7 Replies Latest reply on Sep 13, 2010 12:58 AM by vinoo

    Problems with Security Suite after manual removal

Hi, I recently had to remove Security Suite from my computer and it was quite a pain. But when I thought all my troubles were over I was quite wrong. I bought the new McAfee 2010 Total Protection to upgrade from my older one to try and prevent problems later on, but I think there are still some files from the virus because everything runs fine on my computer except McAfee. It says all the protection is on, but when I go and look in the more specific details it says it's off. And even my computer tells me you are unprotected. I also have had blue screens popping up when I restart my computer saying "DRIVER_IRQL-LESS_OR_EQUAL_TOO". I don't know what to do! I'm a student in college and I don't want to wipe my computer and lose all my important files. Plus I don't even know how to wipe my computer; I lost my computer disc. Please help!

        • 1. Re: Problems with Security Suite after manual removal
          vinoo

          Hi Kyle,

          If you suspect you're infected and have trouble finding what is causing the infection, I'd suggest giving this handy tool a try.

          "McAfee GetSusp is intended for users who suspect undetected malware on their system. By using a combination of clever heuristics and querying McAfee's online database of known clean files to gather suspicious files, GetSusp eliminates the user's need for deep technical knowledge of computer systems to isolate undetected malware. McAfee GetSusp is recommended as a tool of first choice when analyzing a suspect machine."

          Get it from here:
          https://community.mcafee.com/message/148081#148081

          Once GetSusp identifies and collects the suspect files, post the logs here and we community members can help.

          Regards,
          Vinoo Thomas
          Technical Product Manager, McAfee Labs

          • 2. Re: Problems with Security Suite after manual removal

            Suspicious Files

            | MD5 | Location | File Name | Attribute | File Size | Creation Date | Modification Date |
            | --- | --- | --- | --- | --- | --- | --- |
            | 3b982f952b88de6e629e7e5144b91aaf | C:\Windows\system32\drivers\etc | hosts | | 1,796 | 07/13/2009 20:34 | 08/28/2010 16:29 |
            | 5473ff4d240dfc6c266cd2580435bcd5 | D: | autorun.inf | R | 155 | 02/09/2010 19:54 | 02/09/2010 19:54 |


            And here's the network files:


            • 3. Re: Problems with Security Suite after manual removal
              vinoo

              Hi Kyle,

              Thanks for posting the GetSusp logs.

              It does not appear that your machine is actively infected. The autorun.inf is legit and the hosts file appears to be modified by a keygen that was used to register a pirated version of Adobe software.

              Nothing to suggest malware is responsible. It could be a product-related issue.

              Best,
              Vinoo
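A defender's check for the kind of hosts-file tampering Vinoo describes above, as an added Python example (not code from this forum or from McAfee): it parses a hosts file and separates keygen-style "sinkholed" names (mapped to loopback or 0.0.0.0) from names redirected to a non-local address, which is the more dangerous pattern. The vendor and bank domains in the embedded sample are constructed placeholders.

```python
import ipaddress

# Names a stock hosts file may legitimately map to a loopback address.
BASELINE_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost",
    "ip6-loopback", "ip6-localnet", "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters",
}
# Addresses used to "sinkhole" a name (e.g. a keygen blocking activation servers).
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return [(ip, hostname), ...] for every mapping in a hosts file body."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))  # also normalises IPv6 forms
        except ValueError:
            continue  # first field is not an address: malformed line, ignore it
        pairs.extend((ip, name.lower()) for name in fields[1:])
    return pairs


def triage_hosts(text):
    """Split non-baseline entries into sinkholed names (blocked, as a keygen does)
    and redirected names (pointed at a non-local address: a hijack pattern)."""
    sinkholed, redirected = [], []
    for ip, name in parse_hosts(text):
        if name in BASELINE_NAMES:
            continue
        if ip in SINKHOLE_IPS:
            sinkholed.append(name)
        else:
            redirected.append((ip, name))
    return {"sinkholed": sinkholed, "redirected": redirected}


# Constructed sample: stock entries, a keygen-style block list, one redirect.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1 activate.example-vendor.com
127.0.0.1 practivate.example-vendor.com   # inline comment
0.0.0.0   lm.licenses.example-vendor.com
203.0.113.7 www.mybank.example
"""
```

On a real machine, read `C:\Windows\System32\drivers\etc\hosts` and pass its contents to `triage_hosts`; anything in `redirected` deserves immediate attention, while `sinkholed` entries explain findings like the one in this thread.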

              • 4. Re: Problems with Security Suite after manual removal

                Hi Vinoo,

                In my early morning grogginess signing onto my home computer for work, I got duped into downloading the Security Suites thinking it was McAfee related. I read document 1294 as advised in a post and ran Stinger 10101028 but I can't read the results because it saved in a .opt file. So now I have downloaded the GetSusp that you suggested because I am trying to decide if I am infected... (I am hoping not, I have not been getting pop-ups) but I am afraid that this might be the kind of thing that sits here and gets worse and worse. My info obtained from the GetSusp scan is not being allowed to send, it says, because it is >3MB. It also says there are suspicious files. What do I need to do differently? Do I press the upload button? I am afraid to up or download anything! T

                • 5. Re: Problems with Security Suite after manual removal
                  vinoo

                  The benign files have been whitelisted - next time you rerun a GetSusp scan, the zip file created should be under 3 MB.

                  We've seen a rash of this rogue Security Suite Trojan over this weekend and our research team is working on a generic fix.

                  Best,
                  Vinoo

                  • 6. Re: Problems with Security Suite after manual removal

                    I'm having an issue with security system software. Here is my log after running GetSusp:

                    | Status | MD5 | Location | File Name | Attribute | Company | Description | Product Version | File Version | File Size | Creation Date | Modification Date | Type |
                    | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
                    | TROJAN | b28d9f6653fb2f284818a234efe60cda | C:\Users\Charlene\AppData\Local\gjqqgfolc | knnpgcquqiw.exe | A | Security Suites Corporation | Security Suite for Windows | 5.1.2600.0 | 5.1.2600.0 | 245,760 | 09/11/2010 20:37 | 09/11/2010 20:37 | Run-Key |

                    Unknown Files

                    | Status | MD5 | Location | File Name | Attribute | Company | Description | Product Version | File Version | File Size | Creation Date | Modification Date | Type |
                    | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
                    | UNKNOWN | 5bf2d368ca2c3fa12cfced2eb6d6e050 | C:\PROGRA~2\MYWEBS~1\bar\2.bin | m3SrchMn.exe | A | MyWebSearch.com | MyWebSearch SearchScope Monitor | 2, 3, 0, 0 | 1, 0, 0, 5 | 28,783 | 06/23/2010 20:22 | 06/23/2010 20:22 | Run-Key |
                    | UNKNOWN | a8e2d2429e86ee910cff9594f8adbec8 | C:\PROGRA~2\MYWEBS~1\bar\2.bin | mwsoemon.exe | A | MyWebSearch.com | My Web Search Plugin Loader | 2,3,0,0 | 1,2,2,7 | 32,849 | 06/23/2010 20:22 | 06/23/2010 20:22 | Run-Key |
                    | UNKNOWN | 48d50d679d28e5c4bf5a67664cc56b41 | C:\PROGRA~2\MYWEBS~1\bar\2.bin | mwssvc.exe | A | MyWebSearch.com | My Web Search Bar | 2, 3, 0, 0 | 1, 0, 0, 5 | 28,762 | 06/23/2010 20:22 | 06/23/2010 20:22 | Service |

                    • 7. Re: Problems with Security Suite after manual removal
                      vinoo

                      Pizzagirl,

                      Thanks for posting the GetSusp logs.

                      The file "knnpgcquqiw.exe" is correctly classified as a Trojan and detection for it should be out as FakeAlert-SpyPro.gen.ai in the next DATs.

                      Best,
                      Vinoo