
Persistent SecurityHelper.dll


This topic is locked. 10 replies to this topic.

#1 lMarcusl

lMarcusl

  • Members
  • 8 posts

Posted 12 June 2015 - 03:13 AM

Hi there,

a few days ago, I downloaded a file via Torrent which was seemingly infected. A bunch of tmp files started getting reported as security threats by AVG, so I let it clean them up and performed a full test to clean up the rest. However, every so often a new thing popped up. Seeing as the file I downloaded didn't work anyway, I was ok with just doing a system restore to before the time I downloaded. Unfortunately, that didn't work (unexpected error, not caused by antivirus; I turned AVG off for the restore as per the Windows recommendation). So I went along with it; security threats weren't popping up anymore, so I thought maybe I was safe. Except now, a SecurityHelper.dll gets reported every time I launch Windows. I looked it up on the web and all the advice on removing it has been useless (the associated processes, .dlls, registry locations etc. which I am being directed to aren't there on my PC, and advice such as "use the software removal tool for securityhelper.dll" obviously won't work either (not to mention that AVG removes the file every time I launch)). Seeing as this virus is kind of a big deal and I use the PC for work, banking etc., I really need to get rid of it (the system is relatively fresh but a reinstall is the last resort for me). My system uses Win7 (which is perhaps why some HKEY directories are different than in the guides)... though I suppose you will require full system info anyway. Can you help me please?

 

Marcus





#2 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male

Posted 12 June 2015 - 06:03 AM

Hi Marcus,

Sounds like a Sathurbot infection. Let's gather some information first:


Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them as just the right one will run.)
  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.

Edited by aharonov, 12 June 2015 - 06:03 AM.


#3 lMarcusl

lMarcusl
  • Topic Starter

  • Members
  • 8 posts

Posted 12 June 2015 - 06:29 AM

Thanks for the quick response. Done and done. Here are the logs.

Attached Files



#4 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male

Posted 12 June 2015 - 06:41 AM

Ok, here we go:


Step 1

Please uninstall some programs:
  • Click on the Start Menu button, open Control Panel and click Uninstall a program.
  • Search and select the following programs one by one and click on Uninstall:

    Ask Toolbar
    RelevantKnowledge

  • Reboot your computer.


Step 2

Please download the attached fixlist.txt and save it in the same directory as FRST.
  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.


Step 3

Please download the ESET Online Scanner and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start esetsmartinstaller_enu.exe with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    Copy and paste the content of this log file in your next reply.
Note: Do not forget to re-enable your antivirus application after running the above scan!



Step 4

Start FRST with administrator privileges.
  • Press the Scan button.
  • When finished, FRST will produce a log (FRST.txt) in the same directory the tool was run from.
    Please copy and paste this log in your next reply.

Edited by aharonov, 12 June 2015 - 06:42 AM.


#5 lMarcusl

lMarcusl
  • Topic Starter

  • Members
  • 8 posts

Posted 12 June 2015 - 08:16 AM

Alright, everything done. Here's the Fixlog.txt, log.txt and the new FRST.txt (I expected it to save a new FRST.txt, but it seems to have just overwritten the old one).

 

A few things that happened during the process:

1) The Ask toolbar refused to uninstall, claiming that I have to first shut down all Internet Explorer windows. It did so even after I did a fresh reboot to make sure there wasn't some unterminated process running. I had to go to the task manager, where I found iexplorer.exe running, which I had to terminate manually for the toolbar to uninstall. This makes no sense since I use Mozilla Firefox and I haven't used Internet Explorer on this machine since I bought it (about 6 months ago). When checking the task manager now, there is no trace of iexplorer.exe anymore (I rebooted since).

 

2) After running the fix you sent and rebooting, upon Windows startup I got the following message:

ASUS SETUP

C:Users/Marek/AppData/Local/Temp/15394Log.ini is lost.

 

3) During the same boot that the above-mentioned message appeared, AVG no longer showed anything about SecurityHelper.dll being detected. I'm not sure I quite remember the path (I think it was in AppData/Local/Microsoft/Performance/Monitor), but if I remember it correctly, the folder is gone. There is neither a Performance nor a Monitor folder in there anymore.

Attached Files



#6 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male

Posted 12 June 2015 - 08:43 AM

Quote: "Had to go to the task manager where I found iexplorer.exe running which I had to terminate manually for the toolbar to uninstall. This makes no sense since I use Mozilla Firefox and I haven't used Internet Explorer on this machine since I bought it (about 6 months ago)."

Yeah, this instance of iexplore.exe was started and used in the background by the malware that was running on your computer. Now that we've deleted the malware there shouldn't be any instances of iexplore.exe running anymore (except when you open Internet Explorer of course).

Quote: "When checking the task manager now, there is no trace of iexplorer.exe anymore (I rebooted since)."

So that's good.

Quote: "After running the fix you sent and rebooting, upon windows startup I got the following message.
ASUS SETUP
C:Users/Marek/AppData/Local/Temp/15394Log.ini is lost."

The fix cleaned the temporary files. That message is no problem and will be gone.

Quote: "the folder is gone. There is neither a Performance nor a Monitor folder in there anymore."

Yes, these were the folders created by the malware, and the fix has deleted them.


How is your computer running now? Is everything alright or are there still problems left?

#7 lMarcusl

lMarcusl
  • Topic Starter

  • Members
  • 8 posts

Posted 12 June 2015 - 08:55 AM

Well, I haven't actually been noticing any slowdowns or hijacks per se while the malware was on my computer; the only clue I got that it was actually there were the AVG popups on startup or when working. I haven't seen any popups since the SecurityHelper.dll message on startup disappeared, so it would appear it's gone. The only thing that pops up now when I reboot (just did to test) is the lost file I wrote about earlier. Hopefully that sorts itself out; I guess it's preferable to having a malware alert every time I boot :-D What about the things the Online Scanner found? There were a few things it detected and I didn't have "Remove found threats" ticked. Those are still there, right?



#8 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male

Posted 12 June 2015 - 09:12 AM

Quote: "What about the things the Online Scanner found? There were a few things it detected and I didn't have the Remove found threats ticked. Those are still there, right?"

None of them are active malware:

vn="a variant of Win32/Toolbar.Widgi.N potentially unwanted application" ac=I fn="C:\Users\Marek\Downloads\media.player.codec.pack.v4.3.3.setup.exe"
vn="a variant of Win32/Toolbar.Widgi.N potentially unwanted application" ac=I fn="C:\Users\Marek\Downloads\media.player.codec.pack.v4.3.6.setup.exe"
vn="a variant of Win32/Toolbar.Widgi.N potentially unwanted application" ac=I fn="C:\Users\Marek\Downloads\windows.7.codec.pack.v4.1.1.setup.exe"

These three are just installers that you've downloaded that are bundled with a toolbar.

vn="a variant of Win32/HackTool.Crack.BQ potentially unsafe application" ac=I fn="D:\Games\Akella\Disciples III - Reincarnation\steam_api.dll"
vn="a variant of Win32/HackTool.Crack.BQ potentially unsafe application" ac=I fn="D:\Images\Disciples III Reincarnation [MULTI2][PCDVD][PROPHET]\ppt-d3rn.iso"

Here ESET states that this game is cracked. Well, you already knew that, didn't you.. ;)

vn="Win32/Injector.DW trojan" ac=I fn="D:\Images\homm5\Heroes of Might And Magic V Hammers of Fate\HOMAM.V.iso"

"Injector" is a pretty generic detection, so I can't say if this is just because it is cracked as well or because this image is actually infected. Use at your own risk. But as it's just an image and nothing that is actively running, I don't care.
(And in general: be careful with this cracked stuff. It's often the source of serious malware.)



Change your passwords and other credentials now. They might have been logged.



That's it! Your logs look clean to me at the moment.
We're gonna clean up everything now, close security holes on your computer and in the end I'll provide you with a list of security tips so you hopefully will not need our help anymore in the future.


My help is free for everybody.
If you want to support me fighting against malware or buy me a beer for the assistance you received, then you can consider a donation.
Thank you!



Clean Up

Now we remove all the tools we used (including their logs and quarantine folders), restore your settings and delete old and infected system restore points:
  • You can uninstall programs that you had to install (e.g. MBAM or ESET Onlinescanner) in the control panel if you so wish.
  • Download DelFix (by Xplode) and save it to your Desktop.
    • Close all running programs and start delfix.exe.
    • Make sure that all available options are checked.
    • Click on Run
    • DelFix should remove all our tools and delete itself afterwards. I don't need the log file.
  • If there is still something left you can delete it manually.


Tips

I recommend reading and following the "16 simple and easy ways to keep your computer safe and secure on the Internet" (Link) by Lawrence Abrams.
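As an added example (not from the thread, from ESET, or from the helper's own tools), here is a small Python triage script that parses ESET Online Scanner log lines in the vn=/ac=/fn= format quoted in the post above and sorts them the way the reply does: toolbar-bundled installers, cracked-software detections, and trojan hits, with only trojan hits that are not sitting in a downloaded installer or disc image flagged for attention. The sample lines and their paths are constructed for the example.

```python
import re
from dataclasses import dataclass

# Matches the key="quoted value" or key=bare pairs ESET writes per detection
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log, modelled on the vn=/ac=/fn= lines in the thread
SAMPLE_LOG = r'''
vn="a variant of Win32/Toolbar.Widgi.N potentially unwanted application" ac=I fn="C:\Users\example\Downloads\codec.pack.setup.exe"
vn="a variant of Win32/HackTool.Crack.BQ potentially unsafe application" ac=I fn="D:\Games\SomeGame\steam_api.dll"
vn="Win32/Injector.DW trojan" ac=I fn="D:\Images\SomeGame.iso"
vn="Win32/Injector.DW trojan" ac=I fn="C:\Users\example\AppData\Local\Microsoft\Performance\Monitor\SecurityHelper.dll"
'''


@dataclass
class Detection:
    name: str       # vn: ESET detection name
    action: str     # ac: action code (I = left in place, as in this thread's scan)
    path: str       # fn: full path of the flagged file
    category: str   # "pua", "unsafe" or "malware"
    dormant: bool   # file is a downloaded installer or disc image, not something loaded


def parse_line(line: str) -> Detection:
    """Parse one ESET log line into a Detection with a coarse category."""
    fields = {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
              for m in _FIELD.finditer(line)}
    name, action, path = fields["vn"], fields.get("ac", ""), fields["fn"]
    lowered = name.lower()
    if "potentially unwanted application" in lowered:
        category = "pua"          # bundled toolbars and similar
    elif "potentially unsafe application" in lowered:
        category = "unsafe"       # cracks, keygens, hack tools
    else:
        category = "malware"      # trojans and other real detections
    lp = path.lower()
    dormant = lp.endswith(".iso") or "\\downloads\\" in lp
    return Detection(name, action, path, category, dormant)


def triage(log_text: str) -> dict:
    """Group detections by category; needs_attention = non-dormant malware."""
    dets = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {
        "pua": [d for d in dets if d.category == "pua"],
        "unsafe": [d for d in dets if d.category == "unsafe"],
        "malware": [d for d in dets if d.category == "malware"],
        "needs_attention": [d for d in dets if d.category == "malware" and not d.dormant],
    }
```

Running `triage(SAMPLE_LOG)` leaves the codec installer, the cracked game DLL and the ISO as low-priority, and flags only the DLL under AppData, which is the kind of hit that actually warrants a fix.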

#9 lMarcusl

lMarcusl
  • Topic Starter

  • Members
  • 8 posts

Posted 12 June 2015 - 09:22 AM

Thank you so much :)



#10 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male

Posted 12 June 2015 - 01:56 PM

You're very welcome.
Take care.

#11 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male

Posted 12 June 2015 - 01:56 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



