Aagh, HELP! Malware "XP Antivirus 2010"

JackintheGreen, Fri Mar-12-10 05:22 PM
Original message
Aagh, HELP! Malware "XP Antivirus 2010"
OK, OK... I was got. And how! I use three virus scanners, update my definitions regularly (just this morning, in fact) and yet I've still spent all afternoon trying to chase down this most pernicious XP Antivirus 2010 trojan piece of crap.

So, those of you who know what this is know how it works. Suddenly you start getting virus alerts that look legit and show you a list of infections and direct you to a website to buy something. Let it be known, I didn't fall for it. I immediately started my own virus scans (Symantec Corporate 10.1.5 and SuperAntiSpyware, both updated this morning). They both showed two trojans related to the file 'ar.exe.' SAS finished and removed them both, prompting a reboot. Symantec detected them but froze when I tried to complete removal (It always does this, but I get usage free from my university and it has always done fine enough with the other stuff I use).

OK, reboot. The pop-ups keep coming, so I disable the net connection on the affected desktop and fire up my netbook to do some more research. Find out that this thing is of middling strength and find some decent advice to get rid of it. Download a new version of Malwarebytes - as per directions - and something called SREng which seemed to be highly touted. I also do a registry search to try to find the identified associated files to ar.exe and remove them manually. By the time I get all of this done and load the new virus killers via USB, my registry is totally boned. If I try to open any executable file, say a virus scanner, I get a message that Windows cannot identify the creating program and asks if I want Windows to find it automatically online or if I want to pick from a list of files. In other words, I cannot do anything. I cannot move forward. I can only stand still.

My documents and PDFs all open, and I can still access the web. But I don't want to do anything until I get this cleared up.

Any suggestions?
EvolveOrConvolve, Fri Mar-12-10 06:31 PM
Response to Original message
1. Do you have Vista?
Berserker, Fri Mar-12-10 07:10 PM
Response to Original message
2. Three virus scanners?
Anti-virus scanners don't play well together. You should only need one. You have Symantec; well, that's one of your problems. Kill that pig.
Uninstall that and get down to one scanner like AVG or Avast. Try booting up in safe mode, then run Malwarebytes; it will find your problem. It sounds more like a malware problem.
JackintheGreen, Fri Mar-12-10 08:35 PM
Response to Reply #2
3. Well, as I mentioned
Symantec comes through my university. As a broke-ass grad student it is hard for me to overlook free software. Though I agree that it is a pig.

Also, as I mentioned, I did download Malwarebytes, but because ar.exe screwed up my registry, none of my .exe files (and that would include the installation software for Malware) seem to be associated.

But I will kill Symantec when this is over. I promise and swear this to you (and myself, really).
CK_John, Fri Mar-12-10 08:50 PM
Response to Original message
4. I think you need to get ready for battle. Here are 2 links to get you started.
1. Caution: this link will do a net scan and give you some needed info, but...you being an adult know there is a hook. If they find a problem you need to register (free) and they will suggest a plan and try to sell you their software. Do the scan and get the info and then worry about solutions later.
online scan:
<http://www.pandasecurity.com/homeusers/solutions/activescan/>

2. There are several good sites to help fix your system, but...they expect you to do your part and tell you what you need, and how to use the utilities and logs you need to post for their forum. Please read and follow links for tutorial.
forum info:
<http://www.bleepingcomputer.com/files/hijackthis.php>

3. Get together material you need to do a backup or reinstall.
Keep us updated and let us assist.

JackintheGreen, Fri Mar-12-10 10:20 PM
Response to Reply #4
5. Good advice
I have already had several pitched battles, with little success (except I got the pop-ups to stop). I've looked at the second site, but not the first. I will (re)start there and keep working with the folks at GeekPolice (unless you know something terrible).

Dumb question, but since I probably won't finish this tonight, I don't need to keep the computer on, do I? Most of what I've read says "do A, B, C, but then it will prompt a reboot. DON'T DO IT!" So now I'm afraid to turn it off.

Gods I'm a naif...
CK_John, Fri Mar-12-10 11:26 PM
Response to Reply #5
6. Do step 1, get good info. Stop the shotgun approach. You're in college
you should know that good decisions are based on good info. Don't be a slave to a machine; turn it off, have some green beer.

Tomorrow will take care of itself.
JackintheGreen, Sat Mar-13-10 02:34 PM
Response to Reply #6
8. You asked that I keep you posted
This morning I restarted with exefix.reg and then Malwarebytes. I changed the executable to a .com and ran Malwarebytes, coming up with a single infection and deleting it. I have posted my OTL logs to GeekPolice and am awaiting further advice.

Everything seems to be working. I can open and use executables and av.exe seems to be gone. Still, this was pernicious, so I am not 100% confident that it isn't yet lurking somewhere waiting to kick my ass some more. Proceeding slowly. I am uninstalling Symantec and moving to something that works.

Assuming I killed it, I still have Malwarebytes loaded. Should I uninstall and reinstall from a known clean source, or should it be ok?

Thanks for all your help. DUers are the best!
CK_John, Sat Mar-13-10 03:30 PM
Response to Reply #8
9. Removal tool for Norton
link:
<http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039>

MS has a good free antivirus called MSE, and it is rated as good as or slightly better than the 2 most popular free antivirus programs, Avast and AVG.

I recommend MSE for easy and low resource usage.

Thanks for update.
Earth Bound Misfit, Sat Mar-13-10 05:59 PM
Response to Reply #9
10. Excellent advice.
I've heard it said of Norton: "Norton is about as useful to a computer user as a screen door is to a submerged submarine."

I've read many good things about MSE, though I haven't tried it. I use Avast 5 Free; I like its powerful boot scan and the "new look" GUI with version 5--I never did much like the old "radio" GUI.
Earth Bound Misfit, Sat Mar-13-10 06:08 PM
Response to Reply #8
11. Good job by you.
No need to uninstall/re-install MBAM, IMO, just remember to change the executable back to .exe.

If I were you, I'd hit this thing with a 1-2-3 punch of a GOOD AV (NOT Norton), like the MSE that CK_John suggested, or my AV of choice--Avast 5 (also free), then MBAM & SuperAnti FULL scans.

BTW, a great big thank you for the heads-up re: GeekPolice site. Like Siskel & Ebert, I give it 2 big :thumbsup: :thumbsup:
Earth Bound Misfit, Sat Mar-13-10 05:08 AM
Response to Original message
7. bleepingcomputer.com has a fix that looks like it should work
Edited on Sat Mar-13-10 05:14 AM by Earth Bound Misfit
How to remove XP Internet Security 2010---bleepingcomputer.com instructions: http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010

Antivirus Vista 2010, Win 7 Antispyware 2010, and XP Internet Security 2010 are new rogues that are exactly the same program, but are shown with different names and interfaces depending on the version of Windows that it is run on.

When installed, this rogue...will then install itself as a single executable called AV.exe that uses very aggressive techniques...First, it makes it so that if you launch any executable it instead launches (the rogue AV). If the original program that you wanted to launch is deemed safe by the rogue, it will then launch it as well. This allows the rogue to determine what executables it wants to allow you to run in order to protect itself. It will also modify certain keys so that when you launch (.exe files) it will launch the rogue instead and display a fake firewall warning. Last, but not least, when try to browse to a web site, it will hijack your browser and state that the site is a security risk and not allow you to visit it.

Tools Needed for this fix:

Malwarebytes' Anti-Malware Download Link -
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button

FixExe.reg Download Link-
http://download.bleepingcomputer.com/reg/antivirus-vista-2010/FixExe.reg


More instructions, along with associated files & registry info at the link at the top of my post.

If the rogue blocks the FixExe.reg from doing its thing, Malwarebytes has a workaround that should enable you to run a scan. I'm fairly confident that MBAM should kill it, or at least soften it up enough to enable other scanners to finish it off. SuperAntiSpyware is another good one, and I see you already have it installed.

MBAM's workaround (specifically post #3):

http://forums.malwarebytes.org/index.php?showtopic=38629&st=0&p=193288&#entry193288

Good Luck!
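As an added illustration (not from this thread, bleepingcomputer, or Malwarebytes), here is a small Python checker that reads a .reg export of the HKEY_CLASSES_ROOT keys (as regedit or `reg export` produces) and flags the .exe association hijack the write-up above describes, which is what FixExe.reg is meant to undo. The sample exports are constructed for the demo: av.exe is the name the write-up gives, but the path and the /START switch are made up.

```python
import re

# Values a healthy Windows XP registry carries for the .exe association; the rogue
# described above rewrites the open command so every .exe launch goes through it.
EXPECTED_EXE_COMMAND = '"%1" %*'
DOT_EXE_KEY = r"HKEY_CLASSES_ROOT\.exe"
EXEFILE_CMD_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"

def unescape_reg_string(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r'\1', s)

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}; only string values are kept."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=("((?:[^"\\]|\\.)*)")$', line)
        if m and current is not None:  # "@" is the key's default value
            name = "" if m.group(1) == "@" else unescape_reg_string(m.group(2))
            keys[current][name] = unescape_reg_string(m.group(4))
    return keys

def check_exe_association(text):
    """Return findings about the .exe association; an empty list means it looks intact."""
    keys, findings = parse_reg_export(text), []
    dot_exe = keys.get(DOT_EXE_KEY, {}).get("")
    if dot_exe != "exefile":
        findings.append(f".exe default is {dot_exe!r}, expected 'exefile'")
    cmd = keys.get(EXEFILE_CMD_KEY, {}).get("")
    if cmd is None:
        findings.append("exefile open command is missing")
    elif cmd != EXPECTED_EXE_COMMAND:
        findings.append(f"exefile open command points elsewhere: {cmd!r}")
    return findings

def reg_export(command):
    # Constructed sample export (not a real capture) with the given open command
    return ('Windows Registry Editor Version 5.00\n[HKEY_CLASSES_ROOT\\.exe]\n@="exefile"\n'
            '[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]\n@="%s"\n' % command)

CLEAN_EXPORT = reg_export(r'\"%1\" %*')
# av.exe is the executable name the write-up gives; the path and switch are made up
HIJACKED_EXPORT = reg_export(
    r'\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\av.exe\" /START \"%1\" %*')
```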