GeekPolice Tech Tutorials

 


can I delete System Security from XP system

My Windows XP SP2 had System Security installed on it when I visited a YouTube site. I lost control of my computer & I can't open any program. By the way, my XP is protected by the antivirus software CA. They showed a lot of things, warning me a lot. I cannot use my computer even though I restarted it. So I registered System Security & paid by credit card. Then my computer is back. I can change its settings & forbid it to start with Windows. But I got other problems.

1. When I start my computer, it always shows me MEMCHECK.EXE as a problem before I log in to my account.

2. After I log in, it seems everything looks fine. But I can't print anything from Outlook Express, Word, Excel, etc. My printer always prints blank paper. Just one time, I printed 2 pages of an Excel file: the first page was blank & the second page was OK. I tried switching to the Administrator account, and printing works. By the way, my account also has admin privilege.

3. My computer is connected to the company server, so I can use our software to check our stock or some info. Before System Security invaded, it worked properly. But now, it still works & would close suddenly. Just several minutes. But I don't have a similar problem with IE or Excel, etc.

I called System Security & cancelled it. They said I can delete it from www.systemsecurityonline.com & there is a file wscleaner.exe. I can use it to uninstall System Security. But I used it & it loaded System Security to the system & nothing happened. So they told me I had to wait for 2 business days.

Please let me know if I have to wait for those two days, or if I can use your suggested software to remove it thoroughly. Can I get my printing & our software working properly? Thanks for the help.

I am using my personal computer to post this, so some info I gave is not exactly as I saw it today. I just want you to know what happened & what my present problem is. Hope you can help me out. Thanks

one more question

Can I install your suggested software on my laptop? It has Win2000 installed & is protected by Kaspersky 6.0.2.671. Could it be a guard for preventing malware or spyware? Thanks

Re: can I delete System Security from XP system

Don't phone them ever again, or use anything they give you, it's all fake.

Please download Ice Sword from HERE

  1. Download the zip to your desktop and extract it.
  2. Open the Ice Sword folder and then launch IceSword.exe.
  3. Then look in the left hand bottom of the program and press "Registry"
  4. When the registry list opens, drag the line between the two windows so you can see which registry hive you need.
  5. Next, open the HKEY_LOCAL_MACHINE, and navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  6. Now look in the right side pane for two run values that are just random numbers.
  7. Once you have found the value(s), right click it and press "Delete"
  8. Okay the prompt and close IceSword.

I will come back

Thank you very much. I will follow your instructions on Monday & come back to you. I extracted the Ice Sword zip file & found another zip file, "cooperator", in it. Do I have to unzip it as well? Anyway, I tried icesword.exe on my personal computer & it works. Hope it can help my work computer.

By the way, I want to delete this fake from XP thoroughly. Do you think smitfraudfix would be helpful?

Re: can I delete System Security from XP system

No, you don't need to unzip the cooperator.
Smitfraudfix does target this, but it is useless, because it would be blocked right now.

IceSword is the only tool that I have found that isn't found by the malware yet.

ice sword

I did it as you instructed, but I did not find any random numbers there. When I start Ice Sword, it shows me the following:

IOComplete request was hooked (=>847a3baa), restore now.

I pressed OK & IceSword started. At HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, it shows me the following:

(Default) REG_SZ (value not set)
AdminWorks Tray REG_SZ "C:\Acer\LANScope Agent\awtray.exe"
Alcmtr REG_SZ ALCMTR.EXE
IMEKRMIG6.1 REG_SZ C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
IMJPMIG8.1 REG_SZ "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
installnet.exe REG_SZ "C:\Acer\LANScope Agent\Installnet.exe" "C:\Acer\LANScope Agent\
MSPY2002 REG_SZ C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
net REG_SZ "C:\WINDOWS\system32\net.net"
PHIME2002A REG_SZ C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
PHIME2002ASync REG_SZ C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
Realtime Monitor REG_SZ "C:\Program Files\CA\eTrustITM\realmon.exe" -s
RemoteControl REG_SZ "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
RTHDCPL REG_SZ RTHDCPL.EXE
SiSPower REG_SZ Rundll32.exe SiSPower.dll,ModeAgent
SunJavaUpdateSched REG_SZ C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

At HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, there's a sub-dir named Optionalcomponents. It also has three sub-dirs, IMAIL, MAPI and MSFS, as follows:

IMAIL (DEFAULT)
INSTALLED 1 (IT IS DATA)
MAPI (DEFAULT)
INSTALLED 1 (IT IS DATA)
NOCHANGE 1 (IT IS DATA)
MSFS (DEFAULT)
INSTALLED 1 (IT IS DATA)

I even tried smitfraudfix. But it could be not in Safe Mode. Please let me know what I can do now? Thanks

Re: can I delete System Security from XP system

Hello.
Use IceSword again, go to the same Run key, and delete the "net" value, this one:

net REG_SZ "C:\WINDOWS\system32\net.net"

To delete, highlight "net" and right click, select delete.

Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

HJT

I already deleted net.net from registry. But I can not start HJTinstall. What can I do? Thanks

Re: can I delete System Security from XP system

Can you try renaming the installer?

Re: can I delete System Security from XP system

I could rename it. But it could not be started & installed. What name do I have to use?

Re: can I delete System Security from XP system

It's already installed. Please check the following:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:45 AM, on 6/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\LANScope Agent\awtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Acer\LANScope Agent\LockKM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ycomp/defaults/sp/*http://ca.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kbctools.com/can/main.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.ca.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.ca.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ycomp/defaults/su/*http://ca.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://en.ca.acer.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [installnet.exe] "C:\Acer\LANScope Agent\Installnet.exe" "C:\Acer\LANScope Agent\
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKCU\..\Run: [EPSON Stylus CX4400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAA.EXE /FU "C:\DOCUME~1\USER1\LOCALS~1\Temp\E_SC.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1239205886890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1244737463937
O17 - HKLM\System\CCS\Services\Tcpip\..\{BCED07BB-62BB-4239-B92A-9380A4066C90}: NameServer = 204.50.251.17,201.107.254.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFA6B775-0E90-4FFF-BC04-A6B99288DB53}: NameServer = 204.50.251.17,201.107.254.9
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 6545 bytes

Re: can I delete System Security from XP system

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKCU\..\Run: [net] "C:\WINDOWS\system32\net.net"


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.
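
The triage done in this thread, picking the odd `net` autorun out of a list of legitimate Run entries, as an added example that is not part of the original posts: a Python sketch that parses HijackThis `O4` Run lines and flags entries whose value name is only digits (the "random numbers" the helper describes) or whose target lacks a common executable extension (as with `net.net`). The extension list, the function names and the all-digit sample entry are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample: O4 lines taken from the HijackThis log in this thread,
# plus one made-up all-digit entry to show the "random numbers" case.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKLM\..\Run: [84720193] C:\EXAMPLE\84720193.exe
'''

O4_RUN = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$')
# Assumed list of extensions a Run entry normally points at (heuristic only).
EXEC_EXTS = {'.exe', '.com', '.bat', '.cmd', '.scr', '.pif'}
EXE_PREFIX = re.compile(r'^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)', re.I)


def target_of(command):
    """Return the program path at the start of a Run-key command line."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = EXE_PREFIX.match(command)  # unquoted paths may contain spaces
    return m.group(1) if m else command.split()[0]


def review_run_entries(log_text):
    """Return (hive, value_name, target, reasons) for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        hive, name, command = m.groups()
        target = target_of(command)
        ext = ntpath.splitext(target)[1].lower()
        reasons = []
        if name.isdigit():
            reasons.append('value name is only digits')
        if ext not in EXEC_EXTS:
            reasons.append(f'target extension {ext!r} is not an executable type')
        if reasons:
            findings.append((hive, name, target, reasons))
    return findings


if __name__ == '__main__':
    for hive, name, target, reasons in review_run_entries(SAMPLE_LOG):
        print(f'{hive} Run [{name}] -> {target}: ' + '; '.join(reasons))
```

A flagged entry is a prompt for manual review, not a verdict: a legitimate program can have an unusual value name, and a malicious one can use an ordinary `.exe` path.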

Re: can I delete System Security from XP system

Hijack is already fixed -04. I installed Malwarebytes' Anti-Malware as well. System is restarted but Malwarebytes' Anti-Malware can not be started. What can I do next?

Re: can I delete System Security from XP system

Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV. (Symantec)?
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: can I delete System Security from XP system

when I try to download, I get this

While trying to retrieve the URL: http://subs.geekstogo.com/ComboFix.exe
The content is blocked due to the following condition: The item you have requested is infected by a virus. It will not be downloaded.
Report: Pua.Hideexec
Your cache administrator is: glynch@lynch.ca
