system defender


dadbug

malware has infected my computer. trace.registry.VirusShield2009!A2. I cannot seem to remove the system defender program.

also, iseeyou is not working. i am getting a message "The process cannot access the file because it is being used by another process."

~ INLINE LOGS REMOVED {Lynx}

really appreciate any help.


Hi dadbug, and welcome to the new forum.

The rules have changed compared to the old forum, where you were requesting assistance in the past.

Read START HERE, if you don't we are just going to send you back to this thread

and attach all required log files

You ran Smart Scan. Update a-squared; rerun and attach Deep Scan report

Provide brief description of the problems and/or the symptoms of the system's misbehaviour, if any

My regards

P.S.

In addition, if you are using Symantec/Norton, Adaware, etc., or were using those previously, irrespectively submit flagged items from the detection list to EMSI developers for analysis.

Some of the detections could be False Positives

(e.g. C:\WINDOWS\system32\drivers\atapi.sys, if not poisoned, is a legitimate system file)


Thread Closed

Reason: Lack of Response

PM either ShadowPuterDude or Lynx to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread


all instructions followed as requested.

i have attached the a-squared free and hijackfree logs.

in regards to ISeeYouXP log, i get this message:

The system cannot execute the specified program.

The process cannot access the file because it is being used by another process.

the "system defender" is preventing any other antiviral program from functioning it seems.

thank you for your help.

dadbug


The Malware Fighter will reply and have a look at the removal of the illegal Software...

...but 11 seconds for the Deep Scan of just 188 files

Scan type: Deep Scan

Objects: Memory, Traces, Cookies, C:\, F:\

Scan start: 11/21/2009 10:56:09 PM

Scanned

Files: 188

Processes: 9

Scan end: 11/21/2009 10:56:20 PM

Scan time: 0:00:11

That's something really "new"...


Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1

Link 2

Link 3

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouseclick combofix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

-----------------------------------------------------------

Attach fresh logs for:

  • ComboFix (C:\combofix.txt)
  • a-squared Free/Anti-Malware
  • ISeeYouXP
  • HiJackFree

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


You are using MsConfig to prevent several items from loading at Windows start. MsConfig is a diagnostic tool, and is not intended to be used in the manner you are using it. Enable everything you used MsConfig to disable. If you are receiving error messages related to these items at system start, we can fix this without using MsConfig.

-----------------------------------------------------------

Using Add or Remove Programs in the Control Panel, uninstall the following:

J2SE Runtime Environment 5.0 Update 12

-----------------------------------------------------------

Download Avenger from HERE and unzip to your desktop.

  • Run Avenger
  • Read the prompt that appears, and press OK
  • Copy & paste the following text in Input script Box:
    Files to delete:
    c:\documents and settings\yong\application data\microsoft\internet explorer\quick launch\system defender.lnk
    c:\documents and settings\yong\application data\system defender\instructions.ini
    c:\documents and settings\all users\application data\wsddsys\wsd.cfg
    C:\WINDOWS\temp\6a423fed-613d-4320-9c4d-392aacd734b0.tmp
    
    Folders to delete:
    c:\documents and settings\all users\application data\wsddsys
    c:\documents and settings\yong\application data\system defender
    
    Registry keys to delete:
    HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}


    Then click "Execute".

  • You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  • Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

-----------------------------------------------------------

a-squared Free - Version 4.5
Last update: 11/21/2009 10:39:52 PM

You are scanning with out-dated definitions for a-squared Free. Update a-squared Free.

-----------------------------------------------------------

Attach fresh logs for:

  • Avenger (C:\avenger.txt)
  • a-squared Free/Anti-Malware
  • ISeeYouXP

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


ok. here are the new logs.


Download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    atapi.sy?


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Attach this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


ok.

here it is.


Open notepad

Copy and Paste the below lines of code to notepad:

@echo off
copy C:\WINDOWS\ServicePackFiles\i386\atapi.sys c:\atapi.sys

Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your Desktop.

Double-click on fixes.bat to execute it.

-----------------------------------------------------------

Run Avenger

  • Read the prompt that appears, and press OK
  • Copy & paste the following text in Input script Box:
    Files to delete:
    C:\WINDOWS\system32\drivers\atapi.sys
    
    Files to move:
    C:\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys


    Then click "Execute".

  • You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  • Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

-----------------------------------------------------------

Post fresh logs for:

  • Avenger (C:\avenger.txt)
  • a-squared Free

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

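A verification check a practitioner would want around the atapi.sys replacement in the post above, added here as an example and not part of the thread: a PowerShell script that compares the installed driver with the Service Pack copy by size, file version and SHA-256, so you can confirm the swap took effect after the reboot. It assumes the Windows XP default paths quoted in the post.

```powershell
# Added example, not from the thread: verify atapi.sys against the Service Pack copy.
# Assumes the Windows XP default paths quoted in the post above.
$installed = 'C:\WINDOWS\system32\drivers\atapi.sys'
$reference = 'C:\WINDOWS\ServicePackFiles\i386\atapi.sys'

function Get-Sha256Hex([string]$Path) {
    # .NET hashing rather than Get-FileHash, which does not exist on XP-era PowerShell
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Describe-Driver([string]$Path) {
    $item = Get-Item -LiteralPath $Path
    New-Object PSObject -Property @{
        Path    = $Path
        Size    = $item.Length
        Version = $item.VersionInfo.FileVersion
        Sha256  = Get-Sha256Hex $Path
    }
}

foreach ($p in @($installed, $reference)) {
    if (-not (Test-Path -LiteralPath $p)) { Write-Error "Missing file: $p"; exit 1 }
}

$a = Describe-Driver $installed
$b = Describe-Driver $reference
$a, $b | Format-List Path, Size, Version, Sha256

# XP drivers are catalog-signed, so an embedded Authenticode check tells you nothing here;
# the useful test is whether the installed file is byte-identical to the Service Pack copy.
if ($a.Sha256 -eq $b.Sha256) {
    'OK: installed atapi.sys is identical to the Service Pack copy.'
} else {
    # A mismatch means the installed driver was modified or comes from a later hotfix;
    # compare the version fields printed above before treating it as patched.
    'MISMATCH: installed atapi.sys differs from the Service Pack copy.'
}
```

Run it once before the Avenger script to record the hashes, and once after the reboot to confirm the installed file now matches the reference.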

ok.


the computer seems to be running fine. no problems except that avg antiviral program keeps alerting me that C:\Avenger\atapi.sys has a trojan horse BackDoor.Generic12.LZF. other than that, no problems. if i purchase the A squared antimalware program, would i be protected against such attacks in the future? so many programs state that they protect, but do not seem to do so well.

dadbug


Any security vendor is going to tell you that their software will protect your computer across the entire range of threats. When in reality, well written malware is designed to bypass security software and avoid detection. It's a game of cat and mouse and the good guys are in reactive mode.

a-squared Anti-Malware is a very good application with high detection rates, and probably the best proactive protection on the market. However, the application has its limitations just like any other application. There is only so much a software application can do to protect your system and still leave it usable.

In my experience it is a user's habits that determine how quickly and/or how often a system becomes infected. As long as you take adequate steps to protect your system and have good computing habits, it is difficult to infect a system.

-----------------------------------------------------------

Unless you are having problems from Malware it is time to do the final steps.

If you used ComboFix, uninstall ComboFix:

  • Click START then RUN and enter the below into the run box and then click OK. (Use only the command of the same name as your copy of combofix.)
  • AvoidTDSS /uninstall or combofix /uninstall or Combo-Fix /uninstall
    Note: The space before /uninstall, must be there. Which command you use depends on if I had you rename ComboFix during download.
    This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete everything in C:\!KillBox (If I didn't have you use KillBox, then this won't be present)

Delete the following from your Desktop (If they exist)

  • Avenger.exe
  • Avenger.txt
  • Avenger.zip
  • CFscript.txt
  • dds.scr
  • dds.pif
  • DisableAutoRuns.reg
  • fixes.bat
  • FixMe.reg
  • FixReg.reg
  • ISeeYouXP.exe
  • ISeeYouXP.lnk
  • ISeeYouXP.txt
  • Win32kDiag.exe
  • Win32kDiag.txt
  • Anything else I had you use

Delete the following files: (If they exist)

  • C:\Avenger.txt
  • C:\ComboFix.txt

Delete the following folders: (If they exist)

  • C:\Avenger
  • C:\AvoidTDSSS
  • C:\ComboFix
  • C:\SDFix
  • C:\Qoobox

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Empty the Recycle Bin

Run CCleaner

Turn off System restore to flush all your restore points then turn system restore back on.

To manually turn off System Restore, follow these steps:

1. Click Start, right-click My Computer, and then click Properties.

2. Click the System Restore tab.

3. Click to select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

4. Click Yes when you receive the prompt to turn off System Restore.

To turn on System Restore, follow these steps:

1. Click Start, right-click My Computer, and then click Properties.

2. Click the System Restore tab.

3. Click to clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

Delete C:\ISeeYouXP

Run Windows Update and update your Windows Operating System.

Run the Secunia Online Software Inspector; this will inspect your system for software that is out-of-date and in need of updating. Update any program/application detected as being out-dated.

That should take care of everything.

Safe Surfing!


Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread
