3 Replies Latest reply on Dec 5, 2010 9:13 PM by mn_finch

    Unknown/Trojan32

      Whenever I try to access Internet Explorer a pop-up opens - "Microsoft Security Alert/Unknown Trojan32 ... with options to Clean Computer, Scan..etc". Same popup shows if I try to bring up registry (regedit).

       

      Ran a McAfee scan that reported the following:

      McAfee security center - Reports and Logs show: "System Guards have blocked a one-time change to your computer"

      Details:

      Spyware, adware and other potentially unwanted programs can make registry changes to the Winlogon Shell, allowing other programs to replace win Explorer.

       

      Rule Type: Registry

      Process: C:\Documents and Settings\Yasmin\Local Settings\Temp\od2j8tw7.exe \S-1-5-21-1659004503-436374069-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ShellC:\Documents and Settings\Yasmin\Application Data\hotfix.exe

       

      Currently running the stinger from McAfee - ran once in Low Sensitive mode w Repair option enabled. Now runnign in High sensitive mode w Report Only enabled.

       

      Would you please suggest what else do I need to do?

        • 1. Re: Unknown/Trojan32
          Hayton

          I think something's infected your PC for sure, but that warning message is unlikely to be from Microsoft. Whatever it is, you're being blocked from using IE, so if you've got another browser installed I'd try using that instead and see if you get the same message.

           

          As for the Stinger, that is focussed on a small group of (presumably currently high-risk) malware infections and might not detect whatever's on your PC. I would have advised you to run a McAfee scan, but you say you've run one already? If it was only a Quick Scan then check you've got the latest McAfee updates and run a Full Scan.

           

          There is a tool, Getsusp, which might be useful because it works by a process of eliminating known programs and processes and examining whatever's left over for signs of infection (at least, that's how I understand it works). You have to join the Getsusp group and ask for assistance, because the tool is not yet on general release.

           

          If that doesn't find whatever it is, there are some very powerful tools around which you should only use under the direction of someone who is expert in their use. Ex_Brit has details of these tools, and where to go for assistance in using them. One day perhaps I will be qualified to help you with them, but I'm not at that stage yet, so if you need to use them I'll flag this for his attention and he'll tell you where to go next.

          • 2. Re: Unknown/Trojan32
            Hayton

            Update : sorry, I ought to have spotted this one at once. This one is the fake Microsoft Security Essentials Alert Trojan, which will attempt to fool you into paying for one of 5 fake anti-virus programs (which are all the same, except for the names and user interface) :

            • Red Cross Antivirus
            • Peak Protection 2010
            • Pest Detector 4.1
            • Major Defense Kit
            • ThinkPoint
            • AntiSpySafeguard or AntiSpy Safeguard

             

            'ThinkPoint infection' posts were very common here a few weeks back.

             

            Don't click on anything in these pop-up messages, don't install anything they try to foist on you.

             

            Have you access to the internet at all, from this or another PC? There are details of how to get rid of this infection at

            http://www.bleepingcomputer.com/virus-removal/remove-fake-microsoft-security-ess entials-alert

            but if you can't access the web I can send you the relevant page by email. Let me know if you'd rather have the removal details emailed to you, but don't put your email address in a post on the forum - send it in a PM (private message) by clicking on 'Your Stuff' and selecting 'Private Messages'.

            • 3. Re: Unknown/Trojan32

              Thank you so much . This is the exact solution.

               

              I ran 'net pause winmgmt' and then stinger.exe that might have restored IE access - everything seemed fine. Getsusp did not identify the bad files either. After running mbam 4 bad files were identified and deleted.

               

              Hope nothing else is lurking somewhere.