Pop-up YOU HAVE A SECURITY PROBLEM!


15 replies to this topic

#1 Bigmac1955

Bigmac1955

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:35 AM

Posted 25 February 2009 - 09:14 PM

I am getting this pop-up periodically - approx at 15 minute intervals.

Exact message reads
You have a security problem! Do you want to scan your computer for viruses.


I have searched around via google, and found various suggestions to get rid of it, and tried most of them.
I have run Spybot, Malwarebytes Anti-Malware, and SUPERAntiSpyware - but still the problem persists.

I do not have enough computer knowledge to understand my HijackThis log, and wouldn't think about downloading ComboFix as I have read in these forums that it should only be used by knowledgeable users.

I am running Windows XP.

I wasn't doing anything out of the ordinary when the first pop-up appeared. (I was actually in the kitchen, and the first pop-up was on my screen when I returned).

Any advice on the removal of this would be much appreciated as it is driving me crazy.

thanks


#2 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:08:35 AM

Posted 25 February 2009 - 09:28 PM

Welcome to BC

Can you post your Malwarebytes log? Thanks

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 Bigmac1955

Bigmac1955
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:35 AM

Posted 25 February 2009 - 09:32 PM

Hi
Thanks for the quick response (especially at this time of the morning!)

I ran Malwarebytes twice...

Both logs are below.
The first one was a quick scan, the second one is a full scan.

First log...........

Malwarebytes' Anti-Malware 1.32
Database version: 1648
Windows 5.1.2600

25/02/09 13:19:00
mbam-log-2009-02-25 (13-19-00).txt

Scan type: Quick Scan
Objects scanned: 82852
Time elapsed: 55 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 6
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ms antispyware 2009 5.7 (Rogue.MSAntiSpyware) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\BASE (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\DELETED (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\SAVED (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090225121911202.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\VB45Cp1w.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.






Second log (full scan)

Malwarebytes' Anti-Malware 1.34
Database version: 1801
Windows 5.1.2600

25/02/09 22:33:58
mbam-log-2009-02-25 (22-33-58).txt

Scan type: Full Scan (C:\|)
Objects scanned: 381545
Time elapsed: 8 hour(s), 29 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\CrucialSoft Ltd (Rogue.MSantispyware2009) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\VB45Cp1w.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ali\Local Settings\Temporary Internet Files\Content.IE5\F7DV31SW\216[1].jpg (Trojan.Dropper) -> Quarantined and deleted successfully.

#4 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:08:35 AM

Posted 25 February 2009 - 10:02 PM

Do you have any XP service packs on your computer?

Please download ATF Cleaner by Atribune & save it to your desktop.
alternate download link DO NOT use yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose:
    Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.



#5 Bigmac1955

Bigmac1955
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:35 AM

Posted 26 February 2009 - 06:50 AM

Hi

OK, not sure what has happened now.

I managed to log on this morning as normal.

I read your post, printed it out, set up my SUPERAntiSpyware as suggested, and turned the computer off.

Went to start in safe mode, and once I selected ''administrator'' the screen went black, with safe mode in the 4 corners. It just sat like that for 15 minutes.
I re-started and tried again. This time I clicked on administrator, it started coming up, then a message saying ''saving your settings'', and returned to the menu. I then tried logging in under my normal user id, same thing - I cannot get past this screen now, and have no access to my desktop.
I have had to use a friend's laptop to type this message.

this really is a nightmare - my entire business is on my computer.

any help please

#6 Bigmac1955

Bigmac1955
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:35 AM

Posted 26 February 2009 - 07:57 AM

I need to get back in to my puter urgently - can anyone tell me what happens if I click on recovery console?

As soon as I click on any of the user icons now, I get a few seconds of a blank desktop, then the message comes ''saving your settings'' and it returns to the choice of users.

#7 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:08:35 AM

Posted 26 February 2009 - 08:15 AM

can anyone tell me what happens if i click on recovery console?


http://www.bleepingcomputer.com/tutorials/how-to-install-the-windows-xp-recovery-console/

http://www.bleepingcomputer.com/forums/t/138692/xp-boot-fixes/

This probably won't help you with an infection in any user friendly way


You might try last known good or command prompt and try running system restore

If you have the right CD available, you can also try running windows as a repair disk

http://www.michaelstevenstech.com/XPrepairinstall.htm

Then there are options for trying to save your data.........................................
Chewy

No. Try not. Do... or do not. There is no try.

#8 Bigmac1955

Bigmac1955
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:35 AM

Posted 26 February 2009 - 09:08 AM

Thanks - was worth a try, but all the command prompts on the Recovery Console interface are just gobbledygook to me.

#9 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:08:35 AM

Posted 26 February 2009 - 09:36 AM

http://www.bleepingcomputer.com/forums/ind...st&p=943085

This is user friendly. last known good and/or system restore from a safe mode command prompt

#10 Bigmac1955

Bigmac1955
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:35 AM

Posted 26 February 2009 - 09:38 AM

Just as an update of where I am now.

When I start the computer, I get to the page with user ids (or admin when I am in safe mode).
I click on any of the user ids or admin, and I get taken to a blank desktop for a few seconds. I then get the message ''saving your settings'', and the Windows tune.
That takes me back to the user id page.
If I click on a user id again, it says ''loading your personal settings'', then within 2 seconds, it says ''logging off'' followed by ''saving your settings'', and takes me back to the user id page.

Edited by Bigmac1955, 26 February 2009 - 09:39 AM.


#11 Bigmac1955

Bigmac1955
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:35 AM

Posted 26 February 2009 - 10:19 AM

http://www.bleepingcomputer.com/forums/ind...st&p=943085

This is user friendly. last known good and/or system restore from a safe mode command prompt


Tried both options.
Last known good - I just got the same as before.
System restore from a safe mode command prompt - I don't get that far. I click on ''safe mode with command prompt'', it lists all the files, but doesn't give me a prompt to type anything.

#12 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:08:35 AM

Posted 26 February 2009 - 07:03 PM

Have you tried a repair install?

http://www.michaelstevenstech.com/XPrepairinstall.htm



#13 Bigmac1955

Bigmac1955
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:35 AM

Posted 26 February 2009 - 07:31 PM

Have you tried a repair install?

http://www.michaelstevenstech.com/XPrepairinstall.htm


Unfortunately I sat on my XP disk a couple of years back and it snapped in two.

#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,745 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:35 AM

Posted 26 February 2009 - 10:44 PM

If you cannot boot up in normal or safe mode, then your options are limited. You may be able to use a Windows XP bootable Floppy Disk to boot from a diskette instead of your hard drive. If your hard drive's boot sector or Windows' basic boot files have been corrupted, this disk will circumvent the problem and boot you into Windows. If you don't have an emergency boot floppy, you may be able to use one created on another PC running Windows XP but there's no guarantee that it will boot your machine.

Another option is to create a Bootable CD: You can try doing a "Repair Install with Recovery Console". The Recovery Console is a Windows utility that provides a DOS-like command line from which you can run some repair programs. If you don't have your XP CD you can download an ISO of the Recovery Console files: Burn it as an image to a disk to get a bootable CD which will startup the Recovery Console for troubleshooting and fixing purposes. This is especially useful for those with OEM systems with factory restore partitions or disks but no original installation CD. If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO and Creating A Windows XP Recovery Console CD Image.

These are links to Antivirus vendors that offer free LiveCD or Rescue CD files that are used to boot from for repair of unbootable and damaged systems, rescue data, scan the system for virus infections. All (except Avira) are in the ISO Image file format. Avira uses an EXE that has built-in CD burning capability. If you need a FREE utility to burn the ISO image, download and use ImgBurn.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#15 Bigmac1955

Bigmac1955
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:35 AM

Posted 26 February 2009 - 10:51 PM

After much searching around, and looking at my original post which contains the Malwarebytes log, it appears that the problem now may be caused by the fact that Malwarebytes deleted the userinit.exe file.

Is there any way I can get that file back using the recovery console?

My reasoning behind this is I found the following thread somewhere....

This is the only thing that I know of that will work.
1.) Boot with the XP CD to the Recovery console.
By default you'll be placed in C:\Windows
2.) go to System32 Directory i.e CD system32
now you are in C:\Windows\system32
3.) you have to overwrite the wsaupdater.exe with userinit.exe.
C:\Windows\System32> copy userinit.exe wsaupdater.exe

Remove the CD, boot up normally (As an Admin).
4.) Browse to windows\system32 directory & rename wsaupdater.exe back to
userinit.exe, if userinit.exe already exists, once you are SURE you have
userinit.exe in the system32 directory delete wsaupdater.exe
5.) Open up regedit, Browse to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
right click "Userinit" to modify value to
C:\WINDOWS\System32\userinit.exe,
Type the above exactly as it appears with the trailing ,



Unfortunately when I tried it, at no.3, I got the message ''The system cannot find the file specified''.

Edited by Bigmac1955, 26 February 2009 - 10:55 PM.
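Bigmac1955's diagnosis in #15 ties the logon loop back to the Winlogon\Userinit data items that Malwarebytes quarantined in the logs posted in #3. As an added example (not part of the thread or of Malwarebytes), here is a small Python parser for that log format that flags quarantined Userinit data whose removed value pointed at the real userinit.exe, plus a checker for the exact value (trailing comma included) that the quoted procedure says to type back; the sample log is constructed to match the thread's format.

```python
import re

# Constructed excerpt in the Malwarebytes log format quoted in the thread (not a real scan).
SAMPLE_LOG = """\
Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\CrucialSoft Ltd (Rogue.MSantispyware2009) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit (Trojan.Agent) -> Data: c:\\windows\\system32\\userinit.exe -> Quarantined and deleted successfully.

Files Infected:
C:\\WINDOWS\\system32\\VB45Cp1w.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected:" style section headers (the summary lines carry a count, so they do not match).
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# "<path> (<detection>) [-> Data: <data>] -> <action>."
ITEM_RE = re.compile(
    r"^(?P<path>.+?) \((?P<detection>[^)]+)\)"
    r"(?: -> Data: (?P<data>.+?))? -> (?P<action>.+?)\.?$"
)

def parse_mbam_log(text):
    """Return one dict per detected item, tagged with the log section it came from."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if not line or line.startswith("(") or section is None:
            continue  # blank line, "(No malicious items detected)", or pre-summary header
        m = ITEM_RE.match(line)
        if m:
            items.append(dict(m.groupdict(), section=section))
    return items

def userinit_removals(items):
    """Flag quarantined Winlogon\\Userinit data. When the removed value pointed at the real
    system32\\userinit.exe, the scanner deleted the entry that starts the user shell at
    logon, which is the 'saving your settings' loop described in the thread."""
    flagged = []
    for it in items:
        if it["section"] != "Registry Data Items Infected":
            continue
        if not it["path"].lower().endswith("\\winlogon\\userinit"):
            continue
        data = (it["data"] or "").lower().rstrip(",")
        flagged.append({"data": it["data"], "action": it["action"],
                        "legitimate_path": data.endswith("system32\\userinit.exe")})
    return flagged

# Value the quoted procedure says to type back into Winlogon\Userinit, trailing comma included.
EXPECTED_USERINIT = "C:\\WINDOWS\\System32\\userinit.exe,"

def userinit_value_ok(value):
    """True only for the exact expected path with its trailing comma (case-insensitive)."""
    return value.strip().lower() == EXPECTED_USERINIT.lower()
```

Running `userinit_removals(parse_mbam_log(SAMPLE_LOG))` on the constructed log yields one hit with `legitimate_path` set, the same situation the two logs in #3 show.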




