securitytools scareware


10 replies to this topic

#1 pirsquared

Posted 03 November 2010 - 01:35 PM

Right, this may turn into an epic.

I received an Acer Aspire One laptop running Win XP SP3 from a friend at work. It was redirecting every web search to random sites (sometimes porn sites),
and as well as this it would also block all attempts to access Microsoft Update.

I did the Alt-F10 and restored the factory settings, including a reformat of the C partition.

The problem was still there, so I installed Spybot (which found 2 trojans and removed them), Ad-Aware, which found nothing, and Malwarebytes, which again found nothing.

I decided to uninstall McAfee; as soon as I did, Security Tools popped up, so I looked for ways to remove this and followed the instructions here:
My link

rkill runs and reports that it has closed itself??
I replaced the exe file in Malwarebytes and when clicked, instead of loading, it starts to reinstall itself.
When Malwarebytes is run it finds Security Tools and asks to restart, all good and well.

After the restart I replaced the hosts file.

It appears I can now surf without being constantly redirected, but I still can't access Microsoft Update. When I try through Firefox it says the server was reset; with IE it just says the page can't be displayed, please check the connection. When this is clicked it tests the connection and says all is well.

Any suggestions would be much appreciated.

Paul

Edited by pirsquared, 03 November 2010 - 02:02 PM.

should my pistol chose to jam, i have another one in my hand

#2 boopme

Posted 03 November 2010 - 04:11 PM

Hi, probably other infections ...
Next run ATF and SAS. If you cannot access Safe Mode, run in normal, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click the Update tab, select Check for Updates. When done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 pirsquared

Posted 03 November 2010 - 04:15 PM

Wrote this before the above reply, so will try that and repost.
Thanks for the rapid reply :thumbsup:

I've now installed Microsoft Security Essentials
and it constantly says that I have vbs\ramnit.b and ramnit.agen!

On top of this I'm using a pen drive to transfer files to the laptop from my R2 unit and it appears to have been infected with an autorun virus. Avira blocks it on my R2; I've installed Autorun Eater on the laptop and it detects the autorun.inf and deletes it, but it just ends up in a constant loop detecting and deleting it.

Edited by pirsquared, 03 November 2010 - 04:18 PM.


#4 pirsquared

Posted 03 November 2010 - 04:33 PM

Installed SUPER and tried to:
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.

It was actually under Preferences / Scanning Control.

#5 pirsquared

Posted 03 November 2010 - 05:42 PM

Followed the instructions.
Booted into Safe Mode, got the choice of either Administrator or user, chose admin...
Ran SAS.
When it rebooted into normal Windows, SAS needed to be reinstalled, as it booted into the user profile.

Do I need to run it again under the user profile?

Here's the log from the first scan:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/03/2010 at 10:11 PM

Application Version : 4.45.1000

Core Rules Database Version : 5807
Trace Rules Database Version: 3619

Scan type : Complete Scan
Total Scan Time : 00:32:49

Memory items scanned : 254
Memory threats detected : 0
Registry items scanned : 4917
Registry threats detected : 0
File items scanned : 35399
File threats detected : 36

Adware.Tracking Cookie
s0.2mdn.net [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\SZN9TJVV ]
stat.easydate.biz [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\SZN9TJVV ]
C:\Documents and Settings\NetworkService\Cookies\system@247realmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@adbrite[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[1].txt
.collective-media.net [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
.doubleclick.net [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
.microsoftsto.112.2o7.net [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
.advertise.com [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
.pro-market.net [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
.questionmarket.com [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
.questionmarket.com [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
.bizzclick.com [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]
n-traffic.com [ C:\Documents and Settings\nicola\Application Data\Mozilla\Firefox\Profiles\rinp38ii.default\cookies.sqlite ]

Trojan.Agent/Gen-RMNet
C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\PROFESSIONAL\RUNTIME\11\50\INTEL32\IKERNEL.DLL

#6 boopme

Posted 03 November 2010 - 06:38 PM

We have found these: Trojan.Agent/Gen-RMNet and vbs\ramnit.b and ramnit.agen!

I'm afraid I have very bad news.

Win32/Ramnit.A / Win32/Ramnit.B are file infectors with IRCBot functionality which infect .exe and .HTML/HTM files, and open a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A or VBS/Generic. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware. With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of damage can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).



#7 pirsquared

Posted 03 November 2010 - 06:46 PM

Here's the MBAM log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5038

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

03/11/2010 23:42:43
mbam-log-2010-11-03 (23-42-43).txt

Scan type: Quick scan
Objects scanned: 143419
Time elapsed: 10 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\program files\microsoft\watermark.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Mozilla Firefox\firefoxSrv.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft\watermark.exe (Trojan.Agent) -> Delete on reboot.
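The two "Registry Data Items Infected" lines in this log are the most telling part of it: the Winlogon Userinit value is a comma-separated list of programs Windows runs at every logon, and the infection appended `c:\program files\microsoft\watermark.exe` after the legitimate `userinit.exe`. As an added example (written for this page, not code from the thread or from Malwarebytes), the Python script below parses that section of an MBAM log in the format shown above, reports every Userinit entry that is not the expected `userinit.exe`, and on a Windows host can read the live registry value and apply the same check. The sample log excerpt is built from the lines posted above; the expected path is an assumption based on the "Good:" value in the log.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt: the "Registry Data Items Infected" section from the
# MBAM log posted in this thread, with neighbouring sections so the section
# parser sees realistic input. Raw string because the key paths contain
# sequences such as \U that a normal string literal would reject.
SAMPLE_MBAM_LOG = r"""
Registry Keys Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\program files\microsoft\watermark.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# Assumption: the only legitimate entry is the system userinit.exe, either as a
# full path (the usual stored form) or as the bare file name MBAM prints as "Good".
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# One MBAM registry-data line: key, detection name, then either a
# "Bad: (...) Good: (...)" pair or a single "Data: ..." value, then the action.
ITEM_RE = re.compile(
    r"^(?P<key>HKEY_.+?) \((?P<detection>[^)]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)|Data: (?P<data>.+?))"
    r" -> (?P<action>.+)$"
)


def parse_userinit_value(value: str) -> List[str]:
    """Split a Userinit data string into the programs Windows would start at logon."""
    return [part.strip() for part in value.split(",") if part.strip()]


def unexpected_userinit_entries(value: str) -> List[str]:
    """Return every Userinit entry that is not the expected userinit.exe (case-insensitive)."""
    return [
        entry for entry in parse_userinit_value(value)
        if entry.lower() not in (EXPECTED_USERINIT, "userinit.exe")
    ]


def parse_mbam_registry_items(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Extract the entries listed under 'Registry Data Items Infected:' in an MBAM log."""
    items: List[Dict[str, Optional[str]]] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Registry Data Items Infected:":   # exact match skips the summary count line
            in_section = True
            continue
        if not in_section:
            continue
        if not line:                                   # blank line closes the section
            in_section = False
            continue
        if line.startswith("("):                       # "(No malicious items detected)"
            continue
        match = ITEM_RE.match(line)
        if match:
            items.append(match.groupdict())
    return items


def userinit_hijack_findings(log_text: str) -> List[str]:
    """Unique unexpected programs found in any Userinit item of the log."""
    findings: List[str] = []
    for item in parse_mbam_registry_items(log_text):
        if not (item["key"] or "").lower().endswith(r"\winlogon\userinit"):
            continue
        value = item.get("bad") or item.get("data") or ""
        for entry in unexpected_userinit_entries(value):
            if entry not in findings:
                findings.append(entry)
    return findings


def read_live_userinit() -> Optional[str]:
    """On Windows, read the current Winlogon Userinit value; on other platforms return None."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
        return value


if __name__ == "__main__":
    print("Unexpected Userinit entries in the log:", userinit_hijack_findings(SAMPLE_MBAM_LOG))
    live = read_live_userinit()
    if live is not None:
        print("Live Userinit value:", live, "->", unexpected_userinit_entries(live) or "clean")
```

Run against the excerpt it reports only `c:\program files\microsoft\watermark.exe`; the empty entry between the two commas in the "Bad:" value is dropped, since Windows ignores it too. Note that a clean Userinit value still ends with a trailing comma, so the check tolerates it rather than treating it as a second entry.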

#8 pirsquared

Posted 03 November 2010 - 07:31 PM

Thanks for the info.
Since I've already tried the Alt-F10 method of reinstalling the OS (I even chose the total reformat that said it would remove malware and viruses),
I guess I'm gonna have to get a copy of Win XP (I can get a copy from work) as well as the drivers for the laptop. Any idea how I find the actual model number, as Acer Aspire One gives numerous model numbers?

Thanks,
Paul

PS: I guess I should reformat the pen drive; what's the best way of doing this?

Edited by pirsquared, 03 November 2010 - 07:33 PM.


#9 boopme

Posted 03 November 2010 - 08:14 PM

How Do You Reformat a USB Flash Drive?

To clean the Flash Drive: Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

2 guidelines/rules when backing up

1) Back up all your important data files, pictures, music, work etc... and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are webpages should be avoided.

Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results; they may be handy.

  • Magical Jellybean Keyfinder - a utility that retrieves your Product Key (CD key) used to install Windows from your registry. It has the options to copy the key to clipboard, save it to a text file, or print it for safekeeping.

Edited by boopme, 03 November 2010 - 08:23 PM.

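Two defensive ideas in the post above can be shown in a few lines of code: an autorun worm needs an `autorun.inf` file at the drive root, so a folder of that name (what Flash_Disinfector leaves behind) stops the file from being written, and the backup guidelines come down to sorting files by extension. The Python script below is an added example written for this page, not code from the thread or from Flash_Disinfector. It builds a throwaway folder standing in for an infected pen drive, reports whether `autorun.inf` at its root is a file or a blocker folder, lists the programs an `autorun.inf` file would launch (its `open=` and `shellexecute=` lines), places the blocker, and splits the drive's files into keep/skip sets using the extensions from the guidelines. The file names on the sample drive, including `RECYCLER\xyz.exe`, are made up for the demo, and the script does not set the hidden/system attributes the real tool applies to its folder.

```python
import os
import tempfile
from typing import Dict, List

# Extension sets taken from the backup guidelines in the post above.
DATA_EXTENSIONS = {".doc", ".txt", ".mp3", ".jpg"}
EXCLUDED_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}


def autorun_path(drive_root: str) -> str:
    return os.path.join(drive_root, "autorun.inf")


def autorun_status(drive_root: str) -> str:
    """'file'   : an autorun.inf file is present (what an autorun worm drops),
       'folder' : a folder occupies the name (the blocker Flash_Disinfector leaves),
       'absent' : nothing of that name at the root."""
    path = autorun_path(drive_root)
    if os.path.isdir(path):
        return "folder"
    if os.path.isfile(path):
        return "file"
    return "absent"


def autorun_launch_targets(drive_root: str) -> List[str]:
    """List the programs an autorun.inf file points at via open=/shellexecute=,
    so the analyst knows which file on the stick to look for."""
    if autorun_status(drive_root) != "file":
        return []
    targets: List[str] = []
    with open(autorun_path(drive_root), "r", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith(";") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            if key.strip().lower() in ("open", "shellexecute"):
                targets.append(value.strip())
    return targets


def remove_autorun_file(drive_root: str) -> bool:
    """Delete an autorun.inf file (never a folder). True if one was removed."""
    if autorun_status(drive_root) != "file":
        return False
    os.remove(autorun_path(drive_root))
    return True


def place_autorun_blocker(drive_root: str) -> bool:
    """Create an empty folder named autorun.inf so a file of that name cannot be
    written later. Returns False if an autorun.inf file is still in the way.
    Simplification: the real tool also marks the folder hidden/system."""
    if autorun_status(drive_root) == "file":
        return False
    os.makedirs(autorun_path(drive_root), exist_ok=True)
    return True


def classify_for_backup(drive_root: str) -> Dict[str, List[str]]:
    """Split every file under the root into keep / skip / unknown by extension;
    paths are root-relative with forward slashes and sorted for stable output."""
    result: Dict[str, List[str]] = {"keep": [], "skip": [], "unknown": []}
    for dirpath, _, filenames in os.walk(drive_root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            rel = os.path.relpath(os.path.join(dirpath, name), drive_root).replace(os.sep, "/")
            if ext in EXCLUDED_EXTENSIONS:
                result["skip"].append(rel)
            elif ext in DATA_EXTENSIONS:
                result["keep"].append(rel)
            else:
                result["unknown"].append(rel)
    for bucket in result.values():
        bucket.sort()
    return result


def build_sample_drive() -> str:
    """Constructed stand-in for an infected pen drive in a temp folder.
    RECYCLER\\xyz.exe is a made-up name, not a real sample."""
    root = tempfile.mkdtemp(prefix="pendrive_")
    with open(autorun_path(root), "w") as fh:
        fh.write("[autorun]\nopen=RECYCLER\\xyz.exe\nshellexecute=RECYCLER\\xyz.exe\n"
                 "action=Open folder to view files\n")
    for rel in ("RECYCLER/xyz.exe", "report.doc", "holiday.jpg", "notes.txt", "page.htm"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    root = build_sample_drive()
    print("autorun.inf at root:", autorun_status(root), autorun_launch_targets(root))
    remove_autorun_file(root)
    print("blocker placed:", place_autorun_blocker(root), "->", autorun_status(root))
    print("backup plan:", classify_for_backup(root))
```

Point the functions at a real drive root (for example `E:\` on Windows) instead of the sample folder to apply them to an actual stick; the order matters, since `place_autorun_blocker` refuses to act while an `autorun.inf` file is still present, which is the same reason the post says to hold Shift while inserting the drive before the tool has cleaned it.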

#10 pirsquared

Posted 04 November 2010 - 03:55 AM

I'm using Win7 on my R2 and Flash Disinfector doesn't work.
Would you recommend Panda USB Vaccine?

There is nothing on the Acer netbook I want to keep, so I'm going to create a bootable Win7 flash drive and see if the Acer can run it; if not, I'll create an XP flash drive.

Should I delete the secret partition during the Windows install?

I think I've got all the drivers I need from the Acer site for both XP and Win 7.

Thanks for your help.

#11 boopme

Posted 06 November 2010 - 05:20 PM

It appears best not to remove it.
http://windows.microsoft.com/en-US/windows7/Installing-and-reinstalling-Windows-7