
SWP 2009 Demo Virus Alerts Disabling 1 UserID Account (other IDs appear fine)


#1 MikePastor
Posted 26 December 2009 - 09:43 AM

We have a shared home computer plus I have a "me only" laptop. On the shared home computer (Windows XP Home w/Service Pack 3) we have two parent (administrator) User IDs which have no problems. A child's (restricted) ID appears to be infected. Every program I try to run is reported as INFECTED on the child's ID. Cannot go anywhere in the browser. There is an "Antivirus Live" shield in the system tray (only in the child's restricted user).

Ran a Full Scan (from my Administrator ID) with TrendMicro Internet Security Pro (with the latest available updates)... it does not find anything except a few cookies and removes them. Do I need to run this from the infected user ID? Since no programs will run successfully there and all are "flagged as infected", including Windows Task Manager, WindowsSearch, etc., etc., I doubt I'd be able to even run the TrendMicro scan program.

There are pop-up windows titled SWP 2009 Demo. I also think I saw something like voyasysguard.exe in one of the message boxes that popped up.

Any suggestions???

#2 MikePastor
Posted 26 December 2009 - 04:01 PM

After reading some other posts/replies here, I downloaded and ran Malwarebytes' Anti-Malware. The following log shows 4 threats found and NOT removed:


Malwarebytes' Anti-Malware 1.42
Database version: 3434
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

12/26/2009 2:57:28 PM
mbam-log-2009-12-26 (14-57-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 354475
Time elapsed: 2 hour(s), 53 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1234567890.exe (Security.Hijack) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Nina\Local Settings\Application Data\onxisc\voyasysguard.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Nina\Local Settings\Temp\56ba4b18.exe (Spyware.Passwords) -> No action taken.


Any assistance would be greatly appreciated...

...Mike

#3 MikePastor
Posted 26 December 2009 - 04:31 PM

Well, I guess I should have done more research BEFORE posting here. Lesson learned!!! I discovered that I should have run Malwarebytes' Anti-Malware in Safe Mode (with Networking). Hopefully, this will be the reason the 4 identified threats could not be removed.

I'm running MBAM again (in Safe Mode).

I did not reinstall MBAM in Safe Mode... if anyone knows that this will be an issue (that I installed MBAM in normal/infected mode), please let me know.

The tutorial that I found here on BleepingComputer.com (Remove Antivirus Live (Uninstall Guide)) indicated an issue with Internet Explorer proxy settings getting changed by the Antivirus Live infection. My user proxy settings are fine, but since my child's user ID is the one that has been "hijacked/infected", I'm sure her proxy settings will need to be fixed after MBAM finishes running.

I'll post again after the SAFE MODE Malwarebytes' Anti-Malware scan finishes running (in about 3+ hours).

...Mike Pastor

#4 MikePastor
Posted 26 December 2009 - 06:49 PM

Well, the Safe Mode run of Malwarebytes' Anti-Malware finished without detecting any threats or infected files. I thought that was odd, and when I went to find the two infected registry settings and the two infected files listed in the first MBAM log, none were found.

I also thought it was unusual that I couldn't log into my daughter's (restricted user) account...is this normal in Safe Mode???

Well, I've restarted the computer in "normal" mode. I went to IE's proxy settings and removed the bogus settings and it seems to be working OK. I'm running an MBAM full scan from my daughter's (restricted user) account. So far (33 minutes into it), it has found 1 infected object.

I'll report back when this scan ends.

#5 MikePastor
Posted 26 December 2009 - 08:00 PM

The Full Scan from Malwarebytes' Anti-Malware found three infected registry keys and claims to have quarantined them. (SEE LOG BELOW and my plea for help below that)...

---------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.42
Database version: 3435
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

12/26/2009 7:49:28 PM
mbam-log-2009-12-26 (19-49-28).txt

Scan type: Full Scan (C:\|)
Objects scanned: 237940
Time elapsed: 1 hour(s), 20 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hrlnuutv (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
---------------------------------------------------------------------------------------

Based on what I've read, I strongly doubt this is gone. I'll stop trying to self-diagnose and prescribe. If any of you kind-hearted techies have a suggestion or prescription I should follow, please share it with me.

#6 MikePastor
Posted 27 December 2009 - 08:07 PM

Well, I guess I should celebrate. It's been 24 hours and all appears to be well. Running MBAM in Safe Mode, even though it didn't detect any infections, actually appears to have done the trick: the Antivirus Live fake "infected program" alerts are all gone, and the hijacked IE browser (after fixing TOOLS/INTERNET OPTIONS/CONNECTIONS/LAN SETTINGS by removing the proxy settings and re-checking "Automatically detect settings") is working fine.

I consider this done, resolved and closed. The resources available at this website really helped guide me through this.

I'll keep my fingers crossed that I won't have to come back here looking for more solutions. I'm really surprised this is actually gone...I'm keeping my fingers crossed.

...Mike... over & out (I hope)
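Added as a defender's follow-up to this thread, not code from the poster or from Malwarebytes: a read-only PowerShell audit of the three persistence spots the logs above flagged (an Image File Execution Options key, a per-user Run value started from a profile Temp folder, and the IE proxy settings Antivirus Live changed). Because HKCU is only the logged-on account's hive, it walks every loaded hive under HKEY_USERS; the `Add-Finding` helper and the temp-folder patterns are my own assumptions, and it assumes PowerShell 3 or later.

```powershell
# Added example, not part of the thread. Read-only: it reports and removes nothing.
# Run from an elevated prompt while the affected account's hive is loaded (e.g. logged on).
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Where, [string]$Detail) {
    $findings.Add([PSCustomObject]@{ Check = $Check; Where = $Where; Detail = $Detail })
}

# 1. IFEO: a Debugger value makes Windows start that program instead of the named executable.
#    This is the kind of key the first log above reported as Security.Hijack.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($sub in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding 'IFEO Debugger' $sub.PSChildName $dbg }
}

# 2. Per-hive checks. HKCU only covers the logged-on user, so enumerate every loaded
#    account hive under HKEY_USERS (SIDs of the S-1-5-21-... form, skipping *_Classes).
$userHives = Get-ChildItem -Path Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\Software" }
# Assumed heuristic: autostarts launched from per-user temp/app-data folders deserve a look,
# matching the voyasysguard.exe and 56ba4b18.exe locations in the first log.
$tempDirs = 'Local Settings\\Application Data', '\\Temp\\', 'AppData\\Local'

foreach ($base in @('HKLM:\SOFTWARE') + $userHives) {
    $run = Get-ItemProperty -Path "$base\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in ($run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $cmd = [string]$p.Value
            if ($tempDirs | Where-Object { $cmd -match $_ }) {
                Add-Finding 'Run value from temp/app-data' "$base\...\Run\$($p.Name)" $cmd
            }
        }
    }
    # 3. WinINet proxy: report any enabled proxy or PAC URL in this hive so it can be
    #    compared with what the network really uses (Antivirus Live set a bogus one).
    $inet = Get-ItemProperty -Path "$base\Microsoft\Windows\CurrentVersion\Internet Settings" -ErrorAction SilentlyContinue
    if ($inet -and ($inet.ProxyEnable -eq 1 -or $inet.AutoConfigURL)) {
        Add-Finding 'Proxy configured' $base "ProxyServer=$($inet.ProxyServer) AutoConfigURL=$($inet.AutoConfigURL)"
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No findings in the audited locations.' }
```

A hive that is not loaded (an account nobody is logged on to) is silently skipped, which is the same blind spot a scan run from the parent account has for the child's HKCU entries.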