
Infected with AV Security Suite


32 replies to this topic

#1 jgasco68


Posted 24 June 2010 - 11:10 PM

Hi guys. My daughter's laptop has been hit.. AGAIN with a virus posing as a security threat, and I am not sure what all she clicked on, thinking it might have been her AVG software. She is running Windows XP, and I think all the service pack updates if I remember right. Windows Recovery Console has also been installed on this unit, after her last attack, some five months ago.
She is getting a security warning, running in the Windows task bar, "AV Security Suite", which tells her she has multiple issues. Also getting smaller security warning boxes popping up, and a square box right over the task bar, "Antivirus software alert", which is not an AVG box. Her AVG resident shield has popped up as well.. with multiple threat detections, with the infection listed as Adware Generic4.AIMI and the result as potentially dangerous. There are approx. 20 in that list. She told me she regularly runs SUPERAntiSpyware on here as I have instructed her to do, as well as Spybot. Once again I am turning to you kind folks for help, as you really saved us last time from a VERY nasty rootkit virus. I spent over a week cleaning it out, and it was given a clean bill of health then... and it has worked great for five months since. I appreciate any advice and directions! John

I posted this topic earlier today, but forgot to put in a complete title. I tried to delete the old post but could not, so I am reposting with proper title. Sorry for the inconvenience.


#2 Budapest


Posted 24 June 2010 - 11:13 PM

Please post the SUPERAntiSpyware log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 jgasco68


Posted 24 June 2010 - 11:23 PM

I am not sure if she has a log saved of it anyplace, and I am not sure exactly when the last time she ran it was. I have told her to run it once a week, but she is 18 and out on her own for the first time, so who knows. I cannot access anything on her laptop at the time, as every time I try, it "dings" and blocks applications.

#4 Budapest


Posted 24 June 2010 - 11:25 PM

Are you able to run a new scan with SUPERAntiSpyware?

#5 jgasco68


Posted 24 June 2010 - 11:31 PM

I have not tried yet. So far everything I click on has been shut down by whatever has infected it. I was afraid of doing too much and making matters worse. I was trying to access "My Computer" to just get the proper version of Windows to post on here, with what service packs.. and could not.. yet I could get into Networking to remove it from the wireless system in my house. Unfortunately I am not at home right now, and cannot access her laptop until morning. Will starting up in Safe Mode allow me to run it? Any hints on how to get at it would be helpful, and I will post any results first thing.

#6 Budapest


Posted 24 June 2010 - 11:33 PM

Yes, trying in Safe Mode might help. If you have a problem downloading, installing or getting SUPERAntiSpyware to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (e.g. SAS_1710895.COM) to a USB drive or CD and transfer it to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

#7 jgasco68


Posted 25 June 2010 - 08:37 AM

Okay.. I am a little lost. I downloaded the portable scanner, and was going to install it. I turned on the laptop, and this time there was no sign of the infection. I turned on her already installed SUPERAntiSpyware, and ran it. It came up with a lot of things.. most were adware tracking cookies that were low priority, but there was one trojan virus-software hit. As I finished out the removal process, I did not remember to copy and paste the results to a Word file, thinking it would produce a log file. Guess I was wrong. Upon restarting the computer, so far there has still been no sign of the virus that was originally there. I reactivated the network on it, and I tried to update the SUPERAntiSpyware definitions.. and got blocked. It says the firewall might have been blocking it, so I added SUPERAntiSpyware to the exceptions list. Nope. Still blocked. Turned off the firewall altogether, and nope. Still blocked. Tried the browser, and didn't get a redirect on searching for SUPERAntiSpyware. I plugged in the USB key that had the portable scanner on it, and cannot update definitions on that either. What do you recommend I do from here? I am afraid there is stuff lurking yet. I am running another scan right now on it, with SUPERAntiSpyware, to see what comes up this time. So far just adware tracking cookies. I am cautiously optimistic the last scan pulled AV Green out, but not certain.

#8 jgasco68


Posted 25 June 2010 - 01:55 PM

Update: The SuperAntiSpyware scan came up with five adware tracking cookies, and nothing else. I have Malwarebytes installed on her computer from previous infection.. and ran it. Here are the results of that..

Malwarebytes' Anti-Malware 1.44
Database version: 3888
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/25/2010 1:17:02 PM
mbam-log-2010-06-25 (13-16-53).txt

Scan type: Full Scan (C:\|)
Objects scanned: 182765
Time elapsed: 43 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 27
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 26

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> No action taken.
HKEY_CLASSES_ROOT\mywebsearch.multiplebutton (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\mywebsearch.multiplebutton.1 (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\mywebsearch.urlalertbutton (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\mywebsearch.urlalertbutton.1 (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@mywebsearch.com/Plugin (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3popularscreensavers (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\funwebproducts (Adware.MyWebSearch) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{1DED81DE-E12C-4A52-8C24-31C441357111}\RP201\A0156209.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{1DED81DE-E12C-4A52-8C24-31C441357111}\RP201\A0156227.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{1DED81DE-E12C-4A52-8C24-31C441357111}\RP201\A0156212.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{1DED81DE-E12C-4A52-8C24-31C441357111}\RP201\A0156218.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{1DED81DE-E12C-4A52-8C24-31C441357111}\RP201\A0156220.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{1DED81DE-E12C-4A52-8C24-31C441357111}\RP201\A0156221.EXE (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{1DED81DE-E12C-4A52-8C24-31C441357111}\RP201\A0156224.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{1DED81DE-E12C-4A52-8C24-31C441357111}\RP201\A0156225.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{1DED81DE-E12C-4A52-8C24-31C441357111}\RP201\A0156226.EXE (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{1DED81DE-E12C-4A52-8C24-31C441357111}\RP201\A0156228.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{1DED81DE-E12C-4A52-8C24-31C441357111}\RP201\A0156229.EXE (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{1DED81DE-E12C-4A52-8C24-31C441357111}\RP201\A0156230.EXE (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{1DED81DE-E12C-4A52-8C24-31C441357111}\RP201\A0156231.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{1DED81DE-E12C-4A52-8C24-31C441357111}\RP201\A0156232.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{1DED81DE-E12C-4A52-8C24-31C441357111}\RP201\A0156233.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{1DED81DE-E12C-4A52-8C24-31C441357111}\RP201\A0156234.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{1DED81DE-E12C-4A52-8C24-31C441357111}\RP201\A0156235.EXE (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{1DED81DE-E12C-4A52-8C24-31C441357111}\RP201\A0156236.EXE (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{1DED81DE-E12C-4A52-8C24-31C441357111}\RP201\A0156237.DLL (Adware.MyWebSearch) -> No action taken.

#9 Budapest


Posted 25 June 2010 - 04:01 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Download Link 1
  • Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Edited by Budapest, 25 June 2010 - 05:45 PM.


#10 jgasco68


Posted 25 June 2010 - 11:47 PM

Here are the results you asked for.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4242

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/25/2010 11:37:55 PM
mbam-log-2010-06-25 (23-37-55).txt

Scan type: Quick scan
Objects scanned: 132730
Time elapsed: 11 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cwmomkuo (Rogue.AntivirusSuite.Gen) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cwmomkuo (Rogue.AntivirusSuite.Gen) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Your PC Protector (Rogue.YourPCProtector) -> No action taken.

Files Infected:
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Your PC Protector\Your PC Protector.lnk (Rogue.YourPCProtector) -> No action taken.
C:\WINDOWS\system32\config\systemprofile\Desktop\Your PC Protector.lnk (Rogue.YourPCProtector) -> No action taken.
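
The two Malwarebytes logs in this thread are what the helper reads to decide what to do next. As an added example (not code from BleepingComputer, Malwarebytes or anyone in this thread), here is a small Python parser for that log layout: it checks the summary counts against the entries actually listed (so a truncated paste is caught), pulls out the Run-key values that relaunch the rogue at logon, and lists everything still marked "No action taken". The sample log is a constructed excerpt modelled on the quick-scan log above, not the full log.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the Malwarebytes' Anti-Malware 1.46 log
# posted above: a summary block with counts, then one detail section per category.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
Registry Keys Infected: 2
Registry Values Infected: 4
Files Infected: 2

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cwmomkuo (Rogue.AntivirusSuite.Gen) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cwmomkuo (Rogue.AntivirusSuite.Gen) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) -> No action taken.

Files Infected:
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Your PC Protector\Your PC Protector.lnk (Rogue.YourPCProtector) -> No action taken.
C:\WINDOWS\system32\config\systemprofile\Desktop\Your PC Protector.lnk (Rogue.YourPCProtector) -> No action taken.
"""

# "Files Infected: 2" is a summary line; "Files Infected:" opens a detail section.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")
# Detail entries look like "<item> (<threat name>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# Values under a CurrentVersion\Run key are started at every logon: that is the persistence.
AUTORUN_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)

def parse_mbam_log(text):
    """Return (summary counts, {section: [entry dicts]}) for one MBAM log."""
    counts, sections, current = {}, defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                counts[m.group("section")] = int(m.group("count"))
            else:
                current = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if m and current:
            sections[current].append(m.groupdict())
    return counts, dict(sections)

def count_mismatches(counts, sections):
    """Sections where the summary count and the listed entries disagree (e.g. a truncated paste)."""
    return {s: (n, len(sections.get(s, []))) for s, n in counts.items()
            if n != len(sections.get(s, []))}

def autorun_entries(sections):
    """Persistence points: every detected value that lives under a Run key."""
    return [e["item"] for e in sections.get("Registry Values Infected", [])
            if AUTORUN_RE.search(e["item"])]

def still_present(sections):
    """Entries logged as 'No action taken', i.e. a scan log rather than a removal log."""
    return [e["item"] for entries in sections.values() for e in entries
            if e["action"] == "No action taken"]
```

A log where every entry is "No action taken" is the scan result, not the removal result; the removal log that opens after "Remove Selected" is the one that shows what was actually cleaned.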

#11 Budapest


Posted 26 June 2010 - 12:27 AM

Repeat the Malwarebytes scan and post the new log.

#12 jgasco68


Posted 26 June 2010 - 12:45 AM

This scan came up clean.. :thumbsup:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4242

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/26/2010 12:41:13 AM
mbam-log-2010-06-26 (00-41-13).txt

Scan type: Quick scan
Objects scanned: 132347
Time elapsed: 10 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 Budapest


Posted 26 June 2010 - 12:47 AM

How's your computer running now?

#14 jgasco68


Posted 26 June 2010 - 12:51 AM

Seems to be running fine.. no redirects on searches.. still cannot update SUPERAntispyware definitions.. Every once in a while I get a "beep" like a link or process failed to open.

#15 Budapest


Posted 26 June 2010 - 12:59 AM

Try uninstalling and then reinstalling SUPERAntiSpyware.