Virus shutting down Norton and Windows Security Center!

I have run into a serious problem, my stationary computer has been infected with some kind of virus or trojan. This malware shut down both Norton Internet Security and the Windows Security Center. I'm using Norton Internet Security for both my laptop and stationary computer, but my laptop has not been infected so far.

 

I believe the trouble started when my girlfriend accidentally clicked on an imageshack.biz virus link sent through MSN Messenger. For some time nothing really happened and I thought I was home safe, but on 23 December I got several "blocking" and "your computer has been attacked" messages from Norton Internet Security while surfing. I then made a horrible mistake and clicked OK on a pop-up mimicking Windows Security Center, and from that point it was like opening a floodgate. I have no clue if this later incident was related to the Messenger incident; this is only a suspicion on my side.

 

I quickly shut down my computer, and upon restarting, Norton Internet Security doesn't autostart, nor can I start it manually, as nothing happens. My Windows Security Center is offline as well.

 

I have tried other malware programs like Ad-Aware, but they won't run either. It's like something is blocking them. Other than that I can't see any first-hand effect of this possible malware, except that my computer seems to be wide open and there is a crossed-out Windows Security icon among the quick launch icons down in the right corner.

 

What are my options now? Don't even know where to start.

I sincerely need help!

 

Thank you!

 

EDIT:

 

OS: Windows Vista Ultimate 32-bit

I have tried starting Norton in Safe Mode with no success.

Message Edited by StarscreamSWE on 12-25-2009 11:18 PM

What version of NIS are you using?

 

Have you tried 'Malwarebytes'? It might find some malware on your system.

Perhaps this will run.

Download the 'Free' version.

You should Update it first, then run a full scan.

http://www.malwarebytes.org/about.php

 

If you cannot go online, perhaps you can download it via the laptop to a memory stick, install from there, and see if it finds anything for a start.

Haven't tried this, but it may be a start.

If you are able to get anywhere, then update and do another full scan.

 

If you do, save a log of what it finds.

 

I'm using NIS 09 I believe... The laptop recently got updated to a newer look (NIS 2010???) and I somehow managed to update NIS on my stationary computer amid the chaos as well (yes, after the malware infestation) through Norton Security Scan. I can access Norton Security Scan, but it only refers and transfers me to regular NIS... and again nothing.

 

In short, I'm not sure, but the laptop version is 17.1.0.19 if that helps.

Can't really tell with my main computer as I can't access NIS at all.

 

About Malwarebytes: I am able to download it, but it won't run. I can get programs like Spotify to run, but any anti-virus program won't run.

 

Am I looking at a clean reinstall here?

 

Message Edited by StarscreamSWE on 12-26-2009 02:53 AM

Download GMER

 

http://www.gmer.net/

 

It downloads as a [random characters].exe instead of "Gmer.exe", which a lot of malware also now blocks.

 

Have it run a Scan and save the log.

 

Quads 

StarscreamSWE

 

Yes, the latest version of NIS 2010 is 17.1.0.19.

 

Try Quads' suggestion and see how it goes.

 

If you have no luck with that, and don't want to do a complete reinstall, there may be one possibility, but I'm not sure if you would want to try it.

 

Put the hard drive from the desktop into an external USB 3.5" hard drive caddy (IDE or SATA, according to what type it is in the desktop), load Malwarebytes on your laptop, plug in the external drive, and do a Malwarebytes scan from there.

If you update it and do a full scan, it should include the drive in the USB box.

When doing a full scan, you get a pop-up with the drives to check; make sure the USB one is ticked.

 

It's just a thought.

Message Edited by boneidle on 25-12-2009 06:32 PM

Here is the GMER scan. Thank you for all the help so far!

 

This was marked in red:

 

:\Windows\System32\drivers\H8SRTmrwecdnaum.sys 

 

mrwecdnaum recurred in several places...

 

Gonna do a rescan tomorrow to make sure.

Also, scanning from normal mode ended up in a blue screen of death...

 

BTW, on a side note, is there any chance my other two HDs (separate from my OS C: HD) are contaminated? I've got some files stored on one of them which I would like to copy to an external HD. Any chance the malware could hitchhike on the external HD?

 

Message Edited by StarscreamSWE on 12-26-2009 04:02 AM
Message Edited by StarscreamSWE on 12-26-2009 04:04 AM
Message Edited by StarscreamSWE on 12-26-2009 04:18 AM

Hi Starscream

 

You have an H8SRT rootkit. I would back up your files to an external drive.

You can back up any of the files in the Programs folder or Documents and Settings folder.

 

Don't touch the "Windows" folder.

 

Quads 

Thank you!

 

I'm gonna do a complete reinstall...

 

Are you having to reinstall Windows because of the Gen 2 rootkit??

 

Quads 

Hi Quads,

 

When you said:

 

"You can backup any of the files in the Programs folder, or Documents and Settings folder.

 

Don't touch the "Windows" Folder",

StarscreamSWE might have thought reinstalling was what you wanted him to do.

 

StarscreamSWE, search the forum on H8SRT -- you'll find NIS is currently vulnerable to attack by this rootkit but it can be removed (I have personal experience) if you're patient and persistent (pun intended).

 

Persistent


 

 

Persistent, how did you get rid of the rootkit?

It's only the older Gen2 TDSS (Tidserv) rootkit, but this one uses a larger disallowed list.

 

I played with it approximately 2 weeks ago.

 

 

 

 

The reason not to clone/image the whole drive or touch the Windows folder is that that is where the rootkit is.

 

Quads 

Okay, so I got ahead of myself there. Quads, I read your reply in a way that made me think my only option was to do a complete reinstall. I was thinking about going from Vista to Win 7 anyway, so I thought, what the heck :). I actually don't have to do a complete reinstall then...? Could I be so rude as to ask a kind soul to link me a proper solution? My computer skills are, like my English, mediocre at best.

 

EDIT: This seems to be the right way to go. At least it got Norton back online and I was able to run and update NIS.

 

http://www.myantispyware.com/2009/12/22/how-to-remove-h8srt-trojan-remove-rootkit-tdss/

 

After running it as prompted, Norton was back and warned me about something called Malware Defender 2009. I now believe this is the main culprit. Running a full MBAM scan at the moment.

Message Edited by StarscreamSWE on 12-27-2009 11:53 PM

I now have no idea what tools you have used, in what order, what changes, tweaking or anything else you have done, and you have Malwarebytes running, so who knows.

 

 

 

Quads 


Message Edited by Quads on 12-28-2009 12:04 PM

First I ran TDSSKiller which, I believe, found 2 rootkits.

TDSSKiller then reported it would have them removed upon reboot.

 

Secondly, I updated and ran an MBAM scan which found another 12 malware items, which I chose to remove.

 

Thirdly, I started NIS, ran a LiveUpdate and a scan which found one tracking cookie (which NIS has always done on my computer as far as I can remember; it always reappears). An NIS alert for Malware Defender 2009 also appeared, and checking the quarantine list it was listed as removed by NIS. Auto-Protect also found something called graybird.backdoor, which is now listed as removed.

 

So far so good.

 

Here comes the less bright side....

 

My NIS on my stationary computer is still a 2008 or 2009 version. Version number 15.5.0.23, to be precise.

 

Upon running the autofix through the NIS support menu, several strange failure reports pop up (looks like code). Each time I do this, Auto-Protect blocks a trojan horse.

 

I'm still unable to run Windows Security Center. When clicking on "turn on", a failure window pops up which says "The security Service can't be started".

 

It seems I'm not quite over the hill yet.

Any more advice on how I should proceed?

 

EDIT: adding my first TDSSKiller scan log.

 

EDIT II: adding my first MBAM scan log.

 

Message Edited by StarscreamSWE on 12-28-2009 02:00 AM
Message Edited by StarscreamSWE on 12-28-2009 02:10 AM

Following these simple instructions, I managed to turn Windows Security Center back on.

 

http://www.vistax64.com/tutorials/67737-security-center.html

 

All my scans with TDSSKiller, MBAM and NIS now show no known malware...

I seem to be in the clear, but would love a second opinion please.

Once again, thank you for all the help, hints and pointers.

 

If it looks like I'm going to stay in the clear, I would like to post a summarized solution to my problems in this thread.

 

A big thank you to Boneidle, Quads, floplot and Persistent. Kudos indeed!

 

Hope you could deal with the random Swedish in the log.txt ;)

 

 

StarscreamSWE
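As an added example (not from this thread or its participants), a post-cleanup check covering the two symptoms reported above: the Security Center that refused to start, and the H8SRT-prefixed driver flagged in the GMER log. It assumes PowerShell 2.0 on the repaired Vista machine, an elevated prompt, and that the service name for Windows Security Center is `wscsvc`.

```powershell
# Added example, not part of the original thread.
# Run from an elevated PowerShell 2.0 prompt after TDSSKiller/MBAM/NIS cleanup.

# 1. Windows Security Center service (assumed name: wscsvc).
#    A service left Disabled by malware is the usual reason the
#    "turn on" button fails with "The security Service can't be started".
$svc = Get-WmiObject Win32_Service -Filter "Name='wscsvc'"
if ($null -eq $svc) {
    Write-Warning "wscsvc not found; the service registration itself may be damaged"
} else {
    "Security Center: StartMode=$($svc.StartMode) State=$($svc.State)"
    if ($svc.StartMode -eq 'Disabled') {
        # Re-enable so the Control Panel can start it again.
        Set-Service -Name wscsvc -StartupType Automatic
    }
    if ($svc.State -ne 'Running') {
        Start-Service -Name wscsvc
    }
    (Get-Service -Name wscsvc).Status
}

# 2. Leftover rootkit driver file.
#    The GMER log above flagged a driver with a random-looking name carrying
#    the H8SRT prefix in System32\drivers; anything still matching that prefix
#    after cleanup warrants another TDSSKiller scan rather than manual deletion.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$leftovers = Get-ChildItem -Path $driverDir -Filter 'H8SRT*' -ErrorAction SilentlyContinue
if ($leftovers) {
    Write-Warning "H8SRT-prefixed files still present in $driverDir:"
    $leftovers | ForEach-Object { $_.FullName }
} else {
    "No H8SRT-prefixed files in $driverDir"
}
```

The script only reports and re-enables the service; it does not delete files, since a driver that is still loaded is better handled by the rootkit tool the thread already used.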

On the main Malwarebytes window, click on 'Settings' along the top

At the bottom of that page you have a 'Language' setting.

What language does it say in the box?

Click the 'dropdown' to change to the language you want. 

Hope this solves the Swedish text.

 

In Malwarebytes, change the Language setting to "svenska" in the list.

 

Quads