Security Master AV (&friends) removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by Argle, Jul 14, 2010.

  1. Argle

    Argle Private E-2

    Hello at Majorgeeks,

    The initial problem discovered was Security Master AV.

    I think the advice on your site has helped me to clear most of the problems that were found; but I am not 100% certain, and would greatly appreciate it if someone could look over the logs and advise me on current status, and suggestions to proceed, please.

    One or two problems cropped up during scans; details are provided below.

    HP Compaq 6735s
    Vista Home Basic 2007; SP1; 32bit.
    Windows defender
    Windows firewall
    HP Protect Tools (HP restore on drive D, HP tools on F:\)

    Discovered relative's antivirus (McAfee) had expired and Security Master AV present, as well as various adware/spyware - hotbar, zango...
    He's a total novice (age 75) with little or no separation in his mind between computer - browser - internet - application.
    Anything he does not recognize or understand, he's inclined to cancel - & that's Everything except IE!
    We had previously attempted to set up maintenance/security that requires minimal user intervention or understanding; but are not on hand regularly & it appears other people may have fiddled...
    I had stripped out expired free trials (like MS office), switched browser over to Chrome; but find this has been undone.

    Someone had downloaded & installed the free version of StopZilla to try to combat SM AV; but had then abandoned the attempt; as he won't pay for it (or anything!), the 1st thing I did was to uninstall that.

    SM AV & friends appear to have been on the system about 2 weeks - immediately on expiry of McAfee ~ 30/06/2010
    Displaying usual symptoms of hijacking browser, continual warnings.
    Although no proxy settings appeared in Internet options, SM AV was reconnecting when you disconnect from the internet, and he has been unable to access his webmail.

    I have downloaded Avast with the intention of installing - but was not keen to put in on to an already compromised system, with no restore points older than a day or two. Decided to follow your instructions & attempt to deal with problem first.


    Followed read me instructions...Ran scans
    I've been slightly less than competent, sorry! :-o

    1) I've had to download & then transfer necessary tools, so definitions not been updated as a result.

    2) On dealing with Mbam's results - One Hotbar item remained unchecked (oops, curses!) and was not removed - last item of Mbam log. It is not visible there when I use windows to browse/explore or search for it.

    3) On running Combofix - a windows 'close program' dialogue appeared: "PEV.exe has stopped working." "A problem has caused the program to stop working correctly. Windows will close the program and notify you if a solution is available."
    I did not take any action. Combofix finished & rebooted; the system immediately rebooted itself again after Windows log-on.

    4) At this point, before I ran RootRepeal & MGtools, several files belonging to SM AV were still remaining; but several had also gone. (After RootRepeal and MGtools, the only remaining trace of SM AV that was obvious was an orphaned shortcut, which I deleted.)

    5) On running RootRepeal: I got a Windows dialogue box saying "Windows has recovered from an unexpected shut down".
    I'm not sure if this happened during or after scan :)zzz it's been a while...).
    When I saved the report, the 'save file' dialogue box told me it couldn't create the file; but file did save & contains data.

    6) On running MGtools (as per Vista instructions with UAC still disabled): it did not perform/run as the instructions suggested it would. It launched the BAT file, and the system shut down within seconds of starting the first BAT.
    On reboot after I logged onto windows again, it continued automatically after loading a Cmdprompt window, followed by a DOS window running one of the BATs; then rapidly produced two more windows dialogues:
    1: msoffice.bin has stopped working 0Xc0000006.
    2: HP Digital Imaging... I did not have time to see what this said, as it appeared behind the 1st, and the system rapidly rebooted again.
    Hp digital imaging appears to be functioning after reboot.
    Two logs in MG tools log Zip: GetUnKey & runkeys, which I'll attach to subsequent post.

    I'd just like to say a big "thank you", as well - it might be my 1st post here; but it's not the first time I've benefitted from the information, resources and advice you provide here.

    Thanks,
    Argle
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It appears as though ComboFix did not run to completion. We will try to do that later.

    In the meantime, please go to:
    C:\MGtools\GRK.bat and see if that will produce a log for you. If not, then try this:

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt, each followed by the Enter key. The bold black are commands. The red is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
     
  3. Argle

    Argle Private E-2

    Tim, thanks for your reply,
    MGtools did produce a log the 1st time I ran it; attached to this post.

    I read the rules about double posting, & did not want to breach etiquette, so waited for a response before I created a second post to upload it.
    Maybe I've misinterpreted, or is it acceptable in those circumstances where logs exceed allowed attachment number?

    Do you still want me to follow your instructions & run MGtools again; but from the cmd prompt?

    I'll wait for a reply rather than just doing...

    Thank you
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, you are allowed to make a second post in the beginning as the site only allows 4 attachments per post.

    However, your MGLogs.zip is virtually empty. We need many more files to be generated. So please try doing this:
    Download the latest version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one. Now run the MGTools.exe.
     
  5. Argle

    Argle Private E-2

    Now that appears to be a better run: different dialogues & scan data on screen, & got the HijackThis licence agreement this time.
    MG log attached.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do you know what this is:
    C:\Users\KIETH\Desktop\7z465.exe

    Use windows explorer to find and delete:
    C:\ProgramData\SMSUPNGAV

    Tell me what issues you are still having and download and install an AV program!!
     
  7. Argle

    Argle Private E-2

    Hi Tim,
    7z465.exe is the 7-Zip download, that has not been unpacked/installed; believe genuine. It's not really necessary.
    Downloaded from http://www.7-zip.org/ (http://downloads.sourceforge.net/sevenzip/7z465.exe)
    I shall delete other file.

    I am not certain that I do still have problems.
    When the scans did not proceed smoothly...and due to lack of experience, I was not 100% sure that everything malicious had been removed, I wanted/needed second opinion.
    Thank you very much for taking the time to help me.

    I have not yet (re)connected the laptop to the internet; but shall as soon as I've got AV installed...
    I need to install a free AV that an absolute novice can cope with, ideally with flexible update scheduling. I'm also wondering if I should install a different firewall ~ I've read recommendations that the Windows firewall in Vista is not particularly secure.
    I have no particular preference as to which of these utils, and insufficient experience to make an informed decision; the primary factor is simplicity for the user, and minimal user intervention requirements. Are you able to make any suggestions, please? If posting on the forum amounts to advertising, you are welcome to PM suggestions :)

    Once again, thank you very much
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can look through the choices at the end of the final instructions. My personal recommendations would be to install Microsoft Security Essentials for AV and PCTools for firewall. Both are very easy to configure and use.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:

     
  9. Argle

    Argle Private E-2

    Tim,
    Thanks for recommendations.
    I doubt there will be any problem with remaining procedure.
    I shall not repost unless I find there is still a problem, or something (I'm not sure how to deal with) goes wrong.
    I've learnt a few things, & it's been a good refresher in other areas.

    Thank you very much for your support, help & time.

    With heartfelt appreciation, http://lh6.ggpht.com/_n0Qqcpmb_Uk/TECiwatghgI/AAAAAAAAAoE/5YMDk7CxThE/s128/icon_bow.gif
    Argle
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing! :)
     
  11. Argle

    Argle Private E-2

    Spoke too soon!!
    ComboFix is unwilling to uninstall - it runs instead.
    I have not performed any operations while CF is running - not even a finger on the trackpad!
    Most times it fails to complete any scans and the system crashes. However, on the 6th uninstall attempt it ran & completed all 50 stages, and then deleted c:\windows\system32\winload.exe. It started to prepare the log file then crashed. No log file was displayed on screen & I have been unable to locate it by search.
    On reboot, Windows Startup Repair launched.
    1 fault was found (& successfully repaired) - "boot manager failed to find OS loader"

    It is installed on the Desktop: C:\user\KEITH\Desktop\ComboFix.exe.
    I followed your instructions & also tried from the cmd prompt [cd Desktop][combofix \uninstall].
    The same thing happens in both cases: a small (CF) box with a green status bar appears; ComboFix launches in a new window & runs when it completes.
    I get the dialogue/status bars as it backs up the registry, then it reverts to the original CF window to begin the scan, but usually fails to complete any stages before crashing.
    After about a minute the screen goes black, with a small blue 'L'-shaped stripe at the bottom, and the system reboots. On log-on a Windows dialogue informs that the system has recovered from an unexpected shutdown (that caused Windows to stop working).
    Occasionally it offers log-on options for safe mode; usually it just goes to the Windows log-on.

    Suggestions please!
    Thanks,
    Argle
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Right click Combo and choose delete. Then you can also delete the C:\Combofix.txt. Tell me if that is successful.
     
  13. Argle

    Argle Private E-2

    Yes, right-click delete of the exe successful.
    However there is no file c:\ComboFix.txt. Don't think I've ever had a successful run where it's managed to write one - or the original install was slightly broken.
    There is a file/folder C:\ComboFix files; 18.8MB, 284 files, 2 folders; on mouse hover it is described as "Shows disc drives and hardware connected to this computer" (?!). Attempting to open or explore it results in a loop where I end up viewing the same information as if I were in C:\computer.
    I have deleted it (C:\Combofix files) too, with no apparent ill effects yet.

    Do I need to remove registry entries for ComboFix?

    Hoping to continue with final steps; I'm supposed to give this :*** machine back tomorrow morning (GMT); owner becoming slightly frantic - logic & reason no defence.

    Thanks again!
     
    Last edited: Jul 17, 2010
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can run CCleaner, choose Registry, and make sure you do the backup when prompted. Other than that, you're good to go.
     
  15. Argle

    Argle Private E-2

    Yes!:celebrate

    That seems to have done the trick.
    Successfully completed final steps.

    Ccleaner found (& fixed) a registry entry still lurking for Security Master AV:
    ActiveX/COM Issue: LocalServer\C:\ProgramData\6cl354f/SM6c13_2129.exe
    HKCR/CLSID\ {3E2BC05-40DF-11D2-9455-00104BC936FF}

    Thank you!

    Last thing before I go...
    There is a typo - In the vista cleaning procedure:
    The last line of step 5 says: "Now continue on to step 5"...
    ...and should, I think, read "Now continue on to step 6"!
    It can be found here: http://forums.majorgeeks.com/showthread.php?t=139681 ; Step 5: Enable User Account Control (UAC)
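The CCleaner finding above (a CLSID whose LocalServer entry still points at an executable under C:\ProgramData) is a common leftover of rogue AV installs. As an added example, not code from the thread or from any tool mentioned in it, the PowerShell function below enumerates HKCR\CLSID LocalServer32 registrations and reports those whose server executable lives under ProgramData or the user profile, or no longer exists on disk. The function name and the output fields are my own choices.

```powershell
# Added example: list COM LocalServer32 registrations that a defender would want to
# review after a rogue-AV cleanup. Not part of the original thread.
function Find-SuspectComServers {
    [CmdletBinding()]
    param()

    # Directories where a legitimate COM server is unusual but scareware commonly lives.
    $suspectRoots = @($env:ProgramData, $env:USERPROFILE) | Where-Object { $_ }

    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $server = Get-ItemProperty -LiteralPath "$($_.PSPath)\LocalServer32" `
                                   -ErrorAction SilentlyContinue
        if ($null -eq $server) { return }

        $cmd = $server.'(default)'
        if ([string]::IsNullOrWhiteSpace($cmd)) { return }

        # Recover the executable path from the command line (quoted or bare),
        # dropping any trailing arguments such as /automation or -Embedding.
        $m = [regex]::Match($cmd, '^\s*"?(?<exe>[^"]+?\.exe)"?', 'IgnoreCase')
        if (-not $m.Success) { return }
        $exe = [Environment]::ExpandEnvironmentVariables($m.Groups['exe'].Value)

        $inSuspectRoot = [bool]($suspectRoots | Where-Object { $exe -like "$_\*" })
        $missing       = -not (Test-Path -LiteralPath $exe)

        if ($inSuspectRoot -or $missing) {
            [pscustomobject]@{
                CLSID   = $_.PSChildName
                Server  = $exe
                Reason  = if ($missing) { 'target file missing (orphaned)' }
                          else          { 'server under ProgramData/user profile' }
            }
        }
    }
}

# Run it and show the results; review each hit before removing anything,
# and export the key first (reg export) so the change can be reverted.
Find-SuspectComServers | Format-Table -AutoSize
```

Hits under ProgramData are not automatically malicious (some legitimate software registers COM servers there), so check the file's publisher and signature before deleting the key.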
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know. And thanks for the typo ......fixed!! ;)
     
  17. Argle

    Argle Private E-2

    ~~~~~ String of expletives...!

    Everything looked fine & dandy, after I'd carefully performed final steps, set up & run Microsoft Security Essentials & PCTools FW.
    But... re-established the machine on its home connection; browsing with IE, 'Google' typed in the address bar & hit Enter - a hyphen & numbers suddenly appeared after Google, & the search was hijacked to Findgala. The search-term change/redirect appeared to happen after Enter was hit.

    It's likely to be several days, at least, before I get my hands on the laptop again & get the opportunity to find out what's happening.
    You might hear from me again!

    Should I close this thread & open a new one, if I discover there are still problems I need advice with? Or hang on till I find out what's happening?

    TTFN,
    (For those not in Blighty, that's "Ta-Ta For Now")
    Argle
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We will keep this thread open. You will need to re-run all the scans again. :(

    Are there other computers running through a router? Do any of them have any malware issues?
     
  19. Argle

    Argle Private E-2

    Re: re-run scans - thought so:hammer
    At least I should be a bit quicker through it this time:)
    As I said, expect it'll be a few days before I have the chance. I'll post logs...

    No, It's the only machine; sometimes used wireless, sometimes plugged in to router (Broadband subscription to Talktalk). It is generally only connected for short periods - couple of hours. User was not aware it was OK to leave it connected.

    To my knowledge, no other machine has used the router/connection, except possibly one occasion about 6 months ago, when there was a suspicion someone had hacked the connection from an adjacent property. Do not have evidence for this though - & know the ISP was down during the day & 1/2 when this was thought to have been a possibility (& could just as easily explain the lack of access - rather than him being blocked from his own connection by another user, as was suggested by someone else). This all happened 300 miles away from me, & was reported (with some difficulty) after the fact. This unsubstantiated incident predates the appearance of any problems or malware by 6 months. Malware seemed to appear immediately on expiry of the bundled McAfee - 30th Jun 2010.

    I suspect I will have to try to convince owner/user not to put laptop in the bin & give up on computing permanently. Frustration regularly drives him close to this point anyway. I wish we could get him to go on a basic 'silver surfer' starter course, to get him at least conversant.

    I'll be back in a few days,
    Thanks!
    Argle
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not a problem. I'll be here when you are ready. :)
     
  21. Argle

    Argle Private E-2

    Hello Tim,
    Apart from the one "findgala" incident - where I typed "Google" in the addressbar & it was hijacked/redirected to findgala search, there've been no more overt suspicious incidents & no sign of a reappearance of Security Master AV (yet). Or I should say none have been reported to me ~ which is not the same thing at all;-)

    I have serious concerns, & would like to get it cleared off the machine; but user is reluctant; from his perspective, it's working perfectly well...
    At least he does no online banking or purchasing.
    I hope I will get the chance to have a trawl through, look at security permissions, & run at least a couple of scans. They're due to decamp for holiday home very soon.
    If I do get the opportunity to run scans, I will post logs of Mbam & SaS + any of the other malware cleaning procedure scans that I can (or that will run), as per instructions. Unless you have suggestions to the contrary.

    Thanks for your perseverance,
    Argle

    PS
    I have a number of questions - that I don't necessarily expect you to answer, some rhetorical.
    I thought Findgala was a symptom of SM AV infection; does it come on its own as well?
    I wonder if system was not completely clean, or whether reinfected? (logs may show..?)
    If reinfected why only findgala? I wonder what I don't know about yet!
    Assuming the purveyor of SM AV is aware of infected machines' IPs, when it is cleared from a machine, this may also be noted. So I wonder what their policy is regarding deliberate and targeted reinfection... is it more profitable to exploit quietly in the background, and not alarm/alert the user by reinfecting with SM AV, even where this is possible?
     
