
What is causing Internet Security 2010 to keep coming back?



#1 golfdude

Posted 25 January 2010 - 08:46 AM

A friend's computer got IS 2010 and, between the lack of personal info to save and the OS (XP) being on SP2, I did a reformat and clean install with her recovery disc. I then downloaded and installed all of the updates for XP, Adobe, Java, and installed AVG Free 9.0, Malwarebytes, SAS, ATF. I ran scans with MBAM and SAS (in safe mode) and everything was clean. I returned the laptop to her and cautioned her and her daughter to avoid unknown websites and to make sure they were not involved with any P2P stuff.

The owner told me she had decided that the laptop was a "virus magnet" because she had reformatted and used the recovery disc several times to fix the computer. I figured she didn't completely wipe everything clean when she did her reinstalls and that, since I had done so, all was good.

Apparently this isn't the case. Either that, or someone keeps going to unsafe websites. I showed both of them what to do if any pop-ups came up while they were browsing (open Task Mgr. and shut down the browser- DO NOT CLICK THE 'X' Button!!!!).

She called me last night crying and said she had Internet Security 2010 again. She said she was working on her taxes and the next thing she knows she had it. I haven't had a chance to look the laptop over yet- she is dropping it off this morning. However, I am not sure why this is happening.

Particulars:
Compaq Presario 6000V
Windows XP SP3
AVG Free 9.0, MBAM, SAS
Comcast ISP
Arris Cable Modem
Netgear wireless router (WEP key- I know, change this)

Is it possible that since she got this rogue antivirus it is coming back because of a compromise in her IP address?

I am clueless and need some help!

Thanks,
Golfdude

America is all about speed. Hot, nasty, badass speed. -Eleanor Roosevelt, 1936
Intel i7-3820, 32 GB DDR3-1600, Intel 330 SSD Boot Drive, WD 3TB Data Drive, Radeon HD7770 GHz Edition, Windows 10 Professional 64 Bit

#2 quietman7

Posted 25 January 2010 - 09:45 AM

How Malware Spreads - How did I get infected
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 golfdude

Posted 25 January 2010 - 10:55 AM

Thanks for responding, Quietman7 :thumbsup:

I actually printed the information you gave me the link to and gave it to the girl when I gave her computer back to her last week. I hope that was okay? She "claims" she didn't do anything wrong. However, she is a blonde :flowers: ......

I just transferred rkill and it took 3 attempts to finally shut down IS 2010. Ran MBAM (log attached at bottom for S&G's), restarted, updated MBAM, ran another scan (log attached), found another bug, shut down and restarted, updated MBAM, and ran another scan (log attached). All of the scans were "Quick Scans". Should I run a Full Scan?

In your opinion, would another program (Avira, Avast) do a better job than AVG?

Logs:

Malwarebytes' Anti-Malware 1.44
Database version: 3611
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/25/2010 10:28:14 AM
mbam-log-2010-01-25 (10-28-14).txt

Scan type: Quick Scan
Objects scanned: 116868
Time elapsed: 5 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 9
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\IS2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet security 2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\InternetSecurity2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\InternetSecurity2010\IS2010.exe (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly D\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly D\Start Menu\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.44
Database version: 3635
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/25/2010 10:39:49 AM
mbam-log-2010-01-25 (10-39-49).txt

Scan type: Quick Scan
Objects scanned: 117480
Time elapsed: 4 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Kelly D\Local Settings\Temp\wvDF.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.44
Database version: 3635
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/25/2010 10:48:49 AM
mbam-log-2010-01-25 (10-48-49).txt

Scan type: Quick Scan
Objects scanned: 117366
Time elapsed: 5 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



#4 quietman7

Posted 25 January 2010 - 11:07 AM

She "claims" she didn't do anything wrong

Doesn't take much. Some of those pop up ads and malicious code on social sites can hit without warning. Find out what sites she is going to.

All of the scans were "Quick Scans". Should I run a Full Scan?

Malwarebytes Anti-Malware is designed to remove malware as effectively with a Quick Scan as it will with a Full Scan, which takes much longer to complete. Both scans use heuristics that bypass polymorphic blackhat packers & encryption, MD5, check memory (loaded .exes and .dlls), unique strings, autostart load points and hotspots (everywhere current malware is known to load from) and multiple other malware checks which are not discussed in public to safeguard the program from malware writers. The Quick Scan looks at the most prevalent places for active malware, so scanning every single file on the drive isn't always necessary. The Full Scan only has the ability to catch more traces in rare circumstances, but it can be used to scan every drive (including removable) on the system.

As such, I always recommend doing a Full Scan after doing the Quick Scan.

In your opinion, would another program (Avira, Avast) do a better job than AVG?

My personal choice is NOD32 Anti-Virus if choosing a paid for program or avast! Free Antivirus if choosing a free one.
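The autostart load points mentioned above are exactly where the first MBAM log in this thread shows the rogue hooking in: the Winlogon Userinit value was pointed at winlogon32.exe instead of userinit.exe, and three ActiveDesktop/Explorer policies were flipped to 1 to lock the hijacked wallpaper. The following is an added example, not code from the thread or from Malwarebytes: a small audit of those two load points, with sample values constructed from the log entries and the XP system directory from the log assumed as the only legitimate location.

```python
"""Audit the Winlogon Userinit value and the wallpaper-lock policies that the
first MBAM log in this thread shows Internet Security 2010 tampering with.
Added example, not Malwarebytes' or the thread's code; sample values are
constructed from the log entries."""
import ntpath

EXPECTED_USERINIT = "userinit.exe"      # the only legitimate logon helper
SYSTEM_DIR = r"C:\WINDOWS\system32"     # assumed XP system directory, as in the log

# Policies the log shows flipped to 1 (Bad); 0 (Good) is the Windows default.
WALLPAPER_LOCK_POLICIES = (
    r"Policies\ActiveDesktop\NoChangingWallpaper",
    r"Policies\Explorer\NoActiveDesktopChanges",
    r"Policies\Explorer\NoSetActiveDesktop",
)


def parse_userinit(value):
    """Split the comma-separated Userinit REG_SZ into program entries.
    The default value ends with a trailing comma, which yields no entry."""
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries if e]


def audit_userinit(value):
    """Return every entry that is not userinit.exe in the system directory.
    A relative path such as system32\\winlogon32.exe is flagged like an absolute one."""
    findings = []
    for entry in parse_userinit(value):
        directory, base = ntpath.split(entry)
        if base.lower() != EXPECTED_USERINIT:
            findings.append(entry)      # foreign program hooked into logon
        elif directory and directory.lower() != SYSTEM_DIR.lower():
            findings.append(entry)      # right name, wrong location
    return findings


def audit_policies(policy_values):
    """policy_values maps policy path -> DWORD; return the ones locking the desktop."""
    return [p for p in WALLPAPER_LOCK_POLICIES if policy_values.get(p, 0) != 0]


def read_live_userinit():
    """Read the real value; only works on Windows, where winreg exists."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    return winreg.QueryValueEx(key, "Userinit")[0]


if __name__ == "__main__":
    # Constructed from the log: the Bad value first, then the Good one.
    print(audit_userinit(r"C:\WINDOWS\system32\winlogon32.exe"))
    print(audit_userinit(r"C:\WINDOWS\system32\userinit.exe,"))
```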

#5 golfdude

Posted 25 January 2010 - 11:20 AM

Quietman7,

Thanks again for the quick response. She said she was on TurboTax using the free tax software when the IS 2010 got her again. She uses Mozilla FireFox as her browser (which I am not really familiar with)- are there some settings I can change that will give her more protection?

I am going to install Avast and remove AVG and see if that helps. I have better things to do than to keep cleaning her computer over and over....

Thanks again, and keep up the good work!

Tom



#6 garmanma

Posted 25 January 2010 - 11:46 AM

Did she burn some data to a CD to save it and put it back on the reformatted computer?
The CD could be infected
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#7 quietman7

Posted 25 January 2010 - 11:52 AM

Is she using the most current version of Firefox (v3.6)? If not, it needs to be updated as newer versions include patches for vulnerabilities.

FireFox Options and Settings
Options window - Security panel
Pop-up Blocker Options
How to Set Security Options in the Firefox Browser <- for older versions

The CD could be infected

That is always a possibility depending on what type of files are there and where they were downloaded from.

When backing up data due to malware infection, you can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml ) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise itself by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge) so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.
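One way to apply those backup rules before burning the disc, as an added example that is not code from the post: it excludes the listed file types, catches a hidden double extension such as resume.doc.exe, and opens .zip archives (the only one of the three types the Python standard library reads; .cab and .rar are only flagged for a scan) to look for executables inside. Every file name and byte string in it is constructed for the demonstration.

```python
"""Screen files against the backup rules in the post above. Added example,
not code from the thread; all names and contents below are constructed."""
import io
import zipfile
from pathlib import PureWindowsPath
RISKY = {".exe", ".scr", ".ini", ".php", ".asp", ".htm", ".html", ".xml"}  # never back up
ARCHIVES = {".zip", ".cab", ".rar"}   # only safe once their contents are known
EXECUTABLE = {".exe", ".scr"}

def classify_name(name):
    """Return why a name should be left out of the backup, or None if it looks safe."""
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    last = suffixes[-1] if suffixes else ""
    if last in RISKY:
        # "photo.jpg.exe" is shown as "photo.jpg" when Windows hides known extensions
        if len(suffixes) > 1:
            return "hidden double extension " + "".join(suffixes)
        return "risky type " + last
    return "archive" if last in ARCHIVES else None

def executables_in_zip(data):
    """List the executable members of a zip held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if PureWindowsPath(n).suffix.lower() in EXECUTABLE]

def screen_backup(files):
    """files maps name -> bytes; returns name -> reason for each file to exclude."""
    excluded = {}
    for name, data in files.items():
        reason = classify_name(name)
        if reason == "archive":
            if name.lower().endswith(".zip"):
                inner = executables_in_zip(data)
                reason = "zip contains " + ", ".join(inner) if inner else None
            else:
                reason = "archive not inspected here, scan it before restoring"
        if reason:
            excluded[name] = reason
    return excluded

def build_zip(members):
    """Constructed fixture: an in-memory zip with the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()

SAMPLE_FILES = {  # constructed, not from the thread
    "taxes2009.pdf": b"%PDF-1.4",
    "resume.doc.exe": b"MZ",
    "photos.zip": build_zip({"a.jpg": b"\xff\xd8"}),
    "setup.zip": build_zip({"readme.txt": b"hi", "installer.exe": b"MZ"}),
}
```

Run `screen_backup(SAMPLE_FILES)` to see only resume.doc.exe and setup.zip excluded; a .cab or .rar comes back with a reminder to scan it rather than a verdict.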

#8 golfdude

Posted 25 January 2010 - 12:19 PM

Thanks Garmanma and Quietman7

Did she burn some data to a CD to save it and put it back on the reformatted computer?
The CD could be infected


The disc I used to reinstall the OS was a factory disc from HP. However, I will check with her and make sure she isn't trying to reload docs and such from a disc she created. She hasn't mentioned doing this, but I haven't asked her.

She is running Firefox version 3.6, and as far as I can tell- all of the important settings are correct.

I am flushing restore points and creating a new restore point.

I am chalking this up to operator error, and will give her and her daughter another lecture on safe surfing.

Thanks to both of you again for making BC the best help website.

Consider the thread closed.

Tom



#9 quietman7

Posted 25 January 2010 - 12:23 PM

You're welcome on behalf of the Bleeping Computer community.