Need help removing XP Antimalware - won't let me on net!

Glamazon

I cant get on the net from my laptop to follow any advice on there.

would a system restore do anything?

help

thanks

Browntoa

folow these same steps

http://forums.moneysavingexpert.com/showthread.html?t=2351993

to get malwarebytes , or superantispyware on to a usb drive or CD

Glamazon

Sorted now thanks!

I think it wasnt letting me on the net because I kept clicking to close the pop up when it came up on the taskbar.

I got OH to download it onto a flashdrive and its now run on lappy and deleted the 13 infected objects.

Once mine had finished his PC flashed up with the same Malware problem so I've just sorted it out for him and it's running a full scan now.

Thanks for your help

Glamazon

AAAAAAAAAAAAAGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHH

After getting rid of one it seems like I now have another one :mad:

Browntoa

can i see the last malwarebytes log file for the pc

Glamazon

Malwarebytes' Anti-Malware 1.44
Database version: 3890
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

21/03/2010 14:29:40
mbam-log-2010-03-21 (14-29-40).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 188281
Time elapsed: 37 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\rxup.rko (Backdoor.Bot) -> Delete on reboot.

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe rxup.rko jrgsvde) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\rxup.rko (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\Temp\E.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vicki\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Glamazon

above is the latest log - thanks for the help

I am getting random popups even though my pops up blocked and when I type something into google - like ebay, when I click on the ebay links I'm getting sent to random websites like goldenmotel and stuff!

macman

What AV are you using?

Glamazon

macman wrote: »

What AV are you using?

McAfee - but it says there's nothing on my laptop despite running a full scan.

macman

Glamazon wrote: »

McAfee - but it says there's nothing on my laptop despite running a full scan.

So what does that tell you about McAfee?
Get yourself a decent AV: Avira, Kaspersky would be my preferences.

enigma52

well xp is on SP3 and ie is on ie8, both need updating