Live Security Platinum

Discussion in 'Malware Help (A Specialist Will Reply)' started by JNT, Jul 27, 2012.

  1. JNT

    JNT Private E-2

    Hi

I live in Australia and was attempting to listen to a sample of some music from a random US radio station. Not long after I started listening to the music, a message came up telling me that I had a suspected virus and that a scan was going to run. Having seen this type of screen before over the years, I exited the site immediately, but obviously not quickly enough. I received a message encouraging me to buy Live Security Platinum.

Now I can't access the internet. Some applications won't run. Microsoft Security Essentials has been disabled, as have Malwarebytes and Spybot.

I downloaded RogueKiller, HitmanPro and MGtools.exe but couldn't run them in the normal Windows environment, so I ran them in Safe Mode.

    I have attached the relevant logs and look forward to hearing from you.

    Please bear with me, I'm no genius computer whiz.

    JT
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Yes, you have a ZeroAccess infection. Run these first, then we will start on a fix.

    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run


    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
     
  3. JNT

    JNT Private E-2

    Thanks for the prompt response Kestrel13

    I followed your instructions and have attached the logs.

    JT
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • O2 - BHO: Updater For Spam Free Search Bar - {20a0be68-8fd9-4539-8712-ce3d1c1fdfc6} - C:\Program Files\blekkotb\auxi\blekkoAu.dll
    • O2 - BHO: Spam Free Search Bar - {26c9e18c-3717-4be1-a225-04e4471f5b6e} - C:\Program Files\blekkotb\blekkoDx.dll
    • O3 - Toolbar: Spam Free Search Bar - {26c9e18c-3717-4be1-a225-04e4471f5b6e} - C:\Program Files\blekkotb\blekkoDx.dll
    • O4 - HKLM\..\Run: [sbnto] rundll32.exe "C:\Documents and Settings\Jim\Application Data\sbnto.dll",CrackNotificationPackage
    • O4 - HKLM\..\Run: [ngilpa] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Jim\Application Data\ngilpa.dll",IsExtensionPresent
    • O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    • O4 - HKCU\..\RunOnce: [036DFF850000F7C89359F4DB7B07D287] C:\Documents and Settings\All Users\Application Data\036DFF850000F7C89359F4DB7B07D287\036DFF850000F7C89359F4DB7B07D287.exe
    After clicking Fix exit HJT.


    ---------------------------------------------

    If you do not use Windows Messenger Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    ---------------------------------------------

    http://img805.imageshack.us/img805/9659/rktigzy.gif Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these 7 detections:
    • [BLACKLIST DLL] HKLM\[...]\Run : sbnto (rundll32.exe "C:\Documents and Settings\Jim\Application Data\sbnto.dll",CrackNotificationPackage) -> FOUND
    • [BLACKLIST DLL] HKLM\[...]\Run : ngilpa ("C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Jim\Application Data\ngilpa.dll",IsExtensionPresent) -> FOUND
    • [SUSP PATH] HKCU\[...]\RunOnce : 036DFF850000F7C89359F4DB7B07D287 (C:\Documents and Settings\All Users\Application Data\036DFF850000F7C89359F4DB7B07D287\036DFF850000F7C89359F4DB7B07D287.exe) -> FOUND
    • [SUSP PATH] HKUS\S-1-5-21-1343024091-2052111302-682003330-1003[...]\RunOnce : 036DFF850000F7C89359F4DB7B07D287 (C:\Documents and Settings\All Users\Application Data\036DFF850000F7C89359F4DB7B07D287\036DFF850000F7C89359F4DB7B07D287.exe) -> FOUND
    • [ZeroAccess] HKCR\[...]\InprocServer32 : (\\.\globalroot\systemroot\Installer\{8b81a245-f9c6-0f88-9a60-fc0c2c94113d}\n.) -> FOUND
    • [ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Documents and Settings\Jim\Local Settings\Application Data\{8b81a245-f9c6-0f88-9a60-fc0c2c94113d}\n.) -> FOUND
    • [ZeroAccess] HKLM\[...]\InprocServer32 : (\\.\globalroot\systemroot\Installer\{8b81a245-f9c6-0f88-9a60-fc0c2c94113d}\n.) -> FOUND

Place a checkmark beside each of these items, leave any others unchecked.
    Now press the Delete button.

    Now do the same for Files/Folders. See below items.

    • [ZeroAccess][FILE] n : c:\windows\installer\{8b81a245-f9c6-0f88-9a60-fc0c2c94113d}\n --> FOUND
    • [ZeroAccess][FILE] @ : c:\windows\installer\{8b81a245-f9c6-0f88-9a60-fc0c2c94113d}\@ --> FOUND
    • [ZeroAccess][FOLDER] U : c:\windows\installer\{8b81a245-f9c6-0f88-9a60-fc0c2c94113d}\U --> FOUND
    • [ZeroAccess][FOLDER] L : c:\windows\installer\{8b81a245-f9c6-0f88-9a60-fc0c2c94113d}\L --> FOUND
    • [ZeroAccess][FILE] n : c:\documents and settings\jim\local settings\application data\{8b81a245-f9c6-0f88-9a60-fc0c2c94113d}\n --> FOUND
    • [ZeroAccess][FILE] @ : c:\documents and settings\jim\local settings\application data\{8b81a245-f9c6-0f88-9a60-fc0c2c94113d}\@ --> FOUND
    • [ZeroAccess][FOLDER] U : c:\documents and settings\jim\local settings\application data\{8b81a245-f9c6-0f88-9a60-fc0c2c94113d}\U --> FOUND
    • [ZeroAccess][FOLDER] L : c:\documents and settings\jim\local settings\application data\{8b81a245-f9c6-0f88-9a60-fc0c2c94113d}\L --> FOUND
    • [ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac\desktop.ini --> FOUND


    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.


    Delete these folders if you are able to.

    C:\Documents and Settings\Jim\Local Settings\Application Data\Babylon
    C:\Documents and Settings\Jim\Local Settings\Application Data\blekkotb

    • Now REBOOT the machine.
    • Run RogueKiller again (NO FIX just a scan and attach the log)
    • Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
    • Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
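The RogueKiller and HijackThis lines above show the persistence pattern that makes ZeroAccess recognisable: a Run value launching rundll32 with a DLL parked in a user's Application Data folder, a RunOnce value named by a 32-character hex string, COM InprocServer32 handlers redirected to a `{GUID}\n` payload (sometimes through a `\\.\globalroot\` device path), and the `n`, `@`, `U`, `L` artefacts in a `{GUID}` folder plus the stray `desktop.ini` in the GAC. The script below is an added example, not a tool from this thread or from MajorGeeks; it is a small triage helper that reads lines in the two log formats quoted above and tags the ones matching those indicators. The sample lines are copied from this thread except the final notepad line, which is a constructed benign entry to show that ordinary autoruns stay unflagged.

```python
import re

# One regex per indicator. Each is applied to a single log line in either
# HijackThis (O4 - HKLM\..\Run: [name] command) or RogueKiller
# ([TAG] HKEY\[...]\Run : name (command) -> FOUND) format.
INDICATORS = {
    # rundll32 loading a DLL that lives under a user profile's Application Data
    "rundll32_appdata_dll": re.compile(
        r'rundll32\.exe"?\s+"[^"]*\\Application Data\\[^"\\]+\.dll"', re.I),
    # Run/RunOnce value whose name is a bare 32-character hex string
    "hex32_runonce": re.compile(
        r'\\Run(Once)?\s*:?\s*\[?[0-9A-F]{32}(?![0-9A-Fa-f])', re.I),
    # COM handler (InprocServer32) redirected to the payload "n" in a {GUID} folder
    "inprocserver32_guid_n": re.compile(
        r'InprocServer32.*\\\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\n\b', re.I),
    # device-path prefix that hides the real file location from casual inspection
    "globalroot_path": re.compile(r'\\\\\.\\globalroot\\', re.I),
    # the n / @ / U / L artefacts inside a {GUID} folder, or the GAC desktop.ini
    "zeroaccess_artefact": re.compile(
        r'\\\{[0-9a-f-]{36}\}\\(n|@|U|L)(?=[\s.)]|$)|\\assembly\\gac\\desktop\.ini', re.I),
}


def classify(line):
    """Return the sorted list of indicator tags that fire on one log line."""
    return sorted(tag for tag, rx in INDICATORS.items() if rx.search(line))


def triage(lines):
    """Map each flagged line to its tags; lines with no hit are left out."""
    report = {}
    for raw in lines:
        line = raw.strip()
        tags = classify(line)
        if tags:
            report[line] = tags
    return report


# Sample input: lines quoted from the thread, plus one constructed benign line.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [sbnto] rundll32.exe "C:\Documents and Settings\Jim\Application Data\sbnto.dll",CrackNotificationPackage',
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r'O4 - HKCU\..\RunOnce: [036DFF850000F7C89359F4DB7B07D287] C:\Documents and Settings\All Users\Application Data\036DFF850000F7C89359F4DB7B07D287\036DFF850000F7C89359F4DB7B07D287.exe',
    r'[BLACKLIST DLL] HKLM\[...]\Run : ngilpa ("C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Jim\Application Data\ngilpa.dll",IsExtensionPresent) -> FOUND',
    r'[SUSP PATH] HKUS\S-1-5-21-1343024091-2052111302-682003330-1003[...]\RunOnce : 036DFF850000F7C89359F4DB7B07D287 (C:\Documents and Settings\All Users\Application Data\036DFF850000F7C89359F4DB7B07D287\036DFF850000F7C89359F4DB7B07D287.exe) -> FOUND',
    r'[ZeroAccess] HKCR\[...]\InprocServer32 : (\\.\globalroot\systemroot\Installer\{8b81a245-f9c6-0f88-9a60-fc0c2c94113d}\n.) -> FOUND',
    r'[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Documents and Settings\Jim\Local Settings\Application Data\{8b81a245-f9c6-0f88-9a60-fc0c2c94113d}\n.) -> FOUND',
    r'[ZeroAccess][FILE] n : c:\windows\installer\{8b81a245-f9c6-0f88-9a60-fc0c2c94113d}\n --> FOUND',
    r'[ZeroAccess][FILE] @ : c:\windows\installer\{8b81a245-f9c6-0f88-9a60-fc0c2c94113d}\@ --> FOUND',
    r'[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac\desktop.ini --> FOUND',
    # constructed benign line: a normal program path, no indicator should fire
    r'[FILE] notepad : c:\windows\notepad.exe --> FOUND',
]

if __name__ == "__main__":
    for line, tags in triage(SAMPLE_LINES).items():
        print(", ".join(tags))
        print("    " + line)
```

Lines with no hit (the Windows Messenger autorun and the constructed notepad line) are left out of the report, so the output is only the entries worth a second look; whether they are then deleted is still a decision for the person reading the full log, as in the instructions above.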
     
  5. JNT

    JNT Private E-2

    I ran RogueKiller and when the scan finished I looked at the registry.

    The seven detections you listed were missing. They were replaced by five others which had ticked boxes beside them - indicating that RogueKiller wanted them deleted. I ignored that suggestion.

    I attempted to delete the files indicated, although they didn't have a ticked box beside them. The only file deleted was the desktop.ini file. Interestingly, when I checked the registry tab again, the five detections were gone. I did notice a comment about something being transferred to quarantine during the process.

    Both Babylon and blekkotb were easily deleted.

I tried to open Windows Security Essentials but received the following message:
    "Couldn't start the Security Essentials service. The specified service does not exist as an installed service."

    I had a quick dip into Internet Explorer and that seems to work. I loaded some Word and Excel files and they worked correctly. MS Outlook works as does VLC media player. I am now allowed access to both Spybot and Malwarebytes. A Spybot quick scan found no infections, however Malwarebytes found three infected objects.

    I have attached all logs for your review.

    Thanks for your help.

     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Looking better.


    What is inside of this folder please?

    C:\Documents and Settings\All Users\Application Data\036DFF850000F7C89359F4DB7B07D287


Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    You may be better uninstalling it and reinstalling. Use Revo (see below)

    Try Revo Uninstaller.
    Choose the option on the bottom of the list (#4). Be very careful while deleting the bolded registry items ONLY!! This software will create a system restore point for you as well prior to uninstalling a software program.
     
  7. JNT

    JNT Private E-2

    The contents of C:\Documents and Settings\All Users\Application Data\036DFF850000F7C89359F4DB7B07D287 are as follows:

    036DFF850000F7C89359F4DB7B07D287 file 2kb
    036DFF850000F7C89359F4DB7B07D287.exe 404kb
    036DFF850000F7C89359F4DB7B07D287.ico 5kb

    Tried to run fixMe.reg from the desktop and received the following msg:

    Cannot import C:\Documents and Settings\Jim\Destktop\fixMe.reg: The specified file is not a registry script.
    You can only import binary registry files from within the registry editor.

    Uninstalled MSE with Revo Uninstaller and then reinstalled MSE.
    During the process received a message saying "for some unknown reason the firewall was not turned on during installation. You can turn it on manually etc"

I went into Control Panel and couldn't get into Windows Firewall. The error message says "Due to an unidentified problem, Windows cannot display Windows Firewall settings."

As part of its installation process MSE updates and runs a quick scan. On completion it displayed the following message:

    "Security Essentials detected a potential threat on your PC.
    To complete the cleanup, you'll need to restart your PC."

    Restarted the computer and HitmanPro started automatically and did a scan finding no threats.

MSE finished its scan and all appeared well, but I ran another quick scan and it advised there were no threats found. I ran a Malwarebytes scan and there were no threats reported either.

    However, I still cannot access my Windows Firewall in Control Panel.

    JT
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Delete this: C:\Documents and Settings\All Users\Application Data\036DFF850000F7C89359F4DB7B07D287

    Now, for the firewall issue -

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
• Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.

    After reboot, check to see if your firewall is working.
     
  9. JNT

    JNT Private E-2

    Deleted: C:\Documents and Settings\All Users\Application Data\036DFF850000F7C89359F4DB7B07D287

    I downloaded and ran Windows Repair and I can now access Windows Firewall in Control Panel.

    MSE appears to be working - I ran a Quick Scan with no problems. However Windows Security Alerts tells me that I don't have Virus Protection.

    Where to now?
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Did you uninstall MSSE with Revo or the normal way?

Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.
     
  11. JNT

    JNT Private E-2

    Hey Kestrel13!

    Looks like we might be at journey's end.

    1. As noted on my post of 1st August - I removed MSE with REVO.

    2. I created and saved fixME.reg to the desktop; ran it and received the success message.

    All appears to be in good working order, however I have a folder on my desktop titled RK_Quarantine. The folder contains twelve VIR files; four registration entries; two DAT files; and two text files.

HitmanPro now runs every time I start the computer - can I delete it?

    JT
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Yes, you can delete them all. If HitmanPro is already running at start up, just find its icon and disable it first.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
• Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
• Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  13. JNT

    JNT Private E-2

    Following your instructions and recommendations I purchased Malwarebytes. The installation process calls for a re-start and on re-start MSE found Trojan: DOS/Sinowal.Q which I deleted. I had previously run a scan before the re-start and found nothing.

    I'm wary of creating a restore point when we may still have some "leftovers" in the computer.

    Anything you can recommend? (I've run a quick MBAM scan using the purchased version with a nil result).

    JT
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Re-run RogueKiller and attach the log. Where was the location it found it in? It could have been in a quarantine from one of our tools, you see.
     
  15. JNT

    JNT Private E-2

    Copy of requested log attached. (There now exists a folder on the desktop titled RK_Quarantine.)

    I see your point regarding the quarantined items, but I cleared out all detected items on MSE after I sent you the message (doh!) so I can't help with the location.

    Sorry about that Chief.

    JT
     

    Attached Files:

  16. JNT

    JNT Private E-2

    About to turn in and thought I'd run a full scan with the newly purchased version of MalwareBytes and it found a nasty. The log is attached.

    MalwareBytes requires a restart to properly delete unwanted items and on the restart MSE found and removed the Trojan:DOS/Sinowal.Q

    It had the following information under the headings Items:

    boot:\Device\Harddisk7\DR9\(MBR)
    boot:\Device\Harddisk7\DR9\(MBR)\(MBR)

    Rgds

    JT
     

    Attached Files:

  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run


    Run RogueKiller once more and attach log.
     
  18. JNT

    JNT Private E-2

    Applications run and reports attached as requested.

    JT
     
  19. JNT

    JNT Private E-2

    Take two.

    Applications run and reports attached as requested.

    JT
     

    Attached Files:

  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Everything running as it should?
     
  21. JNT

    JNT Private E-2

    The machine seems to be operating well - certainly it seems a little speedier. I ran quick scans with MSE and MalwareBytes and nothing turned up. Might be the journey's ended. If that's the case thanks heaps Kestrel13!
     
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are most welcome. :)
     
  23. JNT

    JNT Private E-2

    Back again Kestrel13!

I'm not a big fan of coincidence, but all of a sudden my desktop computer can't access the internet, nor can I get emails.

    All the relevant lights appear on my router. My laptop accesses the internet via wi-fi on the router without problem. I replaced the lead between the computer and the router.

    I've uninstalled and re-installed the ethernet card.

Seemingly the problem lies within the desktop computer. Could it be a side effect of our recent skirmish with the ZeroAccess infection on the desktop?

    Sorry to be a pest.

    JNT
     
  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there. :) Could you please post in the software forum regarding this please. The guys and gals in there will assist you.
     
