WiredWX Christian Hobby Weather Tools
"Total Security" and/or "Personal Antivirus"
Hello.
A newbie here. My kids got this "Total Security" and/or "Personal Antivirus" on my laptop.
I've gone the Malwarebytes route, and the thing still manifests itself when I seek to confirm eradication.
I saw the warning against using other people's instructions for using potent removal software, so here I am....Help?!?...pleez? anyone?
Also, am I safe in the meanwhile to do my online banking? Thanks.

Re: "Total Security" and/or "Personal Antivirus"

Hi

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:


    :filefind
    scecli.dll
    netlogon.dll
    eventlog.dll
    winlogon.exe
    comres.dll
    crypt32.dll
    gpedit.dll
    rundll32.exe
    sfc.dll
    svchost.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Re: "Total Security" and/or "Personal Antivirus"

Thank You!

Here's the results:



Re: "Total Security" and/or "Personal Antivirus"

Hi

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: "Total Security" and/or "Personal Antivirus"

Thank You,

I will do so again, but as I indicated, I have done all of this; only the quick scan found the file (twice), but the folder/files were still found in C:/Program Files/(x86)/TS.
Also it was still listed in the "Programs and features" list.
(Attempting to uninstall or delete only has re-awakened it, and now Malwarebytes doesn't detect it anymore - at least not on the last attempt).
But I will re-download it and follow instructions to the tee, and get back.

Thanks again.

Re: "Total Security" and/or "Personal Antivirus"

Hi

Please use Internet Explorer and run a BitDefender Online scan from here.

  • Please check I agree with the Terms and Conditions and click Start Here
  • You will need to allow an ActiveX install for the scan to run.
  • Leave the scanning options at default and click Start Scan
Please post the results in your next reply.

Re: "Total Security" and/or "Personal Antivirus"

Hello,

Just returned to report the Malwarebytes results and found your last posting. Here are the Malwarebytes results after uninstalling Malwarebytes, then RE-INSTALLING it following your instructions, (and before running BitDefender):



Malwarebytes' Anti-Malware 1.41
Database version: 2845
Windows 6.0.6001 Service Pack 1

9/22/2009 9:48:18 PM
mbam-log-2009-09-22 (21-48-18).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 349638
Time elapsed: 1 hour(s), 38 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files (x86)\Common Files\TSUninstall (Rogue.TotalSecurity) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Nick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\11BT0LC0\PersonalScan-1249ffc_2009-1[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Common Files\TSUninstall\Uninstall.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\TS\Computer Scan.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\TS\Help.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\TS\Registration.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\TS\Security Center.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\TS\Settings.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\TS\Total Security.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\TS\Update.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\Users\Office Max\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\TS.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\Program Files (x86)\TS\tsc.exe (Rogue.TotalSecurity) -> Quarantined and deleted successfully.




I checked C:/Program Files/(x86)/TS, and IT IS NOW AN EMPTY FOLDER!
Also, I went to the "Programs and features" list to uninstall “Total Security”, and was informed there is nothing to un-install, and the remaining folder was deleted.

It appears that this download of Malwarebytes was different somehow – or at least had the desired result.

THANK YOU!

I will run BitDefender anyway (I already started it and watched it scan C:/Program Files/(x86)/TS with no detection!), and will post the results just in case, but the problem appears to be corrected.

THANKS AGAIN SO MUCH! Hooray! Thank You! Thank You!

Re: "Total Security" and/or "Personal Antivirus"

Hello,

The BitDefender results confirm removal.

Thanks again!


BitDefender Online Scanner

Scan report generated at: Wed, Sep 23, 2009 - 02:52:06
Scan path: C:\;D:\;E:\;

Statistics
Time: 02:38:23
Files: 605667
Folders: 29854
Boot Sectors: 0
Archives: 10046
Packed Files: 37839

Results
Identified Viruses: 0
Infected Files: 0
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 0

Engines Info
Virus Definitions: 4252414
Engine build: AVCORE v2.1 Windows/i386 11.0.0.26 (Aug 27 2009)
Scan plugins: 17
Archive plugins: 44
Unpack plugins: 8
E-mail plugins: 6
System plugins: 4

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File    Status
No virus found.

total security hellish thing!!!!

Moderated Message: Hello, debbie76, your comment has been removed. Please do not post in another member's topic. If you need help, please read this over and click here to open a new topic.

Re: "Total Security" and/or "Personal Antivirus"

Hi

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


==

Please download DragonFix by DragonMaster Jay, and save it to your Desktop.
  • Please disable realtime protection. (If any)
  • Double-click RunFirst.vbs. Follow the prompts and make sure it completes. It will confirm the Restore Point was added.
  • Double-click DragonFix.reg, and follow the prompt(s).
  • Please reboot your computer.


Please post the checkup log in your next reply.
