Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

'Security Protection' virus + redirect


  • This topic is locked This topic is locked
13 replies to this topic

#1 vile whale

vile whale

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:02 PM

Posted 21 August 2011 - 06:37 PM

Hi guys,

Thanks for reading and helping with my problem. A couple days ago the fake "Security Protection" program virus started showing up on my computer. I went into safe mode and tried to run Malwarebytes and other programs, but they would shut off almost immediately. Finally I (accidentally) deleted my Windows profile, opened a new one, and ran Malwarebytes again, and the log said it had removed said virus. However, it showed up again the next day.

Now, when I go to safe mode, the keyboard won't work at all. Google redirects me to other sites when I search. And only once the "security protection" program has popped up. If I run Malwarebytes, SuperAntiSpyware, etc., they shut down almost immediately. RKill works, but doesn't find any programs to disable. I tried searching manually for the files per a different site's instructions, but didn't see any files matching the ones they listed.

I also downloaded Malwarebytes, etc. as different names to a flash drive, but they still shut down when I run them. This thing seems like one tough cookie, but I hope someone can help me.

Much appreciation for all your good work. Please let me know if there's something else I can try. I've read all the tutorials, etc. and still can't make any progress.

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:02 PM

Posted 21 August 2011 - 07:04 PM

Hello, let's see if you can do this,
This infection changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program. To fix this we must first download a Registry file that will fix these changes. From a clean computer, please download the following file and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.

FixNCR.reg

insert the removable device into the infected computer and open the folder the drive letter associated with it. You should now see the FixNCR.reg file that you had downloaded onto it. Double-click on the FixNCR.reg file to fix the Registry on your infected computer.



Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.5.9.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these[/color] instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.



Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
[color=green]Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Troubleshoot Malwarebytes' Anti-Malware
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 vile whale

vile whale
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:02 PM

Posted 22 August 2011 - 01:40 PM

Thanks, boopme.

I followed your instructions and downloaded FixNCR at the library and brought it home on a flash drive and opened it. It seemed to do its job. However, when I ran TDSS it shut down almost immediately, even after I renamed it with a ".com" extension.

Is there something else I should try?

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:02 PM

Posted 22 August 2011 - 02:11 PM

AVIRA RESCUE CD
Try creating this disk and boot off of it. You will need another computer to make this disk on.
Avira AntiVir Rescue System
Tutorial for Avira Rescue CD
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 vile whale

vile whale
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:02 PM

Posted 22 August 2011 - 03:08 PM

Cool. Do I need to burn a disc or can I save it to a flash drive? I can't burn discs at the library.

Also, does it matter whether I download the .exe or the .iso?

#6 vile whale

vile whale
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:02 PM

Posted 22 August 2011 - 03:12 PM

Also, this file is so large that I do not have enough time to download it at the library (two hour limit!). Can I try to download the file at home see if it will work, or is that no good? Thanks.

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:02 PM

Posted 22 August 2011 - 03:29 PM

Try it at home.
Exe

Edited by boopme, 22 August 2011 - 03:30 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 HateViruses1

HateViruses1

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:02 PM

Posted 22 August 2011 - 04:54 PM

Hi Vile Whale,
I think I have the same virus as you. I have started a thread about it, (http://www.bleepingcomputer.com/forums/topic415406.html) and am starting to get help. Hopefully, you can use it as a reference. If I get it fixed, I'll let you know how it was done.

#9 vile whale

vile whale
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:02 PM

Posted 22 August 2011 - 05:24 PM

AVIRA RESCUE CD
Try creating this disk and boot off of it. You will need another computer to make this disk on.
Avira AntiVir Rescue System
Tutorial for Avira Rescue CD



Tried it at home. Didn't seem to work.
Can I boot this from a flash drive?

Edited by vile whale, 22 August 2011 - 05:30 PM.


#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:02 PM

Posted 22 August 2011 - 07:05 PM

I believe so but to prevent cross infection,Install this tool on your clean computer first.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 vile whale

vile whale
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:02 PM

Posted 22 August 2011 - 09:24 PM

I can't get the program to run from the usb drive or the desktop, even if renamed.

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:02 PM

Posted 22 August 2011 - 10:44 PM

Uggh.. can we do this..
We need a deeper look. Please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9,which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
If Gmer won't run,skip it and move on.
Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 vile whale

vile whale
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:02 PM

Posted 23 August 2011 - 10:26 AM

I was able to run DDS but Gmer shut down after a few minutes. My new topic per your instructions is here: http://www.bleepingcomputer.com/forums/topic415764.html

Edited by vile whale, 23 August 2011 - 11:11 AM.


#14 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,011 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:02 PM

Posted 23 August 2011 - 12:13 PM

Hello,

Now for the hard and frustrating part: waiting.

Now that you have posted a log, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users