Democratic Underground
Can someone please help with security essentials 2010 virus?

Home » Discuss » DU Groups » Computers & Internet » Computer Help and Support Group

ThingsGottaChange (805 posts) Tue Feb-16-10 11:54 AM
Original message
Can someone please help with security essentials 2010 virus?
Been farting around with this POS for two days. I have a HijackThis log I can post if someone can help me with it. I can see a bunch of it on there but am not confident in doing this myself. Malwarebytes cleans things up but can't get all of this. I use Avira, Spybot, SpywareBlaster and Malwarebytes regularly and have tried numerous other apps, including AVG Anti-Rootkit and IObit 360. The "BUY THIS!!" pop-ups have stopped but the browser keeps getting redirected. Using Firefox on Vista Home Basic.

Please and Thank You!


Earth Bound Misfit (1000+ posts) Tue Feb-16-10 02:24 PM
Response to Original message
1. Have you tried any of the "canned" removal methods from RELIABLE sources?
Here are 3 links that look promising and use different tools... all FREE...

http://www.bleepingcomputer.com/virus-removal/remove-security-essentials-2010 (My favorite website for virus & malware info)
http://www.spyware-techie.com/security-essentials-2010-removal-guide/ (got EXCELLENT mark from WOT)
http://www.myantispyware.com/2010/02/15/how-to-remove-security-essentials-2010-uninstall-instructions/ (good rep from WOT)

If you cannot remove it yourself using any of these, or even if you do, I would consider starting a thread at one of these 2 sites (or others, if you choose):

Start here: MBAM Forum-- http://forums.malwarebytes.org/index.php?showtopic=9573 (I've observed rapid responses here)
Start here BleepingComputer-- http://www.bleepingcomputer.com/forums/topic41987.html (sometimes you have to wait, but worth it, IMHO)

Good luck, let me know if I can help in any way. One caveat: I am NOT an expert, fwiw. :hi:

ThingsGottaChange (805 posts) Tue Feb-16-10 06:06 PM
Response to Reply #1
2. I know what it is and where it is
but can't keep it removed. From the Malwarebytes log: C:\Windows\system32\Drivers\dhsxog.sys (Rootkit.Agent). This may be a separate issue from the security-essentials one, I don't know. I may have that one taken care of. Malwarebytes finds it and says it's removed. Hitman Pro finds it and says it's removed, but it is not removed. I've read through many forums, including the ones listed above. Is there any way to get this removed???

Yes, I'm going to post on Bleepingcomputer as well.

Please and Thank You!

CK_John (1000+ posts) Tue Feb-16-10 06:39 PM
Response to Reply #2
3. This may help: turn off System Restore (if it's on), or try to find the boot startup cmd.
Right-click My Computer, select Properties and then click "System Restore",
then check the box to turn off SR. This will close one possible path. Reboot and see if it's still there.

Start CCleaner and select Tools on the left. Then click on Startup. It will show a table of things that start at bootup. Look down the table for a line referencing (a suspect file); when found, click on the line to highlight it and then click on Disable at the bottom center. That's it.

Reboot; if clean, go back and delete the cmd that you disabled and clear the check box for System Restore.


Earth Bound Misfit (1000+ posts) Tue Feb-16-10 07:48 PM
Response to Reply #2
4. dhsxog.sys???? WTF????
Not a TRACE of this anywhere on the web. :wtf: Not even the BOGUS sites that try to get you to "run a scan for XYZABC.exe errors".

Try AutoRuns http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx or Process Explorer http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx from Sysinternals (if you haven't already done so), two EXCELLENT free utilities.

TDSSKiller by Kaspersky http://support.kaspersky.com/viruses/solutions?qid=208280684 has slain a number of these nasty rootkits... the flip side is I've read some threads that say this tool borked a few boxes, too, so use at your own risk. :shrug:

ThingsGottaChange (805 posts) Tue Feb-16-10 07:55 PM
Response to Reply #4
5. Figures, eh?
Go all these years without a hitch and now, Bam! Couldn't find a thing on this either. Ran Kaspersky's online scan. Tried the TDSSKiller but it didn't work. Can't remember exactly why, now. I just got a post up on bleepingcomputer with the logs they have you run. We'll see what happens there. They sure named that site perfectly, didn't they?

Thanks for all the info so far. I think my head's gonna explode now...

EvolveOrConvolve (1000+ posts) Tue Feb-16-10 09:04 PM
Response to Original message
6. Could you post the HijackThis log?
There's probably something in there that will be helpful. If not, I can tell you the steps I would take to get rid of the bugger.

ThingsGottaChange (805 posts) Tue Feb-16-10 09:26 PM
Response to Reply #6
7. Here's a fresh one
I appreciate any help with this :hi:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:20 PM, on 2/16/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Windows\system32\cmd.exe
C:\games\Secret Mission 2 The Forgotten Island\Secret_Mission_2_Forgotten_Island.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tmz.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7AFD21AD-B3D5-4700-AD74-B56FFA402841} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: ICO.EXE
O4 - HKUS\S-1-5-19\..\Run: %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: WinMail - Shortcut.lnk = C:\Program Files\Windows Mail\WinMail.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.buy-security-essentials.com
O15 - Trusted Zone: http://*.download-soft-package.com
O15 - Trusted Zone: http://*.download-software-package.com
O15 - Trusted Zone: http://*.get-key-se10.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.buy-security-essentials.com (HKLM)
O15 - Trusted Zone: http://*.get-key-se10.com (HKLM)
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 3D Viewer) - https://lowes.2020.net/Core/Player/2020PlayerAX_Win32.cab
O20 - AppInit_DLLs: lehelojo.dll c:\windows\system32\pozimadu.dll
O21 - SSODL: magugasek - {8a97161e-4ef1-41b9-9e46-a0cd363fd998} - (no file)
O22 - SharedTaskScheduler: tokatiluy - {8a97161e-4ef1-41b9-9e46-a0cd363fd998} - (no file)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Message Queuing Service (MSMQSVC) - Unknown owner - C:\Windows\system32\mqsv32.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: sscSched - Unknown owner - C:\Windows\system32\sscsched.exe (file missing)

--
End of file - 4616 bytes

EvolveOrConvolve (1000+ posts) Tue Feb-16-10 10:33 PM
Response to Reply #7
8. (Sorry it took so long) - Here's what I would do
1. Download and install Spybot Search & Destroy. If you already have it installed, uninstall it and download and install a new version. When it installs, click Yes to installing the Tea Timer and Internet Explorer protections. I want those in place before you do the next step. Download SuperAntiSpyware but don't yet install it.

SuperAntiSpyware (click on the free version): http://www.superantispyware.com/download.html
Spybot: http://www.safer-networking.org/en/download/index.html

2. Click Start and in the box type "msconfig" (without the quotes). On the General tab, click 'Selective startup' and uncheck the 'Load startup items' option. Reboot your computer.

3. Fix these entries using HijackThis:
C:\Windows\system32\cmd.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tmz.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7AFD21AD-B3D5-4700-AD74-B56FFA402841} - (no file)
O15 - Trusted Zone: http://*.buy-security-essentials.com
O15 - Trusted Zone: http://*.download-soft-package.com
O15 - Trusted Zone: http://*.download-software-package.com
O15 - Trusted Zone: http://*.get-key-se10.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.buy-security-essentials.com (HKLM)
O15 - Trusted Zone: http://*.get-key-se10.com (HKLM)
O21 - SSODL: magugasek - {8a97161e-4ef1-41b9-9e46-a0cd363fd998} - (no file)
O22 - SharedTaskScheduler: tokatiluy - {8a97161e-4ef1-41b9-9e46-a0cd363fd998} - (no file)
O23 - Service: Message Queuing Service (MSMQSVC) - Unknown owner - C:\Windows\system32\mqsv32.exe (file missing)
O23 - Service: sscSched - Unknown owner - C:\Windows\system32\sscsched.exe (file missing)


From this point, do NOT open a browser

Close HijackThis

** If at any time during the HijackThis fix the Spybot TeaTimer application pops up asking you to confirm the change, click to allow it once. Then, if after you're done with HijackThis TeaTimer pops up with changes, tell it to always Deny the change.

4. Next, make sure that you have only 1 anti-virus package installed. I use Avast and recommend it to everyone who needs a good AV program that is free for home use. At this time, make sure that you only have 1 AV program installed. This doesn't include anti-malware programs like Malwarebytes, Spybot, or Super AntiSpyware.

Avast: http://www.avast.com/free-antivirus-download

5. Install SuperAntiSpyware.

6. Run SuperAntiSpyware and perform a complete scan. Reboot your computer if it requires it.

7. Run Malwarebytes and perform a complete scan. Reboot your computer if it requires it.

8. Perform a complete scan using your AV program. I suggest using Avast, but if you have another program use it now. Once it's done, schedule a boot-time scan. Don't reboot your machine yet.

9. Open My Computer and browse to C:\Windows\System32\drivers\etc, right-click the file named "hosts" and select Open With. Use Notepad to open the file. If it looks any different from this, delete entries until it does look like this (note that lines starting with # are just comments and can be safely ignored; the only line that counts is the one that begins with 127.0.0.1):
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
If you can't make changes to the "hosts" file, try this:
- Right click hosts and select Properties.
- Make sure that Read-Only and Hidden are not selected.
- Change the hosts file to match what is above and save it (if it's possible at this point).
- Update the Properties of the hosts file so that it is again Read-Only.

10. Reboot your computer

11. Download and install CCleaner. Use all the tools in it to clean up your computer and registry.

CCleaner: http://www.piriform.com/ccleaner/download

You may have to perform these steps several times to completely remove the virus. The first time or two, you may not be able to clean your "hosts" file (because it's locked by the virus). Until you can, the virus is still there. Starting up in "Safe Mode - With Networking" may help.

Let me know if you have any questions.
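The fix list in reply #8 is built by hand from the log in reply #7. The script below is an added example, not part of the thread and not a HijackThis feature: it applies the same selection to a HijackThis log automatically, flagging Trusted Zone entries for hosts outside an allow list, COM registrations (O2/O21/O22) whose file is gone, services (O23) whose binary is missing, and any non-empty AppInit_DLLs value (an O20 line that is present in the posted log but absent from the fix list). The rules, the allow list and the function names are my assumptions; the sample lines are copied from the posted log.

```python
"""Triage a HijackThis log for the entry classes a removal fix list targets.

Added example; not part of the thread and not a HijackThis feature.  The
rules are mine.  Assumed: the standard HijackThis v2 line layout,
"<section> - <body>", e.g. "O23 - Service: ...".  Sample lines are taken
from the log posted in reply #7.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Hosts an administrator has deliberately placed in IE's Trusted Zone.  Empty
# here because nothing in the posted log belongs there; fill it in per fleet.
TRUSTED_ZONE_ALLOWLIST = frozenset()

# HijackThis sections look like "R0", "F1", "N1", "O23" followed by " - ".
LINE_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")


def _trusted_zone_host(body):
    """'Trusted Zone: http://*.example.com (HKLM)' -> 'example.com'."""
    url = body.split(":", 1)[1].strip().split()[0]
    host = urlsplit(url).hostname or url
    return host.lstrip("*.")


def triage(log_text):
    """Return a list of (section, reason, original line) for entries worth fixing."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # log header, running-process list, blank lines
        section, body = m.groups()
        if section in ("O2", "O21", "O22") and body.endswith("(no file)"):
            # BHO / SSODL / SharedTaskScheduler CLSIDs whose DLL is gone:
            # leftovers of a partial removal, safe to delete.
            findings.append((section, "COM registration points at a missing file", raw))
        elif section == "O15":
            host = _trusted_zone_host(body)
            if host not in TRUSTED_ZONE_ALLOWLIST:
                # The Trusted Zone lowers IE's security settings for these hosts.
                findings.append((section, f"Trusted Zone relaxes IE security for {host}", raw))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].split()
            if dlls:
                # Every DLL listed here is loaded into each process that loads user32.dll.
                findings.append((section, "AppInit_DLLs loads " + ", ".join(dlls), raw))
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append((section, "service registered for a binary that no longer exists", raw))
    return findings


def summarize(findings):
    """Count findings per HijackThis section, e.g. {'O15': 7, 'O23': 2, ...}."""
    return dict(Counter(section for section, _, _ in findings))


# Lines copied from the HijackThis log posted in reply #7 (a subset).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7AFD21AD-B3D5-4700-AD74-B56FFA402841} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O15 - Trusted Zone: http://*.buy-security-essentials.com
O15 - Trusted Zone: http://*.download-soft-package.com
O15 - Trusted Zone: http://*.download-software-package.com
O15 - Trusted Zone: http://*.get-key-se10.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.buy-security-essentials.com (HKLM)
O15 - Trusted Zone: http://*.get-key-se10.com (HKLM)
O20 - AppInit_DLLs: lehelojo.dll c:\windows\system32\pozimadu.dll
O21 - SSODL: magugasek - {8a97161e-4ef1-41b9-9e46-a0cd363fd998} - (no file)
O22 - SharedTaskScheduler: tokatiluy - {8a97161e-4ef1-41b9-9e46-a0cd363fd998} - (no file)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Message Queuing Service (MSMQSVC) - Unknown owner - C:\Windows\system32\mqsv32.exe (file missing)
O23 - Service: sscSched - Unknown owner - C:\Windows\system32\sscsched.exe (file missing)
"""

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample it reports 14 entries: the two orphaned BHOs, the seven Trusted Zone hosts, the AppInit_DLLs value, the SSODL and SharedTaskScheduler leftovers, and the two missing-binary services; the Java BHO, the Avira service and the O4 Run entry pass untouched. The O15 rule is deliberately allow-list based rather than block-list based, since a rogue product can register any domain it likes.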

ThingsGottaChange (805 posts) Tue Feb-16-10 11:19 PM
Response to Reply #8
9. Still working on it :-) nt

ThingsGottaChange (805 posts) Tue Feb-16-10 11:38 PM
Response to Reply #8
10. Starting scans now
Can't do much more tonight. Will post results of scans tomorrow.

Thank you!!!!

EvolveOrConvolve (1000+ posts) Wed Feb-17-10 08:15 PM
Response to Reply #10
11. How are things going?
I've found that it sometimes takes days to fully clean these out of the system.

ThingsGottaChange (805 posts) Wed Feb-17-10 09:20 PM
Response to Reply #11
12. Things are about the same as yesterday
I got a bit confused on your info on changing the hosts file. Mine was full of Spybot logs (?) and I didn't know if I was supposed to remove everything but the 127.0.0.1 localhost line and the comments above it. Avira shows TR/Rootkit.Gen but cannot delete it. Can't do a system restore either. Tried to do some cleaning and diagnostics in safe mode but, didn't make any difference. Also disabled my Avira and tried to install Avast but it wouldn't start. Went back to Avira.

I've been reading about Combofix and GooRedfix. Need to read up a lot more on them before I try them. Gonna try again tomorrow. Brain is mush already today :-)

Thanks again!

EvolveOrConvolve (1000+ posts) Wed Feb-17-10 10:00 PM
Response to Reply #12
13. Your hosts file doesn't really need anything in it
As long as you leave the 127.0.0.1, that's all that you really need unless you have a really funky OS installation (which I doubt).

The Rootkits can be a real PITA to remove, especially if they're hiding in the OS somewhere and hijacking your AV software.

Have you seen this link: http://www.bleepingcomputer.com/forums/lofiversion/index.php/t292793.html

ThingsGottaChange (805 posts) Wed Feb-17-10 10:49 PM
Response to Reply #13
15. hosts file
What I have in this file starts right after 127.0.0.1

::1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.10sek.com
127.0.0.1 10sek.com
127.0.0.1 www.123topsearch.com
127.0.0.1 123topsearch.com
127.0.0.1 www.132.com

And about a million more from spybot. Looks like everything they scan for. Should I remove all this? I have looked at tons of posts on bleepingcomputer. Don't really understand all that I see in those logs. I'm waiting for someone to help me with the logs I posted last night and tell me what to do next.
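Reply #15 shows why the hosts-file step in reply #8 confuses people: thousands of Spybot-written `127.0.0.1 <domain>` lines look alarming, but an entry that maps a name to loopback (or 0.0.0.0) is a sinkhole that only blocks that name, which is exactly what Spybot's immunization intends. The entries a defender has to catch are the few that name a legitimate site, either to block it (an AV update server pointed at loopback) or to send it somewhere else (a real address on a name that does not belong to it). The classifier below is an added example, not from the thread; it reads a hosts file, separates the default `localhost` lines and the sinkhole entries from anything that touches a security-vendor name or carries a non-loopback address, and reports counts plus the flagged lines. The vendor list (the tools named in this thread), the category names and the two lines marked constructed are my assumptions.

```python
"""Classify hosts-file entries so a blocklist is not mistaken for a hijack.

Added example, not from the thread.  The sample below takes the first lines
of the hosts file posted in reply #15 and appends two CONSTRUCTED entries of
the kind that actually need attention.  Vendor list and categories are mine.
"""
import ipaddress
from collections import Counter

# Update/support hosts of the tools named in this thread.  A hosts entry naming
# one of these deserves a look whatever address it carries: loopback silently
# breaks updates, anything else redirects the user.
PROTECTED_SUFFIXES = (
    "avira.com", "malwarebytes.org", "bleepingcomputer.com",
    "superantispyware.com", "safer-networking.org", "kaspersky.com", "avast.com",
)


def _is_sinkhole(addr):
    """127.0.0.0/8, ::1, 0.0.0.0 and :: all make the name unreachable."""
    return addr.is_loopback or addr.is_unspecified


def _is_protected(name):
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def classify_hosts(text):
    """Return a list of (category, address, name) for every mapping in the file.

    Categories: 'default' (localhost lines), 'sinkhole' (blocklist-style),
    'security-vendor' (a protected name, any address), 'redirect' (a real
    address on any other name) and 'malformed' (unparseable address or no name).
    """
    results = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not body:
            continue
        parts = body.split()
        if len(parts) < 2:
            results.append(("malformed", parts[0], ""))
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            results.append(("malformed", parts[0], " ".join(parts[1:])))
            continue
        for name in parts[1:]:                  # one line may carry several names
            lname = name.lower()
            if _is_sinkhole(addr) and lname == "localhost":
                cat = "default"
            elif _is_protected(lname):
                cat = "security-vendor"
            elif _is_sinkhole(addr):
                cat = "sinkhole"
            else:
                cat = "redirect"
            results.append((cat, str(addr), name))
    return results


def review(text):
    """Summarise a hosts file: per-category counts and the entries to inspect."""
    entries = classify_hosts(text)
    counts = Counter(cat for cat, _, _ in entries)
    flagged = [e for e in entries if e[0] in ("security-vendor", "redirect", "malformed")]
    return {"counts": dict(counts), "flagged": flagged}


# First lines of the hosts file from reply #15, then two CONSTRUCTED entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1 localhost
::1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
# --- constructed lines below, not from the posted file ---
127.0.0.1 www.avira.com          # constructed: would block AV updates
203.0.113.5 www.malwarebytes.org # constructed: documentation-range address
"""

if __name__ == "__main__":
    result = review(SAMPLE_HOSTS)
    print(result["counts"])
    for cat, addr, name in result["flagged"]:
        print(f"INSPECT [{cat}] {addr} {name}")
```

On the sample this counts two default lines, five sinkhole entries and two security-vendor hits, and flags only the two constructed lines; the Spybot entries are left alone. Deleting the Spybot block, as reply #8 suggests, is harmless but not necessary; the check that matters is that nothing in the file names a site you rely on.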

Earth Bound Misfit (1000+ posts) Wed Feb-17-10 10:17 PM
Response to Reply #12
14. Your logs at BleepingComputer detect "dhsxog" as a rootkit
Edited on Wed Feb-17-10 10:34 PM by Earth Bound Misfit
and atapi.sys suspicious modification, which is a signature of the TDL3 rootkit.

"I've been reading about Combofix and GooRedfix. Need to read up a lot more on them before I try them."

I've never heard of Goored fix. DON'T run ComboFix unsupervised IMO, unless you have the knowledge needed to do so. Perhaps someone here has that expertise and can help you. I know I'm not qualified.

Keep us posted.




ThingsGottaChange (805 posts) Wed Feb-17-10 10:59 PM
Response to Reply #14
17. Don't worry
I have a very healthy respect for the computer registry and for messing around if I don't know exactly what I'm doing. Which is why I'm waiting for a step-by-step solution - while having my hand held. I've seen plenty of cautions about using these apps. Just hoping I don't have to reinstall Windows.

:scared:

Earth Bound Misfit (1000+ posts) Wed Feb-17-10 10:50 PM
Response to Reply #12
16. This is interesting...
http://remove-malware.com/malware/malware-news/atapi-sys-rootkit-is-everywhere/

For clients that run Windows XP I've just been using Combofix (Combofix disinfects Atapi.sys). For other operating systems (32-bit) I've just been using a bootable anti-malware disc (bartpe) and replacing atapi.sys with one from the Windows disc.


Is your Vista 32 or 64bit?

BartPE: http://www.nu2.nu/pebuilder/




ThingsGottaChange (805 posts) Wed Feb-17-10 11:14 PM
Response to Reply #16
18. That is very interesting
I have 32bit. So, basically, I can replace the infected file with a good one? Gotta read that a few more times. Tomorrow. My beloved night time drugs are kicking in so, I'm done thinking for the day.

Thanks so much for the info and links. Appreciate your looking for that!

Randall Flagg (411 posts) Wed Feb-17-10 11:21 PM
Response to Original message
19. Is this what you are getting?

Earth Bound Misfit (1000+ posts) Wed Feb-17-10 11:39 PM
Response to Reply #19
20. It was already tried by the OP and I suggested that and other "canned" fixes...
which (seemingly) took care of the Rogue AV pop-ups, but not the ROOTKIT.

First two replies on this thread, as a matter of fact.

ThingsGottaChange (805 posts) Fri Feb-19-10 01:28 AM
Response to Original message
21. Holy Crap! I think I fixed it!
I used Kaspersky's TDSSKiller, SUPERAntiSpyware and GMER which are some of the things always recommended on bleepingcomputers and other help sites. After a few hours of smooth surfing I again ran Avira, Malwarebytes, SAS and TDSSKiller and all came up clean! I knew I'd figure this out eventually. I'm a persistent little bugger, too!

DAMN, I'm good :applause:

Thanks to everyone for their help. Now, don't go too far away.........

Earth Bound Misfit (1000+ posts) Fri Feb-19-10 09:46 AM
Response to Reply #21
22. Good for you.
Out of curiosity, did the TDSS tool replace/and or/disinfect atapi.sys? Or any other ".sys" file? What about that dhsxog.sys file, was that removed/quarantined by any of the scan tools?

Inquiring minds want to know. :)

ThingsGottaChange (805 posts) Sat Feb-20-10 11:59 PM
Response to Reply #22
24. I honestly don't remember how it all worked.
dhsxog.sys is out of the sys32 folder and quarantined in SuperAntiSpyware and Avira. I do have a new atapi.sys file dated 2/18/10. I think most of the removal was with TDSSKiller and GMER. Although I think SuperAntiSpyware is a great tool. Hadn't heard of it before. At this point I'm just so relieved to have this crap out of my computer that I don't really care exactly how I did it! :)

Earth Bound Misfit (1000+ posts) Sun Feb-21-10 04:41 AM
Response to Reply #24
26. Thanks for the info, & congrats!
Edited on Sun Feb-21-10 04:42 AM by Earth Bound Misfit
I'd read that TDSSKiller attempts to disinfect an infected atapi.sys file (or other low-level infected driver), or failing that, searches for a healthy copy stored in either the dll cache or in any backup folders and deletes the infected copy, then replaces it with the clean file. After killing/removing the rootkit, its "soldiers" become fairly easy pickings for AV scanners and secondary scanners like MalwareBytes & SUPERAnti---I use both.

Thanks for replying, I appreciate it!

EvolveOrConvolve (1000+ posts) Sat Feb-20-10 02:09 PM
Response to Reply #21
23. Nice!
Isn't it a feeling of both relief and achievement when you've finally broken the virus' back? I love it, and it's led to almost everyone I know bringing their computers to me when they're infected (which is sometimes a PITA, but is always validation of my persistence).

I'm glad you got it licked - keep us updated on your status. :hi:

ThingsGottaChange (805 posts) Sun Feb-21-10 12:06 AM
Response to Reply #23
25. Still running great
Feel like a million bucks after that! Great sense of accomplishment and relief. I'm patting myself on the back as I type this :) Now I get to do battle with an abscessed tooth :grr: But, I'll beat that one, too!