Solved

Displaying Virus Alert wallpaper in windows xp

Posted on 2009-05-15
11
14,603 Views
Last Modified: 2013-12-06
In my laptop virus alert wallpaper is displaying and System security 2009 automatically installed. System security 2009 showing that my laptop is infected with virus it ask me to scan after scan it showing many viruses. when i try to clean all virus it ask me to activate the system security 2009.

I am using Mcafee virus scan it has catched some Fake Trojan virus . Now macfee also infected onaccess scan has been disabled automatically.

I have attached hijackthis log file and wallpaper screen shot.
hijackthis.log
virus.JPG
0
Comment
Question by:rajasekarramasamy
  • 4
  • 3
  • 3
  • +1
11 Comments
 
LVL 7

Expert Comment

by:LANm0nk3y
ID: 24401513
Remove System security 2009 from your system.  Download spybot search and destroy, and also adaware.  Reboot your system in safemode with networking.  Insall those two, and update the definitions.  Scan them there, another one you should try is http://malwarebytes.org/.
0
 
LVL 15

Accepted Solution

by:
xmachine earned 200 total points
ID: 24401532
Hi,

1) Kill the following processes (From Task Manager):

C:\Documents and Settings\All Users\Application Data\17167654\17167654.exe
C:\Documents and Settings\All Users\Application Data\97177646\97177646.exe

2) Delete the following Files (Unknown & Looks malicious):

C:\Documents and Settings\All Users\Application Data\17167654\17167654.exe

C:\Documents and Settings\All Users\Application Data\97177646\97177646.exe

3) Delete the following Registry Keys (Unknown & Looks malicious):

O4 - HKLM\..\Run: [17167654] C:\Documents and Settings\All Users\Application Data\17167654\17167654.exe

O4 - HKLM\..\Run: [97177646] C:\Documents and Settings\All Users\Application Data\97177646\97177646.exe

4) Delete the following BHO using ToolbarCop:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

http://windowsxp.mvps.org/toolbarcop.htm

5) Upload the mentioned executables to:

http://vil.nai.com/vil/submit-sample.aspx
http://virustotal.com

6) Download & Run CCleaner to wipe any related temp/junk files:

http://www.ccleaner.com/download

7) Reboot Windows in "Safe Mode" and run a full virus scan

8) Run Hijackthis again and attach the log file for additional reviewing

A Symantec Certified Specialist @ your service
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24401548
Smitfraudfix deals with Desktop Hijacks, or you can also try Combofix and MalwareBytes as already suggested.

1. Please download SmitfraudFix, and select Option 2. Clean (Safe mode recommended)
http://siri.geekstogo.com/SmitfraudFix.php


2. Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



If you want to manually delete the files as well as fixing the Hijackthis entries as already suggested, you need to delete the folder not just the .exe.
C:\Documents and Settings\All Users\Application Data\17167654 <-- this folder
C:\Documents and Settings\All Users\Application Data\97177646 <-- this folder

Or just use aboe scanners to remove the reg entries and directories as often than not there will be files that aren't showing in the log.
0
 

Author Comment

by:rajasekarramasamy
ID: 24401553
Hi rpggamergirl,

I already tried with combofix but no improvement.......

0
 
LVL 15

Expert Comment

by:xmachine
ID: 24401580
Hi rajasekarramasamy,

Have you tried my solution? Any additional guidance you need?
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 

Author Comment

by:rajasekarramasamy
ID: 24401649
Hi xmachine,

I followed your steps it works great!. I have attached new hijackthis log file.



New-hijackthis.log
0
 
LVL 15

Expert Comment

by:xmachine
ID: 24401675
The new hijackthis.log doesn't contain any malicious entry anymore. Congrats dude ... your system is clean :)

0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24401682
Has this been resolved?
If not... just attach the combofix log so we can check to make sure it's clean, since a clean Hijackthis log doesn't necessarily mean a clean system as some nasties can still hide from the hijackthis scan.
0
 
LVL 15

Expert Comment

by:xmachine
ID: 24401713
rpggamergirl is right, so let's do some more advanced testing.

Please do the following:

1) Download & run GMER (rootkit scanner) from (http://www2.gmer.net/gmer.zip)

2) Start GMER, select all options on the right side, after scanning is finished, click on save. Attach the log file here

3) Visit Symantec Online virus scan page to do addition check-up

http://security.symantec.com

Select "Symantec Security Check" on the right side

0
 

Author Comment

by:rajasekarramasamy
ID: 24401723
Hi rpggamergirl,

I have attached combofix log.

 After i followed the xmachine steps desktop wallpaper and system security 2009 has been removed.


combofix-log.txt
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 50 total points
ID: 24404985
That log is the result of the 3rd scan.
Log is clean.

To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:

ComboFix /u
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How to remove the ad in PC win8? 7 69
Ransom.CRYPTXXX Activity 2 9 103
Sophos EC migration to Cloud. 1 86
Check a file for virus / malware 24 129
PREFACE The purpose of this guide is to provide information to successfully install the MS SQL client tools for the Symantec Endpoint Protection Manager (SEPM) to function properly when installed on Windows 2008. AUDIENCE Information Technology…
For those of you actively in the Malware fightling business, we now have available an amazing new tool in the malware wars (first recommended to me by rpggamergirl (http://www.experts-exchange.com/M_3598771.html), the Zone Advisor for the Virus and …
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now