Infected with Win 7 Home Security Virus


I have a rather new PC that is now infected with Win 7 Home Security Virus. I have started my PC in Safe Mode with Networking and downloaded your Malwarebytes Anti-Malware. However, when I try to execute it, it will not execute... what can I do?

Please help!

Tx,

Bito

Update on this issue:

I started the PC in Safe Mode with Networking and now it will not let me open any of the browsers. If I start Firefox it opens a window and says: Choose the program you want to use to open this file. ... and the only option it gives me is Internet Explorer. Then if I say OK it asks me to download firefox.exe from C:\Program Files (x86)\Mozilla Firefox

My PC is connected to Internet via wifi.

Please help as now this PC is totally stuck!


Delete the MBAM you have now and try this:

  • Please download Malwarebytes' Anti-Malware from here
    If you are unable to do this from the infected computer directly, transfer the file from another computer.
  • Download the mbam-setup.exe to your desktop.
  • Now make sure extensions are shown. To do this, please look here
  • Then rename mbam-setup.exe to explorer.exe
  • Then launch explorer.exe in order to install Malwarebytes' Anti-Malware
  • Once Malwarebytes' Anti-Malware is installed, navigate to your Program Files\Malwarebytes' Anti-Malware folder, locate the mbam.exe in there and rename it to iexplore.exe.
  • Now double-click iexplore.exe to launch Malwarebytes' Anti-Malware.
  • Click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart, so please allow MBAM to restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Please don't attach the scans / logs, use "copy/paste".

Also please describe how your computer behaves at the moment.


Hi,

I downloaded the file, renamed it explorer.exe, put it on a USB card and tried to execute it on the infected PC both under normal and Safe Mode with Networking. However, in both cases it says that it is starting to download but in reality it does not download anything. A blue bar runs across the File Download box and does not show any info for Estimated time left and Transfer rate. It just sits there.

What do you suggest that I do next?

Tx.


Hi,

I was trying to do the restore but as I was doing so I was able to run Malwarebytes and remove some infected items. Now the PC seems to run ok.

Here is the log that it produced... do I need to perform some other actions?

Please let me know and thanks so much for your help.

Log:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org
Database version: 6863
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
6/15/2011 3:44:12 PM
mbam-log-2011-06-15 (15-44-12).txt

Scan type: Quick scan
Objects scanned: 164329
Time elapsed: 5 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Vito\AppData\Local\fah.exe" -a "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Users\Vito\AppData\Local\fah.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Vito\AppData\Local\Temp\icreinstall\pdfconvertersetup.exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\Users\Vito\downloads\pdfconvertersetup.exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\Users\Vito\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

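The log above shows the two places this family typically hooks: HKCR\exefile\shell\open\command (so that every .exe launch passes through fah.exe first, which is why the renamed installer "sat there") and the browser's StartMenuInternet command. The following PowerShell audit is an added example, not part of the thread or of Malwarebytes' tooling; it reads those locations and reports anything that deviates from the "Good:" values shown in the log. The function names are my own, and it assumes an elevated PowerShell on Windows 7 or later.

```powershell
# Added example (not from the thread): audit the shell/open registry locations
# that the MBAM log reported as hijacked. Run from an elevated PowerShell.

# Pure string check, no registry access: a clean exefile "open" command is
# exactly  "%1" %*  (the "Good:" value in the log). Anything placed in front
# of "%1" runs before every executable on the system.
function Test-ExeOpenCommand {
    param([string]$Command)
    $normalised = ($Command -replace '\s+', ' ').Trim()
    return ($normalised -eq '"%1" %*')
}

# Pure string check for a StartMenuInternet command: flag commands that launch
# a binary from a profile or temp directory ahead of the real browser, as
# "...\AppData\Local\fah.exe" -a "...\firefox.exe" did in the log.
function Test-BrowserCommand {
    param([string]$Command)
    foreach ($pattern in @('\\AppData\\', '\\Temp\\', '\\ProgramData\\')) {
        if ($Command -match $pattern) { return $false }
    }
    return $true
}

function Get-ShellHijackReport {
    $findings = @()

    # 1. HKCR\exefile\shell\open\command: the launcher used for every .exe
    $exeKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $exeCmd = (Get-Item -Path $exeKey).GetValue('')
    if (-not (Test-ExeOpenCommand $exeCmd)) {
        $findings += "exefile open command is hijacked: $exeCmd"
    }

    # 2. HKCR\.exe should only map to 'exefile'; a shell\open\command subkey
    #    directly under .exe is normally absent (Hijack.ExeFile in the log)
    $dotExe = 'Registry::HKEY_CLASSES_ROOT\.exe'
    $assoc = (Get-Item -Path $dotExe).GetValue('')
    if ($assoc -ne 'exefile') {
        $findings += ".exe is associated with '$assoc' instead of 'exefile'"
    }
    if (Test-Path "$dotExe\shell\open\command") {
        $cmd = (Get-Item -Path "$dotExe\shell\open\command").GetValue('')
        $findings += ".exe has its own open command (normally absent): $cmd"
    }

    # 3. The open and safemode commands of every registered browser
    $smi = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet'
    foreach ($browser in Get-ChildItem -Path $smi -ErrorAction SilentlyContinue) {
        foreach ($verb in 'open', 'safemode') {
            $cmdKey = "$($browser.PSPath)\shell\$verb\command"
            if (Test-Path $cmdKey) {
                $cmd = (Get-Item -Path $cmdKey).GetValue('')
                if (-not (Test-BrowserCommand $cmd)) {
                    $findings += "$($browser.PSChildName) $verb command is hijacked: $cmd"
                }
            }
        }
    }
    return $findings
}

$report = Get-ShellHijackReport
if ($report.Count -eq 0) { 'No shell/open hijacks found.' } else { $report }
```

On 64-bit Windows, 32-bit browsers may register under HKLM\SOFTWARE\Wow6432Node\Clients\StartMenuInternet as well; the script checks only the path the log names, so add that second root if you want full coverage. The check in Test-ExeOpenCommand is deliberately strict: an exefile launcher that is anything other than "%1" %* deserves a look even if the extra program turns out to be benign.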

Hi,

I ran it again and performed a full scan. No problems were found. what is next?

Here is the log:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org
Database version: 6864
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
6/15/2011 8:10:15 PM
mbam-log-2011-06-15 (20-10-15).txt

Scan type: Full scan (C:\|)
Objects scanned: 294287
Time elapsed: 54 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Good job

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
  • Use a secure browser plugin - M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.

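Steps 5 to 10 of the Internet Explorer hardening list above set six per-zone actions through the Custom Level dialog. The same settings live as DWORD values under the Internet zone key (zone 3) in the registry, so they can be audited and applied per user with PowerShell. The script below is an added example and not part of the thread; the value names are Microsoft's documented zone action IDs (KB182569: 1001, 1004, 1201, 1800, 1804, 1607) with data 0 = Enable, 1 = Prompt, 3 = Disable, and the function names are my own.

```powershell
# Added example (not from the thread): audit and apply the six Internet zone
# settings from the hardening list for the current user. Zone 3 = Internet.
$InternetZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Zone action ID -> description and the setting recommended in the thread.
# 0 = Enable, 1 = Prompt, 3 = Disable (KB182569)
$Desired = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Value = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Value = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Value = 1 }
}

function Get-ZoneSettingLabel {
    param($Value)
    if ($null -eq $Value) { return 'not set' }
    switch ([int]$Value) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "Unknown($Value)" }
    }
}

# Compare the current zone values with the desired ones; one object per setting
function Get-InternetZoneAudit {
    foreach ($id in ($Desired.Keys | Sort-Object)) {
        $props   = Get-ItemProperty -Path $InternetZone -Name $id -ErrorAction SilentlyContinue
        $current = if ($props) { $props.$id } else { $null }
        New-Object PSObject -Property @{
            Id        = $id
            Setting   = $Desired[$id].Name
            Current   = Get-ZoneSettingLabel $current
            Desired   = Get-ZoneSettingLabel $Desired[$id].Value
            Compliant = ($null -ne $current -and [int]$current -eq $Desired[$id].Value)
        }
    }
}

# Write the recommended values for the current user (takes effect on next IE start)
function Set-InternetZoneHardening {
    foreach ($id in $Desired.Keys) {
        Set-ItemProperty -Path $InternetZone -Name $id -Value $Desired[$id].Value -Type DWord
    }
}

Get-InternetZoneAudit | Select-Object Id, Setting, Current, Desired, Compliant | Format-Table -AutoSize
# Uncomment to apply, then re-run the audit (or open the Custom Level dialog) to confirm:
# Set-InternetZoneHardening
```

This writes only the per-user (HKCU) zone, which is what the Custom Level dialog edits. If the machine is domain-managed and the Security_HKLM_only policy is in effect, the HKLM copy of the zone wins and the audit should be pointed at HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 instead.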
