
Fake windows security alert and McAfee


11 replies to this topic

#1 Green617


Posted 30 April 2016 - 09:53 PM

Hi, I am new here so I don't know how this goes here.

My computer is Windows 10 Home x64.

I think it is infected: when I start up my computer, whatever program I start closes by itself.

I see a pop-up of Windows Security Alert and McAfee. I don't have McAfee or Windows Security Alert. If I stay too long, an image shows up about Trojan Zeus?

I only got two screenshots; the other one I cannot get.

Here are some screenshots.

Windows Security Alert:

http://i1096.photobucket.com/albums/g326/mypic612/nun1_zpsl9tac74k.png

McAfee:

http://i1096.photobucket.com/albums/g326/mypic612/nun2_zpsaxeitjiv.png

When the pop-up shows, I go to Task Manager and it shows the location:

Program Files (x86)\Microsoft Corporation

I don't know, is that the virus?

I tried running full system scans, having to boot into safe mode, with this software:

AVG
SUPERAntiSpyware
Kaspersky TDSSKiller
RKill
Malwarebytes Anti-Malware
HitmanPro
Emsisoft Emergency Kit
Microsoft Windows Malicious Software Removal Tool (only quick scan)

I tried everything and got nothing. Also, somehow it works when I check normal startup in System Configuration: it is clean and works, then for some reason the next day, boom, it is back again.

I have been doing this for three days now. Somehow it has not infected the other user accounts, only mine; the account is not even an administrator account.

Can you help me please, and thank you.


Edited by Green617, 30 April 2016 - 09:56 PM.



 


#2 Aura

  • Malware Response Team

Posted 02 May 2016 - 08:03 AM

Hi Green617 :)

My name is Aura and I'll be assisting you with your issue. Follow the instructions below please.

Autoruns - Start-up Entries
Follow the instructions below to give me an Autoruns log containing your start-up entries:
  • Download Autoruns.zip from the Sysinternals Suite webpage;
  • Extract the content of the Autoruns.zip folder where you want, then go in the folder, right-click on Autoruns.exe and select Run as Administrator;
  • Accept the EULA on opening, then wait for all the entries to load;
  • Click on File then Save and save the file to a location easily accessible as a .arn (Autoruns) file;
  • Upload the file on Dropbox, Google Drive or OneDrive and post the download URL for it here;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Green617


Posted 03 May 2016 - 01:32 PM

Hi Aura, I don't know how to reply to this. Here is the link:

https://www.dropbox.com/s/pn2bv9w0ciiymil/my%20log.arn?dl=0



#4 rpbtf


Posted 03 May 2016 - 03:06 PM

Hello,

your my log.arn contains all entries you can see in Autoruns under "Everything". Just upload it as mentioned above.

Ralf



#5 Green617


Posted 03 May 2016 - 04:26 PM

> Hello,
>
> your my log.arn contains all entries you can see in Autoruns under "Everything". Just upload it as mentioned above.
>
> Ralf

I don't get it.



#6 Aura


Posted 03 May 2016 - 05:25 PM

Thank you for the log :) Next, you'll run Autoruns as Administrator again, and you'll delete the entries shown in the screenshots below. To delete an entry, simply right-click on it and select Delete. They are listed in the order they are displayed in your logs, and the ones I'm asking you to delete are all highlighted in yellow (but you are not deleting ALL of the yellow ones).

[12 screenshots of the Autoruns entries to delete; images not preserved]
Once done, please save a new Autoruns (.arn) file, and upload it for me to review.



#7 Green617


Posted 05 May 2016 - 09:21 AM

To Aura,

Here is my log after deleting the highlighted entries on the list:

https://www.dropbox.com/s/z5dv0rlc72401oc/my%20log%202.arn?dl=0



#8 Aura


Posted 05 May 2016 - 09:24 AM

Good :) Now follow the instructions below please.

Junkware Removal Tool (JRT)
  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press on any key to launch the scan and let it complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;

AdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Cleaning button. This will kill all the active processes;
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply;

Malwarebytes Anti-Malware - Clean Mode
  • Download and install the free version of Malwarebytes Anti-Malware
    Note: It's your choice if you want to enable the free trial of Malwarebytes Premium or not. Enabling it will give you real-time protection from the program, as well as access to all the Premium features.
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point;
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the Update Now button;
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan;
  • Let the scan run; the time required to complete the scan depends on your system and computer specs;
  • Once the scan is complete, make sure that the checkbox by Threat is checked (it means that every item detected is checked), then click on the Remove Selected button;
  • Click on Save Results after the deletion (in the bottom-right corner) and select Copy to clipboard. Paste the content in your next reply;

Your next reply(ies) should therefore contain:
  • Copy/pasted JRT log;
  • Copy/pasted AdwCleaner clean log;
  • Copy/pasted Malwarebytes clean log;



#9 Green617


Posted 08 May 2016 - 02:44 PM

HERE ARE ALL THE LOGS

 

 

 

 

JRT log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.6 (04.25.2016)
Operating System: Windows 10 Home x64
Ran by username (Administrator) on Sat 05/07/2016 at 17:42:23.81
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 1

Successfully deleted: C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dajedkncpodkggklbegccjpmnglmnflm (Folder)



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 05/07/2016 at 17:48:57.52
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

AdwCleaner clean log;

# AdwCleaner v5.115 - Logfile created 07/05/2016 at 20:37:15
# Updated 01/05/2016 by Xplode
# Database : 2016-05-04.2 [Server]
# Operating system : Windows 10 Home  (X64)
# Username : Edwin - TELLEZ
# Running from : C:\Users\Edwin\Desktop\AdwCleaner.exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****

[-] File Deleted : C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_search.mpc.am_0.localstorage
[-] File Deleted : C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_search.mpc.am_0.localstorage-journal

***** [ DLLs ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Microsoft\{94ebd7b5-82ae-449t-b679-3d04078ed154}

***** [ Web browsers ] *****

[-] [C:\Users\test\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : search.yahoo.com
[-] [C:\Users\test\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\test\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : searchinterneat-a.akamaihd.net
[-] [C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : mpc safe search
[-] [C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Startup_URLs] Deleted : search.mpc.am
[-] [C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Default_Search_Provider_Data] Deleted : hxxp://search.mpc.am?q={searchTerms}&cx=partner-pub-3796753109442372:3837783968
[-] [C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Homepage] Deleted : search.mpc.am
[-] [C:\Users\max\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\max\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [14995 bytes] - [16/04/2016 22:10:30]
C:\AdwCleaner\AdwCleaner[C2].txt - [1292 bytes] - [16/04/2016 23:19:19]
C:\AdwCleaner\AdwCleaner[C3].txt - [2705 bytes] - [07/05/2016 20:37:15]
C:\AdwCleaner\AdwCleaner[R0].txt - [3340 bytes] - [08/08/2015 19:37:17]
C:\AdwCleaner\AdwCleaner[S0].txt - [3224 bytes] - [08/08/2015 19:43:08]
C:\AdwCleaner\AdwCleaner[S1].txt - [16606 bytes] - [16/04/2016 22:04:15]
C:\AdwCleaner\AdwCleaner[S2].txt - [1124 bytes] - [16/04/2016 23:13:48]
C:\AdwCleaner\AdwCleaner[S4].txt - [1442 bytes] - [26/04/2016 17:52:16]
C:\AdwCleaner\AdwCleaner[S5].txt - [3044 bytes] - [07/05/2016 19:02:20]

########## EOF - C:\AdwCleaner\AdwCleaner[C3].txt - [3217 bytes] ##########

 

 

Malwarebytes clean log;

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/7/2016
Scan Time: 8:45 PM
Logfile:
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.05.07.05
Rootkit Database: v2016.05.06.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Edwin

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 525267
Time Elapsed: 1 hr, 18 min, 56 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 3
PUP.Optional.DNSio, HKLM\SOFTWARE\CLASSES\CLSID\{FD20C151-A061-4097-955D-682F317A7035}, Quarantined, [7f920dc67425a1955a8279c9dd250cf4],
PUP.Optional.IDSCProduct, HKLM\SOFTWARE\MICROSOFT\TRACING\idscservice_RASAPI32, Quarantined, [30e17e554851a39372ab7e4e7a891de3],
PUP.Optional.IDSCProduct, HKLM\SOFTWARE\MICROSOFT\TRACING\idscservice_RASMANCS, Quarantined, [d33e785b960344f2889518b4c73c6e92],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)
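
An added example (not part of the original posts, and not AdwCleaner's own code): a small Python parser for the AdwCleaner clean-log layout quoted above, grouping each removed item by section and by the Windows profile its path belongs to. The sample lines are constructed from the log above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the AdwCleaner v5 clean-log layout quoted above.
SAMPLE_LOG = r"""
***** [ Files ] *****
[-] File Deleted : C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_search.mpc.am_0.localstorage
***** [ Registry ] *****
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\{94ebd7b5-82ae-449t-b679-3d04078ed154}
***** [ Web browsers ] *****
[-] [C:\Users\test\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\Edwin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Homepage] Deleted : search.mpc.am
[-] [C:\Users\max\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
"""

SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
# Browser entries: [-] [<file>] [<setting>] Deleted : <value>
BROWSER_RE = re.compile(r"^\[-\] \[(.+?)\] \[(.+?)\] Deleted : (.+)$")
# All other entries: [-] <Kind> Deleted : <target>
GENERIC_RE = re.compile(r"^\[-\] (\w+) Deleted : (.+)$")
# Windows profile name, when the path sits under <drive>:\Users\<name>\
PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\")

def parse_clean_log(text):
    """Return one dict per '[-]' removal line, tagged with section and profile."""
    section, entries = None, []
    for line in map(str.strip, text.splitlines()):
        if m := SECTION_RE.match(line):
            section = m.group(1)
            continue
        if m := BROWSER_RE.match(line):
            path, kind, target = m.groups()
        elif m := GENERIC_RE.match(line):
            kind, target = m.groups()
            path = target
        else:
            continue  # headers, separators, footer lines
        p = PROFILE_RE.match(path)
        entries.append({"section": section, "kind": kind, "target": target,
                        "profile": p.group(1) if p else None})
    return entries

def removals_by_profile(entries):
    """Group removed items by Windows profile; None holds machine-wide items."""
    grouped = defaultdict(list)
    for e in entries:
        grouped[e["profile"]].append((e["section"], e["kind"], e["target"]))
    return dict(grouped)

if __name__ == "__main__":
    print(removals_by_profile(parse_clean_log(SAMPLE_LOG)))
```

Run over the full log, the grouping shows which user profiles had Chrome settings removed and which entries (such as the HKLM key) were machine-wide.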

 



#10 Aura


Posted 08 May 2016 - 08:56 PM

Good :) Do you still have the pop-ups mentioned in your first post?



#11 Green617


Posted 15 May 2016 - 03:09 PM

Yes, it works now; I also deleted Program Files (x86)\Microsoft Corporation too.



#12 Aura


Posted 15 May 2016 - 03:10 PM

So are there any issues left that need to be addressed?





