SCAREWAREVam infected FAKE Spyware Protection


21 replies to this topic

#1 KarenR


Posted 29 December 2010 - 11:03 PM

Windows Vista

nothing works
have used another computer per bleeping instructions to download malware bytes onto portable storage
and cannot install the mbam setup or FIX EXE from portable drive- no programs work
was on Firefox and clicked website for ModX
nothing works except IE
firefox web browser does not work


fake windows security shield and "Full PC scan"
tried to start a fake scan and stopped but it was showing the fake files that are infected

I stopped the fake program scan and did not "purchase" their security program

everything I do generates a balloon about "---.exe cannot start is infected with W32 BLASTER WORM (this is fake I guess?) ..." "security warning-malicious has been detected click here to protect your computer"

also firewall warnings

cannot take a screen shot

Edited by KarenR, 29 December 2010 - 11:08 PM.




#2 KarenR


Posted 30 December 2010 - 07:57 AM

UPDATE

it is the next morning

seems the warnings have stopped

was able to start malwarebytes from the portable
it is scanning now

though I forgot the part where they say to open any program

the fake Windows security shield icon has gone

as if after enough hours this thing gives up and goes away if you do not PURCHASE?

maybe I did not get infected?

#3 KarenR


Posted 30 December 2010 - 09:37 AM

#2 UPDATE found virus

Avira just found
EXP/Java.Agent.C.2

this Avira scan is after MBAM scan found nothing

#4 KarenR


Posted 30 December 2010 - 10:53 AM

#3 UPDATE
Avira quarantined and removed EXP/Java.Agent.C.2 EXPLOIT

did ATF cleaner to clean Java cache
emptied JAVA cache from java console

am rescanning with MBAM now
and will do the Avira scan again after to see if still detects

EXP/Java.Agent.C.2 EXPLOIT
* noticed this had the word EXPLOIT after

#5 KarenR


Posted 30 December 2010 - 06:54 PM

FINAL UPDATE - CLEAN
- for anyone with similar FAKE Windows Security warnings
this Bleeping Computer page was VERY HELPFUL for this SCAREWARE stuff
pertaining to WINDOWS

http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010



"...What this infection does:

XP Security Tool 2010, XP Defender Pro, Vista Security Tool 2010, and Vista Defender Pro are all new rogues that are exactly the same program. They are just shown with different names and interfaces depending on the version of Windows that it is run on. This guide run under quite a few different names, which I have listed below based upon the version of Windows:..."



One thought - it disappeared overnight - the constant warnings and blocking of everything

So would the Moderators here recommend just leaving it for a while?

I could do nothing except IE Explorer - not even Firefox was usable

I could not even use the Malware Bytes program I downloaded to the USB portable - as instructed - using a neighbour's computer.

One thing ...I never did purchase their FAKE Security - but I considered it in desperation - so that I could use the malware program to clean it out.


My final log

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5426

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

30/12/2010 6:23:24 PM
mbam-log-2010-12-30 (18-23-24).txt

Scan type: Full scan (C:\|)
Objects scanned: 285618
Time elapsed: 1 hour(s), 7 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 KarenR


Posted 04 January 2011 - 05:59 AM

NEW UPDATE FILE INFECTED
Last night - wondering why MBAM found it only now?

Files Infected:
c:\Users\staples\AppData\Roaming\microsoft\Windows\start menu\spyware protection.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.




Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5451

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

04/01/2011 5:49:12 AM
mbam-log-2011-01-04 (05-49-12).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 285196
Time elapsed: 1 hour(s), 1 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\staples\AppData\Roaming\microsoft\Windows\start menu\spyware protection.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.


#7 quietman7


Posted 04 January 2011 - 10:26 AM

Please download SUPERAntiSpyware Free and follow these instructions for performing a scan.

  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • Be sure to update the definitions before scanning by selecting "Check for Updates".
    If you encounter any problems while downloading the updates, manually download them from here.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Click Close to exit the program.
  • Please copy and paste the Scan Log results in your next reply.
-- Some types of malware will disable security tools. If SUPERAntiSpyware will not install, please refer to these instructions for using the SUPERAntiSpyware Installer. If SUPERAntiSpyware is already installed but will not run, then follow the instructions for using RUNSAS.EXE to launch the program.

-- Alternatively, you can try downloading and using the SUPERAntiSpyware Portable Scanner or performing the SUPERAntiSpyware Online Safe Scan (both listed under Popular Links) instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

Try doing an online scan to see if it finds anything else that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.
  • This scan requires Internet Explorer to work. If using a different browser, you will be given the option to download and use the ESET Smart Installer.
  • Vista/Windows 7 users need to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 KarenR


Posted 05 January 2011 - 07:27 AM

THANK YOU for your help and - sorry about new topic



Note-
Karen did not checkmark the scanner option to:
"Terminate Memory Threats before Quarantining" in SUPERAntiSpyware


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/04/2011 at 09:34 PM

Application Version : 4.47.1000

Core Rules Database Version : 6130
Trace Rules Database Version: 3942

Scan type : Complete Scan
Total Scan Time : 00:42:47

Memory items scanned : 652
Memory threats detected : 0
Registry items scanned : 8608
Registry threats detected : 0
File items scanned : 29170
File threats detected : 1

Adware.Tracking Cookie
C:\Users\staples\AppData\Roaming\Microsoft\Windows\Cookies\staples@collective-media[1].txt


C:\HP\HPQWare\aim_icq\triton_de_de\setup.exe probably a variant of Win32/Agent.HZHBURL trojan cleaned by deleting - quarantined
C:\HP\HPQWare\aim_icq\triton_en_gb\setup.exe probably a variant of Win32/Agent.HZHBURL trojan cleaned by deleting - quarantined
C:\HP\HPQWare\aim_icq\triton_es_es\setup.exe probably a variant of Win32/Agent.HZHBURL trojan cleaned by deleting - quarantined
C:\HP\HPQWare\aim_icq\triton_fr_fr\setup.exe probably a variant of Win32/Agent.HZHBURL trojan cleaned by deleting - quarantined
C:\HP\HPQWare\aim_icq\triton_it_it\setup.exe probably a variant of Win32/Agent.HZHBURL trojan cleaned by deleting - quarantined
C:\HP\HPQWare\aim_icq\triton_nl_nl\setup.exe probably a variant of Win32/Agent.HZHBURL trojan cleaned by deleting - quarantined


Karen note-ESET
did I do correct? your instruction did not mention this?
- on FINISH page - a box for either DELETE QUARANTINED FILES or UNINSTALL
I checkmarked DELETE QUARANTINED FILES - then I clicked FINISH

#9 KarenR


Posted 05 January 2011 - 08:36 PM

it has happened again - simply searching web for paint samples
- got an "INFECTION WARNING" - all over the place - what is going on??????

I need to do another scan

I need to show you a screen shot of alerts not sure if FAKE
- how do I do - have no Url for images

#10 KarenR


Posted 06 January 2011 - 08:28 AM

ESET was no issues at this morning scan

last night SAS ...I deleted the items from the quar this morning

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/05/2011 at 09:21 PM

Application Version : 4.47.1000

Core Rules Database Version : 6139
Trace Rules Database Version: 3951

Scan type : Complete Scan
Total Scan Time : 00:41:33

Memory items scanned : 636
Memory threats detected : 0
Registry items scanned : 8615
Registry threats detected : 0
File items scanned : 29214
File threats detected : 3

Adware.Tracking Cookie
C:\Users\staples\AppData\Roaming\Microsoft\Windows\Cookies\Low\staples@ehg-eset.hitbox[1].txt
C:\Users\staples\AppData\Roaming\Microsoft\Windows\Cookies\Low\staples@hitbox[1].txt
C:\Users\staples\AppData\Roaming\Microsoft\Windows\Cookies\Low\staples@eset.122.2o7[1].txt

#11 quietman7


Posted 06 January 2011 - 07:24 PM

Please download and scan with the Kaspersky Virus Removal Tool from one of the links provided below and save it to your desktop.
Link 1
Link 2
Be sure to print out and read the instructions provided in:
How to Install Kaspersky Virus Removal Tool
How to use the Kaspersky Virus Removal Tool to automatically remove viruses
  • Double-click the setup file (i.e. setup_9.0.0.722_22.01.2010_10-04.exe) to select your language and install the utility.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
  • When the 'Setup page' appears, click Next, check the box 'I accept the license agreement' and click Next twice more to begin extracting the required files.
  • Setup may recommend to scan the computer in Safe Mode. Click Ok.
  • A window will open with a tab that says Autoscan and one for Manual disinfection.
  • Click the green Start scan button on the Autoscan tab in the main window.
  • If malware is detected, you will see the Scan Alert screen. Place a checkmark in the Apply to all box, and click Disinfect if the button is active.
  • After the scan finishes, if any threats are left unneutralized in the Scan window (Red exclamation point), click the Neutralize all button.
  • Place a checkmark in the Apply to all box, and click Disinfect if the button is active.
  • If advised that a special disinfection procedure is required which demands system reboot, click the Ok button to close the window.
  • In the Scan window click the Reports button, choose Critical events and select Save to save the results to a file (name it avptool.txt).
  • Copy and paste the report results of any threats detected and if they were successfully removed in your next reply. Do not include the longer list marked Events.
  • When finished, follow these instructions on How to uninstall Kaspersky Virus Removal Tool 2010.
-- If you cannot run this tool in normal mode, then try using it in "safe mode".

#12 KarenR


Posted 06 January 2011 - 07:38 PM

THANK YOU
will do

#13 quietman7


Posted 06 January 2011 - 07:57 PM

Ok.

#14 KarenR


Posted 07 January 2011 - 06:31 PM

I could not stay for the duration
there was no Alert screen with any exclamation marks - when I returned - and scan was finished

I had "prompt For Action" selected

not the auto disinfect

curious what the "events: 2" means?

KASPERSKY
Autoscan: completed 8 hours ago (events: 2, objects: 580763, time: 03:25:39)
07/01/2011 10:22:31 AM Task completed
07/01/2011 6:56:52 AM Task started

Edited by KarenR, 07 January 2011 - 06:33 PM.


#15 quietman7


Posted 08 January 2011 - 12:03 AM

Events can be attributed to the following types:
1. Critical events. Events of a critical importance which indicate problems in Kaspersky Internet Security operation, or vulnerabilities in the protection on your computer. They include, for instance, detection of a malware or an operation failure. If malware is detected, it will show in the log.

2. Important events. Events that should always be attended to since they reflect important situations in the application's operation, for example, the terminated event.

How is your computer running now? Are there any more signs of infection, strange audio ads, unwanted pop-ups, security alerts, or browser redirects?

Edited by quietman7, 08 January 2011 - 12:05 AM.
