Solved Virus "Please update your internet explorer" even after formatting

[cottonball]

Please download RogueKiller from one of the following links
•Link 1 > RogueKiller Download
•Link 2 > RogueKiller - Geeks to Go Forum
Save to your desktop:

Close all programs and disconnect any USB or external drives before running the tool.

Right-click and select: Run As Administrator
Once the Prescan finishes, click: Scan

When the Status box shows Scan Finished, please close the program, and make sure you do not fix anything!

Please provide the report that opens in your reply.

Thanks!

 

[Wintermoon1919]

ok i booted to peppermint and downloaded the files(MBAM,TDSS killer,PANDA cloud and RogueKiller) then i checked in windows with those tools

MBAM and TDSS killer detected nothing while Panda cloud and RogueKiller detected something
i'll post the logs of Panda and RogueKiller
i'll post the log of my system info

I cleaned the issues with Panda but i didn't touch nothing with RougeKiller(like cottonball told me)

(the only thing that went slightly wrong is that i forgot to disconnect the ethernet cable while i was in windows for a maximum of 15 seconds then i disconnected the cable ; anyway i didnt open any browser so i hope it won't be a problem )

 

[andrew129260]

Hmm, logs look very interesting.

By the way, great job at following the directions

I am interested to see what cottonball thinks on these logs. It looks like Panda cloud cleaner detected a reg issue with explorer. But to be honest it looks like nothing. It appears it finds it weird that show file extensions are not enabled, which does not help. Give me some time to look at the others fully, yuor specs is what I am interested in right now.

Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[HIDEFILEEXT] to be changed to: 0

Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[HIDEFILEEXT] to be changed to: 0

 

[cottonball]

Wintermoon1919,

:info: Please run RogueKiller once again, and this time press: Delete (Cancellare)

:info: Also, please download aswMBR:
http://www.bleepingcomputer.com/download/aswmbr/
Save it to the pen drive, and then move it to the Desktop of the problem computer.

Make sure your AntiVirus is temporarily disabled!!
For information on how to disable protective programs, refer to this Link:
http://www.bleepingcomputer.com/forums/topic114351.html

Right-click the aswMBR file and select: Run as Administrator

When prompted with: This Application can use the Avast! Free AntiVirus for scanning...etc.
Select: Yes

The last line of the run in progress will provide the status of the Avast! scan.
It will say: Downloading Avast! virus definition database, etc.

When the Avast! scan is done, the last line changes to: Avast Engine definitions #####

At this point, click the Scan button on the lower left of the aswMBR screen.
The last line will now say "Scanning" while in progress.

Upon completion of the scan, click >Save log< and save it to the Desktop.
Note: Please do NOT attempt to fix anything!!
Exit the program.

:ar: Please post the aswMBR log in your reply.

Note that a file named MBR.dat is also created on the Desktop.

Please submit MBR.dat for analysis to the following online services that analyze suspicious files:
Jotti's virusscan

:ar: Please post the links for the file analyses in your reply.

 

[cottonball]

@andrew,

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000000
(Means : shown file extension)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
:ar: (Means : hide file extension)

Isn't "HideFileExt"=dword:00000001 the default? That is what my Registry setting shows.


Was a hard Reset done on the router? Where the manufacturer's instructions for a Reset followed?

The software approach has not worked in this situation. Maybe a hardware approach will get rid of the issue...

 

[Wintermoon1919]

the log of aswMBR (i tried to attach the .dat file but it tells me "invalid file" 'cause i tried to open it with "windows block notes" and it gave strange letters and stuff.....

i deleted the issues with RogueKiller

i used Peppermint do download aswMBR and the fault page(update flash player etc etc)occured again but as a pop-up that i could easily close so again i think the problem might be on the internet/router/etc


yes i did a reset by pushing the button on my router to try to solve the problem some weeks ago but nothing changed(for some minutes/hours i didnt come across the problem but then again it occured)

 

[gregrocker]

I spoke with Rayda today who is swamped after just getting back from Hawaii, but she browsed the thread and wanted to know why the router had not yet been reset since there is a known issue with infection via the router. Didn't you just report that your phone browser became similarly infected when you connected?

If your router is less than a year old it has manufacturer's tech support who can help you reset it and may know about this issue and additional steps including possibly flashing/reflashing a firmware update. I don't know where a virus would hide in a router but apparently there is a way a router becomes infected. I have seen viruses run all over my sister's network to hide until we unplugged all devices until they were each cleaned.

 

[Wintermoon1919]

yes my phone browser becomes infected when i connect to my home internet
maybe i should call a technician

 

[andrew129260]

I would just buy a new router. Only way to be sure it is gone. If you have a router/modem all in one unit, just get a modem yourself, or just a modem from your ISP. Then buy a new router




And yeah cottenball, hide known file extensions is the default. I am just more surprised that that is the only thing panda cloud cleaner found. And normally antivirus apps do not report on setting change like that one. Things like the firewall being disabled and other stuff yeah, but not the fact that hide known file extensions was not enabled. It was just odd thats all.

 

[gregrocker]

What button was used to reset router? It's often recessed. Once the reset button is pushed you need to dial back in to set up your password again, enable Firewall.

If you've provided everything requested by Security experts after the last reinstall and are ready to connect to the net to see if the problem persists, I suggest you plug into only the Modem and exclude the router. Run all rounds of Important and Optional Windows Updates after enabling Automatically deliver drivers via Windows Update (Step 3), until there are no more. Install Chrome from the Google site and test it. Do normal internet browsing with no programs installed yet.

 

[cottonball]

Just to make sure we left no stone unturned, please follow the previous instructions:

Note that a file named MBR.dat is also created on the Desktop. Please do not open it!!!

Just upload MBR.dat for analysis to the following online service that analyzes suspicious files:
Jotti's virusscan

Click: Browse
At the Choose file to upload prompt, navigate to the MBR.dat
Press: Submit file

:ar: Please post the link for the file analysis in your reply.

 

[Wintermoon1919]

ok guys so i did another reset on the router and before connecting to any site i activated the firewall and the SPI(wich i dont know what is ) and now everything seems to work normally on the pc and even on the phones....
i think the problem was the fact that i didn't activated the firewall and the SPI before the malware took over
i'll tell you if the problem will appear again or else i'll mark as solved

thank you for your patience and your precious help btw

 

[cottonball]

Here is some info on Service Pack 1 (SP1):
Service Pack and Update Center - Microsoft Windows

Service Pack 1 was already installed as shown in the FRST report:
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: Italian

Anyway, glad the issue is not appearing any longer. Use the computer for a few days, and keep us posted on how it goes.



Good luck, Wintermoon1919!!

 

[gregrocker]

Please let us know exactly what was done so it will help others in this situation as all of these threads are found later in searches.

 

[andrew129260]

I believe he meant SPI guys. Not service pack 1. In fact the post states that.

A firewall that performs stateful packet inspection (SPI) is supported on most routers. It is an extra security measure. Here is a link about it:

http://en.wikipedia.org/wiki/Stateful_firewall

 

[Wintermoon1919]

i simply resetted the router and before connecting to internet i activated the firewall and the SPI(wich is an extra-firewall or something like that ) and now everything works perfectly

thanks guys

 

[gregrocker]

Nice work, all.

 

[Slartybart]

i simply resetted the router and before connecting to internet i activated the firewall and the SPI(wich is an extra-firewall or something like that ) and now everything works perfectly

thanks guys

This was a sticky one, great work determining the root cause.

Wintermoon1919: Thanks for your patience, for posting the resolution that worked for you, and for marking the thread solved.

Bill
.

 

[ElctrcRngr]

This is my first day on this forum. I just read this entire thread and would like to say how impressed I am with the tenacity of all the members who helped WinterMoon1919 and, of course, WinterMoon herself. This makes me quite proud to be a member of the Windows community. Kudos to all of you!