Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Fake Microsoft Security Essentials Alert Trojan


  • Please log in to reply
2 replies to this topic

#1 Maniac4cs

Maniac4cs

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:33 PM

Posted 17 October 2010 - 08:48 AM

I was infected with the Fake Microsoft Security Essentials Alert Trojan as described here http://www.bleepingcomputer.com/virus-remo...ssentials-alert

I'm running Windows 7.

Whenever I'd logon to windows (regular or safe mode), the Microsoft Security Essentials Alert and I would immediately blue screen (irql_not_less_than_or_equal was the reason).

I put the Kaspersky rescue cd on a usb disk and it found a lot of malware which it removed. Logging back into windows, however, still blue screened.

Back in kasperky, I went to the file explorer and poked around, and found "hotfix.exe" in appdata/local/temp, which I promptly deleted (I'd done this for someone else recently). Now I could login to windows, but I still wasn't out of the woods yet.

Logging into windows in regular mode would show a black screen with no explorer, I had to launch it from task manager. Full scan with MalwareBytes showed that there was a registry entry in policies/explorer which turned it off, and some driver with a random name (sqbzeh.sys) was an infected file. Neither MalwareBytes nor I was able to delete this file, so I had to go back into Kaspersky to do it.

Running Sophos rootkit finder flagged some temp files, and Security Task Manager found another file in the temp dir that was bad.

Now MalwareBytes gives me a clean bill of health, but I still see a lot of strange activity in TCPView. Here's my dds file output:


DDS (Ver_10-10-10.03) - NTFSx86
Run by D at 9:15:24.05 on Sun 10/17/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3582.2125 [GMT -4:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Creative\Volume Panel\VolPanlu.exe
C:\Program Files\kX Audio Driver\3550\kxmixer.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Everything\Everything.exe
C:\Programming\Tools\sysinternals\Tcpview.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Programming\Tools\sysinternals\procexp.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Programming\Tools\TFC.exe
C:\Windows\explorer.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\D\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Microsoft Web Test Recorder 9.0 Helper: {e31ce47f-c268-41ba-897b-b415e613947d} - c:\program files\microsoft visual studio 9.0\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
EB: Web Test Recorder 9.0: {3c7adade-d1e8-45d2-bdcd-7f8d8b99b2a2} - mscoree.dll
EB: Web Test Recorder 10.0: {5802d092-1784-4908-8cdb-99b6842d353d} - mscoree.dll
mRun: [Everything] "c:\program files\everything\Everything.exe" -startup
mRun: [VolPanel] "c:\program files\creative\volume panel\VolPanlu.exe" /r
mRun: [kX Mixer] c:\program files\kx audio driver\3550\kxmixer.exe --startup
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\oldaim\aim.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.liquidnet.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://vpn.liquidnet.com/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15111/CTPID.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\d\appdata\roaming\mozilla\firefox\profiles\p8uis37q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npsharedview.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\d\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-10-17 18816]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt60.sys [2010-8-3 27648]
R3 kxwdmdrv;kX WDM Driver Service;c:\windows\system32\drivers\kx.sys [2009-9-17 607496]
R3 rt61x86;Gigabyte RT61 Wireless Driver for Windows Vista;c:\windows\system32\drivers\netr61.sys [2010-8-3 378368]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-8-3 278560]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2010-1-3 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-12-25 79360]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2009-12-29 16472]
S3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.0);c:\windows\system32\drivers\RtTeam60.sys [2010-8-3 43520]
S3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.2);c:\windows\system32\drivers\RtVlan60.sys [2010-8-3 19968]
S3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.0);c:\windows\system32\drivers\RtTeam60.sys [2010-8-3 43520]
S3 TNMGBRF;TNMGBRF;c:\users\d\appdata\local\temp\tnmgbrf.exe --> c:\users\d\appdata\local\temp\TNMGBRF.exe [?]
S3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files\microsoft visual studio 10.0\team tools\performance tools\VSPerfDrv100.sys [2009-12-8 48128]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\microsoft visual studio 9.0\team tools\performance tools\VSPerfDrv90.sys [2007-9-4 55664]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-22 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]

=============== Created Last 30 ================

2010-10-17 12:38:53 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-10-17 12:04:51 -------- d-----w- c:\program files\Sophos
2010-10-16 21:22:25 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2010-10-15 21:33:28 70144 --sha-r- c:\windows\system32\itirclr.dll
2010-10-15 21:32:11 -------- d-----w- c:\progra~2\Update
2010-10-13 10:58:09 -------- d-----w- C:\books
2010-10-13 01:21:25 6084944 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{1cf9b9e7-8af6-42c4-9da3-1c10b359a3b1}\mpengine.dll
2010-10-11 23:28:22 -------- d-----w- C:\WG0A4.TMP
2010-10-11 22:01:01 -------- d-----w- c:\program files\uMusic
2010-10-10 00:59:35 -------- d-----w- C:\Pics

==================== Find3M ====================

2010-07-29 06:30:49 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30:34 82944 ----a-w- c:\windows\system32\iccvid.dll

============= FINISH: 9:15:55.91 ===============


Any ideas if I'm still in trouble?

BC AdBot (Login to Remove)

 


#2 Maniac4cs

Maniac4cs
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:33 PM

Posted 17 October 2010 - 09:15 AM

BTW, the network icon in the taskbar shows that I'm not connected, even though when I click on it and open up the dialog, it says I'm connected. More fallout from the infection? Any way to get this back to normal without reformatting?

#3 Maniac4cs

Maniac4cs
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:33 PM

Posted 17 October 2010 - 02:25 PM

BTW, gmer.exe crashes everytime I try to run it. When I run it twice in a row, I get a blue screen. Is that also a cause for concern?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users