#76 - June 27th, 2010, 11:12 PM
Jintan, Cyber Tech Help Moderator
Join Date: Dec 2004
Posts: 52,284
That syssvc.exe file name suggests a fake security software, so it's good ComboFix removed that. Some malware-created proxy settings show that we need to address, and then we need to check for possible rootkit activity before anything else.


Code:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"=-
"ProxyOverride"=-
Open Notepad (Start Search, type Notepad then press OK), and copy the text inside the box above and paste it into the open Notepad textbox.

Save this to your desktop as "fixer.reg"

Be sure to include the "" quotes in the name.

Then right click fixer.reg, select Merge, and allow it to merge the new information with the Registry.

-----------------

Download Gmer's mbr.exe from here and place it on your C drive (so the file is then C:\mbr.exe).

Go to Start Search, type cmd.exe in the Start Search box. Cmd.exe will appear at the top of the Menu. Right-click on it and choose "Run as administrator". At the prompt copy/paste the following, pressing Enter after:

cd\

mbr.exe -t


Then type exit and press Enter to close the command window.

The report created in the command window will have been saved to C:\mbr.log. Locate that and post it here please.
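An added PowerShell example (not from the post above, and not a tool the thread uses) that does the same job as the .reg file in an auditable way: it lists the per-user WinINet proxy values under that key first, then deletes ProxyServer and ProxyOverride exactly as the `=-` lines do and clears the ProxyEnable flag. ProxyEnable and the two function names are additions here, not something the post mentions. Run it with -WhatIf first to see what would change, and keep the values if the machine legitimately needs a corporate proxy.

```powershell
# Added example, not part of the forum thread. Audits and removes the
# per-user (HKCU) WinINet proxy values that malware commonly plants and
# that the REGEDIT4 fix above deletes.
# Assumption: the values present are the malware-set ones, not a proxy
# the user relies on; check the "Before:" listing before applying.

$key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$names = 'ProxyEnable', 'ProxyServer', 'ProxyOverride'

function Get-WinInetProxySettings {
    # Report the current values; an empty Value column means the value is absent.
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    foreach ($n in $names) {
        [pscustomobject]@{ Name = $n; Value = $props.$n }
    }
}

function Remove-WinInetProxySettings {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Mirrors "ProxyServer"=- and "ProxyOverride"=- in the .reg file: the
    # values are deleted outright rather than blanked. ProxyEnable is then
    # set to 0 so WinINet (Internet Explorer and anything using its stack)
    # falls back to a direct connection.
    foreach ($n in 'ProxyServer', 'ProxyOverride') {
        if ($PSCmdlet.ShouldProcess("$key\$n", 'Remove value')) {
            Remove-ItemProperty -Path $key -Name $n -ErrorAction SilentlyContinue
        }
    }
    if ($PSCmdlet.ShouldProcess("$key\ProxyEnable", 'Set to 0')) {
        Set-ItemProperty -Path $key -Name ProxyEnable -Value 0 -Type DWord
    }
}

'Before:'; Get-WinInetProxySettings | Format-Table -AutoSize
Remove-WinInetProxySettings -WhatIf   # drop -WhatIf to actually apply the change
'After:';  Get-WinInetProxySettings | Format-Table -AutoSize
```

Because the key is under HKCU, the script must run as the affected user account; an elevated prompt opened as a different administrator account would edit that administrator's settings instead.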
#77 - July 1st, 2010, 03:06 PM
ryno, Senior Member
Join Date: Aug 2007
Posts: 181
How do I do this?

Download Gmer's mbr.exe from here and place it on your C drive (so the file is then C:\mbr.exe).

I can't give it that specific pathway. Not sure if it's a Vista thing or part of the computer protecting itself.

Right now it's here:

C:\Users\ryan\Desktop

Last edited by ryno; July 1st, 2010 at 06:27 PM.
#78 - July 2nd, 2010, 01:08 AM
Jintan, Cyber Tech Help Moderator
Join Date: Dec 2004
Posts: 52,284
You really shouldn't have problems saving to the C drive folder, but we can adapt to the changes you made. Just use these commands instead:

cd C:\Users\ryan\Desktop

mbr.exe -t
#79 - July 3rd, 2010, 05:44 PM
ryno, Senior Member
Join Date: Aug 2007
Posts: 181
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll dxgkrnl.sys
kernel: MBR read successfully
user & kernel MBR OK
#80 - July 3rd, 2010, 11:36 PM
Jintan, Cyber Tech Help Moderator
Join Date: Dec 2004
Posts: 52,284
That shows as okay. What folder/location did you run it from?

Let's do some scans now to check for any remaining malware.


To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each program through Start - Programs.


Open and update Malwarebytes.

* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform quick scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by Malwarebytes and can be viewed by clicking the Logs tab in Malwarebytes.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

---------------

Disable your antivirus program and go here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan, or download the installer to run it in a different browser). If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple minutes for the scanner to get ready. Next, check the following boxes:

Remove found threats
Scan unwanted applications


Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).

Click Start. This scan may take a while, so please be patient. A log may open when the scan is complete (if not, go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt). Click Edit - Select All then copy/paste that log back here please.


If you have any problems getting Eset started, one work-around is to have an open Internet connection, and then click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file, and follow the same previous steps to run the scan.

Post that log and the Malwarebytes log please.
#81 - July 4th, 2010, 01:51 AM
ryno, Senior Member
Join Date: Aug 2007
Posts: 181
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll ndis.sys athr.sys dxgkrnl.sys igdkmd32.sys tcpip.sys NETIO.SYS win32k.sys
kernel: MBR read successfully
user & kernel MBR OK



Don't think I did it correctly the first time. As you can see this has more info. As far as where I ran it from, I'm pretty sure it's the desktop.
#82 - July 4th, 2010, 07:53 PM
Jintan, Cyber Tech Help Moderator
Join Date: Dec 2004
Posts: 52,284
Yes, that is the right log this time. And it looks all okay, so go ahead with these other scans please.
#83 - July 4th, 2010, 09:23 PM
Lisafxtrader, New Member
Join Date: Oct 2005
O/S: Windows XP Home
Posts: 24
Vista HP - IE AV VISTA got my computer

I have Norton I did not install. If I go to safe mode and try to install it (I can't do anything with this AV Vista thing - it pops up continually) and run it, will this handle it?

If not, what should I do please? Thanks! Lisa
#84 - July 4th, 2010, 09:24 PM
Lisafxtrader, New Member
Join Date: Oct 2005
O/S: Windows XP Home
Posts: 24
I'm not sure if I am posting in the right area? I just saw somebody else had the same problem so posted a reply here - is there another area I should be doing it at?
#85 - July 5th, 2010, 11:56 AM
smurfy, Cyber Tech Help Moderator
Join Date: Sep 2000
O/S: Linux
Location: Christchurch New Zealand
Posts: 9,539
Hi Lisafxtrader.
You've done the right thing now by starting your own topic.
I'm sure one of the malware removal experts will help you as soon as they can in that thread. This one is dedicated to helping ryno clean his particular infection.
#86 - July 5th, 2010, 06:32 PM
ryno, Senior Member
Join Date: Aug 2007
Posts: 181
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4278

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

7/5/2010 10:28:06 AM
mbam-log-2010-07-05 (10-28-06).txt

Scan type: Quick scan
Objects scanned: 136351
Time elapsed: 6 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
#87 - July 5th, 2010, 08:00 PM
ryno, Senior Member
Join Date: Aug 2007
Posts: 181
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=c39a70977b86c34aafd877bab8721f75
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-05 06:55:13
# local_time=2010-07-05 11:55:13 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=5892 16776573 100 100 0 114960442 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=125876
# found=2
# cleaned=2
# scan_time=3199
C:\Program Files\Acer GameZone\Jewel Quest Solitaire\aJewelQuestSolitaire.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Users\ryan\AppData\Local\syssvc.exe.vir Win32/Fuclip.BJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Last edited by ryno; July 5th, 2010 at 08:02 PM.
#88 - July 6th, 2010, 02:04 AM
Jintan, Cyber Tech Help Moderator
Join Date: Dec 2004
Posts: 52,284
Thanks smurfy. Looking pretty good now ryno. Eset only picked up an infection ComboFix already removed to its Qoobox quarantine folder, and then it looks like it mistakenly ID'd that legit game file as malware. You "might" be able to have it return that by running the Eset scan again, and if the option then shows, check "Manage quarantine".

No malware now, and things look cleaned up there. Before we do some final steps, and remove what our work added to your system, post back how things are running now please.
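As an added example (not part of the thread, and not an ESET or ComboFix tool), a PowerShell parser that reads an ESET Online Scanner log the way Jintan does above: it separates the `# key=value` header from the detection lines, flags hits whose path sits inside ComboFix's C:\Qoobox\Quarantine folder (already removed, so not a live infection), and marks heuristic "probably a variant" calls that deserve a second look before trusting them. The sample log is constructed from the lines ryno posted earlier in this thread; the function name and the detection-line regex are assumptions based on those lines, not ESET's documented format.

```powershell
# Added example, not from the forum thread. Triage an ESET Online Scanner
# log: which hits were live, which were already sitting in ComboFix's
# quarantine, and which are heuristic detections (possible false positives).

# Constructed sample, assembled from lines posted in this thread.
$sampleLog = @'
# version=7
# scanned=125876
# found=2
# cleaned=2
# scan_time=3199
C:\Program Files\Acer GameZone\Jewel Quest Solitaire\aJewelQuestSolitaire.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Users\ryan\AppData\Local\syssvc.exe.vir Win32/Fuclip.BJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
'@

# Assumed line layout: <path> <threat name> (<action>) <32-hex hash> <flag>.
# The path is everything up to the last backslash plus one non-space token;
# threat names use forward slashes, so the last backslash always ends the path.
$detectionPattern = '^(?<path>[A-Za-z]:\\(?:.*\\)?\S+)\s+(?<threat>.+?)\s+\((?<action>[^)]*)\)\s+(?<hash>[0-9a-fA-F]{32})\s+\S+$'
$quarantineRoot   = 'C:\Qoobox\Quarantine\*'   # ComboFix keeps removed files here

function ConvertFrom-EsetLog {
    param([string]$Text)
    $header = @{}
    $hits   = @()
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^#\s*(\w+)=(.*)$') {
            $header[$Matches[1]] = $Matches[2]
            continue
        }
        if ($line -match $detectionPattern) {
            $hits += [pscustomobject]@{
                Path               = $Matches['path']
                Threat             = $Matches['threat']
                Action             = $Matches['action']
                # "probably a variant of ..." is a heuristic verdict, not a signature match
                Heuristic          = $Matches['threat'] -like 'probably*'
                # Anything under Qoobox\Quarantine was neutralised by ComboFix already
                AlreadyQuarantined = $Matches['path'] -like $quarantineRoot
            }
        }
    }
    [pscustomobject]@{ Header = $header; Hits = $hits }
}

$r = ConvertFrom-EsetLog -Text $sampleLog
'Scanner header: found={0} cleaned={1}' -f $r.Header['found'], $r.Header['cleaned']
$r.Hits | Format-Table Path, Threat, Heuristic, AlreadyQuarantined -AutoSize

$live = @($r.Hits | Where-Object { -not $_.AlreadyQuarantined })
'Live detections needing a decision: {0}' -f $live.Count
foreach ($h in $live) {
    if ($h.Heuristic) { "  Heuristic hit on $($h.Path): verify before trusting the verdict" }
    else              { "  Signature hit on $($h.Path): treat as a real infection" }
}
```

On the sample, the Fuclip hit is reported as already quarantined and the game executable as the single live, heuristic detection, which matches the reading in the post above. The hash column in the posted log is all zeros, so it is captured but not used for anything.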
#89 - July 6th, 2010, 03:00 AM
ryno, Senior Member
Join Date: Aug 2007
Posts: 181
Everything that I've used works well and seems just as fast as before that very dark day when I checked into the AV Security 'Suite'. IE is (obviously) back to its former state of dubious glory. Firefox, Adobe, Excel and the other stuff I've used since are all 'normal' as far as I can tell.
#90 - July 6th, 2010, 04:19 AM
Jintan, Cyber Tech Help Moderator
Join Date: Dec 2004
Posts: 52,284
Very good. If we have not discussed it yet here, be sure to open Java in the Control Panel and update to the latest version. For now though, we just need to remove what our work added to your system to finish up here.


Eset, if you don't plan to use it again, uninstalls through Add/Remove Programs.


You can also at this time delete the files/folders of the tools we used. To assist with some of that download OTC.exe by OldTimer to your desktop. This will help by automatically removing some of the tools we used.

Just click OTC.exe, then click CleanUp, and select Yes. When it finishes removing some of the tools and files we used there just agree to the reboot, and OTC should self-delete once the system has rebooted (if not just delete the OTC.exe file).

-------------------------

Then a good idea is to reset the System Restore. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, and check the box that says "Turn off System Restore on all drives" and click Apply.

You will be asked if you are sure, click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer.

When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box and click Apply. OK.



In addition, I like to recommend reviewing the information Here to make sure you stay malware free.
All times are GMT +1.