Security master av removal

Solved/Closed
rubyg - Sep 8, 2010 at 04:42 AM
Gervarod Posts 306 Registration date Saturday March 27, 2010 Status Member Last seen June 8, 2014 - Sep 16, 2010 at 06:54 AM
Hello,


I have been trying for two days to get rid of this virus. I have done loads, both in safe mode and normal mode, and managed to get rid of thousands, I kid you not, of viruses, worms, trojans and items related to this damn Security Master AV. All were removed. I am now round the bend, as it is not in the Add/Remove Programs list; I cannot find it anywhere, but it is in the Windows Security Centre running the firewall and antivirus. I cannot download AVG as it only gets halfway and tells me to uninstall this program; I can't, so I can't get AVG. Also, I have run the removal tool found through Google, which didn't work, and went through all the steps on two different websites to remove this, and nothing has worked.
Now when I run Malwarebytes, Spybot S&D etc., it comes up clean, but Security Master AV is lurking on here somewhere. How can I find it and get rid of it, before I kill myself?

45 replies

kill'em txt:-

¤¤¤¤¤¤¤¤¤¤ Kill'em by g3n-h@ckm@n 2.1.0.5 ¤¤¤¤¤¤¤¤¤¤

User : User (Administrators)
Update on 12/09/2010 by g3n-h@ckm@n ::::: 16.00
Start at: 21:56:28 | 13/09/2010

Intel(R) Celeron(R) M processor 1.40GHz
Microsoft Windows XP Home Edition (5.1.2600 32-bit) # Service Pack 3
Internet Explorer 8.0.6001.18702
Windows Firewall Status : Enabled
AV : Security Master AV [ Enabled | Updated ]
FW : Security Master AV[ Enabled ]

C:\ -> Local Fixed Disk | 37.25 Go (32.72 Go free) | NTFS
D:\ -> CD-ROM Disc


¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ------- Memory(Ko)

C:\WINDOWS\System32\smss.exe ----400 Ko
C:\WINDOWS\system32\csrss.exe ----3464 Ko
C:\WINDOWS\system32\winlogon.exe ----3100 Ko
C:\WINDOWS\system32\services.exe ----3376 Ko
C:\WINDOWS\system32\lsass.exe ----1664 Ko
C:\WINDOWS\system32\svchost.exe ----4784 Ko
C:\WINDOWS\system32\svchost.exe ----4248 Ko
C:\WINDOWS\System32\svchost.exe ----24364 Ko
C:\WINDOWS\system32\svchost.exe ----3452 Ko
C:\WINDOWS\system32\svchost.exe ----6188 Ko
C:\WINDOWS\Explorer.EXE ----18988 Ko
C:\WINDOWS\system32\spoolsv.exe ----4580 Ko
C:\WINDOWS\system32\svchost.exe ----3700 Ko
C:\WINDOWS\system32\svchost.exe ----4132 Ko
C:\WINDOWS\AGRSMMSG.exe ----2448 Ko
C:\WINDOWS\system32\keyhook.exe ----4288 Ko
C:\Program Files\Messenger\msmsgs.exe ----1856 Ko
C:\WINDOWS\system32\sistray.exe ----4244 Ko
C:\WINDOWS\System32\alg.exe ----3540 Ko
C:\WINDOWS\System32\svchost.exe ----3384 Ko
C:\WINDOWS\system32\cmd.exe ----2928 Ko
C:\WINDOWS\system32\wbem\wmiprvse.exe ----6676 Ko
C:\Program Files\List_Kill'em\ERUNT.EXE ----3264 Ko
C:\Program Files\List_Kill'em\pv.exe ----2232 Ko

¤¤¤¤¤¤¤¤¤¤ Files/folders :

Quarantined & Deleted !! : C:\WINDOWS\SET3.tmp
Quarantined & Deleted !! : C:\WINDOWS\SET4.tmp
Quarantined & Deleted !! : C:\WINDOWS\SET8.tmp

Quarantined & Deleted !! : C:\Documents and Settings\User\LOCAL Settings\Temp\SSUPDATE.EXE

¤¤¤¤¤¤¤¤¤¤ Hosts ¤¤¤¤¤¤¤¤¤¤

127.0.0.1 localhost

¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤

Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser : {0E5CBF21-D15F-11D0-8301-00AA005B4383}
Deleted : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : DisallowRun
Deleted : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : NoFind
Deleted : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : NoLogoff
Deleted : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : NoRun
Deleted : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : NoSetFolders

¤¤¤¤¤¤¤¤¤¤ Internet Explorer ¤¤¤¤¤¤¤¤¤¤

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
Start Page = https://www.msn.com/fr-fr/?ocid=iehp
Local Page = C:\WINDOWS\system32\blank.htm
Default_Search_URL = https://www.bing.com/?toHttps=1&redig=53EEB45F21EA47F2B95DF58497B5E6B6
Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
Search Page = https://www.bing.com/?toHttps=1&redig=53EEB45F21EA47F2B95DF58497B5E6B6

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Start Page = https://www.google.com/?gws_rd=ssl
Local Page = C:\WINDOWS\system32\blank.htm
Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

¤¤¤¤¤¤¤¤¤¤ Security Center ¤¤¤¤¤¤¤¤¤¤

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
FirstRunDisabled = 1 ()
AntiVirusDisableNotify = 0 (0x0)
FirewallDisableNotify = 0 (0x0)
UpdatesDisableNotify = 0 (0x0)
AntiVirusOverride = 0 (0x0)
FirewallOverride = 0 (0x0)
AntiSpywareOverride = 0 (0x0)

¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤

Ndisuio : Start = 3
EapHost : Start = 2
Ip6Fw : Start = 2
SharedAccess : Start = 2
wuauserv : Start = 2
wscsvc : Start = 2

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
Disk Cleaned
anti-ver blaster : OK
Prefetch cleaned
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

FEATURE_BROWSER_EMULATION | svchost :
====================================


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK




¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ ( EOF ) ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
0
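The Kill'em report above shows the three traces a rogue like this one leaves behind: a product that has registered itself as both the antivirus and the firewall in the Windows Security Center, Explorer lockdown policies (DisallowRun, NoRun, NoFind, NoLogoff, NoSetFolders) under HKCU that block the user from running or finding tools, and the Security Center override flags that decide whether Windows warns about a missing AV. The script below is an added example, not code from the thread or from the Kill'em tool: it parses a report in that format and flags those indicators so a helper triaging such a log does not have to read it line by line. The SAMPLE_REPORT is constructed in the shape of the posted log (with FirewallOverride changed to 1 to exercise that check), and KNOWN_AV_VENDORS is a hypothetical allowlist that you would replace with the products actually deployed on the machine.

```python
"""Triage a Kill'em-style diagnostic report for rogue-AV indicators.

Added example; not part of Kill'em or of the forum thread. The report text,
the vendor allowlist and the policy-name set are assumptions described in the
comments, not output of any real run.
"""
import re

# Constructed sample, modelled on the Kill'em report posted in the thread.
# FirewallOverride is set to 1 here (the real log showed 0) so that the
# override check below has something to report.
SAMPLE_REPORT = r"""
User : User (Administrators)
Windows Firewall Status : Enabled
AV : Security Master AV [ Enabled | Updated ]
FW : Security Master AV[ Enabled ]

¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤

Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser : {0E5CBF21-D15F-11D0-8301-00AA005B4383}
Deleted : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : DisallowRun
Deleted : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : NoRun

¤¤¤¤¤¤¤¤¤¤ Security Center ¤¤¤¤¤¤¤¤¤¤

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
FirstRunDisabled = 1 ()
AntiVirusOverride = 0 (0x0)
FirewallOverride = 1 (0x1)
"""

# Hypothetical allowlist: substitute the products you know are installed.
KNOWN_AV_VENDORS = {"AVG", "Avast", "Microsoft", "Symantec", "McAfee"}

# Explorer policy values that lock a user out of Run, Search, Logoff, etc.
# The first five appear in the posted log; the rest are other documented
# values of the same policy key that rogues commonly set.
LOCKDOWN_POLICIES = {
    "DisallowRun", "NoRun", "NoFind", "NoLogoff", "NoSetFolders",
    "NoControlPanel", "NoDesktop", "NoFolderOptions",
}


def parse_security_products(report):
    """Return {'AV': name, 'FW': name} from the 'AV : X [ ... ]' header lines."""
    products = {}
    for m in re.finditer(r"^(AV|FW)\s*:\s*(.+?)\s*\[", report, re.M):
        products[m.group(1)] = m.group(2).strip()
    return products


def parse_deleted_explorer_policies(report):
    """Return the value names Kill'em deleted under HKCU\\...\\Policies\\Explorer."""
    pattern = r"^Deleted\s*:\s*HKCU\\.*?\\Policies\\Explorer\s*:\s*(\w+)\s*$"
    return [m.group(1) for m in re.finditer(pattern, report, re.M)]


def parse_security_center(report):
    """Return the numeric values listed under the Security Center key."""
    m = re.search(
        r"\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\]\n(.*?)(?:\n\s*\n|\Z)",
        report, re.S)
    if not m:
        return {}
    values = {}
    for line in m.group(1).splitlines():
        kv = re.match(r"^(\w+)\s*=\s*(\d+)", line)
        if kv:
            values[kv.group(1)] = int(kv.group(2))
    return values


def assess(report):
    """Return a list of human-readable findings for the report."""
    findings = []
    for role, name in sorted(parse_security_products(report).items()):
        if not any(v.lower() in name.lower() for v in KNOWN_AV_VENDORS):
            findings.append(f"{role} product '{name}' is not on the vendor allowlist")
    lockdown = sorted(p for p in parse_deleted_explorer_policies(report)
                      if p in LOCKDOWN_POLICIES)
    if lockdown:
        findings.append("Explorer lockdown policies were present: " + ", ".join(lockdown))
    centre = parse_security_center(report)
    for flag in ("AntiVirusOverride", "FirewallOverride", "AntiSpywareOverride"):
        if centre.get(flag) == 1:
            findings.append(f"Security Center {flag} is set, so Windows will not warn about {flag[:-8]}")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_REPORT):
        print("-", finding)
```

Run it as-is to see the four findings for the constructed sample; to triage a real report, read the file into a string and pass it to `assess()`. A product that registers itself as both AV and firewall under a name nobody installed, together with Explorer policies that disable Run and Search, is exactly the pattern the original poster describes seeing in the Security Centre.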
I downloaded UsbFix and ran it. When it opened I could not see a "Suppress" button; the only buttons I see are as follows:
Research - Deletion - Listing - Vaccinate - Uninstall - Options and Exit
0
Anonymous User
Sep 13, 2010 at 04:49 PM
Deletion
0
Anonymous User
Sep 14, 2010 at 12:44 AM
Hello, I will not be here until tomorrow evening, sorry for this wait.
0
OK thanks, I have run UsbFix; here is the log:-

############################## | UsbFix 7.024 | [Deletion]

User: User (Administrator) # USER-5EE492C982 [ ]
Updated 09/09/10 by El Desaparecido / C_XX
Started at 06:43:13 | 14/09/2010
Website: http://www.teamxscript.org
Contact: FindyKill.Contact@gmail.com

CPU: Intel(R) Celeron(R) M processor 1.40GHz
Microsoft Windows XP Home Edition (5.1.2600 32-Bit) # Service Pack 3
Internet Explorer 8.0.6001.18702

Windows Firewall: Enabled
Antivirus: Security Master AV [Enabled | Updated]
Firewall: Security Master AV [Enabled]
RAM -> 223 Mb
C:\ (%systemdrive%) -> Fixed drive # 37 Gb (33 Mb free - 88%) [] # NTFS
D:\ -> CD-ROM

################## | Files # Infected Folders |


################## | Registry |


################## | Mountpoints2 |

Deleted ! HKCU\.\.\.\.\Explorer\MountPoints2\E
Deleted ! HKCU\.\.\.\.\Explorer\MountPoints2\{141be38c-1d4f-11de-aca1-0016ec0068d5}
Deleted ! HKCU\.\.\.\.\Explorer\MountPoints2\{141be38e-1d4f-11de-aca1-0016ec0068d5}
Deleted ! HKCU\.\.\.\.\Explorer\MountPoints2\{33f8aa68-1265-11de-ac94-0016ec0068d5}
Deleted ! HKCU\.\.\.\.\Explorer\MountPoints2\{523723ba-3a74-11de-acd5-0016ec0068d5}
Deleted ! HKCU\.\.\.\.\Explorer\MountPoints2\{911416aa-10c2-11de-ac8c-0016ec0068d5}
Deleted ! HKCU\.\.\.\.\Explorer\MountPoints2\{92fe82e4-1163-11de-ac90-0016ec0068d5}
Deleted ! HKCU\.\.\.\.\Explorer\MountPoints2\{9d9112a2-34f3-11de-accc-0016ec0068d5}
Deleted ! HKCU\.\.\.\.\Explorer\MountPoints2\{af2ef061-7e86-11de-ad05-0016ec0068d5}

################## | Listing |

[13/09/2010 - 22:09:58 | A | 4] C:\AUTOEXEC.BAT
[12/09/2010 - 21:26:46 | SH | 211] C:\boot.ini
[14/03/2009 - 18:29:35 | A | 0] C:\CONFIG.SYS
[09/09/2010 - 07:07:45 | D ] C:\Documents and Settings
[07/09/2010 - 08:55:57 | D ] C:\go
[14/03/2009 - 18:29:35 | RASH | 0] C:\IO.SYS
[13/09/2010 - 21:56:31 | D ] C:\Kill'em
[12/09/2010 - 21:54:32 | A | 24688] C:\List'em.txt
[14/03/2009 - 18:29:35 | RASH | 0] C:\MSDOS.SYS
[14/04/2008 - 13:00:00 | RASH | 47564] C:\NTDETECT.COM
[14/04/2008 - 13:00:00 | RASH | 250048] C:\ntldr
[14/09/2010 - 06:39:50 | ASH | 352321536] C:\pagefile.sys
[12/09/2010 - 21:39:13 | RD ] C:\Program Files
[14/09/2010 - 06:43:53 | SHD ] C:\RECYCLER
[08/09/2010 - 14:05:11 | A | 390] C:\rkill.log
[10/09/2010 - 08:15:57 | SHD ] C:\System Volume Information
[14/09/2010 - 06:43:53 | D ] C:\UsbFix
[14/09/2010 - 06:43:54 | A | 733] C:\UsbFix.txt
[13/09/2010 - 22:09:43 | D ] C:\WINDOWS

################## | Vaccin |

C:\Autorun.inf -> Folder created by UsbFix (El Desaparecido & C_XX)

################## | E.O.F |

I notice it still says Security Master AV enabled at the top of this report!
0
Anonymous User
Sep 15, 2010 at 05:29 PM
OK hello, I'm coming back now ^^

Download here: OTL

Save it on your desktop.

If you have XP => double click
If you have Vista or Windows 7 => right click "Run as ...."

OTL.exe is about to launch.

- Tick the 2 boxes "LOP" and "Purity"

- Please check the box in front of "All users"

- Rule on file age: 60 days

- In the left half, put everything on "All"

Do not change this:

"File created" and "Changed files"

- Click on Analysis.

At the end of the scan, Notepad will open with the report (OTL.txt).

This file is on your desktop (usually C:\Documents and Settings\session name\OTL.txt)

- DO NOT POST IT ON THE FORUM

To send it to me, click on this link: http://www.cijoint.fr/

- Click on Browse and look for the above file.

- Click Open.

- Click on "Click here to submit the file".

Just at the bottom, at the end of loading the file, a link of this form will appear:

http://www.cijoint.fr/cjlink.php?file=cjge368/cijSKAP5fU.txt

- Copy this link in your answer.

- You will do the same thing with the "Extra.txt", which logically will also be on your desktop.
0
Anonymous User
Sep 15, 2010 at 07:56 PM
(Google's translator is very bad!!) lol
0
Hello, the problem is solved!
Last night I was browsing some forums while you were away, just because I had nothing else to do, and someone suggested I run ComboFix and post the log into the forum (not this one), just to see if they could spot anything. But it turns out that as soon as I started ComboFix, the Windows Security Centre icon popped up to say the firewall was switched off and there was no antivirus installed. I knew then it was fixed, as up until then Security Master AV had full control of both. I let ComboFix run and it even fixed the Windows Recovery Console, which had disappeared. I did not even need to post the log. I don't know how it did it, but the laptop is free of Security Master AV now. Thank you all so much for your help; you have been brilliant and so patient.
0
Anonymous User
Sep 16, 2010 at 06:04 AM
OK, perhaps, but you are still infected. ComboFix doesn't delete all of the infection, but I see you prefer to use some tools without knowing what they really do, so I think you can do your disinfection alone.

I didn't tell you to run ComboFix.

Your machine could be out of order with ComboFix, and also, what would you do with a machine out of order??

Goodbye
0
Gervarod Posts 306 Registration date Saturday March 27, 2010 Status Member Last seen June 8, 2014 21
Sep 16, 2010 at 06:54 AM
Well gen-hackman, the person took the risk without you telling him or her to use it; they cannot blame you that their computer or laptop is stuffed up, and they should blame themselves, not you.

The only way I would use it is if someone like you tells me to use it.
0