TechSpot

Nasty Malware Please Help Me Remove

By missa
Aug 23, 2009
  1. Hello,
    I'm new to this site. I haven't yet figured it out, but I have read through this post, which is similar to my problem: Brutal Malware - help.
    So PLEASE can you help me. I'm so desperate to get my system working to continue my 1 year-old job search (yes, I've been unemployed that long and my computer is my last life line).
    For the past 3 days (since Aug 19) I have been feverishly clearing Registry Editor, removing and removing "PC Antispyware 2010", "Protection System", Coreguard, coreext.dll etc. I had McAfee and Malwarebytes Anti-Malware 1.40, which I'd updated and run on Aug 17, but where this vicious parasite came from is beyond me.
    I even followed "mflynn" instructions to "skein4 on 11-11-2008, 09:11 AM" but nothing is working in Safe Mode with Networking. I downloaded SuperAntispyware, but it will not run either. I've even downloaded X-cleaner, but Xblocker no longer supports it and the malware would not let me run it in Firefox 3.0.4.
    Below is:

    Tasklist
    Image Name PID Services
    ========================= ====== =============================================
    System Idle Process 0 N/A
    System 4 N/A
    smss.exe 748 N/A
    csrss.exe 1224 N/A
    winlogon.exe 1248 N/A
    services.exe 1296 Eventlog, PlugPlay
    lsass.exe 1308 N/A
    svchost.exe 1456 DcomLaunch, TermService
    svchost.exe 1624 RpcSs
    svchost.exe 1720 Browser, CryptSvc, Dhcp, dmserver, helpsvc,
    lanmanserver, lanmanworkstation, Netman,
    SharedAccess, winmgmt, WZCSVC
    svchost.exe 1852 Dnscache
    svchost.exe 1888 LmHosts
    explorer.exe 1096 N/A
    mcmscsvc.exe 1484 mcmscsvc
    MpfSrv.exe 1728 MpfService
    mcagent.exe 368 N/A
    ctfmon.exe 884 N/A
    wscsvc32.exe 296 N/A
    svchost.exe 376 N/A
    WINWORD.EXE 1024 N/A
    firefox.exe 800 N/A
    iexplore.exe 2252 N/A
    iexplore.exe 2324 N/A
    iexplore.exe 612 N/A
    iexplore.exe 2788 N/A
    net.exe 3052 N/A
    net1.exe 3576 N/A
    mbam-setup[1].exe 3288 N/A
    mbam-setup[1].tmp 2860 N/A
    iexplore.exe 3924 N/A
    iexplore.exe 584 N/A
    mbam.exe 860 N/A
    cmd.exe 3056 N/A
    cmd.exe 2544 N/A
    tasklist.exe 3400 N/A
    wmiprvse.exe 3904 N/A
     
  2. missa

    missa TS Rookie Topic Starter

    Additional Info

    I ran all of these below in Safe Mode; they scanned and then disappeared, so I can't tell if they found anything.
    majorgeeks dot com/Kaspersky_AVP_Tool_d4515 dot html
    majorgeeks dot com/Dr dot Web_CureIT_d4783 dot html
    majorgeeks dot com/Prevx_CSI_-_FREE_Malware_Scanner_d5785 dot html
    majorgeeks dot com/Norman_Malware_Cleaner__d5450 dot html

    ScQuery

    SERVICE_NAME: Browser
    DISPLAY_NAME: Computer Browser
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: CryptSvc
    DISPLAY_NAME: Cryptographic Services
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: DcomLaunch
    DISPLAY_NAME: DCOM Server Process Launcher
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: Dhcp
    DISPLAY_NAME: DHCP Client
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: dmserver
    DISPLAY_NAME: Logical Disk Manager
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: Dnscache
    DISPLAY_NAME: DNS Client
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: Eventlog
    DISPLAY_NAME: Event Log
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: helpsvc
    DISPLAY_NAME: Help and Support
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: lanmanserver
    DISPLAY_NAME: Server
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: lanmanworkstation
    DISPLAY_NAME: Workstation
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: LmHosts
    DISPLAY_NAME: TCP/IP NetBIOS Helper
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: mcmscsvc
    DISPLAY_NAME: McAfee Services
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: MpfService
    DISPLAY_NAME: McAfee Personal Firewall Service
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: Netman
    DISPLAY_NAME: Network Connections
    TYPE : 120 WIN32_SHARE_PROCESS (interactive)
    STATE : 4 RUNNING
    (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: PlugPlay
    DISPLAY_NAME: Plug and Play
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: RpcSs
    DISPLAY_NAME: Remote Procedure Call (RPC)
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 4 RUNNING
    (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: SharedAccess
    DISPLAY_NAME: Windows Firewall/Internet Connection Sharing (ICS)
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: TermService
    DISPLAY_NAME: Terminal Services
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: winmgmt
    DISPLAY_NAME: Windows Management Instrumentation
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: WZCSVC
    DISPLAY_NAME: Wireless Zero Configuration
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0
     
  3. missa

    missa TS Rookie Topic Starter

    Here is Norman Malware Cleaner Info

    Please, I'm begging: can someone please help fix this problem? Now google dot com is blocked; I can get to search, but if I click on an article it will not open up. I did some Registry Editor "enable" just now but still can't get MBAM to run.

    Norman Malware Cleaner
    Copyright © 1990 - 2009, Norman ASA. Built 2009/08/19 05:48:17

    Norman Scanner Engine Version: 6.01.09
    Nvcbin.def Version: 6.01.00, Date: 2009/08/19 05:48:17, Variants: 3695880

    Scan started: 22/08/2009 23:09:24

    Running pre-scan cleanup routine:
    Operating System: Microsoft Windows XP Professional 5.1.2600(Safe mode with network) Service Pack 2
    Logged on user: LENOVO-C2C1C07B\Michelle Ledgister

    Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe rundll32.exe tapi.nfo beforeglav" -> "Explorer.exe"
    Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000001
    Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoFolderOptions = 0x00000001


    Scanning running processes and process memory...

    Number of processes/threads found: 1693
    Number of processes/threads scanned: 1693
    Number of processes/threads not scanned: 0
    Number of infected processes/threads terminated: 0
    Total scanning time: 44s


    Scanning file system...

    Scanning: C:\*.*

    C:\Documents and Settings\Michelle Ledgister\Local Settings\Temp\msupd_2.exe (Infected with W32/Obfuscated.P2!genr)
    Norman Malware Cleaner
    Copyright © 1990 - 2009, Norman ASA. Built 2009/08/19 05:48:17

    Norman Scanner Engine Version: 6.01.09
    Nvcbin.def Version: 6.01.00, Date: 2009/08/19 05:48:17, Variants: 3695880

    Scan started: 22/08/2009 23:25:45

    Running pre-scan cleanup routine:
    Operating System: Microsoft Windows XP Professional 5.1.2600(Safe mode with network) Service Pack 2
    Logged on user: LENOVO-C2C1C07B\Michelle Ledgister

    Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe rundll32.exe tapi.nfo beforeglav" -> "Explorer.exe"


    Scanning running processes and process memory...

    C:\Program Files\Protection System\psystem.exe (Infected with W32/FakeAV.Q!genr)
    Terminated process
    Removed registry value: HKCU\Software\Microsoft\Windows\CurrentVersion\Run -> Protection System = ""C:\Program Files\Protection System\psystem.exe" -noscan"
     
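    The Norman log above records the two things a responder cares about: which files were flagged, and which registry changes the cleaner reverted (the Winlogon Shell hijack, the policy values that disabled Registry Editor and Folder Options, and the Run-key entry for psystem.exe). The triage script below is an added example, not code from the thread or from Norman; it parses lines in that log format and labels each registry finding with the technique it indicates. The sample log is constructed to mirror the format, with a placeholder user path.

```python
import re

# Constructed sample in the Norman Malware Cleaner log format quoted in the thread
# (placeholder user path; not the poster's real log).
SAMPLE_LOG = r"""
Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe rundll32.exe tapi.nfo beforeglav" -> "Explorer.exe"
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000001
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoFolderOptions = 0x00000001
C:\Documents and Settings\USER\Local Settings\Temp\msupd_2.exe (Infected with W32/Obfuscated.P2!genr)
C:\Program Files\Protection System\psystem.exe (Infected with W32/FakeAV.Q!genr)
Terminated process
Removed registry value: HKCU\Software\Microsoft\Windows\CurrentVersion\Run -> Protection System = ""C:\Program Files\Protection System\psystem.exe" -noscan"
"""

SET_RE = re.compile(r'^Set registry value: (?P<key>.+?) = "(?P<old>.*)" -> "(?P<new>.*)"$')
REMOVED_RE = re.compile(r'^Removed registry value: (?P<key>.+?) -> (?P<name>.+?) = (?P<data>.*)$')
INFECTED_RE = re.compile(r'^(?P<path>.+?) \(Infected with (?P<sig>[^)]+)\)$')

# Policy values that, when non-zero, lock the user out of the tools needed for cleanup.
LOCKOUT_POLICIES = {"DisableRegistryTools", "DisableTaskMgr", "NoFolderOptions"}


def _nonzero(data):
    """True if a logged REG_DWORD-style value such as 0x00000001 is non-zero."""
    try:
        return int(data, 0) != 0
    except ValueError:
        return False


def classify_registry(key, name, data):
    """Map one registry finding to the persistence or lockout technique it indicates."""
    k = key.lower()
    if k.endswith(r"\winlogon\shell") and data.lower() != "explorer.exe":
        return "winlogon_shell_hijack"      # extra program chained onto the shell
    if "\\policies\\" in k and name in LOCKOUT_POLICIES and _nonzero(data):
        return "tool_lockout_policy"        # regedit / folder options disabled
    if k.endswith(r"\currentversion\run") or k.endswith(r"\currentversion\runonce"):
        return "run_key_persistence"        # autostart entry for the rogue AV
    return "other"


def parse_norman_log(text):
    """Return (infected, registry): flagged files and classified registry findings."""
    infected, registry = [], []
    for line in (l.strip() for l in text.splitlines()):
        if m := SET_RE.match(line):       # "Set" lines carry the malicious old value
            registry.append({"action": "set", "key": m["key"], "name": "", "data": m["old"],
                             "technique": classify_registry(m["key"], "", m["old"])})
        elif m := REMOVED_RE.match(line):
            registry.append({"action": "removed", "key": m["key"], "name": m["name"],
                             "data": m["data"],
                             "technique": classify_registry(m["key"], m["name"], m["data"])})
        elif m := INFECTED_RE.match(line):
            infected.append((m["path"], m["sig"]))
    return infected, registry


def triage(text):
    """One-line summary: number of flagged files and the distinct techniques seen."""
    infected, registry = parse_norman_log(text)
    return {"infected_files": len(infected),
            "techniques": sorted({r["technique"] for r in registry} - {"other"})}
```

    Run it over a saved Norman log to get the same summary; a Shell value other than plain Explorer.exe or a non-zero DisableRegistryTools is worth re-checking after reboot, since the poster's second scan shows the Shell value had been set again.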
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Unfortunately, there are no trained malware helpers on TS. If you still have the program, you can get help HERE.

    Please follow the directions for the programs to run and how to attach the logs. The moderator may well remove what you have pasted here.
     
  5. missa

    missa TS Rookie Topic Starter

    Bobbye, thanks for the link. I'll have to use someone else's computer, as the infected laptop freezes once I boot up and enter my password into the logon screen. Once I was able to get into Safe Mode with Networking, but the system soon froze up again.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. You can use a flash drive if needed. Download the programs to the flash drive and install them on the problem computer. I suggest you use Safe Mode alone instead of with Networking. The security programs don't run in the networking setting; if you are connecting to the internet, it will leave you vulnerable.
     
Topic Status:
Not open for further replies.
