Posted 01 September 2009 - 06:08 PM
My cousin asked me to take a look at his laptop as a new anti-virus he installed is locking up his computer. It turns out he has a new version of the Total Security spyware/virus. This one has a different logo, but acts mostly the same way as a previous version of Total Security that I removed off of a co-worker's computer. In my searching for an answer, I saw how detailed your security team was, and was wondering if you could help me out. I read through the prep guide, but was unable to complete all of the steps.
There are three icons in the task bar that I think are working together. One is the red shield with a white 'X' symbol Windows XP Security Center uses when there is a problem. Another is a red circle with a white 'X'. The last symbol looks like a combination lock with a globe in the center where the dial should be. I do not see the normal shield symbol of the old version.
The desktop was replaced with a message stating that the user is in danger and needs to use the software.
What I've done:
I ran DDS, but it did not create the logs. The command window is on for long enough to read a line or two before it closes. No text files are created. Rerunning gives me the normal warning from Total Security that the file is infected and will not open.
I started running the RootRepeal scan, but the program closed before it finished running. When I tried to open the program again, I get the normal warning from Total Security that the file is infected and will not open.
I was able to get Process Explorer from Sysinternals to run when I renamed it to iexplore.exe. I saw several find.exe files were running at the time. When I killed them, the icons mentioned above went away from the system tray, but I was still unable to run DDS and RootRepeal.
HijackThis was able to be installed, but it suffered the same fate as the other programs. I think that these programs are being logged in the registry or somewhere in Total Security.
I tried all of this in safe mode, but I get the same results of no returned logs. Any ideas on what I can do in order to run the programs you requested?
Thank you for your time and help. I will check my email for updates as often as I can.