
Problem with Scare/Ransom ware...

Status
Not open for further replies.

Albion

IS-IT--Management
Aug 8, 2000
517
US
One of my users somehow got the "AV Security Suite" scare/ransom ware on his desktop. I followed instructions from a few different sites in order to remove it. Both Spybot and MalwareBytes (in safe mode) found the malware and claimed to remove it. I also searched the registry and removed any lingering entries I could find for the malware.

When I reboot, the fake AV software seems to be gone. It no longer appears claiming that my computer is infected. Programs like task manager, msconfig, regedit have all started working again. And IE is no longer proxied to 127.0.0.1 (localhost). For all intents and purposes it looks to be gone.

Then I tried a search. I get "Officescan has detected a Web security policy violation and blocked the URL(s) listed below" "<random characters>.com/<random characters>" from Trend Micro Officescan when I do a search on Google, Bing, or Yahoo. Other search engines like Lycos and Altavista are not affected. The security violation seems to appear whether I do a search from a toolbar (Google toolbar), the IE Search Box, or the search engine's web page.

I've checked add-ons in IE, running processes with Process Explorer from Sysinternals, and have run a Spybot scan again. I've also reset IE to its default settings "Internet Options->Advanced->Default". None of them seem to work. I continue to get the security warning. Could they have modified my IE in order to force IE to another page before the search commences? Should I try to reinstall IE?

Does anyone know how to resolve this issue?

thanks
 
Another tool you can give a shot with is SuperAntiSpyware. I usually look to it as my #2 tool behind Malwarebytes for this sort of thing. It's far better than Spybot for sure. It sometimes finds pieces the others miss.

 
Delete all temporary files, cookies and browsing history. Run a HijackThis scan and see what it finds. Post results here if you're in doubt...

ROGER - G0AOZ.
 
"Delete all temporary files, cookies and browsing history." with CCleaner would be my recommendation.

You have to run it while logged in as EACH USER on the machine as it is user-specific when run - unlike other programs which scan the entire PC (anti-virus software for example).
 
Have you checked to make sure no proxy servers have been selected in the Internet Connection? Just a quick thought.
 
Albion,

Since this thread has been bumped back to life, did you ever try any of the suggestions offered? Or did you correct the issue by some other means? Any updates at all?
 
I apologize... I just ran MalwareBytes one more time in full mode. It found 5 or 6 more things that it didn't find the last time I had run it. After that the messages went away.
 
As a point of interest on this subject, a relative of mine appears to have contracted this thing. I suggested MB, but they are pretty much a novice and weren't able to remove it, so they took the PC to the local service store.

Turns out they had a whole shelf full of PCs that all had this same bug that had been brought in during the last week. It appears that there is a surge in infection coming from somewhere. In this case, the suspect is watching some online videos.
 
Facebook is (or at least was, not sure about now) a nice way to pick them up.

FREE anything sites can be nice places to pick them up.

Sometimes just random sites that even look like local news sites or school sites but are malicious can do that... or perhaps those were just hijacked... also possible.

It pays to have the right stuff installed ahead of time, and to run with reduced privileges for sure! I'm still trying to remember to finish moving my systems accounts for daily usage to "standard" users from admin level. It's a hard practice to adopt if you've been used to admin-level stuff your whole life, PC-wise.
 
Almost any site that has been cracked can deliver this junk. I was looking for clock parts at a reputable manufacturer and nearly got this thing when their site was hi-jacked.



James P. Cottingham
I'm number 1,229!
 
True. And there are still possibilities of picking up such bugs just by being connected at all. I had one machine, fresh install of everything, a couple years ago, I was about to say "totally finished", and unplug it, when one of those ransomware doohickies showed up! I used it for practice in eliminating it, but then went ahead and wiped, reinstalled again just to be sure. I didn't want to configure a new machine, and have it infected right away...

I definitely understand the thought behind some to go to Macs or to Linux to get away from the larger universe of malware threats on Windows machines. Not saying Windows is less secure, just there are so many more out to get them, being the market leader.
 
I've had at least 5 instances of the above problem on my network in the last week. Although users will deny they did anything, I've traced it back to phishing emails. We had a crap load of email come in from UPS, Western Union, and eBay. All the messages had HTML attachments. My guess is that in each of the 5 instances the user clicked on the attachment.

I also had 2 machines in the last week that would cycle reboot with a "DCOM Server Process Launcher Terminated Unexpectedly" error. Funny thing about that one, when I went out to the net to search the error I came across a ton of search results that took me to auto-app installers and redirectors. Like the authors knew people would search Google for a solution, so they created a bunch of dummy domains with more malware to hopefully catch more machines.

The thing that really scares me is the malware that doesn't announce its arrival. How much code is sitting on a machine doing a wonderful job of staying in the shadows just waiting for a signal to go? I have Trend Micro Scanmail (w/ anti Spam), and Officescan, at work, I have AVG on my machine at home, and my wife uses McAfee. Not one of those packages with all their protection, and my diligence at keeping signatures updated caught those UPS and Western Union phishing emails (and they still don't). I had to add .html files to attachment blocking. If it weren't for the malware failing to work with the system properly, I'd probably have never known they were there until disaster struck. If my security software (all with anti-spam mind you) didn't catch the very visible phishing emails, what else aren't they catching?
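
The attachment-blocking rule mentioned in the post above (blocking .html files), sketched as an added example that is not from the thread or from any product named in it. The function names, the extension list, the addresses and the sample messages are all constructed for illustration; it also flags a `text/html` part sent as an attachment under a different file name, which goes beyond a plain extension match.

```python
from __future__ import annotations

from email import message_from_string, policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = (".html", ".htm")  # assumption: extensions covered by the block rule


def html_attachments(raw_message: str) -> list[str]:
    """Return names of attachments that are HTML by file name or by content type."""
    msg = message_from_string(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        filename = part.get_filename() or ""
        is_attachment = part.get_content_disposition() == "attachment"
        by_name = filename.lower().strip().endswith(BLOCKED_EXTENSIONS)
        # An inline HTML body is ordinary mail; an HTML part sent as an
        # attachment is flagged even when its file name hides the type.
        by_type = is_attachment and part.get_content_type() == "text/html"
        if by_name or by_type:
            flagged.append(filename or "(unnamed text/html attachment)")
    return flagged


def build_sample(attachment_name: str | None, subtype: str = "html") -> str:
    """Build a constructed test message with plain and HTML bodies."""
    msg = EmailMessage()
    msg["From"] = "tracking@shipping.example"   # constructed address
    msg["To"] = "user@corp.example"             # constructed address
    msg["Subject"] = "Delivery notice"
    msg.set_content("See the attached form.")
    msg.add_alternative("<p>See the attached form.</p>", subtype="html")
    if attachment_name is not None:
        msg.add_attachment("<html><body>form</body></html>",
                           subtype=subtype, filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    for name, subtype in [("invoice.pdf.HTML", "html"), ("form.dat", "html"),
                          ("notes.txt", "plain"), (None, "html")]:
        print(name, "->", html_attachments(build_sample(name, subtype)))
```
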
 
Albion,

For your home machines, you'd be far better off with the likes of Eset Nod32 (paid), Avira Antivir (Free or Paid), or Microsoft Security Essentials (free).

For the business, you might also want to consider some alternatives. Where I work, we've got Symantec's Corporate System for everything, and it seems to work very well. Far better, I think, than their home stuff. The Symantec email part is BrightMail, or at least that's what the user interface shows. I've no idea of what's behind it. But it works VERY well. We didn't always use it, and we did have some problems in the past. Of course, that's not the only protection, I'm sure. I'm sure some here could recommend some better corporate level stuff.

These are my opinions based on systems I've built, worked on, fixed, owned, etc. McAfee is at the bottom of my list for sure, period, well of those I might would ever consider. Well, they're based on my opinions, and on what I've read of others here, and from legitimate "review" websites, particularly . If you've never looked at it, it's an extremely good reference, whether it's your first, last, or somewhere in the middle, it's at least worth a look.
 
Oh, you might also want to do some further checking into other settings - your router(s) and related, Windows updates and security settings there, whether your users are allowed to run as admin-level all the time, or as user-level access, etc.
 