
System Tool



In a moment of madness, I "accidentally" let this trojan through McAfee by running a fake Adobe Flash update.

This version of System Tool wouldn't let me do anything from desktop. My XP restore options were going to lose all my data and my data backups were probably not going to restore everything with certainty. Setting up another drive and using malware cleanups on my damaged system also looked like a painful process.

So .... What I did to get round it was --- fired half a dozen control-alt-dels at XP as it was loading drivers and putting up desktop. (Process manager is still running OK at this point)

Then while the trojan was trying to work that out, I loaded, using Start - Help and Support. Got restore running and went back to a previous saved restore point. Perfect result!!

Hope this helps some of you.

I'd appreciate any tips from the experts on ensuring all traces of this virus are gone for good.


Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

XP Users

Double-click My Computer.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Uncheck "Hide file extensions for known file types."

Under the "Hidden files" folder, select "Show hidden files and folders."

Uncheck "Hide protected operating system files."

Click Apply, and then click OK.

Vista Users

To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.

Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.

When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:

Double-click on the Folder Options icon.

Click on the View tab.

If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.

Click on Show Hidden Files or Folders.

Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

Remove the checkmark from the checkbox labeled Hide extensions for known file types.

Remove the checkmark from the checkbox labeled Hide protected operating system files.

Please do not delete anything unless instructed to.

I've been seeing some Java infections lately.

Go here and follow the instructions to clear your Java Cache

http://www.java.com/en/download/help/plugin_cache.xml

Next:

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


Many thanks for your post.

I followed your instructions and got the following log from mbam:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5977

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

06/03/2011 22:12:44

mbam-log-2011-03-06 (22-12-44).txt

Scan type: Quick scan

Objects scanned: 146891

Time elapsed: 5 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I'll sleep easy tonight!

The only question I have: Did McAfee modify these register entries or was it the malware?

Many thanks again for taking the trouble to guide me through the clean up checks.


Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

My guess is McAfee. I've seen other Anti-virus programs do the same thing.

How's it running?

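The two detections discussed in the posts above use Malwarebytes' one-line format for registry data items. The following is an added example, not part of the original thread and not Malwarebytes' own code: a Python parser for that line format that cross-checks the summary counts against the detail lines and lists the Security Center notification values that were flagged. The function names are hypothetical and the sample log is constructed from the lines quoted in the thread.

```python
import re

# Constructed sample: excerpt of the log posted in this thread (blank lines omitted).
SAMPLE_LOG = r"""Registry Data Items Infected: 2
Files Infected: 0
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""

# Detail line: <key>\<value> (<detection>) -> Bad: (<data>) Good: (<data>) -> <action>
ENTRY = re.compile(
    r"^(?P<key>HKEY_[^()]+)\\(?P<value>[^\\()]+?) \((?P<detection>[^)]+)\)"
    r" -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$"
)
# "X Infected: N" is a summary count; "X Infected:" opens the detail section.
SECTION = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")

def parse_mbam_log(text):
    """Return (summary counts, parsed detail entries) keyed by section name."""
    counts, entries, section = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION.match(line)
        if m:
            section = m["section"]
            entries.setdefault(section, [])
            if m["count"] is not None:
                counts[section] = int(m["count"])
            continue
        m = ENTRY.match(line)
        if m and section:
            entries[section].append(m.groupdict())
    return counts, entries

def mismatched_sections(counts, entries):
    """Sections whose summary count differs from the detail lines parsed,
    e.g. when a pasted log was truncated or edited."""
    return sorted(s for s, n in counts.items() if len(entries.get(s, [])) != n)

def notification_suppressions(entries):
    """(value, bad, good) for Security Center *DisableNotify values in the log."""
    return [(e["value"], e["bad"], e["good"])
            for e in entries.get("Registry Data Items Infected", [])
            if e["key"].endswith(r"\Security Center")
            and e["value"].endswith("DisableNotify")]
```
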

System running AOK. Thanks again.

BTW, I just noticed in the log of the full McAfee file scan I did using their latest update (two days ago)- says it deleted two trojans. Better late than never!


You're more than welcome.

Glad we were able to help

Peace be with you
