ChatterBank0 min ago
I want to shoot somebody...
..in particular the b@st@rd who wrote the virus that's attacked my desktop!
Having got that off my chest, the story so far. A week or so ago I opened a picture that I'd found on Google Images. Something didn't seem quite right with the way it opened, so I closed it and thought no more of it. However, shortly afterwards, a thing I have called WinPatrol started telling me of something that wanted to go into my Startup. (I've already posted about this, thanks to those who helped then). It was something called wxlsjynn.exe.
I've tried to run Malwarebytes and BT's security package (McAfee), but they won't load. Nor can I download any other system protecting software.
I've now started the machine in Safe Mode and, lo and behold, both Malwarebytes and McAfee work!
I've scanned it using both at different times. They both find something, they both have deleted it but, when I reboot the machine, there it is back again!
The below is the result of a Malwarebytes scan I just did:
Vendor                        Category       Item
Rootkit.Agent                 File           C:\Documents and Settings\Local Settings\Temp\ejjaygd.sys
Rootkit.Agent                 Registry Key   HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service
PUM.Disabled.SecurityCenter   Registry Data  HKLM\SOFTWARE\Microsoft\Security Center\AntivirusDisableNotify  Bad [1] Good [0]
PUM.Disabled.SecurityCenter   Registry Data  HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify   Bad [1] Good [0]
PUM.Disabled.SecurityCenter   Registry Data  HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify    Bad [1] Good [0]
The mis-spelling of Microsoft in the second one is exactly how it appears.
It's driving me potty. Can anybody out there in AB Land help?
This is an eight year old Dell Dimension running XP and IE8.
Thanks for staying with me. And thanks in advance for any help you're able to give.
Regards
Answers
The PUM.Disabled.SecurityCenter bit is not a real problem - PUM stands for Potentially Unwanted Modification. Some antivirus programs turn off Security Centre notifications so that you don't get two messages when your preferred one is disabled or turned off (one from your preferred antivirus software and then another one from Security Centre itself).
Some nasties manage to hide themselves in a way that will let your antivirus or malware software find something, and delete what they find, but reinfect the machine on a reboot - no I don't know how it's done, but I had one like that a couple of years ago which also stopped me from getting access to a lot of the major security software websites and prevented me from accessing Task Manager even in the Admin user in safe mode.
So a few things to try. If you can get to the site in safe mode with networking, try the free Sophos scanner first; http://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx is the download site.
If that doesn't work, on a clean computer, download one or both of Kaspersky Rescue Disk (the link is http://support.kaspersky.com/viruses/rescuedisk) or the Avira Rescue Disk (download site is http://www.avira.com/en/download/product/avira-antivir-rescue-system/product/avira-antivir-rescue-system/product/avira-antivir-rescue-system - get the ISO rather than the exe), burn to a CD, then boot the infected computer from the CD and run a scan.
I haven't used the Kaspersky one, but if it needs to download updates before it scans the computer, let it do so. The Avira one is updated regularly, sometimes daily, and doesn't need to download any updates. If you really want to do a belt-and-braces job, do a scan with both of them, though that might be overkill.
If, after getting things cleaned up, you find that you can't access Task Manager, there is a program called RRT which will let you reset the permissions to that and a number of other things. The demo version is free (it has some restrictions, but should still let you reset the things you need to reset, or did when I last used it) and it will probably come up with some advertising to try and persuade you to buy the full version. The download site is http://www.sergiwa.com/modules/mydownloads/singlefile.php?cid=2&lid=1
If that lot doesn't work, I'm out of ideas for home-brew fixing!
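As an added example (not code from the question or from this answer), a small Python triage script for Malwarebytes result rows like the ones quoted in the question: it parses each row, ranks PUM entries as informational (as the answer explains) and Rootkit entries as critical, and flags service keys whose name is a near-miss of "Microsoft", like the "Micorsoft Windows Service" key above. The sample rows and the edit-distance threshold are my own construction.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample: the Malwarebytes rows quoted in the question above, with the row
# that was split across three lines ("Micors / oft / Windows Service") re-joined.
SCAN_LINES = [
    r"Rootkit.Agent File C:\Documents and Settings\Local Settings\Temp\ejjaygd.sys",
    r"Rootkit.Agent Registry Key HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service",
    r"PUM.Disabled.SecurityCenter Registry Data HKLM\SOFTWARE\Microsoft\Security Center\AntivirusDisableNotify Bad [1] Good [0]",
    r"PUM.Disabled.SecurityCenter Registry Data HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify Bad [1] Good [0]",
    r"PUM.Disabled.SecurityCenter Registry Data HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify Bad [1] Good [0]",
]
# vendor, category, item, then an optional "Bad [x] Good [y]" trailer on registry-data rows
ROW_RE = re.compile(r"^(?P<vendor>\S+)\s+(?P<category>Registry Data|Registry Key|File|Folder)\s+"
                    r"(?P<item>.+?)(?:\s+Bad \[(?P<bad>[^\]]*)\] Good \[(?P<good>[^\]]*)\])?$")

@dataclass
class Finding:
    vendor: str
    category: str
    item: str
    bad: Optional[str] = None
    good: Optional[str] = None

    def severity(self) -> str:
        # PUM = Potentially Unwanted Modification: a changed setting, not malware by itself
        if self.vendor.startswith("PUM."):
            return "informational"
        return "critical" if self.vendor.startswith("Rootkit.") else "review"

def parse_scan(lines: List[str]) -> List[Finding]:
    matches = (ROW_RE.match(line.strip()) for line in lines if line.strip())
    return [Finding(**m.groupdict()) for m in matches if m]

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance, two-row dynamic programming
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_services(findings: List[Finding], legit: str = "Microsoft", max_dist: int = 2) -> List[str]:
    # Service keys whose first word is almost, but not exactly, the legitimate vendor name
    hits = []
    for f in findings:
        if f.category == "Registry Key" and "\\Services\\" in f.item:
            first = f.item.rsplit("\\", 1)[-1].split()[0]
            if 0 < edit_distance(first.lower(), legit.lower()) <= max_dist:
                hits.append(first)
    return hits
```

Run on the sample rows, the two Rootkit.Agent entries come out critical, the three PUM entries informational, and "Micorsoft" is reported as a lookalike service name.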