
Security Suite


#1 Ketsuraku

Ketsuraku

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:51 PM

Posted 10 June 2010 - 06:56 PM

I just got the same exact thing at 12 last night. I don't know if I got it downloading the Deviant Art extension for Firefox or from watching videos, but it messes with my browser, making it use a proxy, won't let programs start up.. and AVG won't detect it, and it wouldn't let my Task Manager start up so I could stop its process. I FINALLY got it to stop spamming its messages when I opened up my brand new TuneUp Utilities. TuneUp isn't an anti-virus program, but it DID allow me to stop the program and its processes because the 'AV Security Suite' didn't recognize TuneUp's task manager. TuneUp put the beast to sleep, but I still have to get rid of it.

On the internet now because TuneUp allowed me to shut it down, but I found a guide that says to run in 'Safe Mode with Networking' and download Spyware Doctor.

I've never used Spyware Doctor, so.. can anyone say if that will get rid of it? And is it safe? Someone who knows more about it than me, before I give it a try in Safe Mode.

EDIT: Looks like someone just posted before me, might give that a try first.

Edited by Ketsuraku, 10 June 2010 - 07:00 PM.


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:51 PM

Posted 10 June 2010 - 07:44 PM

Hello and welcome...I created your own topic.

Best procedure is to start with this. Forget that other tool.

You need to do all the steps as some pertain to your issue..
Please follow our Removal Guide here Remove Antivirus Suite
You will move to the Automated Removal Instructions

After you have completed that, post your scan log here and let me know how things are.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Ketsuraku

Ketsuraku
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:51 PM

Posted 10 June 2010 - 08:15 PM

I'm already able to get on the internet, and TuneUp Utilities 2010 ended like 3 or more related processes + made it impossible for it to 'auto run' at startup..

I'm getting exactly no interference at all with IE/Firefox, downloading Malwarebytes, or anything ^^ haha
Before it wouldn't even let me open MS Paint without 5 fake 'infection' or 'would you like to block' messages.

Should I still go through the whole Safe Mode and Rkill steps, or can I skip to the 'Malwarebytes' step without any problems? Because, most of the time I have trouble with getting into Safe Mode because it gives me a 'keyboard malfunction' when I try to press F8.. I can sometimes get in, but I'd like to skip unless it would mess up the whole process.

Edit: In process of scanning with Malwarebytes, if it messes up the process I'll just begin with step 1 again. It's found 1 thing so far ^^

Edited by Ketsuraku, 10 June 2010 - 08:41 PM.


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:51 PM

Posted 10 June 2010 - 08:43 PM

OK go to MBAM and post that log.

Also if you like you can try this to repair Safe Mode.
Please download and run SafeBootKeyRepair.exe.

Once it has completed, please try booting into Safe Mode.

#5 Ketsuraku

Ketsuraku
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:51 PM

Posted 10 June 2010 - 09:05 PM

Malwarebytes made me restart, and so far so good.. started up just as smoothly as if it was new.

I noticed in the log it caught and deleted some files named avsoft and avsuite, I guess the main parts of the infection.. but, something I don't see in the logs is two or 3 identical processes that TuneUp Utilities 2010 noticed as 'new startup programs' and the exact same program/processes I ended in TuneUp's process manager. The process name was Yxxwzrv, and the program linked to the process name was 'ncliua.exe' located at C:\document and settings\name\local settings\application data\wlseisi

As soon as I ended the 2 or 3 ncliua.exe's the whole AV Security Suite shut down and I could get on the internet again, but nowhere in the Malwarebytes logs do I see it.. should I be worried about it?

Here's the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4187

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

6/10/2010 8:51:18 PM
mbam-log-2010-06-10 (20-51-18).txt

Scan type: Full scan (C:\|)
Objects scanned: 160891
Time elapsed: 29 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{E17E0217-1633-44A2-B658-429E0FF45133}\RP643\A0110200.exe (Malware.Gen) -> Quarantined and deleted successfully.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:51 PM

Posted 10 June 2010 - 09:24 PM

They appear to be malware processes and were stopped in the earlier scan. We should still run SAS in at least Normal mode and then an online scan with ESET as we do not want to leave any traces. I know it sounds like much ado, but trust me, I have seen it come back. Looks like we are done with RKILL.

Download and scan with SUPERAntiSpyware(SAS) Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


ESET
Please perform a scan with the ESET Online Antivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?".
  • Answer Yes to download and install the ActiveX controls that allows the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to start. (please be patient as the scan could take some time to complete)
  • If offered the option to get information or buy software. Just close the window.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\ESET\ESET Online Scanner\log.txt folder.
  • Click Start > Run..., then copy and paste this command into the open box: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad. Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

#7 Ketsuraku

Ketsuraku
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:51 PM

Posted 10 June 2010 - 09:51 PM

I think Eset got it! ^^ It had gotten the exact one TuneUp had noticed as the 'startup program', so perhaps I am all set now :D

SUPERAntiSpyware is not done scanning yet, so far it has found 86 more 'threats' that other programs didn't catch. I'll let it continue on into the night, but for now I have to sleep and get up early for work. Thanks a lot for the help, really appreciate it!

Perhaps SUPERAntiSpyware will get everything else overnight, I'll bookmark this topic and check for a reply in the morning in the event you think there is anything else I should do, and as for ESET's log:

ESETSmartInstaller@High as downloader log:
Can not open internet
ESETSmartInstaller@High as downloader log:
Can not open internet
Can not open internet
ESETSmartInstaller@High as downloader log:
Can not open internet
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=9d6bf40e13a78c4c9d2bc0c8a3328b79
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-06-11 01:06:27
# local_time=2010-06-10 08:06:27 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1279 16777215 0 0 0 0 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=37814
# found=2
# cleaned=2
# scan_time=2589
C:\Documents and Settings\Brandon\Local Settings\Application Data\wlseisi\ncliua.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Brandon\Local Settings\Temp\xribqp.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Edited by Ketsuraku, 10 June 2010 - 09:53 PM.
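The thread's open question was whether the ncliua.exe processes seen in TuneUp were caught by any scanner: MBAM's log lists only registry keys and a restore-point copy, while the ESET log lists the file itself. The script below is an added example, not code from the thread, from Malwarebytes or from ESET: it parses both log formats as posted above (constructed samples modelled on them, with the account name replaced by the placeholder `<user>`), checks that each log's summary counts agree with the items it lists, and reports which scanner's log mentions an object the user observed. The line formats and field names are assumptions taken from the two logs in this thread, not from any published specification.

```python
import re
from collections import defaultdict

# Constructed sample logs, modelled on the MBAM 1.46 and ESET Online Scanner
# logs posted in this thread (trimmed; account name replaced with <user>).
MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.46
Database version: 4187
Windows 5.1.2600 Service Pack 3
Scan type: Full scan (C:\|)
Objects scanned: 160891

Memory Processes Infected: 0
Registry Keys Infected: 5
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{E17E0217-1633-44A2-B658-429E0FF45133}\RP643\A0110200.exe (Malware.Gen) -> Quarantined and deleted successfully.
"""

ESET_LOG = r"""ESETSmartInstaller@High as downloader log:
Can not open internet# version=7
# scanned=37814
# found=2
# cleaned=2
C:\Documents and Settings\<user>\Local Settings\Application Data\wlseisi\ncliua.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\<user>\Local Settings\Temp\xribqp.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# Line shapes inferred from the two logs above (assumption, not a spec).
MBAM_SUMMARY = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
MBAM_SECTION = re.compile(r"^([A-Za-z ]+ Infected):$")
MBAM_ITEM = re.compile(r"^(.+?) \(([^()]+)\) -> (.+)$")
ESET_HEADER = re.compile(r"#\s*(\w+)=(.*)$")          # tolerates the glued "internet# version=7"
ESET_ITEM = re.compile(
    r"^([A-Z]:\\.+?\.\w+) (\S+) (?:(\S+) )?\((.+?)\) ([0-9a-fA-F]{32}) (\S+)$")


def parse_mbam(text):
    """Return (summary counts, detections grouped by section) from an MBAM log."""
    counts, items, section = {}, defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if m := MBAM_SUMMARY.match(line):
            counts[m.group(1)] = int(m.group(2))
        elif m := MBAM_SECTION.match(line):
            section = m.group(1)
        elif section and (m := MBAM_ITEM.match(line)):
            items[section].append(
                {"object": m.group(1), "threat": m.group(2), "action": m.group(3)})
    return counts, dict(items)


def mbam_mismatches(counts, items):
    """Sections whose summary count disagrees with the items actually listed."""
    return {s: (n, len(items.get(s, []))) for s, n in counts.items()
            if n != len(items.get(s, []))}


def parse_eset(text):
    """Return (header fields, detections) from an ESET Online Scanner log."""
    header, items = {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := ESET_ITEM.match(line):
            items.append({"object": m.group(1), "threat": m.group(2),
                          "action": m.group(4), "hash": m.group(5)})
        elif m := ESET_HEADER.search(line):
            header[m.group(1)] = m.group(2)
    return header, items


def reconcile(indicator, scans):
    """Map scanner name -> objects whose path contains the observed indicator."""
    hits = {}
    for name, detections in scans.items():
        matched = [d["object"] for d in detections
                   if indicator.lower() in d["object"].lower()]
        if matched:
            hits[name] = matched
    return hits


def triage(indicator="ncliua.exe"):
    """Cross-check both logs and answer 'which scanner saw the file I observed?'."""
    counts, mbam_items = parse_mbam(MBAM_LOG)
    header, eset_items = parse_eset(ESET_LOG)
    all_mbam = [d for sec in mbam_items.values() for d in sec]
    return {
        "mbam_mismatches": mbam_mismatches(counts, mbam_items),
        "eset_found_matches": int(header.get("found", -1)) == len(eset_items),
        "seen_by": reconcile(indicator, {"MBAM": all_mbam, "ESET": eset_items}),
        "registry_hives": sorted({d["object"].split("\\")[0]
                                  for d in mbam_items.get("Registry Keys Infected", [])}),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On the sample logs the summary counts agree with the listed items in both logs, the registry traces span both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE, and the only scanner whose log contains ncliua.exe is ESET, which is the reconciliation boopme performed by eye in the thread.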


#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:51 PM

Posted 10 June 2010 - 09:55 PM

Excellent, OK good night, I'll look back for the SAS log and we'll probably mop up.
