TechSpot

Security Suite malware or more?

By rcboosted
Aug 22, 2010
  1. I was just browsing along today as usual and I saw a Java logo on screen like Java was started, but I didn't initiate it. Shortly after, I got the Security Suite malware, where it changed my proxy option in Internet Explorer and keeps popping up with windows saying I'm infected, buy this software. I've seen this before on someone else's PC, so I installed Malwarebytes' Anti-Malware to remove it. It looked like it did.

    After the malware removal, I found out I could not get to other networked PCs that are sharing drives nor could I even see them under my usual workgroup. Norton also popped up with a netbt.sys warning where clean and quarantine both failed. I googled around and found that if netbt.sys is under /windows/system, it could be bad, but mine is under /windows/system/drivers.

    Anyway, a further Google search led to the 8-step malware removal guide, and here are some logs. I hope someone can help me fix this issue. I ran MBAM 3 times: first time without updating, 2nd time after updating, and 3rd time where it says I'm clean. Also, DDS' "attach" log asked me not to post it unless instructed, so I'm omitting it here. I also ran ComboFix; should I post that log as well? It contains a few personal items. Hopefully someone can help me fix it!
     
  2. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Welcome aboard

    Attach.txt part of DDS log is missing. Please, provide it.

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ========================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    Thank you for the reply! Here are the logs you requested.
     
  4. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    I can see you ran Combofix on your own already, which is not a good idea.
    Please, navigate to C:\Qoobox and give me ComboFix2.txt file.
     
  5. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    Yeah, I ran it after reading the 8 steps and someone else's thread. At that time, it had already asked for an update. But the combofix2.txt I posted is using the new file you linked. I hope I didn't make things worse by running it on my own.

    Below is combofix2.txt from Qoobox.
     
  6. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    What are the current issues?

    =========================================================================

    I can see you blanked your username, so you'll have to delete this folder manually:
    - c:\documents and settings\xxxx\Local Settings\Application Data\mjvdmmena
    Empty recycle bin afterward.

    =========================================================================

    Please uninstall Ask.com, as it's considered adware.

    =========================================================================

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    =========================================================================

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  7. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    Current issue is just Norton complaining that netbt.sys is infected with Backdoor.Tidserv.I!inf. I attached an image of Norton's threat history. It could not clean or quarantine it.

    mjvdmmena folder removed

    I do not know how to remove Ask.com. It was installed without my knowledge and it has no uninstall tool. Under the Ask.com folder in Program Files, all I see is GenericAskToolbar.dll.

    combofix uninstalled

    Rebooting as Combofix requested; will run OTL after it comes back up.
     

  8. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files and folders.
    Upload the following files to http://www.virustotal.com/ for a security check:
    - C:\Windows\System32\drivers\netbt.sys
    IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
     
  9. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    I'm also now noticing that something keeps changing my folder options to hide extensions and hidden files. I normally unhide extensions and hidden files. They become hidden again after some time, not just after a reboot.

    Here are the steps I took for OTL.

    Opened up OTL, clicked on the Quick Scan button thinking that's how I'd bring up another context menu, but it started to scan already. This scan produced OTL and Extras files, which I renamed to OTL1.txt and Extras1.txt. During the scan, Norton popped up complaining about netbt.sys a few times, and Windows File Protection popped up saying files that are required to run properly have been replaced by an unrecognized version, and asked me to put in the SP3 disc.

    I then copy/pasted the custom scan options into OTL and ran it again. This time it produced OTL.txt only. I did not rename it.
     
  10. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    We posted at the same time, so I'm not sure if you saw my previous reply.
     
  11. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    I guess there's my problem.

    Antivirus Version Last Update Result
    AhnLab-V3 2010.08.22.00 2010.08.21 Win-Trojan/TDSSPatched
    AntiVir 8.2.4.38 2010.08.20 TR/Patched.Gen
    Antiy-AVL 2.0.3.7 2010.08.16 -
    Authentium 5.2.0.5 2010.08.22 W32/Alureon.JIL
    Avast 4.8.1351.0 2010.08.22 Win32:Alureon-FZ
    Avast5 5.0.332.0 2010.08.22 Win32:Alureon-FZ
    AVG 9.0.0.851 2010.08.22 Win32/Patched.DX
    BitDefender 7.2 2010.08.22 Rootkit.Patched.TDSS.Gen
    CAT-QuickHeal 11.00 2010.08.21 Rootkit.TDSS.ap
    ClamAV 0.96.2.0-git 2010.08.22 Trojan.TDSS-3754
    Comodo 5821 2010.08.22 TrojWare.Win32.Rootkit.TDL3.gen
    DrWeb 5.0.2.03300 2010.08.22 BackDoor.Tdss.2459
    Emsisoft 5.0.0.37 2010.08.22 -
    eTrust-Vet 36.1.7804 2010.08.21 Win32/Alureon.D!generic
    F-Prot 4.6.1.107 2010.08.22 W32/Alureon.JIL
    F-Secure 9.0.15370.0 2010.08.22 Rootkit.Patched.TDSS.Gen
    Fortinet 4.1.143.0 2010.08.22 -
    GData 21 2010.08.22 Rootkit.Patched.TDSS.Gen
    Ikarus T3.1.1.88.0 2010.08.22 -
    Jiangmin 13.0.900 2010.08.21 Rootkit.TDSS.dgu
    Kaspersky 7.0.0.125 2010.08.22 Virus.Win32.TDSS.b
    McAfee 5.400.0.1158 2010.08.22 Patched-SYSFile.d
    McAfee-GW-Edition 2010.1B 2010.08.22 Patched-SYSFile.d
    Microsoft 1.6103 2010.08.22 Virus:Win32/Alureon.H
    NOD32 5386 2010.08.22 Win32/Olmarik.ZC
    Norman 6.05.11 2010.08.22 W32/tdss.drv.gen8
    nProtect 2010-08-22.01 2010.08.22 Trojan/W32.Rootkit.162816.E
    Panda 10.0.2.7 2010.08.22 W32/Tdss.FE
    PCTools 7.0.3.5 2010.08.22 Backdoor.Tidserv
    Prevx 3.0 2010.08.22 -
    Rising 22.61.06.04 2010.08.22 RootKit.Win32.TDSS.c
    Sophos 4.56.0 2010.08.22 Mal/TDSSRt-A
    Sunbelt 6776 2010.08.22 LooksLike.Win32.PatchedDriver!A (v)
    SUPERAntiSpyware 4.40.0.1006 2010.08.22 Trojan.Agent/Gen-Virut
    Symantec 20101.1.1.7 2010.08.22 Backdoor.Tidserv.I!inf
    TheHacker 6.5.2.1.353 2010.08.22 -
    TrendMicro 9.120.0.1004 2010.08.22 PE_TDSS.A
    TrendMicro-HouseCall 9.120.0.1004 2010.08.22 PE_TDSS.A
    VBA32 3.12.14.0 2010.08.20 Rootkit.Win32.TDSL.b
    ViRobot 2010.8.18.3995 2010.08.22 -
    VirusBuster 5.0.27.0 2010.08.21 Rootkit.TDSS.Gen.3
     
  12. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    Result of the scan.
     
  13. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  14. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    Running the killer. What do I do about the Windows prompt about the file being replaced? I'm not sure what files were replaced. If I click away, I don't know if it'll come back and ask me to replace the files. Since I'm running the scan, I don't want to replace any files while it scans.
     
  15. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    This time, allow it.
     
  16. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    TDSSKiller log

    It looks like removal was successful. What damages were done if any?

    What about removal of Ask.com? I do not have any panels or toolbars on my browser (Opera or IE), so was it even installed?
     

  17. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    Oops, too late. I already rebooted for TDSSKiller. Would it prompt me again? Or am I running the wrong versions of files now?
     
  18. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    No damage. You're infected with TDSS rootkit.
    Is Norton OK now?
     
  19. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    We posted at the same time.
    Is Norton still complaining?
     
  20. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    Norton's not complaining anymore. Just for kicks, I uploaded netbt.sys again to VirusTotal; 4 out of 40 say I've got Win32:Alureon-FZ. False positive?

    Do you have a recommended virus scanner? I know many do not like Norton.
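The two VirusTotal results in this thread (the full report in post 11 and the later 4-out-of-40 result) differ in detection ratio and in whether vendors agree on a family, which is what separates a genuine hit from a probable false positive. The following Python script is an added example, not code from the thread: it parses a constructed excerpt of the text report from post 11, folds the different vendor family names into one (the alias map and the thresholds are assumptions for illustration, not VirusTotal's rules), and reports ratio and consensus.

```python
import re
from collections import Counter

# Constructed excerpt of the VirusTotal text report posted in the thread (rows copied from it).
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2010.08.22.00 2010.08.21 Win-Trojan/TDSSPatched
Antiy-AVL 2.0.3.7 2010.08.16 -
Avast 4.8.1351.0 2010.08.22 Win32:Alureon-FZ
BitDefender 7.2 2010.08.22 Rootkit.Patched.TDSS.Gen
Kaspersky 7.0.0.125 2010.08.22 Virus.Win32.TDSS.b
Symantec 20101.1.1.7 2010.08.22 Backdoor.Tidserv.I!inf
"""

# Assumed alias map: vendors name the same rootkit family differently.
FAMILY_ALIASES = {"tdss": "TDSS", "tdl3": "TDSS", "tidserv": "TDSS",
                  "alureon": "TDSS", "olmarik": "TDSS"}

# engine, version, update date (YYYY.MM.DD), result ("-" means no detection)
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")

def parse_report(text):
    """Parse the pasted report into (engine, version, updated, result) tuples."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        m = ROW_RE.match(line.strip())
        if m:
            engine, version, updated, result = m.groups()
            rows.append((engine, version, updated,
                         None if result.strip() == "-" else result.strip()))
    return rows

def summarize(rows):
    """Count detections and group them under a normalised family name."""
    families = Counter()
    for _, _, _, result in rows:
        if result is not None:
            families[next((f for a, f in FAMILY_ALIASES.items() if a in result.lower()), "other")] += 1
    return {"engines": len(rows), "detections": sum(families.values()),
            "families": dict(families)}

def verdict(summary, min_ratio=0.5, min_family_share=0.6):
    """Illustrative thresholds (assumed): many engines agreeing on one family is a strong signal."""
    if summary["detections"] == 0:
        return "no detections"
    ratio = summary["detections"] / summary["engines"]
    top_share = max(summary["families"].values()) / summary["detections"]
    if ratio >= min_ratio:
        return "likely malicious (%s)" % ("vendor consensus" if top_share >= min_family_share else "names disagree")
    return "low detection rate: possible false positive, confirm with a second tool"
```

Run against the sample it reports a consensus TDSS detection; fed the later 4-of-40 counts it flags a low detection rate, which matches the advice to re-run a dedicated rootkit scanner before trusting either answer.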
     
  21. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Re-run TDSSKiller one more time.
     
  22. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    TDSSKiller didn't find anything.
     
  23. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Good. Most likely a false positive, but to make sure, re-run OTL with a slightly different Custom scan.
    It'll produce just one log.

    Custom scan:
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    netbt.sys
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
     
  24. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    Here it is.
     
  25. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    I'd like to start removing my attached files if you don't mind.
     