

Infected With Pc-security-updates.com Problem


21 replies to this topic

#1 RVman

  • Members
  • 12 posts

Posted 20 September 2008 - 08:14 PM

My computer got infected with some malware (not sure what it is) but its symptoms were:
(1) It would pop up balloons cautioning that my computer was infected, slow etc.
(2) It would suddenly open up a browser window and take me to pc-security-updates.com
(3) The computer desktop background got changed and with a message appearing that warned about malware infection and with a link that goes to pc-security-updates.com
(4) Task manager was not working (Ctrl-Alt-Del wouldn't work)

I did clean up with Ad-Aware and Spybot S&D, and while they identified and got rid of various spyware, they were unable to identify or get rid of the malware causing the pc-security-updates.com problem.

I then ran Malwarebyte's program, and it appeared to detect several other spyware and seemed to successfully delete them. I was able to re-boot the computer normally and got my desktop background back to normal -- Task manager also seems to be working now. However, the shading of the area underneath each file/folder name on the desktop is now grey (i.e., names are in a grey box now).

I have attached the Malwarebyte program's log below -- I have 3 questions.
(A) Can you verify that it was successful in removing the malware that was causing the pc-security-updates.com problem?
(B) How can I be certain that my computer is now clean of all malware?
(C) I have Symantec's Antivirus Corporate Edition on my computer (and it does in real-time identify malware from any sites that I am visiting, and quarantines them, etc.) Yet when I run Windows Update, it gives a security warning stating that it cannot find any antivirus on my computer.

I would greatly appreciate your advice and help so that I can start using the computer confidently again.

- RVman

Malwarebytes' Anti-Malware 1.28
Database version: 1182
Windows 5.1.2600 Service Pack 3

9/20/2008 7:10:10 PM
mbam-log-2008-09-20 (19-10-10).txt

Scan type: Full Scan (A:\|C:\|D:\|F:\|K:\|L:\|M:\|N:\|O:\|)
Objects scanned: 262191
Time elapsed: 2 hour(s), 10 minute(s), 8 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 40

Memory Processes Infected:
C:\WINDOWS\system32\uesiuqcr.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\getsn32.msiesn (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{252874d8-5b00-4b93-a282-4ca656598278} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e221c81b-e518-4f93-b0d2-14e52065417a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2d9f1530-0b38-4dcb-a90a-cecd559f3514} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d9f1530-0b38-4dcb-a90a-cecd559f3514} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smwin32.mdr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e6be5e3a-23f3-4ec2-b9b7-bcd9a601f2a3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{38754e01-ac2e-482b-95fa-f1aee41823c4} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9f146720-43f3-4fa6-b9e5-4fb13f8c2ffd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Desktop) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\uesiuqcr.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\uesiuqcr.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uesiuqcr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\getsn32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smwin32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1194\A0278462.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1194\A0278463.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1195\A0278618.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1195\A0278619.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1195\A0278621.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1195\A0278622.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1195\A0278649.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1195\A0278650.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1195\A0278663.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1195\A0278664.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1197\A0278677.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1197\A0278678.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1198\A0278694.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1198\A0278695.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1199\A0278724.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1199\A0278725.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1199\A0278733.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1199\A0278734.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1199\A0278743.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1199\A0278744.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1200\A0278771.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1200\A0278772.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1200\A0278781.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1200\A0278782.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1201\A0278790.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1201\A0278791.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1202\A0278798.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1202\A0278799.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1202\A0278806.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1202\A0278807.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1202\A0278815.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1202\A0278816.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1202\A0278828.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1202\A0278829.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\default.htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\ADAPT_Installer.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\~.exe (Trojan.Agent) -> Quarantined and deleted successfully.


#2 RVman

  • Topic Starter
  • Members
  • 12 posts

Posted 20 September 2008 - 08:36 PM

Minor correction to my original post -- The greying of the text area associated with file/folder names on the Desktop must have been temporary -- The names now appear fine (i.e., without any box around them).

I am re-running Ad-Aware and S&D to see if any spyware are still lingering.

#3 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,035 posts
  • Gender:Male
  • Location:NJ USA

Posted 20 September 2008 - 08:39 PM

Hello, please reopen MBAM and select Update, then rescan and post the new log.

Yet when I run Windows Update, it gives a security warning stating that it cannot find any antivirus on my computer.

Did you mean to say Windows One care?
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....

#4 RVman

  • Topic Starter
  • Members
  • 12 posts

Posted 20 September 2008 - 11:28 PM

Boopme, Thanks for the response. As you have suggested, I re-opened MBAM, updated it and re-ran the scan. Given below is the log. It found 2 objects again (Trojan.FakeAlert). Not sure how these were missed when I did the first scan, or how they came back again. (Was it hiding somewhere, e.g., in a system restore point file?)

How do I know the computer is fully clean now of all malware?

==================================================================

Malwarebytes' Anti-Malware 1.28
Database version: 1184
Windows 5.1.2600 Service Pack 3

9/20/2008 11:20:42 PM
mbam-log-2008-09-20 (23-20-42).txt

Scan type: Full Scan (A:\|C:\|D:\|F:\|K:\|L:\|M:\|N:\|O:\|)
Objects scanned: 262609
Time elapsed: 2 hour(s), 12 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d9f1530-0b38-4dcb-a90a-cecd559f3514} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1202\A0278838.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
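Added example, not from this thread and not Malwarebytes' own code: a small Python triage script that parses item lines in the layout of the MBAM logs posted above, separates live detections from copies sitting in System Restore points (the "was it hiding in a restore point?" question in this post), and flags the entries that matter most for "am I clean?": Winlogon\Userinit and Browser Helper Object persistence, and policy keys such as DisableTaskMgr and the Security Center AntiVirusOverride. The embedded sample log is constructed from a handful of the lines above, and the marker lists are my own grouping, not a Malwarebytes classification.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a handful of item lines in the layout of the MBAM 1.x
# logs posted in this thread (raw string, so the backslashes are literal).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.28
Database version: 1182
Windows 5.1.2600 Service Pack 3

Memory Processes Infected:
C:\WINDOWS\system32\uesiuqcr.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d9f1530-0b38-4dcb-a90a-cecd559f3514} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\uesiuqcr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1194\A0278462.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\ADAPT_Installer.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
"""

# One item line: "<target> (<category>) -> [<detail> -> ...]<action>."
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<category>[^()]+)\) -> (?P<rest>.+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")

# My own grouping (assumption, not an MBAM classification): registry paths that
# give code a foothold at logon, and policy values that blind the user.
PERSISTENCE_MARKERS = (
    r"\winlogon\userinit",
    r"\winlogon\shell",
    r"\currentversion\run",
    r"\browser helper objects",   # BHOs load into every Internet Explorer process
)
POLICY_MARKERS = (
    r"\policies\system\disabletaskmgr",
    r"\security center\antivirusoverride",
    r"\security center\firewalloverride",
)
RESTORE_PREFIX = r"c:\system volume information\_restore"


@dataclass
class Detection:
    section: str
    target: str
    category: str
    details: list   # e.g. ["Bad: (1) Good: (0)"] for a registry data item
    action: str

    @property
    def in_restore_point(self) -> bool:
        # Copies inside System Restore are dormant until a restore is performed.
        return self.target.lower().startswith(RESTORE_PREFIX)

    @property
    def is_persistence(self) -> bool:
        return any(m in self.target.lower() for m in PERSISTENCE_MARKERS)

    @property
    def is_policy_tamper(self) -> bool:
        return any(m in self.target.lower() for m in POLICY_MARKERS)


def parse_mbam_log(text: str) -> list:
    """Parse the item lines of a Malwarebytes 1.x log into Detection records."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or not line or line.startswith("("):
            continue   # header lines, blank lines, "(No malicious items detected)"
        m = ITEM_RE.match(line)
        if not m:
            continue
        parts = m.group("rest").split(" -> ")
        found.append(Detection(section, m.group("target"), m.group("category"),
                               parts[:-1], parts[-1].rstrip(".")))
    return found


def triage(detections) -> dict:
    """Summarize what matters for 'am I clean?': live versus restore-point
    copies, persistence entries, policy tampering, and a per-family count."""
    return {
        "total": len(detections),
        "by_category": Counter(d.category for d in detections),
        "restore_point_copies": [d.target for d in detections if d.in_restore_point],
        "live_files": [d.target for d in detections
                       if d.section == "Files Infected" and not d.in_restore_point],
        "persistence": [d.target for d in detections if d.is_persistence],
        "policy_tamper": [(d.target, d.details) for d in detections if d.is_policy_tamper],
    }


if __name__ == "__main__":
    summary = triage(parse_mbam_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against a saved mbam-log-*.txt by reading the file into `parse_mbam_log`. The split the script makes is the useful one when reading a second scan: detections that live only under System Volume Information are old copies (clearing restore points removes them), whereas a fresh Userinit, Run or BHO entry after a reboot means something is still executing and re-creating its foothold.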

#5 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 21 September 2008 - 12:01 AM

MBAM is about the best program out there right now, but after seeing how badly Norton's, Spybot and AdAware failed you, why would you expect MBAM to work in just one pass or even by itself? Modern infections are like layers of an onion: you peel one back and another shows up.

When a few good programs all give up a clean scan then you are clean, but only if there was no sign of a nasty infection that involved rootkits and/or backdoor trojans.
Chewy

No. Try not. Do... or do not. There is no try.

#6 RVman

  • Topic Starter
  • Members
  • 12 posts

Posted 21 September 2008 - 08:07 AM

Ran S&D today -- Found a couple of things and fixed them (apparently) -- Don't know what they mean -- Any thoughts/comments?

Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

Microsoft.WindowsSecurityCenter.TaskManager: [SBI $B2E55F62] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr

#7 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 21 September 2008 - 08:15 AM

http://www.bleepingcomputer.com/forums/ind...st&p=940180

Would you run ATFCleaner and SAS from safe mode?
Chewy

#8 RVman

  • Topic Starter
  • Members
  • 12 posts

Posted 21 September 2008 - 08:31 AM

When I re-booted the computer after running S&D, a red shield appeared in the bottom toolbar with a pop-up message indicating that Windows did not find antivirus software on my computer (even though I have Symantec installed).

When I click on the red shield it pops up a page with the heading Security Center, Help protect your PC, and with the sections "Firewall (on)", "Automatic updates (on)" and "Virus Protection (not found)". When I click on "Recommendations" in the "Virus Protection (not found)" section, it gives me the option of choosing "I have an antivirus program that I will monitor myself" or gives a link to "Get another antivirus program" which leads to a microsoft.com page on Windows XP Security Software Providers.

This was the issue that I referred to in my original post when I said that Windows thinks I have no anti-virus.

#9 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 21 September 2008 - 08:33 AM

Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

You are still infected?

There are a few more steps in a cleaning.
Chewy

#10 RVman

  • Topic Starter
  • Members
  • 12 posts

Posted 21 September 2008 - 08:37 AM

By the way, S&D is popping up with warning such as

Category: System startup user entry
Change: Key changed
Entry: ctfmon.exe
Old data: "C:\WINDOWS\system32\ctfmon.exe"
New data: C:\WINDOWS\system32\ctfmon.exe

and asking whether to allow change or deny change -- Not sure if this change from within quotes to without quotes is serious or not.
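Added example, not from this thread: a Python model of how Windows resolves the executable in a Run/startup command string, used to judge a "key changed" notice like the one quoted above. The point it demonstrates is the reason quoting matters at all: for an unquoted path the loader tries each space-delimited prefix in turn, so a path with no spaces resolves identically with or without quotes, while an unquoted path containing spaces leaves earlier prefixes that would take precedence if a file by that name ever appeared. The set of "existing files" and the Program Files entry are constructed stand-ins; the ctfmon.exe path is the one from the post.

```python
import ntpath


def resolve_command(command: str, existing_files: set) -> dict:
    """Resolve the executable of a Run/startup command the way the Windows
    loader does (documented CreateProcess behaviour). Quoted: the executable is
    the quoted text. Unquoted: each space-delimited prefix is tried in turn,
    with ".exe" appended when the prefix has no extension, until one names an
    existing file. `existing_files` is a set of lower-cased paths standing in
    for the filesystem so the function runs offline."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
        return {"executable": exe, "shadow_paths": []}
    tokens = cmd.split(" ")
    tried = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        if prefix.lower() in existing_files:
            # Every prefix tried before this one would win if a file with that
            # name appeared: that is the exposure of an unquoted path with spaces.
            return {"executable": prefix, "shadow_paths": tried}
        tried.append(prefix)
    return {"executable": None, "shadow_paths": tried}


def compare_startup_change(old: str, new: str, existing_files: set) -> dict:
    """Judge a 'key changed' notice: do the old and new values resolve to the
    same executable, and does the new form leave any higher-precedence path?"""
    before = resolve_command(old, existing_files)
    after = resolve_command(new, existing_files)
    same = (before["executable"] or "").lower() == (after["executable"] or "").lower()
    return {
        "same_executable": same,
        "new_has_shadow_paths": bool(after["shadow_paths"]),
        "shadow_paths": after["shadow_paths"],
    }


# Constructed stand-in for the files present on the machine (lower-cased).
SAMPLE_FILES = {
    r"c:\windows\system32\ctfmon.exe",
    r"c:\program files\foo\bar.exe",   # hypothetical program, not from the thread
}

if __name__ == "__main__":
    # The change from the post: quotes removed around a path that has no spaces.
    print(compare_startup_change(r'"C:\WINDOWS\system32\ctfmon.exe"',
                                 r"C:\WINDOWS\system32\ctfmon.exe", SAMPLE_FILES))
    # Hypothetical unquoted entry with a space in the path: reports the gap.
    print(resolve_command(r"C:\Program Files\Foo\bar.exe /silent", SAMPLE_FILES))
```

For the ctfmon.exe change the model reports the same executable and no shadow paths, so the quoting itself changes nothing about what runs; the entry still deserves the same question as any other startup change, namely whether the file at that path is the genuine one. The Program Files case shows the situation in which an unquoted value does matter and is worth putting the quotes back.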

#11 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 21 September 2008 - 08:50 AM

Disable Spybot's TeaTimer. This is a two step process.

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

First step:
Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in the left panel, click Resident (shows a red/white shield).
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.
Don't forget to re-enable it, when your computer is clean.

This is a standard procedure before attempting malware removal.
Chewy

#12 RVman

  • Topic Starter
  • Members
  • 12 posts

Posted 21 September 2008 - 08:59 AM

I am going to run ATF-Cleaner and SUPERAntiSpyware as suggested.

By the way, after I ran S&D last, and rebooted the computer, and I got the red shield, the Webroot Spy Sweeper has been popping up every few seconds to tell me that "The Internet Communications shield has blocked access to" various spyware sites. --- Obviously still some problems remain.

#13 RVman

  • Topic Starter
  • Members
  • 12 posts

Posted 21 September 2008 - 09:22 AM

I ran ATF in safe mode -- seemed to go fine.

Then when I tried to run SUPERAntiSpyware I ran into the following problem and was unable to run the program -- popup saying
"Windows Installer - The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode or if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

Please advise.

#14 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 21 September 2008 - 09:35 AM

http://www.bleepingcomputer.com/forums/ind...mp;#entry940180

Reread or print the directions; they are complex and need to be followed exactly.

When I first did it I had to go through them 3 times: install and update in normal mode.
Chewy

#15 RVman

  • Topic Starter
  • Members
  • 12 posts

Posted 21 September 2008 - 09:41 AM

Uggh -- the shortcut to SUPERAntiSpyware was not visible -- Now found it -- Will try to run it now
