Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

AV Security Suite + But any more?


  • Please log in to reply
16 replies to this topic

#1 lamko

lamko

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:08 PM

Posted 26 June 2010 - 09:50 PM

I was on a website with tutorials on photoshop when I get see two Java icons at the bottom. Quickly I sense something weird happening and shut down the website.

After a few minutes UAC asks if I want to permit some files with random names (giagoagoa.exe qowqoroqroq.exe) to run and to access cmd.exe. I say no, but the cmd one keeps spamming me. I keep saying no, then AV Security Suite shows up. I manage to get into CTRL-ALT-DEL and I stop the viruses processes quickly. AV Security Suite window shuts off.

I quickly go to Autostart items in msconfig and disable a file with a random name. I google and find this: http://www.bleepingcomputer.com/virus-remo...-security-suite - Apparently the removal is not so hard. I am running Avast right now and I have checked to be sure that it's AV Security Suite I got. All these files are in "Temp".

I found the program in the Autorun and I changed the .exe to .gaskgaga just so it won't run again.

Now I am worried about a few things:
1) How can I be sure I haven't got any other virus with it? How do I check?
2) Is it safe to shut down the PC tonight and continue tomorrow?
3) Should I worry about having any keyloggers etc with AV Security Suite?

4) Can I just follow: http://www.bleepingcomputer.com/virus-remo...-security-suite to remove it?

Apparently it seems that for example: HKEY_LOCAL_MACHINE\SOFTWARE\avsoft
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite does not exist in my computer and that I can run Avast for example and the proxy port is different.

Help please.

EDIT: Avast 5 scan finished with no result of infected files.

Edited by lamko, 26 June 2010 - 10:09 PM.


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:08 PM

Posted 26 June 2010 - 11:28 PM

Hello, best to run the Guide and post the resulting MBAm log.

This malware contains no keyloggers..


Next run ATF and SAS: If you cannot access Safe Mode,run in normal ,but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 lamko

lamko
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:08 PM

Posted 28 June 2010 - 09:53 AM

Hello!

A couple things:

- I am running Malwarebytes right now. I am on another computer now.

- Can I run CCleaner instead of ATF Cleaner as I am more familiar with it?

- I see that Av Security Suite changes something with Pipe /Lsarpc after running it in Sandbox. Can you give any info about that? What really happened? Is it something I should worry about? Can I undo the changes?

Most importantly how can I be sure I haven't got anything else with the AV Security Suite, perhaps something that can't be detected by antiviruses or MBAB.

Thanks

#4 lamko

lamko
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:08 PM

Posted 28 June 2010 - 11:32 AM

OK! Malwarebytes just finished Sadly I am not on internet on the infected PC afraid of something might happen. But I will say here what is found:


Rootkit.Drooper (Temp\sroawncmex.exe)
Rogue.AVSecuritySuite (mqksgag\gasgdaga.exe)
Trojan.Agent (Temp\qodigx.exe)
Rogue.AvS.... (Temp\bxwn.exe)
Rogue.AvS... (Local\IE5 temporary..\xxxxx.htm)
Trojan.Agent (As above)
Trojan.Agent (As above)
Rogue.AntivirusSuite (Registry key, software\avsuite)
Trojan.Fraudpack (Registry key, software\avsoft)

What worries me most here is:
Rootkit.Drooper (Temp\sroawncmex.exe)
Trojan.Agent (Temp\qodigx.exe)

Are those part of Av Security Suite? I do not think so. It thinks like I am infected with something else here... or? I am running them both in sandbox analyzers right now.

EDIT1: OK sandbox analyzing finished. qodigx.exe downloads stuff, emails stuff, posts on forums, gets stuff, changes drivers, changes system files. Sroawncmex does some stuff too. I think I need to do a format on this but I will wait and see. I am ready to format and would like to. But I will wait first to hear what you have to say and maybe say something I don't know :flowers:

EDIT2: Also how can I be sure nothing got into my personal files. I got backups of some .exe files, some .html files etc.. how do I know they have been infected? :thumbsup: It's very important.

Edited by lamko, 28 June 2010 - 01:42 PM.


#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:08 PM

Posted 28 June 2010 - 03:54 PM

these may be bought the log is not right.
Rogue.AVSecuritySuite (mqksgag\gasgdaga.exe)
Trojan.Agent (Temp\qodigx.exe)
Rogue.AvS.... (Temp\bxwn.exe)
Rogue.AvS... (Local\IE5 temporary..\xxxxx.htm)

I don't even know your OS from it..
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 lamko

lamko
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:08 PM

Posted 28 June 2010 - 07:25 PM

these may be bought the log is not right.
Rogue.AVSecuritySuite (mqksgag\gasgdaga.exe)
Trojan.Agent (Temp\qodigx.exe)
Rogue.AvS.... (Temp\bxwn.exe)
Rogue.AvS... (Local\IE5 temporary..\xxxxx.htm)

I don't even know your OS from it..


I didn't know you wanted the EXACT location. I just wanted to tell you where they are.

mgksgag is in the Vista temp folder.
Temp is the Vista temp folder
IE5.Content is the temporary files (cache?) of IE.

I hope you know now what I mean :thumbsup:

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:08 PM

Posted 28 June 2010 - 08:13 PM

Ok so now ATF and SAS?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 lamko

lamko
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:08 PM

Posted 29 June 2010 - 05:44 PM

Sorry for wasting your time but I reformatted. I paniced.

Apparently one of them was a ransomware program that made me panic very bad. I was worried that my personal data was taken. But apparently it just changed system files and probably held that as ransom? If it ever worked. I didn't allow it to run on AUC, but maybe it still ran?

Do you think you can now give me some advice on how to make sure my backups are not infected?

Do you also got some general info on this? Something I should worry about or fix?

Thanks a lot though for trying to help!

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:08 PM

Posted 29 June 2010 - 07:13 PM

Not always a bad decision to make. You can scan the CD /DVD once it is copied for infections.
Only back up your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process.
The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml ) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise itself by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge) so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external usb hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if its worth that risk.Again, do not back up any files with the following file extensions: exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.


Vista users can refer to these instructions:Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufactures to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead..

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Operating Systems Subforums forum.

Edited by boopme, 29 June 2010 - 07:17 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 lamko

lamko
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:08 PM

Posted 29 June 2010 - 07:34 PM

Thanks. I feel a bit better that it was not a wrong move to format.

I have some questions please:

"executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml ) "


I do not think I have any .exe, except for some installation files but I will find them on the net and delete them.
Problem is script files. i got a lot of .htm and .html and maybe one or two .php files.
I need them too. How can I make sure they are not infected?
This is what I thought (I am not completely computer noob; just that when things get messed up I need some opinion from others): 1) malwarebytes scan 2) kaspersky scan 3) go through some files manually with notepad and see if you see anything suspicious (javascript, java, anything), 4) perhaps upload one or two at virustotal or other virus checking sites to make sure.

Do you have any other advise? Also what are the chances of malware infecting these files?

"Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them"


I have already backuped on CD and finished but anyway; I do not think I have any executable inside .rar, zip or .cab files. Does .iso also go in here? I have some Linux distros.
If I have I can just delete them :thumbsup:

"Then make sure you scan the backed up data with your anti-virus prior to to copying it back to your hard drive."


This scared me . I copied over all the files on the CD from the infected computer to a clean computer. I just put the CD in; Disabled autorun, Explored the CD (to avoid any kind of Autorun), Dragged the files to desktop and did not and will not open any script files, executables or anything on there. That's safe right?

Also can I do the same thing on the reformated computer? Just drag them over then test them? Surely nothing can happen if I do not run anything! That's the whole point of viruses, you have to run them one way or another. That computer even had active Antivirus + Firewall.

"If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead.."


This scared me even more - It's a manufacturer computer. How do I know if it's infected? I used Recovery Disks though. Is it the same thing? I think I only need to worry about recovery partition being infected if I do not use CDs..

Thanks for all your support so far man :flowers:

Edited by lamko, 29 June 2010 - 07:35 PM.


#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:08 PM

Posted 29 June 2010 - 07:49 PM

Problem is script files. i got a lot of .htm and .html and maybe one or two .php files.
I need them too

I woulld try backing up those up to a CD and scanning them ..

I copied over all the files on the CD from the infected computer to a clean computer. I just put the CD in; Disabled autorun, Explored the CD (to avoid any kind of Autorun), Dragged the files to desktop and did not and will not open any script files, executables or anything on there. That's safe right?

Good here

"If the recovery partition .... it was clean... Sorry should not have put that.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#12 lamko

lamko
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:08 PM

Posted 30 June 2010 - 05:56 PM

Hey mate.

Basically I believe I was infected with the following:
Win32.TDSS.z
Trojan-Ransom.Win32.Digitala.amx
Win32.Krap.ai

So the first one just installs a rootkit in .sys files, dlls etc.
The second one breaks your internet so you can't connect to websites.
The third one is the AV Security Suite.

After googling and stuff neither of them damages any "personal files" so the chances of my backups being infected are very slim.

Also do you have any info on these? Maybe some experience you have with these files and maybe you know something.

Biggest problem right now is to make sure backup files are 100 % clean and I will have to work hard on that :thumbsup:

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:08 PM

Posted 30 June 2010 - 08:01 PM

Hi, the first one is the worst one and why we are formatting.
Win32.TDSS.z
it's alias is Virut
Virus.Win32.Virut.ce, Worm.Win32.AdwareAgent.a, Packed.Win32.TDSS.z [Kaspersky Lab]

ThreatExpert

with a Virut infection, there is always a chance of backed up data reinfecting your system. If the data is that important to you, then you can try to salvage some of it but there is no guarantee so be forewarned that you may have to start over again afterwards if reinfected by attempting to recover your data. But it only attacks your .exe files. So if you save no exe's you should be good.

Also when you are back up and running, Greate yourself a user account to play games,facebook etc... Don't use the account with Admionistrator account for your casual surfing. This way malware doesn't get fulll admin rights too.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#14 lamko

lamko
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:08 PM

Posted 01 July 2010 - 02:47 PM

Hi, the first one is the worst one and why we are formatting.
Win32.TDSS.z
it's alias is Virut
Virus.Win32.Virut.ce, Worm.Win32.AdwareAgent.a, Packed.Win32.TDSS.z [Kaspersky Lab]

ThreatExpert

with a Virut infection, there is always a chance of backed up data reinfecting your system. If the data is that important to you, then you can try to salvage some of it but there is no guarantee so be forewarned that you may have to start over again afterwards if reinfected by attempting to recover your data. But it only attacks your .exe files. So if you save no exe's you should be good.

Also when you are back up and running, Greate yourself a user account to play games,facebook etc... Don't use the account with Admionistrator account for your casual surfing. This way malware doesn't get fulll admin rights too.


Ouch. I did not know it was that dangerous.
Well. I installed Kaspersky on the reformated PC, disabled autorun, dragged the CD content to desktop and nothing yet. I am running a Kaspersky scan on it now. I will delete all .exes in it just to be sure. In fact I might upload one .exe to some analysis site later to see.

That way, as above, I should be safe - right? No way for it to infect. Just have to be careful not opening ANY .exe files. Also Kaspersky has a TDSS killer tool I can run it and see if it finds anything :thumbsup:

PS: This is kinda weird. I ran all the viruses on ThreatExpert and the results I got, on the TDSS one I didn't get like the one you showed me. Why is this you think?
Also it seems just to infect system .exe or regullary use applications. My .exes are installations that was on Desktop on a certain map but I will still be 100 % careful :flowers:

Edited by lamko, 01 July 2010 - 02:49 PM.


#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:08 PM

Posted 01 July 2010 - 03:10 PM

Good plan.. I cannot say why there was a difference.. ... being 100 % safe is the only thing I can recommend..

Here is all i got on Virut...

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer.

With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of virut can even penetrate and infect .exe files within compressed files (.zip, .cab, rar). The Virux and Win32/Virut.17408 variants are an even more complex file infectors which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer virut remains on a computer, the more critical system files will become infected and corrupt so the degree of infection can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damaged caused to files by virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. undetected, corrupted files (possibly still containing part of the viral code) can also be found. this is caused by incorrectly written and non-function viral code present in these files.

AVG Overview of W32/VirutVirut is commonly spread via a flash drive (usb, pen, thumb, jump) infection using RUNDLL32.EXE and other malicious files. It is often contracted and spread by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

However, the CA Security Advisor Research Blog have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:Since virut is not effectively disinfectable, your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users