Solved Security Suite malware or more?

Status
Not open for further replies.

rcboosted

I was just browsing along today as usual and I saw a Java logo on screen like Java was starting, but I didn't initiate it. Shortly after I got the Security Suite malware, where it changed my proxy option in Internet Explorer and keeps popping up with windows saying I'm infected, buy this software. I've seen this before on someone else's PC, so I installed Malwarebytes' Anti-Malware to remove it. It looked like it did.

After the malware removal, I found out I could not get to other networked PCs that are sharing drives nor could I even see them under my usual workgroup. Norton also popped up with a netbt.sys warning where clean and quarantine both failed. I googled around and found that if netbt.sys is under /windows/system, it could be bad, but mine is under /windows/system/drivers.

Anyways, further Google searching led to the 8 steps for malware removal and here are some logs. I hope someone can help me fix this issue. I ran MBAM 3 times: first time without updating, 2nd time after updating, and 3rd time where it says I'm clean. Also, DDS' "attach" log asked me not to post it unless instructed, so I'm omitting it here. I also ran ComboFix; should I post that log as well? It contains a few personal items. Hopefully someone can help me fix it!
 
Welcome aboard


Attach.txt part of DDS log is missing. Please, provide it.

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

========================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
I can see you ran Combofix on your own already, which is not a good idea.
Please, navigate to C:\Qoobox and give me ComboFix2.txt file.
 
Yeah, I ran it after reading the 8 steps and someone else's thread. At that time, it had already asked for an update. But the combofix2.txt I posted is using the new file you linked. I hope I didn't make things worse by running it on my own.

Below is combofix2.txt from Qoobox.
 
What are the current issues?

=========================================================================

I can see you blanked your username, so you'll have to delete this folder manually:
- c:\documents and settings\xxxx\Local Settings\Application Data\mjvdmmena
Empty recycle bin afterward.

=========================================================================

Please uninstall Ask.com, as it's considered adware.

=========================================================================

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

=========================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Current issue is just Norton complaining that netbt.sys is infected with Backdoor.Tidserv.I!inf. I attached an image of Norton's threat history. It could not clean or quarantine it.

mjvdmmena folder removed

I do not know how to remove Ask.com. It was installed without my knowledge and it has no uninstall tool. Under the Ask.com folder in Program Files, all I see is GenericAskToolbar.dll.

combofix uninstalled

Rebooting as ComboFix requested, will run OTL after it comes back up.
 

Attachment: netbt.JPG
Open Windows Explorer. Go to Tools > Folder Options > View tab and put a checkmark next to "Show hidden files and folders".
Upload following files to http://www.virustotal.com/ for security check:
- C:\Windows\System32\drivers\netbt.sys
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.
 
I'm also now noticing that something keeps changing my folder options to hide extensions and hidden files. I normally unhide extensions and hidden files. They become hidden after some time, not just after a reboot.

Here's the steps I took for OTL.

Opened up OTL, clicked on the Quick Scan button thinking that's how I'd bring up another context menu, but it started to scan already. This scan produced OTL and Extras files, which I renamed to OTL1.txt and Extras1.txt. During the scan, Norton popped up complaining about netbt.sys a few times, and Windows File Protection popped up saying "Files that are required for Windows to run properly have been replaced by unrecognized versions" and asked me to put in the SP3 disc.

I then copied/pasted the custom scan options into OTL and ran it again. This time it produced OTL.txt only. I did not rename it.
 
I guess there's my problem.

Antivirus Version Last Update Result
AhnLab-V3 2010.08.22.00 2010.08.21 Win-Trojan/TDSSPatched
AntiVir 8.2.4.38 2010.08.20 TR/Patched.Gen
Antiy-AVL 2.0.3.7 2010.08.16 -
Authentium 5.2.0.5 2010.08.22 W32/Alureon.JIL
Avast 4.8.1351.0 2010.08.22 Win32:Alureon-FZ
Avast5 5.0.332.0 2010.08.22 Win32:Alureon-FZ
AVG 9.0.0.851 2010.08.22 Win32/Patched.DX
BitDefender 7.2 2010.08.22 Rootkit.Patched.TDSS.Gen
CAT-QuickHeal 11.00 2010.08.21 Rootkit.TDSS.ap
ClamAV 0.96.2.0-git 2010.08.22 Trojan.TDSS-3754
Comodo 5821 2010.08.22 TrojWare.Win32.Rootkit.TDL3.gen
DrWeb 5.0.2.03300 2010.08.22 BackDoor.Tdss.2459
Emsisoft 5.0.0.37 2010.08.22 -
eTrust-Vet 36.1.7804 2010.08.21 Win32/Alureon.D!generic
F-Prot 4.6.1.107 2010.08.22 W32/Alureon.JIL
F-Secure 9.0.15370.0 2010.08.22 Rootkit.Patched.TDSS.Gen
Fortinet 4.1.143.0 2010.08.22 -
GData 21 2010.08.22 Rootkit.Patched.TDSS.Gen
Ikarus T3.1.1.88.0 2010.08.22 -
Jiangmin 13.0.900 2010.08.21 Rootkit.TDSS.dgu
Kaspersky 7.0.0.125 2010.08.22 Virus.Win32.TDSS.b
McAfee 5.400.0.1158 2010.08.22 Patched-SYSFile.d
McAfee-GW-Edition 2010.1B 2010.08.22 Patched-SYSFile.d
Microsoft 1.6103 2010.08.22 Virus:Win32/Alureon.H
NOD32 5386 2010.08.22 Win32/Olmarik.ZC
Norman 6.05.11 2010.08.22 W32/tdss.drv.gen8
nProtect 2010-08-22.01 2010.08.22 Trojan/W32.Rootkit.162816.E
Panda 10.0.2.7 2010.08.22 W32/Tdss.FE
PCTools 7.0.3.5 2010.08.22 Backdoor.Tidserv
Prevx 3.0 2010.08.22 -
Rising 22.61.06.04 2010.08.22 RootKit.Win32.TDSS.c
Sophos 4.56.0 2010.08.22 Mal/TDSSRt-A
Sunbelt 6776 2010.08.22 LooksLike.Win32.PatchedDriver!A (v)
SUPERAntiSpyware 4.40.0.1006 2010.08.22 Trojan.Agent/Gen-Virut
Symantec 20101.1.1.7 2010.08.22 Backdoor.Tidserv.I!inf
TheHacker 6.5.2.1.353 2010.08.22 -
TrendMicro 9.120.0.1004 2010.08.22 PE_TDSS.A
TrendMicro-HouseCall 9.120.0.1004 2010.08.22 PE_TDSS.A
VBA32 3.12.14.0 2010.08.20 Rootkit.Win32.TDSL.b
ViRobot 2010.8.18.3995 2010.08.22 -
VirusBuster 5.0.27.0 2010.08.21 Rootkit.TDSS.Gen.3
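The result table above is the kind of thing worth reading with a script rather than by eye: what matters is not just how many engines fire, but whether the names agree on one family (TDSS, TDL, Alureon, Tidserv and Olmarik are all vendor names for the same rootkit family, and "Patched" names just say the driver was modified). The block below is an added example, not part of this thread or of any vendor's tool; the alias map and the verdict thresholds are my own assumptions, and the sample rows are a subset of the table posted above plus its header line.

```python
"""Summarise a pasted VirusTotal result table (Antivirus / Version /
Last Update / Result) and give a rough verdict on how consistent the
detections are.  Added example; not from the forum thread or from VirusTotal.
Assumptions (mine): the family alias map and the ratio thresholds below."""
import re
from collections import Counter
from typing import List, NamedTuple, Tuple


class Row(NamedTuple):
    engine: str
    version: str
    updated: str
    result: str          # "-" means the engine reported nothing

# Vendor aliases for the same rootkit family (assumption: my own map; all of
# these names appear for the one file in the table on the page).
FAMILY_ALIASES = {
    "TDSS/Alureon": ("tdss", "tdl", "alureon", "tidserv", "olmarik"),
    "patched-driver (generic)": ("patched",),
}

DATE_RE = re.compile(r"\d{4}\.\d{2}\.\d{2}")

# Constructed sample: twelve rows copied from the table above, header included.
SAMPLE = """Antivirus Version Last Update Result
AhnLab-V3 2010.08.22.00 2010.08.21 Win-Trojan/TDSSPatched
Antiy-AVL 2.0.3.7 2010.08.16 -
Avast 4.8.1351.0 2010.08.22 Win32:Alureon-FZ
BitDefender 7.2 2010.08.22 Rootkit.Patched.TDSS.Gen
DrWeb 5.0.2.03300 2010.08.22 BackDoor.Tdss.2459
Emsisoft 5.0.0.37 2010.08.22 -
Kaspersky 7.0.0.125 2010.08.22 Virus.Win32.TDSS.b
McAfee 5.400.0.1158 2010.08.22 Patched-SYSFile.d
NOD32 5386 2010.08.22 Win32/Olmarik.ZC
Sunbelt 6776 2010.08.22 LooksLike.Win32.PatchedDriver!A (v)
SUPERAntiSpyware 4.40.0.1006 2010.08.22 Trojan.Agent/Gen-Virut
Symantec 20101.1.1.7 2010.08.22 Backdoor.Tidserv.I!inf
"""


def parse_vt_table(text: str) -> List[Row]:
    """Parse whitespace-separated rows.  The result column may itself contain
    spaces, so split into at most four fields; the header row is dropped
    because its third field is not a date."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4 or not DATE_RE.fullmatch(parts[2]):
            continue
        rows.append(Row(*parts))
    return rows


def family_of(result: str) -> str:
    """Map a vendor detection name onto a family label."""
    name = result.lower()
    for family, tokens in FAMILY_ALIASES.items():
        if any(tok in name for tok in tokens):
            return family
    return "other"


def summarise(rows: List[Row]) -> Tuple[int, int, str, int]:
    """Return (detections, total, top family, votes for that family)."""
    detections = [r for r in rows if r.result != "-"]
    families = Counter(family_of(r.result) for r in detections)
    top, votes = families.most_common(1)[0] if families else ("none", 0)
    return len(detections), len(rows), top, votes


def verdict(detections: int, total: int, top_family: str, votes: int) -> str:
    """Rough triage rule (assumption: thresholds are mine, not VirusTotal's)."""
    ratio = detections / total if total else 0.0
    if ratio >= 0.5:
        return "malicious: broad agreement, mostly named %s (%d engines)" % (top_family, votes)
    if ratio < 0.15:
        return "low consensus: possible false positive, confirm by hashing against a known-good copy"
    return "inconclusive: investigate further"


if __name__ == "__main__":
    rows = parse_vt_table(SAMPLE)
    d, t, fam, v = summarise(rows)
    print("%d/%d engines detect; top family %s (%d votes)" % (d, t, fam, v))
    print(verdict(d, t, fam, v))
```

With the full 41-row table from the post the same code gives 34 detections with a clear TDSS/Alureon majority, which is why the driver is not a false positive at this point; the later "4 out of 40" result after cleaning falls under the low-consensus branch and needs a hash comparison rather than another scan.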
 
Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
 
running the killer. What do I do about the windows prompt about the file being replaced? I'm not sure what files were replaced. If I click away, I don't know if it'll come back and ask me to replace the files. Since I'm running the scan, I don't want to replace any files while it scans.
 
TDSSKiller log

It looks like removal was successful. What damages were done if any?

What about removal of ask.com? I do not have any panels or task bars on my browser (opera or IE), so was it even installed?
 

Attachment: TDSSKiller.2.4.1.2_22.08.2010_12.02.37_log.txt
Norton's not complaining anymore. Just for kicks, I uploaded netbt.sys again to VirusTotal; 4 out of 40 say I have Win32:Alureon-FZ. False positive?

Do you have a recommended virus scanner? I know many do not like Norton.
 
Good. Most likely a false positive, but to make sure, re-run OTL with a slightly different Custom scan.
It'll produce just one log.

Custom scan:


netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
netbt.sys
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
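The `/md5start netbt.sys /md5stop` lines in that custom scan make OTL hash every copy of netbt.sys it can find, so the live driver can be compared with the copies Windows keeps for repair. The script below does the same comparison; it is an added example, not from this thread and not OTL's code. It assumes (my assumption, not stated on the page) that on Windows XP the live driver sits in system32\drivers and reference copies live in system32\dllcache and ServicePackFiles\i386, and the demo tree it builds is constructed, with a "patched" copy that keeps the same size but differs in content, which is why size alone is not a useful check.

```python
"""Hash every copy of a driver under a directory tree and flag copies whose
hash disagrees with the majority, the check OTL performs with
'/md5start <name> /md5stop'.  Added example, not from the thread or from OTL.
Assumptions (mine): the XP reference-copy locations used in the demo tree;
the demo files are constructed, not real drivers."""
import hashlib
import os
import tempfile
from collections import defaultdict
from typing import Dict, List, Tuple


def hash_file(path: str, algo: str = "sha256", chunk: int = 1 << 16) -> str:
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root: str, name: str) -> List[Dict[str, object]]:
    """Every file called `name` (case-insensitive) under root, with size, MD5
    (what OTL prints) and SHA-256."""
    copies = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                p = os.path.join(dirpath, fn)
                copies.append({"path": p, "size": os.path.getsize(p),
                               "md5": hash_file(p, "md5"), "sha256": hash_file(p)})
    return copies


def outliers(copies: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Copies whose SHA-256 differs from the largest group of identical copies.
    Empty when every copy agrees (or there is nothing to compare)."""
    by_hash = defaultdict(list)
    for c in copies:
        by_hash[c["sha256"]].append(c)
    if len(by_hash) <= 1:
        return []
    majority = max(by_hash.values(), key=len)
    return [c for c in copies if c not in majority]


def build_demo_tree() -> Tuple[str, str]:
    """Constructed XP-like layout: two clean reference copies and one live
    driver with a few bytes changed at the same length.  Returns
    (root, path of the live driver)."""
    root = tempfile.mkdtemp(prefix="drvcheck_")
    clean = b"MZ" + bytes(range(256)) * 4            # stand-in for a driver image
    patched = bytearray(clean)
    patched[0x200:0x210] = b"\x90" * 16              # in-place patch, size unchanged
    layout = {
        ("Windows", "system32", "drivers", "netbt.sys"): bytes(patched),
        ("Windows", "system32", "dllcache", "netbt.sys"): clean,
        ("Windows", "ServicePackFiles", "i386", "netbt.sys"): clean,
    }
    live = ""
    for parts, data in layout.items():
        p = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
        if "drivers" in parts:
            live = p
    return root, live


if __name__ == "__main__":
    root, _live = build_demo_tree()     # on a real box: find_copies(r"C:\Windows", "netbt.sys")
    copies = find_copies(root, "netbt.sys")
    for c in copies:
        print("%s  %d bytes  md5=%s" % (c["path"], c["size"], c["md5"]))
    for c in outliers(copies):
        print("MISMATCH:", c["path"])
```

Two caveats a practitioner should keep in mind. A mismatch is not proof on its own: a hotfix can legitimately leave system32\drivers newer than the ServicePackFiles copy, so the next step is to compare the odd one out against a copy from the SP3 media or check its Authenticode signature. More importantly, the TDL3 family this thread deals with filters disk reads of the driver it infected and can hand back clean contents to user-mode readers, so hashes taken on the running system can look fine while the driver on disk is not; hashing from a clean boot environment or with the disk mounted offline avoids that blind spot, which is also why the helper runs TDSSKiller rather than relying on file hashes alone.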
 