Yet another Security Suite Hijack

Discussion in 'Malware Help (A Specialist Will Reply)' started by legolass, Aug 12, 2010.

  1. legolass

    legolass Private First Class

    Hey y'all!

    I am soooo happy I have two computers now!!

    I have lost one of my user accounts to this Security Suite thing, and I was afraid I'd lose the other two (they still work fine), so I disconnected my infected computer from the 'net, saved the scanner things on a flash drive, then went into one of the working accounts and did my best to follow instructions as per your Run Me. Everything looked good up until RootRepeal. It worked for a long time, then I noticed that the screen saver thing froze - it's Window Box, and it looked like a hugely enlarged piece of it against a black backdrop. I moved the mouse, but it didn't return to the user screen, so I went away and left it for a bit. When I got back, the computer was back to the select user account screen, so I went back into the same working account, and Microsoft told me the computer had recovered from a serious error. I wrote down the particulars - I'll send them if you need them. I carried on with mgtools, copied the logs to the flash drive, and here they are. I already have Malwarebytes and SAS on my infected computer (as well as Spyware Blaster and Spybot) but I ran them from the flashdrive because I hadn't updated this week, and I wanted the latest updates.

    I use that computer for work and don't do much browsing, so I can't imagine where I picked up this thing, but any help will be really appreciated!!

    Thanks!
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I have lost one of my user accounts to this Security Suite thing

    Which account have you "lost" and what do you mean by that? Are you able to access it? If you can, then I would prefer if you ran scans directly from that account either in normal mode or safe mode if necessary. The Christina account looks clean but Java is outdated. You need to uninstall the old version (6.18) and install the new:

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now log onto the affected account:

    What version of SAS do you have on this account because the latest version is 4.41.1000.

    Run all of the requested scans/tools on the account that is affected and attach the requested logs.
     
  3. legolass

    legolass Private First Class

    Hi there!
    Sorry I wasn't clearer. I mean I have Windows XP Home, and have three user accounts on that computer. The one that got hijacked is ChriZ, and I can't access or run anything from that account because this Security Suite thing got an icon into my system tray (beside the clock). It looks like a shield, and it keeps popping up screens telling me my computer is infected and it wants to run a scan. I disconnected the internet so that it couldn't communicate with whatever put it there and possibly start to affect my other two user accounts, Christina and Enrique, which are still OK and let me do things. Basically on ChriZ I can't open any kind of executable file, only access my documents (which have all been backed up, btw). I ran the scans by downloading the latest versions from MG onto a flash drive from my working computer and then running them from the Christina account on the infected computer because that account still lets me do things. I will try to run them in Safe from the ChriZ account (the one that's been hijacked). Sorry about the Java - I only installed that a few months ago (when I got the computer) and have been getting updates, so I thought it was the latest one.

    I will do my best from Safe mode, and post when I'm done.

    Thanks for your help!

    legolass
     
  4. legolass

    legolass Private First Class

    Hello again!

    I got the new Java (which I downloaded and installed from the working Christina user account), and the 4.41 version of SAS and the updates from Malwarebytes. I managed to get through the scans in Safe, but I could not get into the Internet from the infected account (ChriZ), so I ran them from a flash drive. Although I was (surprise!) able to run CCleaner in Safe from the infected account.

    As before, everything went well except for RootRepeal. I got a flash of a blue screen after it had been running for quite a while (maybe 1/2 an hour or more), then the computer rebooted itself and returned to the select user screen. I still had the Security Suite shield thing in the system tray on ChriZ, and again got the Microsoft warning that it had recovered from a serious error. There was no log I could find, but (like when I ran it last time from the Christina account) there is an icon on the desktop called settings.dat. I can't open it (it warned me but I tried anyway), and the size is 0 bytes, so I assume it's empty.

    I then ran MGTools, which was fine, and am attaching the four logs I did get.

    Thanks!

    legolass
     


  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    As stated in the R&R:

    This goes for both MBAM and SAS. (And you were out of date with SAS, so you'll need to manually update.) Refer to the "using superantispyware" section of the R&R to see how.

    So:

    Run the updated SAS after manually updating

    Now take a look at this:

    Proxy Server - Changing Settings

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Folder::
    c:\documents and settings\ChriZ\Local Settings\Application Data\ytjacioiq
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "laiaqquu"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this, also attach the new SAS log.

    Let me know how this ChriZ account is behaving now.
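    The CFScript above removes one Run value and one folder by name. As an added, report-only check (my own script, not part of the MajorGeeks procedure or ComboFix), the PowerShell below lists every HKCU/HKLM Run entry, flags ones that launch from the per-user Local Settings\Application Data (or AppData\Local) folder or carry a random-looking name like "laiaqquu", and shows whether a WinINET proxy has been switched on; the flagging heuristics are assumptions of mine.

```powershell
# Added example, not from the thread: audit the persistence and proxy locations
# this rogue "Security Suite" used. It only reports; it changes nothing.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Per-user data roots for the XP layout and the Vista+ layout (empty entries dropped).
$userDataRoots = @(
    (Join-Path $env:USERPROFILE 'Local Settings\Application Data'),
    $env:LOCALAPPDATA
) | Where-Object { $_ }

function Get-ExePath([string]$command) {
    # Quoted path first; otherwise the first token (an unquoted path with spaces
    # will be truncated and then reported as a dead entry, a known limitation).
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($command -split '\s+')[0]
}

function Test-SuspiciousRunEntry([string]$name, [string]$command) {
    $exe = Get-ExePath $command
    $reasons = @()
    foreach ($root in $userDataRoots) {
        if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'launches from per-user data folder'
        }
    }
    # Heuristic (assumption): 6-12 lowercase letters and nothing else, like "laiaqquu".
    if ($name -cmatch '^[a-z]{6,12}$') { $reasons += 'random-looking value name' }
    if ($exe -and -not (Test-Path -LiteralPath $exe)) { $reasons += 'target file missing' }
    return $reasons
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $reasons = Test-SuspiciousRunEntry $p.Name ([string]$p.Value)
        $flag = if ($reasons) { 'SUSPECT: ' + ($reasons -join '; ') } else { 'ok' }
        '{0}\{1} = {2}  [{3}]' -f $key, $p.Name, $p.Value, $flag
    }
}

# WinINET proxy: this infection enabled a proxy the user had never configured.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) {
    'SUSPECT: proxy enabled -> ' + $inet.ProxyServer + ' (review Internet Options > Connections > LAN settings)'
} else { 'proxy: disabled (ok)' }
```

Run it from the affected account in normal or Safe mode and compare the flagged entries against the Folder:: and Registry:: lines of the CFScript before deciding what to remove.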
     
  6. legolass

    legolass Private First Class

    Hi Kestrel!

    Well, I am sending you this from my ChriZ user account! I followed all the steps and it seems I got rid of this thing. It had changed proxy settings (which I don't use), and it was SAS that found it - 3 trojans. There's only one thing you might not be happy about...

    I followed the R&R instructions for if you can't get SAS to run by downloading the SAS Portable version to a flashdrive. I went into my working Christina account and removed the SAS I already had on the computer because you said you were still getting the outdated version, even though I tried to run the newest one from the flash drive last night. I was in normal startup at this point, plugged in the flashdrive at ChriZ and tried to run SAS, and the virus would not let me. I rebooted in Safe and ran it from there, and it found 3 trojan things and took them out. I rebooted, opened the SAS (from the flashdrive) and there were no logs. OF COURSE, after the fact, I thought maybe I should have tried to put SAS on the desktop at ChriZ in Safe, but by then (naturally) it was too late. If it maybe saved a log somewhere else, where would I look for it? (There is nothing in C: or My Documents or on the desktop.)

    I carried on with the rest of your instructions (it had put proxy settings into my internet options), everything worked fine, and I am attaching the other two logs.

    Thank you so much for your help! I know there are some cleanup things I need to do, so will await your reply re the SAS log and further actions.

    Also, I noticed I have a folder in my C: drive called ff81ed259460a338616b8fce08373649, size 0 bytes, containing folders amd64 and i386. I can't open these folders - it says Access Denied. What on earth is this??

    Thanks!

    legolass
     


  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please see this:

    So just what *is* the I386 directory anyway?

    Just take a look inside of the folder you are querying to see what's contained within. I doubt there's anything malicious in there.

    I need you to actually install SUPERantispyware onto this account.

    Yes, put the file for it on the desktop, double click to install, and this should be done in NORMAL mode. I am not seeing any malware in your logs at the moment so installation of SAS should run smoothly without being in safe mode!

    Attach the new SAS log.

    Now tell me how things are running please.
     
  8. legolass

    legolass Private First Class

    Hello, Kestrel!

    I have installed and run SAS in normal mode, and am attaching the log. I am sending you this from the ChriZ account - everything seems to be working beautifully!

    Thanks for the link about the i386 account - I do have my XP operating discs (ancient as they are!) which really helped me when my other computer had a problem (it's all better now).

    Anyway, here are the logs from the SAS scan, and I will await further instructions before I do anything else.

    Thanks!

    Legolass
     


  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    That's good to hear!

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  10. legolass

    legolass Private First Class

    Hi Kestrel!

    I have followed the final steps, and everything is working :celebrate. I was using Windows firewall before, and have now installed the Comodo free one, so I think that's a big improvement.

    I just want to say thank you, and that you need to make a BIG HUG smilie - it's really the only way to express how I feel.

    Bless you and all the Geeks for the tireless and wonderful work y'all are doing here.

    Sincerely,

    legolass :wave
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Thanks for expressing your appreciation. :)

    You are *most* welcome. Safe surfing!
     
