FakeSecSen? Spy Sheriff? ISP flagged a virus.


1 reply to this topic

#1 lil.sput

  • Members
  • 2 posts

Posted 16 August 2015 - 04:39 PM

Our family received a very similar message to the one described by idunnolol in his June 20, 2015 post, "ISP flagged virus." Last week, we received a message from our ISP stating that one of the devices behind our modem appeared to have connected to a command and control server affiliated with "FakeSecSen or SpySheriff virus". Per ISP's advice, we ran Norton Power Eraser and Microsoft Safety Scanner, but nothing was detected. In general, our internet has been running very slow on the desktop we believe has been infected (as opposed to our other devices, which are running fine). The desktop will repeatedly disconnect from the server. When we run Google Chrome on the desktop, a security message pops up stating that a large amount of suspicious outbound traffic has been detected.

 

We ran the first steps of the fix suggested by Inadequate Infirmity with the following modifications (logs are included below).

 

1.  Run Wipe

2.  We did NOT run System Ninja because Norton seemed quite insistent that it was not safe.  Please advise if we should override and try again.

3.  Run CCleaner.  There was no option to either enable or disable our Antivirus from Startup.

4.  Run eScanAV.  There was no option to Scan Spyware, but we scanned and cleaned otherwise (log included)

5.  We did NOT run Zemana because the link didn't work.

6.  Run Junkware Removal Tool (log included)

7.  Run AdwCleaner (log included)

 

Any help or suggestions that anyone could offer would be immensely appreciated.

 

k

 

eScanAV

 

13 Aug 2015 22:43:09 [0618] - **********************************************************

13 Aug 2015 22:43:09 [0618] - MWAV - eScanAV AntiVirus Toolkit.

13 Aug 2015 22:43:09 [0618] - Copyright © MicroWorld Technologies

13 Aug 2015 22:43:09 [0618] - **********************************************************

13 Aug 2015 22:43:09 [0618] - Version 14.0.203 (C:\USERS\THE THIRD\APPDATA\LOCAL\TEMP\MEXETMP.EX~)

13 Aug 2015 22:43:09 [0618] - Log File: C:\Users\The Third\AppData\Local\Temp\LOG\MWAV.LOG

13 Aug 2015 22:43:09 [0618] - MWAV Registered: TRUE

13 Aug 2015 22:43:09 [0618] - User Account: The Third (Administrator Mode)

13 Aug 2015 22:43:09 [0618] - OS Type: Windows Workstation [InstallType: Client]

13 Aug 2015 22:43:09 [0618] - OS: Windows 8.1 64-Bit [OS Install Date: 22 Aug 2014 17:21:16]

13 Aug 2015 22:43:09 [0618] - Ver: Personal Build 9200

13 Aug 2015 22:43:09 [0618] - System Up Time: 22 Minutes, 11 Seconds

 

13 Aug 2015 22:43:09 [0618] - Windows Root  Folder: C:\WINDOWS

13 Aug 2015 22:43:09 [0618] - Windows Sys32 Folder: C:\WINDOWS\system32

13 Aug 2015 22:43:09 [0618] - DHCP NameServer: 68.105.28.11 68.105.29.11 68.105.28.12

13 Aug 2015 22:43:09 [0618] - Interface0 DHCPNameServer: 192.173.2.1

13 Aug 2015 22:43:09 [0618] - Interface1 DHCPNameServer: 68.105.28.11 68.105.29.11 68.105.28.12

13 Aug 2015 22:43:09 [0618] - Local Fixed Drives: c:\,d:\

13 Aug 2015 22:43:09 [0618] - MWAV Mode(A): Scan and Clean files

13 Aug 2015 22:43:09 [0618] - [CREATED ZIP FILE: C:\Users\The Third\AppData\Local\Temp\pinfect.zip]

13 Aug 2015 22:43:09 [0618] - Command Line Options Given: /xsign

13 Aug 2015 22:43:11 [0618] - Latest Date of files inside MWAV: Fri Aug 14 05:34:31 2015.

13 Aug 2015 22:43:11 [0618] - WARNING!!! INVALID SYSTEM DATE 13-08-2015 !!!

13 Aug 2015 22:43:11 [0618] - Loading/Creating FileScan Cache Database C:\ProgramData\MicroWorld\MWAV\ESCANDBY.MDB [Log: C:\Users\The Third\AppData\Local\Temp\LOG\ESCANDB.LOG]

13 Aug 2015 22:43:11 [0618] - Loaded/Created FileScan Cache Database...

13 Aug 2015 22:43:11 [0618] - Loading AV Library [DB]...

13 Aug 2015 22:43:20 [0618] - ArchiveScan: DISABLED

13 Aug 2015 22:43:20 [0618] - AV Library Loaded - MultiThreaded - 8 : [DB-DIRECT].

13 Aug 2015 22:43:20 [0618] - MWAV doing self scanning...

13 Aug 2015 22:43:20 [0618] - MWAV files are clean.

13 Aug 2015 22:43:25 [0618] - ArchiveScan: DISABLED

13 Aug 2015 22:43:25 [0618] - Virus Database Date: 13 Aug 2015

13 Aug 2015 22:43:25 [0618] - Virus Database Count: 5879877

13 Aug 2015 22:43:25 [0618] - Sign Version: 7.62022 [520774]

 

13 Aug 2015 22:44:43 [0618] - **********************************************************

13 Aug 2015 22:44:43 [0618] - MWAV - eScanAV AntiVirus Toolkit.

13 Aug 2015 22:44:43 [0618] - Copyright © MicroWorld Technologies

13 Aug 2015 22:44:43 [0618] -

13 Aug 2015 22:44:43 [0618] - Support: support@escanav.com

13 Aug 2015 22:44:43 [0618] - Web: http://www.escanav.com

13 Aug 2015 22:44:43 [0618] - **********************************************************

13 Aug 2015 22:44:43 [0618] - Version 14.0.203[DB] (C:\USERS\THE THIRD\APPDATA\LOCAL\TEMP\MEXETMP.EX~)

13 Aug 2015 22:44:43 [0618] - Log File: C:\Users\The Third\AppData\Local\Temp\LOG\MWAV.LOG

13 Aug 2015 22:44:43 [0618] - User Account: The Third (Administrator Mode)

13 Aug 2015 22:44:43 [0618] - Windows Root  Folder: C:\WINDOWS

13 Aug 2015 22:44:43 [0618] - Windows Sys32 Folder: C:\WINDOWS\system32

13 Aug 2015 22:44:43 [0618] - OS: Windows 8.1 64-Bit [OS Install Date: 22 Aug 2014 17:21:16]

13 Aug 2015 22:44:43 [0618] - Ver: Personal Build 9200

13 Aug 2015 22:44:43 [0618] - Latest Date of files inside MWAV: Fri Aug 14 05:34:31 2015.

13 Aug 2015 22:44:43 [0618] - Priority: NORMAL

13 Aug 2015 22:44:43 [0618] - WARNING!!! INVALID SYSTEM DATE 13-08-2015 !!!

 

13 Aug 2015 22:44:43 [0c18] - Options Selected by User:

13 Aug 2015 22:44:43 [0c18] - Memory Check: Enabled

13 Aug 2015 22:44:43 [0c18] - Registry Check: Enabled

13 Aug 2015 22:44:43 [0c18] - StartUp Folder Check: Enabled

13 Aug 2015 22:44:43 [0c18] - System Folder Check: Enabled

13 Aug 2015 22:44:43 [0c18] - Services Check: Enabled

13 Aug 2015 22:44:43 [0c18] - Scan Archives: Disabled

13 Aug 2015 22:44:43 [0c18] - Drive Check: Enabled

13 Aug 2015 22:44:43 [0c18] - All Drive Check :Disabled

13 Aug 2015 22:44:43 [0c18] - Drive Selected = C:\

13 Aug 2015 22:44:43 [0c18] - Folder Check: Disabled

13 Aug 2015 22:44:43 [0c18] - SCAN: All_Files [ANSI]

13 Aug 2015 22:44:43 [0c18] - MWAV Mode( B): Scan and Clean files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Malwarebytes

Version: 7.5.6 (08.10.2015:1)

OS: Windows 8.1 x64

Ran by The Third on Fri 08/14/2015 at  8:40:40.00

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Tasks

~~~ Registry Values

 

Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\browserpluginhelper

~~~ Registry Keys

 

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\APN PIP

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\PIP

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9DFED8EF-3328-4BD2-AC91-4A112C7C3A27}

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}

~~~ Files

~~~ Folders

 

Successfully deleted: [Empty Folder] C:\Users\The Third\Appdata\Local\{052A7B63-F445-4310-A4C3-749C74F517D7}

Successfully deleted: [Empty Folder] C:\Users\The Third\Appdata\Local\{2C606696-1E29-4BEA-8E0B-D44D0D63843F}

Successfully deleted: [Empty Folder] C:\Users\The Third\Appdata\Local\{324AB55D-8ACC-4D8C-957E-0FDFA4CA784F}

Successfully deleted: [Empty Folder] C:\Users\The Third\Appdata\Local\{3EAB7E87-379D-4362-86EE-24D642D7A4DE}

Successfully deleted: [Empty Folder] C:\Users\The Third\Appdata\Local\{68B1F4FD-F7BC-449F-9BBF-CF4D23D69607}

Successfully deleted: [Empty Folder] C:\Users\The Third\Appdata\Local\{7C8655BA-BAFA-4836-8D09-9729B9EEA96B}

Successfully deleted: [Empty Folder] C:\Users\The Third\Appdata\Local\{88042C7A-F71A-4B32-9BCA-BAC588149622}

Successfully deleted: [Empty Folder] C:\Users\The Third\Appdata\Local\{887AD027-D213-4812-9923-077ED7240567}

Successfully deleted: [Empty Folder] C:\Users\The Third\Appdata\Local\{AD2C8A3C-F092-4549-B2FE-9B9998A11A61}

Successfully deleted: [Empty Folder] C:\Users\The Third\Appdata\Local\{B39F65CF-C482-42F4-BFC6-964AF0D5193D}

Successfully deleted: [Empty Folder] C:\Users\The Third\Appdata\Local\{BCB2AB30-7AD8-4143-AC72-4BD19567585D}

Successfully deleted: [Empty Folder] C:\Users\The Third\Appdata\Local\{C10712FF-5FBA-48E3-B483-BB917C808BB2}

Successfully deleted: [Empty Folder] C:\Users\The Third\Appdata\Local\{FE4732BF-F987-4153-AC46-57DEA9B492AF}

Successfully deleted: [Folder] C:\Program Files\005

Successfully deleted: [Folder] C:\ProgramData\google

Successfully deleted: [Folder] C:\ProgramData\3e3412d73103906f

~~~ FireFox

 

Successfully deleted the following from C:\Users\The Third\AppData\Roaming\mozilla\firefox\profiles\05ph70o8.default-1412265524589\prefs.js

 

user_pref(browser.search.hiddenOneOffs, Bing,Amazon.com,DuckDuckGo,eBay,Secure Search,Twitter);

Emptied folder: C:\Users\The Third\AppData\Roaming\mozilla\firefox\profiles\05ph70o8.default-1412265524589\minidumps [9 files]

~~~ Chrome

 

Successfully deleted: [Folder] C:\Users\The Third\Appdata\Local\Google\Chrome\User Data\Default\Extensions\chgdeabpmphfhkoemjjglmilajldekbp

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\chgdeabpmphfhkoemjjglmilajldekbp

 

[C:\Users\The Third\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

 

[C:\Users\The Third\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

 

[C:\Users\The Third\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

 

[C:\Users\The Third\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Fri 08/14/2015 at  8:43:49.97

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# AdwCleaner v4.208 - Logfile created 14/08/2015 at 09:04:43

# Updated 09/07/2015 by Xplode

# Database : 2015-08-12.1 [Server]

# Operating system : Windows 8.1  (x64)

# Username : The Third - MOTHERSHIP

# Running from : C:\Users\The Third\Desktop\adwcleaner_4.208.exe

# Option : Cleaning

 

***** [ Services ] *****

***** [ Files / Folders ] *****

 

Folder Deleted : C:\Users\The Third\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijacdiajfhmmglphbglbgjjldcpfkglj

File Deleted : C:\Users\The Third\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ijacdiajfhmmglphbglbgjjldcpfkglj_0.localstorage

 

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

 

Key Deleted : HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{892cc6a3}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1663C10B-0D55-438D-8496-19A3DBAEC0E4}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A43DE495-3D00-47D4-9D2C-303115707939}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36D96925-ABFA-4EB8-B630-305E905A930D}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{36D96925-ABFA-4EB8-B630-305E905A930D}

Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}

Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}

Key Deleted : HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}

Key Deleted : HKLM\SOFTWARE\{77D46E27-0E41-4478-87A6-AABE6FBCF252}

Data Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~3\PERFOR~1\PERFOR~2.DLL

 

***** [ Web browsers ] *****

 

-\\ Internet Explorer v11.0.9600.17840

-\\ Mozilla Firefox v40.0 (x86 en-US)

-\\ Google Chrome v37.0.2062.124

 

[C:\Users\Brooklyn\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}

[C:\Users\Brooklyn\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

[C:\Users\Brooklyn\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://nortonsafe.search.ask.com/web?q={SEARCHTERMS}&o=APN10506&l=dis&prt=360&chn=retail&geo=US&ver=21&locale=en_US&gct=kwd&qsrc=2869

[C:\Users\Brooklyn\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF

[C:\Users\Talia\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}

[C:\Users\Talia\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

[C:\Users\Talia\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF

 

*************************

 

AdwCleaner[R0].txt - [3542 bytes] - [14/08/2015 09:02:35]

AdwCleaner[S0].txt - [3307 bytes] - [14/08/2015 09:04:43]

 

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3366  bytes] ##########


Edited by lil.sput, 16 August 2015 - 04:45 PM.
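The JRT and AdwCleaner logs above record what was removed, but not which of those items could have acted outside the browser, which is the question that matters when the ISP's complaint was about outbound traffic. As an added example that is not part of this thread, a small Python triage script that groups such removal records by persistence mechanism; the sample lines are copied from the logs above, and the rule names and the "leftover" class are my own labels.

```python
import re
from collections import defaultdict

# Constructed sample: one line of each kind that appears in the JRT and AdwCleaner
# logs posted above, with backslashes copied as they appear in those logs.
SAMPLE_LOG = r"""
Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\browserpluginhelper
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Successfully deleted: [Folder] C:\Users\The Third\Appdata\Local\Google\Chrome\User Data\Default\Extensions\chgdeabpmphfhkoemjjglmilajldekbp
Successfully deleted: [Empty Folder] C:\Users\The Third\Appdata\Local\{052A7B63-F445-4310-A4C3-749C74F517D7}
Folder Deleted : C:\Users\The Third\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijacdiajfhmmglphbglbgjjldcpfkglj
Data Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~3\PERFOR~1\PERFOR~2.DLL
[C:\Users\Brooklyn\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
"""

# Persistence classes, most significant first; the first matching rule wins. An
# AppInit_DLLs entry loads into every process linking user32.dll and a Run value
# starts at each logon, so both run outside the browser; the rest do not.
RULES = [
    ("appinit_dll", re.compile(r"\[AppInit_DLLs\]\s*-\s*(\S+)")),
    ("run_key", re.compile(r"\\CurrentVersion\\Run\\+([^\\\s]+)")),
    ("browser_extension", re.compile(r"\\Extensions\\([a-p]{32})\b")),
    ("search_hijack", re.compile(
        r"SearchScopes\\(\{[0-9A-Fa-f-]{36}\})|\[Search Provider\]\s*:\s*(\S+)")),
]

def classify(line):
    """Return (class, detail) for one removal record, or None for any other line."""
    if "delet" not in line.lower():
        return None
    for name, pattern in RULES:
        match = pattern.search(line)
        if match:
            return name, next(g for g in match.groups() if g)
    # Anything else that was removed (e.g. empty GUID folders): keep the path only.
    return "leftover", line.rsplit("] ", 1)[-1].strip()

def triage(log_text):
    """Group removal records by persistence class, de-duplicating across tools."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit and hit[1] not in report[hit[0]]:
            report[hit[0]].append(hit[1])
    return dict(report)

def needs_followup(report):
    """True when a mechanism outside the browser was found; a browser reset alone does not cover it."""
    return any(cls in report for cls in ("appinit_dll", "run_key"))

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for cls, items in result.items():
        print(f"{cls:18} {items}")
    print("follow-up needed:", needs_followup(result))
```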



#2 buddy215

  • Moderator
  • 13,301 posts
  • Gender:Male
  • Location:West Tennessee

Posted 17 August 2015 - 05:07 AM

Welcome to BC!

Suggest you scan ALL Windows computers with the two programs below and AdwCleaner, Junkware Removal Tool and CCleaner.

But post only the results using the programs below for the desktop mentioned in your opening post.

 

Download Malwarebytes' Anti-Malware from Here
Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).

  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.

 

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics... you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”



