nickg5 (United States of America) asked:
help with virus-malware attack, MSE issues, Malwarebyte scan, etc.

Here is what happened:
I turned on my computer, opened Firefox, went to Hotmail, logged in. Hotmail and Firefox do not work well together. I often get a JavaScript error in the bottom left corner. I have to reload the page, and then mark e-mails I want to delete, etc. Sometimes reloading is needed, and sometimes not.
So, one mouse click on reload did not work, so I clicked reload two more times.
Up pops a window claiming to be Vista Antivirus 2011 (unregistered version).

Is that a real program?

Why have I owned the computer for 2+ years and run an MSE scan every day, and never seen this Vista Anti-Virus 2011?

Some virus scans are phony. They want you to close, ok, cancel, abort, etc.
So, I avoided this scanner though it was proceeding to scan, and at one point showed found 27 infections. I always aborted the scan.

Then I rebooted in safe mode and ran a full scan using MSE and it found NOTHING.
While this scan was running, I got periodic popups like:
Rogue Malware
Trojan PSW.win32 Antigen.A from 94.89.60.244 port 41692
threat: macro point.shapesh.ft

I tried to open IE and I get this message:
IE is infected with trojan BNK.win32.keylogger.gen

some of the infections being found by this Vista Antivirus 2011 were:
Adobe - email worm
Adobe - IM worm
BWME.twelve.1378
attack from 75.84.23.141 port 6522 Backdoor.perl

The only choices I had for this Vista Anti Virus 2011, were:
activate (maybe risky)
continue and be unprotected (maybe risky)

Lower right hand tool bar showed the Windows shield, the small shield with the colors being red, green, blue, yellow.

Finally the MSE full scan ended after an hour. During this hour I got periodic warnings.

I then rebooted into safe mode and ran a quick scan using Malwarebytes.
It found only 8 infections and removed them.

I am trying to turn on "real time" protection on my MSE. I get an error message.

Before doing any of the above scans, I tried to open IE to come here, OE to get to my e-mails, and always got this Vista Anti Virus popup saying my Vista Firewall was "off."

So, should I remove my MSE and re-install?
I can not turn the real time protection on.
The MSE icon on my tool bar is RED and I can not turn on real time protection.
I can do scans, and just did a quick scan and it found nothing.
The message I get when I try to turn on real time protection is:
Security Essentials couldn't turn on real time protection, the operation returned because the time out period expired.

Any ideas?

Is this Vista Antivirus 2011 a real program, and I should let it run?

Thanks.

ASKER CERTIFIED SOLUTION
younghv (United States of America)

nickg5 (asker):

I have not had any issues the past few weeks with MSE or MWB.

I rebooted and now MSE is real time protection.

So, the Vista Anti Virus 2011 is a fake program...?...to be avoided when it pops open?

Vista Anti Virus is a real program that would be considered malware. You would want to avoid installing it, but it installs by clicking improperly on popups, and then you are infected and have to remove it.

I believe younghv gave the best advice above, I am just answering your secondary question.
nickg5 (asker):

I rebooted, everything seems fine....

Why did a full scan by MSE find NOTHING....?

It could have just been a popup to try and get you to install it.
nickg5 (asker):

But while Windows was giving all the warnings, while the MSE scan was being done, MSE found nothing.
It did not even find the 8 items that Malwarebytes found.

Thanks Hutch.

Nick,

"So, the Vista Anti Virus 2011 is a fake program...?...to be avoided when it pops open?"
Please go to the link I gave you and read the details about this.
There are at least 40 variants of this malware (same infection - different names).

You will have to run a "Registry Fixer", a "Rogue Process" stopper, and then a freshly downloaded and updated Malwarebytes.

If you were running MSE and Malwarebytes Pro (on-access 24/7 protection), I do not think this infection could have started.
SOLUTION
nickg5 (asker):

You will have to run a "Registry Fixer", a "Rogue Process" stopper, and then a freshly downloaded and updated Malwarebytes.
............even though my system is seemingly fine and MSE is running in the background?

If you were running MSE and Malwarebytes Pro (on-access 24/7 protection), I do not think this infection could have started.
.............the fake virus scan was showing MSE as "not" being real time protection.
This was the case AFTER Malwarebyte cleanup. I had to remove MSE and re-download it to get the "real time protection" to be on.

I've rebooted 3 times and see no ill effects.
Nick,
Let me walk through my previous comments a bit.
The list of three things you had to run were merely a recap of the advice posted at the "bleepingcomputer" link in my first comment.

Registry Fixer: FixNCR.reg (http://download.bleepingcomputer.com/reg/FixNCR.reg)

Rogue Process: RKill Download Link
http://www.bleepingcomputer.com/download/anti-virus/rkill

Finally "Malwarebytes".

Next, your system is NOT fine if you are getting the "Vista Anti-Virus 2011?" pop-up. That is a very distinct chunk of malware - also known as "scareware".

They (are many and varied) will show a ton of different messages trying to scare you into giving them your credit card info so that you can pay to have "all your problems" repaired.

They are fake - ignore them all and run the sequence of steps outlined in my very first comment.

MSE is in fact 24/7 on-access protection; as is Malwarebytes Pro.

The one thing I try to point out to everyone I help is that IF Malwarebytes can 'repair' an infection, it does an even better job of 'preventing' them.

If you haven't already bought your license for Malwarebytes, do it now. It will be the best security money you've ever spent.
nickg5 (asker):

Next, your system is NOT fine if you are getting the "Vista Anti-Virus 2011?" pop-up.
...........I am not getting that. The Malwarebyte scan got rid of it.

However, why did trying to reload my Hotmail window, using Firefox, open the door to this scareware?

I had to remove Malwarebytes because Windows kept trying to block it, on bootup.

So, MSE is working fine, my system seems fine.
Should I still need the registry tool?

I do not have Malwarebytes in the background,
and I'm wondering how my actions of reloading the page, caused this infection.
Is it a security issue with Firefox?
I had no e-mails open and clicked on no links.

Thanks.
nickg5 (asker):

I did not have my MSE real time protection turned OFF.
It was turned off by the infection I guess.
Because I had to un-install and re-install MSE, to get MSE real time protection to run.

I then did another scan with MSE and Malwarebytes and both found nothing.
The only issue was that Windows wanted to block MWB, so I just removed it.

I've had attacks, from websites before, so I know how they happen.

I'm not clear at all why "rapid reloading" of Hotmail using Firefox, caused this.


Hi again Nick.

To be really honest (and blunt) with you, it is very frustrating for me to post advice - that I know works - and to have you ignore what I am posting.

Repairing this type of infection is not a simple matter of running a scanner - especially not running a scanner in "Safe Mode".

"Vista Anitvirus 2011" is a very distinct variant of malware and I gave you all of the information you needed in my very first post.

The first step you were supposed to take was to use "FixNCR.reg" to repair the modifications to what happens when you start a program. Unless and until you fix the registry problems, you can't begin to solve the rest.

All of your follow up comments indicate that you have not yet followed the advice I first posted here: http:#a35500685
**************

"Because I had to un-install and re-install MSE, to get MSE real time protection to run."

Not true. If you had run the steps I gave you - in sequence - this would not have been necessary.

"The only issue was that Windows wanted to block MWB, so I just removed it."

A properly repaired Windows OS will NOT block Malwarebytes - they are fully and completely compatible with each other.

MSE (alone) will NOT give you the protection you need - once again - read the Articles in my first post. The "Ounce of Prevention..." applies to all Windows users.

I am willing to continue trying to help you resolve this, but - with respect - I refuse to waste my time posting advice that gets ignored.
SOLUTION
So the issue is resolved but you just have a little question of how it (malware) came into the system.

"I often get a java scipt error bottom left corner. I have to reload the page, and then mark e-mails I want to delete, etc. Sometimes reloading is needed, and some times not."

And that time (unfortunately) it wasn't just a normal reload of the page, it was a malware attack, and it's not so surprising as malware/viruses these days have many tricks in order to get into the system.
Users no longer have to click on any links, open an attachment or download files for the virus to get in.
Malware install can hide behind a fake BSOD etc.
That's why each time my IE crashes or is not responding and I have to end tasks or close all windows, the next time I open IE it prompts me whether I want to "restore IE's last session". I always choose to go to my home page as I don't want to reload whatever it was that caused IE to crash.

What happened to yours might've been a Firefox malware attack. A few years ago we all wanted to dump IE for Firefox as a secure browser, but now malware writers have their eyes on Firefox. Firefox plugins are increasingly popular as a means of infection. The goored infection (with many variants) is one example.


"So, is my system clean or a registry cleaner is still needed?
MSE and MWB do not find anything.
"


If the PC is now clean, you don't need to run a registry cleaner. You can clean the temp files and other junk if you must, but I wouldn't worry about cleaning the registry; it is not necessary, and sometimes they can do more harm than good. :)

But for 'peace of mind' you could always run other scanners and see if they come up clean too. Have you done younghv's suggestions and what the bleepingcomputer tutorial says to do? It's also possible that these rogues can come with rootkits etc., but for the fake antivirus rogue Malwarebytes is sufficient.
nickg5,

When you said "registry cleaner" did you mean the FixNCR.reg?
If so, that's just a reg file to fix the changes that malware did so executables can't run...
If you're able to run mbam.exe or other executables, then there is no need to run the FixNCR.reg. That's only needed when .exes can't run.
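The registry fix discussed in this thread (FixNCR.reg, the first step in younghv's sequence and the subject of the comment just above) exists because this family of rogues rewrites the .exe file association, so that launching any program runs the malware first. The PowerShell check below is added here as an example; it is not part of the original thread and not the bleepingcomputer tool. It reads the association keys and compares them with the stock Windows defaults (HKCR\.exe should be "exefile" and HKCR\exefile\shell\open\command should be "%1" %*). The extra check for a per-user .exe class under HKCU\Software\Classes is an assumption about where such a hijack may also be placed, since the per-user classes take precedence over the machine-wide ones.

```powershell
# Added example (not from the original thread): report whether the .exe file
# association still points at the Windows default. Rogues such as
# "Vista Antivirus 2011" change these keys so every program launch runs
# through the malware, which is why FixNCR.reg is applied before scanning.
# Run from an elevated PowerShell prompt.

# Stock Windows defaults for the two keys that matter most.
$expected = @{
    'Registry::HKEY_CLASSES_ROOT\.exe'                       = 'exefile'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
}

function Test-ExeAssociation {
    $ok = $true
    foreach ($key in $expected.Keys) {
        $actual = $null
        try {
            # The unnamed (default) value of a key is exposed as '(default)'.
            $actual = (Get-ItemProperty -Path $key -ErrorAction Stop).'(default)'
        } catch {
            Write-Warning "$key is missing or unreadable"
            $ok = $false
            continue
        }
        if ($actual -ne $expected[$key]) {
            Write-Warning "$key = [$actual] (expected [$($expected[$key])])"
            $ok = $false
        } else {
            Write-Host "$key OK"
        }
    }

    # Assumption: a per-user override under HKCU\Software\Classes is
    # consulted before HKLM\Software\Classes, so a hijack may hide there
    # even when the machine-wide keys look clean. Flag it for review.
    $userKey = 'HKCU:\Software\Classes\.exe'
    if (Test-Path $userKey) {
        $userVal = (Get-ItemProperty -Path $userKey).'(default)'
        Write-Warning "$userKey exists with value [$userVal]; review this per-user override"
        $ok = $false
    }
    return $ok
}

if (Test-ExeAssociation) {
    'exe association intact'
} else {
    'exe association tampered; apply the registry fix (FixNCR.reg) before running scanners'
}
```

If the check reports a tampered value, the path that appears in the command string is the file to hand to the rogue-process stopper and the scanner; once the association is repaired, executables such as mbam.exe launch normally again.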
nickg5 (asker):

I did a scan with Spyware Doctor 8.0.0.651. It found a lot of Firefox cookies.
I tried the "Rogue Process" stopper and all it found was Yahoo Messenger.exe.
I have run a Malwarebytes scan and an MSE scan and they find nothing.

So, what is the conclusion I should make?

Can I manually remove tracking cookies from Firefox?

I used my internet options > delete temp. files and cookies > using my IE 9.0
nickg5 (asker):

I removed spyware doctor. I do not have the money to subscribe.

It did a free scan before it asked for a credit card......

SOLUTION