microsoft security essentials alert


5 replies to this topic

#1 sil3nthill

Posted 30 November 2010 - 01:24 AM

This one.

http://www.bleepingcomputer.com/virus-removal/remove-fake-microsoft-security-essentials-alert
However, the above removal process didn't work for me.

Previous steps undertaken are here: http://www.bleepingcomputer.com/forums/topic363341.html
Unfortunately, it just keeps coming back after some time without my doing anything on my PC.


Thanks!


DDS (Ver_10-11-27.01) - NTFSx86
Run by Gary at 17:15:47.78 on Tue 11/30/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.611 [GMT 11:00]


============== Running Processes ===============

C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Gary\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:23012
uInternet Settings,ProxyOverride = <local>
uWinlogon: Shell=c:\documents and settings\gary\application data\hotfix.exe
BHO: {b1b220c1-a503-59bd-f413-03b53a2c8954} - c:\windows\system32\i1m45mm.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Rmuzox] rundll32.exe "c:\windows\oqefoxosivolup.dll",Startup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
uPolicies-explorer: NoFolderOptions = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238211881000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: {15621E4B-AB40-4D99-884E-FFEBD9CA1859} = 8.8.8.8
TCP: {650A012B-2D3E-40C7-978B-0F65BBEADA8A} = 8.8.8.8
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\7.0.517.44\npchrome_frame.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: uysefb8732hrfuishdiugfuysf: {b1b220c1-a503-59bd-f413-03b53a2c8954} - c:\windows\system32\i1m45mm.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gary\applic~1\mozilla\firefox\profiles\45ovj3f3.default\
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - HiddenExtension: XULRunner: {2D53B27E-40AC-4794-818F-95427729AB5A} - c:\documents and settings\gary\local settings\application data\{2D53B27E-40AC-4794-818F-95427729AB5A}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: AdBlock Plus: {2993bd65-2ed1-1998-a5bf-65cb77c2c864} - c:\docume~1\gary\applic~1\mozilla\firefox\profiles\45ovj3f3.default\extensions\{2993bd65-2ed1-1998-a5bf-65cb77c2c864}
FF - Extension: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - c:\docume~1\gary\applic~1\mozilla\firefox\profiles\45ovj3f3.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Extension: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - c:\docume~1\gary\applic~1\mozilla\firefox\profiles\45ovj3f3.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Extension: XULRunner: {2D53B27E-40AC-4794-818F-95427729AB5A} - c:\documents and settings\gary\local settings\application data\{2D53B27E-40AC-4794-818F-95427729AB5A}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-18 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-11 67656]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-4-24 10384]
S0 iqazzwfg;iqazzwfg; [x]
S0 rfly;rfly;c:\windows\system32\drivers\fpjrl.sys --> c:\windows\system32\drivers\fpjrl.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-27 136176]
UnknownUnknown ngbztrng;ngbztrng; [x]

=============== Created Last 30 ================

2010-11-30 06:01:28 -------- d-----w- c:\program files\Trend Micro
2010-11-30 05:56:39 101872 ----a-w- c:\program files\internet explorer\iexploremgr.exe
2010-11-29 17:21:12 789861 ----a-w- c:\docume~1\gary\applic~1\hotfix.exe
2010-11-29 16:04:48 -------- d-----w- c:\windows\system32\MpEngineStore
2010-11-29 11:22:40 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-11-29 11:20:13 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-11-29 11:20:13 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-11-29 11:18:49 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-11-29 11:18:05 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-11-29 11:14:57 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-11-29 11:14:07 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-11-29 11:14:07 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-11-29 10:53:39 -------- d-----w- c:\windows\system32\SoftwareDistribution
2010-11-29 07:31:09 101872 ----a-w- c:\windows\Kfanycmgr.exe
2010-11-28 05:47:42 -------- d-----w- c:\docume~1\gary\locals~1\applic~1\{2D53B27E-40AC-4794-818F-95427729AB5A}
2010-11-28 05:47:40 101872 ----a-w- c:\windows\Kfanyamgr.exe
2010-11-28 03:14:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-27 13:44:42 98816 ----a-w- c:\windows\sed.exe
2010-11-27 13:44:42 89088 ----a-w- c:\windows\MBR.exe
2010-11-27 13:44:42 256512 ----a-w- c:\windows\PEV.exe
2010-11-27 13:44:42 161792 ----a-w- c:\windows\SWREG.exe
2010-11-26 13:53:05 -------- d-----w- c:\docume~1\gary\applic~1\GetRightToGo
2010-11-26 10:22:36 -------- d-----w- c:\docume~1\gary\applic~1\Feul
2010-11-26 10:22:36 -------- d-----w- c:\docume~1\gary\applic~1\Acfay
2010-11-26 10:11:44 -------- d-----w- c:\documents and settings\gary\WINDOWS
2010-11-26 10:04:27 -------- d-sha-r- C:\cmdcons

==================== Find3M ====================

2010-11-30 05:49:58 101872 ----a-w- c:\windows\system32\cmdmgr.exe
2010-11-30 05:49:33 101872 ----a-w- c:\windows\explorermgr.exe
2010-11-29 16:26:05 0 ----a-w- c:\windows\Abomipecil.bin
2010-11-26 11:47:39 101872 ----a-w- c:\windows\system32\svchostmgr.exe
2010-11-26 09:24:17 101872 ----a-w- c:\windows\system32\REGSVR32mgr.exe
2010-11-26 09:20:46 101872 ----a-w- c:\windows\system32\verclsidmgr.exe
2010-11-26 09:10:18 101872 ----a-w- c:\windows\system32\rundll32mgr.exe
2010-11-26 08:41:55 101872 ----a-w- c:\windows\system32\runoncemgr.exe
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 01:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll

============= FINISH: 17:16:20.35 ===============


#2 sil3nthill

Posted 01 December 2010 - 04:26 AM

OK, looking through the forum, I seem to have a variant of the mshta.exe malware that so many others here seem infected with.
However, I've noticed this seems to be easily fixed for some, but not others.

Considering the amount of time I've spent trying to fix this already, the risk of Windows not booting was not significantly worse than its state now, so I decided to go all out.

Firstly, I downloaded and updated most of the tools mentioned on this site.

Decided to disconnect the PC from the network after updating.

Then I ran in order:

Mbam
reboot
SAS
reboot
TFC
reboot
TDSS
reboot
combo fix
reboot

Finally, I ran Mbam again.

Upon the final reboot everything looked OK. No iexplore.exe rogue processes. I left the PC on, but disconnected from the network overnight, and all seemed good.

Today I ensured the firewall was set to block everything (including exceptions) and connected it back up while monitoring processes/scheduled tasks etc.
So far so good...for 30 mins.

Then I noticed my Windows auto update shield suddenly came on!
Within about 30 secs everything was infected again =/
I suspect wuauclt.exe is also roothooked (nothing seems to detect this though), because even though I've disabled updates that damn process keeps showing up.

So now I don't know what, besides mshta.exe, iexplore.exe and wuauclt.exe, could be infected.
Seems like a never-ending quest to clean the system.

#3 boopme

Posted 03 December 2010 - 10:17 AM

Having run ComboFix on your own you now need to include that log.

ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for general public or personal use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

#4 sil3nthill

Posted 03 December 2010 - 08:59 PM

The current situation is:

The malware is present on the system but dormant (iexplore processes etc.).
The PC works fine, albeit losing system resources to the malware processes, until I connect the network cable.

Then, within 30 secs to 15 mins, the MS Security Essentials alert pops up, and the associated problems (scheduled tasks, disabling of programs/prompts, etc.) start up.

For this reason I did not connect to the internet before running ComboFix, so it wasn't able to update. When I do this (and the malware flares up) ComboFix freezes up anyway.

Also, I noticed duplicates of many exes (hidden). The modified dates are all after I was infected, and the exact same file size. I cannot find instances of these exes prior to being infected, nor information online about them being normal or not.

http://img200.imageshack.us/img200/1759/mgrexes.jpg

ComboFix log attached.
Hope that helps.

Attached Files

  • Attached File  log.txt   286.53KB   3 downloads
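Added example (editor's code, not part of this thread and not a BleepingComputer or DDS tool): a small triage script that reads the kind of DDS output posted in #1 and flags the indicators a helper would look for, plus the identical-size "*mgr.exe" duplicates described in #4. The sample lines are copied from the log above; the list of shadowed host binaries, the "three or more files" threshold and the loopback/%windir%-root heuristics are assumptions chosen for this thread, not DDS rules.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS log posted earlier in this
# thread (Pseudo HJT report plus "Created Last 30" / Find3M file listings).
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:23012
uWinlogon: Shell=c:\documents and settings\gary\application data\hotfix.exe
BHO: {b1b220c1-a503-59bd-f413-03b53a2c8954} - c:\windows\system32\i1m45mm.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Rmuzox] rundll32.exe "c:\windows\oqefoxosivolup.dll",Startup
uPolicies-explorer: NoFolderOptions = 1 (0x1)
STS: uysefb8732hrfuishdiugfuysf: {b1b220c1-a503-59bd-f413-03b53a2c8954} - c:\windows\system32\i1m45mm.dll
2010-11-30 05:56:39 101872 ----a-w- c:\program files\internet explorer\iexploremgr.exe
2010-11-29 17:21:12 789861 ----a-w- c:\docume~1\gary\applic~1\hotfix.exe
2010-11-30 05:49:58 101872 ----a-w- c:\windows\system32\cmdmgr.exe
2010-11-30 05:49:33 101872 ----a-w- c:\windows\explorermgr.exe
2010-11-26 11:47:39 101872 ----a-w- c:\windows\system32\svchostmgr.exe
2010-11-26 09:10:18 101872 ----a-w- c:\windows\system32\rundll32mgr.exe
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
"""

# DDS file-listing line: date time size attributes path
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(\d+)\s+\S+\s+(.+)$")
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)
# Assumption: Windows binaries whose names the "<name>mgr.exe" files in this thread shadow.
SHADOWED = {"explorer", "svchost", "rundll32", "cmd", "iexplore",
            "regsvr32", "verclsid", "runonce"}


def check_hjt_line(line):
    """Return a finding for one Pseudo-HJT line, or None if it looks benign."""
    low = line.lower()
    if low.startswith("uinternet settings,proxyserver") and (
            "127.0.0.1" in low or "localhost" in low):
        return "ProxyServer points at loopback: a local process is intercepting HTTP"
    if low.startswith(("uwinlogon: shell=", "mwinlogon: shell=")):
        target = line.split("=", 1)[1].strip()
        if not target.lower().endswith("explorer.exe"):
            return f"Winlogon Shell replaced by {target}"
    if low.startswith(("urun:", "mrun:")) and "rundll32" in low:
        # a DLL dropped directly in %windir% (not system32) and started via rundll32
        m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', line, re.I)
        if m and m.group(1).lower().startswith("c:\\windows\\") and m.group(1).count("\\") == 2:
            return f"rundll32 autorun loads a DLL from the %windir% root: {m.group(1)}"
    if low.startswith("upolicies-explorer: nofolderoptions") and "= 1" in low:
        return "NoFolderOptions=1 hides Folder Options, so hidden files cannot be shown"
    return None


def crossref_clsids(lines):
    """CLSIDs registered under more than one load point (here BHO and SharedTaskScheduler)."""
    seen = defaultdict(set)
    for line in lines:
        kind = line.split(":", 1)[0].upper()
        for clsid in CLSID_RE.findall(line):
            seen[clsid.lower()].add(kind)
    return {c: sorted(k) for c, k in seen.items() if len(k) > 1}


def companion_binaries(lines):
    """Group '<host>mgr.exe' files by exact size; return groups of three or more."""
    by_size = defaultdict(list)
    for line in lines:
        m = FILE_RE.match(line)
        if not m:
            continue
        size, path = int(m.group(1)), m.group(2)
        name = path.rsplit("\\", 1)[-1].lower()
        if name.endswith("mgr.exe") and name[:-len("mgr.exe")] in SHADOWED:
            by_size[size].append(path)
    return {s: p for s, p in by_size.items() if len(p) >= 3}


def analyze(log_text):
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    findings = [f for f in (check_hjt_line(l) for l in lines) if f]
    return {"findings": findings,
            "shared_clsids": crossref_clsids(lines),
            "companions": companion_binaries(lines)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for f in report["findings"]:
        print("[!]", f)
    for clsid, kinds in report["shared_clsids"].items():
        print("[!] CLSID", clsid, "registered under", " and ".join(kinds))
    for size, paths in report["companions"].items():
        print(f"[!] {len(paths)} companion binaries of identical size ({size} bytes):")
        for p in paths:
            print("    ", p)
```

Run against the posted log, this prints four findings (the loopback proxy, the Winlogon Shell pointing at hotfix.exe, the rundll32 entry loading a DLL from the Windows root, and the NoFolderOptions policy), reports that the same CLSID is registered both as a BHO and as a SharedTaskScheduler object, and lists the five 101872-byte "*mgr.exe" companions. The CLSID cross-reference is the useful part for a cleanup: the same DLL is reachable from two load points, so removing only the BHO entry leaves the STS entry to reload it, which matches the reinfection pattern described in the thread.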


#5 sil3nthill

Posted 10 December 2010 - 09:00 AM

Hi,

Is there anything in the log which might help?
I've also realised I cannot delete iexplore.exe. It just keeps reappearing after a few mins, even if I Shift+Del it.

#6 sil3nthill

Posted 16 December 2010 - 05:16 AM

Please close the thread.



