
Removal not working for Total Security



#1 AlexWKS

Posted 14 August 2009 - 12:47 AM

My main PC has been hit by that annoying "Warning! Your're in danger!" wallpaper and the "Total Security" rogue app.
I could not open Process Explorer as advised in: http://www.bleepingcomputer.com/virus-removal/remove-total-security
I tried to start the PC in Safe Mode, but every time I tap F8, it shows a set of instructions and then reboots.
I could not open any file, including MBAM.

What should I do since I couldn't even disable the rogue app's process?


#2 AlexWKS

Posted 14 August 2009 - 05:14 AM

I even tried to race with Total Security by using Avenger to delete tsc.exe and Sc2C21UvvM.exe, but after rebooting, the report states that both files were not found.

Please help... the "Warning! Your're in danger" and "virus scan" are making me crazy.

#3 AlexWKS

Posted 14 August 2009 - 11:15 AM

BUMP.

#4 AlexWKS

Posted 15 August 2009 - 06:32 AM

BUMP

#5 AlexWKS

Posted 15 August 2009 - 03:15 PM

BUMP

#6 AlexWKS

Posted 16 August 2009 - 12:52 AM

This is what the Total Security rogue app looks like.

I realized that every time I tap F8 for Safe Mode, it reaches a point where it asks me to "Press ESC to cancel loading sptd.sys" and then it reboots.

Is this another symptom of the spyware?

#7 Blade (Site Admin)

Posted 16 August 2009 - 02:21 AM

Hello AlexWKS, and welcome to BleepingComputer.

Firstly, I understand that having a malware infection such as Total Security can be frustrating, but please realize that all of us here are volunteers. We aren't paid, we're here only because of our desire to help. Unfortunately, that means we are limited in how many people we can help.

Your topic has not been intentionally overlooked. In truth, the reason that no one has responded to your topic thus far is because of your constant bumps. Continually replying to the topic makes it appear as if someone is already helping you.


That being said, let's see if we can get you back on track for removing this pest. Try renaming the Process Explorer executable (procexp.exe) to winlogon.exe. Try running it now, and see if it will open.

Post back here and let me know if that doesn't work.

~Blade


#8 AlexWKS

Posted 16 August 2009 - 05:05 AM

Firstly, I would sincerely like to thank the staff of BleepingComputer for helping people like me solve our issues.

Also, I understand that the people here are volunteers, and I would like to explain the constant bumps. I honestly wasn't trying to pressure anyone or force anyone into replying to my post immediately. I did it so that my post wouldn't end up on page 10 and get lost and ignored. I'm really sorry if I caused any inconvenience. Please pardon my ignorance, as this kind of thing happens too often on other forum-based sites.

Anyway, the winlogon.exe trick works perfectly! However, I couldn't find tsc.exe or Sc2C21UvvM.exe, but I killed off a process called 14659.exe, which is the spyware's process, and I assume this number will change every time (hope this info can help others).

This is my log:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 2

8/16/2009 5:49:53 PM
mbam-log-2009-08-16 (17-49-53).txt

Scan type: Quick Scan
Objects scanned: 108312
Time elapsed: 6 minute(s), 51 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 15
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 16

Memory Processes Infected:
C:\Documents and Settings\Alex\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\ieobject.ieobjectobj (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ieobject.ieobjectobj.1 (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\targetwebads.targetwebads (Adware.TargetWebADS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8152a0b9-deb6-476e-bc67-175b19080a8a} (Adware.TargetWebADS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\targetwebads.targetwebads.1 (Adware.TargetWebADS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0b0a76e7-ade1-41f4-b157-559605721b3a} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ca13d72f-2dac-4d99-b08d-c5ea1c920e89} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{50da37bb-7083-4fa7-80cf-de4cdb634166} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{dfb2e345-ad44-462d-b07a-a513718fabdb} (Adware.TargetWebADS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ca13d72f-2dac-4d99-b08d-c5ea1c920e89} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca13d72f-2dac-4d99-b08d-c5ea1c920e89} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{02092770-F6F6-4dce-BDDD-46527E098E57} (Adware.TargetWebADS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\TargetWebADS (Adware.TargetWebADS) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\16374844 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hblock (Adware.TargetWebADS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bblock (Adware.TargetWebADS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msctrl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msavsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msscan.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiemon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msfw.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssadv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msctrl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msavsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msscan.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiemon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msfw.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssadv.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\16374844 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Program Files\Target Web ADS (Adware.TargetWebADS) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\16374844\16374844.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\16374844\16374844 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\16374844\pc16374844ins (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Program Files\Target Web ADS\TargetWebADS.dll (Adware.TargetWebADS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temp\MSA\fff.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temp\MSA\mssadv.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Program Files\Target Web ADS\TargetWebADSh.exe (Adware.TargetWebADS) -> Quarantined and deleted successfully.
C:\Program Files\Target Web ADS\TargetWebADSb.exe (Adware.TargetWebADS) -> Quarantined and deleted successfully.
C:\Program Files\Target Web ADS\Uninstall.exe (Adware.TargetWebADS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temp\MSA\msctrl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temp\MSA\msavsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temp\MSA\msscan.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temp\MSA\msiemon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temp\MSA\msfw.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
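
As an added example (not from this thread, Malwarebytes, or any poster), a small Python triage script for the log format AlexWKS pasted above: it parses the section/entry layout, counts detections by family, flags the entries that are persistence points (the Run keys, the Tasks .job file, the DisableTaskMgr policy), and sets aside reserved-name heuristic hits such as the Desktop winlogon.exe, which is most likely the renamed Process Explorer from post #7 rather than malware and deserves a manual look before being treated as an infection. The embedded sample log is a constructed excerpt of the log above.

```python
import re
from collections import Counter

# Constructed sample in the layout of the MBAM 1.40 log above (a few of its entries).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.40
Memory Processes Infected: 1

Memory Processes Infected:
C:\Documents and Settings\Alex\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\16374844 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temp\MSA\fff.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

SECTION = re.compile(r"^([A-Za-z ]+ Infected):$")   # "Files Infected:" (count lines end in a number)
ENTRY = re.compile(r"^(.+?) \(([^()]+)\) -> (.+)$")  # item (Detection) -> action

def parse_log(text):
    """Return (section, item, detection, action) for every detail line."""
    entries, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION.match(line)
        if m:
            section = m.group(1)
        elif section and (m := ENTRY.match(line)):
            entries.append((section,) + m.groups())
    return entries

def persistence_kind(item):
    """Name the reboot-survival mechanism behind an entry, or None."""
    low = item.lower()
    if "\\currentversion\\run\\" in low:
        return "autorun (Run key)"
    if low.startswith("c:\\windows\\tasks\\") and low.endswith(".job"):
        return "scheduled task"
    if low.endswith("\\policies\\system\\disabletaskmgr"):
        return "policy: Task Manager disabled"
    return None

def summarize(text):
    """Triage: detection families, persistence points, and reserved-name hits to verify."""
    entries = parse_log(text)
    report = {"families": Counter(e[2] for e in entries), "persistence": [], "verify": []}
    for _section, item, detection, _action in entries:
        kind = persistence_kind(item)
        if kind:
            report["persistence"].append((kind, item))
        # Reserved-name heuristics key on the file name alone: a tool renamed to
        # winlogon.exe (as advised in post #7) lands here and needs a manual check.
        if detection.startswith("Heuristics.Reserved.Word"):
            report["verify"].append(item)
    return report
```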

#9 AlexWKS

Posted 16 August 2009 - 05:07 AM

My system seems to be running smoothly. I'm going to update MBAM and run a Full System scan again as a precaution. Is there anything else I could do to ensure that the malware is totally removed?

Edited by AlexWKS, 16 August 2009 - 05:10 AM.


#10 Blade (Site Admin)

Posted 16 August 2009 - 05:37 AM

Here's another scanner you could run.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (uncheck all others):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". When logging in, do NOT log in under the account titled "Admin" or "Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

~Blade


#11 AlexWKS

Posted 16 August 2009 - 06:35 AM

This is my second log after full system scan with updated MBAM:

Malwarebytes' Anti-Malware 1.40
Database version: 2634
Windows 5.1.2600 Service Pack 2

8/16/2009 7:21:06 PM
mbam-log-2009-08-16 (19-21-06).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 225668
Time elapsed: 1 hour(s), 17 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ca13d72f-2dac-4d99-b08d-c5ea1c920e89} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca13d72f-2dac-4d99-b08d-c5ea1c920e89} (Adware.WebDir) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{511C714D-D653-47DC-B24B-14CA99B02FCA}\RP27\A0008717.exe (Trojan.Banker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{511C714D-D653-47DC-B24B-14CA99B02FCA}\RP27\A0008730.exe (Trojan.Banker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{511C714D-D653-47DC-B24B-14CA99B02FCA}\RP27\A0009779.exe (Trojan.Banker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{511C714D-D653-47DC-B24B-14CA99B02FCA}\RP27\A0010813.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.


In your professional opinion, do you think it will be totally cleared after this full system run?
Also, the download link for SUPERAntiSpyware doesn't seem to be working. I will give it another try later.

#12 DaChew (BC Advisor)

Posted 16 August 2009 - 07:43 AM

> Also, the download link for SUPERAntiSpyware doesn't seem to be working. I will give it another try later.

It's working fine here?

I would strongly suggest running some more scans before assuming this is clean.
Chewy

#13 AlexWKS

Posted 16 August 2009 - 01:27 PM

Hi both, I've downloaded SUPERAntiSpyware, but unfortunately there's something wrong with my Safe Mode.
After tapping F8, it shows a set of instructions and then my PC reboots after showing "Press ESC to cancel loading sptd.sys".
Does this have something to do with the malware, or is one of my .dll files corrupted?

#14 DaChew (BC Advisor)

Posted 16 August 2009 - 02:26 PM

Run SAS in normal mode.
Chewy
