dickster Posted May 7, 2013 (edited)

First off, let me say that I do not have access to this PC at the moment. It is my boss's laptop, and he has it locked in his office. I'll be working on it again tomorrow. But so far it is a tough one.

Any time you start it up it automatically starts a scan. You can stop the scan but it prompts you to activate the product. (Buy it) Try opening most any program and it blocks it saying it is infected with the Blaster virus. Ran Symantec's Blaster removal tool in safe mode and it found nothing. Malwarebytes and Superantispyware found some stuff in safe mode, and removed it. But still the virus remains. His McAfee is out of date. I'll be removing it and installing Avast tomorrow.

I've googled fake Internet Security and tried some of the things I found. Did a system restore to before he "thinks" he got infected, but still no help. Anyone dealt with this nasty before? Suggestions on how to get rid of it? A clean sweep is not an option, as he has his past income tax and other important files on the laptop. Also, I have no way to run it online at work without going through another guy's cell phone.

Any ideas appreciated!!

Edited May 7, 2013 by dickster
Tx Redneck Posted May 8, 2013

Pull the hdd and slave it on a clean pc to scan outside of Win.
Jacee Posted May 8, 2013

dickster, there may be other problems, such as a 'Rootkit', but look at this page ...
http://deletemalware.blogspot.com/2011/01/how-to-remove-w32blasterworm-uninstall.html

If a "no go" using any of these tools, post in our Have I Been Hijacked Forum:
http://forums.pcpitstop.com/index.php?/forum/25-have-i-been-hijacked/
oftentired Posted May 8, 2013

I like the Redneck suggestion to remove the drive and deal with it when it is not the boot drive. However, I'd first boot from it and get to add/remove programs and have a very close look at each entry. I'd especially check for something installed recently.

After looking at add/remove I'd run IE and look at all the categories of crap listed as add-ons. I'd disable and delete the whole lot of them. Anything that is actually needed will eventually come back again after the problem is resolved. If another browser besides IE is used, check IE anyway and of course check the other browser for the same stuff; disable, delete.

Getting back to Redneck's suggestion. After isolating the drive and not using it as a boot drive, I'd clean the thing top to bottom with every reliable cleaner that comes to hand. I'd remove all the restore points, the hibernation file, and the page file; completely eradicate them. Then I'd run every reliable malware and antivirus and trojan software solution that can be found, starting with the stand-alones and then progressing to the ones requiring installation. Eventually you'll see a common report from them that you can narrow your focus on. Could easily be more than one active malware.

Of course the really good, highly trained and experienced and certified I've Been Hijacked peoples can probably take you down the road faster than my ideas, but I'm a loner and I prefer to go it on my own before admitting defeat.
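An added example (not part of any post in this thread) of the "check for something installed recently" step, applied to the drive once it is attached to a clean PC as a non-boot disk: it lists executable-type files modified near the suspected infection date, reading file metadata only. The function names, extension list, date window and sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timedelta

# Assumed list of file types Windows will run or load; adjust as needed.
EXEC_EXTS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".lnk"}

def recent_executables(mount_root, suspected, window_days=7):
    """Return sorted (mtime, path) pairs for executable-type files under
    mount_root modified within window_days either side of `suspected`."""
    lo = suspected - timedelta(days=window_days)
    hi = suspected + timedelta(days=window_days)
    hits = []
    for dirpath, _dirs, filenames in os.walk(mount_root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in EXEC_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                # lstat: read metadata without following links on the drive
                mtime = datetime.fromtimestamp(os.lstat(path).st_mtime)
            except OSError:
                continue  # unreadable entry on the attached drive; skip it
            if lo <= mtime <= hi:
                hits.append((mtime, path))
    return sorted(hits)

def demo():
    """Build a constructed sample tree and return the flagged file names."""
    suspected = datetime(2013, 5, 5)  # constructed date, not from the thread
    samples = {  # constructed paths and timestamps
        "ProgramData/abc123.exe": datetime(2013, 5, 4),
        "Users/boss/AppData/Roaming/helper.dll": datetime(2013, 5, 6),
        "Program Files/Office/winword.exe": datetime(2011, 3, 1),
        "Users/boss/Documents/taxes2012.pdf": datetime(2013, 5, 5),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, when in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w"):
                pass
            os.utime(path, (when.timestamp(), when.timestamp()))
        return [os.path.basename(p) for _, p in recent_executables(root, suspected)]

if __name__ == "__main__":
    for name in demo():
        print(name)
```

File timestamps can be altered, so the output is a list of leads to hand to the scanners, not a verdict.
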
JonTom Posted May 8, 2013

Hi dickster

I'm going to move this thread so we can talk in a little more detail.

Give me a moment....
JonTom Posted May 8, 2013

Hello dickster

Rogue security programs are indeed difficult to remove as Jacee points out.

> saying it is infected with the Blaster virus
> Ran Symantec's Blaster removal tool in safe mode and it found nothing

The Blaster detection is just a red herring created by the malware (which is why the removal tool found nothing), but the machine is definitely infected.

Before we do anything else however, let me thank you for informing us that this is a business machine. I am more than happy to try and help with your/your boss's problem, but given the (potentially) sensitive nature of the data that may be stored on this system I can only assist you on the understanding that it is at your own risk and PCPitStop cannot be held liable if any proprietary (business) information is disclosed during the course of our analysis/fix. Let me also advise you now to back up all of the data on this machine before we do any fixing.

Can you tell me the operating system of the infected machine and the name of the rogue security product (when it opens and starts its "scan" it will most likely have an "interface" which should not be touched, but will hopefully provide the name of the rogue)?

> Also, I have no way to run it online at work without going through another guy's cell phone

That's not good. It would be much better to be able to get "hands on" with this machine. If you are not able to run the machine outside of work I would suggest that your boss register here and I can help him once he has done so. Working remotely through another device is not a good idea.

It would be a massive help if we can get some diagnostic scans from this machine.

Let's try the following from Normal Mode first and if there is no luck, we can try them from Safe Mode:

- Please perform the following scan
  - Please download DDS from here and save it to your desktop.
  - Disable any script blocking protection (How to Disable your Security Programs)
  - Double click on the DDS icon to run the tool (may take up to 3 minutes to run). If you are running Vista/Win 7, right-click on the DDS icon and select "Run as Administrator" to run the tool.
  - When done, DDS.txt will open.
  - After a few moments, attach.txt will open in a second window.
  - Save both reports to your desktop.
  - Please post the contents of the DDS.txt and Attach.txt logs in your next reply.
- aswMBR
  - Download aswMBR.exe to your desktop.
  - Double click the aswMBR.exe to run it.
  - When asked if you want to download Avast's virus definitions please select Yes.
  - Click the "Scan" button to start scan.
  - On completion of the scan click save log, save it to your desktop and post in your next reply.

If the scans are able to complete please post them in your next reply.

If you encounter any problems with the scans please describe exactly what happens when you try to run them.
dickster Posted May 9, 2013

Thanks to all that responded. I am "happy to say that my boss informed me that he resolved the issue" but I doubt it's resolved. It's his laptop and he is happy that he "fixed" it, so he doesn't need my help any more. So I thank you, and will probably resurrect this thread when he comes back to me with his infected laptop wanting my help again.

BTW... The infection was (is) "Internet Security 2013" on a Win7 OS.
JonTom Posted May 9, 2013

No problem.

You know where to find us if you need us.
JonTom Posted May 13, 2013

As this issue appears to be resolved I'll close this one out. Should you need any further assistance, just let me know.