penandnen · Posted March 3, 2011 · ID:395549

In a moment of madness, I "accidentally" let this trojan through McAfee by running a fake Adobe Flash update. This version of System Tool wouldn't let me do anything from the desktop. My XP restore options were going to lose all my data, and my data backups were probably not going to restore everything with certainty. Setting up another drive and using malware cleanups on my damaged system also looked like a painful process.

So .... What I did to get round it was: fired half a dozen Ctrl-Alt-Dels at XP as it was loading drivers and putting up the desktop. (Process manager is still running OK at this point.) Then, while the trojan was trying to work that out, I loaded System Restore using Start - Help and Support. Got restore running and went back to a previously saved restore point. Perfect result!!

Hope this helps some of you. I'd appreciate any tips from the experts on ensuring all traces of this virus are gone for good.
LDTate · Posted March 6, 2011 · ID:396731

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:
1. These tools MUST be run from the executable (.exe) every time you run them.
2. With Admin Rights (right click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post. You might want to print these instructions out.

I suggest you do this:

XP Users
Double-click My Computer. Click the Tools menu, and then click Folder Options. Click the View tab. Uncheck "Hide file extensions for known file types." Under the "Hidden files" folder, select "Show hidden files and folders." Uncheck "Hide protected operating system files." Click Apply, and then click OK.

Vista Users
To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:
Close all programs so that you are at your desktop.
Click on the Start button. This is the small round button with the Windows flag in the lower left corner.
Click on the Control Panel menu option.
When the control panel opens you can either be in Classic View or Control Panel Home view:
If you are in the Classic View do the following: Double-click on the Folder Options icon. Click on the View tab.
If you are in the Control Panel Home view do the following: Click on the Appearance and Personalization link. Click on Show Hidden Files or Folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.

Please do not delete anything unless instructed to.

I've been seeing some Java infections lately. Go here and follow the instructions to clear your Java Cache: http://www.java.com/en/download/help/plugin_cache.xml

Next:
Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.
Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
penandnen (Author) · Posted March 6, 2011 · ID:396988

Many thanks for your post. I followed your instructions and got the following log from mbam:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5977

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

06/03/2011 22:12:44
mbam-log-2011-03-06 (22-12-44).txt

Scan type: Quick scan
Objects scanned: 146891
Time elapsed: 5 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I'll sleep easy tonight! The only question I have: Did McAfee modify these registry entries or was it the malware?

Many thanks again for taking the trouble to guide me through the clean up checks.
LDTate · Posted March 6, 2011 · ID:397023

> Registry Data Items Infected:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

My guess is McAfee. I've seen other Anti-virus programs do the same thing.

How's it running?
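A defender-side check for the two Security Center values discussed in the posts above, added here as an example and not from the thread or from Malwarebytes: it reads the key path shown in the MBAM log and reports any flag still set to 1 (the "Bad" value, which suppresses the Security Center warning). Assumed: PowerShell 2.0 or later, and an elevated session only if the optional -Restore switch is used.

```powershell
# Added example (not from the thread): audit the Windows Security Center
# notification flags that MBAM flagged as PUM.Disabled.SecurityCenter.
# Key path and value names are taken from the scan log in this thread.
$SecurityCenterKey = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$NotifyFlags = 'AntiVirusDisableNotify', 'FirewallDisableNotify'

function Get-SecurityCenterNotifyState {
    param(
        [string]$Path = $SecurityCenterKey,
        [string[]]$Names = $NotifyFlags,
        [switch]$Restore   # set a suppressed flag back to 0, the value MBAM calls "Good"
    )
    foreach ($name in $Names) {
        # A missing value is the default state: notifications enabled.
        $item  = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        $value = $null
        if ($item) { $value = $item.$name }

        if ($value -eq $null)  { $status = 'absent (default: notifications on)' }
        elseif ($value -eq 0)  { $status = 'ok (notifications on)' }
        else                   { $status = 'SUPPRESSED - confirm whether your AV product set this' }

        if ($Restore -and $value -ne $null -and $value -ne 0) {
            Set-ItemProperty -Path $Path -Name $name -Value 0 -Type DWord
            $status += ' -> restored to 0'
        }

        # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0 (XP).
        New-Object PSObject -Property @{ Name = $name; Value = $value; Status = $status }
    }
}

# Report only by default; add -Restore to re-enable the warnings.
Get-SecurityCenterNotifyState | Format-Table Name, Value, Status -AutoSize
```

If a flag reads as suppressed after a cleanup, check your antivirus product's own Security Center integration setting before restoring it, since (as LDTate notes) some AV products set these values themselves.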
penandnen (Author) · Posted March 7, 2011 · ID:397360

System running AOK. Thanks again. BTW, I just noticed in the log of the full McAfee file scan I did using their latest update (two days ago) - says it deleted two trojans. Better late than never!
LDTate · Posted March 7, 2011 · ID:397365

> System running AOK. Thanks again. BTW, I just noticed in the log of the full McAfee file scan I did using their latest update (two days ago) - says it deleted two trojans. Better late than never!

You're more than welcome. Glad we were able to help.

Peace be with you
LDTate · Posted March 7, 2011 · ID:397366

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.