Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Msscntr32


  • Please log in to reply
13 replies to this topic

#1 cosmo727

cosmo727

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:12:49 PM

Posted 21 May 2008 - 11:14 PM

Hello Smart Computer People

My computer (XP Home) has been infected with "msscntr32". I came across this site by doing a google search and read the topic "Infected With Something, not sure what" in the HijackThis section. I followed Sam's advice and created a OTMoveIt2 log. I searched my computer for any traces of the infection and found "MSSCNTR32.EXE-1B3676AB.pf". How can I get rid of this infection completly? I am new to this whole computer infection thing and to this site. Do I need a HijackThis log and am I in the wright section. Any help would be greatly appreciated.

Thanks
cosmo 727

Edited by cosmo727, 21 May 2008 - 11:22 PM.


BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:49 PM

Posted 22 May 2008 - 06:58 AM

Welcome to BC cosmo727

You should not be following specific instructions provided to someone else especially if they were given in the HijackThis forum. Those instructions were given under the guidance of a trained staff expert to help fix that particular member's problems, NOT YOURS. Before taking any action, the helper must investigate the nature of the malware issues and then formulate a fix for the victim. Although your problem may be similar, the solution could be different based on the kind of hardware, software, system requirements, etc. and the presence of other malware. Using someone else's fix instructions could lead to disastrous problems with your operating system. It's best that you tell us what specific issues YOU are having rather than point to someone else.

I searched my computer for any traces of the infection and found "MSSCNTR32.EXE-1B3676AB.pf"

Where did you find that file (full path/location)?

What program is advising that you are infected with "msscntr32"?
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 cosmo727

cosmo727
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:12:49 PM

Posted 22 May 2008 - 10:13 AM

Thank-you for your reply quietman7

I will start from the beginning. On the 19th of May I was surfing the Internet, when all of a sudden I got a warning that my computer was infected. It did not look like an official warning and was asking to download a fix. The next thing I know there are black bugs coming from the sides of the screen and eating my short cut icons on the desktop and then my desktop background picture went missing. This is when I started to panic!!!

The computer in question is my older XP machine. I recently got a new computer as a package deal through my Internet service provider which included a security package which I could use on any computer. The problem is that I never did get around to installing it on the XP computer in question. I installed the security software and it did a preliminary scan and removed some stuff (not sure what exactly). After that the computer seemed to be fine. The little bugs were gone and I was able to get my desktop background back.

Than a day or two later I get a warning from the security software firewall that msscntr32 is trying to access the Internet. Again, I started to panic. I then did a Google search and found this web site and without knowing any better followed some advice which may or may not be specific to my problem. By the way, thank-you for setting me staight on the proper course of action for when I get a computer problem. I wiil come here first and ask before I do anything. Like I said, I am new to this virus thing and I panicced. Here is a copy of the OTMoveIt2 log if that helps:


C:\WINDOWS\system32\msscntr32.exe moved successfully.
File/Folder C:\WINDOWS\system32\lanmandrv.sys not found.
File/Folder C:\WINDOWS\system32\aspimgr.exe not found.
File/Folder C:\WINDOWS\system32\lanmanwrk.exe not found.
File/Folder C:\WINDOWS\11qqaasswww.exe not found.
C:\WINDOWS\system32\ntpl.bin moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05212008_225226

Following Sam's advice, I did get rid of the firewall warning and I hope I didn't screw anything else up in the process. After doing that I searched my computer for msscntr32 and it was found in C:\WINDOWS\Prefetch\MSSCNTR32.EXE-1B3676AB.pf. Still in a panic, I did a full scan with the security software and I think that it got rid of it. Can't find it by doing a search anymore. Not sure if the problem is totally gone now.

Again thank-you very much for your advice and let me know what you think.

cosmo727

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:49 PM

Posted 22 May 2008 - 10:28 AM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Acan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 cosmo727

cosmo727
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:12:49 PM

Posted 22 May 2008 - 11:22 AM

Here is the copy of the log quietman7


Malwarebytes' Anti-Malware 1.12
Database version: 777

Scan type: Quick Scan
Objects scanned: 66109
Time elapsed: 26 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\nvrsma.dll (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Temp\.tt10.tmp (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\.tt11.tmp (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\.tt14.tmp (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\.tt69.tmp (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\.ttF.tmp (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kerri\Local Settings\Temp\.tt5.tmp (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvrsma.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\KernelDrv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Dll.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qmopt.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\s32.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kerri\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\_check32.bat (Malware.Trace) -> Quarantined and deleted successfully.

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:49 PM

Posted 22 May 2008 - 11:31 AM

Did you reboot the computer after using MBAM? If it encounters a file that is difficult to remove, you need to restart the computer so the malware can be fully removed. Failure to do so will prevent MBAM from removing all the malware. Your log indicates some files will be deleted on reboot. If you have not rebooted, make sure you do this. When done, rescan again with MBAM and post the new log report.

Also, let me know how your is computer running and if there are any more signs of infection.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 cosmo727

cosmo727
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:12:49 PM

Posted 22 May 2008 - 11:34 AM

MBAM asked me to reboot so I did. Did you want me to reboot again and run the scan?

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:49 PM

Posted 22 May 2008 - 11:35 AM

If you already rebooted, just do another scan.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 cosmo727

cosmo727
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:12:49 PM

Posted 22 May 2008 - 11:37 AM

Thanks, I will do that and get back to you in aprox. 15 minutes.

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:49 PM

Posted 22 May 2008 - 11:43 AM

Ok. Don't forget to let me know how your pc is running.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#11 cosmo727

cosmo727
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:12:49 PM

Posted 22 May 2008 - 11:55 AM

Malwarebytes' Anti-Malware 1.12
Database version: 777

Scan type: Quick Scan
Objects scanned: 65219
Time elapsed: 16 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


PC seems to be running fine now. Thanks again for all your help!!!! Hopefully everything is ok now.

cosmo727

#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:49 PM

Posted 22 May 2008 - 12:21 PM

Good job.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"Best Practices - Internet Safety for 2008".
"Hardening Windows Security - Part 1 & Part 2".
"IE Recommended Minimal Security Settings".
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#13 cosmo727

cosmo727
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:12:49 PM

Posted 22 May 2008 - 01:05 PM

Thanks quietman7

I created a new restore point and ran disk clean-up. Also read the links provided.

cosmo727

#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:49 PM

Posted 22 May 2008 - 01:09 PM

You're welcome. :thumbsup:
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users