Fake Microsoft Security Essentials virus has attacked me


7 replies to this topic

#1 lgish
  • Members

Posted 17 February 2011 - 07:19 AM

Hello. Long time reader, first time poster.

Yesterday one of my co-workers had a fake Microsoft Security Essentials pop-up that said she had been infected by a Win32 trojan. Unfortunately, she clicked as instructed and was taken to the internet, however, she DID NOT download anything else.

Last night I worked for about 4 hours on it. I did an extensive set of internet searches and tried quite a few things that were recommended, including the recommendation from this site. Here is a summary of all I tried. After starting in safe mode, I was able to use rkill to stop it from running so I could run Malwarebytes, but it DID NOT find anything. I then ran SUPERAntiSpyware, which did find about 100 files (mostly advertising cookies, but it also found some trojan files). I quarantined those, rebooted, and the MSE fake popup came back.

I have looked in the file structure and the registry for the suggested files (antispy, hotfix, etc.), but haven't found anything.

I also tried to run Spyware Doctor, but it wants to update and can't get online to do that, so it shuts down.

I tried to do a system restore, but it would not let me do it in Safe Mode and I can't use rkill in normal mode, so I'm sure this trojan won't let me run system restore in normal mode.

I also ran HijackThis to look for the couple of O4 entries I read about in a post somewhere, but they were not part of the scan report.

I'm looking for other suggestions to fix this without having to backup everything and do a complete restore.

Thank you in advance for any suggestions you have.

#2 boopme
  • Global Moderator

Posted 17 February 2011 - 12:50 PM

Hello, could we see the trojan portion of the SAS scan?
"SUPERAntiSpyware, which did find about 100 files (mostly advertising cookies, but it also found some trojan files)."



Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 lgish
  • Topic Starter
  • Members

Posted 17 February 2011 - 08:04 PM

Thank you for the help.

TDSSKiller did not find anything.

I cannot get connected to the Internet, even in Safe Mode, so I cannot update MalwareBytes as suggested. I ran it without updating and didn't find anything.

I re-ran SuperAntiSpyware and here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/17/2011 at 06:59 PM

Application Version : 4.47.1000

Core Rules Database Version : 6003
Trace Rules Database Version: 3815

Scan type : Quick Scan
Total Scan Time : 00:09:00

Memory items scanned : 300
Memory threats detected : 0
Registry items scanned : 2188
Registry threats detected : 1
File items scanned : 5734
File threats detected : 7

Adware.Tracking Cookie
C:\Documents and Settings\Executive Director\Cookies\executive_director@serving-sys[1].txt

Malware.Trace
HKU\S-1-5-21-654486303-728759079-2543550002-1005\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL

Trojan.Agent/Gen-IEFake
C:\DOCUMENTS AND SETTINGS\EXECUTIVE DIRECTOR\LOCAL SETTINGS\TEMP\RARSFX3\H\IEXPLORE.EXE
C:\DOCUMENTS AND SETTINGS\EXECUTIVE DIRECTOR\LOCAL SETTINGS\TEMP\RARSFX4\H\IEXPLORE.EXE
C:\DOCUMENTS AND SETTINGS\EXECUTIVE DIRECTOR\LOCAL SETTINGS\TEMP\RARSFX4\PROCS\IEXPLORE.EXE

Trojan.Agent/Gen-PEC
C:\DOCUMENTS AND SETTINGS\EXECUTIVE DIRECTOR\LOCAL SETTINGS\TEMP\RARSFX3\PROCS\EXPLORER.EXE
C:\DOCUMENTS AND SETTINGS\EXECUTIVE DIRECTOR\LOCAL SETTINGS\TEMP\RARSFX4\PROCS\EXPLORER.EXE

Trojan.Agent/Gen-IExplorer[Fake]
C:\DOCUMENTS AND SETTINGS\EXECUTIVE DIRECTOR\LOCAL SETTINGS\TEMP\RARSFX4\NIRD\IEXPLORE.EXE


Would appreciate additional suggestions now.

Thank you, again.

#4 boopme
  • Global Moderator

Posted 17 February 2011 - 08:14 PM

For the connection, try this: open Control Panel, Internet Options, Connections tab, LAN settings, and uncheck the box next to "use proxy....".
OR
Go to Start ... Run and type in cmd
A DOS window will appear.
Type in the DOS window: netsh winsock reset
Press the Enter key.

Reboot your system to complete the process.
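Added example (PowerShell, not part of boopme's post or the thread): the same two fixes scripted, recording and then clearing the per-user WinInet proxy values that the "use proxy" checkbox controls, then resetting Winsock. It assumes the standard WinInet registry path and an elevated prompt run as the affected user.

```powershell
# Added example (not from the thread): scripted version of the two fixes above.
# Assumes the standard WinInet per-user registry path and an elevated prompt run as
# the affected user (HKCU is that user's hive; in Safe Mode as another account it is not).
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie  = Get-ItemProperty -Path $key

# Record what is there before touching it; a proxy the user never set is an indicator
# worth keeping (rogue AV uses it to cut real security tools off from their updates).
"ProxyEnable   : $($ie.ProxyEnable)"
"ProxyServer   : $($ie.ProxyServer)"
"AutoConfigURL : $($ie.AutoConfigURL)"

if ($ie.ProxyEnable -eq 1 -or $ie.AutoConfigURL) {
    # Equivalent of unchecking "Use a proxy server" / "Use automatic configuration script".
    Set-ItemProperty    -Path $key -Name ProxyEnable   -Value 0
    Remove-ItemProperty -Path $key -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue
    'Proxy settings cleared.'
} else {
    'No proxy configured for this user.'
}

# The OR branch in the post: rebuild the Winsock catalog, then reboot.
netsh winsock reset
```

If the machine is domain-joined, a proxy may be set legitimately by policy, so compare the recorded value with what the network actually uses before clearing it.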

#5 lgish
  • Topic Starter
  • Members

Posted 17 February 2011 - 10:08 PM

Glad to report that I re-ran SAS and was then able to update and run MalwareBytes, which found 13 items that are now taken care of. I'm re-running them both again, but it looks like the problem is now taken care of. Thanks again!!

#6 boopme
  • Global Moderator

Posted 17 February 2011 - 10:37 PM

If all's good after that, you should now Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

#7 WibbleNZ
  • Members

Posted 21 February 2011 - 02:45 AM

Thought I'd add my two cents worth as I have just removed this pest from a system. I had the problem of being unable to run either mbam setup (MalwareBytes) or even use the 'rkill' program suggested elsewhere here to try to prevent the fake alert popup and subsequent prevention of any tool or method to kill it. Task manager wouldn't start either so no hope of killing a process normally (well without a lot of work anyway).

Here's what I did - it might help someone.

Firstly, start in Safe Mode of course, then use {Win} + F (Search) and use the advanced search method to find all *.exe files created/modified in the date range when the infection occurred - if you don't know exactly, use a larger range! I found a .exe file created on the date the infection began in the AppData/Roaming folder (Vista).

I renamed it by adding .bak to the end of the file then restarted in Safe Mode. This time the fake warning didn't appear and I could install/update/full scan using MBAM and cleared the registry entries and the renamed malware exe file.

As this nasty one seems to now create random-named exe files, the previous method of searching for 'hitbox' 'defender' doesn't work and searching for a recently created file is the only way to find and then kill it!

Good luck to all who encounter this one.
Wibble
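Added example (PowerShell, not part of WibbleNZ's post or the thread): the date-window search scripted. It lists every .exe under the profile created or modified inside the window, flags iexplore.exe/explorer.exe copies sitting outside their system folders (the pattern in the scan log in post #3), and then checks the per-user Winlogon Shell value that the same log flagged. The window, the profile path and the expected Shell value are assumptions; the script only lists, so the rename or quarantine step stays manual.

```powershell
# Added example (not from the thread): triage for the approach WibbleNZ describes.
# Assumptions: a 3-day window, the current user's profile, and "explorer.exe" as the
# only legitimate per-user Winlogon Shell value.
param(
    [datetime]$Start   = (Get-Date).AddDays(-3),   # assumed window start
    [datetime]$End     = Get-Date,
    [string]  $Profile = $env:USERPROFILE          # AppData, Local Settings\Temp, Desktop ...
)

# 1. Executables created or modified inside the window. -Force includes hidden files,
#    which droppers commonly mark themselves as.
$hits = Get-ChildItem -Path $Profile -Recurse -Force -Include *.exe -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.CreationTime  -ge $Start -and $_.CreationTime  -le $End) -or
        ($_.LastWriteTime -ge $Start -and $_.LastWriteTime -le $End)
    }

foreach ($f in $hits) {
    # iexplore.exe / explorer.exe anywhere but Windows or Program Files is a masquerade,
    # which is exactly where the Temp\RARSFX*\ hits in the SAS log lived.
    $flag = if ($f.Name -match '^(iexplore|explorer)\.exe$' -and
                $f.DirectoryName -notmatch '^[A-Za-z]:\\(Windows|Program Files)') {
                ' <-- masquerade'
            } else { '' }
    '{0}  {1,10}  {2}{3}' -f $f.CreationTime, $f.Length, $f.FullName, $flag
}

# 2. Per-user Winlogon Shell. Normally absent (the machine-wide value is explorer.exe);
#    rogue AV sets it so its own executable starts at every logon, which is what
#    Malware.Trace ...\WINLOGON#SHELL in the log pointed at.
$shell = (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' `
          -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    "Per-user Winlogon Shell is overridden: $shell"
}
```

Run it from Safe Mode as the affected user, since HKCU and $env:USERPROFILE belong to whoever is logged in.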

#8 lunch
  • Members

Posted 14 May 2011 - 05:18 PM

After much searching and my own work on the two trojans that kept popping up, Iexplore [Fake] and Gen-PEC, the above advice about finding the files when it happened worked wonders. I searched for the files in Safe Mode on the time in question, located some suspicious files, looked up each on the internet and found that some could go either way but deleted them anyway, and emptied the recycle bin as well. I even went as far as to look at where the infected iexplore.exe and explorer.exe files kept popping up and deleted those directories plus a few others that had files that were created or accessed approximately at the time of the restarts when the files would come back. After I did this I ran Rkill and there was nothing. Then I ran Superantispyware and nothing. I rebooted to normal and no more problems with any of them. Rechecked with more reboots and checking the file locations and they were gone.

This worked. Spent 8 hours on this over two days, and doing that search in the timeframe of the problem I found and got rid of the cause of the return of the iexplore.exe and explorer.exe.

This needs to be looked into and tried for the other forums on here that I read with the same problem. The fix can be hard with trying to locate the right files; some were look-alikes of the Combofix. Deleted those as well as they were listed at times before I installed Combofix. I deleted from the search where they were dated at the time of the virus problem beginning. I believe it also had to do with a Java applet running on a webpage in order to load in the virus.



