Infected by "Live security platinum" malware

Best regards from Croatia!

Avast has been my favourite antivirus for the last few years; almost any time I was infected by a virus, the Avast boot scan detected and removed it.

What happened today really concerned me: I updated the antivirus program to the latest version and after the update I chose to restart the computer later.

While I was on some site, LIVE SECURITY PLATINUM malware started from the appdata\temp folder and reported numerous warnings that I was infected with a list of trojans. I also received a warning by the clock that logongui.exe is infected, and a few ctrl+alt+del messages that task manager can’t be started.

The Avast red window occurred a few times, but it couldn’t stop it, maybe because of the pending restart.

I started quick scan and nothing was detected.

What I actually did now was start a boot scan, and I will return with more info.

I would also love to collect as much info as possible from my infected PC about this issue;

is there some kind of useful log that can be attached for your lab for improving protection against this threat?

This time no luck with the boot scan :frowning:

Is it still present?

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Local\AutoProxyCache /s
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs

I can’t run any .exe, I’ll try in safe mode

No antivirus is 100%…try in safe mode and report back here…please send the Live security platinum sample to virus@avast.com for detection…I had reported 51 samples of this fakeAV to virus lab…and now with latest update all are detected ;D

Probably u have hit a very new variant :wink:

Hello, thanks for the response.

What do you actually mean when you say SAMPLE of Live Security Platinum?

Fact is I repeated the full scan 2 times and the boot scan 2 times and Avast said nothing! I’ll try in safe mode.

They say many antiviruses ignore this threat, AVG too.

I can’t really believe what I did on the PC; in the 6 years I was using Avast I was never infected.

Now, there was no installation at the time of infection; it looks like it was some kind of installation via a browser banner or execution from the Firefox web temp folder.

I was very angry ;D

If the exe version of OTL does not run then try this version

Download OTL to your Desktop
If you are using Firefox then right click the link and select save as…

This is a screensaver version

@Essexboy why you no follow the easy path? ;D
Miro8: Use this serial to activate the fake programme and get full access to the computer,then Essexboy will be able to clean it and it will be much easier
Serial: AA39754E-715219CE

Hello again,

Without entering the serial, neither the .exe nor the .scr could be opened in normal Windows mode.

But in safe mode I could run both, and I got only OTL.txt, no Extras file.

Then I entered the serial in normal mode, and I got access to the exes.

OTL from normal mode is attached to this message.

My plan is to start removing this virus by following this guide:

http://www.im-infected.com/rogue/live-security-platinum.html

Let me know if you have alternative solution.

Malwarebytes captured the LIVE SECURITY PLATINUM virus and disabled it.

Here are the logs before action, and after clicking on the remove button.

The FakeAV remover from Trend Micro found some possible “fake antiviruses”, but some of them were just false reports about Adobe and TerraTec.

Here is the log after cleaning.

Avast aswMBR logs before and after fixing the MBR.

There was nothing wrong with the MBR why did you fix it ?

After you have run all those programmes I will need a Fresh OTL log to see what remains

Here is the OTL log after the cleaning process (without custom scan).

Can you tell from the posted logs where I could have got that virus?

The website was infected, normally Avast will catch these so it must be a new one

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
FF - prefs.js..network.proxy.http: "92.48.119.17"
FF - prefs.js..network.proxy.http_port: 8080
[2012.07.18 22:01:23 | 000,000,000 | ---D | C] -- C:\ProgramData\7531CCA90009086700001BDCF875EF60
@Alternate Data Stream - 1176 bytes -> C:\Program Files\Common Files\System:xdUITtUCd4sMOgeiObr
@Alternate Data Stream - 1060 bytes -> C:\Users\Miro\AppData\Local\3l7xhv069RHtkp:QE2sooiDRhau1n5tzF7hVcNuNg
@Alternate Data Stream - 1035 bytes -> C:\ProgramData\Microsoft:kCSIWeCOnippFdTcvtNOP26rcR
@Alternate Data Stream - 1018 bytes -> C:\ProgramData\Microsoft:FqgqysJtH4Mx2S9C3JWp4C

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
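As an added defender-side check (example code written for this thread, not taken from the thread, from OTL or from Avast), the following Python script parses a Firefox prefs.js and lists its network.proxy.* entries, flagging any proxy host that is not on a set of hosts the user configured deliberately. The fix above removes the prefs.js proxy lines; a listing like this lets you see exactly what prefs.js holds before deciding whether a proxy entry is yours or was injected by a rogue program. The sample prefs.js content and the expected-host set are constructed for illustration; the proxy key names are the ones Firefox uses in prefs.js.

```python
import re

# Constructed sample prefs.js content (not the poster's real file). It contains the two
# proxy keys named in the OTL fix plus a couple of unrelated prefs for realism.
SAMPLE_PREFS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.http", "92.48.119.17");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.type", 1);
user_pref("network.proxy.ssl", "92.48.119.17");
user_pref("privacy.donottrackheader.enabled", true);
'''

# Matches one user_pref("name", value); line. Value is captured raw and decoded below.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Firefox prefs that hold a proxy host name; their *_port siblings hold the port.
PROXY_HOST_KEYS = ("network.proxy.http", "network.proxy.ssl",
                   "network.proxy.socks", "network.proxy.ftp")


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref() line in prefs.js text.

    Quoted values become str, true/false become bool, integers become int.
    Lines that are not user_pref() calls (comments, blanks) are skipped.
    """
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # leave anything unexpected untouched rather than guess
        prefs[name] = value
    return prefs


def proxy_settings(prefs):
    """Return only the network.proxy.* entries, which is what a reviewer wants to eyeball."""
    return {k: v for k, v in prefs.items() if k.startswith("network.proxy.")}


def unexpected_proxies(prefs, expected_hosts):
    """Return {key: host} for proxy hosts not in the set the user set on purpose.

    network.proxy.type == 1 means a manual proxy is active; if it is anything else the
    host entries are present but not in use, which is still worth knowing.
    """
    flagged = {}
    for key in PROXY_HOST_KEYS:
        host = prefs.get(key)
        if host and host not in expected_hosts:
            flagged[key] = host
    return flagged


if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS)
    print("manual proxy active:", prefs.get("network.proxy.type") == 1)
    for k, v in sorted(proxy_settings(prefs).items()):
        print(f"  {k} = {v!r}")
    # Constructed allowlist: the host the user says they typed in themselves.
    print("not on allowlist:", unexpected_proxies(prefs, {"92.48.119.17"}))
    print("with empty allowlist:", unexpected_proxies(prefs, set()))
```

To use it on a real profile, read the prefs.js from the Firefox profile directory into `parse_prefs` instead of the constructed string, and put the proxy hosts you know you configured into the allowlist; anything that comes back from `unexpected_proxies` deserves a look before you run a fix that strips it.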

The proxy you listed is the one I really use inside Firefox; it was typed in manually.

What could be the site that infected my PC?

Hi miro8,

There is a big difference between any antivirus detecting a virus or malware and “ignoring” it. For the first, the malware must be known, and a detection written into the virus database to protect you and other users from it. For the second, ‘ignoring’ is not possible, as when a virus, a rogue program (in your case), or malware gets on your system, it is because there is no detection signature for it as it is so new. Avast! and other antivirus programs cannot see it unless they are told to, and so cannot prevent it from installing and running on your system.

It is a cat and mouse game that has gone on for a long time now between the good guys and the bad guys, and unfortunately, this bad thing happened to you. The good guys can help, but they cannot prevent all bad things from happening, as catchup is the operative word here.

So the fix here is to be careful where you surf in the future, as even known good sites can get infected with this sort of stuff, and this sort of stuff will take advantage of obsolete or out-of-date (unsupported) software on your system and exploit that software to infect you.

So it can be any website that caused your problem, but you may have out-of-date software on your system. (See below)

Adobe software and Sun Java are the most commonly exploited software used by the bad guys to infect you when you do not keep them up-to-date. This is complicated, but it is enough to say that Avast! cannot fully protect you from software weaknesses in programs that they do not own or control. If Avast! did, then you could certainly blame Avast! for this situation, but since they do not…

Don't worry miro8…probably essexboy will ask you to upload the infected file to Avast at the end of the fixing ;D

haha, i think i wouldn’t be able to do that 8)