
I want to shoot somebody...

SeaJayPea | 20:01 Thu 29th Nov 2012 | Computers
4 Answers
..in particular the b@st@rd who wrote the virus that's attacked my desktop!

Having got that off my chest, the story so far. A week or so ago I opened a picture that I'd found on Google Images. Something didn't seem quite right with the way it opened, so I closed it and thought no more of it. However, shortly afterwards, a thing I have called WinPatrol started telling me of something that wanted to go into my Startup. (I've already posted about this, thanks to those who helped then.) It was something called wxlsjynn.exe.

I've tried to run Malwarebytes and BT's security package (McAfee), but they won't load. Nor can I download any other system protecting software.

I've now started the machine in Safe Mode and, lo and behold, both Malwarebytes and McAfee work!

I've scanned it using both at different times. They both find something, they both have deleted it but, when I reboot the machine, there it is back again!

The below is the result of a Malwarebytes scan I just did:

Vendor / Category / Item

Rootkit.Agent / File / C:\Documents and Settings\Local Settings\Temp\ejjaygd.sys

Rootkit.Agent / Registry Key / HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service

PUM.Disabled.SecurityCenter / Registry Data / HKLM\SOFTWARE\Microsoft\Security Center\AntivirusDisableNotify / Bad [1] Good [0]

PUM.Disabled.SecurityCenter / Registry Data / HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify / Bad [1] Good [0]

PUM.Disabled.SecurityCenter / Registry Data / HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify / Bad [1] Good [0]

The mis-spelling of Microsoft in the second one is exactly how it appears.

It's driving me potty. Can anybody out there in AB Land help?

This is an eight-year-old Dell Dimension running XP and IE8.

Thanks for staying with me. And thanks in advance for any help you're able to give.

Regards

Answers

The PUM.Disabled.SecurityCenter bit is not a real problem - PUM stands for Potentially Unwanted Modification. Some antivirus programs turn off Security Centre notifications so that you don't get two messages when your preferred one is disabled or turned off (one from your preferred antivirus software and then another one from Security Centre itself).

Some nasties manage to hide themselves in a way that will let your antivirus or malware software find something, and delete what they find, but reinfect the machine on a reboot. No, I don't know how it's done, but I had one like that a couple of years ago which also stopped me from getting access to a lot of the major security software websites and prevented me from accessing Task Manager, even in the Admin user in safe mode.

So, a few things to try. If you can get to the site in safe mode with networking, try the free Sophos scanner first; http://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx is the download site.

If that doesn't work, on a clean computer download one or both of the Kaspersky Rescue Disk (the link is http://support.kaspersky.com/viruses/rescuedisk ) or the Avira Rescue Disk (the download site is http://www.avira.com/en/download/product/avira-antivir-rescue-system/product/avira-antivir-rescue-system/product/avira-antivir-rescue-system ; get the ISO rather than the exe), burn it to a CD, then boot the infected computer from the CD and run a scan.

I haven't used the Kaspersky one, but if it needs to download updates before it scans the computer, let it do so. The Avira one is updated regularly, sometimes daily, and doesn't need to download any updates. If you really want to do a belt-and-braces job, do a scan with both of them, though that might be overkill.

If, after getting things cleaned up, you find that you can't access Task Manager, there is a program called RRT which will let you reset the permissions to that and a number of other things. The demo version is free (it has some restrictions, but should still let you reset the things you need to reset, or did when I last used it) and it will probably come up with some advertising to try and persuade you to buy the full version. The download site is http://www.sergiwa.com/modules/mydownloads/singlefile.php?cid=2&lid=1

If that lot doesn't work, I'm out of ideas for home-brew fixing!
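As an added example (not code from either poster), a small Python triage script over the Malwarebytes lines quoted in the question: it separates the PUM.Disabled.SecurityCenter entries, which the answer above explains are often set by legitimate antivirus software, from the Rootkit.Agent entries, and flags a service name that imitates "Microsoft" with a misspelling, as the question noticed. The category list and the similarity threshold are assumptions.

```python
import difflib
import re

# Constructed sample: the Malwarebytes lines quoted in the question, with the
# split service-key line re-joined and the "Micorsoft" misspelling kept.
SCAN_LINES = [
    r"Rootkit.Agent File C:\Documents and Settings\Local Settings\Temp\ejjaygd.sys",
    r"Rootkit.Agent Registry Key HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service",
    r"PUM.Disabled.SecurityCenter Registry Data HKLM\SOFTWARE\Microsoft\Security Center\AntivirusDisableNotify Bad [1] Good [0]",
    r"PUM.Disabled.SecurityCenter Registry Data HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify Bad [1] Good [0]",
    r"PUM.Disabled.SecurityCenter Registry Data HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify Bad [1] Good [0]",
]

# Category labels Malwarebytes prints between vendor and item (assumed set).
CATEGORIES = ("Registry Data", "Registry Key", "Registry Value", "File", "Folder")
LINE_RE = re.compile(
    r"^(?P<vendor>\S+) (?P<category>" + "|".join(CATEGORIES) + r") "
    r"(?P<item>.+?)(?: Bad \[(?P<bad>[^\]]*)\] Good \[(?P<good>[^\]]*)\])?$"
)

def parse_line(line):
    """Split one scan line into vendor, category, item and optional Bad/Good values."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def lookalike_of(word, brand="microsoft", threshold=0.8):
    """True if word resembles the brand name without being it (e.g. 'Micorsoft')."""
    w = word.lower()
    return w != brand and difflib.SequenceMatcher(None, w, brand).ratio() >= threshold

def severity(rec):
    """PUM entries are often legitimate AV behaviour; rootkit entries are not,
    and a service whose name imitates Microsoft is the strongest signal."""
    if rec["vendor"].startswith("PUM."):
        return "info"
    name = rec["item"].rsplit("\\", 1)[-1]
    if "\\Services\\" in rec["item"] and any(lookalike_of(w) for w in name.split()):
        return "critical-lookalike"
    return "critical" if rec["vendor"].startswith("Rootkit.") else "review"

def triage(lines):
    """Parse and rank every line; lines that do not parse are skipped."""
    recs = [r for r in map(parse_line, lines) if r]
    for rec in recs:
        rec["severity"] = severity(rec)
    return recs

if __name__ == "__main__":
    for rec in triage(SCAN_LINES):
        print(f"{rec['severity']:<18} {rec['vendor']:<28} {rec['item']}")
```

Run as-is it prints one ranked line per finding; the three Security Center values come out as "info", the temp-folder driver as "critical" and the misspelled service as "critical-lookalike".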
Question Author
Huderon, thanks so much. I'll give all that a try and come back here to let you know how I got on.
If you Google for the "Panda anti-Root kit", you can download and run it.
It's FREE and is OK as far as I'm concerned as I've had it on my computer for years.
Hope this helps in some way.
-- answer removed --
