[Pilot Pete]

Hi all
just found your forum whilst trying to get round this problem.

I was uploading a photo to Imageshack hosting site and when I clicked on the URL for the imge resize for forum insertion I quickly seemed to get the above virus (trojan?).

Whenever I try to open a browser or file the kcn.exe program runs and I get a 'Windows Security Centre' and 'XP Total Security - unregistered version' windows opening up and running some sort of scan telling me about 'infections' on my machine. a few minutes later I get a 'Stealth Intrusion' message pop up from the Task Bar, followed shortly by another - 'Severe System Damage'.

It is only my login that is affected and killing the program in Windows Task Manager stops it, but it keeps coming back even in Safe Mode whenever I try to open/ run anything, including IE and Firefx browsers and any documents/ files/ programs.

I have up to date McAfee, which it seems to have bypassed. Following the forum instructions I have downloaded the OTL to my desktop, but cannot run it as the virus/trojan just starts whenever I try to open/ run it.

I managed to get SuperAnti-Spyware to download and run. A complete scan found 4 tojans and quaranteened them, but unfortunately I still have the problem after re-boot!

Any guidance greatly accepted.

PP

Edited by Pilot Pete, 05 April 2011 - 11:27 AM.

[Advertisements]

Hi, Pilot Pete



Lets give this a try throughout an External Environment, which simply means you will need to burn a boot CD with especial tools. You will also need a flash drive to move information from the troubled computer to a working computer. It is the only way we can see the progress of our actions. Save these instructions in your flash drive as a text file (use notepad) so you can have access to these while in an external environment (PE).

Here is what you need to do.

• Download OTLPEStd.exe to your desktop. NOTE: This file is 93.5MB in size so it may take some time to download.
• Once downloaded, insert a blank CD in your burner and click on OTLPEStd.exe.The executable includes the OTLPE_New_Std.iso and a copy of imgburn, a program to burn .iso files. When executed, the application will extract both and start the burning process automatically.
• Once the CD is burned, boot the Non working computer using the boot CD you just created.
• In order to do so, the computer must be set to boot from the CD first
  Note : For information click here
  
• Your system should now display a REATOGO-X-PE desktop.
• Double-click on the OTLPE icon.
• When asked "Do you wish to load the remote registry", select Yes
• When asked "Do you wish to load remote user profile(s) for scanning", select Yes
• Ensure the box "Automatically Load All Remaining Users" is checked and press OK
• OTL should now start. Change the following settings
  
  • Change Drivers to All
  • Change Standard Registry to All
  • Under the Custom Scan box paste this in
    

    
    /md5start
    UXTHEME.DLL
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    kcn.exe
    userinit.exe
    explorer.exe
    winlogon.exe
    ntoskrnl.exe
    /md5stop
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    %systemroot%\System32\config\*.sav
    

• Press Run Scan to start the scan.
• When finished, the file will be saved in drive C:\OTL.txt
• Copy this file to your USB drive.
• Please post the contents of the C:\OTL.txt file in your reply.

[JSntgRvr]

Hi, Pilot Pete



Lets give this a try throughout an External Environment, which simply means you will need to burn a boot CD with especial tools. You will also need a flash drive to move information from the troubled computer to a working computer. It is the only way we can see the progress of our actions. Save these instructions in your flash drive as a text file (use notepad) so you can have access to these while in an external environment (PE).

Here is what you need to do.

• Download OTLPEStd.exe to your desktop. NOTE: This file is 93.5MB in size so it may take some time to download.
• Once downloaded, insert a blank CD in your burner and click on OTLPEStd.exe.The executable includes the OTLPE_New_Std.iso and a copy of imgburn, a program to burn .iso files. When executed, the application will extract both and start the burning process automatically.
• Once the CD is burned, boot the Non working computer using the boot CD you just created.
• In order to do so, the computer must be set to boot from the CD first
  Note : For information click here
  
• Your system should now display a REATOGO-X-PE desktop.
• Double-click on the OTLPE icon.
• When asked "Do you wish to load the remote registry", select Yes
• When asked "Do you wish to load remote user profile(s) for scanning", select Yes
• Ensure the box "Automatically Load All Remaining Users" is checked and press OK
• OTL should now start. Change the following settings
  
  • Change Drivers to All
  • Change Standard Registry to All
  • Under the Custom Scan box paste this in
    

    
    /md5start
    UXTHEME.DLL
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    kcn.exe
    userinit.exe
    explorer.exe
    winlogon.exe
    ntoskrnl.exe
    /md5stop
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    %systemroot%\System32\config\*.sav
    

• Press Run Scan to start the scan.
• When finished, the file will be saved in drive C:\OTL.txt
• Copy this file to your USB drive.
• Please post the contents of the C:\OTL.txt file in your reply.