
Possible infection



#1 TreeFitty


Posted 17 March 2009 - 02:19 PM

System: Windows XP Home Service Pack 3

Yesterday, when I started my computer in the morning, my ZoneAlarm firewall didn't load automatically. Instead a screen came up that (I believe) only comes up when you first install ZoneAlarm (can't remember what it says, but you can either choose "yes" or "no, thanks"). This seemed weird, but I was able to start ZoneAlarm manually, then checked to make sure it was still set to load at startup. The settings looked fine. I did some stuff on the Internet, left my computer for a while, and when I came back I couldn't access the Internet. Whenever I tried to connect to a site my browser (Firefox 3) would just keep saying "waiting for (name of website)". I thought maybe my ISP was having trouble with their service (which does happen sometimes), so I decided to just wait and try again later. After a couple of hours went by and my Internet still wasn't working, I decided to do a Malwarebytes scan. I found three results:

(from the scan log)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

As you see, they were all deleted (I usually just quarantine items in case it's a false positive, but these got deleted. I don't know if I unintentionally deleted them or Malwarebytes automatically deleted them). Now I'm getting a Windows security alert telling me that ZoneAlarm is installed but its status is "unknown", and that my anti-virus (avast) reports that it is turned off. The ZoneAlarm control center, however, lists "all systems active", and I can start avast with no problem. I still couldn't connect to the Internet, so I scanned with avast, SUPERAntiSpyware, Spybot S&D and Ad-Aware. None of them found anything. By this time it was late and I decided to put it off until today. I'm still getting the Windows security alert, but I can access the Internet now. I scanned again with SUPERAntiSpyware and did a boot-time scan with avast; neither found anything. I think there are two possibilities: either I am infected with something that my scanners aren't finding, or the results were false positives and it was just a coincidence that I couldn't access the Internet at the time. (I recently had some false positives with Malwarebytes, but in that case I was able to restore the files.) If it was a false positive, what (if anything) can I do to replace the files that were deleted?

Thanks in advance for any responses.

Edited by TreeFitty, 17 March 2009 - 05:58 PM.


#2 boopme


Posted 17 March 2009 - 08:13 PM

Hello, let's try one more scan here.

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real-time protection programs before performing a scan.
  • When done, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the context menu. Then reboot to apply the changes.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 TreeFitty


Posted 18 March 2009 - 10:07 AM

Thanks for the reply. I ran SDFix, and it didn't find any infections. I'm starting to really think that what MBAM found were false positives. Unfortunately it deleted the files instead of just quarantining them, so I can't restore them. Perhaps I'll just turn off the alerts in the Security Center.

#4 boopme


Posted 18 March 2009 - 11:37 AM

Hi, a little research tells me those were where MBAM reset the values.
Often times malware turns off Windows Updates, firewalls and antivirus, then disables those registry entries that let Security Center alert you.
The significance is that MBAM now returns them to the default settings even if a user has had no malware and he or his software has turned them off.
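The three registry values in the Malwarebytes log are the Security Center switches that suppress the "antivirus off", "firewall off" and "updates off" balloon alerts; a value of 1 hides the alert, 0 (MBAM's "Good") leaves it on. The following PowerShell audit is an added example, not something from this thread or from Malwarebytes; it assumes the XP/Vista-era key HKLM\SOFTWARE\Microsoft\Security Center and an elevated shell, and it only rewrites values when -Restore is given, since as boopme notes a legitimate security product may also set them.

```powershell
# Added example (not from the thread): audit the Windows Security Center
# notification switches that the Malwarebytes log reported as hijacked.
# 1 = alert suppressed, 0 = alert enabled (MBAM's "Good: (0)").
# Run from an Administrator shell; pass -Restore to reset any 1 back to 0.
param([switch]$Restore)

$KeyPath  = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$Switches = @{
    'AntiVirusDisableNotify' = 'antivirus off or out of date'
    'FirewallDisableNotify'  = 'firewall off'
    'UpdatesDisableNotify'   = 'Automatic Updates off'
}

if (-not (Test-Path $KeyPath)) {
    Write-Warning "$KeyPath not found (no Security Center key on this Windows version)."
    return
}

$props = Get-ItemProperty -Path $KeyPath
foreach ($name in $Switches.Keys) {
    $current = $props.$name
    if ($null -eq $current) {
        # Missing value: Security Center treats the alert as enabled.
        "{0,-24} not set  (alert enabled by default)" -f $name
        continue
    }
    if ($current -eq 1) {
        # Suppressed: a lead to investigate, not proof of malware by itself.
        "{0,-24} = 1  ALERT SUPPRESSED for: {1}" -f $name, $Switches[$name]
        if ($Restore) {
            Set-ItemProperty -Path $KeyPath -Name $name -Value 0 -Type DWord
            "{0,-24} reset to 0" -f $name
        }
    } else {
        "{0,-24} = {1}  (alert enabled)" -f $name, $current
    }
}
```

A value that has flipped back to 1 after being reset is worth more attention than a one-off finding, because that is the behaviour of the persistence boopme describes rather than a one-time change by a security product.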

#5 TreeFitty


Posted 19 March 2009 - 05:22 PM

Alright, thanks for your help.

#6 boopme


Posted 19 March 2009 - 07:40 PM

You're welcome!!

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.