next »

[Splinter]

Yet another nasty dressed up as AV on a client's PC.
This one is proving very resistant to my efforts to remove it.
Tried MBAM, SB S&D amongst others.
Even tried the manual registry entries deletion, but the damn thing keeps coming back.
Blocks any efforts to update MBAM database, even using a proxy. Googled the lot on this, but it seems to take on different guises on different PC's.
I'll keep persisting until I reach the last resort and start to tear my hair out.

[corroded]

You know, I looked at the thread name and thought.... wow, that sounds like Spyware to me.

[keasy]

LOL it does doesn't it !


If you know where the bugger has burried itself directory wise could you could fire up a distro and wheech it out.

[Splinter]

It's nasty, I tell you.
Left the PC isolated and running MBAM again overnight in the shop with a full scan.
If it's still there tomorrow, I'm zapping the drive.
Although I may try this first
http://www.bleepingcomputer.com/virus-removal/remove-xp-home-security-2012

[Wooster]

It's been about for yonks under various guises, but I'm forgetting that a lot of people are still running XP and behind the curve.

All that seems to change is the date and OS version it shows.  

I used to use ProceXP to suspend it* (if you kill it, it starts up again) and then hit it with MBAM, HiJackThis and a decent AV.

* http://technet.microsoft.com/en-us/sysinternals/bb896653

..if you run Hijackthis and bung the log file into the Hijackthis Analyzer (spelling is correct) site first it should show you the rogue processes to suspend.

[Splinter]

I will try all these suggestions for my self education.
Zapping the drive achieves nothing, except nuking the virus and learning nothing.
Thanks to both.

[keasy]

BTW it seems it's just more of a nagware and scamware...not reporting to any external ip's or actually logging anything trojan style.



Seems it's intended purpose is 100% to scam people into buying the so called 'product'.

Apparently.... this works....

enter this code...

2233-298080-3424, 3425-814615-3990

It thinks you've bought it...will stoip the nagging and allow normal surfing etc.
Then malwarebytes or spydoctor will hit it and kill it after doing these manual instructs...


Reg Values to delete...

Code:

HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1

'

Sys Directories to delete...

Code:

%AllUsersProfile%\Application Data\u3f7pnvfncsjk2e86abfbj5h %LocalAppData%\kdn.exe %LocalAppData%\u3f7pnvfncsjk2e86abfbj5h %Temp%\u3f7pnvfncsjk2e86abfbj5h %UserProfile%\Templates\u3f7pnvfncsjk2e86abfbj5h

Just done a quicky google. So it may not be true but well worthy of giving a bash.

[Splinter]

Roger, wilco and many thanks!

[Splinter]

Only thing that worked was the manual editing of the registry which enabled finally an internet connection and update malwarebytes.
Thanks Keasy for that.
Client to be billed accordingly

[Hap Hazzard]

Try running pc in safe mode with internet. Then install malwarebytes via pen drive, set to full scan, work for me on a friends machine a week ago, all gone. 

Ah that was with windows 7

If i remember right, with xp you had about 6 seconds from your desktop appearing to find and kill the process in task manager, what ever that was,and then start malwarebytes, fingers like bees wings i say.

[Splinter]

Thanks Hap, all sorted now but point taken.
This was a relatively simple problem to solve once the solution was in hand, so to speak.

[Splinter]

And then this one turns up, Windows Debug
http://www.myantispyware.com/2012/03/28/how-to-remove-windows-debug-center-virus/

Much easier to remove. One of the common traits here is that Ares was installed on all the pc's infected in this way and Nod32 cracked av expired Aug 2011, not that even that would have stopped it.
Still, it's good business