# PC Virus - XP Security 2010, XP Defender Pro, and other names



## deltadude (Apr 17, 2010)

I have been silent for a couple of weeks for two reasons. The 1st reason is personal, resulting from some shocking online mistreatment (not SMF related), so I decided to take an online hiatus.

The 2nd: my PC was attacked by a serious virus, XP Security 2010 / ave.exe. My son had jumped on my PC and went to two big sites, Yahoo and Facebook, and the PC was infected. This attack helped enforce my online hiatus.

Before some start saying my PC was attacked because of poor security, think again. All of my security software was up to date; I try to be proactive about being current on PC security. However, daily new PC vulnerabilities are discovered, and hackers generate new malware/viruses/trojans/rootkits/etc. to infect your PC. I thought it would be helpful to share my experience with this latest virus attack.

• *Fake virus warning popups* that attacked me: image below.
• *Names for this virus*: image below.

This rogue pretends to be an update for Windows installed via Automatic Updates. It will then install itself as an executable called AV.exe or AVE.exe that uses very aggressive techniques to prevent you from removing it. First, you can't launch any executable; instead it launches XP Security Tool 2010 (or one of the names in the virus list below). Only programs that the virus deems safe (won't threaten the virus) are allowed to launch, in order to protect itself. Antivirus software will not be allowed to launch; instead the fake virus warnings pop up. It may also modify certain keys so that when you launch Firefox or Internet Explorer it will launch the rogue instead and display a fake firewall warning. Your Windows Firewall is disabled. In addition, when trying to browse a web site, it will hijack your browser and state that the site is a security risk.

• You can read about this virus here

My PC is 3 years old, 2.0+ GHz, 3 GB RAM, dual core.
Antivirus software: Avast (resident), SuperAntiSpyware Pro (resident), Windows Firewall (I have now changed), WinPatrol (resident), Malwarebytes (on call), Sophos for rootkit detection.

My security hole was Windows Firewall. I used Windows Firewall because I felt the WinPatrol + Avast/SuperAntiSpyware setup was pretty solid, and if infected, with the 4 AV programs I could detect or clean most infections. I was wrong!

Tools you will need:
Malwarebytes (MB)
Everything: this is a super fast NTFS drive file finder tool; it will find any file in 1 to 3 seconds after the initial scan. (I have 750 GB of storage; the initial scan is less than 1 minute.) Won't search a USB FAT32 flash stick, or any FAT32 device.

*STEPS TO REMOVE the virus.*
This only applies to XP and my system, but may help others.
• *If you don't have Malwarebytes,* you need to download it on a clean PC and put the MB setup file on a flash stick. If you don't have another PC that is connected to the internet, see the System Restore method below.
- You need the latest database update. Install MB on the clean PC, launch and update, click OK.
- Copy "rules.ref" from the clean PC to your flash stick. It is located at C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
• Boot the infected PC into Windows Safe Mode.
• The virus stops the launch of "mbam-setup-1.45.exe", so change the file name's .exe extension to .com (mbam-setup-1.45.com).
Now launch the MB INSTALL only. When MB installs, it will ask to Update & Launch. *STOP!*
- Copy "rules.ref" to the correct directory on the infected PC. Use "Everything" to quickly find that directory, or using Windows Explorer check here: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware, and overwrite the existing rules.ref. ALSO
- using Windows Explorer, go to the directory where you installed Malwarebytes and change "mbam.exe" to "mbam.com". Remember, the virus takes over all .exe files and prevents them from running, especially antivirus apps.
Back to the MB install screen.
- Click No on Update.
- NOW Launch.
• Do a Quick Scan. MB should locate the virus and its various infections. Follow the steps to quarantine or delete.
• Reboot your PC into normal Windows mode. Now run your other virus detectors and see if you can find any other viruses. Be sure to update your AV detectors before you do this scan. Only run one scanner at a time.

*You already have Malwarebytes*, but it won't run. Follow the step above and rename "mbam.exe" to "mbam.com". Try to launch and scan; if successful, good.
If not successful, uninstall Malwarebytes, then run "mbam-clean.exe".
Follow the instructions above for those that don't have Malwarebytes.

*If none of the above worked, then* use Windows *System Restore* and restore the registry to a point several days prior to the infection. BEWARE: if your system wasn't running smoothly before the infection, System Restore could cause a catastrophic failure. (To make sure your system is operating properly, weekly clean out all browser cache, defrag the hard drive, keep the number of programs launching at startup to a minimum, and remove all other unnecessary apps from startup.)
- After System Restore, follow the instructions above.

*Problems*
In my case there were residual viruses installed by the initial infection. Depending on how bad a version you are infected with, you may be lucky and the above instructions get you up and running with no more problems. If you are unlucky, the infection not only installs the Security 2010 virus; you may also be infected with 1 to dozens of other viruses. In my case there were about 4 to 6 other viruses.

• The initial virus was stored in "av.exe" or "ave.exe", but that isn't the only place, and I can't find any posting that gives a complete list of files to search for. Fortunately Avast did a good job of blocking the majority of the residual viruses, but the attacks were random and happened at various times of the day. I still don't know what events triggered them.

• When new popups occurred I would reboot into Safe Mode and do a scan with the virus detector that gave the warning. I always did a scan with all three of my virus detectors (Avast, SuperAntiSpyware, Malwarebytes). Combined, that could be 2 hours of scanning. I had to find the root of the problem. Sometimes after a warning or popup, running all three AV scans one after another, each would catch something different. That is why you need multiple AV engines. NOTE: it is NOT recommended to have two antivirus apps running resident; one antivirus and one antimalware is OK.

• I contacted SuperAntiSpyware. As a Pro owner, I get free analysis using SAS's online system diagnostic tool, which uploads a complete, detailed system report. Unfortunately, SAS did a lousy job on this virus, and the technical help and I just went back and forth, never achieving anything.

• I posted in the Malwarebytes support forum, but never received an answer. However, after carefully reading the many other complaints and requests for help on the exact same issue, I noticed some repetitive things. One was a common complaint about PDF files, and I read many advisories on Adobe Reader vulnerabilities in connection with Java.

• I *uninstalled Adobe Reader* and installed a free alternative PDF reader.

*ALL VIRUS ATTACKS STOPPED!* (It was more involved than this, but it is worth a shortcut try.)

*Read how to remove this virus*
Here, here, check this forum category

*TIPS on Security*
• Keep all the programs you are regularly using up to date. I can't stress this enough!
• Dump Windows Firewall. I used to believe that my other AV apps with Windows Firewall were enough. The sophistication and level of attacks/infections are so broad that no security app can keep up. Therefore all levels of protection need to be addressed; I had failed by not dealing with the firewall. I now use "Online Armor"; so far OK.
• This forum is fairly reliable for finding info on PC problems
• Check this site for free antivirus stuff that works; look under the Security category.
• YOU PAID for one of the big AV programs, Norton, McAfee, etc. Maybe you are getting what you paid for, maybe not: independent Feb 2010 report, proactive tests, tests conducted by.

*VIRUS fake warning POP UPS* (screenshots not reproduced)

*VIRUS NAMES: XP Security Tool 2010, XP Defender Pro, Vista Security Tool 2010, and Vista Defender Pro* are just a few of the names this virus uses...
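The behaviour deltadude describes above (every .exe launches the rogue, antivirus tools are blocked, and renaming mbam.exe to mbam.com gets around it) comes down to a handful of registry values that decide what runs when an .exe is opened and what runs at logon. The script below is an added example for this thread, not code from any poster or from Malwarebytes, Avast or WinPatrol: it parses a registry export (.reg) and flags those values, and diffs the Run (autostart) entries against an export taken from a clean machine. The key paths and their clean defaults are the standard XP values and are assumed here (the post does not name the keys); the Image File Execution Options check is an extra hijack point the post does not mention; and both sample exports, including the av.exe path in them, are constructed to mirror the post's symptoms rather than real captures.

```python
r"""Audit a Windows registry export (.reg) for the execution hijack points a
rogue like XP Security 2010 / av.exe uses, and diff Run (autostart) entries
against an export from a clean machine.  Added example for this thread, not
code from any poster or product.  Key paths and defaults are the standard XP
values (assumed; the post does not name the keys).  Both exports below are
constructed to mirror the post's symptoms and are not real captures.  On a
real box export with  regedit /e out.reg "HKEY_CLASSES_ROOT\exefile"  etc."""
import re

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
RUN_KEYS = (r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_current_user\software\microsoft\windows\currentversion\run")
EXPECTED = {  # (key, value) -> clean XP data; the first two are what makes "every .exe launches the rogue"
    (r"hkey_classes_root\.exe", "@"): "exefile",
    (r"hkey_classes_root\exefile\shell\open\command", "@"): '"%1" %*',
    (WINLOGON, "userinit"): r"c:\windows\system32\userinit.exe,",
    (WINLOGON, "shell"): "explorer.exe",
}

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes \ and " with a backslash

def parse_reg(text):
    """REGEDIT4 / 'Version 5.00' text -> {key: {value_name: data}}.
    Key and value names are lower-cased (the registry is case-insensitive);
    REG_SZ data is unescaped, other types are kept as the raw token."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            name = "@" if name == "@" else _unescape(name[1:-1]).lower()
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys

def find_hijacks(keys):
    """(key, value, found, expected) for each hijack point that differs from
    the clean XP default; found is None when the value is missing."""
    hits = []
    for (key, value), expected in EXPECTED.items():
        found = keys.get(key, {}).get(value)
        if found is None or found.strip().lower() != expected:
            hits.append((key, value, found, expected))
    return hits

def ifeo_debuggers(keys):
    """(program, debugger) for every Image File Execution Options entry with a
    Debugger value: a way to redirect one named program, e.g. an AV tool."""
    prefix = IFEO + "\\"
    return sorted((k[len(prefix):], v["debugger"]) for k, v in keys.items()
                  if k.startswith(prefix) and "debugger" in v)

def new_autostarts(baseline, current):
    """(key, name, data) for Run entries absent from or changed since baseline."""
    return [(key, name, data) for key in RUN_KEYS
            for name, data in current.get(key, {}).items()
            if baseline.get(key, {}).get(name) != data]

def audit(current_text, baseline_text=None):
    cur = parse_reg(current_text)
    report = {"hijacks": find_hijacks(cur), "ifeo": ifeo_debuggers(cur)}
    if baseline_text is not None:
        report["new_autostarts"] = new_autostarts(parse_reg(baseline_text), cur)
    return report

# Constructed sample exports (not real captures); the av.exe path is made up.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"Shell"="Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\Program Files\\Alwil Software\\Avast4\\ashDisp.exe"
'''
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="secfile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\All Users\\Application Data\\av.exe\" /START \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"Shell"="Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="C:\\Documents and Settings\\All Users\\Application Data\\av.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\Program Files\\Alwil Software\\Avast4\\ashDisp.exe"
"Security Tool"="C:\\Documents and Settings\\All Users\\Application Data\\av.exe"
'''
```

Run `audit(INFECTED_EXPORT, CLEAN_EXPORT)` and the report lists the rewritten `.exe` association and `exefile` open command, the Debugger redirect on mbam.exe, and the "Security Tool" Run entry that is not in the clean baseline. The `exefile\shell\open\command` value is what makes every .exe start the rogue, and it is also why renaming a scanner to .com sidesteps it: .com files are dispatched through a different association. The Winlogon `Userinit` check is the same value ronp's later userinit.exe popup is about; a clean value there still says nothing about the file itself, which is a separate question. If `.exe` points at a class other than `exefile`, export and inspect that class's `shell\open\command` too, since a rogue can define its own.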


----------



## scubadoo97 (Apr 17, 2010)

Timely warning.

I got hit with Security Tool about 10 days ago. Bad virus for sure. I was doing a Google search (not porn) and just opened up a site. My Avira antivirus popped up with 3 detections and I denied access to each. Did a Ctrl/Alt/Delete to shut down the browser and was left with a little box wanting me to close it. Instead I just shut off the computer. Well, not good enough: when I went back up, Security Tool had taken over my computer and began its fake scan of my computer looking for the virus that it put there. I could not even shut down the computer from the Start button but had to shut it off from the CPU.


My 23 yr old son got rid of it in a day. I'm too computer illiterate to know exactly how he did it, but we now have Malwarebytes running on the computer. He told me one of his friends just got it, and my accountant got it on his home computer recently. This bug is out there waiting to strike.


----------



## DanMcG (Apr 17, 2010)

Thanks for the heads up Dude!


----------



## brud (Apr 17, 2010)

Thanks for the good info. I have a computer down right now with the same problem.
I have Windows Vista.


----------



## tom37 (Apr 17, 2010)

I also had this nasty little bug about 2 weeks ago. This thing jumped in with both feet and tried to take over. I worked on it for a few hours in Safe Mode with no success.

A friend of mine has a computer shop south of here about 50 miles; being that far, I didn't want to just run down there. A few minutes on the phone and he was in my system creeping around, picking and choosing files to delete. He said at that point in time there was no quick fix via a program or patch. Claims that if certain files are not deleted in order, it WILL come back. Maybe a few days, maybe a few hours. Knowing the time of the onset was vital for him to pick and choose the correct files.

It's been two weeks and no re-attack. I think I am in good shape. I hope.

He stated the same as above about Malwarebytes being a program of choice.

The day I called he was working on his own machine (freshly built, no less). He hit Google for a search and that was all it took; he had it as well.

It's a durn shame that there are folks sitting around with enough time on their hands to create these sorts of nasty files.

Hopefully everyone can stay clean and virus free. There's no sense wasting time when we could be cooking.


----------



## mythmaster (Apr 17, 2010)

Thank you for the detailed info.

I saw tons of those types of viruses when I was a PC tech. A similar one just hit a buddy of mine's system, except the "scanner" started up before his desktop (just the wallpaper would load) and it had disabled the Task Manager so he couldn't kill the process or run explorer.exe manually. Further, it didn't ID itself with a name, making it pretty much impossible to Google any info about removing it.

If anyone finds themselves in this kind of a situation, then you'll have to boot to a rescue CD that has virus scanning software on it, and scan your system from there. Sometimes the rescue CD won't have the right driver for your network card, so it's a good idea to download one (on another computer) whose definitions have already been updated, or one that will let you update them from a USB flash drive.

The following 2 rescue CDs support those features:

*Avira*. This download is updated several times a day, so you don't need to worry about updating the virus definitions: http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html

*F-Secure*. You can download the updates to a blank USB flash drive that is larger than 256 MB: http://www.techmixer.com/free-f-secure-rescue-bootable-cd-to-clean-virus-and-malware/

After my friend did that he was able to get back into his desktop and update and run Malwarebytes to make sure everything was cleaned.


----------



## silverwolf636 (Apr 17, 2010)

Great job, Delta. There should be more ppl in this world like you, helping others out.
I don't run Windoze but the info is still good to know.

--ray--
(0||||0)


----------



## daddyzaring (Apr 17, 2010)

Maybe you guys should stay away from those adult BBQ sites, and quit looking at all of that naked smoked meat.


----------



## deltadude (Apr 17, 2010)

Mythmaster,
Thanks for the info on the rescue CD. I will look into that.

I already keep all my AV software on a flash stick; I update it each week. These are the downloaded, ready-to-install copies.

I am working on trying to make sure my PC is absolutely clean, then I will be looking into a "Sandbox" solution.
Read more here


----------



## wingman (Apr 17, 2010)

Vista and up users... You can always go back to a recent restore point. Restore your system to a previous day or several days before the issue started occurring. You would want to scan your data files thoroughly once you're back in business.

Right click on My Computer. Select "Properties". Under Tasks on the left, select "System protection". A dialogue box will appear; click Continue. Next select "System Restore". You will then see the available restore points. I have had to do this on a couple of occasions and it worked great. They were related to bugs in iPhone installs etc. Regardless, it will restore your system to the day and time you select for the restore point. Any software loaded after that will have to be reloaded.


----------



## bassman (Apr 17, 2010)

Thank you a bunch for the information. I have Malwarebytes, but haven't run it for a while. Guess I'll be doing that this evening.


----------



## gooberguy (Apr 17, 2010)

Sorry, but some of these viruses will not allow system restore either.


----------



## ronp (Apr 18, 2010)

Here is one that is very irritating, after running Malwarebytes and removing 29 adware.pro instances. I run at least 3 other programs 2 times a day. It pops up every 5-10 minutes and I can't seem to get rid of it. It wants to be in my startup folder and I can't figure out how to get rid of it. I also have McAfee running in the background.

Here is a pic.



Thanks.


----------



## mythmaster (Apr 18, 2010)

I use Linux, but I've run XP in VirtualBox with much success.  It's quite fast if your CPU supports virtualization technology.  I'm about to start using Xen now, but it's much trickier to set up.

Don't expect to watch videos or play games from your guest OS, though.  Xen 4.0 does support VGA passthrough so that the guest OS can use hardware accel, but I haven't seen it in action yet.  You need a CPU/chipset that support IOMMU which is primarily Intel now, and my systems are AMD.


----------



## mythmaster (Apr 18, 2010)

That one's trickier, Ron, because userinit.exe is actually a system file required by Windows, but we don't know if it has been infected by a rootkit or not. It would be best to go ahead and replace it with the official userinit.exe binary from Microsoft. I'd search through their tech support articles for "replacing infected userinit.exe in vista" or something similar for the best method to do that, whether it be extracting it from the installation disc, re-installing a service pack that updated it, or downloading it directly from Microsoft.


----------



## deltadude (Apr 18, 2010)

Ronp,
You can scan that file online at: http://www.virustotal.com/
However, it may scan clean, and there may be another trigger that will take action as soon as the init file is in startup.

The reason to have 2 or 3 virus scanners is that each has a different scan engine, and each will find different things. Per my initial post, it is OK to have a resident "always on" antivirus (i.e. Norton, or Avast, AVG, etc.) and a resident antimalware such as SuperAntiSpyware, or Malwarebytes, or Search & Destroy; for example, Norton with Malwarebytes, or Norton with Search & Destroy, both running resident is OK. But Norton + Malwarebytes + Search & Destroy all resident is a NO NO and they will conflict. Another example: Avast + Malwarebytes + Norton, again a NO NO. Only one AV and one antimalware running resident "always on".

So on my PC it's Avast + SuperAntiSpyware running resident "always on"; Malwarebytes is installed but only runs when I open it and manually run a scan.

OK, so that is clear. Ronp, scan with your 2 resident programs (first update them), then scan with 2 others.
• Check this site for free antivirus stuff that works; look under the Security category.

Also, using WinPatrol, check the startup and the processes and see if you can recognize anything new; check the dates when first seen.

If none of that works, then go to the Malwarebytes support forum, follow these instructions, and post the results here. Someone will help you.

I could get you on the phone, but I'm not an expert, and it would be trial and error.

I had your problem about 6 months ago, and SuperAntiSpyware detected it and cleaned it. However, after this past infection SuperAntiSpyware let me down; I don't think they are tops anymore.


----------



## wingman (Apr 18, 2010)

You are correct. My point was it's an option to try. It may be a quick fix or may not. There is a really good tool out there that has been the one I have used when others have failed: SpyHunter. It's pretty good about getting rid of malware etc. Just a thought.


----------



## mythmaster (Apr 18, 2010)

This is one of the many, many reasons that I use Linux.

Whether or not you got hit with a rootkit, you should simply replace the userinit.exe file with an official one.  This way you can be sure.  Even if anti-malware software were to be able to detect that it was infected, it wouldn't be able to replace it for you.  You would still have to do that manually.

I've been doing this for 25+ years and have a pretty good idea about it.

I'm not saying don't scan it with everything that you can get your hands on -- definitely do that.

I'm just telling you what I see and what I think that you need to do about it.


----------



## deltadude (Apr 18, 2010)

You're right, mythmaster, if you have easy access to system files.


----------



## chefrob (Apr 18, 2010)

good to see ya back.......


----------



## ronp (Apr 18, 2010)

WinPatrol was popping up every 5 minutes last night. I checked all my scanning programs and startup folders and couldn't find a trace of that file. I finally did a restore and it went away, finally; we'll see.


----------



## mythmaster (Apr 18, 2010)

I never said it was *easy*, but there are proper ways to get them, which is why I suggested that he go to Microsoft and search.

I'm glad to hear that a restore worked for you, Ron!

----------

Personally, I think that there should be stronger legislation against people who write and spread malware, because it's just like walking up to someone on the street and punching them in the face.  While it's difficult to track them down, it's not impossible, and they should be punished.

As a technician, some 60-70% of my business was from removing malware, so it's pretty obvious to me why this is being done.

Would we let a doctor get away with injecting his patients with a disease so they would have to come back for repeated treatments?  This isn't just unethical, it's criminal.

/rant


----------



## silverwolf636 (Apr 19, 2010)

MythMaster, I'm with you on this one. These viruses and malware make me money on the side for gettin' rid of them for people, but they definitely need to raise the bar on punishment when they catch them.

I enjoy my Linux 'cause sometimes I run a trace and follow where it actually originated.
--ray--
(0||||0)


----------



## pops6927 (Jul 3, 2020)

I use Malwarebytes Premium (paid, not Free) and since I have gotten that, it catches EVERYTHING!  Very inexpensive computer insurance against all attacks!


----------



## FrankLeen (Jul 9, 2020)

I had the same problem; viruses are such a pain in the neck. If I were you, I would install a cleaner after deleting your virus, because it will remove all residual and unnecessary files from your computer. I advise you to check this article if you want to find the best computer optimizer for your system. There you can find different types of cleaners, so you won't be disappointed; some of them are free to download, so you won't spend your money on it.


----------

