weird virus or just fake messages

kevluck373
Hello,
I have some weird virus issues going on at work, and I do believe these are the weirdest virus issues I’ve dealt w/.

It’s hard to say if this is really a virus. I’ve scanned w/ Malwarebytes & the Norton Corporate version we use and no infections were found. I’ve cleaned out all the temporary files through Windows & CCleaner.

I’ve included some screen shots of the infection screens.

As of now the infection(s) only seem to work w/ Internet Explorer & not Firefox; she’s been using Firefox for a while and I haven’t heard back from her about virus messages.
Another very strange part of this is, as you see in 1 of the screen shots, I get the access denied message when trying to use msconfig under her account in Windows. I log in to Windows as administrator and her account is in the Administrators group. I’ve also done antivirus scans using the administrator account but still none found. If I log in as administrator, remove her account and then recreate her account, the denied messages go away and I can run msconfig, but I don’t see anything suspicious in startup or services.

I’ve been surfing the internet over this infection and found something about this being fake Microsoft Security Essentials warnings, even if you don’t have Microsoft Security Essentials. I’ve installed Microsoft Security Essentials and no infections were found.
I’ve included the web page that talks about 1 of the infections and all the settings you need to remove or change in the registry. I thought I’d ask if anyone has ever dealt w/ this same problem(s) before and knows something to remove the infections with. I’d rather not start editing the registry unless I have to, or re-image the PC, because this lady has a lot of specialized software on it.

I’ve been trying what’s on this website but no luck yet.
http://www.spywarevoid.com/remove-fake-microsoft-security-essentials-alert.html
Anyone have any ideas, saw this before, or had any experience w/ this?
Thanks
Linda.jpg
Linda2.jpg
Linda3.jpg
Hello,

Can you check the proxy settings for IE?  There may be an entry for 127.0.0.1 and try turning that off.  If it comes back, there is the problem.  Please confirm and I will provide more troubleshooting steps.
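An added check for the proxy symptom described above (example code, not from this thread or any of its participants): it reads the WinINET/IE proxy values for every loaded user profile, so a profile-only setting is not missed, and flags a loopback proxy. It assumes an elevated PowerShell prompt; the value names ProxyEnable, ProxyServer and AutoConfigURL are the standard Internet Settings registry values.

```powershell
# Added example, not part of the original thread.
# Report the IE/WinINET proxy configuration of every loaded user hive under
# HKEY_USERS and flag a loopback proxy (127.0.0.1 / localhost), which this kind
# of fake-alert malware sets so that it can intercept the victim's browsing.
# Run from an elevated prompt so that other users' hives are readable; a profile
# whose hive is not loaded (user not logged on) will not appear in the output.
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }   # real user SIDs, skip *_Classes

foreach ($hive in $hives) {
    $key = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    if (-not (Test-Path $key)) { continue }
    $ie = Get-ItemProperty -Path $key

    # Resolve the SID to an account name where possible so the report is readable.
    try {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($hive.PSChildName)
        $user = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $user = $hive.PSChildName }

    $proxyEnabled = [bool]$ie.ProxyEnable          # missing value -> $null -> $false
    $proxyServer  = $ie.ProxyServer
    $pacUrl       = $ie.AutoConfigURL              # a PAC script can redirect traffic too

    # A loopback proxy on a machine with no local proxy software is a red flag.
    $suspicious = $proxyEnabled -and ($proxyServer -match '(127\.0\.0\.1|localhost)')

    [pscustomobject]@{
        User          = $user
        ProxyEnable   = $proxyEnabled
        ProxyServer   = $proxyServer
        AutoConfigURL = $pacUrl
        Suspicious    = $suspicious
    }
}

# To turn the proxy off for the currently logged-on user (the "turning that off"
# step), clear ProxyEnable in the HKCU hive:
#   Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name ProxyEnable -Value 0
```

If the flag comes back after being cleared, something still running in that profile is re-applying it, which is the behaviour the reply above uses to confirm the infection.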
Michael Carrillo, Information Systems Manager
Top Expert 2012

Commented:
This really looks like spyware/malware.  I would first try downloading one of the free anti-spyware programs like Ad-Aware or Spybot. If this doesn't work, I would recommend SuperAntiSpyware, which does cost, but I personally use it and found it to work very well.

Afterwards, run Windows Update to ensure that Windows is fully up to date.
The virus/malware is located in her profile. I have seen similar and only that profile has issues. Look for an odd-named folder, usually in the local application folder. Add OLD to the folder name and see if the problem continues. Uninstall IE or upgrade to a newer version. Log on as her in safe mode and run scans.

Author

Commented:
Hello,

I tried another utility--guess you'd call it a utility--called ComboFix. I really couldn't tell if anything was infected or repaired looking at ComboFix's log.

I didn't see or notice any weird account names by looking on c:\users, but what I have done is uninstall & reinstall IE 8.

I'll ask her near the end of the day tomorrow to see if she's had any more false messages or screens, and if I get a no from her, I suppose I'll consider this fixed.

It'd be great to know what site, email, whatever this infection came from to try & block this so it doesn't happen again.
Michael Carrillo, Information Systems Manager
Top Expert 2012

Commented:
As you have already uninstalled and reinstalled, it is probably a moot point.  Do you know if she recently installed any new toolbars or add-ons to her browser?
kevluck373, can you post the ComboFix log and use TheKiller instead of rkill using these instructions.

I would also like to warn you to never use CCleaner as an infection cleaning tool. These types of malware come in a variety of nasty flavors; one version of this includes moving all your shortcuts to the temporary directory, where a tool like CCleaner or Disk Cleanup kills your chance of getting the links back to normal as they were before, requiring you to reinstall other software and wasting your time and money.

Author

Commented:
I talked to the lady this morning and asked whether any of the infected messages came up Friday, and her reply was no.

Thanks everyone for your help
Excellent! That's what I like to hear.