

Security Center Alert


  • This topic is locked
27 replies to this topic

#1 fermomi

fermomi

  • Members
  • 26 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:01:29 PM

Posted 06 December 2009 - 04:19 PM

Good evening,

I have many pop-ups opening on my screen which prevent me from working properly. :thumbsup:

I work with Windows XP Pro and I was downloading a big file.

The issue started with a "Security Center Alert" pop-up every 2 minutes. After some hours, different pop-up windows appeared. One of them asks me to buy software called "AntiMalware".

Even the status bar (bottom right of the screen) has got some new icons which also pop up some alarming messages.

This afternoon, my computer went off on its own and then restarted by itself (twice now).

I was trying to save archive files, but now the DVD burner software no longer works. I don't know whether that has a link with my problem or Murphy's law! I will buy a USB disk to save what I can save.

I have also got some new icons on the desktop. When I erase them, they come back when Windows restarts.

To finish, this computer is used by 2 or 3 different people on the same account (mine). Is there a possibility to have different accounts in order to limit future issues to only one account?


What can I do ?

Thanks in advance for your help.

Best Regards

FMM

PS: I am writing from another computer because the infected one is starting to get boring.


#2 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:29 AM

Posted 06 December 2009 - 10:03 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Select the Immediate Notification bullet, then press Submit.



Let's take a look with Malwarebytes.

Please download Malwarebytes' Anti-Malware from here:
Malwarebytes
Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e., Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Double Click zztoy.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the entire MBAM report (even if it does not find anything) in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


If Malwarebytes won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Computer Pro

#3 fermomi

fermomi
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:01:29 PM

Posted 08 December 2009 - 09:58 AM

Good afternoon Computer Pro,

When having all these troubles with my computer I went over the net and found some sites where people were speaking about an equivalent problem. Bleepingcomputer was very interesting due to its tutorials and other very good information on other pages.

As soon as I discovered I was infected, I first disconnected the computer from the internet. I know it was too late but my intention was not to add more trouble.

I also bought a 250 GB external disk to save everything I could save from my personal data. Then, in case I went too far with a registry modification (you see what I mean: blue screen, no start, ...), my data would be safe.

Of course, being off the internet, it was difficult to read my mail. Therefore I read all the documents and tutorials I downloaded from Bleepingcomputer. Going through these documents, I learnt a lot of things about the registry, spyware, ... They were speaking about two complementary programs (Spybot Search and Destroy and Ad-Aware).

Yesterday evening I ran Spybot many times, but the "viruses" were coming back after a short while.

Early this morning, I ran Ad-Aware, which detected the following:
wscsvc32.exe ......... which can be confusing as it looks like winscv32.exe which is very useful for running Windows
richtx64.exe ........... which, as per Google, is a well known virus
amext.dll .... which, as per Google, is a malicious trojan

While waiting for a second run, I put them into quarantine (under Ad-Aware).

The second time, Ad-Aware didn't find anything more (malware in the quarantine area).

I then took Spybot, ran it and it discovered the same thing.

Then I decided to erase all these entries (now done)

=====>>>> after some hours, no more pop-ups or warnings or whatsoever.

I decided 1 or 2 hours ago to run Spybot again, just to be sure!!! (thanks St Thomas) and the only thing found was a trim problem in one registry entry:

(SBI $2E20C9A9) Reglages
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start (is not) W=2

I corrected it (Spybot did) and launched a new analysis with Spybot ........ Same problem with the same registry entry.

Then, I launched a new analysis with Ad-Aware; it found nothing.

Do I have to correct the registry entry? Or even erase the entry?

I am really sorry for not having seen your answer before, but being disconnected from the internet is like dying a bit and I couldn't stay doing nothing and crying in front of my machine. The good side is that I've been reading about the registry, .... and it was very interesting, an amazing world!

May I ask you whether it is good for my machine to apply the treatment you describe on top of what I already did?

For the moment, my machine is in quarantine, meaning that I am not confident, as we could have another virus somewhere waiting for the right moment to be launched. One of the warnings was: "your machine needs information, please relaunch your machine with the Windows password" or something equivalent.

I am also going to reinstall McAfee with the latest updates and I will leave either Spybot or Ad-Aware running in the background.

Just tell me whether I have to apply the treatment you recommend on top of what has already been done.

I would like to thank you very much for your support. I hope one day I shall have the right knowledge to help someone.

Many thanks

Regards

FMM

#4 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:29 AM

Posted 08 December 2009 - 03:22 PM

Yes, please do apply the treatment, as Spybot and AdAware most likely missed a lot of things; they are no longer being recommended due to poor testing results.
Computer Pro

#5 fermomi

fermomi
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:01:29 PM

Posted 08 December 2009 - 04:40 PM

Good evening Computer Pro

I will download the recommended software and will apply the treatment tomorrow morning. At work I have a completely secure network (servers dedicated to a powerful firewall + spam detection + antivirus + ...) and it looks much safer to download from there. I shall also post the result of the test.

Many thanks for your help.

Concerning Spybot and Ad-Aware, they are recommended in Bleepingcomputer's tutorial. Perhaps starters like me should be warned?

Best Regards

fermomi

#6 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:29 AM

Posted 08 December 2009 - 05:03 PM

Can you please give me a link to the tutorial that says that?
Computer Pro

#7 fermomi

fermomi
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:01:29 PM

Posted 08 December 2009 - 05:48 PM

Good evening,

The tutorial titles are:

- Simple and easy ways to keep your computer safe and secure on the internet

- Understanding Spyware, Browser, Hijackers and Dialers

Regards

FMM

#8 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:29 AM

Posted 08 December 2009 - 05:55 PM

Ok, I see. Well I checked and those articles have a date of 2004, which is of course a long while ago. So new tools like Malwarebytes and SAS have been invented since then. I'll be waiting for your Malwarebytes log tomorrow.
Computer Pro

#9 fermomi

fermomi
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:01:29 PM

Posted 09 December 2009 - 12:01 PM

Good afternoon,

Late this morning I put the infected document on the web and I discovered that even if Spybot and Ad-Aware said the situation was OK, it wasn't, as I had a warning in the computer window (bottom right of the screen).

I cannot copy the print screen or a bmp file ---- sorry.

I then ran MBAM and I had a lot of detections.

------------------------------
here comes the mbam report
-----------------------------

Malwarebytes' Anti-Malware 1.42
Version de la base de données: 3331
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

09/12/2009 17:18:33
mbam-log-2009-12-09 (17-18-07).txt

Type de recherche: Examen complet (C:\|D:\|)
Eléments examinés: 214691
Temps écoulé: 42 minute(s), 11 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 2
Valeur(s) du Registre infectée(s): 3
Elément(s) de données du Registre infecté(s): 2
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 4

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\CoreGuard (Rogue.CoreguardAV) -> No action taken.

Valeur(s) du Registre infectée(s):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antimalware (Rogue.AntiMalware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\richtx64.exe (Trojan.Agent) -> No action taken.

Elément(s) de données du Registre infecté(s):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> No action taken.

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
D:\Documents and Settings\mfernand\Local Settings\Temp\uac5e7.tmp (Trojan.FakeAlert) -> No action taken.
D:\Documents and Settings\mfernand\Local Settings\Temp\uacf01d.tmp (Trojan.FakeAlert) -> No action taken.
D:\Documents and Settings\mfernand\Local Settings\Temp\uacf7de.tmp (Trojan.FakeAlert) -> No action taken.
D:\Documents and Settings\mfernand\Local Settings\Temporary Internet Files\Content.IE5\KIOL46M5\eH9be3d734V0100f060006R9a6a0292102Td0f96463203l000c317P000800070[1] (Trojan.FakeAlert) -> No action taken.


-------------------------------------------------------------------------------------

Reading the result of the analysis, I noticed my computer was speaking French. Is that a problem for you?

I hope that will give you sufficient information to help me

Best Regards

Fermomi

#10 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:29 AM

Posted 09 December 2009 - 04:13 PM

The French is fine, I can still read what I need from the log. Please make sure that you have Malwarebytes remove those items that it found.

And then:

Please run ATF and SAS:

Note: SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note 2: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Edition.

Save both to the desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.



Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
Computer Pro

#11 fermomi

fermomi
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:01:29 PM

Posted 10 December 2009 - 03:27 AM

Good morning Computer Pro,

This morning I launched MBAM again with the same result as yesterday.

I asked MBAM to repair what it found.

MBAM asked me to restart the computer to apply the modifications and the computer refused to restart, giving a blue screen with:

STOP : c000021a (System Error ....

Impossible to go further ... What can I do now?

Thanks for your help

Regards

fermomi

#12 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:29 AM

Posted 10 December 2009 - 07:57 AM

Once the computer starts to boot up, start pressing F8 until the Windows Boot options screen shows. Use the arrow keys to select "Last Known Good Configuration" and then press enter and see if it boots.
Computer Pro

#13 fermomi

fermomi
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:01:29 PM

Posted 10 December 2009 - 09:30 AM

Hi,

It worked, I am back with a very appreciated desktop with all icons. Phew!

I hesitate now to ask MBAM to clean again! Do I have to?

Is it possible to repair the issues one-by-one?

Thanks for F8

Regards

FMM

#14 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:29 AM

Posted 10 December 2009 - 03:15 PM

Let's see the Malwarebytes log. It should be under the "Logs" tab of the program.
Computer Pro

#15 fermomi

fermomi
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:01:29 PM

Posted 10 December 2009 - 04:20 PM

Good evening,

Under the malware..... directory, the only directory I have is "languages", nothing more.

I am going to paste the last log I got before launching the big wash.

-------------------here it goes-----------------------------
no, no, sorry

I stored the logs elsewhere. Sorry for that, but this morning I had a shock with the blue screen.

---------log at the end of mbam analysis------------------------------
Malwarebytes' Anti-Malware 1.42
Version de la base de données: 3331
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

10/12/2009 09:07:48
mbam-log-2009-12-10 (09-07-26).txt

Type de recherche: Examen complet (C:\|D:\|)
Eléments examinés: 216448
Temps écoulé: 42 minute(s), 28 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 2
Valeur(s) du Registre infectée(s): 3
Elément(s) de données du Registre infecté(s): 2
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 4

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\CoreGuard (Rogue.CoreguardAV) -> No action taken.

Valeur(s) du Registre infectée(s):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antimalware (Rogue.AntiMalware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\richtx64.exe (Trojan.Agent) -> No action taken.

Elément(s) de données du Registre infecté(s):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> No action taken.

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
D:\Documents and Settings\mfernand\Local Settings\Temp\uac5e7.tmp (Trojan.FakeAlert) -> No action taken.
D:\Documents and Settings\mfernand\Local Settings\Temp\uacf01d.tmp (Trojan.FakeAlert) -> No action taken.
D:\Documents and Settings\mfernand\Local Settings\Temp\uacf7de.tmp (Trojan.FakeAlert) -> No action taken.
D:\Documents and Settings\mfernand\Local Settings\Temporary Internet Files\Content.IE5\KIOL46M5\eH9be3d734V0100f060006R9a6a0292102Td0f96463203l000c317P000800070[1] (Trojan.FakeAlert) -> No action taken.

-----------------------------------------------------------------------------------------------

------------------log after cleaning--------------------------------------------------
Malwarebytes' Anti-Malware 1.42
Version de la base de données: 3331
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

10/12/2009 09:08:03
mbam-log-2009-12-10 (09-08-03).txt

Type de recherche: Examen complet (C:\|D:\|)
Eléments examinés: 216448
Temps écoulé: 42 minute(s), 28 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 2
Valeur(s) du Registre infectée(s): 3
Elément(s) de données du Registre infecté(s): 2
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 4

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\CoreGuard (Rogue.CoreguardAV) -> Quarantined and deleted successfully.

Valeur(s) du Registre infectée(s):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antimalware (Rogue.AntiMalware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\richtx64.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Elément(s) de données du Registre infecté(s):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
D:\Documents and Settings\mfernand\Local Settings\Temp\uac5e7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\Documents and Settings\mfernand\Local Settings\Temp\uacf01d.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\Documents and Settings\mfernand\Local Settings\Temp\uacf7de.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\Documents and Settings\mfernand\Local Settings\Temporary Internet Files\Content.IE5\KIOL46M5\eH9be3d734V0100f060006R9a6a0292102Td0f96463203l000c317P000800070[1] (Trojan.FakeAlert) -> Quarantined and deleted successfully.

--------------------------------------------------------------------------------

I hope that helps

Regards

FMM
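The two MBAM logs in this post differ only in the action column, which is exactly what a helper checks before declaring a machine clean. The following is an added example, not code from the thread or from Malwarebytes: a small parser for the MBAM 1.x text-log format (section header, then one "object (Category.Family) -> action" line per item, with an optional "Bad/Good" segment for data items), a consistency check of the summary counts against the listed items, a flag for Rootkit.* families, and a before/after diff that lists anything not reported as quarantined. The sample logs are abridged from the ones posted above; the helper and function names are the example's own.

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs (French localisation, as above) and diff scans."""
import re
from dataclasses import dataclass

# Detection line: <object> (<Category.Family>) -> [Bad: (x) Good: (y) ->] <action>
DETECTION_RE = re.compile(
    r"^(?P<obj>.+?) \((?P<family>[A-Za-z]+\.[A-Za-z0-9]+)\) -> (?P<rest>.+)$")
SUMMARY_RE = re.compile(r"^(?P<label>[^:]+): (?P<count>\d+)$")  # "<label>: <integer>"

@dataclass(frozen=True)
class Detection:
    section: str   # log section header, kept in the log's own language
    obj: str       # registry key/value or file path
    family: str    # e.g. Rootkit.TDSS, Trojan.FakeAlert
    action: str    # text after the last "->" (e.g. "No action taken.")

def parse_mbam_log(text):
    """Return (summary_counts, detections) for one MBAM log."""
    counts, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):  # blank or "(Aucun élément nuisible détecté)"
            continue
        m = DETECTION_RE.match(line)
        if m and section is not None:
            action = m["rest"].split(" -> ")[-1]  # skip the "Bad: (1) Good: (0)" segment if present
            detections.append(Detection(section, m["obj"], m["family"], action))
        elif (m := SUMMARY_RE.match(line)):
            counts[m["label"]] = int(m["count"])
        elif line.endswith(":"):
            section = line[:-1]
    return counts, detections

def check_counts(counts, detections):
    """Sections whose summary count disagrees with the items actually listed."""
    listed = {}
    for d in detections:
        listed[d.section] = listed.get(d.section, 0) + 1
    return {s: (counts.get(s), n) for s, n in listed.items() if counts.get(s) != n}

def rootkit_families(detections):
    """Rootkit.* hits: a kernel component may hide objects, so a later clean log is weak evidence."""
    return sorted({d.family for d in detections if d.family.startswith("Rootkit.")})

def remediation_status(before_text, after_text):
    """Detections from the first log that the second log does not report as quarantined."""
    _, before = parse_mbam_log(before_text)
    _, after = parse_mbam_log(after_text)
    cleaned = {d.obj for d in after if d.action.startswith("Quarantined and deleted")}
    return [d for d in before if d.obj not in cleaned]

# Abridged from the two logs posted above (same objects, fewer lines).
BEFORE_LOG = r"""Malwarebytes' Anti-Malware 1.42
Clé(s) du Registre infectée(s): 2
Elément(s) de données du Registre infecté(s): 1
Fichier(s) infecté(s): 1

Clé(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\CoreGuard (Rogue.CoreguardAV) -> No action taken.

Elément(s) de données du Registre infecté(s):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> No action taken.

Fichier(s) infecté(s):
D:\Documents and Settings\mfernand\Local Settings\Temp\uac5e7.tmp (Trojan.FakeAlert) -> No action taken.
"""
# The post-cleaning log on the page differs only in the action column.
AFTER_LOG = BEFORE_LOG.replace("No action taken.", "Quarantined and deleted successfully.")
```

Running `remediation_status(BEFORE_LOG, AFTER_LOG)` on the two logs returns an empty list, while `rootkit_families` still reports Rootkit.TDSS, which is why the helper asks for further scans with other tools rather than stopping at a clean MBAM log.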



