Security master av removal [Solved/Closed]

- - Latest reply: Gervarod
Posts
306
Registration date
Saturday March 27, 2010
Status
Member
Last seen
June 8, 2014
- Sep 16, 2010 at 06:54 AM
Hello,


I have been trying for two days to get rid of this virus. I have done loads both in safe mode and normal mode and managed to get rid of thousands, I kid you not, of viruses, worms, trojans and items related to this damn Security Master AV. All were removed. I am now round the bend as it is not in the Add/Remove Programs list. I cannot find it anywhere, but it is in the Windows Security Centre running the firewall and antivirus. I cannot download AVG as it only gets halfway and tells me to uninstall this program. I can't, so I can't get AVG. Also, I have run the removal tool found through Google; it didn't work. I went through all the steps on two different websites to remove this and nothing has worked.
Now when I run Malwarebytes, Spybot SD etc., it comes up clean, but Security Master AV is lurking on here somewhere. How can I find it and get rid of it, before I kill myself?

20/45 replies

Posts
51271
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
August 21, 2019
11847
0
Thank you
Hello,

Very interesting problem you have there!

To fix the problem, I must have a HijackThis log.

http://free.antivirus.com/hijackthis/

Please download, install and request a scan and save a log. Copy the log and post it here.

Regards
0
Thank you
Thanks for trying to help. I did this before on the advice of another website and was told to look for a certain entry which I could not find in the list. Hope you can see what the problem is:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:58:01, on 08/09/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Computer Updater\ComputerUp-daterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Computer Updater\ComputerUp-dater.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = a5cb934b8ee74
R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Computer Updater] "C:\Program Files\Computer Updater\ComputerUp-dater.Exe" /boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - (no file)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe (file missing)
O23 - Service: ComputerUpdater Service - SafeApp Software, LLC - C:\Program Files\Computer Updater\ComputerUp-daterService.exe
0
Thank you
Hello Ruby

Yes, there are other websites, but there is Kioskea, the reference in IT forums.

1. Please run another HijackThis scan but do not request a log.

2. Once the scan is finished, please check the following items:

R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)

O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe (file missing)

3. Click Fix checked and close HijackThis.

Download, install and run Malwarebytes, which you can find on this site:

http://ccm.net/download/download-105-malwarebytes-anti-malware

Ensure you make an update.

Please request a FULL system scan, which may take from 20 minutes to hours. Do not interfere no matter how long it takes. The creators of Malwarebytes recommend that while the tool is running you go do something else, such as watching a rerun of Gone with the Wind or reading Tolstoy's War and Peace.

If Malwarebytes restarts your system, launch it again to finish the Full scan.

When the scan is completed, delete all items found.

Once your computer is clean and working normally just to be on the safe side
*Turn off system restore and wait 30 seconds,
*Turn it back on and create a new restore point.

This way it gets rid of anything bad that might have gotten saved in a restore point and you have a clean restore point to use in the near future if needed.
Do not turn it off until your computer is clean and working normally because you might need to use it if something goes wrong during the clean-up process.
It is better to go back to an infected restore point if something goes wrong than to not be able to undo changes that were damaging.

Please let me know the results.
0
Thank you
Thanks, I have done as you said with HijackThis. I already had Malwarebytes so I have updated it and am now running a full scan. Will let you know what happens.
0
Thank you
OK, I am now going to kill myself. I did the Malwarebytes scan after fixing the stuff in HijackThis, then after the scan, which didn't pick up anything:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4570

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

08/09/2010 13:15:29
mbam-log-2010-09-08 (13-15-29).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 133774
Time elapsed: 12 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I then switched off System Restore, waited about 30 seconds and turned it back on. Then I started AVG for the umpteenth time and again it stopped and said: "Some potentially incompatible software is currently installed. To continue the installation please remove the following application: Security Master AV." And sure enough it is still running as the firewall and antivirus in Windows Security Centre in Control Panel. Maybe he should just chuck this and get a new laptop; I am ready to throw it out the window. Thanks for your help. Any more suggestions?
0
Thank you
Hello,

Please, wait for my permission before killing yourself, I do not want to have you on my conscience for the rest of my life, do it only if you get my okay.

I am pretty sure now that we are dealing with a rogue trojan horse;

Please follow the following procedure carefully and to the letter.

You have a rogue virus Trojan Horse which is self protective, thus it will prevent any antivirus from functioning.

You must kill the evil processes which the virus is presently running and preventing you from running any antivirus. If you don't it will keep reproducing the files for ever.

To kill the processes:

1. Download to your desktop and run Rogue Kill:

http://download.bleepingcomputer.com/grinler/rkill.com

2. You should now see a window that shows all of your desktop icons, including the rkill.com program.

3. Double-click on the rkill.com in order to automatically attempt to stop any processes associated with the Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step.

If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the Horse when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the processes . So, please try running Rkill until malware is no longer running.

As a matter of fact, if you get messages, it is a sign that the virus is agonizing with excruciating pain, so you can just grin while it is suffering! :)))

Please, DO NOT REBOOT your computer or the processes will come back to haunt you!

Then full scan again with Malwarebytes.

After you are done, remember: do not throw yourself into the river or anything like that.
0
Thank you
Back again. I followed the instructions. Rkill ran without problems and only takes seconds. I used this yesterday and it gave the same result. I did not get any messages or anything trying to stop me from running it:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as User on 08/09/2010 at 14:05:08.


Services Stopped:


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\User\Desktop\rkill.com


Rkill completed on 08/09/2010 at 14:05:11.

Then I ran Malwarebytes again (I did not reboot or anything):

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4570

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

08/09/2010 14:20:25
mbam-log-2010-09-08 (14-20-25).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 133823
Time elapsed: 12 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Ambucias
So do you still have Security Master?

Are you still breathing?
0
Thank you
Yes and yes. I am not getting all the problems that were present when he gave me this laptop to hopefully fix. It was redirecting web pages, kept putting the findgala website address in, and getting pop-ups etc., but since I have used Malwarebytes, SUPERAntiSpyware, HijackThis and CCleaner amongst others (I have flung everything at it) I am only having problems getting it to let go in Windows Security Centre. I found a few websites directing you to kill processes in Task Manager and find certain files etc. and delete them. I tried that but found I did not have the processes, and following the paths for the files I could not see any that matched what I was looking for. Back to square one, do you think? Barbequed laptop might be in order!
At the moment I have downloaded the Windows Malicious Software Removal Tool and it is scanning the lappy. Think this is the only one I have not yet tried. Let you know what happens, but I am not holding my breath. Thanks again.
0
Thank you
BBQ laptops taste awful, like carbonised plastic; it would be like killing yourself and I said not to do that.

I have two more solutions:

1. Run another HijackThis scan and delete the items that have reappeared, then...

READ CAREFULLY IF NOT, LIGHT-UP THE BBQ

Remedy one:

I shall prescribe to you a very powerful antidote that is able to kill and send any virus to the glue factory. It is of very last resort and should not be abused; as a matter of fact, once you have used it, I suggest you delete it from your system.

To keep your system safe, you must follow the instructions hereunder to the letter:

1. Download Combofix to your desktop.

http://www.combofix.org/download.php

2. Close all open Windows including this one.

Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

3. Double click on the ComboFix icon.

Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.

4. Accept the disclaimer and the recovery

5. You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer.

ComboFix will disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings.

If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.

During the process, please do not mouse click nor must you tap on the keyboard. Let the tool run.

Once you are done, report to me on how your system is behaving.

Good luck

Ambucias
0
Thank you
OK, I will give that a go. Need to wait till this one is finished, mind you.
0
Thank you
You said to disable any antivirus and firewall. That might be a problem as I cannot stop the Security Master AV; that is what is running the firewall and antivirus just now and I have found no way to stop it. Windows Security Centre reports I have two firewalls running, as I had put Windows' own one on, but I can't see how to stop the other one or the antivirus.
Windows Malicious Software Removal Tool reports no malicious software.
I went back in to Security Centre and tried again to stop the antivirus and turn off the firewall. When I try to turn off the firewall, the Windows firewall is the only one I can turn off. There are options to manage the automatic updates and Windows firewall, so I can turn them off or on, but not the Security Master AV crap.
0
Thank you
Hello Ruby, can you smell the plastic BBQing?

Sorry I did not reply immediately for I had to log off; we all have a personal life.

You may feel that I am repeating things but I have added a few things which will help.

I am sure of myself, for this solution also appears on other websites such as the reputable Malware Bleeping Computer:

2. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

3. Before we can do anything we must first end the processes that belong to Security Master AV so that it does not interfere with the cleaning procedure. To do this, download the following file to your desktop.

rkill.com Download Link

4. Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with Security Master AV and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Security Master AV when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Security Master AV. So, please try running Rkill until the malware is no longer running. You will then be able to proceed with the rest of the guide. If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

Do not reboot your computer after running rkill as the malware programs will start again.


5. Now you should download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link (Download page will open in a new window)

6. Once downloaded, close all programs and Windows on your computer, including this one.

7. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.

8. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If Malwarebytes' prompts you to reboot, please do not do so.

9. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.

10. On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Security Master AV related files.

11. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.

12. When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the Security Master AV removal process.


13. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

14. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.


15. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.

16. You can now exit the MBAM program.

17. As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system. Please note that if you or your company has added custom entries to your HOSTS file then you will need to add them again after restoring the default HOSTS file. In order to protect itself, Security Master AV changes the permissions of the HOSTS file so you can't edit or delete it. To fix these permissions please download the following batch file and save it to your desktop:

Hostsperm.bat Download Link
When the file has finished downloading, double-click on the hostsperm.bat file that is now on your desktop. If Windows asks if you are sure you want to run it, please allow it to run. Once it starts you will see a small black window that opens and then quickly goes away. This is normal and is nothing to be worried about. You should now be able to access your HOSTS file.

18. We now need to delete the C:\Windows\System32\Drivers\etc\HOSTS file. Once it is deleted, download the following HOSTS file that corresponds to your version of Windows and save it in the C:\Windows\System32\Drivers\etc folder. If the contents of the HOSTS file opens in your browser when you click on a link below then right-click on the appropriate link and select Save Target As..., if in Internet Explorer, or Save Link As..., if in Firefox, to download the file.

Windows XP HOSTS File Download Link
Windows Vista HOSTS File Download Link
Windows 2003 Server HOSTS File Download Link
Windows 2008 Server HOSTS File Download Link
Windows 7 HOSTS File Download Link
Your Windows HOSTS file should now be back to the default one from when Windows was first installed.

19. Now reboot your computer.
0
Thank you
I have been on the bleepingcomputer.com website and followed these instructions before I came on here. Nothing changed. I am still left with Security Master AV on the computer although all the pop-ups and redirections have stopped. It is still in control of the firewall and antivirus and there is no way of switching it off.

I have also been on 2-virus.com and followed the list of Task Manager files, DLL files to disable and registry files to remove. I DO NOT HAVE ANY. The Task Manager is not showing any of these files, when I tried disabling the DLL files it told me they were not found, and the registry does not have one single file that is in the list. I think the first run of Malwarebytes removed all the files and registry stuff that was related to Security Master AV, but I still have the actual program/virus, whatever it is, on the computer and I can't get any other antivirus because of it.
thank you for your help
0
Thank you
Hello,

I re-examined your HJT log, I can't see your antivirus programme. Can you remind me what it is?
Which firewall are you using, Win or other?

This is the exact problem. I can't get any antivirus to install because they all say I have SECURITY MASTER AV installed, but this is a virus. It has taken over the Windows Security Centre; it is running a firewall and an antivirus, well not really as IT is a virus. But I have tried to install AVG and PC Tools Antivirus Free, and they both tell me to uninstall Security Master AV before I install their program as they will conflict, and I cannot uninstall this as I do not know where it is running from. There are no processes related to it in Task Manager, no files or folders relating to it that I can see. It is very well hidden. It has also disabled System Restore.
0
Thank you
You know what, Ruby, I now understand why you wanted to BBQ your machine, but I would much prefer to BBQ, live, the guy who concocted this virus.

Thank you for the reminder, for there are so many threads to read, one may get a little lost.

I do hope that we will not be required to do a Windows repair for it may mean data loss.

1. I would like you to go to c:\ at the root, try to spot stand-alone unusual files (not in a folder), often numeric, and tell me what they are, if any.

2. Please download, install and run this totally free but efficient registry cleaner.

http://www.eusing.com/free_registry_cleaner/registry_cleaner.htm

Before you delete the registry entries and there could be a ton, you may be able to spot the virus in local machine.
Gervarod
What about using Safe Mode with no networking?
0
Thank you
Hello, have you tried to disconnect your laptop from the internet before loading these programs that you put on a CD or a USB drive? As you should know, the rogue virus may be downloading and updating files, making it harder for your computer to remove these files. What are you using: XP, Vista or Windows 7? But one thing is, make sure you have another computer near you, like one of your friends' or parents'.

Hope you have not BBQ'd your laptop or killed yourself, as I and Ambucias can help you.

Cheers, Gervarod
0
Thank you
I tried to do a system recovery and found that the option which is supposed to be in START - PROGS - SYSTEM RECOVERY is not there. I should also be able to access it via F10 on start up but it did not come up. It is an Advent 7086 with XP OEM, so the XP is preloaded and he did not get an XP CD with it. I was just going to wipe the lot, he agreed to me doing that, but now I can't even do that; at least he would have a fresh PC. I am going to download all the antivirus, Malwarebytes etc. on my PC and put them on CD to transfer to his laptop, to see if that makes any difference. When I click on Windows Security Centre and expand the firewall it says at least one of the firewalls on your computer is currently ON, and goes on to say two firewalls running at the same time can conflict with each other. The only one I can turn off is the Windows one! When I expand the antivirus this is what it says: Security Master AV reports that it is up to date and virus scanning is on. Where the heck is it running from? That's what I need to find out. I have checked and double checked for processes relating to this in Task Manager and they are never there. How is it running without the processes showing up!
0
Thank you
OK, I deleted all the progs I downloaded on here, downloaded them on my PC, put them on CD and transferred them back on here. Malwarebytes still comes up clean. HijackThis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 09:14:04, on 10/09/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = a5cb934b8ee74
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
0
Thank you
Please run another HJT scan and remove:

O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - (no file)

I suggested to you to run the registry cleaner and to look in to your C for suspicious files. Did you?

Can you put a name on the other firewall?

You said that your XP was preinstalled, mine was too, yet one must never purchase a computer without the disc.

Do you have any precious data which you have not backed-up?
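
The check used in this thread (ticking HijackThis entries whose target is "(no file)" or "(file missing)", then re-scanning to see what is left) can be done mechanically. The following is an added example, not part of the original posts and not HijackThis code; the function names are assumptions, and the log lines are excerpted from the two logs posted above.

```python
import re

# Lines excerpted from the first HijackThis log posted in this thread.
FIRST_SCAN = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = a5cb934b8ee74
R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - (no file)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe (file missing)
O23 - Service: ComputerUpdater Service - SafeApp Software, LLC - C:\Program Files\Computer Updater\ComputerUp-daterService.exe
"""

# Lines excerpted from the second log (10/09/2010), after the fixes were applied.
SECOND_SCAN = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = a5cb934b8ee74
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
"""

# "R0 - ...", "O2 - ...", "O23 - ..." : section code, separator, rest of the entry.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Suffixes HijackThis prints when the registry entry points at nothing on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entries(log_text):
    """Return one dict per registry/startup entry; header and process lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append({
            "code": m.group("code"),
            "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            "orphaned": body.endswith(ORPHAN_MARKERS),
        })
    return entries


def orphaned(entries):
    """Entries whose target file no longer exists (leftovers of removed software)."""
    return [e for e in entries if e["orphaned"]]


def orphaned_by_clsid(entries):
    """Group orphaned entries by CLSID: one component is often registered in several places."""
    groups = {}
    for e in orphaned(entries):
        if e["clsid"]:
            groups.setdefault(e["clsid"], []).append(e["code"])
    return groups


def unresolved(before, after):
    """Orphaned entries from the earlier scan that are still listed in the later scan."""
    remaining = {(e["code"], e["body"]) for e in after}
    return [e for e in orphaned(before) if (e["code"], e["body"]) in remaining]


if __name__ == "__main__":
    first, second = parse_entries(FIRST_SCAN), parse_entries(SECOND_SCAN)
    for e in orphaned(first):
        print("orphaned:", e["code"], "-", e["body"])
    for clsid, codes in orphaned_by_clsid(first).items():
        if len(codes) > 1:
            print("registered in several sections:", clsid, codes)
    for e in unresolved(first, second):
        print("still present after fix:", e["code"], "-", e["body"])
```
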
0
Thank you
I will run HijackThis again and do as you said. I have not run the registry cleaner but I will do, and I have searched through the C drive but everything there looks like it belongs. I will have another look.
The other firewall is Windows' own.
His XP was preinstalled. Usually with OEM PCs you need to make your own backup DVDs right away; laptops usually have a separate partition with the recovery media, but you can usually still make a recovery DVD. He did not do this.
I am back at work just now so it will be difficult to get much done.
Thank you for your patience, and no, he does not have very much on it: lots of 3gp mobile videos and a few pictures but nothing he can't replace, t