Security tool hijacks my computer



#1 Taysons

Posted 14 February 2010 - 12:33 PM

I am using Windows XP, Service Pack 3. My computer was hijacked by Security Tool. All they were doing was running a fake virus log and pushing me to buy their software to clean it up. All I had was a blue screen and the start menu left. All icons were gone. I could not run any .exe file, not even load Word, Excel etc.

Read the blog on Malwarebytes Anti-Malware, it looked like that will work. However, I could not download the software as my USB port to which my wireless was connected was isolated, Mozilla and IE files deleted. While reading different postings on this blog, one of them said that it went away after some time while she continued to say no to the purchase. I realized it was a time-based virus, so I went in and changed my computer date by 10 days plus. It worked, the Security Tool control was gone and I can work on my Word and other docs. Now was time to download and run Malwarebytes to get rid of the Security Tool, I did download it on another computer and ran the tool. It detected about nine items and suggested that they will be deleted at restart. Checked again, Rootkit.agent was not deleted. I was able to bring up my wireless network and download Mozilla. The virus sitting in my computer or maybe another new infection took over without me having any idea. They started sending bulk email from my account to sell Viagra. Had my account suspended for misuse by RR. Got it reinstated with the condition that I will work my tail to get rid of the virus.

Called RR security, they suggested Combofix.exe. They also suggested to change the file name before I run it. Tried to download ComboFix on the infected computer. The file was downloaded but it vanished. Search for ComboFix did not work. Looks like it was not downloaded to the desktop and the file name was also changed by the virus. It may be sitting somewhere in my computer under a different name.

Used another computer to download ComboFix, renamed it to Alpha and ran alpha.exe. Before doing so, I ran the updated version of Malwarebytes Anti-Malware, also isolated the Windows Firewall and closed all open programs. Things went all well as shown in the bleepingcomputer guidelines. When ComboFix tried to create the Windows Recovery Console, my computer was not connected to the internet. The scanning process progressed without the Recovery Console. Went through different stages of scanning and then the blue screen box appeared saying "Creating Log Report", do not run any program until ComboFix has finished.

Usual time should have been 10-20 minutes, waited patiently, left it on for 12 hours as of now. It is a blue screen with the same message. My screen does display the start menu and all my icons on the desktop. What should I do now? Just restart the computer and run ComboFix again or ????. Picture of the screen is attached.


 


#2 petewills


Posted 14 February 2010 - 12:42 PM

When you say you've read the blog, do you mean this guide?

http://www.bleepingcomputer.com/virus-remo...e-security-tool

Probably be best if you re-post in the 'Security Am I Infected/ What do I do?' forum.

#3 Taysons


Posted 15 February 2010 - 12:54 PM

Yes, I did read from the site you referred to. Also from the bleepingcomputer site, when you try to download ComboFix, they give you instructions and how your screen will appear as you run the program.

I was not sure which one is the most appropriate place. Now it has been moved to "Am I infected... " Hope I get some response.
BTW, I ran Malwarebytes Anti-Malware again after that unsuccessful run of ComboFix. The Rootkit.agent file still exists at two different locations. 1. D:\Qoobox|Quarrantine|D|window system 2. D:\system volume information|_restore (4DF1.....

I guess I will continue to read the blog while I wait for some suggestions.

#4 boopme


Posted 15 February 2010 - 03:45 PM

Please DO NOT USE COMBOFIX on your own without supervision!!!
Look at this pinned thread, thank you.
ComboFix usage, Questions, Help? - Look here
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#5 Jan-C


Posted 20 February 2010 - 05:39 PM

I followed all the instructions for removing Security Tool, until I got to deleting the HOSTS file; being fairly cautious, I only renamed the file. I use XP Professional (SP2 or 3) on a Point-Of-Sale, with F-PROT Antivirus for Windows. I don't see any difference between the downloadable HOSTS file and the one on my machine. Does this mean the HOSTS file wasn't affected, even though the malware behaved exactly as you described?

Edited by Jan-C, 20 February 2010 - 05:58 PM.


#6 boopme


Posted 20 February 2010 - 07:41 PM

Try changing the Hosts file like this then...
Download hosts.zip and extract (unzip) to its own folder C:\hosts
(Click here for information on how to do this if not sure.)
You can read more about what we are doing here.

Open up the hosts folder and double-click on the mvps.bat file.
The script will rename your present HOSTS file to HOSTS.MVP and copy the new HOSTS file to the correct location on your system. Here are the MVPS HOSTS File Install Instructions with graphics if you need them.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook
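On the HOSTS comparison discussed in posts #5 and #6, an added example (not part of the thread and not the mvps.bat script): a Python script that parses the HOSTS file in use and a reference copy, then reports names mapped to a non-local address and mappings missing from the reference. The function names are hypothetical and both file contents are constructed samples using documentation addresses.

```python
import ipaddress

# Targets that keep a name on the local machine (blocking entries, localhost).
LOCAL_TARGETS = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample data (documentation names and addresses, not real entries).
REFERENCE = """\
# reference copy, e.g. the freshly extracted HOSTS file
127.0.0.1  localhost
0.0.0.0    ads.example.net
"""
CURRENT = """\
127.0.0.1  localhost
0.0.0.0    ads.example.net   # blocking entry
203.0.113.10  www.example.com update.example.org
"""

def parse_hosts(text):
    """Return {hostname: address} for every mapping in HOSTS-format text."""
    entries = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or incomplete
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                            # first field is not an IP address
        for name in fields[1:]:                 # one line may list several names
            entries[name.lower()] = addr
    return entries

def audit_hosts(current_text, reference_text):
    """Return (redirects, changed): names sent to a non-local address, and
    names whose mapping is absent from or different in the reference copy."""
    current = parse_hosts(current_text)
    reference = parse_hosts(reference_text)
    redirects = {h: a for h, a in current.items() if a not in LOCAL_TARGETS}
    changed = {h: a for h, a in current.items() if reference.get(h) != a}
    return redirects, changed

if __name__ == "__main__":
    redirects, changed = audit_hosts(CURRENT, REFERENCE)
    for host, addr in sorted(redirects.items()):
        print(f"redirect: {host} -> {addr}")
    for host, addr in sorted(changed.items()):
        print(f"not in reference: {host} -> {addr}")
```

On Windows XP the file in use is `%SystemRoot%\system32\drivers\etc\hosts`; read both files as text and pass their contents to `audit_hosts`.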



