Jump to content

InternetSecurity2010 or Antivirus2010


Recommended Posts

In spite of McAfee current antivirus signatures ( and indicating it stopped a virus) the subject variants are popping up. I havent gone thru the combo tool yet, but these are the steps taken on the infected Windows XP computer that has Malwarebytes loaded and current as of yesterday (but will not currently run).

Booting into safe mode task manager shows whenever a program (malwarebytes, etc) is attempted to be run (other than for instance windows explorer) msascuai.exe runs. Searching for this, it is found in docs settings\locals\applicdata and there is a prefetch file msascui.exe-099fd6d4.pf also. Renaming the extensions on these disables the popups, but no programs run and windows explorer shows directories, but no files.

Renaming msascui back to .exe continues the popups if the process isnt ended immediatly in task manager. But then programs such a mbam.exe will not run.

Renaming mbam.exe to winlogin.exe gives the same result when trying to execute.

Downloaded rootrepeal.zip on another computer from malwarebytes forum link and copied rootrepeal.exe to desktop of infected computer via cd (based on mbam wont run TDL2 instructions).

Safe mode startup - rootrepeal executes and is resident after stopping msacui.exe via task manager!

Scan files with rootrepeal and nothing found B).

Started firefox to try Kaspersky on line scan and Internetsecurity2010 pops up.

Not sure what might be a next step and hoping for some guidance. This is a very nasty malware....

I do have a clone of the hard drive from 4 months back and could load it as a secondary, but do not want to risk tranfering the infection.

Comments?

Thanks.

F

Link to post
Share on other sites

In addition to the information above, was able to run Hijack This ver2.02, but cannot burn the log to a cd (no cd in drive error) with windows cd burner, and other programs such as nero do not run...

Thx

I booted up (not in safe mode since that was the problem with not being able to burn above) and with the virus mscuai.exe showing in task manager, was able to capture and transfer the HyjackThis log. Here is the log, although it does not show the mscuai running that I can see. I also have logs from in safe mode with and without the process showing as running in task manager.

Hope this helps as I am stumped for whats next at this point. Apologies for the multiple posts, but I couldn't see an edit option for an existing post.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:56:40 PM, on 3/5/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16981)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ISS\Proventia Desktop\blackd.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\ISS\Proventia Desktop\RapApp.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\ISS\Proventia Desktop\vpatch.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Caere\OmniPagePro80\opware32.exe

C:\Program Files\ISS\Proventia Desktop\blackice.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\ntvdm.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\MSASCui.exe

C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro80\opware32.exe

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Proventia Desktop Agent.lnk = ?

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.1.0...inAxControl.CAB

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128279942546

O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe

O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe

O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

--

End of file - 6727 bytes

Link to post
Share on other sites

I have hopefully just removed InternetSecurity 2010. I used system restore to go back a couple of days. MalwareBytes was then allowed to run, was updated and apparently removed the infection.

One of my early steps was to turn off system restore, as some viruses "hide" there, so this is not an option for me. Hope it works for you. I'm hoping the hijack log reveals a clue to a knowledgeable person.

Thx

F

Link to post
Share on other sites

It appears that a self help solution solved the problem and purged the maleware!

The process used came from bleepingcomputer.com/virus-removal/remove-maleware-defense core advice (step 7 and on)

Boot up normal mode, maleware running

copied rkill and randomly named mbam.exe to desktop

ran rkill - log shown

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Ran as Administrator on 03/06/2010 at 8:44:57.

Processes terminated by Rkill or while it was running:

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Caere\OmniPagePro80\opware32.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\MSASCui.exe

C:\Program Files\McAfee\VirusScan Enterprise\SCAN32.EXE

C:\Documents and Settings\Administrator\Desktop\iExplore.exe

Rkill completed on 03/06/2010 at 8:45:17.

virus stopped

copied renamed mbam.exe to malewarebytes program folder

ran renamed mbam.exe

malwarebytes ran

udated malwarebytes

ran

log is shown

Malwarebytes' Anti-Malware 1.44

Database version: 3829

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

3/6/2010 10:17:17 AM

mbam-log-2010-03-06 (10-16-53)afterkillroot.txt

Scan type: Full Scan (C:\|)

Objects scanned: 212362

Time elapsed: 1 hour(s), 12 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 4

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Administrator\Local Settings\Application Data\MSASCui.exe (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RUEEENLI\z002106201r0409Rf6bd6fd1Xf1b01a92Yba209036Z0100f07030dP000201080[1] (Trojan.FakeAlert) -> No action taken.

Virus entries were cleaned.

Rebooted appears normal!!!!

Rescanning with Mbytes and Antivirus program and kysperski online scan, but expect them to come up as OK.

Thanks to this and other help forums!! :P

F

Link to post
Share on other sites

  • 2 weeks later...
Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.