Malware Destructor 4.5

Post by beynac » September 25th, 2007, 2:18 am

Hi -Whiteman51x,

I realise you are trying to help, but only AUTHORISED personnel are allowed to post in the Malware Removal forum.

Helpers here go through a demanding training course before they are allowed to give advice in this forum.

If you wish to train to be a helper here, enrol in the Malware Removal University.

Your posts have been removed.

Please disregard any advice given by this Member and wait for an AUTHORISED helper.


------------------------------------------

Good morning jp29598.

HijackThis needs to be "Run as administrator" for it to work properly. I would like you to re-do the fix with that important difference.

First, please make sure that Spybot's TeaTimer and Windows Defender are disabled (as before).

Next, open HijackThis by right-clicking on the shortcut and selecting Run as administrator. Please always use this method when running HijackThis.

Click Scan and then check (tick) the following, if present (don't worry if any are missing):

O4 - HKLM\..\Run: [Windows SysNotify] C:\Windows\system32\mssecc.exe

Close down all programs, browsers and other open windows. Make sure that only the above items are checked and then click on Fix checked.

Still in HijackThis:
  • Click on Config... (bottom right)
  • Click on Misc Tools (at the top)
  • Click on Delete a file on reboot...
  • Copy and paste the following into the "File name:" text box and then click Open: C:\Windows\system32\mssecc.exe
  • When you are asked "Do you want to restart your computer now?", click OK.
Your PC MUST reboot to delete the file!

---------------------------------------------------------

After the reboot, please run another HijackThis scan ("Run as administrator") and post the log. Please also let me know whether the popup has gone.

Post by jp29598 » September 25th, 2007, 2:38 am

Hi beynac, (it's 11:37 P.M. here!)

My nephew (who works in the computer department at college) solved the problem.

He switched Vista to administrator mode and tried to eliminate the mssecc.exe file and that didn't work.

He then ran Vista in administrator mode AND in safe mode and that allowed the file to be eliminated (sent to the recycle bin).

The popup is now gone.

Do you have any more suggestions or advice?

Thank you for your help. Where on this site can I donate something for your time?

Thanks again!

Post by beynac » September 25th, 2007, 4:06 am

The popup is now gone.

That's good news. :)

What your nephew did will have the same effect as deleting the file on reboot using HijackThis. However, it will not get rid of the registry entry (the O4 line in the HijackThis log). I suggest that you follow the instructions in my previous post. Obviously, you will not now need to delete the file! :)

Make sure that you empty the recycle bin.

Thank you for your help. Where on this site can I donate something for your time?

You're welcome. Any donations towards running this site would be gratefully received. You can donate by clicking on this link.

Post by jp29598 » September 27th, 2007, 1:33 am

Hi,

The following is the latest hijackthis log...looks like that 04 line with the mssecc file is gone.

I didn't have to check the "Fix" button to correct the registry entry. I ran the scan and it wasn't there.

I guess it was fixed when my nephew deleted the file...

I made a site donation this evening.

Thanks again for all your help!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:26 PM, on 9/26/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\CTHELPER.EXE
C:\Windows\System32\CTXFIHLP.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\CTXFISPI.EXE
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - http://update.microsoft.com/microsoftup ... 0495054843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0495041062
O16 - DPF: {A959E4A5-0B3D-449E-9998-348705BD4092} (Desktop.Smdesk) - http://www.servicemagic.com/smod/smdesktop.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{8976304A-BEF7-4CDE-85E8-1BED2A5E7546}: NameServer = 68.94.156.1 68.94.157.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{91A6908B-7909-4BC9-8881-94C0C7D32A4B}: NameServer = 206.13.29.12 206.13.30.12
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 4893 bytes
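
An added example (not part of the thread, and not code from HijackThis or this forum) of the check discussed above: confirming from two HijackThis logs that the O4 Run value pointing at mssecc.exe is gone from the registry, not just the file from disk. The sample logs are constructed from O4 lines quoted in this thread, and the function names are hypothetical.

```python
import re
from typing import NamedTuple

class RunEntry(NamedTuple):
    hive: str      # e.g. HKLM, HKCU, HKUS\S-1-5-19
    key: str       # Run, RunOnce, ...
    name: str      # registry value name shown in [brackets]
    command: str   # command line stored in the value

# HijackThis prints registry autostarts as:  O4 - <hive>\..\<key>: [<name>] <command>
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HK\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<command>.*)$"
)

def parse_run_entries(log_text: str) -> list[RunEntry]:
    """Extract registry-based O4 entries; other sections and startup-folder O4 lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if m:
            entries.append(RunEntry(**m.groupdict()))
    return entries

def entries_referencing(entries, file_name):
    """Entries whose command mentions file_name (Windows paths are case-insensitive)."""
    needle = file_name.lower()
    return [e for e in entries if needle in e.command.lower()]

def removed_between(before, after):
    """Autostart values present in the first log but absent from the second."""
    seen = {(e.hive.lower(), e.key.lower(), e.name.lower()) for e in after}
    return [e for e in before if (e.hive.lower(), e.key.lower(), e.name.lower()) not in seen]

# Constructed sample: a few O4 lines taken from the thread, enough to exercise the check.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [Windows SysNotify] C:\Windows\system32\mssecc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
"""
# Constructed "after" log: the same lines without the entry that was fixed.
LOG_AFTER = "\n".join(l for l in LOG_BEFORE.splitlines() if "mssecc.exe" not in l)

if __name__ == "__main__":
    before, after = parse_run_entries(LOG_BEFORE), parse_run_entries(LOG_AFTER)
    print("still referencing mssecc.exe:", entries_referencing(after, "mssecc.exe"))
    print("removed since first log:", removed_between(before, after))
```

An empty result from `entries_referencing` on the later log means no Run value still points at the deleted file; a non-empty one is the leftover registry entry described in the earlier reply.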

Post by beynac » September 27th, 2007, 4:38 am

Hi.
The following is the latest hijackthis log...looks like that 04 line with the mssecc file is gone.

I didn't have to check the "Fix" button to correct the registry entry. I ran the scan and it wasn't there.

I guess it was fixed when my nephew deleted the file...

I don't understand how that happened (unless a registry clean-up utility was used), but the important thing is that it has gone. :)

--------------------------------------------------

System Restore

Now that the computer is clean, it would be a good idea to 'flush' your system restore points and create a new, clean one.
  1. Click the Start button
  2. From the Start menu click Control Panel
  3. In Control Panel click the System icon
  4. On the left of the System properties window you will see a list of Tasks, click on the System protection link
  5. In the System Protection window, remove the 'tick' mark from beside the main drive
  6. A message will now appear asking: 'Are you sure you want to turn System restore off'
  7. Press the Turn system restore off button
  8. System Restore will now be turned off permanently on that particular drive
  9. Click OK and then reboot the computer
  10. Repeat steps 1 to 4
  11. In the System Protection window, re-tick the box next to your main drive
  12. Click Apply then OK
-------------------------------------------

I made a site donation this evening.

Thank you - that is much appreciated. :)

Thanks again for all your help!

You're welcome.


This topic is now closed.

If you are the originator of this topic, and you need it re-opened please send an email to 'admin at malwareremoval.com', including a link to this topic.

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Gary R