
ughhhhhh


5 replies to this topic

#1 billfaith


Posted 04 March 2011 - 10:32 AM

I have never seen this virus/malware before. A Google search doesn't bring up anything.

Windows XP. Shut down yesterday on its own. After restarting, a message box said there was a disk failure. Once past that, Windows goes into a fake safe mode. A program comes up, called windowssafemode. It does a fake scan and asks you to buy it. I have run across these fakeware programs before but never one like this.

When you tell it to "fix" your computer, it tries to take you to a webpage, hxxps://www.windows-safemode.com


It runs in any profile
It runs in all the safe modes
It disables Task Manager
It never allows you to get to an actual Windows screen

I took the hard drive out, put it into my scanning computer, ran everything imaginable.

Each scanner removed a few things.

Put the hard drive back in the computer, and it seemed fine. Windows came up. I ran TDSSKiller and it found something. I rebooted like instructed and everything seemed great. About 10 minutes later, computer shuts itself down, upon reboot, it says disk is corrupted, voilà, right back to the fake scanner.

I hadn't even plugged my network cable back in yet so I could not have downloaded anything again.

I AM LOST beyond lost!!!!!!

Edited by Orange Blossom, 04 March 2011 - 12:03 PM.
Deactivated link. ~ OB



 


#2 Orange Blossom


Posted 04 March 2011 - 12:03 PM

Hello,

Please follow the instructions in ==>This Guide<==. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Orange Blossom :cherry:

#3 billfaith


Posted 04 March 2011 - 12:18 PM

I can't get into the machine at all!!!!! Even every safe mode comes up with the fake scanner.

#4 Elise


Posted 05 March 2011 - 09:24 AM

Hello, can you boot in safe mode, but instead of clicking your user profile, click on the Administrator account? If you don't use the Welcome screen, but the logon box, type Administrator as username, and leave the password blank. Let me know if the fake scanner comes up that way as well.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#5 TheHaaz


Posted 08 March 2011 - 02:02 AM

This thing frustrated me before I went to work and after I got off I messed with it for a half hour or so. Not sure if this is different with different OS's or not but for me (XP PRO SP3) I found something easy that worked. After booting in any mode, sign in to any account. NOTE: DO NOT CLICK ANYTHING HAVING TO DO WITH THE POPUPS...once you click something it kicks in...if you leave it alone it will just sit there...you may get a few system tray balloons but ignore them.

Once I got the dialog box speaking of boot disk failure I just opened Utility Manager with Windows+U, then clicked the help button on the Utility Manager. When the help index came up I clicked options and internet options. From there I clicked settings under browsing history, then clicked view files. I was then given an explorer menu and subsequently explorer finished booting.

At this point I still had Task Manager disabled by "administrator" so I navigated through the registry to hkey_current_user/software/microsoft/windows/currentVersion/policies/system and deleted the value called DisableTaskMgr...(or set the value to "0"). Once I was able to open Task Manager I closed the processes I found harmful and continued searching for those .exe files on the disk.

I still consider myself a novice at this type of thing, but I guess I managed to get rid of all the crap associated with it. I ran a scan and fix with AdAware free version and I guess that cleaned up a bit more. After a reboot I have had no problems in the last 24 hours or so. (fingers crossed) I hope this helps.

#6 Elise


Posted 08 March 2011 - 08:18 AM

TheHaaz said:
so I navigated through the registry to hkey_current_user/software/microsoft/windows/currentVersion/policies/system and deleted the value called DisableTaskMgr...(or set the value to "0"). Once I was able to open task manager I closed the processes I found harmful and continued searching for those .exe files on the disk.

It is not recommended to manually edit the registry without first making a backup! Likewise, I do not recommend deleting files if you are not absolutely sure what they are.

Furthermore, please make sure to read this topic: Instructions for posting advice in Am I Infected

A good way to back up the registry is ERUNT:

BACKUP THE REGISTRY
---------------------------
Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

regards, Elise


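An added example, not part of any post in this thread: a read-only check for the kind of policy value discussed in posts #5 and #6 (DisableTaskMgr under Policies\System), run against a text export of the registry so that nothing is edited or deleted. It assumes the key was first saved as a .reg file, for instance from a registry backup; the function name and the sample export are constructed for illustration, and the check is generalized to any non-zero DWORD named Disable* under a Policies key.

```python
import re

# Constructed sample in the text format that regedit / "reg export" writes.
# (Real exports are usually UTF-16: open(path, encoding="utf-16").read().)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
DWORD_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def find_disable_policies(reg_text):
    """Return (key, value name, number) for each non-zero DWORD named
    Disable* that sits under a Policies key in a .reg export."""
    findings = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')  # remember which key the next values belong to
            continue
        m = DWORD_RE.match(line)
        if m is None or key is None:
            continue  # header, blank line, or a non-DWORD value
        under_policies = '\\policies\\' in (key.lower() + '\\')
        name, number = m.group('name'), int(m.group('hex'), 16)
        if under_policies and name.lower().startswith('disable') and number:
            findings.append((key, name, number))
    return findings


if __name__ == '__main__':
    for key, name, number in find_disable_policies(SAMPLE_REG):
        print(f'{key}\\{name} = {number}')
```

Because it only reads the exported text, the same file doubles as the backup of that key before any change is made.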