Solved AV Security infected computer; seems clean, need help for prevention

BinkerNate

At 6:30pm EST today (11/14/11) AV Security popped up after a message that stated Adobe needed an update. After 2 restarts, deletions, and various virus scans, Malwarebytes seems to have now completely removed AV Security. But this still scares me. The thing acted like I was in safe mode once, and it seemed like its ads and "warnings" were like mocking me because I was trying to get rid of them.

Even though things seem to be fine now, I need to know a) how it got in, and more important, b) how to prevent this again in the future. I use Microsoft Security Essentials and Malwarebytes; both updated. There is also Windows Defender, but that's off and I don't know what that is nor how good it is. My firewall is a Network Firewall. I'm only stating this just in case my computer's info on here is outdated since I last did it.

Thank you.
 

My Computer

At a glance

Windows 7Intel Pentium E5300Intel(R) G45/G43 Express Chipset
Computer Manufacturer/Model Number
Gateway SX2802-07
OS
Windows 7
CPU
Intel Pentium E5300
Motherboard
WG43M
Graphics Card(s)
Intel(R) G45/G43 Express Chipset
Sound Card
Realtek High Definition Audio
Monitor(s) Displays
Acer S232HL
Keyboard
Standard PS/2
Mouse
HID-Compliant
I need to know
a) how it got in, and more important,
b) how to prevent this again for the future.

Malwarebytes and MSE are really good (usually). The most common way for someone to get malware is by clicking a link to a website that is programmed to give a virus, or by opening 'bad' email. Internet Explorer 9 seems to be a bit better than other browsers (others may dispute this claim) because when something wants to download, it will ask straight out if you are sure you want to download it. It has (if I may call it that) somewhat of an antivirus built into it. When Microsoft finds out about a 'bad' web address or common 'junk' emails full of spam and malware, and you click on it, IE9 will sometimes pop up a warning telling you if a web address or download is reportedly unsafe.

Also, whenever you are looking up a Google search or reading your mail (or ANYTHING on the internet), be smart about what you click on. If you don't know who it is sending you mail, put it in the junk folder. If you don't know if a website is dangerous or not, be careful if you click on it. Google will recommend common websites at the top (after you perform a search) that are usually safe. Read under the website description what the web address is. Safe browsing is your number 1 antivirus.

Make sure you do "full scans" with both Malwarebytes and MSE. Some people may recommend a few other tools to make sure the virus is completely gone, but unfortunately I am not familiar with those tools. Perhaps they can let you know what they are.
 

My Computer

At a glance

Microsoft Windows 8.1 Pro 64-bitIntel(R) Core(TM) i3-4130 CPU @ 3.40GHz8.00 GBNone
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Asus Build
OS
Microsoft Windows 8.1 Pro 64-bit
CPU
Intel(R) Core(TM) i3-4130 CPU @ 3.40GHz
Motherboard
B85M-E
Memory
8.00 GB
Graphics Card(s)
None
Sound Card
Realtek High Definition Audio
Monitor(s) Displays
Asus 23.6" Monitor
Screen Resolution
1920 x 1080 x 32 bits (4294967296 colors) @ 60 Hz
Hard Drives
INTEL SSDSC2BW180A4
Samsung SSD 840 PRO Series
PSU
Seasonic S12II-380Bronze
Case
Lian Li
Cooling
Fan, Passive
Keyboard
Logitech K120
Mouse
Microsoft Touch Mouse
Internet Speed
4ms Ping, 19.0 Mbps Download, 19.0 Mbps Upload
Antivirus
Eset Endpoint
Browser
Internet Explorer, Chrome
Who could I ask for more info and ideas for other anti-virus/malware to dl? Also, it seems my memory went down 10GB. Maybe that's Malwarebytes' recent update plus info over what it did to save my computer last night, but something to mention just in case.
 

Hi,

DustSailor has given you good advice. I would also recommend:

1. Scan your system with Microsoft Standalone System Sweeper:

http://www.sevenforums.com/tutorials/166445-microsoft-standalone-system-sweeper.html

2. Consider a paid version of Malwarebytes - it has a very good malicious IP blocker that will automatically prevent you from stumbling onto known bad sites.

3. Consider installing a browser plugin that will help you identify potentially malicious Google search links. There are many free plugins that do this. I use Norton Safe Web Lite.

Regards,
Golden
 

My Computer

At a glance

Windows 10 Pro x64 ; Xubuntu x64Intel i7 860 @ 2.80 GHz O/C'ed to 4.0GHz16GB Corsair Vengance DDR3 @ 661 MHz Dual Cha...EVGA NVidia GTX 560 1024MB
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Golden Mk. I.4
OS
Windows 10 Pro x64 ; Xubuntu x64
CPU
Intel i7 860 @ 2.80 GHz O/C'ed to 4.0GHz
Motherboard
Gigabyte P55A-UD3R Rev.1. Award BIOS F13
Memory
16GB Corsair Vengance DDR3 @ 661 MHz Dual Channel (9-9-9-24)
Graphics Card(s)
EVGA NVidia GTX 560 1024MB
Sound Card
Realtek Integrated
Monitor(s) Displays
Dual Samsung SyncMaster 2494HS
Screen Resolution
1920*1080 and 1920*1080
Hard Drives
1*Samsung 840 EVO 120GB SSD;
1*OCZ Vertex 2 60GB SSD;
2*Samsung F3 SpinPoint 1TB in RAID0;
1*Samsung F1 SpinPoint 1TB;
2*Western Digital 1TB External USB 3.0
1*Western Digital 500GB External USB 3.0
1*Seagate 500GB External USB 2.0
PSU
Thermaltake ToughPower QFan 750W
Case
Thermaltake Element S VK60001W2Z
Cooling
Corsair H60 Water Cooling, 2*230mm and 2*80mm case fans
Keyboard
Logitech G110
Mouse
Logitech MX518
I would also immediately run a scan with Hitman Pro ( Home - SurfRight ), followed by an online scan with SUPERAntiSpyware ( SUPERAntiSpyware.com - SUPERAntiSpyware Portable Scanner ) to make sure the machine is clean.

MSE is an adequate free AV, but any AV, paid or not, should not be your first line of defense regarding browsing the internet. Virtualization, or what's commonly known as "sandboxing", should be your main weapon against online threats. Sandboxie offers a free and a lifetime paid version ( Sandboxie - Sandbox software for application isolation and secure Web browsing ) of a very powerful sandboxing tool. It basically places your browser into a virtual sandbox while browsing the web, and completely isolates your machine from any and all malware. If you are unfamiliar with Sandboxie, search YouTube as there are several good tutorials on how to use it... Users who rely only on their antivirus as protection will sooner or later start a thread very similar to yours! ;)


This vid is a bit old, but it is really good and still applies today:

http://www.youtube.com/watch?v=GueXMq-Vyi8 (Part 1)
http://www.youtube.com/watch?v=2IbwhE-r8_k (Part 2)
 

My Computer

At a glance

Windows 7 Home Premium x64 SP1
OS
Windows 7 Home Premium x64 SP1
You can also run an "online" scan with ESET .... this won't interfere with MSE or MBam;

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  2. Click the [esetOnline.png] button.
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
     1. Click on [esetSmartInstall.png] to download the ESET Smart Installer. Save it to your desktop.
     2. Double click on the [esetSmartInstallDesktopIcon.png] icon on your desktop.
  4. Check [esetAcceptTerms.png].
  5. Click the [esetStart.png] button.
  6. Accept any security warnings from your browser.
  7. Check [esetScanArchives.png].
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push [esetListThreats.png].
  11. Push [esetExport.png], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the [esetBack.png] button.
  13. Push [esetFinish.png].
 

My Computer

At a glance

Windows 7 Ultimate 32bit SP1Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz4 GBATI Radeon HD 2600 Pro
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
Thanks guys. But some of these ask or are required to be put on a CD or USB. I just want it on my computer so I can scan it.

Also, just now MSE caught two bad things: Backdoor:Win32/Cycbot.G and Rogue:Win32/Fakescanti.
 

Run the recommended stuff from the CD/USB/online scan first to make sure your system is clean - unless you do that first, anything you install to your PC will always be suspect.
 

Backdoor:Win32/Cycbot.G is a backdoor trojan that allows attackers unauthorized access and control of an affected computer. After a computer is infected, the trojan connects to a specific IRC server and joins a specific channel to receive commands from attackers. Commands can instruct the trojan to spread to other computers by scanning for network shares with weak passwords, exploiting Windows vulnerabilities, or possibly spreading through backdoor ports opened by other families of malicious software. The trojan may also allow attackers to perform other backdoor functions, such as launching denial of service (DoS) attacks and retrieving system information from infected computers.

Using a known 'clean computer', change ALL your passwords ... do not use the infected one to do this!

Flush the DNS cache and restore MS's Hosts file:

Copy and paste these lines in Notepad:

@Echo on
REM Change to the folder that holds the hosts file (%SystemRoot% is normally C:\Windows)
pushd %SystemRoot%\system32\drivers\etc
REM Drop the hidden, system and read-only attributes so the file can be rewritten
attrib -h -s -r hosts
REM Replace the hosts file with the single default loopback entry
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
REM Release and renew the DHCP lease, then clear the DNS resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
REM Reset the Winsock catalog and the TCP/IP stack (takes effect after the reboot)
netsh winsock reset
netsh int ip reset
REM Reboot in one second, then delete this batch file
shutdown -r -t 1
del %0


Save as flush.bat to your desktop.
Right click on the flush.bat file to run it as Administrator. Your computer will reboot itself.

See what you've been hit with Encyclopedia entry: Rogue:Win32/FakeScanti - Learn more about malware - Microsoft Malware Protection Center
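A way to inspect the hosts file before (or instead of) blindly overwriting it, as an added example that is not part of Jacee's post: the script below parses a Windows hosts file and flags every active mapping that is not the default localhost entry, since pointing vendor or update sites at loopback, or pinning a site to a foreign address, is how a tampered hosts file hurts you. SAMPLE_HOSTS is constructed for illustration and its non-localhost names are placeholders; on Windows the script also reads the live file under %SystemRoot%\System32\drivers\etc.

```python
"""Audit a Windows hosts file for hijacked or blocked name mappings.

Added example, not part of the forum post. SAMPLE_HOSTS is constructed
for illustration and its non-localhost names are placeholders.
"""
import ipaddress
import os
import sys

# The only names a default Windows hosts file maps to loopback
# (Windows 7 ships them commented out, so an empty result is normal).
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample: two legitimate lines plus two kinds of tampering.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.security-vendor.example   # constructed: vendor site blocked
198.51.100.7    www.bank.example                 # constructed: site redirected
"""


def parse_hosts(text):
    """Return (ip, hostname, line_number) for every active mapping in text."""
    entries = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            entries.append((fields[0], name.lower(), number))
    return entries


def audit_hosts(text):
    """Classify each active mapping; return (line, ip, name, reason) findings."""
    findings = []
    for ip, name, number in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((number, ip, name, "address does not parse"))
            continue
        if addr.is_loopback:
            if name not in DEFAULT_LOOPBACK_NAMES:
                # Pointing a real site at loopback silently blocks it.
                findings.append((number, ip, name, "non-default name sent to loopback"))
        else:
            # Any other mapping overrides DNS for that name.
            findings.append((number, ip, name, "name pinned to external address"))
    return findings


def audit_live_hosts_file():
    """Audit the real hosts file on Windows; None when not on Windows."""
    if sys.platform != "win32":
        return None
    root = os.environ.get("SystemRoot", r"C:\Windows")
    path = os.path.join(root, "System32", "drivers", "etc", "hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s %s -> %s" % finding)
    live = audit_live_hosts_file()
    if live is not None:
        print("live hosts file findings:", live or "none")
```

Run as-is it reports the two constructed tampered lines; an empty result on the live file means the hosts file is doing nothing beyond the defaults, which is the state flush.bat produces.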
 

Ah, those get a lot of people.
Yes, be careful when you see something like that telling you you need to scan for viruses on the internet (after you've clicked your browser), OR any pop-ups that claim the same. You can go directly to a website that you know is a true antivirus to scan for viruses, but random websites or pop-ups should never be accepted. I would click log off if it happened (so it shuts down IE for you automatically) in the event I stumbled upon something like this (I have). Don't ever click okay, and sometimes clicking cancel is the same as clicking okay.

PS. You should be able to save all open programs before you log off, as nothing bad is downloaded until you accept it.

However, do follow what Jacee said. This is a safe website scanner:
You can also run an "online" scan with ESET .... this won't interfere with MSE or MBam;

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  2. Click the [esetOnline.png] button.
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
     1. Click on [esetSmartInstall.png] to download the ESET Smart Installer. Save it to your desktop.
     2. Double click on the [esetSmartInstallDesktopIcon.png] icon on your desktop.
  4. Check [esetAcceptTerms.png].
  5. Click the [esetStart.png] button.
  6. Accept any security warnings from your browser.
  7. Check [esetScanArchives.png].
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push [esetListThreats.png].
  11. Push [esetExport.png], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the [esetBack.png] button.
  13. Push [esetFinish.png].
PPS. Why all of a sudden do I find like 10 posts from jacee that I want to rep, but can't because I have only recently repped her?
 

Okay, this is before Jacee's recent post:

Okay, guys: new problem!

This thing happened again, this time as Privacy Protection. Nothing I could do got me to go on the web, or even activate Malwarebytes. When this happened, I was scanning the computer with , Seven Forums was still up, Newsarama.com was up for just 2-3 minutes, and I was watching blip.tv on Firefox.

This is nuts; something is inside my computer. I don't know what nor how to find it. I was doing the ESET scan recommended by you guys, and it found three threats before this happened. Then I used Malwarebytes on safe mode and it found and deleted HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Privacy Protection and c:\Users\Owner\AppData\Roaming\privacy.exe
c:\Users\Owner\AppData\Local\Temp\823F.tmp (Rogue.PrivacyProtection) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\Temp\8951.tmp (Rogue.PrivacyProtection) -> Quarantined and deleted successfully.

I did check what was updated before this happened, and I found setupact.log (created 7/14/09, and modified 11/14/11 6 hours and accessed 2 hours before this post). Others were WindowsUpdate.log, bootstat.dat, and ntbtlog.txt. And MSE scanned WindowsUpdate.log, and it found Trojan:Win64/Sirefef.B. That's deleted (after it was restarted after safe mode). And I did do Malwarebytes afterwards, and it found nothing.

Please help me, something must be on my computer to do this. Maybe a keylogger, watcher, blogger, etc.
P.S. nortonsafeweblite.exe is not set up yet.

After Jacee's post:

I did use flush.bat and it scanned and restarted fine.

Using a known 'clean computer', change ALL your passwords ... do not use the infected one to do this!

What do you mean?

Yes, be careful when you see something like that telling you you need to scan for viruses on the internet (after you've clicked your browser), OR any pop-ups that claim the same. You can go directly to a website that you know is a true antivirus to scan for viruses, but random websites or pop-ups should never be accepted. I would click log off if it happened (so it shuts down IE for you automatically) in the event I stumbled upon something like this (I have). Don't ever click okay, and sometimes clicking cancel is the same as clicking okay.

That's the thing. AV popped up after Adobe said it needed to be updated, and it was the same window/design as it looks normally. And now Privacy Protection popped up out of nowhere. And all I was doing was watching on blip, having this site up, and scanning with ESET. I'm afraid now to use that again.
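The Malwarebytes result quoted above (a Run-key entry named "Privacy Protection" launching privacy.exe from AppData\Roaming, with .tmp files in Local\Temp) is the usual persistence shape of these rogue AV programs: an autostart that points into a user-writable scratch folder rather than Program Files. As an added example that is not part of the thread, the script below flags such entries. SAMPLE_RUN_ENTRIES is constructed (the first mirrors the finding in the thread; the Microsoft Security Client and Adobe Reader lines are ordinary default install paths included as benign controls), and on Windows the script also enumerates the live HKCU Run key through the standard winreg module.

```python
"""Flag Run-key autostart entries launched from user-writable scratch folders.

Added example, not part of the forum post. SAMPLE_RUN_ENTRIES is
constructed: the first mirrors the Malwarebytes finding in the thread,
the next two are ordinary benign autostarts used as controls.
"""
import re
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Folder fragments a normal installer does not use for an autostart binary.
SUSPICIOUS_PARENTS = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\appdata\\locallow\\",
    "\\users\\public\\",
    "\\windows\\temp\\",
)

SAMPLE_RUN_ENTRIES = [
    # Constructed re-creation of the thread's Malwarebytes result.
    ("Privacy Protection", r"C:\Users\Owner\AppData\Roaming\privacy.exe"),
    # Benign controls: default install paths for MSE and Adobe Reader.
    ("MSC", r'"C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey'),
    ("Adobe Reader Speed Launcher",
     r'"C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"'),
    # Dropper-style entry: a non-.exe file started from Temp (constructed).
    ("Updater", r"C:\Users\Owner\AppData\Local\Temp\823F.tmp"),
]


def extract_executable(command):
    """Return the program path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted: take up to the first '.exe', otherwise the first token.
    match = re.match(r"(.+?\.exe)(?=\s|$)", command, re.IGNORECASE)
    return match.group(1) if match else command.split()[0]


def classify(name, command):
    """Return a finding tuple when the autostart runs from a scratch folder."""
    exe = extract_executable(command)
    lowered = exe.lower()
    for parent in SUSPICIOUS_PARENTS:
        if parent in lowered:
            return (name, exe, "autostart from user-writable folder " + parent)
    if not lowered.endswith(".exe"):
        return (name, exe, "autostart target is not an .exe")
    return None


def audit_run_entries(entries):
    """Apply classify() to (name, command) pairs; return only the findings."""
    return [f for f in (classify(n, c) for n, c in entries) if f]


def read_live_run_entries():
    """Enumerate the HKCU Run key on Windows; empty list elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            entries.append((name, str(value)))
            index += 1
    return entries


if __name__ == "__main__":
    for name, exe, reason in audit_run_entries(SAMPLE_RUN_ENTRIES):
        print("%-28s %s\n    %s" % (name, exe, reason))
    live = audit_run_entries(read_live_run_entries())
    if live:
        print("live HKCU Run findings:", live)
```

A hit is a lead to look at, not proof of infection: some legitimate per-user updaters also live under AppData\Roaming, which is why the output shows the full path for each flagged entry rather than acting on it.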
 

ANY pop up online (tabbed or in another browser window) for ANY antivirus protection is a fake, don't click it. Even if it looks like your antivirus (your antivirus is its own program, and will not show up in your web browser)

You are saying that the antivirus jacee recommended seemed like it gave you another virus? o.0
 

No, no. It happened when I did the scan. These things popped up and showed like they were scanning. There was no way for me not to click on them just to get them out, but then I couldn't click on anything else either because it said it was infected.
 

What did the Hitman Pro and SUPERAntiSpyware scans say?
 

I haven't done those yet, but the SUPERAnti was the one I asked about because it was more "do I have to download that onto a USB or can't it just be on my computer instead?" thing.

Okay, look: ESET did its thing, but there was a problem in the end when it froze on a file for 90 minutes. Sorry but I had to stop it, but it did find five threats. Following directions, I did not delete them (though I wanted to), so here are the threats:
C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll Win32/Toolbar.Zugo.A application
C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe Win32/Toolbar.Zugo application
C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7P1Q2W82\index[1].htm JS/TrojanDownloader.Iframe.NHH trojan
C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\81YKYISB\index[1].htm JS/TrojanDownloader.Iframe.NHH trojan
C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\E3HF3MK2\107aca77385a493424251ce809642fb3012a3017711[1].js JS/Fraud.NAB trojan

UPDATE: Malwarebytes seems to have taken care of the StartNow/Zugo toolbars. This is because I used the full scan instead of the quick scan, but even so it froze at 33 mins.
 
Following directions, I did not deleted them (though I wanted to) so here are the threats
Why didn't you have ESET delete the threats? :shock:
 

Because you didn't say it...?

Look, I'm sorry, it's just that how those directions were typed made it seem like I wasn't supposed to delete anything, but scan the archives. I thought maybe you wanted to know what it found so that we could delete them and prevent at the same time. I remember something like that years ago with my old computer. Anyway, I did the scan twice, and I believe the five it found are...gone? I wasn't sure with this because at the end, I checked "delete the files", and I hit "Finish" because there wasn't anything else to click, but it got me into its "buy this" page and I didn't think at first that it deleted the files, which is why I did the scan again. So I think so.

This was the file ESET and Malwarebytes' full scan froze at. I didn't get the full link because this is all it showed:
_default;sz=399x299;k21=1;kgender=m;kga=1002;kar=4;klg=en;kage=25;kg

Anyway, what's next?

P.S. I use StartNow as my homepage, and some of the files the scan(s) found have StartNow in their name. A little research and I found this might be bad, so as a precaution I changed it to just Google. Was I correct? Also, what about Bing or Blogger; are they bad too?

EDIT: Sorry, one more question: my old computer once had something, not a pop-up blocker, but something that didn't make the ads appear on sites. If anything, where the ads were on any site just showed "page cannot be displayed". I don't know what that was, but if anyone knows what I'm saying; do you know where I could get that again?

UPDATE: IT HAPPENED AGAIN! AV Security popped up again and I used Malwarebytes to remove 17 files and restart. When it popped up, Adobe Flash Player popped up asking for access to my computer, like an update, just like Day 1 on this. It must be Adobe that's infected, right? I don't know what to do, guys. Please, I need this out.
 
UPDATE: I dl-ed Hitman Pro, and I now have a 30 day free trial. It found a lot of things that MSE and Malwarebytes didn't see and seems to have gotten rid of them. I don't see a log or something with info to share, but what I saw were tracking cookies that came from Firefox when my brother was using it before he got his own computer.

After Hitman rebooted my comp., I did MSE again and used Hitman again to see if it found anything else or if they were still there. Nothing.

@Jacee; I changed the homepage, but I don't have the Startnow toolbar, I have Google Toolbar.

I have dl-ed Sandbox per DBone's request, and as for the Sweeper; that can be saved and used on my computer, no USB, right?

P.S. any other ideas on my third day of this? I guess the only way to know for sure that this is finally gone is to have one day at least with none of this happening, huh?
 
Sounds like you're on the right track. SUPERAntiSpyware (SAS) has recently changed their online scanner to a portable scanner, and I didn't realize that in my first post, sorry about that. SAS free edition would be my next weapon ( SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware! ) followed by Trend Micro HouseCall ( HouseCall - Free Online Virus Scan - Trend Micro USA ). You can't rely on just one or two scanners once your machine is infected, use them all! Please report back after those two scans.


edit: Once you run the two above scanners you can run Norton Power Eraser ( Norton Rescue Tools )... BEFORE YOU DELETE ANYTHING FOUND DURING THE NPE SCAN, REPORT BACK HERE FIRST!! NPE IS VERY AGGRESSIVE, AND CAN FIND FALSE POSITIVES.
 
