5 Replies Latest reply on Apr 8, 2010 11:08 AM by zor

    xp security tool hijacked my computer,

      XP Security Tool hijacked my desktop. I cannot access the internet from the affected computer. I have the latest version 13.15 and build 13.15.116 installed, but this virus has still affected my desktop. It's a Windows XP Home Edition. Any ideas how to get rid of it? Any help will be great; the scanning does not help. Kindly do help, it is affecting my job hunt and I am desperate.

      Thanks

      Zor

        • 1. Re: xp security tool hijacked my computer,

          Virus Research Analyst: Girish Pillai

          McAfee™ Labs, Bangalore - India

           

          Dear Sir/Madam,

           

          In order for us to research this question, please send us a sample for analysis, in a password-protected ZIP file (password - infected).  You can find detailed instructions for how to do this at <http://vil.mcafeesecurity.com/vil/submit-sample.aspx>

           

          If you have a system where you can do a test scan, you may first wish to try our beta DailyDATs to get the latest detection available.   You can find this on our web-site at: <http://vil.mcafeesecurity.com/vil/averttools.aspx>

           

          Please include a description of the symptoms your system is experiencing, and any pertinent information about what AV Products you are using including company, version number (engine/dat numbers for McAfee Products) and results of the scan.

           

          Note -

           

          Due to the prevalence of network gateway AV products it is important that all submissions be zipped and the zip file password protected (password - infected). Some products will reject an email that contains a virus that is not sent in this way. In addition, often we receive a file that appears not to have been infected, to find later that the file was infected when it left the sender, and was cleaned somewhere along the line.

           

          For additional information, our Virus Information Library page can be found at <http://vil.mcafeesecurity.com/vil/default.aspx>

           

          Please use the following links to reach our technical support group for McAfee products.

           

          Corporate Customers:

          <https://support.mcafee.com>

           

          Single User/Retail Customers:

          <http://www.mcafeehelp.com>

           

          Regards,

           

          Girish Pillai

          Virus Research Analyst

          McAfee Labs™ - A division of McAfee, Inc.

          • 2. Re: xp security tool hijacked my computer,

            I ran antivirus in safe mode, and it got this:

             

            3/23/2010 6:51:53 PM Scan Started: 03/23/2010 06:51:53 PM
            3/23/2010 9:04:02 PM "C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP552\A1240404.exe" "PrcViewer" "5"
            3/23/2010 9:04:02 PM "C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP552\A1240404.exe" "Reboot-BD" "5"
            3/23/2010 10:04:41 PM Total objects scanned: 270129
            3/23/2010 10:04:41 PM Objects detected: 1
            3/23/2010 10:04:41 PM Scan Done: 03/23/2010 10:04:41 PM

             

            But the XP SECURITY VIRUS still exists.

            My McAfee version is the latest; see attached file with screenshots.

            • 3. Re: xp security tool hijacked my computer,

              I would try Stinger and before you run a scan go into preferences and set the sensitivity to very high.

              Here is the link, and I got this link from McAfee tech support. Hope it helps.

               

              http://download.nai.com/products/mcafee-avert/fakealertstinger.exe

              • 4. Re: xp security tool hijacked my computer,

                I cannot access the web from my infected computer, as the IE explorer has been hijacked and it closes all web windows. Can I download this onto the thumb drive and then use it?

                Thanks

                • 5. Re: xp security tool hijacked my computer,

                  I manually removed the stuff mentioned below. I can use my explorer now. I guess the code is still on my computer. How do I get rid of the code now? Any suggestions, anyone, please?

                  FYI: The exe file I had on my computer, which I removed, was "ave.exe", not "AV.exe"; no such file existed.

                  Note: I found these registry entries on the net. Whoever initially gave this solution, hats off to him. Thanks.

                  %Documents and Settings%\[UserName]\Application data\ave.exe <---- Removed this

                  HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command “(Default)” = “av.exe” /START “%1” %* <-- removed this

                  HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command “(Default)” = “av.exe” /START “%1” %* <-- removed this

                  HKEY_CLASSES_ROOT\.exe\shell\open\command “(Default)” = “av.exe” /START “%1” %* <-- removed this

                  HKEY_CLASSES_ROOT\secfile\shell\open\command “(Default)” = “av.exe” /START “%1” %* <-- removed this

                  HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command “(Default)” = “av.exe” /START “firefox.exe” <-- I don’t use this product

                  HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command “(Default)” = “av.exe” /START “firefox.exe” -safe-mode <-- I don’t use this product

                  HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command “(Default)” = “av.exe” /START “iexplore.exe” <--- Removed this

                  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center “AntiVirusOverride” = “1” <--- not found

                  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center “FirewallOverride” = “1” <--- could not find

                  %Documents and Settings%\[UserName]\Application Data\av.exe <-- This was found and removed

                  %Documents and Settings%\[UserName]\Application Data\WRblt8464P <------ This I could not find

                   

                  Moderator: Kindly close this discussion thanks

                   

                  Message was edited by: zor on 3/26/10 8:02:46 AM CDT

                   

                   

                  Message was edited by: zor on 4/8/10 11:08:14 AM CDT
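
The registry entries listed in the last post all route a `shell\open\command` or `shell\safemode\command` handler through the rogue executable. As an added example (not part of the original thread and not a McAfee tool), this Python script reads a `.reg` export and reports handlers that start a program other than the expected one; the sample export, its paths and the function names are constructed for illustration, and the check generalizes the post's `av.exe` entries to any unexpected program.

```python
import ntpath
import re

# Constructed sample in .reg export format; paths and values are made up.
SAMPLE_REG = r'''[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Application Data\\av.exe\" /START \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"av.exe\" /START \"iexplore.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""
'''

DEFAULT_RE = re.compile(r'^@="(.*)"$')          # the key's (Default) value
FILE_CLASSES = {'.exe', 'exefile', 'secfile'}   # executable file-type handlers


def first_program(command):
    """Return the lowercase base name of the program a command line starts."""
    m = re.match(r'\s*"([^"]*)"', command) or re.match(r'\s*(.*?\.exe|\S+)', command, re.I)
    return ntpath.basename(m.group(1)).lower() if m else ''


def hijacked_handlers(reg_text):
    """Return (key, command) pairs whose handler starts an unexpected program."""
    findings, key = [], None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith('['):
            key = line.strip('[]')
            continue
        m = DEFAULT_RE.match(line)
        if not (m and key and key.lower().endswith('\\command')):
            continue
        command = re.sub(r'\\(.)', r'\1', m.group(1))   # undo .reg string escaping
        parts = key.lower().split('\\')
        if 'startmenuinternet' in parts:
            # A browser entry should start the browser it is named after.
            expected = parts[parts.index('startmenuinternet') + 1]
        elif FILE_CLASSES & set(parts):
            expected = '%1'   # a file-type handler should start the clicked file itself
        else:
            continue
        if first_program(command) != expected:
            findings.append((key, command))
    return findings
```

Calling `hijacked_handlers(SAMPLE_REG)` on the constructed export returns the `.exe` and `IEXPLORE.EXE` entries and leaves the two clean handlers alone.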