
Internet Security 2010 - virus



#1 Elder Laz (Members, 2 posts)

Posted 06 February 2010 - 12:40 AM

Howdy all,

My wife called me at work to say that something was going wrong with our Win XP Media Center Edition PC. The first symptom was the infamous blue screen with an error message that began 'A problem has been detected and Windows has been shut down to prevent damage to your computer'. She took a photo of the entire screen if it's of any use.

On reboot the first thing that happened was a pop up with the following:

Security Warning!
Worm.Win32.NetScky detected on your machine. ...

There were several issues with spelling and grammar that made me suspicious, and after a few more pop-ups and warnings, including one that looked like a Microsoft warning complete with a red X icon in the system tray, my system automagically downloaded "Internet Security 2010". Gee, swell! How convenient....

Completely suspicious at this point I googled up the softsailor post and bleeping computer posts on how to remove this beast.

I completed the steps in the softsailor post [http://www.softsailor.com/how-to/13827-how-to-uninstall-remove-internet-security-2010-virus-removal-guide.html] but got the code 2 errors mentioned in http://www.bleepingcomputer.com/virus-remo...t-security-2010 and followed the recommended steps to resolve that.

Rkill swatted down 3 processes including IS2010.exe, and Malwarebytes took down something like 40 different entries.

On reboot it seemed that things were fine - and the first thing I did was to install the genuine Norton Internet Security 2010 that I'd purchased on the way home, then uninstalled McAfee since it clearly hadn't slowed this thing down one bit.

Sadly, not long after wrapping up that process I realized there is still something hijacking my internet browser: Google searches work, but very often clicking any of the links gets redirected first to one site, then, before anything even appears, to another. Sometimes garbage link mashup sites, sometimes pr0n, sometimes seemingly random websites.

I am unable to run System Restore, either from the command line or via Explorer. 'Disabled by group policy' is the error message that I get, even after making a copy of the .exe and renaming it in an attempt to sidestep this.

I am unable to boot to any of the safe mode options - F8 brings me to the menu, and I can select from several choices, but each time I get a blue screen very similar to the one my wife said started the whole problem.

In any event, after trying to root this out with Norton, trying rkill.com & malwarebytes again multiple times, I'm at a loss as to how to make any further headway.

Every 30 minutes or so Norton kindly tells me that 'An Intrusion attempt by a58990058.cn was blocked', but other than that I'm pretty much stuck.

Any suggestions appreciated,

~ KJC

Edited by Elder Laz, 06 February 2010 - 02:53 PM.
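Two of the symptoms in the post above, System Restore refusing to run with "disabled by group policy" and every safe mode option blue-screening, map to specific registry locations that a rogue can tamper with: the SystemRestore policy key, and the SafeBoot key that tells Windows which drivers and services may load in safe mode. The following read-only audit is an added example, not code from the original post or from any of the tools it mentions; the registry paths are the standard Windows XP ones, and the "fewer than 20 entries" threshold is an assumed rough heuristic for a damaged SafeBoot key, not a documented number.

```powershell
# Added example (not from the original post): read-only audit of the two Windows
# settings behind the symptoms described above. Run from an elevated prompt.

$srPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

# --- System Restore policy --------------------------------------------------
# A domain GPO would normally write these values; on a home PC a value of 1
# is what produces "disabled by group policy" and is almost certainly malware.
if (Test-Path $srPolicy) {
    $p = Get-ItemProperty -Path $srPolicy
    foreach ($name in 'DisableSR', 'DisableConfig') {
        $v = $p.$name
        if ($null -ne $v) {
            $state = if ($v -eq 1) { 'BLOCKS System Restore' } else { 'ok' }
            Write-Output ("{0} = {1}  ({2})" -f $name, $v, $state)
        }
    }
} else {
    Write-Output 'No SystemRestore policy key present (normal for a standalone PC).'
}

# --- SafeBoot key -----------------------------------------------------------
# Windows needs the Minimal and Network subkeys (each listing the drivers and
# services allowed to load) to enter safe mode. A missing or gutted key
# explains the "pick Safe Mode at F8, then blue screen" behaviour.
foreach ($sub in 'Minimal', 'Network') {
    $path = Join-Path $safeBoot $sub
    if (Test-Path $path) {
        $count = @(Get-ChildItem -Path $path).Count
        Write-Output ("SafeBoot\{0}: {1} entries" -f $sub, $count)
        # Assumed heuristic: a stock XP install has well over 20 entries here.
        if ($count -lt 20) {
            Write-Output '  WARNING: far fewer entries than a stock install; key likely damaged'
        }
    } else {
        Write-Output ("SafeBoot\{0}: MISSING - safe mode cannot work until it is restored" -f $sub)
    }
}
```

The script only reports; restoring a deleted SafeBoot key is what SafeBootKeyRepair-style tools do, and clearing DisableSR is a one-value change once you have confirmed no real policy set it.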



#2 Elder Laz (Topic Starter, Members, 2 posts)

Posted 09 February 2010 - 08:47 AM

Status update:


Downloaded SUPERAntiSpyware, tried to use Repair Broken Safe Boot Key - no luck

Downloaded and ran Defogger and GMER - no action taken on these, logs available if they're of use to anyone

Downloaded and ran SafeBootKeyRepair.exe ==>> A winner! I'm now able to get into safe mode using F8

Re-ran updated rkill.com, pretty much the same results as the last few scans:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Admin on 02/08/2010 at 18:35:20.


Processes terminated by Rkill or while it was running:


C:\WINDOWS\system32\nvsvc32.exe
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\WH27KDYR\rkill[1].com


Rkill completed on 02/08/2010 at 18:35:28.



Re-ran updated Malwarebytes - no hits

ran ATF cleaner, cleared all

Downloaded and ran SUPERAntiSpyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/09/2010 at 01:34 AM

Application Version : 4.33.1000

Core Rules Database Version : 4568
Trace Rules Database Version: 2380

Scan type : Complete Scan
Total Scan Time : 02:43:18

Memory items scanned : 275
Memory threats detected : 0
Registry items scanned : 6032
Registry threats detected : 2
File items scanned : 135351
File threats detected : 138

Browser Hijacker.Internet Explorer Zone Hijack
HKU\S-1-5-21-116021907-3468156426-266811844-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download25.com
HKU\S-1-5-21-116021907-3468156426-266811844-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download25.com#http

and 138 tracking cookies


Rebooted to normal mode, ran rkill and quickscan with Malwarebytes - nothing found

Ran ESET online:

C:\Documents and Settings\NetworkService\Local Settings\Temp\Temporary Internet Files\Content.IE5\ELSB4LGX\i[4].js HTML/Iframe.B.Gen virus deleted - quarantined


Ran SmitFraudFix, scan as follows:

SmitFraudFix v2.424

Scan done at 8:09:51.96, Tue 02/09/2010
Run from C:\Documents and Settings\Admin\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Admin\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts

C:\

C:\WINDOWS

C:\WINDOWS\system

C:\WINDOWS\Web

C:\WINDOWS\system32

C:\WINDOWS\system32\LogFiles

C:\Documents and Settings\Admin

C:\DOCUME~1\Admin\LOCALS~1\Temp

C:\Documents and Settings\Admin\Application Data

Start Menu

C:\DOCUME~1\Admin\FAVORI~1

Desktop

C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{A3717295-941D-416F-9384-ED1736729F1C}"="scpLIB"

[HKEY_CLASSES_ROOT\CLSID\{A3717295-941D-416F-9384-ED1736729F1C}\InProcServer32]
@="C:\Program Files\Scpad\scpLIB.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A3717295-941D-416F-9384-ED1736729F1C}\InProcServer32]
@="C:\Program Files\Scpad\scpLIB.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{25b1248f-b805-4e06-9d9c-172f1dccb854}"="mujuzedij"

[HKEY_CLASSES_ROOT\CLSID\{25b1248f-b805-4e06-9d9c-172f1dccb854}\InProcServer32]
@="c:\windows\system32\yatehaje.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{25b1248f-b805-4e06-9d9c-172f1dccb854}\InProcServer32]
@="c:\windows\system32\yatehaje.dll"



AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\\windows\\system32\\fuyelore.dll c:\\windows\\system32\\yatehaje.dll,yapigifa.dll"
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




DNS

Description: Intel® PRO/1000 PL Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 4.2.2.1
DNS Server Search Order: 4.2.2.2

HKLM\SYSTEM\CCS\Services\Tcpip\..\{12AD0C22-5F43-4139-9A2E-7B200B0E8FF7}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{12AD0C22-5F43-4139-9A2E-7B200B0E8FF7}: NameServer=4.2.2.1,4.2.2.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{12AD0C22-5F43-4139-9A2E-7B200B0E8FF7}: NameServer=4.2.2.1,4.2.2.2
HKLM\SYSTEM\CS3\Services\Tcpip\..\{12AD0C22-5F43-4139-9A2E-7B200B0E8FF7}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{12AD0C22-5F43-4139-9A2E-7B200B0E8FF7}: NameServer=4.2.2.1,4.2.2.2
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Scanning for wininet.dll infection


End


I'm cautiously optimistic - Google searches haven't been redirecting - but still not sure if I've been able to get all of this rooted out.

~KJC
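The SmitFraudFix output above is useful mainly for the autostart locations it lists: AppInit_DLLs (every DLL named there is injected into every process that loads user32.dll, and on a clean XP box the value is empty), SharedTaskScheduler (each CLSID is loaded into Explorer at logon), the Winlogon Userinit and Shell values, and a static NameServer that overrides the DHCP-supplied one (the log shows DhcpNameServer=192.168.1.1 but NameServer=4.2.2.1,4.2.2.2, so something other than the router set the resolvers). The following script is an added example, not code from the original post or from SmitFraudFix; it re-reads those same locations, checks whether each referenced DLL still exists, and reports its Authenticode signature status so that a randomly named, unsigned DLL in system32 stands out. Registry paths are the standard Windows XP ones.

```powershell
# Added example (not from the original post or from SmitFraudFix): re-check the
# autostart locations that appear in the log above. Read-only; run elevated.

function Test-Dll($path) {
    # .reg-style exports double the backslashes; normalise and strip quotes.
    $path = $path.Trim('"', ' ') -replace '\\\\', '\'
    if (-not (Test-Path -LiteralPath $path)) {
        return "$path  -> MISSING (already removed, or a bare name that resolved via PATH)"
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    return "$path  -> exists, signature: $($sig.Status)"
}

# 1. AppInit_DLLs
$win = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
Write-Output "LoadAppInit_DLLs = $($win.LoadAppInit_DLLs)"
$list = $win.AppInit_DLLs
if ([string]::IsNullOrEmpty($list)) {
    Write-Output 'AppInit_DLLs is empty (expected on a clean machine).'
} else {
    # The value is space- or comma-separated; bare names load from system32.
    foreach ($dll in ($list -split '[ ,]+' | Where-Object { $_ })) {
        if ($dll -notmatch '[\\:]') { $dll = Join-Path $env:SystemRoot "system32\$dll" }
        Write-Output ('AppInit_DLLs: ' + (Test-Dll $dll))
    }
}

# 2. SharedTaskScheduler: resolve each CLSID to its InProcServer32 DLL.
$sts = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
if (Test-Path $sts) {
    $props = Get-ItemProperty $sts
    $clsids = $props.PSObject.Properties | Where-Object { $_.Name -like '{*}' } | ForEach-Object { $_.Name }
    foreach ($clsid in $clsids) {
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32"
        if (Test-Path $server) {
            $detail = Test-Dll ((Get-ItemProperty $server).'(default)')
        } else {
            $detail = '<no InProcServer32 key>'
        }
        Write-Output ("SharedTaskScheduler {0} ({1}): {2}" -f $clsid, $props.$clsid, $detail)
    }
}

# 3. Winlogon: Userinit must be exactly "<system32>\userinit.exe," and Shell
#    must be "Explorer.exe"; anything appended runs at every interactive logon.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedUserinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
foreach ($pair in @(@('Userinit', $expectedUserinit), @('Shell', 'Explorer.exe'))) {
    $name, $expected = $pair
    $val = $wl.$name
    $state = if ($val -eq $expected) { 'ok' } else { "UNEXPECTED (expected '$expected')" }
    Write-Output ("Winlogon\{0} = '{1}'  {2}" -f $name, $val, $state)
}

# 4. DNS: a static NameServer on an interface overrides what DHCP handed out.
#    Redirect malware commonly plants its own resolver here; compare the two.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
foreach ($if in Get-ChildItem $ifRoot) {
    $p = Get-ItemProperty $if.PSPath
    if ($p.NameServer) {
        Write-Output ("{0}: static NameServer={1}  DhcpNameServer={2}" -f `
            $if.PSChildName, $p.NameServer, $p.DhcpNameServer)
    }
}
```

Anything this prints as MISSING in AppInit_DLLs or SharedTaskScheduler is a dangling reference left behind by a cleanup (the DLL is gone but its loader entry is not); an entry that exists in system32 with a signature status other than Valid and a name like the ones in the log is the thing to submit for analysis before deleting it.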



