System Security 2009 - Mostly fixed, I think

Discussion in 'Malware Help (A Specialist Will Reply)' started by videocreed, Jul 21, 2009.

  1. videocreed

    videocreed Private E-2

    Visited what must have been a bad site and ended up getting displays of System Security 2009 on my Win XP. Sadly, had put off updating IE to current, as I do not use it as my browser. Dumb mistake.

    Went through the entire Read & Run Me First instructions for Win XP pretty much successfully:

    Ran SAS, on first time at end of scan, before instructed reboot, another window said it was going to automatically restart Windows in 30 seconds. Being suspicious, I ran SAS again after startup and found another infection. So there are two SAS logs attached.

    Ran MBAM successfully with no errors.

    Ran Combofix - When it needed to install the Microsoft Windows Recovery Console, it said it was installing the one for Win XP SP2, and I have SP3, is that a problem? Also, at end of the scan, Combofix did not prepare the log as described in the Bleepingcomputer instructions link. Instead it said it was going to reboot the machine and do not reboot it manually. After reboot, it started up automatically (continued) said it was preparing the log and not to run any programs until finished. Of course during this time, my Zone Alarm, AVG, and SuperAntiSpyware all autostarted on bootup during this message. Waited 3 min. and ZA alerted that a new program pev.cfexe was trying to access 71.243.0.12 DNS.

    Successfully ran RootRepeal and MGTools.

    Most things seem to be running OK, but am concerned about the pev.cfexe and anything else that may show up in the logs attached.

    Thank you for your time in analyzing these.
     


  2. videocreed

    videocreed Private E-2

    NOT a bump. Second set of attachments.

    While waiting for my first post to be validated so I could add the other log attachments now, I got another ZA alert that SupportSoft Agent sprtscv.exe was attempting to access the same address a pev.cfexe below, 71.243.0.12. But I think that may be connected to my Dell Support Center utility.

    And while waiting, AVG Resident Shield Alert notified me of Win32/Cryptor detected in C:\Windows\system32\svchost.exe. It was successfully placed in the Virus Vault and other instances deleted.

    I have attached the remaining logs along with the AVG Resident Shield Alert log. Am awaiting instructions.

    Thanks.
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. It appears as though the scans took care of the malware.

    pev.cfexe is part of ComboFix and not an issue. And as far as the AVG log you attached, it only is showing items in your system restore folders. They can only be removed by toggling system restore, which I will have you do in a few.

    Now let's just handle a little clean up:

    Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Please use add/remove programs to uninstall:
    Java(TM) 6 Update 5

    Reboot and download and install:
    Java Runtime 6

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
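    As an added example (not part of this thread, and not ComboFix's or MajorGeeks' own code): the kind of check a firewall alert like the pev.cfexe one invites is to ask which process actually owns the connection to the reported address, where its executable lives on disk, and whether that file is signed. The PowerShell script below does exactly that. It assumes a Windows 8 / Server 2012 or later host (Get-NetTCPConnection does not exist on XP, where `netstat -ano` plus `tasklist` gives the same mapping) and an elevated session; 71.243.0.12 is only reused from the thread as the argument to pass.

```powershell
# Added example: map every TCP connection to a remote address back to the owning
# process, its executable path and its Authenticode signature status.
# Run from an elevated PowerShell session on Windows 8 / Server 2012 or later.
param(
    [Parameter(Mandatory = $true)]
    [string]$RemoteAddress    # e.g. 71.243.0.12, the address from the ZoneAlarm alert
)

# SilentlyContinue: the cmdlet reports an error rather than returning nothing
# when no connection matches the filter.
$conns = Get-NetTCPConnection -RemoteAddress $RemoteAddress -ErrorAction SilentlyContinue

if (-not $conns) {
    Write-Output "No TCP connections to $RemoteAddress at this moment."
    return
}

foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $path = if ($proc) { $proc.Path } else { $null }
    $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }

    [pscustomobject]@{
        LocalPort  = $c.LocalPort
        RemotePort = $c.RemotePort
        State      = $c.State
        PID        = $c.OwningProcess
        Process    = if ($proc) { $proc.ProcessName } else { '<exited>' }
        Path       = $path
        Signature  = $sig    # Valid, NotSigned, HashMismatch, UnknownError, ...
    }
}
```

    Save it as, say, `Who-Talks-To.ps1` and run `.\Who-Talks-To.ps1 -RemoteAddress 71.243.0.12`. What you are looking for is an unexpected path (a user profile, temp or recycle-bin directory) rather than the signature status alone: a tool you deliberately ran, such as ComboFix, will legitimately show up here, while a process you do not recognise running from an odd location is the one to investigate. Two caveats: the alert in the thread mentioned DNS, so the traffic may have been UDP, which the TCP table will not show (Get-NetUDPEndpoint lists local UDP sockets with their owning process but carries no remote address), and a connection that has already closed leaves nothing to find, so run the check while the firewall alert is still live.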
     
  4. videocreed

    videocreed Private E-2

    Thanks for your response, TimW.

    Everything on your list is now done, and in order, except the above. Add and Remove Programs returned "An error occurred while trying to remove HijackThis 2.0.2. It may have been already uninstalled. Would you like to remove HijackThis 2.0.2 from the Add and Remove Programs list?"

    Should I remove it from the list? I searched the computer and HijackThis.exe was not found, just the log file in the MGTools directory. Is there a chance that the preceding step of uninstalling Combofix uninstalled HijackThis?

    My only remaining question was from my first post:
    Can I find the SP3 version on Microsoft.com and install it over the SP2 version?

    Or is it absolutely necessary now that I am clean? Can it be uninstalled?
    Thanks again.
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sorry for the delay.

    You need not worry about HJT and the recovery console installation is fine. It is only there in case of a system failure.
     
