System Security won't let anything run


System Security won't let anything run

Post by scw2 on 15th June 2009, 8:09 pm

Hello. I browsed around and tried many of the suggestions for ridding my computer of the System Security virus. I downloaded IceSword, Malwarebytes, and HijackThis, but was unable to run any of these programs. I am running XP. The virus won't let me run any programs whatsoever - task manager, regedit, and I cannot start up in safe mode, no matter how I try.

Any suggestions? Please and thank you!

scw2
Novice
Novice

Posts Posts : 33
Joined Joined : 2009-06-15
OS OS : Windows 7
Points Points : 27402
# Likes # Likes : 0


Re: System Security won't let anything run

Post by scw2 on 15th June 2009, 8:24 pm

Okay, quick update:

I was able to extract IceSword. When I ran it, I followed the prompts to registry, HKEY_LOCAL_MACHINE, all the way through to "Run," where I was supposed to find 2 run commands of random numbers. Instead, I found only one entry of random numbers, and I deleted that. Then I closed IceSword. System Security is still running on my computer.


Re: System Security won't let anything run

Post by scw2 on 15th June 2009, 8:57 pm

After continuing to follow advice given to users with my same problem, I rebooted after the IceSword, and downloaded HijackThis, which worked this time. The following is the text I think you asked to see for some others, maybe it will be helpful for me too.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:20 PM, on 6/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\websrvx\websrvx.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\windows\ld08.exe
C:\windows\mstre19.exe
C:\windows\freddy46.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\windows\romeo15.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iConcepts Music Express\MEAutoDetect.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\windows\romeo15.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld08.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp10.exe
O4 - HKLM\..\Run: [sysmstray] C:\windows\mstre19.exe
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy46.exe
O4 - HKLM\..\Run: [sysberay2] C:\windows\romeo15.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [systgray2] c:\windows\tag12.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Auto Detect.lnk = C:\Program Files\iConcepts Music Express\MEAutoDetect.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: websrvx - Unknown owner - C:\Program Files\websrvx\websrvx.exe

--
End of file - 7158 bytes


Re: System Security won't let anything run

Post by Belahzur on 15th June 2009, 9:08 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
    O4 - HKLM\..\Run: [sysldtray] C:\windows\ld08.exe
    O4 - HKLM\..\Run: [pp] C:\windows\pp10.exe
    O4 - HKLM\..\Run: [sysmstray] C:\windows\mstre19.exe
    O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy46.exe
    O4 - HKLM\..\Run: [sysberay2] C:\windows\romeo15.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [systgray2] c:\windows\tag12.exe
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: websrvx - Unknown owner - C:\Program Files\websrvx\websrvx.exe


  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

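As an added example (not code from the thread, and not a feature of Trend Micro's HijackThis), the following Python script applies the kind of triage Belahzur did by hand on the log above: it parses HijackThis entries and flags orphaned items that point to no file, services with no publisher or a missing binary, and autorun entries that launch an executable directly from the Windows folder rather than System32. The sample log is a constructed subset of the lines posted in this thread; the heuristics and the function names are my own assumptions.

```python
import re

# Constructed sample: a subset of the HijackThis log posted earlier in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld08.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp10.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: websrvx - Unknown owner - C:\Program Files\websrvx\websrvx.exe
"""

# A HijackThis entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] target".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")

# An executable sitting directly in C:\windows or %systemroot% (not in a subfolder such as
# system32). Legitimate autoruns rarely live there; the Koobface droppers in this thread all do.
WINDIR_ROOT_EXE = re.compile(r'^"?(?:c:\\windows|%systemroot%)\\[^\\"]+\.exe\b', re.IGNORECASE)


def parse_hjt(text):
    """Return (section, body) pairs for every entry line in a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(entries):
    """Apply the heuristics described in the lead-in; returns one finding per suspicious entry."""
    findings = []
    for section, body in entries:
        reasons = []
        if body.endswith("(no file)"):
            reasons.append("orphaned entry: points to no file on disk")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service with no publisher")
        if section == "O23" and body.endswith("(file missing)"):
            reasons.append("service whose binary is missing")
        if section == "O4":
            # The autorun target follows the "[name] " prefix; Startup .lnk lines have no prefix.
            target = body.split("] ", 1)[1] if "] " in body else body
            if WINDIR_ROOT_EXE.match(target):
                reasons.append("autorun executable directly in the Windows folder")
        if reasons:
            findings.append({"section": section, "entry": body, "reasons": reasons})
    return findings


def fix_lines(findings):
    """Render findings back as HijackThis lines, the form you would tick under 'Fix Checked'."""
    return [f"{f['section']} - {f['entry']}" for f in findings]


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"{f['section']} - {f['entry']}")
        for r in f["reasons"]:
            print(f"    -> {r}")
```

Run against the constructed sample, the script flags five of the nine entries: the orphaned BHO, the two autoruns in C:\windows, and both "Unknown owner" services (aspnet_state gets a second reason for its missing binary). Entries such as ccApp and the Bonjour service, which point at signed vendor software in Program Files, are left alone; the heuristics are a first pass for triage, not a verdict.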

Re: System Security won't let anything run

Post by scw2 on 15th June 2009, 11:16 pm

Thank you! I did what you said, and I will be posting the log of the MBAM in just a few moments. However, in the meantime, my computer told me that I was running very low on free disk space, so I went to "Add or Remove Programs" to try to delete those that we don't use much. I found an enormous program that is over 1,000 MB big, a game of some kind that my brother installed. I tried to uninstall it, but I get an error that says:

>SetupDLL/SetupDLL.cpp (439)
pAPP:Magic: The Gathering - Battlegrounds
PVENDOR:Atari
PGUID:0C88C4A1-A9D7-4C28-8F06-4C2048765193
$7.1.100.1248
@Windows XP Service Pack 2 (2600) IE 7.0.6000.16791

Setup has experienced an error. Please do the following:
-Close any running programs
-Empty your temporary folder
-Check your Internet connection (Internet-based setups)
Then try to run the Setup again.
Error code: -5001


Do you happen to know what I could do to fix that while I'm letting this malwarebytes scan?


Re: System Security won't let anything run

Post by scw2 on 15th June 2009, 11:47 pm

Malwarebytes' Anti-Malware 1.37
Database version: 2285
Windows 5.1.2600 Service Pack 2

6/15/2009 7:38:42 PM
mbam-log-2009-06-15 (19-38-42).txt

Scan type: Quick Scan
Objects scanned: 138419
Time elapsed: 29 minute(s), 4 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 44
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 11
Files Infected: 45

Memory Processes Infected:
C:\Program Files\websrvx\websrvx.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
c:\program files\podmena\podmena.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\podmena (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\podmena (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\podmena (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.clientinstaller (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.requiredcomponent (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.zangoclientax (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\lmgr180.wmdrmax (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2b0eceac-f597-4858-a542-d966b49055b9} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6c092742-10fe-4db2-988d-fc71948de70c} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7fa8976f-d00c-4e98-8729-a66569233fb5} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a16650a9-b065-40ec-bbd1-f8d370d17fb1} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bdddf1a5-51a9-4f51-b38d-4cd0ad831b31} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ddea2e1d-8555-45e5-af09-ec9aa4ea27ad} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e43dfaa6-8c16-4519-b022-8792408505a4} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f1f1e775-1b21-454d-8d38-7c16519969e5} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{5b6689b5-c2d4-4dc7-bfd1-24ac17e5fcda} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\websrvx (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\websrvx (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\websrvx (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\podmenadrv (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\podmenadrv (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\podmenadrv (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\podmena (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\8085:tcp (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Zango (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\screensaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\websrvx (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\podmena (Trojan.Downloader) -> Delete on reboot.

Files Infected:
c:\program files\podmena\podmena.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\tag12.exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\WINDOWS\pp10.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\anna.white-0vw8yoglu\local settings\Temp\ron_1244690230.exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\documents and settings\alex.white-0vw8yoglu\local settings\temporary internet files\Content.IE5\61N56WB7\pp.10[1].exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\documents and settings\alex.white-0vw8yoglu\local settings\temporary internet files\Content.IE5\BRBG1F5T\install[2].exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\documents and settings\rachel.white-0vw8yoglu\local settings\temporary internet files\Content.IE5\MDF26XPA\pp.10[1].exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\rachel.white-0vw8yoglu\local settings\temporary internet files\Content.IE5\V07EIXPK\pp.10[1].exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\program files\Zango\zangoau.dat (Adware.180Solutions) -> Quarantined and deleted successfully.
c:\program files\Zango\zango_gdf.dat (Adware.180Solutions) -> Quarantined and deleted successfully.
c:\program files\Zango\zango_hpk.dat (Adware.180Solutions) -> Quarantined and deleted successfully.
c:\program files\Zango\zango_kyf_update.dat (Adware.180Solutions) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\History\search3 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\screensaver\Images\0043122A.urr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\websrvx\websrvx.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\program files\podmena\podmena.sys (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\freddy46.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\msmark2.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\ld08.exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\WINDOWS\romeo15.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\mstre19.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\f23567.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\tgmark2.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\b4657.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\run_1244260023.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\run_1244512209.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\run_1245114762.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122361.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122366.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122378.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122390.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122458.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122710.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122715.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122739.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122807.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122849.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro123173.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro123193.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro123198.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro123222.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro123290.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\dk39fi4fe.dat (Worm.KoobFace) -> Quarantined and deleted successfully.

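An added example, not part of the thread and not Malwarebytes' code: a Python parser for the MBAM log format shown above. It groups detections by family (case-folded, because the log spells Koobface two different ways), lists the items still waiting on "Delete on reboot" (the reason the earlier instructions say to restart immediately when asked), and pulls out any firewall exceptions the malware registered. The sample log is a constructed subset of the one posted above; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: a subset of the MBAM log posted above in this thread.
SAMPLE_MBAM_LOG = r"""
Memory Processes Infected:
C:\Program Files\websrvx\websrvx.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
c:\program files\podmena\podmena.dll (Trojan.Agent) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\8085:tcp (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\podmena (Trojan.Downloader) -> Delete on reboot.

Files Infected:
c:\WINDOWS\tag12.exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\WINDOWS\freddy46.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\program files\podmena\podmena.sys (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# Section headers look like "Files Infected:"; the summary block at the top of a real log
# uses "Files Infected: 45", which this pattern deliberately does not match.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# Detection lines: "<item> (<family>) -> <action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# Windows Firewall exception values are keyed by "<port>:<proto>" under GloballyOpenPorts\List.
PORT_RE = re.compile(r"GloballyOpenPorts\\List\\(?P<port>\d+:(?:tcp|udp))", re.IGNORECASE)


def parse_mbam(text):
    """Return one dict per detection line, tagged with the section it appeared under."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            items.append({"section": section, "item": m.group("item"),
                          "family": m.group("family"), "action": m.group("action")})
    return items


def summarize(items):
    """Family counts, items still pending a reboot, and firewall ports the malware opened."""
    families = Counter(i["family"].lower() for i in items)
    pending = [i["item"] for i in items if i["action"].lower().startswith("delete on reboot")]
    ports = [m.group("port") for i in items for m in [PORT_RE.search(i["item"])] if m]
    return {"families": dict(families), "pending_reboot": pending, "firewall_exceptions": ports}


if __name__ == "__main__":
    report = summarize(parse_mbam(SAMPLE_MBAM_LOG))
    for family, n in sorted(report["families"].items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {family}")
    print("pending reboot:", report["pending_reboot"])
    print("firewall exceptions:", report["firewall_exceptions"])
```

On the constructed sample this yields seven detections across four families, two podmena items that are not actually gone until the machine restarts, and one firewall exception for 8085/tcp. The pending list is the practical check: a log that says "Quarantined and deleted successfully" for most items can still leave a loaded DLL in place, which is why the removal instructions insist on rebooting when prompted.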

Re: System Security won't let anything run

Post by Belahzur on 16th June 2009, 12:04 am

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (Symantec)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.





Re: System Security won't let anything run

Post by scw2 on 16th June 2009, 12:30 am

I tried to disable Auto-Protect on Symantec, and I'm pretty sure that's what I did, but ComboFix warned me that the scanner is still actively running and that this is at my own risk. I went to the website you instructed, and the only information for Symantec AntiVirus Corporate Edition was to disable Auto-Protect, which I have done. Is my computer going to die when I press okay for ComboFix to continue running?


Re: System Security won't let anything run

Post by Belahzur on 16th June 2009, 12:32 am

Can you do the following in Safe Mode with Networking, (as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.

Note: With some computers, if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8 key", tap the "F8 key" continuously until you get the startup menu.) Once in the startup menu, select "Safe Mode with Networking", then in this mode run ComboFix; Symantec won't interfere (even if CF says it's still active).





Re: System Security won't let anything run

Post by scw2 on 16th June 2009, 12:34 am

Should I just "x" out of the warning box from ComboFix and then restart my computer? Or not touch the box and just try to restart in safe mode?


Re: System Security won't let anything run

Post by Belahzur on 16th June 2009, 12:35 am

Press the X and close it, then reboot to safe mode and run it again in safe mode.





Re: System Security won't let anything run

Post by scw2 on 16th June 2009, 12:38 am

No, I cannot run in safe mode with networking. I get a long string of white letters on a black background, with the last one reading:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\System32\Drivers\Mup.sys


Re: System Security won't let anything run

Post by Belahzur on 16th June 2009, 12:40 am

Yeah, that's what usually happens. You need to give it a minute or so, mup.sys is a pretty big driver.





Re: System Security won't let anything run

Post by scw2 on 16th June 2009, 12:48 am

It's been stuck on mup for almost 5 minutes now (I'm typing this from my laptop, the sick computer is a desktop). Should I continue to give it time?


Re: System Security won't let anything run

Post by scw2 on 16th June 2009, 1:01 am

Mup.sys is still the last line of white letters when trying to boot in safe mode with networking, almost 20 minutes later.

Re: System Security won't let anything run

Post by Belahzur on 16th June 2009, 1:03 am

Okay, try running it with Symantec not disabled in normal mode.


Re: System Security won't let anything run

Post by scw2 on 16th June 2009, 1:07 am

Won't that destroy my computer? It made a terrible beeping sound when the warning came up earlier...

Re: System Security won't let anything run

Post by Belahzur on 16th June 2009, 1:09 am

New idea: don't run Combofix, we'll use this instead.
It's just a scanner; it doesn't do anything. I just want to check there is no rootkit; your MBAM log was looking pretty bad.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


Re: System Security won't let anything run

Post by scw2 on 16th June 2009, 1:15 am

DDS (Ver_09-05-14.01) - NTFSx86
Run by Anna at 21:13:58.10 on Mon 06/15/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.766.349 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iConcepts Music Express\MEAutoDetect.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Anna.WHITE-0VW8YOGLU\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\anna~1.whi\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autode~1.lnk - c:\program files\iconcepts music express\MEAutoDetect.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-us\local\search.html
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-6-9 255096]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-6-9 242808]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-8-2 1267024]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090403.004\naveng.sys [2009-4-3 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090403.004\navex15.sys [2009-4-3 876144]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-6-9 87160]
S3 gtermddo;gtermddo;\??\c:\docume~1\alex~1.whi\locals~1\temp\gtermddo.sys --> c:\docume~1\alex~1.whi\locals~1\temp\gtermddo.sys [?]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys --> c:\windows\system32\drivers\wg111v2.sys [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-8-2 173392]
S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]

=============== Created Last 30 ================

2009-06-15 20:36 161,792 a------- c:\windows\SWREG.exe
2009-06-15 20:36 155,136 a------- c:\windows\PEV.exe
2009-06-15 20:36 98,816 a------- c:\windows\sed.exe
2009-06-15 20:35 388,608 a------- c:\windows\system32\CF27140.exe
2009-06-15 20:35 --ds---- C:\Combo-Fix
2009-06-15 19:03 --d----- c:\docume~1\anna~1.whi\applic~1\Malwarebytes
2009-06-15 19:03 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 19:03 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-15 19:03 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 19:03 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-15 16:48 --d----- c:\program files\Trend Micro
2009-06-11 21:45 --d----- c:\docume~1\alluse~1\applic~1\11840934

==================== Find3M ====================

2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-17 05:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 11:26 583,168 a------- c:\windows\system32\rpcrt4.dll
2009-03-26 15:23 1,900,544 a------- c:\windows\system32\usbaaplrc.dll

============= FINISH: 21:14:46.60 ===============

Re: System Security won't let anything run

Post by Origin on 16th June 2009, 2:48 am

Download Dr.Web CureIt to the desktop:
[You must be registered and logged in to see this link.]

  • Double-click the launch.exe or cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, just let it cure whatever it finds...
    o Now, go to Settings >> Change Settings
    o Go to Actions tab >> under Objects section, change the settings to below
    Infected objects - Cure
    Incurable objects - Report
    Suspicious objects - Report
    o Don't change any other settings
  • Start the scan again. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan has finished, click Select all
  • Click on Cure and choose Report incurable (means take no actions.. Don't "move", or "rename" or "delete")
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Post DrWeb.csv in your next reply (open it in Notepad). Do NOT reboot the computer yet.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security won't let anything run

Post by scw2 on 16th June 2009, 2:09 pm

The Complete scan is still running - however, at one point I got a popup box that asked me if I wanted to move an object, and I pressed yes on instinct because all the other pop up boxes had asked me if I wanted to "cure?". Am I in trouble?

Re: System Security won't let anything run

Post by Belahzur on 16th June 2009, 2:15 pm

No, some items Dr.web can cure, some of them it can't.
The log came out pretty good: no rootkits, just a folder that is left over from the System Security infection. We can delete that now.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to delete:
gtermddo

Folders to delete:
c:\docume~1\alluse~1\applic~1\11840934

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


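The Avenger script above removes exactly the two items Belahzur picked out of the DDS log: a driver (gtermddo) whose image sits in a user's temp folder and is no longer on disk, and a numeric-named folder under All Users\Application Data. As an added example, not code from this thread nor from the DDS or Avenger authors, here is a small Python triage script that applies those same two heuristics to DDS log text. The sample lines are constructed in the shape of the log posted above; the field layout, section names and flagging rules are my own assumptions about the DDS format, not its specification.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the DDS log layout: three driver lines and three
# "Created Last 30" lines shaped like the ones in the log posted in this thread.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
S3 gtermddo;gtermddo;\??\c:\docume~1\alex~1.whi\locals~1\temp\gtermddo.sys --> c:\docume~1\alex~1.whi\locals~1\temp\gtermddo.sys [?]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys --> c:\windows\system32\drivers\wg111v2.sys [?]

=============== Created Last 30 ================

2009-06-15 19:03 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 19:03 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 21:45 --d----- c:\docume~1\alluse~1\applic~1\11840934
"""


@dataclass
class Finding:
    section: str                      # DDS section the line came from
    subject: str                      # service name or created path
    reasons: list = field(default_factory=list)


# One line per service/driver: <start> <name>;<display name>;<image path> [<date> <size>]
# DDS appends " --> <path> [?]" when it could not find the image file on disk.
# Layout inferred from the posted log (an assumption, not a DDS specification).
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?:\s+-->\s+(?P<resolved>.+?))?\s+\[(?P<meta>[^\]]*)\]$"
)

# One line per created object: <date> <time> [<size>] <attrs> <path>
# attrs is an 8-character field; 'd' marks a directory.
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?:(?P<size>[\d,]+)\s+)?(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)

# Locations a kernel driver has no legitimate reason to load from (assumed heuristic).
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def service_reasons(m):
    """Return the reasons one SERVICES / DRIVERS line deserves a second look."""
    reasons = []
    path = (m["resolved"] or m["path"]).lower()
    if m["meta"].strip() == "?":
        reasons.append("image file not present on disk (DDS marks it [?])")
    if any(marker in path for marker in TEMP_MARKERS):
        reasons.append("driver image lives in a user temp directory")
    return reasons


def created_reasons(m):
    """Return the reasons one Created Last 30 line deserves a second look."""
    reasons = []
    leaf = m["path"].lower().rstrip("\\").rsplit("\\", 1)[-1]
    if "d" in m["attrs"] and leaf.isdigit():
        reasons.append("new directory with a purely numeric name "
                       "(the System Security data folder looked like this)")
    return reasons


def triage(dds_text):
    """Walk a DDS log and collect Findings for the two sections we know how to read."""
    findings = []
    section = None
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("="):                 # "===== SECTION NAME =====" header
            section = line.strip("= ")
            continue
        if section == "SERVICES / DRIVERS":
            m = SERVICE_RE.match(line)
            if m and (reasons := service_reasons(m)):
                findings.append(Finding(section, m["name"], reasons))
        elif section == "Created Last 30":
            m = CREATED_RE.match(line)
            if m and (reasons := created_reasons(m)):
                findings.append(Finding(section, m["path"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.section}] {f.subject}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample, gtermddo is flagged twice (temp directory and missing file), RTLWUSB once (the wireless adapter driver is simply missing, which is normal for an unplugged USB device and is why only the temp-directory hit should be treated as the stronger signal), and the numeric folder once; the Symantec and Malwarebytes entries produce no findings. A missing image alone is weak evidence, so keep the reasons separate rather than collapsing them into one score.
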
Re: System Security won't let anything run

Post by scw2 on 16th June 2009, 2:19 pm

Should I do this while my Dr.Web complete scan is running or should I wait until it's finished? It looks like it's only about a quarter of the way finished with the scan, and so far it has found 15 things.

Re: System Security won't let anything run

Post by scw2 on 16th June 2009, 2:23 pm

Surprisingly, it just "moved" Combo-Fox.exe

Re: System Security won't let anything run

Post by scw2 on 16th June 2009, 2:24 pm

Combo-Fix.exe, I'm sorry

Re: System Security won't let anything run

Post by Belahzur on 16th June 2009, 2:49 pm

Yeah, some parts inside Combo-Fix are used to stop processes, like malicious processes, etc., so some scanners flag parts of Combofix as a "RiskTool" or "HackTool". This is a false claim, a false positive.


Re: System Security won't let anything run

Post by scw2 on 16th June 2009, 2:51 pm

Oh okay. Should I keep the complete scan running or go ahead and stop it to do the Avenger program?

Re: System Security won't let anything run

Post by Belahzur on 16th June 2009, 2:54 pm

Let it run first, then when it finishes, do the avenger script.


Re: System Security won't let anything run

Post by scw2 on 16th June 2009, 6:20 pm

The Complete scan is still running, almost 5 hours after I started it. Can I stop it before it's completely done? It has scanned over 620000 files.

Re: System Security won't let anything run

Post by Belahzur on 16th June 2009, 6:26 pm

Yes, if it takes too long, stop it.


Re: System Security won't let anything run

Post by scw2 on 16th June 2009, 6:30 pm

Hmm, okay, I stopped the scan, and I pressed "cure" as instructed by Origin above, but there is no option for "Report incurable", there are only the 3 he told me not to press.

Re: System Security won't let anything run

Post by Belahzur on 16th June 2009, 6:44 pm

Okay, leave that and do my avenger script.


Re: System Security won't let anything run

Post by scw2 on 16th June 2009, 6:55 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "gtermddo" deleted successfully.
Folder "c:\docume~1\alluse~1\applic~1\11840934" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: System Security won't let anything run

Post by Belahzur on 16th June 2009, 7:02 pm

Good.
This should be fine now.


Re: System Security won't let anything run

Post by scw2 on 16th June 2009, 7:04 pm

Great, thank you so much! I will post my other question about a program that refuses to uninstall in the software forum.

Re: System Security won't let anything run

Post by scw2 on 16th June 2009, 7:05 pm

Can I now delete/uninstall all of the programs I downloaded to kill the virus (MBAM, IceSword, HijackThis, Avenger, Combo-Fix)?

Re: System Security won't let anything run

Post by Belahzur on 16th June 2009, 7:06 pm

Yes, delete or uninstall them.

