  #1  
Old 05-August-2010, 19:49
Unpeeled
Guest
 
Posts: n/a
Default Security Master - Ransomware...

Evening All,

Got the dreaded 'Your computer is infected, click here' virus on my laptop.

Downloaded and memory-sticked the Malwarebytes onto it, MA spotted the virus, removed, rebooted and then virus came back.

The infected laptop hasn't been connected to the net during the attempted removal.

Now, I am as you know (Hallo Jonny Reb) a completely tech-free idiot, so by the numbers instructions on how to remove this bugger will be very much appreciated.

Cheers,

Shane
@ Unpeeled
  #2  
Old 05-August-2010, 19:57
Unpeeled
Guest
 
Posts: n/a
Default Re: Security Master - Ransomware...

test
  #3  
Old 05-August-2010, 21:30
JohnnyReb51
Screamager
 
Join Date: Apr 2001
Location: UK.
Posts: 2,484
Default Re: Security Master - Ransomware...

Hiya.

Mbam should get rid of it, but you need to stop the Security Master program first, using another program (Rkill). And then use some other apps during the cleaning process. They are all free and small in size.

You will need Rkill and Mbam. There are some renamed Mbam versions there if needed, e.g. Iexplore.exe, Explorer.exe; these are to fool the SM scumware. Also hotsp*rm.bat, and there are also a variety of host files for various flavours of winblows, if needed.

Rather than me type it all out, I found some pretty comprehensive removal instructions at the site below, read it all first, download what is needed in preparation first, then do it.

It says to print off the instructions, but seeings though you are using another PC/Other you can just follow them from that PC's/other browser and commit the cleaning act on the Laptop. :)

http://www.bleepingcomputer.com/viru...rity-master-av
__________________
JR51.
  #4  
Old 05-August-2010, 21:44
JohnnyReb51
Screamager
 
Join Date: Apr 2001
Location: UK.
Posts: 2,484
Default Re: Security Master - Ransomware...

Amendment to the above post, the Iexplore and Explorer are for Rkill, not Mbam.
__________________
JR51.
  #5  
Old 05-August-2010, 22:27
Unpeeled
Guest
 
Posts: n/a
Default Re: Security Master - Ransomware...

Thanks for that, I'll have a whack at it in the morning. The laptop actually belongs to my stepson and, at age 23, he's less techie than me, hard to imagine, but true.

So if I (with help) fix it all up, it's a point for ye olde geezers.

Cheers,

Shane
@ Unpeeled
  #6  
Old 06-August-2010, 08:32
JohnnyReb51
Screamager
 
Join Date: Apr 2001
Location: UK.
Posts: 2,484
Default Re: Security Master - Ransomware...

Hiya.

I had a similar experience on my granddaughter's laptop, way back, but I stopped the program through Task Manager, then ran Mbam and it was gone.

These infections are getting more and more sophisticated and harder to get rid of.

Anyway, let us know how it goes.
__________________
JR51.
  #7  
Old 06-August-2010, 09:34
Unpeeled
Guest
 
Posts: n/a
Default Re: Security Master - Ransomware...

Morning JR,

Short version is that I did as advised and the bugger is still on the laptop.

Any ideas?

Cheers,

Shane
@ Unpeeled
  #8  
Old 06-August-2010, 10:11
JohnnyReb51
Screamager
 
Join Date: Apr 2001
Location: UK.
Posts: 2,484
Default Re: Security Master - Ransomware...

Hiya.

Can you post a HiJackThis log here, so I can see what is what.
__________________
JR51.
  #9  
Old 06-August-2010, 10:40
Unpeeled
Guest
 
Posts: n/a
Default Re: Security Master - Ransomware...

Thanks for the rapid response, here's the logfile thingy...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:31, on 06/08/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Hewlett-Packard\Media\TV\TVAgent.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...vilion&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...vilion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...vilion&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDAgent] "C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe"
O4 - HKLM\..\Run: [TSMAgent] "C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
O4 - HKLM\..\Run: [CLMLServer for HP TouchSmart] "C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [TVAgent] "C:\Program Files\Hewlett-Packard\Media\TV\TVAgent.exe"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
O4 - HKLM\..\Run: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [O2Start] C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe /s
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Security Master AV] "C:\ProgramData\0cbf1a3\SM0cbf_2124.exe" /s /d
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &AOL Toolbar Search - C:\ProgramData\AOL\ieToolbar\resources\en-GB\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c92065b9\aestsrv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: FsUsbExService - Teruten - C:\Windows\system32\FsUsbExService.Exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\Windows\system32\Hpservice.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c92065b9\STacSV.exe
O23 - Service: TV Background Capture Service (TVBCS) (TVCapSvc) - Unknown owner - C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
O23 - Service: TV Task Scheduler (TVTS) (TVSched) - Unknown owner - C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe

--
End of file - 10097 bytes


Cheers,

Shane
@ Unpeeled
  #10  
Old 06-August-2010, 11:00
JohnnyReb51
Screamager
 
Join Date: Apr 2001
Location: UK.
Posts: 2,484
Default Re: Security Master - Ransomware...

Hiya.


There is one instance of SM in the registry, which runs at Startup, that is probably what you are seeing.

There is also a non-related entry with no file, so that can go as well.

So run HJT again, but as Scan only and put a check mark against the following 2 entries....


O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O4 - HKCU\..\Run: [Security Master AV] "C:\ProgramData\0cbf1a3\SM0cbf_2124.exe" /s /d



Then click on the Fix Button.

Close any other open windows/programs and restart the Laptop to see if it has gone.
__________________
JR51.
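
The by-eye triage in post #10, as an added example (not part of the thread and not a HijackThis feature): a Python pass over the O2 and O4 lines that flags BHOs with no backing file and Run-key autostarts launched from user-writable folders. The sample is an excerpt of the log posted above; the `triage` name and the `USER_WRITABLE` prefix list are assumptions made for illustration.

```python
import re

# Excerpt of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Security Master AV] "C:\ProgramData\0cbf1a3\SM0cbf_2124.exe" /s /d
O8 - Extra context menu item: &AOL Toolbar Search - C:\ProgramData\AOL\ieToolbar\resources\en-GB\local\search.html
"""

# Assumption: an autostart binary under one of these user-writable
# locations deserves a manual look; legitimate software usually
# starts from Program Files or the Windows directory.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\",
                 "%appdata%", "%localappdata%", "%temp%")

# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
BHO_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
# O4 lines: "O4 - <hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^O4 - (\S+?)\\\.\.\\Run: \[(.+?)\] (.+)$")


def triage(log_text):
    """Return (reason, identifier) pairs for entries worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        bho = BHO_RE.match(line)
        if bho:
            # A registered BHO whose DLL no longer exists is a leftover.
            if bho.group(3) == "(no file)":
                findings.append(("orphaned BHO", bho.group(2)))
            continue
        run = RUN_RE.match(line)
        if run:
            # Drop the opening quote, compare case-insensitively.
            command = run.group(3).lstrip('"').lower()
            if command.startswith(USER_WRITABLE):
                findings.append(("autostart from user-writable path",
                                 run.group(2)))
    return findings


if __name__ == "__main__":
    for reason, ident in triage(SAMPLE_LOG):
        print(f"{reason}: {ident}")
```

A flag here is a prompt to review the entry by hand, not proof that it is malicious; the O8 line under ProgramData is deliberately ignored because only O2 and O4 are examined.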
  #11  
Old 06-August-2010, 11:46
Unpeeled
Guest
 
Posts: n/a
Default Re: Security Master - Ransomware...

That seems to have nailed the little sod, thanks for the help.

I'm loading the laptop with anti-virus software now, the silly bugger had nothing before.

Putting in Malwarebytes / Advanced System Care / CCleaner / Hijack This / File Shredder
any other free programmes you recommend?

Cheers,

Shane
@ Unpeeled
  #12  
Old 06-August-2010, 12:47
JohnnyReb51
Screamager
 
Join Date: Apr 2001
Location: UK.
Posts: 2,484
Default Re: Security Master - Ransomware...

Hiya.

That's great news.

Having no AV, etc, at all, is not good. :(

I use very little in the way of AV's, etc. I run Avast AV in the background and scan when I feel like it, Outpost Firewall, which I have set to ask me what to let in or out, MalWareBytes which I use occasionally once a month, SuperAntiSpyware, which I use maybe quarterly and HJT once in a blue moon, that's it.

Other than that, the PC runs without user interference. :D

There is no point having gazillions of Security/AV/Scumware programs installed that may conflict with each other, the less the better.

I use Freeware ones which I find superior and outclass many if not all of the big corp ones.
__________________
JR51.