Solved Virus "Please update your internet explorer" even after formatting

[Wintermoon1919]

the logs

 

[cottonball]

Wintermoon,

After looking at the results of the programs run, nothing pops out at me that could cause the warning.

Presuming IE 11 and Chrome are your browsers. Have you previously taken action to Reset both browsers?

Use the PC for a day or two, and post back if, or, whether the warning comes back.

It could be that turning the computer off, and then starting it again may have cleared the issue, since it appears you ran ADWCleaner and the Junkware Removal Tool.

 

[gregrocker]

Web pages often try popups or anything else to get your attention to click on something, but if you don't you are usually safe. If ever in doubt and you can't close the browser, just end the task in Task Manager or shut down the PC. As I said earlier I think that was what you saw, nothing more.

 

[UsernameIssues]

The FRST.txt file reports the DNS servers to be:
23.253.94.129 (Rackspace Hosting) Which seems a bit odd.
8.8.8.8 (Google's)

Wintermoon1919 stated that "...all the other computers in the house don't have the virus"...
...and they probably have the same DNS settings
...so this might not help, but I would consider using OpenDNS on the router
...and maybe on each computer too (in case the router gets reset someday).

 

[Wintermoon1919]

it's not a normal pop-up i cant close it and continue to surf the web normally

tomorrow i'll try other solutions and i'll keep you updated

 

[andrew129260]

The FRST.txt file reports the DNS servers to be:
23.253.94.129 (Rackspace Hosting) Which seems a bit odd.
8.8.8.8 (Google's)

Wintermoon1919 stated that "...all the other computers in the house don't have the virus"...
...and they probably have the same DNS settings
...so this might not help, but I would consider using OpenDNS on the router
...and maybe on each computer too (in case the router gets reset someday).

I agree with username issues. Open dns would be a smart idea. It will also help you avoid problems like this in the future since it uses malware blacklisting.

Is the problem still going on?

 

[Wintermoon1919]

yes i still have the problem

now i think that gregrocker will try to help me through TeamViewer

 

[Wintermoon1919]

a part form solving the problem what do you think about the issue? what could it be?
(still have the problem btw)
thanks

edit:

this is my "host" file and my "router home page"...is everything all right?

 

[gregrocker]

Connected for Wintermoon and found rootkit.necurs.GO and two Trojans with MBAM. Rootkit was in drivers folder, apparently imported into the clean install with a driver.

After MBAM reboots PC and shows clean, the problem with all browsers persists with no ability to connect to the internet, blocked by apparent continued infection.

TDSS Killer finds nothing. SFC shows clean.

Since OP claims nothing imported except from the actual Chrome and other sites, no drivers imported since all were provided during install or Windows Updates, we looked at his router to find Firewall is diconnected.

After reconnecting router firewall I suggested he scan all other home PC's with MBAM, scan Win7 DVD with MBAM, then wipe the HD with Diskpart Clean Command to reinstall, again only getting drivers from installer and Updates.

Import nothing until browsers are tested.

Security specialists may have other solutions for rootkit.necurs.GO

 

[andrew129260]

Where are you downloading the driver from? What site?

I had a feeling it was that driver. Thanks for the update gregrocker.

 

[Layback Bear]

Which driver is (that driver) and from where?

 

[gregrocker]

We're obviously on the same wavelength Jack as I just reconnected to copy out the driver location. Google doesn't recognize the driver so it may just be the infection itself.

Can we get some Security specialists on this? Thanks!

Malwarebytes Anti-Malware
Malwarebytes | Free Anti-Malware & Internet Security Software

Scan Date: 26/05/2014
Scan Time: 19:14:15
Logfile:
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.05.26.03
Rootkit Database: v2014.05.21.01
License: Trial
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Wintermoon

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 246339
Time Elapsed: 3 min, 56 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
Trojan.Agent, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SYSHOST32, Quarantined, [f80393c20378e4529d07e1b22bd87a86],

Registry Values: 1
Trojan.Agent, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SYSHOST32|ImagePath, "C:\Windows\Installer\{00D50165-1656-0EEE-8910-812968BC3F0D}\syshost.exe" /service, Quarantined, [f80393c20378e4529d07e1b22bd87a86]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Rootkit.Necurs.GO, c:\Windows\System32\drivers\9f699c6cf9ca7339.sys, Quarantined, [b8439fb6304b65d1430fb4c458a9be42],

Physical Sectors: 0
(No malicious items detected)


(end)

It is clean now.

My suggestion at this point unless specialists feel it is worth trying to clean up, is to reinstall after wiping with Clean command, don't import anything before checking IE for infection, then if not infected install Chrome to check it. Check these before and after installing all rounds of Windows Updates, then check both again. Likewises check browsers immediately after installing each program and after activity on any other home PC.

 

[andrew129260]

Unfortunately greg with rootkits it is very hard to get enough info to know. That log unfortunately does not share much. I believe malwarebytes though if detected it as a rootikit.

Here is some info on the variant from 2012:

Necurs Rootkit Spreading Quickly, Microsoft Warns

http://artemonsecurity.blogspot.com/2012/12/necurs-rootkit-under-microscope.html

This seems to be an old strain of it. I wonder how long it was on the system...

 

[gregrocker]

He had just reinstalled. We went over everything he did after reinstall and nothing was imported except from the Chrome site and the virus solutions download sites from earlier in this thread.

This leaves the network, so we dialed into his router and the firewall was off. Now enabled, he's running MBAM scans on his other home PC's.

I still think he should reinstall after wiping with Clean command, don't import anything before checking IE for infection, then if not infected install Chrome to check it. Check these before and after installing all rounds of Important and Optional Windows Updates (after enabling Automatically deliver drivers via Windows Update (Step 3)), then check both again. Likewise check browsers immediately after installing each program and after activity on any other home PC.

I'm not sure the hardware firewall will block viruses from hiding on other home PC's, though, as my sister's Linksys didn't and we had viruses running from one PC to another to hide while scans were run until disconnecting each from web before scanning.

Any other ideas?

 

[Layback Bear]

In the Trial version of Malwarebytes do you have a option to select rootkit.
I noticed in post #52 this


Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

 

[andrew129260]

@Greg, I would have him reset his router with the reset button, or better yet see if an updated firmware update is available. Wipe to factory defaults again, and then Install it and make sure firewall is on. Then yes I would do a clean install, especially when rootkits are involved.

@ layback bear

Good suggestion, though I am confident greg chose this as it detected a rootkit, which it would not do if that was unchecked.

 

[Layback Bear]

Post #52 shows it wasn't selected. How Malwarebytes found the rootkit I don't know but their might be more.

 

[andrew129260]

Post #52 shows it wasn't selected. How Malwarebytes found the rootkit I don't know but their might be more.

 

[gregrocker]

Rescanning now with that box checked. It was checked before which makes me wonder how it got unchecked.

Thanks, guys.

Results:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 26/05/2014
Scan Time: 22:03:25
Logfile:
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.05.26.03
Rootkit Database: v2014.05.21.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Disabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Wintermoon

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 248404
Time Elapsed: 5 min, 5 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

[UsernameIssues]

Post #52 shows it wasn't selected. How Malwarebytes found the rootkit I don't know but their might be more.

With the root kit option turned OFF...
...MBAM will still detect files that can be installed as a root kit.

With the root kit option turned ON...
...MBAM will scan for active root kit infections.