Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


URL fake scan then spyware which rkill barely beat

  • Please log in to reply
2 replies to this topic

#1 mikemongo


  • Members
  • 5 posts
  • Gender:Male
  • Local time:02:08 AM

Posted 29 March 2011 - 05:59 PM

A friend got this link in an email from a hijacked account.

It forwards to here:

This leads to a "STOP! You computer is infected"-type message pop-up which you can x out of or press "OK". [see screen grab]

Which then leads to a phony scan with another (flash? couldn't view source) pop-up window. [see screen grab 2]

Now clicking on that window, closing it out or otherwise (because it's not actually a window) downloads an .exe file called freesystemscan.exe.

Running that will (and in her case, did) lead to a full-blown take-over.

Here's where I come in. Usually I would run one malwarebytes in smart mode or one of the rkills. But as it turns out, this time none of them worked. Finally, I copied one to the rkill.exe file to the desktop, changed that files name to explorer.exe and then it ran.

The thing about this particular take-over's template on the fake interface is that it looked new.

It is unusual for the rkill files not to launch either copied to the hd or from a thumbdrive.

Is there someone I submit this link to? If you are into such things—and I am only peripherally as the guy people call when this happens—I was wondering how such a file gets downloaded and then disassembled to see how it knew the rkills.

Is there somewhere I forward the file to for review and decompiling?

Attached Files

Edited by Budapest, 29 March 2011 - 06:12 PM.
Moved from XP ~BP

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 52,070 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:08 AM

Posted 30 March 2011 - 07:28 AM

The screenshots are indicative of any number of Rogue security programs which use bogus warning messages and alerts to indicate that your computer is infected with spyware or has critical errors as a scare tactic to goad you into downloading a malicious security application to fix it. Please read How Malware Spreads - How did I get infected which explains the most common ways malware is contracted and spread.

You can always check suspicious sites using:-- I recommend using several different vendors when performing queries to confirm the results.

If you have experienced the anti-virus pop-ups or a similar scam, please notify the IC3 by filing a complaint at www.IC3.gov.

Internet Crime Complaint Center (IC3) - Filing a Complaint with IC3
Reporting Computer Hacking, Fraud and Other Internet-Related Crime
Reporting Internet Fraud

Other venues for reporting malicious software:
Malwarebytes > Research Center:
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 OldPhil



  • Members
  • 4,389 posts
  • Gender:Male
  • Location:Long Island New York
  • Local time:01:08 AM

Posted 02 April 2011 - 04:46 PM

There is an article floating around that massive attack on servers were hit with this, it is a money making scam.


Honesty & Integrity Above All!

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users