
Total Security 2009 [Rogue-ware Can't Remove]


MagicHunter


Hello everyone,

 

My brother's computer somehow got this rogue anti-spyware, Total Security, and he said he did not install it manually.

 

I have read a lot of threads about this program and how to remove it; however, it seems like this rogue anti-spyware program has improved itself :sad:

All the information I found online that teaches how to remove this program is outdated. The process is no longer "tsc.exe" or "Sc2C21UvvM.exe", but a bunch of random numbers such as "12728434.exe".

 

Every time I remove it, it somehow regenerates again from somewhere. (I also downloaded Spyware Doctor and Windows Defender, still no use.)

 

 

I have done a full scan with IObit Security 360 as well as Malwarebytes Anti-Malware.

Here are 2 IObit Security 360 reports:

 

Report 1:

IObit Security 360

 

OS:Windows XP

Version:0.4.0.20

Define Version:1133

Time Elapsed:2009/8/23 下午 02:48:26

Objects Scanned:56275

Threats Found:6

 

| Name | Type | Description | ID |
|---|---|---|---|
| Misleading.TotalSecurity | Folder | C:\Documents and Settings\PowerUser\「開始」功能表\程式集\Total Security | 3-3170 |
| Misleading.TotalSecurity | File | C:\Documents and Settings\PowerUser\「開始」功能表\程式集\Total Security\Total Security 2009.lnk | 3-3170 |
| Tracking Cookies | Cookies | http://fast-update.com/p/exe.txt | 7-1775 |
| Backdoor.Bot | Registry Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Value=Taskman | 4-27415 |
| Misleading.SystemSecurity | Registry Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009 | 4-30925 |
| Misleading.SystemSecurity | File | C:\Documents and Settings\PowerUser\Local Settings\Temporary Internet Files\Content.IE5\M80O260E\install[2].exe | 12-1464 |

 

Report 2:

IObit Security 360

 

OS:Windows XP

Version:0.4.0.20

Define Version:1133

Time Elapsed:2009/8/23 下午 04:08:04

Objects Scanned:70624

Threats Found:3

 

| Name | Type | Description | ID |
|---|---|---|---|
| Backdoor.Bot - Removed | Registry Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Value=Taskman | 4-27415 |
| Win32.Aliser - Quarantined | File | C:\Program Files\MSN\MSNCoreFiles\dw.exe | 12-802 |
| Misleading.SystemSecurity - Quarantined | File | C:\Documents and Settings\PowerUser\Local Settings\Temp\354.exe | 12-1464 |


And here are 2 Malwarebytes Anti-Malware reports:

 

Report 1:

Malwarebytes' Anti-Malware 1.40

Database version: 2682

Windows 5.1.2600 Service Pack 3

 

2009/8/23 下午 09:56:05

mbam-log-2009-08-23 (21-56-05).txt

 

Scan type: Quick Scan

Objects scanned: 93191

Time elapsed: 5 minute(s), 25 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 2

Files Infected: 4

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\systemsecurity2009 (Rogue.TotalSecurity) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\10519064 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11877034 (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11177344 (Rogue.Multiple) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

C:\Documents and Settings\PowerUser\「開始」功能表\程式集\Total Security (Rogue.TotalSecurity) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\10519064 (Rogue.Multiple) -> Quarantined and deleted successfully.

 

Files Infected:

C:\Documents and Settings\All Users\Application Data\10519064\10519064 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\10519064\10519064.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\10519064\pc10519064ins (Rogue.Multiple.H) -> Quarantined and deleted successfully.

C:\Documents and Settings\PowerUser\「開始」功能表\程式集\Total Security\Total Security 2009.lnk (Rogue.TotalSecurity) -> Quarantined and d

 

Report 2:

Malwarebytes' Anti-Malware 1.40

Database version: 2682

Windows 5.1.2600 Service Pack 3

 

2009/8/24 下午 04:41:00

mbam-log-2009-08-24 (16-41-00).txt

 

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 173434

Time elapsed: 1 hour(s), 46 minute(s), 58 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12728434 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\Documents and Settings\All Users\Application Data\12728434\12728434 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\12728434\12728434.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\12728434\pc12728434ins (Rogue.Multiple.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\04FBE1\RegEx.fnr (Worm.AutoRun) -> Quarantined and deleted successfully.


I have attached a HijackScan log due to the word limit on the forum~

 

(I have checked "O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [12728434] C:\Documents and Settings\All Users\Application Data\12728434\12728434.exe" and removed it.)

 

And here's the rogue-ware file (I think; it's not the whole thing):

hxxp://www.mediafire.com/?wrdmzn5zunh

I have uploaded it to MediaFire due to the attachment size limit on the forum.

 

Lastly, here's the zip file scan report from VirusTotal.com:

VirusTotal

File 12728434.zip received on 2009.08.27 15:56:45 (UTC)

Current status: finished

Result: 17/41 (41.47%)

HijackScan.zip


Please fix these items

 

C:\WINDOWS\system32\FC5702\CCDB99.EXE

 

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [12728434] C:\Documents and Settings\All Users\Application Data\12728434\12728434.exe

 

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [CCDB99] C:\WINDOWS\system32\FC5702\CCDB99.EXE

 

O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [Added by Trojan] C:\WINDOWS\system\spool\spoolsv.exe

 

You may also use the Unlock & Delete function of IS 360 RC if HijackScan should fail to delete C:\WINDOWS\system32\FC5702\CCDB99.EXE

 

You may also use RegAssassin to completely delete compromised registry entries.

 

Please uninstall Adobe Reader 7.0 which is obsolete and vulnerable, and install Adobe Reader 9.1 and update immediately to v 9.1.3.

 

In order to be sure that the rogue has been completely removed, please download to your desktop

 

SmitFraudFix from HERE

 

Please read carefully before proceeding (it works with Vista too)

 

Warning:

 

process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/processutil/processutil.htm

 

Hope it helps

[EDIT to say] Win32.Aliser - Quarantined, File, C:\Program Files\MSN\MSNCoreFiles\dw.exe, is a false positive detection by IObit Security 360 RC.

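The entries the two posters are trading above share a pattern that a defender can check for mechanically: Run values named with a long run of digits or a hex blob, an executable sitting in a folder of the same random name under All Users\Application Data or system32, a system binary name (spoolsv.exe) living outside system32, and a Winlogon Taskman value that a clean XP install does not have. The script below is an added example written for this page; it is not code from either poster or from IObit. It parses HijackScan-style O4 lines in the format quoted in the thread and checks a Winlogon value set against XP defaults. The O4 lines and Winlogon values are constructed sample input modelled on the logs above; the two benign entries (Adobe Reader, MSN Messenger) are made up so the triage has something to leave alone, and the XP defaults assume a standard C:\WINDOWS install.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample input, modelled on the O4 lines quoted in the thread. The Adobe
# and MSN Messenger entries are invented benign controls, not from the original logs.
SAMPLE_O4_LINES = [
    r"O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [12728434] C:\Documents and Settings\All Users\Application Data\12728434\12728434.exe",
    r"O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [CCDB99] C:\WINDOWS\system32\FC5702\CCDB99.EXE",
    r"O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [Added by Trojan] C:\WINDOWS\system\spool\spoolsv.exe",
    r'O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"',
    r'O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background',
]

# Constructed Winlogon values: XP defaults plus the Taskman value IS360 flagged in the thread.
SAMPLE_WINLOGON = {
    "Shell": "Explorer.exe",
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,",
    "Taskman": r"C:\Documents and Settings\All Users\Application Data\12728434\12728434.exe",
}

# "O4 - <hive>|\<key path>\: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\|\\(.+?)\\: \[(.+?)\] (.+)$")
# First .exe path in a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?([^"]+?\.exe)', re.IGNORECASE)
ALL_DIGITS_RE = re.compile(r"^\d{6,}$")
# Hex blob of 6+ chars that mixes digits and letters, e.g. FC5702 or CCDB99.
HEX_BLOB_RE = re.compile(r"^(?=.*\d)(?=.*[A-Fa-f])[0-9A-Fa-f]{6,}$")
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe", "services.exe"}
SYSTEM32 = r"c:\windows\system32\\".rstrip("\\") + "\\"

# Defaults assume a standard C:\WINDOWS install; Taskman is absent on a clean XP system.
XP_WINLOGON_DEFAULTS = {"Shell": "explorer.exe", "Userinit": r"c:\windows\system32\userinit.exe,"}


def looks_random(token: str) -> bool:
    """True for a long digit run or a hex blob, the naming style seen in the thread."""
    return bool(ALL_DIGITS_RE.match(token) or HEX_BLOB_RE.match(token))


def command_to_exe(command: str) -> str:
    """Strip quotes and trailing arguments from a Run command line."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else command.strip()


def triage_run_entry(name: str, command: str) -> List[str]:
    """Return the reasons (if any) a Run value deserves a second look."""
    exe_path = command_to_exe(command)
    parent = ntpath.basename(ntpath.dirname(exe_path))
    stem = ntpath.splitext(ntpath.basename(exe_path))[0]
    reasons = []
    if looks_random(name):
        reasons.append("random-looking value name")
    if looks_random(parent):
        reasons.append("executable lives in a random-looking folder")
    if looks_random(stem) and stem.lower() == parent.lower():
        reasons.append("folder and executable share the same random name")
    if ntpath.basename(exe_path).lower() in SYSTEM_BINARIES and not exe_path.lower().startswith(SYSTEM32):
        reasons.append("system binary name outside system32")
    return reasons


def triage_o4_lines(lines: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious Run value name to its reasons; benign entries are dropped."""
    flagged = {}
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue  # not an O4 line; other HijackScan sections are out of scope here
        _hive, _key_path, name, command = m.groups()
        reasons = triage_run_entry(name, command)
        if reasons:
            flagged[name] = reasons
    return flagged


def triage_winlogon(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag a Taskman value and any Shell/Userinit that departs from the XP default."""
    findings = []
    if "Taskman" in values:
        findings.append(("Taskman", "absent on a clean XP install; anything here runs at logon"))
    for key, default in XP_WINLOGON_DEFAULTS.items():
        actual = values.get(key, "").strip().lower()
        if actual != default:
            findings.append((key, f"expected {default!r}, found {values.get(key)!r}"))
    return findings


if __name__ == "__main__":
    for name, reasons in triage_o4_lines(SAMPLE_O4_LINES).items():
        print(f"[{name}] " + "; ".join(reasons))
    for key, why in triage_winlogon(SAMPLE_WINLOGON):
        print(f"Winlogon\\{key}: {why}")
```

Run against the sample, the three entries leofelix lists are flagged and the two invented benign ones are not; the Winlogon check reports only Taskman, because Shell and Userinit match the XP defaults. The heuristics are deliberately narrow (the name patterns and locations seen in this thread), so treat a hit as something to inspect, not as proof of infection.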

Thank you, both of you! ^^

 

I downloaded SUPERAntiSpyware as well as Avira AntiVirus,

and also removed that hijack stuff =)

and did everything you said in your post.

 

It seems to be clear now~~

No more Total Security opening up on startup

 

 

Thanks guys!! :grin:


Hello leofelix,

 

That is actually my dad's computer, but my younger brother's using it for this summer. (We came back to Taiwan to visit)

My dad does not know ANYTHING about computers, the only thing he does on there is use webcam chat with me. (My brother and I are in Canada)

I have set it up to make sure MSN auto-starts and logs in.

 

The reason I don't have any antivirus is because my dad's computer only has 256 RAM o.o and I dunno what I should get for low-memory-usage security.

Do you have any recommendations? =)

 

Hi Magic[Hunter]

Glad to know you could solve it :smile:

 

If I were you I would add a personal firewall to your brother's defense arsenal, or at least a HIPS (Like ThreatFire free, I mean)

 

Cheers


Hi Magic[Hunter]

enoskype (and Raymond indirectly) gave you the right answer:

Avira AntiVir free :)

-------

 

I have a friend who lives in Spain and she doesn't understand anything about computers (but she is so lovely :mrgreen:), her old laptop has Win XP Home - 20 GB HDD and 256 RAM.

I suggested that she install and use Avira, which is very light in memory usage and is available in Spanish too.

Avira + Windows Firewall turned on and a system fully up to date work well enough.

cheers
