What is causing Internet Security 2010 to keep coming back?

A friends computer got IS 2010 and between the lack of personal info to save and the OS (XP) was on SP2, I did a reformat and clean install with her recovery disc. I then downloaded and installed all of the updates for XP, Adobe, Java, and installed AVG Free 9.0, Malwarebytes, SAS, ATF. I ran scans with MBAM and SAS (in safe) mode and everything was clean. I returned the laptop to her and cautioned her and her daughter to avoid unknown websites and to make sure they were not involved with any P2P stuff.

The owner told me she had decided that the laptop was a "virus magnet" because she had reformatted and used the recovery disc several times to fix the computer. I figured she didn't completely wipe everything clean when she did her reinstalls and that since I had done so- all was good.

Apparently this isn't the case. Either that, or someone keeps going to unsafe websites. I showed both of them what to do if any pop-ups came up while they were browsing (open Task Mgr. and shut down the browser- DO NOT CLICK THE 'X' Button!!!!).

She called me last night crying and said she had Internet Security 2010 again. She said she was working on her taxes and the next thing she knows she had it. I haven't had a chance to look the laptop over yet- she is dropping it off this morning. However, I am not sure why this is happening.

Particulars:
Compaq Presario 6000V
Windows XP SP3
AVG Free 9.0, MBAM, SAS
Comcast ISP
Arris Cable Modem
Netgear wireless router (WEP key- I know, change this)

Is it possible that since she got this rogue antivirus it is coming back because of a compromise in her IP address?

I am clueless and need some help!

Thanks,

How Malware Spreads - How did I get infected

Thanks for responding Quietman7 ,

I actually printed the information you gave me the link to and gave it to the girl when I gave her computer back to her last week. I hope that was okay? She "claims" she didn't do anything wrong. However, she is a blonde ......

I just transferred rkill and it took 3 attempts to finally shut down IS 2010. Ran MBAM (log attached at bottom for S&G's), restarted, updated MBAM, ran another scan (log attached), found another bug, shut down and restarted, updated MBAM, and ran another scan (log attached). All of the scans were "Quick Scans". Should I run a Full Scan?

In your opinion, would another program (Avira, Avast) do a better job than AVG?

Logs:

Malwarebytes' Anti-Malware 1.44

Database version: 3611

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702



1/25/2010 10:28:14 AM

mbam-log-2010-01-25 (10-28-14).txt



Scan type: Quick Scan

Objects scanned: 116868

Time elapsed: 5 minute(s), 3 second(s)



Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 3

Registry Data Items Infected: 9

Folders Infected: 1

Files Infected: 7



Memory Processes Infected:

(No malicious items detected)



Memory Modules Infected:

C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Delete on reboot.



Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\IS2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.



Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet security 2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.



Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon32.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.



Folders Infected:

C:\Program Files\InternetSecurity2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.



Files Infected:

C:\Program Files\InternetSecurity2010\IS2010.exe (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Delete on reboot.

C:\WINDOWS\system32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kelly D\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kelly D\Start Menu\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.



Malwarebytes' Anti-Malware 1.44

Database version: 3635

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702



1/25/2010 10:39:49 AM

mbam-log-2010-01-25 (10-39-49).txt



Scan type: Quick Scan

Objects scanned: 117480

Time elapsed: 4 minute(s), 53 second(s)



Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1



Memory Processes Infected:

(No malicious items detected)



Memory Modules Infected:

(No malicious items detected)



Registry Keys Infected:

(No malicious items detected)



Registry Values Infected:

(No malicious items detected)



Registry Data Items Infected:

(No malicious items detected)



Folders Infected:

(No malicious items detected)



Files Infected:

C:\Documents and Settings\Kelly D\Local Settings\Temp\wvDF.exe (Trojan.Downloader) -> Quarantined and deleted successfully.



Malwarebytes' Anti-Malware 1.44

Database version: 3635

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702



1/25/2010 10:48:49 AM

mbam-log-2010-01-25 (10-48-49).txt



Scan type: Quick Scan

Objects scanned: 117366

Time elapsed: 5 minute(s), 11 second(s)



Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0



Memory Processes Infected:

(No malicious items detected)



Memory Modules Infected:

(No malicious items detected)



Registry Keys Infected:

(No malicious items detected)



Registry Values Infected:

(No malicious items detected)



Registry Data Items Infected:

(No malicious items detected)



Folders Infected:

(No malicious items detected)



Files Infected:

(No malicious items detected)

She "claims" she didn't do anything wrong

Doesn't take much. Some of those pop up ads and malicious code on social sites can hit without warning. Find out what sites she is going to.

All of the scans were "Quick Scans". Should I run a Full Scan?

Malwarebytes Anti-Malware is designed to remove malware as effectively with a Quick Scan as it will with a Full Scan which takes much longer to complete. Both scans use heuristics that bypasses polymorphic blackhat packers & encryption, MD5, check memory (loaded .exes and .dlls), unique strings, autostart load points and hotspots (everywhere current malware is known to load from) and multiple other malware checks which are not discussed in public to safeguard the program from malware writers. The Quick Scan looks at the most prevalent places for active malware so scanning every single file on the drive isn't always necessary. The Full Scan only has the ability to catch more traces in rare circumstances but it can be used to scan every drive (including removable) on the system.

As, such I always recommend doing a Full Scan after doing the Quick Scan.

In your opinion, would another program (Avira, Avast) do a better job than AVG?

My personal choice is NOD32 Anti-Virus if choosing a paid for program or avast! Free Antivirus if choosing a free one.

Quietman7,

Thanks again for the quick response. She said she was on TurboTax using the free tax software when the IS 2010 got her again. She uses Mozilla FireFox as her browser (which I am not really familar with)- is there some settings I can change that will give her more protection?

I am going to install Avast and remove AVG and see if that helps. I have better things to do than to keep cleaning her computer over and over....

Thanks again, and keep up the good work!

Tom

Did she burn some data to a CD to save it and put it back on the reformatted computer?
The CD could be infected

Is she using the most current version of Firefox (v3.6)? If not, it needs to be updated as newer versions include patches for vulnerabilities.

FireFox Options and Settings
Options window - Security panel
Pop-up Blocker Options
How to Set Security Options in the Firefox Browser <- for older versions

The CD could be infected

That is always a possibility depending on what type of files are there and where they were downloaded from.

When backing up data due to malware infection, , you can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml ) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise itself by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge) so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to to copying it back to your hard drive.

Thanks Garmanma and Quietman7

Did she burn some data to a CD to save it and put it back on the reformatted computer?
The CD could be infected

The disc I used to reinstall the OS was a factory disc from HP. However, I will check with her and make sure she isn't trying to reload doc's and such from a disc she created. She hasn't mentioned doing this, but I haven't asked her.

She is running Firefox version 3.6, and as far as I can tell- all of the important settings are correct.

I am flushing restore points and creating a new restore point.

I am chalking this up to operator error, and will give her and her daughter another lecture on safe surfing.

Thanks to both of you again for making BC the best help website.

Consider the thread closed.

Tom

You're welcome on behalf of the Bleeping Computer community.