Topic: How can I get rid of Internet Security scan (MERGED)


WildBill
How can I get rid of Internet Security scan (MERGED)
« on: May 05, 2013, 02:33:37 AM »
Is there anything I can do to stop an "Internet Security" scan for viruses on my computer that won't stop? It says I have Trojan horse and worm viruses. It just popped up and wants me to purchase it to clear the virus. I cannot access the internet nor download/install the programs you wanted me to install from the instructions before posting this message. Basically it has me at a standstill and there is nothing I can do to stop the scan or add/remove programs or connect to the internet. Any help will be appreciated.

Corrine (Administrator)
Hi, WildBill.  Welcome to LandzDown Forum.

We will do our best to assist you.  However, in order to do so, please follow all instructions provided in the sequence given.  Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use.  This may cause conflicts with the tools being used in the cleanup process.   

If you have questions regarding any of the instructions or problems running any tools, please let us know.  In the event you are not able to download the necessary tools with Safe Mode with Networking, it will be necessary to transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

1.  Please restart your computer in Safe Mode with Networking. (To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. Windows will now boot into safe mode with networking and prompt you to login as a user.) 

2.  Without restarting the computer, please download RKill to your desktop from here, selecting the iExplore.exe download link.
  • Double-click on the iExplore.exe desktop icon to run the tool.  Note:  For Windows Vista or Windows 7, please right-click and select "Run As Administrator".
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Note:  Do not restart the computer, or you will need to run the application again.

3.  Please download Malwarebytes' Anti-Malware to your desktop from here.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    -- Update Malwarebytes' Anti-Malware and
    -- Launch Malwarebytes' Anti-Malware
  • Click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, check the following settings:
    -- On the Scanner tab, check Perform full scan.
    -- On the Settings tab, Scanner Settings, leave the default boxes checked but change the drop-down boxes to Show in results list and check for removal.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:
  • Click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the Note below)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Please post contents of that file in your next reply.

** Note **

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

4.  Following that, please copy/paste the logs in the Log Posting Instructions topic as well as the results of the MBAM scan.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

WildBill
I was able to perform all the tasks you requested although I did have to restart the process once.  I am not sure how to post the logs and/or what logs.  I am going to paste here what I have.  It appears the problem is resolved as I am able to get in without entering through the safe mode.  Does this mean it is completely fixed or are there other steps necessary?

Rkill??:

Rkill 2.4.7 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 05/05/2013 09:00:51 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * COM+ Event System (EventSystem) is not Running.
   Startup Type set to: Manual

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic

 * Automatic Updates (wuauserv) is not Running.
   Startup Type set to: Automatic

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 05/05/2013 09:01:33 PM
Execution time: 0 hours(s), 0 minute(s), and 42 seconds(s)




MBAM results??:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.06.01

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 7.0.5730.13
bill :: ADMIN-201 [administrator]

5/5/2013 9:15:22 PM
mbam-log-2013-05-05 (21-15-22).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled: Registry
Objects scanned: 587323
Time elapsed: 1 hour(s), 8 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GOOGLEUPDATE.EXE (Trojan.Dropper.BU) -> Quarantined and deleted successfully.

Registry Values Detected: 8
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Apple (Trojan.Tracur.DL) -> Data: rundll32 "C:\Documents and Settings\bill\Local Settings\Application Data\ApplicationHistory\Apple\kdpcoxvjb.dll",DllRegisterServer -> Quarantined and deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Apple (Trojan.Tracur.DL) -> Data: rundll32 "C:\Documents and Settings\bill\Local Settings\Application Data\ApplicationHistory\Apple\kdpcoxvjb.dll",DllRegisterServer -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Visan (Trojan.Tracur.DL) -> Data: RUNDLL32.EXE "C:\Documents and Settings\bill\Local Settings\Application Data\Visan\rqnhmviy.dll",NKWkISSLmuTZtcuVhhlunGflEWp -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Screen Saver Pro 3.1 (Backdoor.Bot.ED) -> Data: C:\Documents and Settings\bill\Application Data\ScreenSaverPro.scr -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Obbkby (Backdoor.Bot.ED) -> Data: C:\Documents and Settings\bill\Application Data\Microsoft\Obbkby.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Internet Security (Trojan.Agent.BEWGen) -> Data: C:\Documents and Settings\All Users\Application Data\amsecure.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|cbfbeecebbcabad (Trojan.Dropper.BU) -> Data: C:\Documents and Settings\bill\Application Data\c7038bfb-7e9e-4ce1-bbc4-a8131679b328ad\cbfbeecebbcabad.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Java (Trojan.Inject) -> Data: C:\Documents and Settings\bill\Application Data\Java\javax.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 32
C:\System Volume Information\_restore{7836A790-F133-4152-978B-2D58E547688D}\RP1242\A0153001.old (Trojan.Tracur.DL) -> No action taken.
C:\System Volume Information\_restore{7836A790-F133-4152-978B-2D58E547688D}\RP1242\A0153004.scr (Backdoor.Bot.ED) -> No action taken.
C:\System Volume Information\_restore{7836A790-F133-4152-978B-2D58E547688D}\RP1242\A0153036.scr (Backdoor.Bot.ED) -> No action taken.
C:\System Volume Information\_restore{7836A790-F133-4152-978B-2D58E547688D}\RP1242\A0154052.exe (Backdoor.Bot.ED) -> No action taken.
C:\System Volume Information\_restore{7836A790-F133-4152-978B-2D58E547688D}\RP1242\A0154053.scr (Backdoor.Bot.ED) -> No action taken.
C:\Documents and Settings\bill\Local Settings\Application Data\ApplicationHistory\Apple\kdpcoxvjb.dll (Trojan.Tracur.DL) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\Local Settings\Application Data\Visan\rqnhmviy.dll (Trojan.Tracur.DL) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\Application Data\ScreenSaverPro.scr (Backdoor.Bot.ED) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\Application Data\Microsoft\Obbkby.exe (Backdoor.Bot.ED) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\amsecure.exe (Trojan.Agent.BEWGen) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\Application Data\c7038bfb-7e9e-4ce1-bbc4-a8131679b328ad\cbfbeecebbcabad.exe (Trojan.Dropper.BU) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\D5BC.tmp (Trojan.Agent.BEWGen) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\acrobat.exe (Trojan.Dropper.BU) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\alg.exe (Trojan.Dropper.BU) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\googleupdate.exe (Trojan.Dropper.BU) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\iexplore.exe (Trojan.Exploit.T2) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\mstsc.exe (Trojan.Dropper.BU) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\rundll32.exe (Trojan.Dropper.BU) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\teamviewer.exe (Trojan.Exploit.T2) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\windowsupdate.exe (Trojan.Exploit.T2) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\Application Data\temp.bin (Backdoor.Bot.ED) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\Local Settings\Temp\0.37263868591174154 (Trojan.Dropper.ED) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\Local Settings\Temp\01367120399265.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\Local Settings\Temp\01367120399359.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\Local Settings\Temp\1D5.tmp (Trojan.Agent.BEWGen) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\Local Settings\Temp\1D6.tmp (Trojan.Agent.BEWGen) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\Local Settings\Temp\1D9.tmp (Trojan.Agent.BEWGen) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\Local Settings\Temp\L2rKEs8.exe (Backdoor.Bot.ED) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\Local Settings\Temp\kdpcoxvjb\kdpcoxvjb.dll (Trojan.Tracur.DL) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\Application Data\Java\javax.exe (Trojan.Inject) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\Application Data\48.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\Application Data\4F.exe (Trojan.Agent) -> Quarantined and deleted successfully.

(end)
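An added example, not from this thread or from Malwarebytes: a small Python parser for the MBAM 1.75 log format produced by the scan in step 3 of the instructions and posted in this reply. It pulls out the autostart (Run key) values that relaunched the rogue at each logon, flags detections left with "No action taken" (the System Restore copies that the instructions say to leave unchecked), and checks that each "Detected: N" header matches the number of lines under it. The sample log is a constructed subset of the lines posted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
# Constructed subset of the MBAM 1.75 log posted above (same line format, fewer items).
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.75.0.1300
Scan type: Full scan (C:\|)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GOOGLEUPDATE.EXE (Trojan.Dropper.BU) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Internet Security (Trojan.Agent.BEWGen) -> Data: C:\Documents and Settings\All Users\Application Data\amsecure.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|cbfbeecebbcabad (Trojan.Dropper.BU) -> Data: C:\Documents and Settings\bill\Application Data\c7038bfb-7e9e-4ce1-bbc4-a8131679b328ad\cbfbeecebbcabad.exe -> Quarantined and deleted successfully.

Files Detected: 3
C:\System Volume Information\_restore{7836A790-F133-4152-978B-2D58E547688D}\RP1242\A0153001.old (Trojan.Tracur.DL) -> No action taken.
C:\Documents and Settings\All Users\Application Data\amsecure.exe (Trojan.Agent.BEWGen) -> Quarantined and deleted successfully.
C:\Documents and Settings\bill\Local Settings\Temp\01367120399265.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
(end)
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# One detection line: <location> (<threat>) -> [Data: <data> -> ]<action>.
ITEM_RE = re.compile(r"^(?P<location>.+?) \((?P<threat>[^()]+)\) -> "
                     r"(?:Data: (?P<data>.+?) -> )?(?P<action>[^>]+?)\.?$")
@dataclass
class Detection:
    section: str         # "Registry Keys", "Registry Values", "Files", ...
    location: str        # registry key/value or file path
    threat: str          # MBAM family name, e.g. Trojan.Agent.BEWGen
    data: Optional[str]  # registry value data (the command an autostart launches)
    action: str          # "Quarantined and deleted successfully" or "No action taken"

def parse_mbam_log(text: str) -> List[Detection]:
    """Walk the 'X Detected: N' sections and parse every detection line beneath them."""
    items, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SECTION_RE.match(line):
            section = m["section"]
        elif section and (m := ITEM_RE.match(line)):
            items.append(Detection(section, m["location"], m["threat"], m["data"], m["action"]))
    return items

def counts_consistent(text: str) -> bool:
    """Each header count must equal the items parsed under it; a mismatch means a cut or garbled log."""
    expected = {m["section"]: int(m["count"])
                for m in (SECTION_RE.match(raw.strip()) for raw in text.splitlines()) if m}
    seen: Dict[str, int] = {}
    for d in parse_mbam_log(text):
        seen[d.section] = seen.get(d.section, 0) + 1
    return all(seen.get(s, 0) == n for s, n in expected.items())

def persistence_entries(items: List[Detection]) -> List[Detection]:
    """Autostart values (Run and Policies\\Explorer\\Run): what relaunched the rogue at each logon."""
    return [d for d in items if d.section == "Registry Values" and "\\Run|" in d.location]

def unhandled(items: List[Detection]) -> List[Detection]:
    """Detections MBAM left in place, here the System Restore copies excluded per the instructions."""
    return [d for d in items if not d.action.startswith("Quarantined")]
```

Run over the full log posted above, the same functions list every Run-key entry and the five System Restore copies that remain until the restore points are cleared.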

Corrine (Administrator)
Hi, WildBill.

That certainly gave you some breathing room.  Without further information, I can't see what may be left on your computer.  Please post the logs from the Log Posting Instructions topic.



WildBill
Following Corrine's Instructions to remove malware
« Reply #4 on: May 08, 2013, 12:48:18 AM »

Corrine (Administrator)
Re: Following Corrine's Instructions to remove malware
« Reply #5 on: May 08, 2013, 01:28:58 AM »
Hi, WildBill.

I'll merge your topics later.  In the meantime, oh my!  It is no wonder your computer was hit so hard.  You have some really old Java versions installed on your computer with a very long history of being the cause of infections.  (See Java, The Never-Ending Saga)  Please uninstall all of the outdated, vulnerable Java programs on your computer ASAP, including the following:

J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 4
Java(TM) 6 Update 3
Java(TM) 6 Update 30
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1


Is it even possible to update the version of ESET NOD32 installed on your computer?  Do you have a valid license for it?  If not, please also uninstall it.  In the interim, install Microsoft Security Essentials.  It is free and available from here:  http://www.microsoft.com/en-us/download/details.aspx?id=5201

It appears you have two versions of Google Chrome installed.  If that is the case, please remove the old version.  If you no longer use Firefox, you should uninstall it.  Otherwise, it's time to update that as well.

Adobe Reader is also out of date, and even the most recent version has security vulnerabilities that have yet to be patched.  If you don't use it often, I suggest uninstalling it and replacing it with Sumatra PDF.  (See my blog post Replacing Adobe Reader with Sumatra PDF.)



Now, after you've completed that, please restart your computer and let's see if there are any leftovers from that nasty Internet Security rogue.  Please follow these instructions carefully.

Download ComboFix from here.

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray. 

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications.

Now, please run ComboFix:
  • Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.



WildBill
Re: How can I get rid of Internet Security scan (MERGED)
« Reply #6 on: May 13, 2013, 01:50:06 AM »
Hi Corrine,

I am making this harder than it should be.  I cannot delete the NOD32 because I don't have complete administrator rights on this computer.  When I tried to do one of the processes, it said it couldn't complete it because the security software was not disabled.  I am having trouble finding the tabs/links in the instructions for disabling the security software.  I really appreciate your help but got lost on this one.

Corrine (Administrator)
Re: How can I get rid of Internet Security scan (MERGED)
« Reply #7 on: May 13, 2013, 01:06:44 PM »
Hi, WildBill.

Is there a family member who has access to the Admin account?  If not, please see this Microsoft KB article for accessing the Administrator account: Error Message: Unable to Log You on Because of an Account Restriction.

