help with virus-malware attack, MSE issues, Malwarebytes scan, etc.

Posted on 2011-05-01
Last Modified: 2013-11-22
Here is what happened:
I turned on my computer, opened Firefox, went to Hotmail, logged in. Hotmail and Firefox do not work well together. I often get a JavaScript error in the bottom left corner. I have to reload the page, and then mark e-mails I want to delete, etc. Sometimes reloading is needed, and sometimes not.
So, one mouse click on reload did not work, so I clicked reload two more times.
Up pops a window claiming to be Vista Antivirus 2011 (unregistered version).

Is that a real program?

Why have I owned the computer for 2+ years and run an MSE scan every day, and never seen this Vista Anti-Virus 2011?

Some virus scans are phony. They want you to close, ok, cancel, abort, etc.
So, I avoided this scanner though it was proceeding to scan, and at one point showed found 27 infections. I always aborted the scan.

Then I rebooted in safe mode and ran a full scan using MSE and it found NOTHING.
While this scan was running, I got periodic popups like:
Rogue Malware
Trojan PSW.win32 Antigen.A from port 41692
threat: macro point.shapesh.ft

I tried to open IE and I get this message:
IE is infected with trojan BNK.win32.keylogger.gen

some of the infections being found by this Vista Antivirus 2011 were:
Adobe - email worm
Adobe - IM worm
attack from port 6522 Backdoor.perl

The only choices I had for this Vista Anti Virus 2011, were:
activate (maybe risky)
continue and be unprotected (maybe risky)

Lower right hand tool bar showed the Windows shield, the small shield with the colors being red, green, blue, yellow.

Finally the MSE full scan ended after an hour. During this hour I got periodic warnings.

I then rebooted into safe mode and ran a quick scan using Malwarebytes.
It found only 8 infections and removed them.

I am trying to turn on "real time" protection on my MSE. I get an error message.

Before doing any of the above scans, I tried to open IE to come here, OE to get to my e-mails, and always got this Vista Anti Virus popup saying my Vista Firewall was "off."

So, should I remove my MSE and re-install?
I can not turn the real time protection on.
The MSE icon on my tool bar is RED and I can not turn on real time protection.
I can do scans, and just did a quick scan and it found nothing.
The message I get when I try to turn on real time protection is:
Security Essentials couldn't turn on real time protection, the operation returned because the time out period expired.

Any ideas?

Is this Vista Antivirus 2011 a real program, and should I let it run?


Question by:nickg5
LVL 38

Accepted Solution

younghv earned 500 total points
ID: 35500685
Hi again Nick.
Is this the same computer that we've worked on in the past few weeks?
I've given you the links to these EE Articles before and the advice applies to all Windows OS's.

Running MSE with Malwarebytes PRO - plus the other advice is going to prevent this from happening in almost all situations.

Read through them again and take the steps listed.

http://www.experts-exchange.com/A_1958.html (MALWARE - "An Ounce of Prevention...")
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)

The problem you're describing today is one of the "name changer" variants.
Detailed removal instructions here:

LVL 25

Author Comment

ID: 35500819
I have not had any issues the past few weeks with MSE or MWB.

I rebooted and now MSE is real time protection.

So, the Vista Anti Virus 2011 is a fake program...?...to be avoided when it pops open?
LVL 10

Expert Comment

ID: 35500826
Vista Anti Virus is a real program that would be considered malware. You would want to avoid installing it, but it installs by clicking improperly on popups, and then you are infected and have to remove it.

I believe younghv gave the best advice above, I am just answering your secondary question.

LVL 25

Author Comment

ID: 35500908
I rebooted, everything seems fine....

Why did a full scan by MSE find NOTHING....?
LVL 10

Expert Comment

ID: 35500920
It could have just been a popup to try and get you to install it.
LVL 25

Author Comment

ID: 35500925
But while Windows was giving all the warnings, while the MSE scan was being done, MSE found nothing.
It did not even find the 8 items that Malwarebytes found.

LVL 38

Expert Comment

ID: 35501197
Thanks Hutch.


"So, the Vista Anti Virus 2011 is a fake program...?...to be avoided when it pops open?"
Please go to the link I gave you and read the details about this.
There are at least 40 variants of this malware (same infection - different names).

You will have to run a "Registry Fixer", a "Rogue Process" stopper, and then a freshly downloaded and updated Malwarebytes.

If you were running MSE and Malwarebytes Pro (on-access 24/7 protection), I do not think this infection could have started.
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 500 total points
ID: 35501279
@younghv's advice is good.  The screen that "Vista Anti Virus 2011" shows is a fake, it's not running a scan at all.  So are the popups from it.  They are trying to get you to pay them to 'remove' whatever they say.  If you pay them, as some of my customers have done, you will simply lose money because they will not remove anything or even turn off the warnings.

One of today's projects for me is finishing cleaning up a computer that had one of the fake anti-virus programs.  When I have to get rid of one of these, I run many scans with different programs because each one finds different things.  On the computer I'm working on today, I've run Combofix, McAfee, and now I'm running MalwareBytes.

One of the reasons that anti-virus programs don't detect some of these things is because the virus always comes first and the anti-virus programs play catchup, trying to find and remove them.
LVL 25

Author Comment

ID: 35501572
You will have to run a "Registry Fixer", a "Rogue Process" stopper, and then a freshly downloaded and updated Malwarebytes.
............even though my system is seemingly fine and MSE is running in the background?

If you were running MSE and Malwarebytes Pro (on-access 24/7 protection), I do not think this infection could have started.
.............the fake virus scan was showing MSE as "not" being real time protection.
This was the case AFTER the Malwarebytes cleanup. I had to remove MSE and re-download it to get the "real time protection" to be on.

I've rebooted 3 times and see no ill effects.
LVL 38

Expert Comment

ID: 35501645
Let me walk through my previous comments a bit.
The list of three things you had to run were merely a recap of the advice posted at the "bleepingcomputer" link in my first comment.

Registry Fixer: FixNCR.reg (http://download.bleepingcomputer.com/reg/FixNCR.reg)

Rogue Process: RKill Download Link

Finally "Malwarebytes".

Next, your system is NOT fine if you are getting the "Vista Anti-Virus 2011?" pop-up. That is a very distinct chunk of malware - also known as "scareware".

They (are many and varied) will show a ton of different messages trying to scare you into giving them your credit card info so that you can pay to have "all your problems" repaired.

They are fake - ignore them all and run the sequence of steps outlined in my very first comment.

MSE is in fact 24/7 on-access protection; as is Malwarebytes Pro.

The one thing I try to point out to everyone I help is that IF Malwarebytes can 'repair' an infection, it does an even better job of 'preventing' them.

If you haven't already bought your license for Malwarebytes, do it now. It will be the best security money you've ever spent.
LVL 25

Author Comment

ID: 35501680
Next, your system is NOT fine if you are getting the "Vista Anti-Virus 2011?" pop-up.
...........I am not getting that. The Malwarebytes scan got rid of it.

However, why did trying to reload my Hotmail window, using Firefox, open the door to this scareware?

I had to remove Malwarebytes because Windows kept trying to block it, on bootup.

So, MSE is working fine, my system seems fine.
Should I still need the registry tool?

I do not have Malwarebytes in the background,
and I'm wondering how my actions of reloading the page, caused this infection.
Is it a security issue with Firefox?
I had no e-mails open and clicked on no links.

LVL 25

Author Comment

ID: 35501718
I did not have my MSE real time protection turned OFF.
It was turned off by the infection I guess.
Because I had to un-install and re-install MSE, to get MSE real time protection to run.

I then did another scan with MSE and Malwarebytes and both found nothing.
The only issue was that Windows wanted to block MWB, so I just removed it.

I've had attacks, from websites before, so I know how they happen.

I'm not clear at all why "rapid reloading" of Hotmail using Firefox, caused this.

LVL 38

Expert Comment

ID: 35688700
Hi again Nick.

To be really honest (and blunt) with you, it is very frustrating for me to post advice - that I know works - and to have you ignore what I am posting.

Repairing this type of infection is not a simple matter of running a scanner - especially not running a scanner in "Safe Mode".

"Vista Antivirus 2011" is a very distinct variant of malware and I gave you all of the information you needed in my very first post.

The first step you were supposed to take was to use "FixNCR.reg" to repair the modifications to what happens when you start a program. Unless and until you fix the registry problems, you can't begin to solve the rest.

All of your follow up comments indicate that you have not yet followed the advice I first posted here: http:#a35500685

"Because I had to un-install and re-install MSE, to get MSE real time protection to run."

Not true. If you had run the steps I gave you - in sequence - this would not have been necessary.

"The only issue was that Windows wanted to block MWB, so I just removed it."

A properly repaired Windows OS will NOT block Malwarebytes - they are fully and completely compatible with each other.

MSE (alone) will NOT give you the protection you need - once again - read the Articles in my first post. The "Ounce of Prevention..." applies to all Windows users.

I am willing to continue trying to help you resolve this, but - with respect - I refuse to waste my time posting advice that gets ignored.
LVL 61

Assisted Solution

mbizup earned 500 total points
ID: 35688903

I'm not looking for points here because everything in this post has already been said.

I removed a variation of what you are describing recently, and the order of steps is important (Have you followed all of the suggested steps in order?).

Look at younghv's advice as a 'checklist' of things you need to do *in sequence* rather than a list of things you can try...

1. Run the registry tool
2. Stop rogue processes using RKill or RogueKiller (these kill processes that are actively preventing your other tools from running)
3. *Without rebooting* (which may allow rogue processes to start back up), run a follow-up scan using MBAM

A couple of notes...

- Make sure you are using these tools in Normal Mode (not Safe Mode)

- If you cannot download the tools for whatever reason, you may need to get creative and download them onto a 'clean' computer and use a CD or other means to put them on the desktop of your infected computer (and you may need to rename the executable for it to run).

- If you have multiple accounts on this computer, you should repeat those three steps, in order on each account.
LVL 47

Expert Comment

ID: 35689242
So the issue is resolved but you just have a little question of how it (malware) came into the system.

"I often get a JavaScript error in the bottom left corner. I have to reload the page, and then mark e-mails I want to delete, etc. Sometimes reloading is needed, and sometimes not."

And that time (unfortunately) wasn't just a normal reload of the page, it was a malware attack, and it's not so surprising as malware/viruses these days have many tricks in order to get into the system.
Users no longer have to click on any links, open an attachment or download files for the virus to get in.
Malware install can hide behind a fake BSOD etc.
That's why each time my IE crashes or is not responding and I have to end tasks or close all windows, the next time I open IE it prompts me whether I want to "restore IE's last session". I always choose to go to my home page as I don't want to reload whatever it was that caused IE to crash.

What happened to yours might've been a Firefox malware attack. A few years ago we all wanted to dump IE for Firefox as a secure browser, but now malware writers have their eyes on Firefox. Firefox plugins are increasingly popular as a means of infection. The goored infection (with many variants) is one example.

"So, is my system clean or is a registry cleaner still needed?
MSE and MWB do not find anything."

If the PC is now clean, you don't need to run a registry cleaner. You can clean the temp files and other junk if you must, but I wouldn't worry about cleaning the registry; it's not necessary, and sometimes they can do more harm than good :).

But for 'peace of mind' you could always run other scanners and see if they come up clean too. Have you done younghv's suggestions and what the bleepingcomputer tutorial says to do? It's also possible that these rogues can come with rootkits etc, but for the fake antivirus rogue MalwareBytes is sufficient.
LVL 47

Expert Comment

ID: 35689417

When you said "registry cleaner" did you mean the FixNCR.reg?
If so, that's just a reg file to fix the changes that malware did so executables can't run...
If you're able to run mbam.exe or other executables then no need to run the FixNCR.reg.  That's only needed when .exes can't run.
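The two comments above (mbizup's three-step sequence and the explanation of what FixNCR.reg repairs) both hinge on the .exe launch association in the registry. The script below is an added example, not from this thread and not the FixNCR.reg file itself: it reads the values FixNCR.reg restores and reports whether they still match. It assumes a stock Vista/7 layout where HKCR\.exe points at the "exefile" class and that class launches `"%1" %*`; the function name Test-ExeAssociation is mine.

```powershell
# Added check (not from the thread): verify the registry values that FixNCR.reg
# restores, i.e. how Windows decides to launch an .exe. Rogue AV malware rewrites
# these so that executables (mbam.exe, rkill.exe, ...) can't run normally.
# Assumes a stock Vista/7 layout; run from an elevated PowerShell prompt.

$expected = @{
    # Machine-wide association: the .exe extension must map to the "exefile" class.
    'Registry::HKEY_CLASSES_ROOT\.exe'                       = 'exefile'
    # The launch command for that class: run the file itself with its arguments.
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
}

function Test-ExeAssociation {
    $problems = @()
    foreach ($path in $expected.Keys) {
        if (-not (Test-Path -LiteralPath $path)) {
            $problems += "MISSING  $path"
            continue
        }
        # The unnamed default value is exposed as the '(default)' property.
        $actual = (Get-ItemProperty -LiteralPath $path).'(default)'
        if ($actual -ne $expected[$path]) {
            $problems += "CHANGED  $path`n    expected: $($expected[$path])`n    actual:   $actual"
        }
    }
    # Per-user class registrations override HKCR, so a hijack can live only in
    # the current user's hive; a .exe override there is unusual on a clean install.
    $userExe = 'HKCU:\Software\Classes\.exe'
    if (Test-Path -LiteralPath $userExe) {
        $problems += "SUSPECT  $userExe exists; review its (default) and shell\open\command values"
    }
    return $problems
}

$result = Test-ExeAssociation
if ($result.Count -eq 0) {
    Write-Output 'OK: .exe launch path matches the FixNCR.reg defaults.'
} else {
    Write-Output 'Findings:'
    $result | ForEach-Object { Write-Output $_ }
    Write-Output 'Apply FixNCR.reg first, then RKill, then an updated Malwarebytes scan, without rebooting in between.'
}
```

Because the check must be repeated under each Windows account (the per-user hive differs), run it once logged in as each user, as the note about multiple accounts above suggests.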
LVL 25

Author Comment

ID: 35693307
I did a scan with Spyware Doctor. It found a lot of Firefox cookies.
I tried the "Rogue Process" stopper, and all it found was Yahoo Messenger.exe.
I have run a Malwarebytes scan and an MSE scan and they find nothing.

So, what is the conclusion I should make?

Can I manually remove tracking cookies from Firefox?

I used my internet options > delete temp. files and cookies > using my IE 9.0
LVL 25

Author Comment

ID: 35693367
I removed Spyware Doctor. I do not have the money to subscribe.

It did a free scan before it asked for a credit card......

LVL 47

Assisted Solution

rpggamergirl earned 500 total points
ID: 35694955

"I removed Spyware Doctor. I do not have the money to subscribe."

We know Spyware Doctor won't remove anything it finds for free, not even cookies, that's why no one here had suggested it. We only use tools/scanners that are free when cleaning up infected systems.
It might also help you to try and respond to all questions that were being asked here and let us know if you don't want to follow some advice, as some Experts might feel they're being ignored and might unsubscribe from your thread.

As for tracking cookies;
I wouldn't worry about them; they are just text files, they are not executed, don't replicate, they are not viruses. Some users don't like them for privacy concerns, but they are harmless and sometimes good if you're a frequent visitor of some sites, which means they already know you and it's not like visiting that site for the very first time.
If you're worried about tracking cookies just configure your browser to block all cookies.

To delete cookies in Firefox:
Click Tools > Options > Delete cookies
Click on "Privacy" then "Show Cookies" tab.
You can then select the cookies you want to delete and click "Remove Cookie"
or just click the "Remove All Cookies" tab to remove all cookies.
LVL 25

Author Closing Comment

ID: 35712845
