Total Security has taken over

Post by karen rossi on 22nd September 2009, 2:16 am

I have used this site before with great success, so I downloaded HijackThis onto a memory stick, but when I start up the infected computer it immediately starts running a Total Security scan and it seems to have disabled everything else (McAfee, userinit.exe), so I can't even run HijackThis to see what is going on.


Please please Help!
Thank You

karen rossi
Novice

Posts : 20
Joined : 2009-04-17
OS : XP
Points : 27946
# Likes : 0

Re: Total Security has taken over

Post by Dr Jay on 22nd September 2009, 4:22 am

Hi

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    scecli.dll
    netlogon.dll
    eventlog.dll
    winlogon.exe
    comres.dll
    crypt32.dll
    gpedit.dll
    rundll32.exe
    sfc.dll
    svchost.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Dr. Jay (DJ)

Dr Jay
Head Administrator

Posts : 13810
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 302437
# Likes : 10
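The `:filefind` list in the post above asks SystemLook to report every copy of those core system files, where each copy lives and how large it is, so the helper can spot a patched or planted copy sitting next to the legitimate one. The Python script below is an added example, not SystemLook itself and not something posted in this thread: it re-implements that check offline on a constructed directory tree (the file contents, the `dllcache` layout and the stray `Temp` copy are invented for the demonstration) and additionally hashes each copy, so that any name present in several places with differing contents is listed separately.

```python
"""Offline re-implementation of a SystemLook-style ':filefind' check (added example).

Walks a directory tree, lists every copy of the requested file names with size
and SHA-256, and reports names whose copies differ in content. The sample tree
is constructed in a temporary directory so the script runs anywhere.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

# File names taken from the helper's :filefind list above.
TARGETS = ["scecli.dll", "netlogon.dll", "eventlog.dll", "winlogon.exe",
           "comres.dll", "crypt32.dll", "gpedit.dll", "rundll32.exe",
           "sfc.dll", "svchost.exe"]


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def filefind(root, names):
    """Return {name: [(path, size, sha256), ...]} for every match under root.

    Matching is case-insensitive, as Windows file names are."""
    wanted = {n.lower() for n in names}
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                p = os.path.join(dirpath, fn)
                found[fn.lower()].append((p, os.path.getsize(p), sha256_of(p)))
    return dict(found)


def inconsistent_copies(results):
    """Names that exist in more than one place with different contents."""
    return sorted(name for name, hits in results.items()
                  if len({digest for _, _, digest in hits}) > 1)


def build_sample_tree():
    """Constructed sample tree (hypothetical contents): a fake system32 with a
    dllcache backup folder and a stray copy of svchost.exe in a Temp folder."""
    root = tempfile.mkdtemp(prefix="filefind_")
    layout = {
        "system32/winlogon.exe": b"MZ legit winlogon",
        "system32/dllcache/winlogon.exe": b"MZ legit winlogon",   # identical backup
        "system32/scecli.dll": b"MZ patched scecli",               # differs from backup
        "system32/dllcache/scecli.dll": b"MZ legit scecli",
        "system32/svchost.exe": b"MZ legit svchost",
        "Temp/svchost.exe": b"MZ something else",                  # copy outside system32
        "system32/crypt32.dll": b"MZ legit crypt32",
    }
    for rel, data in layout.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    res = filefind(root, TARGETS)
    for name in TARGETS:
        for path, size, digest in res.get(name, []):
            print(f"{name:14} {size:6d} {digest[:16]}  {path}")
    print("names with differing copies:", inconsistent_copies(res))
```

On a real machine the root would be the Windows directory and the interesting output is a copy of a system binary whose hash differs from the one in `dllcache` or `ServicePackFiles`, or a copy in a location such as a Temp folder; both cases are what the helper's list is there to reveal.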

Re: Total Security has taken over

Post by karen rossi on 22nd September 2009, 3:55 pm

When I turned on the computer last night to try and run HijackThis, the Total Security scan started almost immediately and then seemed to lock me out from doing anything. I then tried to start it in safe mode and it wouldn't let me, and then I started from the last successful startup and again Total started running the scan and seemed to not let me do anything. Task Manager says it was disabled. I will try again, but are there any first steps that might prevent this and increase my chances of it letting me run the SystemLook scan?

Thanks for your help


Re: Total Security has taken over

Post by Dr Jay on 22nd September 2009, 4:00 pm

Hi

Please download this from another computer and then transfer it to the infected computer.

Please download ComboFix by sUBs
[You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.]

Please save the file to your Desktop, but rename it first:




Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.

After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". [You must be registered and logged in to see this link.] if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.

Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:




  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.


Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method as above, but download it again and rename
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.


Dr. Jay (DJ)


Re: Total Security has taken over

Post by karen rossi on 22nd September 2009, 4:34 pm

OK

Got the files copied on a stick drive. Went to the computer and started it in safe mode - it says there is a problem with Windows and shut Windows down to protect the computer - it says run virus software, disable new stuff, and it is on a blue screen. Can I run the program on the USB drive from here? Or what else can I try?


Re: Total Security has taken over

Post by Dr Jay on 23rd September 2009, 1:12 am

Hi

Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore.
  • Download The Avira AntiVir Rescue System from [You must be registered and logged in to see this link.].
  • Just double-click on the rescue system package to burn it to a CD/DVD.
  • Then please use that CD/DVD with Avira Rescue System to boot your computer.
You'll get a boot option to either boot from hard drive or AntiVir Rescue System.


Press the number 2 on your keyboard to boot into AntiVir Rescue System.

Please wait until drivers are loaded and Main menu shows. Then please select the second option “Scan your system with AntiVir” and hit Enter.


Under Configuration, please select Scan all files, Try to repair infected files and Rename files if they cannot be removed.


Then please start the scan.

The Avira AntiVir Rescue System will now

  • repair a damaged system,
  • rescue data,
  • scan the system for virus infections.


Dr. Jay (DJ)


Re: Total Security has taken over

Post by karen rossi on 23rd September 2009, 1:59 am

Burned the CD and put it in the drive. Do I do a regular startup, safe mode? How do I get the computer to know to read the CD?


Re: Total Security has taken over

Post by karen rossi on 23rd September 2009, 3:03 am

How do I get the computer to run the Avira Rescue program on the CD?????


Re: Total Security has taken over

Post by Dr Jay on 23rd September 2009, 3:16 am

Hi

When the computer boots, hit F12 quickly, then select CD/DVD drive as the option.

If this does not work, then enter the BIOS by either pressing F2 or Delete, immediately when the computer boots. Go to the section where the boot order is done, and select the CD/DVD drive as the first device that boots. Most utilities have a help section on the left or right, to guide you on how to do this. Most of these configuration screens are different.

Then, it should boot from the CD.


Dr. Jay (DJ)


Re: Total Security has taken over

Post by karen rossi on 23rd September 2009, 4:09 am

ComboFix 09-09-22.02 - Ryan 09/22/2009 22:36.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1702 [GMT -5:00]
Running from: E:\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\13773904
c:\documents and settings\All Users\Application Data\13773904\13773904
c:\documents and settings\All Users\Application Data\13773904\13773904.exe
c:\documents and settings\All Users\Application Data\13773904\pc13773904ins
c:\windows\system32\11478.exe
c:\windows\system32\11942.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\32391.exe
c:\windows\system32\41.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\9961.exe
c:\windows\system32\AVR09.exe
c:\windows\system32\critical_warning.html
c:\windows\system32\fujegifu.dll
c:\windows\system32\hetibesi.dll
c:\windows\system32\hoguyovu.dll.tmp
c:\windows\system32\kutozali.exe
c:\windows\system32\logon.exe
c:\windows\system32\mefibena.dll
c:\windows\system32\merilaro.dll
c:\windows\system32\puvelepu.dll
c:\windows\system32\rafesumu.dll.tmp
c:\windows\system32\rapirapi.dll
c:\windows\system32\siweviji.dll
c:\windows\system32\wavemile.dll
c:\windows\system32\wegafuhu.dll.tmp
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\wuyojogi.dll

.
((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))
.

2009-09-13 12:17 . 2009-09-13 12:17 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-13 09:12 . 2009-09-13 09:12 -------- d-----w- c:\windows\system32\scripting
2009-09-13 09:12 . 2009-09-13 09:12 -------- d-----w- c:\windows\system32\en
2009-09-13 09:12 . 2009-09-13 09:12 -------- d-----w- c:\windows\l2schemas
2009-09-13 09:12 . 2009-09-13 09:12 -------- d-----w- c:\windows\system32\bits
2009-09-13 09:07 . 2009-09-13 09:07 -------- d-----w- c:\windows\EHome
2009-09-12 14:55 . 2009-09-12 14:55 -------- d-----w- c:\windows\Sun
2009-09-09 23:10 . 2009-09-09 23:10 127488 ----a-w- c:\windows\system32\T4 Quote Saver.scr
2009-09-09 23:10 . 2009-09-09 23:10 25600 ----a-w- c:\windows\system32\T4SIC.dll
2009-09-08 23:21 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-07 15:02 . 2009-09-07 15:04 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\Google
2009-09-07 15:00 . 2009-09-07 15:02 -------- d-----w- c:\program files\Google
2009-09-07 14:54 . 2009-09-07 14:54 -------- d-----w- c:\documents and settings\Ryan\Application Data\Template
2009-09-07 11:20 . 2009-09-07 11:20 -------- d-sh--w- c:\documents and settings\Ryan\PrivacIE
2009-09-07 11:12 . 2009-09-07 11:12 -------- d-sh--w- c:\documents and settings\Ryan\IETldCache
2009-09-07 10:59 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-09-07 10:58 . 2009-09-07 10:58 -------- d-----w- c:\windows\ie8updates
2009-09-07 10:58 . 2009-07-19 23:48 11067392 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-09-07 10:58 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-09-07 10:58 . 2009-07-03 17:09 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-07 10:58 . 2009-07-03 17:09 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-07 10:58 . 2009-07-03 17:09 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-09-07 10:58 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-07 10:58 . 2009-09-07 10:58 -------- dc-h--w- c:\windows\ie8
2009-09-05 03:21 . 2009-09-05 03:21 -------- d-sh--w- c:\documents and settings\Ryan\UserData
2009-09-04 03:26 . 2009-09-04 03:26 -------- d-----w- c:\documents and settings\Ryan\Application Data\AdobeUM
2009-09-04 01:25 . 2009-09-04 03:25 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\Adobe
2009-08-30 11:40 . 2009-09-13 09:11 -------- d-----w- c:\windows\ServicePackFiles
2009-08-30 11:39 . 2009-08-30 11:39 -------- d-----w- c:\program files\MSXML 4.0
2009-08-29 15:01 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2009-08-29 15:01 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-08-29 15:01 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-08-29 15:01 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-08-29 15:01 . 2009-02-06 10:39 35328 ------w- c:\windows\system32\dllcache\sc.exe
2009-08-29 15:01 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-08-29 15:01 . 2009-02-09 12:10 729088 ------w- c:\windows\system32\dllcache\lsasrv.dll
2009-08-29 15:01 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-08-29 15:01 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-08-29 15:01 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-08-29 15:01 . 2009-02-06 11:08 2189056 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-29 15:01 . 2009-02-06 11:06 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-29 15:01 . 2009-02-06 10:32 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-29 14:59 . 2009-08-29 14:59 127 ----a-w- c:\documents and settings\Ryan\Local Settings\Application Data\fusioncache.dat
2009-08-29 14:58 . 2009-08-29 14:58 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\CTS
2009-08-29 14:58 . 2009-08-29 14:58 -------- d-----w- c:\program files\CTS
2009-08-29 14:57 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-29 14:57 . 2009-06-10 14:19 2066432 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-08-29 14:57 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-08-29 14:57 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-08-29 14:57 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-08-29 14:57 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-08-29 14:57 . 2008-10-24 11:21 455296 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-08-29 14:57 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2009-08-29 14:57 . 2008-12-11 10:57 333952 ------w- c:\windows\system32\dllcache\srv.sys
2009-08-29 14:57 . 2008-05-01 14:33 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2009-08-29 14:57 . 2008-04-11 19:04 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll
2009-08-29 14:52 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-23 03:42 . 2009-03-07 19:23 -------- d-----w- c:\program files\Steam
2009-09-22 01:27 . 2009-06-22 01:27 49152 --sha-w- c:\windows\system32\fiwevoga.dll
2009-09-13 21:26 . 2008-06-23 18:55 37344 ----a-w- c:\documents and settings\Ryan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-07 14:54 . 2009-09-07 14:54 0 ----a-w- c:\documents and settings\Ryan\Application Data\wklnhst.dat
2009-09-07 08:01 . 2009-09-07 08:01 -------- d-----w- c:\program files\MSBuild
2009-09-07 08:01 . 2009-09-07 08:01 -------- d-----w- c:\program files\Reference Assemblies
2009-08-14 05:02 . 2009-08-14 00:57 -------- d-----w- c:\program files\Warcraft III
2009-08-14 01:04 . 2009-08-14 00:59 55618 ----a-w- c:\windows\War3Unin.dat
2009-08-14 01:04 . 2009-08-14 00:59 2829 ----a-w- c:\windows\War3Unin.pif
2009-08-14 01:04 . 2009-08-14 00:59 139264 ----a-w- c:\windows\War3Unin.exe
2009-08-05 09:01 . 2004-08-10 18:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2004-08-10 18:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-17 19:01 . 2004-08-10 18:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-10 18:51 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-10 18:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-22 01:31 . 2009-06-22 01:31 49152 --sha-w- c:\windows\system32\sapawoma.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fde32ef9-7e44-452e-8f14-322f0cbf900b}]
2009-06-22 01:31 49152 --sha-w- c:\windows\system32\sapawoma.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"Steam"="c:\program files\Steam\Steam.exe" [2009-08-29 1217784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-07 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-08 7630848]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 151552]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-07-02 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 212992]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-13 1117184]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-07-13 110592]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-08-18 999424]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-09-07 122368]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2008-2-6 921704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]
2005-12-23 02:08 450646 ----a-w- c:\windows\system32\PRISMAPI.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\Empire Interactive\\Strangelite\\Starship Troopers\\STGame.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\Warcraft III\\War3.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2/6/2008 2:09 PM 61526]
S3 jswmidin;jswmidin;\??\c:\docume~1\Ryan\LOCALS~1\Temp\jswmidin.sys --> c:\docume~1\Ryan\LOCALS~1\Temp\jswmidin.sys [?]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\progra~1\SMC\POWERL~1\PLCNDIS5.SYS [9/10/2002 6:44 PM 17018]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-23 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (COMP-Ryan).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2008-02-06 00:18]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-13773904 - c:\documents and settings\All Users\Application Data\13773904\13773904.exe
HKLM-Run-tarosejowa - fujegifu.dll
SharedTaskScheduler-{242aa567-f336-4a40-a31f-d36e11ae69c7} - c:\windows\system32\kuribuja.dll
SSODL-nagevekog-{242aa567-f336-4a40-a31f-d36e11ae69c7} - c:\windows\system32\kuribuja.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-22 22:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\PRISMAPI.DLL

- - - - - - - > 'explorer.exe'(2872)
c:\windows\system32\WININET.dll
c:\progra~1\McAfee\SPAMKI~1\mskoeplg.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\progra~1\mcafee.com\vso\McVSSkt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\PRISMSVR.exe
c:\progra~1\McAfee.com\VSO\McVSEscn.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\McAfee.com\VSO\McShield.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\InstallShield\UpdateService\agent.exe
.
**************************************************************************
.
Completion time: 2009-09-23 22:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-23 03:46

Pre-Run: 173,117,886,464 bytes free
Post-Run: 173,811,388,416 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

255 --- E O F --- 2009-09-14 08:00

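The ComboFix log above contains several of the indicators a helper reads when judging a log of this kind: randomly numbered executables dropped into system32, hidden system-attribute DLLs (`--sha-w-`) with random eight-letter names, one of them registered as a Browser Helper Object, Security Center monitoring switched off, and an autorun entry pointing at a numeric folder under Application Data. The Python script below is an added example, not ComboFix and not something the thread's helper posted: it runs a handful of such rules over lines copied from this log into a constructed sample, with one legitimate `ctfmon.exe` entry kept as a control. The rule names are my own, and the rules are heuristics that point a reviewer at lines worth a closer look, not a verdict on their own.

```python
"""Triage rules for a ComboFix-style log (added example, not ComboFix's own logic)."""
import re
from collections import Counter

# Constructed sample: lines copied from the log in this thread, plus one
# legitimate Run entry (ctfmon.exe) that should produce no finding.
SAMPLE_LOG = r"""
c:\windows\system32\11478.exe
c:\windows\system32\41.exe
c:\windows\system32\fujegifu.dll
c:\windows\system32\winupdate.exe
2009-09-22 01:27 . 2009-06-22 01:27 49152 --sha-w- c:\windows\system32\fiwevoga.dll
2009-06-22 01:31 . 2009-06-22 01:31 49152 --sha-w- c:\windows\system32\sapawoma.dll
2009-07-03 17:09 . 2004-08-10 18:51 915456 ----a-w- c:\windows\system32\wininet.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fde32ef9-7e44-452e-8f14-322f0cbf900b}]
2009-06-22 01:31 49152 --sha-w- c:\windows\system32\sapawoma.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
HKLM-Run-13773904 - c:\documents and settings\All Users\Application Data\13773904\13773904.exe
HKLM-Run-tarosejowa - fujegifu.dll
"""

# Security Center values that, when set to 1, silence the OS's own warnings.
SEC_CENTER_VALUES = {"DisableMonitoring", "UpdatesDisableNotify"}

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
NUMERIC_EXE = re.compile(r"^c:\\windows\\system32\\\d+\.exe$", re.I)
HIDDEN_SYS_DLL = re.compile(r"\s--sha-w-\s+c:\\windows\\system32\\[^\\]+\.dll$", re.I)
APPDATA_NUMERIC = re.compile(r"\\Application Data\\\d+\\", re.I)
ORPHAN_RUN = re.compile(r"^HKLM-Run-\S+ - (?P<target>.+)$")
REG_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-f]{8})$', re.I)


def triage(log_text):
    """Return a list of (rule, line) findings; the current [section] header is
    tracked so registry values can be judged in context."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group("key").lower()
            continue
        # Purely numeric executable names in system32 are not how Windows names files.
        if NUMERIC_EXE.match(line):
            findings.append(("numeric_exe_in_system32", line))
        # Hidden + system attributes on a DLL in system32 hide it from casual listing.
        if HIDDEN_SYS_DLL.search(line):
            findings.append(("hidden_system_dll", line))
            if "browser helper objects" in section:
                findings.append(("bho_backed_by_hidden_dll", line))
        # Security Center monitoring/update notifications turned off by policy value.
        if "security center" in section:
            m = REG_DWORD.match(line)
            if m and m.group("name") in SEC_CENTER_VALUES and int(m.group("val"), 16) == 1:
                findings.append(("security_center_tampered", line))
        # Autorun targets living in a numeric folder under Application Data.
        if APPDATA_NUMERIC.search(line):
            findings.append(("autorun_from_numeric_appdata", line))
        # Orphaned Run entry naming a bare DLL with no path at all.
        m = ORPHAN_RUN.match(line)
        if m and "\\" not in m.group("target"):
            findings.append(("orphan_run_bare_dll", line))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'hidden_system_dll': 3, ...}."""
    return dict(Counter(rule for rule, _ in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for rule, line in hits:
        print(f"{rule:30} {line}")
    print(summarize(hits))
```

Applied to a full log the script would be run over the whole file; the value of rules like these is that the same DLL showing up both as a hidden file in the Find3M report and as the target of a Browser Helper Object ties two sections of the log together, which is the kind of correlation a helper does by eye.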

Re: Total Security has taken over

Post by Dr Jay on 23rd September 2009, 5:18 am

Hi

Unfortunately, your log shows a dangerous trojan is residing on your computer which has a backdoor functionality. It is possible that a remote attacker has already breached your computer. If you do any banking or other financial transactions on the computer, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, your computer is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System.

Visit the following sites for more information on internet theft and when to reformat!
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

If you have any questions before making a final decision, please feel free to ask.

Please let me know if you would like to continue with trying to clean your computer.

Instead, if you decide to format and reinstall, please disconnect your computer from the Internet immediately.


Dr. Jay (DJ)


Re: Total Security has taken over

Post by karen rossi on 23rd September 2009, 2:50 pm

My husband is using this computer. He had problems with his old computer in April with Win32/Nugel and Geek Police got it back up and running. He again started having problems with that computer (security popups again) and so grabbed this computer from my son who is away at college (you can see all the games on it) to replace that old computer.
I spent all last evening running McAfee (found only 1 PUP) and the malware program you guys recommended, doing quick scans and then full scans and removing all the infections, starting and restarting each time.

He goes on the internet; his work (commodity trading order entry system - supposedly on a T4 line?????), reading lots of newspapers and political blogs, is what he uses it for. I took your advice and unplugged it from the Comcast router.

What trojan is it this time? Is it a keylogger? He is going to change his banking codes, but how can I tell if my computer is safe to do that on? I just ran a full scan with the malware program and McAfee again myself yesterday because I am always nervous.

Should I run ComboFix or HijackThis on mine to verify it is clean???

Sounds like we should reformat it. What do I need to get together to do that? The computer is from Dell and still under warranty. Do I go through them to reformat it? Or post another thread?


Re: Total Security has taken over

Post by Dr Jay on 23rd September 2009, 7:12 pm

Hi

Here is a tutorial on reformatting and reinstalling: [You must be registered and logged in to see this link.]

Only the computer mentioned in this topic should be reformatted and reinstalled. For the other computer you mention, please post a new topic and copy & paste the address of this thread to it, along with a HijackThis log. Do not run ComboFix or any other special tools.


Dr. Jay (DJ)


Re: Total Security has taken over

Post by MEGMEG on 25th September 2009, 6:31 pm

Moderated Message: Hello, your comment has been removed. Please do not post in another member's topic. If you need help, please read [You must be registered and logged in to see this link.] over and [You must be registered and logged in to see this link.] to open a new topic.

MEGMEG
Beginner

Posts : 1
Joined : 2009-09-25
OS : XP
Points : 26311
# Likes : 0

Re: Total Security has taken over

Post by karen rossi on 29th September 2009, 3:23 pm

Sorry - I have been out of town for the weekend. Actually at UD for parents weekend.

Is Total Security the big threat that I should be worried about? What is the name of this Trojan the computer has with backdoor functionality??? Where do you get it, and if I reformat the computer how do I not get this particular trojan again? What software / strategies will prevent it in the future? You see, my husband only goes on very specific sites (newspapers, political blogs, Rivals (ND blog)) and these habits will not change. So after I reformat - how do I be sure the computer is protected so I don't have to keep doing this?

What is the name of this TROJAN and what specifically will block this TROJAN and others????????


And who is this Megmeg posting on this thread? Could you please review my combofix results post and be sure there is not some confusion on what MY computer has and what needs to be done. Reformatting is a lot of work!


Thanks !


Re: Total Security has taken over

Post by Dr Jay on 29th September 2009, 7:04 pm

Hi

I did not catch MEGMEG, so I have now erased that comment I made afterwards.

It is called SDBot. Since this bot has been hard to remove, we will use a classic tool to remove the bot. This bot is known for stealing personal data and hijacking passwords, etc.

Since you have requested to clean rather than reformat, please do the following:

Download [You must be registered and logged in to see this link.] and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.


Dr. Jay (DJ)
