anti-Malware.

    Go to;
    C:\Program Files\Malwarebytes' Anti-Malware
    COPY; mbam.exe to mbam.com

    update and then execute a quick scan.
     
    David H. Lipman, Apr 15, 2010
    #3
  4. cisz

    cisz Guest

    Thanks.

    It was malwarebytes that I used to get rid of the problem. I had renamed
    mbam-setup.exe
    to mb.exe and installed and then scanned.
     
    cisz, Apr 15, 2010
    #4
  5. David Kaye

    David Kaye Guest

    Go to the file types tab on your folder options applet and enter a new
    filetype called EXE. On the Advanced button associate it with "Application",
    even though it says it's already associated with Application. Save your work.
    Go to your favorite app and it should load now.
     
    David Kaye, Apr 15, 2010
    #5
  6. David Kaye

    David Kaye Guest

    This doesn't always work. Some malware tracks some other part of the program,
    maybe the filesize or the internal name or the DLLs being called or something.
     
    David Kaye, Apr 15, 2010
    #6
  7. From: "David Kaye" <>


    | This doesn't always work. Some malware tracks some other part of the program,
    | maybe the filesize or the internal name or the DLLs being called or something.



    No, it is usually the name (explicit) or just EXE files.
     
    David H. Lipman, Apr 15, 2010
    #7
  8. David Kaye

    David Kaye Guest

    But not always. Believe me; I've had lots of malware kill MBAM regardless of
    what I called it. Remember that I've been doing this stuff full-time since
    2002.

    Some of the particularly bad infections would kill everything but a very old
    copy of SpySweeper and PrcView.exe, again, regardless of what I named the
    executable.
     
    David Kaye, Apr 15, 2010
    #8
  9. From: "David Kaye" <>


    | But not always. Believe me; I've had lots of malware kill MBAM regardless of
    | what I called it. Remember that I've been doing this stuff fulltime since
    | 2002.

    | Some of the particularly bad infection would kill everything but a very old
    | copy of SpySweeper and PrcView.exe, again, regardless of what I named the
    | executable.

    Certainly not size. That's a stupid approach. Different versions will have different
    sized executables. I have examined *numerous* malicious binaries. They hard code the
    name of EXE files into their code. Everything from; \drivers\vmmouse.sys, SbieDll.dll,
    ollydbg.exe, WIRESHARK.EXE--> PROCEXP.EXE --> HIJACKTHIS.EXE . I have also seen the code
    that thwarts analysis, such as "IsDebuggerPresent", "createtoolhelp32snapshot" and ...
    This program cannot be run in VMware Workstation. Please close VMware Workstation
    first.
    This program cannot be run in Threat Expert. Please close Threat Expert first.
    This program cannot be run in VirtualBox. Please close VirtualBox first.
    This program cannot be run in VirtualPC. Please close VirtualPC first.
    This program cannot be run in CWSandbox. Please close CWSandbox first.
    This program cannot be run in Sandboxie. Please close Sandboxie first.
    This program cannot be run in JoeBox. Please close JoeBox first.
    This program cannot be run in Anubis. Please close Anubis first.



    BTW: I've been dealing with malware for ~20 yrs. Ever since I had to remove the
    Jerusalem.B virus from a Netware v2.11 network.
     
    David H. Lipman, Apr 15, 2010
    #9
  10. DHL is writing about *this* particular malware, and not just *some*
    malware.
     
    FromTheRafters, Apr 15, 2010
    #10
  11. MEB

    MEB Guest

    http://www.dougknox.com/xp/file_assoc.htm

    Note 1: it would be better to use exported entries from the particular
    system IF you have a backup or image. OR you may find the defaults
    exportable from admin account as you appear to indicate this was a
    "user" account.

    Note 2: Any application specific entries beyond the defaults will
    likely no longer exist, hence they may need to be reinstalled [depends upon
    how thorough the hack was].

    You MAY have a block of *.reg files, see the link for a "workaround".

    --
    MEB
    http://peoplescounsel.org/ref/windows-main.htm
    Windows Info, Diagnostics, Security, Networking
    http://peoplescounsel.org
    The "real world" of Law, Justice, and Government
    ___---
     
    MEB, Apr 15, 2010
    #11
  12. cisz

    cisz Guest

    The malware problem is happening in a limited user account. I was able to
    add the EXE filetype and associate it with "Application" in the admin
    account but for some reason, it doesn't seem to show up when I restart
    windows explorer. The "Apply" button was greyed-out so I don't know if it
    got saved.
     
    cisz, Apr 15, 2010
    #12
  13. cisz

    cisz Guest

    I did have a problem. The 1st time I ran it, it didn't find anything. I
    hadn't saved the log file at 1st, thinking I could get it later. But when I
    tried to open mbam later, I got an error message. So, I reinstalled it and
    ran it again. This time it found the malware.
     
    cisz, Apr 15, 2010
    #13
  14. Andy Medina

    Andy Medina Guest

    Try the following batch file to re-associate files to the XP defaults.
    You'll need to use "run as administrator" if you run it from the
    limited user account.

    http://www.dougknox.com/xp/tips/xp_easy_file.htm

    "REM Restore Default File Associations for Windows XP.
    REM Copyright 2003 - Doug Knox
    REM This BAT file restores the Default associations that XP ships with
    REM It does not restore associations created by 3rd party
    applications."
     
    Andy Medina, Apr 16, 2010
    #14
  15. Some have recommended this reg file as a more surgical approach.

    Windows Registry Editor Version 5.00


    [-HKEY_CURRENT_USER\Software\Classes\.exe]
    [-HKEY_CURRENT_USER\Software\Classes\secfile]
    [-HKEY_CLASSES_ROOT\secfile]
    [-HKEY_CLASSES_ROOT\.exe\shell\open\command]


    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    @="\"%1\" %*"


    [HKEY_CLASSES_ROOT\.exe]
    @="exefile"
    "Content Type"="application/x-msdownload"
     
    FromTheRafters, Apr 16, 2010
    #15
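A way to check and undo this kind of .exe association hijack, as an added Python (3.8+) example that is not from the thread: it models the relevant keys as a constructed snapshot (the hijacked state and the av.exe path are assumed), parses and applies a .reg file such as the one above, and reports whether a double-clicked .exe would still run the default "%1" %* command. It goes a little beyond the post by resolving HKCU\Software\Classes before HKCR the way the shell's merged view does, which is why the per-user keys have to be deleted and not just the HKCR ones.

```python
import re

EXPECTED = '"%1" %*'  # XP's default "open" command for the exefile progid
# Constructed snapshot (not from the thread): the per-user .exe association is redirected
# to a rogue "secfile" progid, so every program launched in that account starts the malware.
HIJACKED = {
    r"HKEY_CURRENT_USER\Software\Classes\.exe": {"@": "secfile"},
    r"HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command":
        {"@": r'"C:\Documents and Settings\user\av.exe" /START "%1" %*'},  # assumed path
    r"HKEY_CLASSES_ROOT\.exe": {"@": "exefile"},
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"@": EXPECTED},
}

def parse_reg(text):
    """Parse .reg text (string values only) into ('delete', key, None, None) / ('set', key, name, value)."""
    ops, key = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[-") and line.endswith("]"):  # [-key] deletes the whole key
            ops.append(("delete", line[2:-1], None, None)); key = None
        elif line.startswith("[") and line.endswith("]"):  # [key] selects the key for values
            key = line[1:-1]
        elif key and (m := re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")', line)):
            unesc = lambda s: re.sub(r"\\(.)", r"\1", s[1:-1])  # drop quotes, undo \" and \\
            ops.append(("set", key, "@" if m[1] == "@" else unesc(m[1]), unesc(m[2])))
    return ops

def apply_reg(reg, ops):
    """Apply ops to a copy of the snapshot; deleting a key removes its subkeys as regedit does."""
    reg = {k: dict(v) for k, v in reg.items()}
    for op, key, name, value in ops:
        if op == "delete":
            for k in [k for k in reg if (k + "\\").lower().startswith(key.lower() + "\\")]:
                reg.pop(k)
        else:
            reg.setdefault(key, {})[name] = value
    return reg

def read(reg, subkey, name="@"):
    """Read a value as the shell resolves it: HKCU\\Software\\Classes overlays HKCR (case-insensitive)."""
    lower = {k.lower(): v for k, v in reg.items()}
    for hive in ("HKEY_CURRENT_USER\\Software\\Classes\\", "HKEY_CLASSES_ROOT\\"):
        if name in lower.get((hive + subkey).lower(), {}):
            return lower[(hive + subkey).lower()][name]
    return None

def exe_findings(reg):
    """Explain how .exe handling deviates from the XP default; an empty list means clean."""
    progid = read(reg, ".exe") or "exefile"
    cmd = read(reg, progid + r"\shell\open\command")
    return [] if cmd == EXPECTED else [f".exe -> {progid} runs {cmd!r}, not {EXPECTED!r}"]
```

Feed the text of the .reg file above to parse_reg, apply the result to HIJACKED with apply_reg, and exe_findings on the outcome returns an empty list; on the untouched snapshot it names the secfile redirection.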
  16. cisz

    cisz Guest

    I'm not exactly sure why, but suddenly the programs associated with their
    files. I did try creating the EXE file type and associating it with
    "applications" but that didn't seem to work. Maybe it needed a few reboots?

    Thanks to everyone for your help.
     
    cisz, Apr 19, 2010
    #16
