
Security Suite virus



#1 Merlot

Merlot

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:32 PM

Posted 13 August 2010 - 10:21 AM

Hello...my husband's computer is infected with the Security Suite virus. I found the 'fix' at this link: http://www.product-reviews.net/2010/08/12/...-removal-guide/ which I have attempted to follow but it's not working.

For starters, once in safe mode, after clicking off the “Use a proxy server for your LAN” and attempting to install CCleaner, I get a message that Windows can't open the program and would I like to search online for a program to open it. I try that only to realize I can't get online AT ALL. There is absolutely no internet connection and I can't seem to get one going, even though the computer is wired to a router w/cable internet and it's functioning on my computer (wireless).

Second, I go ahead and run rkill. It doesn't disable anything but itself (which I read is normal). I download another copy (iExplore) and it does the same thing. I attempted to run them in normal mode, and the only difference was that it didn't log a termination of itself.

Third, I decide to at least try running Malwarebytes. It goes through the system and finds nothing, assuming b/c the virus is still running and blocking its identity.

So now I am truly stuck. This seems to be the most up to date info, yet it's not doing me any good. Is there something else I can try?

#2 Merlot

Merlot
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:32 PM

Posted 13 August 2010 - 12:25 PM

Ok, just coming back to add that I did get rkill to halt one process, which allowed me to stop all the pop-up warnings and have a seemingly normal computer. But, I still can't get online. The proxy boxes remain unchecked and Windows tells me there is a problem with the hardware or driver for the Ethernet card. However, Device Manager says it's functioning.

I ran Malwarebytes again in normal mode, took about an hour and it found absolutely nothing. It can't update, however, due to the non-existence of an internet connection. I am currently running Stinger and crossing my fingers it finds something.

I have read all the threads I can find on Security Suite/AV Security Suite, but none of them mention internet connection issues (aside from the proxy server, which isn't the problem now). I did reboot the computer just to make sure it was still infected, and yes I had to go through the rkill process all over again and re-click the proxy boxes to clear them. I would post some logs but I can't get online from that comp to do it. Arrrrggghh.

#3 Stor-A11

Stor-A11

  • Members
  • 29 posts
  • OFFLINE
  • Local time:09:32 PM

Posted 13 August 2010 - 01:21 PM

I would post some logs but I can't get online from that comp to do it. Arrrrggghh.


Copy the logs onto a flashdrive and post the logs from the computer that can access bleepingcomputer.com.

Click here for instructions for manually updating MBAM. You can also scan with SuperAntiSpyware.

Regarding the internet access issue, check your DNS settings.

#4 Merlot

Merlot
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:32 PM

Posted 13 August 2010 - 02:23 PM

MBAM log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943

8/13/2010 12:32:11 PM
mbam-log-2010-08-13 (12-32-11).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 369106
Time elapsed: 51 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)


----------------
Stinger log:
McAfee® Labs Stinger™ Version 10.1.0.728 built on Mar 18 2010

Copyright © 2010 McAfee, Inc. All Rights Reserved.

Virus data file v1000.0000 created on Mar 18 2010.

Ready to scan for 1331 viruses, trojans and variants.



Scan initiated on Fri Aug 13 13:02:26 2010

Number of clean files: 185187

-----------------
SuperAntispyware: I have run it twice and it tells me it has found 21 Adware. Flash Tracking Cookie items. But when it's done it gives me no option but to restart. If I click cancel, the window closes. When I click restart and go to the control center, click on the Statistics/Logs tab, it is empty. Both boxes are checked at the bottom for keeping logs.

Then I did a Quick Scan again until it listed the 21 items again, and this time I hit 'Next' before it had a chance to complete. NOW a log shows up, which I am posting. It went through a quarantine process, though, and rebooted the computer. Still have the Security Suite.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/13/2010 at 02:56 PM

Application Version : 4.41.1000

Core Rules Database Version : 5242
Trace Rules Database Version: 3054

Scan type : Quick Scan
Total Scan Time : 00:07:35

Memory items scanned : 547
Memory threats detected : 0
Registry items scanned : 2576
Registry threats detected : 0
File items scanned : 1692
File threats detected : 21

Adware.Flash Tracking Cookie


-----------------
Running rkill gets me this:
This log file is located at C:\rkill.log
Please post this only if requested by the person helping you.
Otherwise you can close this log when you wish.
Ran as Kevin on 08/13/2010 at 14:45:20.


Processes terminated by Rkill or while it was running:

C:\Users\Kevin\AppData\Local\blppwxglm\xmxkobwshdw.exe
C:\Users\Kevin\Desktop\rkill.com


Rkill completed on 08/13/2010 at 14:45:26.


Running Windows Vista Home Premium, SP2

As for the internet, I'm getting a message that 'The network adapter "NVIDIA nForce 10/100/1000 Mbps Ethernet" is experiencing driver or hardware related issues.'
-Yet when I check Device Manager, it says it's functioning properly and the driver is up to date.

'Make sure your Internet Protocol Bindings are Correct. Ensure that "Internet Protocol Version 4 (TCP/IPv4)" and "Internet Protocol Version 6 (TCP/IPv6)" are selected in the configuration for the network adapter "Local Area Connection".'
--These are checked. Yet under the LAN status, both IPv4 and IPv6 say 'not connected'.

----------------
The rules.ref link keeps giving me this:

Uh Oh!
Oops, Looks like our system cannot get your file or folder to view/download. There could be various reason for this:

-The file/folder you selected may have been deleted.
-The url you entered is not correct.
-You have incorrectly entered the file/folder key.
-This file/folder may have been trashed by the user.

#5 Stor-A11

Stor-A11

  • Members
  • 29 posts
  • OFFLINE
  • Local time:09:32 PM

Posted 13 August 2010 - 02:50 PM

Open an admin command prompt and type
taskkill /im xmxkobwshdw.exe /t /f
and press enter.

If taskkill succeeds, type
del C:\Users\Kevin\AppData\Local\blppwxglm\xmxkobwshdw.exe
and press enter.

I don't know how long this link will last before the filename changes, but here's a direct link to rules.ref. Rename it to rules.ref and copy to "%appdata%\Malwarebytes\Malwarebytes' Anti-Malware" and scan with MBAM again.

#6 Merlot

Merlot
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:32 PM

Posted 13 August 2010 - 04:23 PM

Open an admin command prompt and type

taskkill /im xmxkobwshdw.exe /t /f
and press enter.

If taskkill succeeds, type
del C:\Users\Kevin\AppData\Local\blppwxglm\xmxkobwshdw.exe
and press enter.

I don't know how long this link will last before the filename changes, but here's a direct link to rules.ref. Rename it to rules.ref and copy to "%appdata%\Malwarebytes\Malwarebytes' Anti-Malware" and scan with MBAM again.


Taskkill gave me an error, said there was no such process running. Of course I did it after I ran rkill.

I got the rules.ref, thanks. Unfortunately my computer illiteracy is shining through b/c I am not able to find the area to which I'm supposed to copy it. I'm assuming it's a folder? I have even typed the full string ("%appdata%\Malwarebytes\Malwarebytes' Anti-Malware) into my search and it gives me the Malwarebytes Anti-Malware folder, but when I open it there are only 2 folders, Log and Quarantine. I've searched making sure to show hidden folders and still can't figure it out.

I so appreciate all your help. I will be heading out for the evening (about ready to pull my hair out so it's a good thing), so if there are any replies please don't think I'm ignoring them. Also, I did realize that the SAS is hitting an error, which is stopping the program from fully completing.

#7 Merlot

Merlot
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:32 PM

Posted 13 August 2010 - 04:54 PM

Well, I managed to find a rules.ref file in the program data folder so I deleted it and replaced it with the new one. Have no idea if that's what's supposed to happen, but we'll see. Running a new scan now.

#8 Merlot

Merlot
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:32 PM

Posted 13 August 2010 - 05:10 PM

Aaaannnnnd...it found a virus! And quarantined it! *clap* I opened in normal mode and nothing popped up. I checked the LAN settings in the internet options, they were checked on for proxy again but I don't know if that's normal or not. Now running a full scan w/Malwarebytes to double check.

Still can't get online, don't know if we had a coincidental driver issue or if my husband clicked something he shouldn't have, but it's weird timing. Now to try and find the exact model so I can re-load the drivers...

Thanks again for everything, I'll post here again if it is still acting up later from a virus standpoint.

*edited to add - I opened IE on my laptop (clean comp) and the proxy settings were not checked. So now I'm not so sure that the evil thing is truly gone from husband's comp, since the proxy settings were turned ON when I booted back up in normal mode after the quarantine.

Edited by Merlot, 13 August 2010 - 05:13 PM.


#9 Stor-A11

Stor-A11

  • Members
  • 29 posts
  • OFFLINE
  • Local time:09:32 PM

Posted 14 August 2010 - 06:03 AM

Disable the proxy settings on your husband's pc.

Here's an updated direct link to rules.ref. Don't forget to rename the file to rules.ref. Copy rules.ref to C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware and overwrite the existing file.
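The two things the helpers keep coming back to in #5 and #9, a process running from a random folder under AppData\Local and a LAN proxy setting that gets switched back on, can be checked from one elevated PowerShell prompt. The script below is an added example, not something posted in the thread; it assumes Windows PowerShell, the standard WinINET registry values behind the "Use a proxy server for your LAN" checkbox, and the folder layout seen in the rkill log. By default it only reports; pass -Fix to clear the proxy and stop any flagged process.

```powershell
# Added example (not from the thread): report, and optionally repair, the two
# symptoms discussed above. Assumes an elevated Windows PowerShell prompt.
param([switch]$Fix)

# Registry values behind Internet Options > LAN settings > "Use a proxy server".
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxyState {
    $p = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled = [bool]($p.ProxyEnable)   # DWORD 1 = checkbox ticked
        Server  = $p.ProxyServer           # e.g. "http=127.0.0.1:xxxx" when hijacked
    }
}

function Find-SuspectProcesses {
    # Heuristic: an .exe living directly in %LOCALAPPDATA%\<dir>\, the layout of
    # C:\Users\Kevin\AppData\Local\blppwxglm\xmxkobwshdw.exe in the rkill log.
    # Legitimate software can also live there, so review before acting.
    $root = [regex]::Escape($env:LOCALAPPDATA)
    Get-Process | Where-Object {
        $_.Path -and $_.Path -match "^$root\\[^\\]+\\[^\\]+\.exe$"
    }
}

$proxy = Get-ProxyState
Write-Host ("Proxy enabled: {0}  server: {1}" -f $proxy.Enabled, $proxy.Server)

$suspects = @(Find-SuspectProcesses)
if ($suspects.Count -eq 0) { Write-Host "No processes found under $env:LOCALAPPDATA\<dir>\" }
else { $suspects | Select-Object Id, ProcessName, Path | Format-Table -AutoSize }

if ($Fix) {
    foreach ($s in $suspects) {
        # Same effect as "taskkill /im <name> /t /f" in post #5; the file itself is
        # left in place so it can be deleted or submitted after confirmation.
        Stop-Process -Id $s.Id -Force -ErrorAction SilentlyContinue
        Write-Host "Stopped $($s.ProcessName) ($($s.Path))"
    }
    if ($proxy.Enabled) {
        # Equivalent to unticking the checkbox. As the thread shows, the rogue AV
        # re-enables it on every boot, so do this after the process is gone.
        Set-ItemProperty -Path $inetKey -Name ProxyEnable -Value 0
        Remove-ItemProperty -Path $inetKey -Name ProxyServer -ErrorAction SilentlyContinue
        Write-Host "Proxy setting cleared"
    }
}
```

Re-run without -Fix after a reboot: if ProxyEnable is 1 again, the infection is still active and the scanners need another pass, which is the symptom noted in the edit to post #8.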

#10 Stor-A11

Stor-A11

  • Members
  • 29 posts
  • OFFLINE
  • Local time:09:32 PM

Posted 14 August 2010 - 09:24 AM

You should also run TDSSKiller to verify that a common rootkit wasn't also installed on the pc.

#11 Merlot

Merlot
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:32 PM

Posted 14 August 2010 - 12:32 PM

Just wanted to update that the computer is now fixed! Thank-you all SO MUCH!

The TDSSKiller didn't find any problems. I spent the rest of last night trying to research the network issues, nothing was showing as having a problem or appeared to not be set properly, but it still wouldn't work.

This morning I had the bright idea of trying System Restore. I guess I was too brain fried yesterday to think of it. The good news is that it worked, it's back online and I'm re-running all the scans to double check for malware, but so far so good :D

You all rock :thumbsup: Now to see if I can get the CA suite properly installed and make sure he keeps up with it.

#12 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:09:32 PM

Posted 15 August 2010 - 04:21 AM

Glad to hear that the problem appears to be resolved.

Please let us know if anything still seems amiss.

~Blade
