Bogus security alerts led to still-wadded-up PC


3 replies to this topic

#1 Budward

Budward

  • Members
  • 2 posts

Posted 16 January 2011 - 09:35 PM

Any and all help will be warmly appreciated. The infected PC is the work tool of a self-employed CAD professional working hourly. Thanks a bunch...

The computer
Toshiba Tecra A10 running Windows 7.
Windows Firewall
McAfee Internet Security (with real-time scanning regrettably turned off), subscription is current
IE8

The infection
It started as some unexpected and unwanted Internet Explorer redirections. Various destinations, all unsavory. Porn and the like. These were unfortunately ignored for about a day, in the press of urgent current issues. Then it sprang into full bloom. Popped up bogus Windows Security messages. Wanted to run a virus scan (not McAfee) - said no to that. Then it started trying to sell an AV package, the name of which we unfortunately didn't note. At one point, it reported an infection by Banker.Fox, but we haven't been able to find any of the files and registry entries that are listed in web notes on B.F. Powering down and rebooting, it progressed to the following:

Behavior at its worst
When you boot the PC normally, each time that it tries to load one of the many usual processes, a "Windows Security" message pops up and advises that the process is infected, offering to scan, etc. IE won't access the web at all. "Internet Explorer cannot display the webpage". Ctrl-Alt-Del won't start Task Manager.

The PC will boot in safe mode. Even though "safe mode with networking" does connect to the wireless router successfully, IE8 still won't access the Internet. Same message. Task Manager will start.

Scans and so forth
A complete scan by McAfee reported the PC as clean, other than deleting a handful of tracking cookies. I ran HiJack This, DDS, and MER. I'm a total amateur at this, but the last entry in HKCU.../Run looks suspicious to me.

The first cut at a fix
I found a suspicious-looking entry in the registry at:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Key is named tvkgjvcn
C:\Users\Ruthel~1\AppData\Local\Temp\agvybixft\ylkfpwquerb.exe

Search found another instance at:
HKEY_USERS\S-1-5-21-12969441257-2463508767-3586069847-1004\Software\Microsoft\Windows\CurrentVersion\Run
Same data as above


Renamed that exe with AAA at start of name. Rebooted.
Boot proceeded without bogus security alerts.
Task Manager runs, and doesn’t show any obviously bogus processes.
IE8 won’t access the Internet
“Toshiba Service Station” reports that it has stopped working
It accesses the internet to look for updates
Suspect that nothing can access the internet

Hope that's enough to get started.

#2 datastream

datastream

  • Members
  • 21 posts

Posted 16 January 2011 - 09:51 PM

That registry entry and file are definitely bogus. If you go to Start and then Run and go to msconfig, are there any weird startup entries in there? Also, if you pull up Task Manager and go to the Processes tab, in the menu go to View and then Select Columns, check the boxes for Image Path Name and Command Line, then click OK. Also make sure to show processes from all users. If there are any processes in the Image Path Name that are running out of your user folder, then they are probably bad. Hope this helps.

#3 Budward

Budward
  • Topic Starter

  • Members
  • 2 posts

Posted 17 January 2011 - 02:25 PM

Looking at msconfig was a help - pointed out some stuff I'd overlooked. Still needing some help getting internet access restored - nothing works for now, not just IE8 but everything that should access the internet.

#4 datastream

datastream

  • Members
  • 21 posts

Posted 17 January 2011 - 10:47 PM

In IE on the menu, go to Tools --> Internet Options --> Connections --> LAN settings. Check and see if any of the boxes for proxy settings are checked. If they are, uncheck them and try browsing then. Then download Malwarebytes and run that.
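Added example, not part of the thread: a PowerShell triage script that automates the three manual checks datastream suggests in replies #2 and #4 (Run entries launched from a user profile, running processes whose image lives under \Users, and the IE LAN proxy settings). The registry paths are the standard Windows locations; the suspicious-path heuristic is an assumption drawn from the replies, not a rule from the thread.

```powershell
# Added triage script (not from the thread). Mirrors the three manual checks
# suggested above: Run keys launching from a user profile, running processes
# whose image lives under \Users, and the IE/WinINet proxy settings.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Get-SuspiciousRunEntries {
    # HKCU plus every loaded user hive under HKEY_USERS, as the poster searched.
    $keys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
    $keys += Get-ChildItem 'HKU:\' | ForEach-Object {
        Join-Path $_.PSPath 'Software\Microsoft\Windows\CurrentVersion\Run'
    }
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata
            $cmd = [string]$p.Value
            # Extract the executable from a quoted or unquoted command line.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            # Heuristic (assumption) taken from the replies: startup items launched
            # from a user profile, AppData or Temp directory deserve a close look.
            if ($exe -match '\\Users\\|\\AppData\\|\\Temp\\') {
                [pscustomobject]@{
                    Key = $key; Name = $p.Name; Command = $cmd
                    FileExists = Test-Path -LiteralPath $exe
                }
            }
        }
    }
}

function Get-UserFolderProcesses {
    # Same idea applied to live processes (the Image Path Name column check).
    Get-Process | Where-Object { $_.Path -match '\\Users\\' } |
        Select-Object Id, ProcessName, Path
}

function Get-WinInetProxy {
    # The LAN settings dialog writes these values; a proxy the owner never
    # configured would explain why no program reaches the internet even
    # though the wireless link is up.
    $s = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    [pscustomobject]@{
        ProxyEnable   = $s.ProxyEnable
        ProxyServer   = $s.ProxyServer
        AutoConfigURL = $s.AutoConfigURL
    }
}

Get-SuspiciousRunEntries | Format-Table -AutoSize
Get-UserFolderProcesses  | Format-Table -AutoSize
Get-WinInetProxy
```

Run it from an elevated PowerShell session in safe mode with networking, so that every user hive is loaded and processes from all users are visible.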
