Vista security center virus

By sam478516
Nov 1, 2009
Topic Status:
Not open for further replies.
  1. Good Afternoon, I apologize that I don't know very much about computers, so I may not be the best at describing my issues. I use an HP Pavilion dv6700 with Windows Vista. Last night I was at the movies 25 website where I have streamed a movie before. I was sitting on the District 9 page for a couple of minutes and all of a sudden I started getting messages from Security Center saying I was being attacked by a virus and telling me to install block scanner to get rid of the viruses. A window also popped up that looked like the "my computer" window and under the C drive it said I had 8 viruses, 1 in the D drive and 9 in the E drive, which of course doesn't make sense. I was repeatedly prompted to run the block scanner program and asked if I would allow the program to run. I have Norton Antivirus so I ran a full scan, and when I woke up this morning it had come back with nothing but a tracking cookie. I am still receiving a popup window telling me I'm being attacked by a trojan blocker, except with a spelling mistake 'Troyan', and asking me if I want Block scanner to remove the virus. I click no but it just keeps coming back every 5 minutes or so. If I click yes it takes me to a website where I can buy block scanner. Last night I noticed that when the security center icon popped up at the bottom (red shield with white X), if I clicked on it I couldn't actually go to any of the things outlined in the window. For example, "help for using Windows Security Center" would just send me to the block scanner webpage. Also, the window that comes up from clicking the red icon is different from the security center window that comes up when I open it from my start menu. What is going on?
  2. lewislau957

    lewislau957 Newcomer, in training Posts: 23

    You've been infected with a virus. I've seen that popup thing as well; it's best when you see that to close the window right away using Task Manager, the "x" button or pressing back ASAP. It seems that your Norton is not detecting the virus, so I suggest installing different antiviruses, and hopefully those can detect and remove it for you. Malwarebytes and AVG are both free, and work pretty well. Here are some links: http://www.malwarebytes.org/, http://free.avg.com/ww-en/homepage
  3. sam478516

    sam478516 Newcomer, in training Topic Starter

    I am now downloading Malwarebytes anti-malware software. I can also no longer open Norton thanks to this virus.
  4. sam478516

    sam478516 Newcomer, in training Topic Starter

    It came back with 16 infected objects. It looks like it removed them all; I'm gonna run it again to be sure. Thanks for your help.

    Malwarebytes' Anti-Malware 1.41
    Database version: 3080
    Windows 6.0.6002 Service Pack 2

    01/11/2009 2:51:48 PM
    mbam-log-2009-11-01 (14-51-48).txt

    Scan type: Quick Scan
    Objects scanned: 161833
    Time elapsed: 12 minute(s), 20 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 2
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 12

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\BlockScanner (Rogue.BlockScanner) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wno2ebd.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BlockScanner (Rogue.BlockScanner) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run (Trojan.Agent) -> Data: c:\windows\services.exe -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Windows\System32\wno2EBD.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Users\sam\AppData\Local\Temp\cahE8B9.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Users\sam\AppData\Local\Temp\ezk390A.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Users\sam\AppData\Local\Temp\gmf7EDE.tmp.exe (Rogue.Installer) -> Quarantined and deleted successfully.
    C:\Users\sam\AppData\Local\Temp\iiz8B6.tmp.exe (Rogue.Installer) -> Quarantined and deleted successfully.
    C:\Users\sam\AppData\Local\Temp\ijy9108.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Users\sam\AppData\Local\Temp\iqyC2C1.tmp.exe (Rogue.Installer) -> Quarantined and deleted successfully.
    C:\Users\sam\AppData\Local\Temp\izf2569.tmp.exe (Rogue.Installer) -> Quarantined and deleted successfully.
    C:\Users\sam\AppData\Local\Temp\vtoD430.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Users\sam\AppData\Local\Temp\wno2EBD.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Users\sam\AppData\Local\Temp\xebD3E0.tmp.exe (Rogue.Installer) -> Quarantined and deleted successfully.
    C:\Windows\services.exe (Trojan.Agent) -> Quarantined and deleted successfully.
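The log above lists both the autostart registry entries and the dropped files, but not which entry launched which file. As an added example (not part of the original thread and not Malwarebytes' own tooling), this Python script parses a few detection lines taken from that log and links each autostart entry to the quarantined files it pointed at; the function names, and the assumption that a Run value's name mirrors the dropped file's name, are illustrative.

```python
import re
from ntpath import basename  # parses Windows-style paths on any OS

# Constructed sample: a subset of the detection lines from the log above.
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wno2ebd.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BlockScanner (Rogue.BlockScanner) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run (Trojan.Agent) -> Data: c:\windows\services.exe -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\wno2EBD.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\sam\AppData\Local\Temp\wno2EBD.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\sam\AppData\Local\Temp\gmf7EDE.tmp.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Windows\services.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# One detection line: <item> (<detection name>) -> [Data: <value> ->] <action>
LINE = re.compile(r"^(?P<item>.+?) \((?P<name>[\w.]+)\) -> "
                  r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+)$")
# Autostart locations seen in this log: the Run/RunOnce keys and the legacy
# "Run" value under Windows NT\CurrentVersion\Windows.
AUTOSTART = re.compile(r"\\CurrentVersion\\(Run(Once)?|Windows\\Run)(\\|$)", re.I)

def parse(log):
    """Return one dict per detection line, tagged with its log section."""
    section, found = None, []
    for line in map(str.strip, log.splitlines()):
        head = re.match(r"^(.+) Infected:$", line)
        if head:
            section = head.group(1)
            continue
        m = LINE.match(line)
        if m and section:
            found.append({"section": section, **m.groupdict()})
    return found

def persistence(detections):
    """Map each autostart registry entry to the detected files it would launch."""
    files = [d["item"] for d in detections if d["section"] == "Files"]
    links = {}
    for d in detections:
        if d["section"].startswith("Registry") and AUTOSTART.search(d["item"]):
            # Data items carry the target path; Run values are matched by value
            # name (assumption: the name mirrors the file name, as in this log).
            target = (d["data"] or basename(d["item"])).lower()
            links[d["item"]] = [f for f in files
                                if f.lower() == target or basename(f).lower() == target]
    return links

if __name__ == "__main__":
    for entry, launched in persistence(parse(SAMPLE_LOG)).items():
        print(entry, "->", launched or "no matching file in this log")
```

An autostart entry that links to no file (here the BlockScanner value) pointed at something outside the detected set, so its target is worth checking by hand.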
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot, Sam. My apology for the delay. You were also given insufficient information. There is more to malware cleaning.

    Please follow the steps in our Virus and Malware Removal HERE:

    Run the programs in the order given. That means you will need to update Malwarebytes and rescan. Follow with SAS and HijackThis.

    When finished:
    Attach logs for Mbam and SAS.

    Paste log for HJT.

    lewislau957, please visit Special governing rules for the Virus & Malware removal board HERE.
  6. sam478516

    sam478516 Newcomer, in training Topic Starter

    So I ran the crap cleaner twice, then shut off my Norton auto protect and updated Malwarebytes. I ran it and it came back with this:

    Malwarebytes' Anti-Malware 1.41
    Database version: 3086
    Windows 6.0.6002 Service Pack 2

    02/11/2009 11:39:04 AM
    mbam-log-2009-11-02 (11-39-04).txt

    Scan type: Quick Scan
    Objects scanned: 93217
    Time elapsed: 5 minute(s), 8 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Now scanning with SAS. Sorry the logs aren't attached, I'm not entirely sure how to do that, I'd rather do it this way.
  7. sam478516

    sam478516 Newcomer, in training Topic Starter

    completed all steps

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:22:35 PM, on 02/11/2009
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18828)
    Boot mode: Normal

  8. sam478516

    sam478516 Newcomer, in training Topic Starter

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 11/02/2009 at 12:58 PM

    Application Version : 4.29.1004

    Core Rules Database Version : 4220
    Trace Rules Database Version: 2122

    Scan type : Complete Scan
    Total Scan Time : 01:08:22

    Memory items scanned : 826
    Memory threats detected : 0
    Registry items scanned : 8549
    Registry threats detected : 0
    File items scanned : 37428
    File threats detected : 15

    Adware.Tracking Cookie
  9. sam478516

    sam478516 Newcomer, in training Topic Starter

    All steps done, turning Norton back on. Hijack log is attached. All good?
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Thank you Sam. The main log I ask to be pasted is the HijackThis log- the others can be attached.

    Are you still having the original problem? There's not much in the HJT log.

    You have the Ask Toolbar installed; I would recommend you uninstall it. It is not a virus or malware; it's referred to as Foistware. It usually comes with another program without the user's permission. Decide after taking a look at this article:

    http://www.benedelman.org/spyware/ask-toolbars/

    I have coded the HJT entries for this program in green. Most of us encourage the removal of the AskBar.

    Please reopen HijackThis to 'do system scan only.' Check the following entries if present:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll Optional removal
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
    Optional removal

    Close all Windows except HijackThis. Click on "Fix Checked."

    You can easily uninstall the AskToolbar using the instructions below for Windows Vista:

      [1]. Close all open Web browsers
      [2]. From the "Start" menu in Windows, select "Control Panel"
      [3]. Under the "Programs" icon, select "Uninstall a program"
      [4]. Select the program with the Ask logo and the text "Ask Toolbar"
      [5]. Click "Uninstall" and then "Continue" to remove the Toolbar
      [6]. Use Windows Explorer: right click on Start> Explore> Local Drive (C)> Programs> right click> delete on any 'Ask' entry.
    If you reopen your Web browser and still see the Toolbar, you may need to restart your computer for the uninstall process to be completed.

    I'd like you to run an online virus scanner:
    Open Kaspersky Online Scanner in Internet Explorer

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings make sure that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

    Attach the Kaspersky log. If it's clean and if the original problems have been resolved, I'll have you remove the cleaning tools and set a new restore point.
  11. sam478516

    sam478516 Newcomer, in training Topic Starter

    No, after running Malwarebytes the first time, after Lewis told me to, I stopped having any problems. And this morning, trying to delete the Ask toolbar, when my computer restarted it could not reboot. I had to wipe my hard drive.
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sam, removing the AskBar should not have caused a problem like that. Lewis is not one of our malware helpers- but even running Malwarebytes shouldn't have contributed.

    It is more likely, in my opinion, that you either got other malware or had some system problem; even that at this point shouldn't have demanded a reinstall.

    But the system should be clean now. Here are some tips to keep it that way:
    Please follow these simple steps to keep your computer clean and secure:
    1. Disable and Enable System Restore: This will help you to drop the old restore points and set a new, clean one:

    System Restore Guide


    2. Stay current on updates:
    • Visit the Microsoft Download Site frequently.
      You should get all updates marked Critical and the current SP updates: Windows 2000> SP4, Windows XP> SP2, SP3, Vista> SP1
    • Visit this site (Adobe Reader) often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

    3. Make Internet Explorer safer. Follow the suggestions HERE
    This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

    4. Remove Temporary Internet Files regularly: Use
    5. Use an AntiVirus Software (only one)
    6. Use a good, bi-directional firewall (one software firewall)
    • See Understanding and Using Firewalls including links to download a firewall.

    7. Consider these programs for Extra Security
    • SpywareBlaster: protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
    • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts files: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Google Toolbar: Get the free Google Toolbar to help stop pop-up windows.

    If I can be of further assistance, please let me know. Help and support is only given in the forums but you can send a PM to me and bring my attention back to the thread.