Total Security - Beware, it will hijack your computer...

Status
Not open for further replies.

munitalP (Suspended) | Joined: Oct 10, 2006 | Posts: 3,802
As all of us here use computers for work or play, I thought I would share this - my blood has just stopped boiling and I have wasted most of my day fixing my desktop...

After being hijacked by Total Security (your desktop changes and the virus puts your computer into a loop where you can't run any .exe files, and it shuts down any antivirus programs you have running etc.), I have used a combination of a number of methods to fix my problem - it has taken all day.

step 1. START / RUN / Documents and Settings/All users/Application Data
step 2. Open folder 11914534 or look in all folders until you find the total security .exe file.
step 3. rename it to something that stands out from a crowd - I called mine ZZZZzzzzZZZZ
step 4. rename the other 2 files anything you want, put a .txt end on them
step 5. reboot your computer, and press CTRL/ALT/DEL to open Task Manager while it is booting
step 6. as your file ZZZZzzzzZZZZ.exe opens, hit DEL then Enter/Return - this file will reappear a few times.

Your computer will now have rebooted without Total Security running.
Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop

Go to http://www.bleepingcomputer.com/virus-removal/remove-total-security

and follow the instructions from there. This works with the version of Total Security presently infecting the web - you don't need luck, just follow the instructions for success.

Now, I want to track the writers of this software down and seriously hurt them....

Mr!

:evil:
 
Nasty piece of work that one. Spent the best part of last week on-and-off getting rid of it off a PC at work. Would have been easier just to wipe and re-image the thing...
 
Is this the mob who have been advertising on TV? I saw an ad last week while I had the laptop on and decided to have a look at the website to find out more about what it could do for me. Next thing sirens are sounding and bells are ringing (avast anti virus) so I steered away from it. May not be related, but I was not impressed at the time!
 
How did you get infected? I rely (at work) on not opening anything basically - and at home have the same policy, but using a Mac makes this less risky.

I am intrigued (and concerned) how a competent user gets stung!
 
It seems you can gain this software by clicking on errant web ads that say "Your computer is not protected" or to that effect.

I wonder how it installs itself on your system, e.g. ActiveX, via cookies, Shockwave/Adobe, Javascript, etc. FWIW with my using Firefox rarely anything punches through the web unless it is specifically told to install.

But I could be very naive here....
 
Whatever it is, it is fairly nasty. It managed to get its way onto a work PC where the users don't have local admin access... still don't know how!
 
I had a similar issue just recently while I've been travelling through the States. The laptop I'd borrowed from my parents suddenly started redirecting webpages, which rang major alarm bells for me. Soon after, exe files were locked out, and all sorts of crazy warnings were popping up left, right and centre. I checked the running processes and closed down the main program, but it respawned itself very quickly, within 30 sec. I jumped into safe mode and managed to get around the browser hijack using Chrome. I got online and downloaded a few reputable scanning tools, as well as HijackThis. I manually deleted the files (after killing the processes and services) and, using text searches, deleted its registry keys and any files referred to in registry keys. All seemed to be well, and the computer was back to normal.

HOWEVER

7 days later it was back! I couldn't believe it... every trace had been removed, but there it was, once again stopping my exe files from running. Thankfully it only seems to change the exe association once, and doesn't keep scanning it to make sure it's down, so I fixed that. At this point I was EXTREMELY suspicious that there was a hidden backdoor in my computer somewhere. I used a rootkit scanner, and lo and behold, there was a rootkit; 6 files hidden on the hard drive where the Windows API can't see them, silently downloading the program back onto the computer after I'd deleted it. Well, I trashed the rootkit, then got rid of the stupid "security" program again. Finally my system was all good again, but overall I'd spent a good 5 hours attacking it.

I'm still not sure how the program got in, but the fact that it managed to subvert my current protection was disturbing. It sure as hell wasn't browser ads; I suspect it might have been through warez, but I can't confirm that. (Not that you should be downloading warez in the first place ;) ) For anyone else having problems, check for a rootkit when you attack it, or you might just find it coming back again.
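The two posts above describe the same three symptoms: .exe files stop running, the malware lives in a numerically named folder under All Users\Application Data, and the main process respawns within about 30 seconds of being killed. The following read-only PowerShell triage script is an added example (not posted by anyone in this thread) that checks a Windows machine for each of those signs; it assumes Windows PowerShell 3.0 or later run as an administrator, and the 30-second respawn window is taken from the post above, not a fixed property of the malware.

```powershell
# Added example, not from the thread: read-only triage for the symptoms described above.
# Assumes Windows PowerShell 3.0+ run as administrator; it reports and changes nothing.

# 1. The .exe file association. These are the stock Windows values; a rogue AV that
#    "locks out" .exe files typically rewrites one of them so its own binary runs first.
$checks = @(
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\.exe';                       Expected = 'exefile' },
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Expected = '"%1" %*' }
)
foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Key -ErrorAction Stop).'(default)'
    if ($actual -ne $c.Expected) {
        Write-Warning "$($c.Key) = '$actual' (expected '$($c.Expected)')"
    } else {
        Write-Host "[OK] $($c.Key)"
    }
}

# 2. Executables inside a folder whose name is only digits under the shared Application
#    Data directory (the first poster found theirs in folder 11914534). CommonApplicationData
#    resolves to Documents and Settings\All Users\Application Data on XP and to
#    C:\ProgramData on later versions.
$appData = [Environment]::GetFolderPath('CommonApplicationData')
Get-ChildItem -Path $appData -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
    Where-Object { $_.Directory.Name -match '^\d+$' } |
    Select-Object FullName, CreationTime, Length

# 3. A process that reappears after being killed. Sample the process list twice, 30 seconds
#    apart (the respawn interval the second poster observed), and report any image name
#    whose process IDs were all replaced in between; an idle legitimate process keeps its PID.
$before = Get-Process | Group-Object ProcessName -AsHashTable -AsString
Start-Sleep -Seconds 30
$after  = Get-Process | Group-Object ProcessName -AsHashTable -AsString
foreach ($name in $after.Keys) {
    if ($before.ContainsKey($name)) {
        $oldIds = @($before[$name] | ForEach-Object Id)
        $newIds = @($after[$name]  | ForEach-Object Id)
        if (-not ($newIds | Where-Object { $oldIds -contains $_ })) {
            Write-Warning "'$name' restarted with new PID(s): $($newIds -join ', ')"
        }
    }
}
```

Because powershell.exe is itself an .exe, run this after the malware process has been stopped (step 6 in the first post) or from Safe Mode, as the second poster did.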
 
How did you get infected? I rely (at work) on not opening anything basically - and at home have the same policy, but using a Mac makes this less risky.

I am intrigued (and concerned) how a competent user gets stung!

I downloaded an app for creating a JavaScript calendar from a reputable source - at least that's what my virus checker said on the website. Anyway, this must have been hidden in the software somewhere because it got me straight after installing the calendar app...

Looking at reflector's post, the virus/spyware scanner I supplied a link to is recommended by MS, so let's hope it does not come back in a week's time... Oh yeah, it mutates really fast as well: on my first attempt at deleting the files, I renamed them <original file name> + xx_. I missed closing every opening attempt in Task Manager and had to reboot. The virus reopened and in Task Manager you could see the file name had changed - it's a pity these coughs don't put equal effort into designing good software as they do bad...

I still want to hunt them down like rabid dogs....

Mr!

:shock:
 

it's a pity these coughs don't put equal effort into designing good software as they do bad...

[off-topic]

A lot of convicted hackers have moved on to work as computer security consultants either for themselves or high-profile companies.

[/off-topic]


Cold comfort, I know. Plus I don't know many virus, malware or worm writers that have ended up anywhere good.
 
I had a similar issue just recently while I've been travelling through the States. The laptop I'd borrowed from my parents suddenly started redirecting webpages, which rang major alarm bells for me. Soon after, exe files were locked out, and all sorts of crazy warnings were popping up left, right and centre. I checked the running processes and closed down the main program, but it respawned itself very quickly, within 30 sec. I jumped into safe mode and managed to get around the browser hijack using Chrome. I got online and downloaded a few reputable scanning tools, as well as HijackThis. I manually deleted the files (after killing the processes and services) and, using text searches, deleted its registry keys and any files referred to in registry keys. All seemed to be well, and the computer was back to normal.

HOWEVER

7 days later it was back! I couldn't believe it... every trace had been removed, but there it was, once again stopping my exe files from running. Thankfully it only seems to change the exe association once, and doesn't keep scanning it to make sure it's down, so I fixed that. At this point I was EXTREMELY suspicious that there was a hidden backdoor in my computer somewhere. I used a rootkit scanner, and lo and behold, there was a rootkit; 6 files hidden on the hard drive where the Windows API can't see them, silently downloading the program back onto the computer after I'd deleted it. Well, I trashed the rootkit, then got rid of the stupid "security" program again. Finally my system was all good again, but overall I'd spent a good 5 hours attacking it.

I'm still not sure how the program got in, but the fact that it managed to subvert my current protection was disturbing. It sure as hell wasn't browser ads; I suspect it might have been through warez, but I can't confirm that. (Not that you should be downloading warez in the first place ;) ) For anyone else having problems, check for a rootkit when you attack it, or you might just find it coming back again.

Which app did you use to scan/detect the rootkit?
 
There are many anti-rootkit utilities that are standalones, or are released as standalones by security companies (e.g. Symantec, Grisoft, etc.). Sometimes, searching for the symptoms and thus the rootkit is more useful than just looking for any old app that is anti-rootkit, but like all these things YMMV.

In any case, 5 hours to beat some meticulous rootkit isn't that bad - yes, it's time you won't get back, but sometimes repairing the damage from some computer failures - notwithstanding malicious ones like rootkits and viruses - can take more than that and sometimes days.
 
#### UPDATE ####

Bigpond rang me today - someone has access to my email account and is spamming big time. Bigpond asked me to enter webmail and change my password as they could only delete the account and didn't want to do that straight up. :shock:

I tried this but to no avail - my new password would not be accepted and it kept reverting back to the old one, or it wouldn't save, one or the other... :evil:

I had to delete my mail account - I've had that account for years - it so sucks. :evil:

I am guessing I will be able to reinstate the account after a while, but I am very annoyed. :evil:

All web password accounts have now been changed and I am seriously considering FDISKing my computer

TOTAL SECURITY - Beware folks....

Mr!

:evil:
 