Guest cisz
Posted April 15, 2010

We recently got a virus that tries to look like it's from microsoft. It brings up a window that looks exactly like the "security center" in the control panel (win xp). It then brings up another window that looks like it's from microsoft and seems to be a program called "xp smart security". It acts like it's running a scan and then says you're infected. It doesn't allow any other programs to run.

We got this in spite of having a firewall and real time virus protection.

Fortunately, it only affected our limited access account.

I was able to get rid of it using a malware scanner, but it disconnected all the programs from their files and now, whenever I try to run a program in that account, a window comes up asking which program or file to use to run the program.

Guest FromTheRafters
Posted April 15, 2010

What malware scanner did you use to 'get rid of it'?

"cisz" wrote in message news:hq6e6s026nl@news2.newsguy.com...
> We recently got a virus that tries to look like it's from microsoft.
> It brings up a window that looks exactly like the "security center" in
> the control panel (win xp). It then brings up another window that
> looks like it's from microsoft and seems to be a program called "xp
> smart security". It acts like it's running a scan and then says you're
> infected. It doesn't allow any other programs to run.
>
> We got this in spite of having a firewall and real time virus
> protection.
>
> Fortunately, it only affected our limited access account.
>
> I was able to get rid of it using a malware scanner, but it
> disconnected all the programs from their files and now, whenever I try
> to run a program in that account, a window comes up asking which
> program or file to use to run the program.

Guest David H. Lipman
Posted April 15, 2010

From: "cisz"

| We recently got a virus that tries to look like it's from microsoft. It
| brings up a window that looks exactly like the "security center" in the
| control panel (win xp). It then brings up another window that looks like
| it's from microsoft and seems to be a program called "xp smart security". It
| acts like it's running a scan and then says you're infected. It doesn't
| allow any other programs to run.

| We got this in spite of having a firewall and real time virus protection.

| Fortunately, it only affected our limited access account.

| I was able to get rid of it using a malware scanner, but it disconnected all
| the programs from their files and now, whenever I try to run a program in
| that account, a window comes up asking which program or file to use to run
| the program.

It wasn't a "virus" but was malware.

Download,
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

rename mbam-setup.exe to cisz.com
and then run cisz.com to install Malwarebytes' Anti-Malware.

Go to
C:\Program Files\Malwarebytes' Anti-Malware
COPY mbam.exe to mbam.com

update and then execute a quick scan.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest cisz
Posted April 15, 2010

"David H. Lipman" wrote in message news:OXYPwjI3KHA.5880@TK2MSFTNGP02.phx.gbl...
> From: "cisz"
>
> | We recently got a virus that tries to look like it's from microsoft. It
> | brings up a window that looks exactly like the "security center" in the
> | control panel (win xp). It then brings up another window that looks like
> | it's from microsoft and seems to be a program called "xp smart security". It
> | acts like it's running a scan and then says you're infected. It doesn't
> | allow any other programs to run.
>
> | We got this in spite of having a firewall and real time virus protection.
>
> | Fortunately, it only affected our limited access account.
>
> | I was able to get rid of it using a malware scanner, but it disconnected all
> | the programs from their files and now, whenever I try to run a program in
> | that account, a window comes up asking which program or file to use to run
> | the program.
>
> It wasn't a "virus" but was malware.
>
> Download,
> http://www.malwarebytes.org/mbam/program/mbam-setup.exe
>
> rename mbam-setup.exe to cisz.com
> and then run cisz.com to install Malwarebytes' Anti-Malware.
>
> Go to
> C:\Program Files\Malwarebytes' Anti-Malware
> COPY mbam.exe to mbam.com
>
> update and then execute a quick scan.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Thanks. It was malwarebytes that I used to get rid of the problem. I had renamed mbam-setup.exe to mb.exe and installed and then scanned.

Guest David Kaye
Posted April 15, 2010

"cisz" wrote:
>I was able to get rid of it using a malware scanner, but it disconnected all
>the programs from their files and now, whenever I try to run a program in
>that account, a window comes up asking which program or file to use to run
>the program.

Go to the file types tab on your folder options applet and enter a new filetype called EXE. On the Advanced button associate it with "Application", even though it says it's already associated with Application. Save your work. Go to your favorite app and it should load now.

Guest David Kaye
Posted April 15, 2010

"David H. Lipman" wrote:
>rename mbam-setup.exe to cisz.com
>and then run cisz.com to install Malwarebytes' Anti-Malware.

This doesn't always work. Some malware tracks some other part of the program, maybe the filesize or the internal name or the DLLs being called or something.

Guest David H. Lipman
Posted April 15, 2010

From: "David Kaye"

| "David H. Lipman" wrote:
>>rename mbam-setup.exe to cisz.com
>>and then run cisz.com to install Malwarebytes' Anti-Malware.

| This doesn't always work. Some malware tracks some other part of the program,
| maybe the filesize or the internal name or the DLLs being called or something.

No, it is usually the name (explicit) or just EXE files.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest David Kaye
Posted April 15, 2010

"David H. Lipman" wrote:
>
>No, it is usually the name (explicit) or just EXE files.

But not always. Believe me I've had lots of malware kill MBAM regardless of what I called it. Remember that I've been doing this stuff fulltime since 2002.

Some of the particularly bad infection would kill everything but a very old copy of SpySweeper and PrcView.exe, again, regardless of what I named the executable.

Guest David H. Lipman
Posted April 15, 2010

From: "David Kaye"

| "David H. Lipman" wrote:
>>No, it is usually the name (explicit) or just EXE files.

| But not always. Believe me I've had lots of malware kill MBAM regardless of
| what I called it. Remember that I've been doing this stuff fulltime since
| 2002.

| Some of the particularly bad infection would kill everything but a very old
| copy of SpySweeper and PrcView.exe, again, regardless of what I named the
| executable.

Certainly not size. That's a stupid approach. Different versions will have different sized executables.

I have examined *numerous* malicious binaries. They hard code the name of EXE files into their code. Everything from \drivers\vmmouse.sys, SbieDll.dll, ollydbg.exe, WIRESHARK.EXE --> PROCEXP.EXE --> HIJACKTHIS.EXE.

I have also seen the codes that thwart analysis, such as "IsDebuggerPresent", "createtoolhelp32snapshot" and ...

This program cannot be run in VMware Workstation. Please close VMware Workstation first.
This program cannot be run in Threat Expert. Please close Threat Expert first.
This program cannot be run in VirtualBox. Please close VirtualBox first.
This program cannot be run in VirtualPC. Please close VirtualPC first.
This program cannot be run in CWSandbox. Please close CWSandbox first.
This program cannot be run in Sandboxie. Please close Sandboxie first.
This program cannot be run in JoeBox. Please close JoeBox first.
This program cannot be run in Anubis. Please close Anubis first.

BTW: I've been dealing with malware for ~20 yrs. Ever since I had to remove the Jerusalem.B virus from a Netware v2.11 network.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

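An added example, not part of any post in the thread: the hard-coded names and API strings listed in the post above can be turned into a static triage check that pulls ASCII and UTF-16LE strings out of a binary and reports which indicators appear. The category names and the sample bytes are constructed for illustration.

```python
import re

# Indicator strings quoted in the post above; the grouping is this example's own.
INDICATORS = {
    "analysis tool name": ["ollydbg.exe", "wireshark.exe", "procexp.exe", "hijackthis.exe"],
    "sandbox/VM artifact": ["sbiedll.dll", r"\drivers\vmmouse.sys"],
    "anti-analysis API": ["isdebuggerpresent", "createtoolhelp32snapshot"],
}

def extract_strings(data, min_len=5):
    """Yield printable ASCII and UTF-16LE strings, like the `strings` utility."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group().decode("utf-16-le")

def triage(data):
    """Return {category: sorted indicators found}, matched case-insensitively."""
    hits = {}
    for s in extract_strings(data):
        low = s.lower()
        for category, needles in INDICATORS.items():
            for needle in needles:
                if needle in low:
                    hits.setdefault(category, set()).add(needle)
    return {category: sorted(found) for category, found in hits.items()}

# Constructed sample bytes (not a real binary): two import names, one wide
# string and one driver path, separated by non-printable filler.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"IsDebuggerPresent\x00CreateToolhelp32Snapshot\x00"
    + b"\xff\xff" + "OLLYDBG.EXE".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02C:\\WINDOWS\\system32\\drivers\\vmmouse.sys\x00"
    + b"kernel32.dll\x00"
)

if __name__ == "__main__":
    for category, found in triage(SAMPLE).items():
        print(f"{category}: {', '.join(found)}")
```

A hit is a triage signal rather than a verdict: plenty of legitimate software imports IsDebuggerPresent or CreateToolhelp32Snapshot, so the tool-name and sandbox categories carry more weight.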
Guest MEB
Posted April 15, 2010

On 04/15/2010 03:11 AM, cisz wrote:
> We recently got a virus that tries to look like it's from microsoft. It
> brings up a window that looks exactly like the "security center" in the
> control panel (win xp). It then brings up another window that looks like
> it's from microsoft and seems to be a program called "xp smart security". It
> acts like it's running a scan and then says you're infected. It doesn't
> allow any other programs to run.
>
> We got this in spite of having a firewall and real time virus protection.
>
> Fortunately, it only affected our limited access account.
>
> I was able to get rid of it using a malware scanner, but it disconnected all
> the programs from their files and now, whenever I try to run a program in
> that account, a window comes up asking which program or file to use to run
> the program.

http://www.dougknox.com/xp/file_assoc.htm

Note 1: it would be better to use exported entries from the particular system IF you have a backup or image. OR you may find the defaults exportable from admin account as you appear to indicate this was a "user" account.

Note 2: Any application specific entries beyond the defaults will likely no longer exist, hence they may need reinstalled [depends upon how thorough the hack was].

You MAY have a block of *.reg files, see the link for a "workaround".

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government

Guest cisz
Posted April 15, 2010

"David Kaye" wrote in message news:hq7sok$1sc$1@news.eternal-september.org...
> "cisz" wrote:
>
>>I was able to get rid of it using a malware scanner, but it disconnected all
>>the programs from their files and now, whenever I try to run a program in
>>that account, a window comes up asking which program or file to use to run
>>the program.
>
> Go to the file types tab on your folder options applet and enter a new
> filetype called EXE. On the Advanced button associate it with "Application",
> even though it says it's already associated with Application. Save your work.
> Go to your favorite app and it should load now.

The malware problem is happening in a limited user account. I was able to add the EXE filetype and associate it with "Application" in the admin account but for some reason, it doesn't seem to show up when I restart windows explorer. The "Apply" button was greyed-out so I don't know if it got saved.

Guest cisz
Posted April 15, 2010

"David Kaye" wrote in message news:hq7sro$1sc$2@news.eternal-september.org...
> "David H. Lipman" wrote:
>
>>rename mbam-setup.exe to cisz.com
>>and then run cisz.com to install Malwarebytes' Anti-Malware.
>
> This doesn't always work. Some malware tracks some other part of the program,
> maybe the filesize or the internal name or the DLLs being called or something.

I did have a problem. The 1st time I ran it, it didn't find anything. I hadn't saved the log file at 1st, thinking I could get it later. But when I tried to open mbam later, I got an error message. So, I reinstalled it and ran it again. This time it found the malware.

Guest Andy Medina
Posted April 15, 2010

"cisz" wrote in message news:hq850n090p@news2.newsguy.com...

> The malware problem is happening in a limited user account. I was
> able to add the EXE filetype and
> associate it with "Application" in the admin account but for some
> reason, it doesn't seem to
> show up when I restart windows explorer. The "Apply" button was
> greyed-out so I don't
> know if it got saved.

Try the following batch file to re-associate files to the XP defaults. You'll need to use "run as administrator" if you run it from the limited user account.

http://www.dougknox.com/xp/tips/xp_easy_file.htm

"REM Restore Default File Associations for Windows XP.
REM Copyright 2003 - Doug Knox
REM This BAT file restores the Default associations that XP ships with
REM It does not restore associations created by 3rd party applications."

Guest FromTheRafters
Posted April 15, 2010

"Andy Medina" wrote in message news:eYltiLP3KHA.5880@TK2MSFTNGP04.phx.gbl...
> "cisz" wrote in message
> news:hq850n090p@news2.newsguy.com...
>
>> The malware problem is happening in a limited user account. I was
>> able to add the EXE filetype and
>> associate it with "Application" in the admin account but for some
>> reason, it doesn't seem to
>> show up when I restart windows explorer. The "Apply" button was
>> greyed-out so I don't
>> know if it got saved.
>
> Try the following batch file to re-associate files to the XP defaults.
> You'll need to use "run as administrator" if you run it from the
> limited user account.
>
> http://www.dougknox.com/xp/tips/xp_easy_file.htm
>
> "REM Restore Default File Associations for Windows XP.
> REM Copyright 2003 - Doug Knox
> REM This BAT file restores the Default associations that XP ships with
> REM It does not restore associations created by 3rd party
> applications."

Some have recommended this reg file as a more surgical approach.

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

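An added example, not part of any post in the thread: the .reg file above implies what a healthy .exe association looks like, so the same expectations can be checked against a registry export before and after cleanup. The sample export is constructed and its path is a placeholder; treating the deleted keys as signs of tampering is an assumption drawn from what the fix removes.

```python
import re

EXPECTED = {  # default values the .reg file in the post sets
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
}
SHOULD_BE_ABSENT = [  # keys the .reg file in the post deletes
    r"HKEY_CURRENT_USER\Software\Classes\.exe",
    r"HKEY_CURRENT_USER\Software\Classes\secfile",
    r"HKEY_CLASSES_ROOT\secfile",
    r"HKEY_CLASSES_ROOT\.exe\shell\open\command",
]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse string values of a regedit export into {lowercased key: {name: value}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = m.group(1).strip('"')
            current[name] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo \" and \\
    return keys

def audit(text):
    """Return (problem, key, default value) tuples for the .exe association."""
    keys, findings = parse_reg(text), []
    for bad in map(str.lower, SHOULD_BE_ABSENT):
        for key, values in keys.items():
            if key == bad or key.startswith(bad + "\\"):
                findings.append(("unexpected key", key, values.get("@")))
    for key, want in EXPECTED.items():
        got = keys.get(key.lower(), {}).get("@")
        if got != want:
            findings.append(("default not as expected", key.lower(), got))
    return findings

# Constructed export for illustration; the path is a placeholder.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\PLACEHOLDER\\example.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
```

Regedit writes version 5.00 exports as UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing the text to `audit()`. Because HKEY_CLASSES_ROOT is a merged view of the machine-wide and per-user Classes keys, export from the affected account so that per-user overrides are visible.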
Guest cisz
Posted April 19, 2010

I'm not exactly sure why, but suddenly the programs associated with their files. I did try creating the EXE file type and associating it with "applications" but that didn't seem to work. Maybe it needed a few reboots?

Thanks to everyone for your help.