Need help on a Virus / Trojan

SME

My laptop is infected with a Virus / Trojan. Can some one identify it and
help me remove it. This is what it has done:

1. It replaced the wallpaper with one advertizing itself. Even if I replace
it, it comes back when I reboot the system.
2. It installed a screen saver, which on activation takes a snapshot of the
desktop and some bugs keep eating it away. I think this repeats every few
minutes, since I will have to move the mouse several times before I get the
current desktop.
3. It cleared all previous system restore points. So I can't restore to a
previous good state.
4. The "Desktop" and "Screen Saver" tabs in the Display Properties window
have been removed. So I can't disable the wallpaper and the screen saver.
5. I do have McAfee provided by Comcast. Once my system is infected, I did a
manual scan and found nothing unusual. But even it was not able to clear
Internet Temp files. It crashes when this is attempted. I found a file in
internet temp directory with a name that looks like some script. But the
McAfee warned me of a program ".tt20.tmp" accessing internet and I didn't
grant permission.
6. When my system was infected, it actually installed a program called
"Malware Protector". It appears there was no choice but install it when it
pops up a window, since even if you say NO, it does what it want to do. It
provided no option to uninstall. So I removed it from "Add / Remove
Programs" of Control Panel. Then only I realized that my wallpaper and
screen saver have been set (originally I didn't have any wallpaper and
screen saver). This Malware Protector was asking to pay up $49 or so to
PROTECT MY COMPUTER. That was on June 8th.
7. Yesterday, on June 9th, it installed another program called "Advanced XP
Defender". So now I have disconnected this machine from rest of my home
network and from internet.

Am I the only one affected by this? How old is this Virus / Trojan (I found
a reference to one that encrypted all files and ask for the ransom)? Any
remedy other than restoring the system from OEM's restore disk? If it is a
old one, why McAfee couldn't protect me from this?

ThanQ...

Daave

SME wrote:
> My laptop is infected with a Virus / Trojan. Can some one identify it
> and help me remove it. This is what it has done:
>
> 1. It replaced the wallpaper with one advertizing itself. Even if I
> replace it, it comes back when I reboot the system.
> 2. It installed a screen saver, which on activation takes a snapshot
> of the desktop and some bugs keep eating it away. I think this
> repeats every few minutes, since I will have to move the mouse
> several times before I get the current desktop.
> 3. It cleared all previous system restore points. So I can't restore
> to a previous good state.
> 4. The "Desktop" and "Screen Saver" tabs in the Display Properties
> window have been removed. So I can't disable the wallpaper and the
> screen saver. 5. I do have McAfee provided by Comcast. Once my system
> is infected,
> I did a manual scan and found nothing unusual. But even it was not
> able to clear Internet Temp files. It crashes when this is attempted.
> I found a file in internet temp directory with a name that looks like
> some script. But the McAfee warned me of a program ".tt20.tmp"
> accessing internet and I didn't grant permission.
> 6. When my system was infected, it actually installed a program called
> "Malware Protector". It appears there was no choice but install it
> when it pops up a window, since even if you say NO, it does what it
> want to do. It provided no option to uninstall. So I removed it from
> "Add / Remove Programs" of Control Panel. Then only I realized that
> my wallpaper and screen saver have been set (originally I didn't have
> any wallpaper and screen saver). This Malware Protector was asking to
> pay up $49 or so to PROTECT MY COMPUTER. That was on June 8th.
> 7. Yesterday, on June 9th, it installed another program called
> "Advanced XP Defender". So now I have disconnected this machine from
> rest of my home network and from internet.
>
> Am I the only one affected by this? How old is this Virus / Trojan (I
> found a reference to one that encrypted all files and ask for the
> ransom)? Any remedy other than restoring the system from OEM's
> restore disk? If it is a old one, why McAfee couldn't protect me from
> this?

http://www.bleepingcomputer.com/malw...eprotector2008

http://www.bleepingcomputer.com/malw...ed-xp-defender

Also, please read:

http://www.elephantboycomputers.com/...iruses_Malware

David H. Lipman

From: "SME" <smelchuri@hotmail.com>

| My laptop is infected with a Virus / Trojan. Can some one identify it and
| help me remove it. This is what it has done:
|
| 1. It replaced the wallpaper with one advertizing itself. Even if I replace
| it, it comes back when I reboot the system.
| 2. It installed a screen saver, which on activation takes a snapshot of the
| desktop and some bugs keep eating it away. I think this repeats every few
| minutes, since I will have to move the mouse several times before I get the
| current desktop.
| 3. It cleared all previous system restore points. So I can't restore to a
| previous good state.
| 4. The "Desktop" and "Screen Saver" tabs in the Display Properties window
| have been removed. So I can't disable the wallpaper and the screen saver.
| 5. I do have McAfee provided by Comcast. Once my system is infected, I did a
| manual scan and found nothing unusual. But even it was not able to clear
| Internet Temp files. It crashes when this is attempted. I found a file in
| internet temp directory with a name that looks like some script. But the
| McAfee warned me of a program ".tt20.tmp" accessing internet and I didn't
| grant permission.
| 6. When my system was infected, it actually installed a program called
| "Malware Protector". It appears there was no choice but install it when it
| pops up a window, since even if you say NO, it does what it want to do. It
| provided no option to uninstall. So I removed it from "Add / Remove
| Programs" of Control Panel. Then only I realized that my wallpaper and
| screen saver have been set (originally I didn't have any wallpaper and
| screen saver). This Malware Protector was asking to pay up $49 or so to
| PROTECT MY COMPUTER. That was on June 8th.
| 7. Yesterday, on June 9th, it installed another program called "Advanced XP
| Defender". So now I have disconnected this machine from rest of my home
| network and from internet.
|
| Am I the only one affected by this? How old is this Virus / Trojan (I found
| a reference to one that encrypted all files and ask for the ransom)? Any
| remedy other than restoring the system from OEM's restore disk? If it is a
| old one, why McAfee couldn't protect me from this?
|
| ThanQ...
|



1. Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en...HJTInstall.exe

2. Disable Notepad's word wrap:
In Notepad.exe; Format --> uncheck; "Word wrap"

3. Download/run Deckard's System Scanner:
http://www.techsupportforum.com/sect...eckard/dss.exe

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post in one of the below
expert forums...


{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }

Forums where you can get expert advice for HiJack This! (HJT) and Deckard's System Scanner
Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/i...hp?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/...splay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malwa..._Here-f37.html
http://gladiator-antivirus.com/forum...?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/...p?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp