Windows 7 Forums


Windows 7: AV Security infected computer; seems clean, need help for prevention

15 Nov 2011   #11
BinkerNate

Windows 7
 
 

Okay, this is before Jacee's recent post:

Okay, guys: new problem!

This thing happened again, this time as privacy protection. Nothing I could do got me to go on the web, or even activate Malwarebytes. When this happened, I was scanning the computer with , Seven forums was still up, Newsarama.com was up for just 2-3 minutes, and I was watching blip.tv on Firefox.

This is nuts; something is inside my computer. I don't know what nor how to find it. I was doing the ESET scan recommended by you guys, and it found three threats before this happened. Then I used Malwarebytes in safe mode and it found and deleted:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Privacy Protection
c:\Users\Owner\AppData\Roaming\privacy.exe
c:\Users\Owner\AppData\Local\Temp\823F.tmp (Rogue.PrivacyProtection) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\Temp\8951.tmp (Rogue.PrivacyProtection) -> Quarantined and deleted successfully.

I did check what was updated before this happened, and I found setupact.log (created 7/14/09, and modified 11/14/11 6 hours and accessed 2 hours before this post). Others were WindowsUpdate.log, bootstat.dat, and ntbtlog.txt. And MSE scanned WindowsUpdate.log, and it found Trojan:Win64/Sirefef.B. That's deleted (after it was restarted after safe mode). And I did do Malwarebytes afterwards, and it found nothing.

Please help me, something must be on my computer to do this. Maybe a keylogger, watcher, blogger, etc.
P.S. nortonsafeweblite.exe is not set up yet.

After Jacee's post:

I did use flush.bat and it scanned and restarted fine.

Quote:
Using a known 'clean computer', change ALL your passwords ... do not use the infected one to do this!
What do you mean?

Quote:
Yes, be careful when you see something like that telling you you need to scan for viruses on the internet (after you've clicked your browser), OR any pop-ups that claim the same. You can go directly to a website that you know is a true antivirus to scan for viruses, but random websites or pop-ups should never be accepted. I would click log off if it happened (so it shuts down IE for you automatically) in the event I stumbled upon something like this (I have). Don't ever click okay, and sometimes clicking cancel is the same as clicking okay.
That's the thing. AV popped up after Adobe said it needed to be updated, and it was the same window/design as it looks normally. And now, Privacy Protection popped up out of nowhere. And all I was doing was watching on blip, having this site up, and scanning ESET. I'm afraid now to use that again.


15 Nov 2011   #12
DustSailor

Microsoft Windows 8.1 Pro 64-bit
 
 

ANY pop up online (tabbed or in another browser window) for ANY antivirus protection is a fake, don't click it. Even if it looks like your antivirus (your antivirus is its own program, and will not show up in your web browser).

You are saying that the antivirus Jacee recommended seemed like it gave you another virus? o.0
15 Nov 2011   #13
BinkerNate

Windows 7
 
 

No, no. It happened when I did the scan. These things popped up and showed like they were scanning. There was no way for me to not click on them just to get them out, but then I couldn't, nor could I click on anything else because it said it was infected.

15 Nov 2011   #14
DBone

Windows 7 Home Premium x64 SP1
 
 

What did the Hitman Pro and SUPERAntiSpyware scans say?
16 Nov 2011   #15
BinkerNate

Windows 7
 
 

I haven't done those yet, but the SUPERAnti was the one I asked about because it was more "do I have to download that onto a USB or can't it just be on my computer instead?" thing.

Okay, look: ESET did its thing, but there was a problem in the end when it froze on a file for 90 minutes. Sorry but I had to stop it, but it did find five threats. Following directions, I did not delete them (though I wanted to) so here are the threats:
C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll Win32/Toolbar.Zugo.A application
C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe Win32/Toolbar.Zugo application
C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7P1Q2W82\index[1].htm JS/TrojanDownloader.Iframe.NHH trojan
C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\81YKYISB\index[1].htm JS/TrojanDownloader.Iframe.NHH trojan
C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\E3HF3MK2\107aca77385a493424251ce809642fb3012a3017711[1].js JS/Fraud.NAB trojan

UPDATE: Malwarebytes seems to have taken care of the startnow/zugo toolbars. This is because I used the full scan instead of the quick scan, but even so it froze at 33 mins.
16 Nov 2011   #16
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Quote:
Following directions, I did not delete them (though I wanted to) so here are the threats
Why didn't you have ESET delete the threats?
16 Nov 2011   #17
BinkerNate

Windows 7
 
 

Because you didn't say it...?

Look, I'm sorry, it's just that how those directions were typed made it seem like I wasn't supposed to delete anything, but scan the archives. I thought maybe you wanted to know what it found so that we could delete them and prevent at the same time. I remember something like that years ago with my old computer. Anyway, I did the scan twice, and I believe the five it found are...gone? I wasn't sure with this because at the end, I checked deleted the files, and I hit "Finish" because there wasn't anything else to click, but it got me into its "buy this" page and I didn't think at first that it deleted the files which is why I did the scan again. So I think so.

This was the file ESET and Malwarebytes' full scan froze at. I didn't the full link because this is what it only showed:
_default;sz=399x299;k21=1;kgender=m;kga=1002;kar=4;klg=en;kage=25;kg

Anyway, what's next?

P.S. I use StartNow as my homepage, and some of the files the scan(s) found have Startnow in its name. A little research and I found this might be bad, so as a precaution I changed it to just Google? Was I correct? Also, what about bing or blogger; are they bad too?

EDIT: Sorry, one last question: my old computer once had something, not a pop-up blocker, but something that didn't make the ads appear on sites. If anything, where the ads were on any site just showed "page cannot be displayed". I don't know what that was but if anyone who knows what I'm saying; do you know where I could get that again?

UPDATE: IT HAPPENED AGAIN! AV security popped up again and I used Malwarebytes to remove 17 files and restart. When it popped up, Adobe Flash Player popped up asking for access for my computer, like an update, just like Day 1 on this. It must be Adobe that's infected, right? I don't know what to do, guys. Please, I need this out.
16 Nov 2011   #18
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

16 Nov 2011   #19
BinkerNate

Windows 7
 
 

UPDATE: I dl-ed Hitman Pro, and I now have a 30 day free trial. It found a lot of things that MSE and Malwarebytes didn't see and seems to have gotten rid of them. I don't see a log or something with info to share, but what I saw were tracking cookies that came from Firefox when my brother was using it before he got his own computer.

After Hitman rebooted my comp., I did MSE again and used Hitman again to see if it found anything else or if they were still there. Nothing.

@Jacee; I changed the homepage, but I don't have the Startnow toolbar, I have Google Toolbar.

I have dl-ed Sandbox, and per DBone's request, and as for the Sweeper; that can be saved and used on my computer, no USB, right?

P.S. any other ideas on my third day of this? I guess the only way to know for sure that this is finally gone is to have one day at least with none of this happening, huh?
16 Nov 2011   #20
DBone

Windows 7 Home Premium x64 SP1
 
 

Sounds like you're on the right track. SUPERAntiSpyware (SAS) has recently changed their online scanner to a portable scanner, and I didn't realize that in my first post, sorry about that. SAS free edition would be my next weapon ( SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware! ) followed by Trend Micro HouseCall ( HouseCall - Free Online Virus Scan - Trend Micro USA ). You can't rely on just one or two scanners once your machine is infected, use them all! Please report back after those two scans.


edit: Once you run the two above scanners you can run Norton Power Eraser ( Norton Rescue Tools ) .............BEFORE YOU DELETE ANYTHING FOUND DURING THE NPE SCAN, REPORT BACK HERE FIRST!! NPE IS VERY AGGRESSIVE, AND CAN FIND FALSE POSITIVES.