cancel
Showing results for 
Search instead for 
Did you mean: 

Firewall Disabled By Infection That Total Security Totally Didn't Stop

Hi,

I just installed the trial version of Total Security and a little over an hour ago it allowed rogue security software to be installed on my computer. I have since removed one program that I know of that was installed to C://ProgramData/defender.exe, but more viruses have popped up and my firewall is disabled.

Viruses

The viruses turned up in my latest scan include trojans one of which was Generic BackDoor!dl for whcih quarantine failed.

Firewall Problems

I keep getting an error that my Firewall is disabled and whenever I click the button to turn it back on it works for a brief second before turning back off.

Activities Leading Up to Attack

A few days ago I uninstalled Norton and replaced it with McAfee. I kept McAfee on default setting for the most part, but in order to use FileZilla I had relax some firewall restrictions.

Earlier today I had been uploading files via FTP using Filezilla to some website that I am building. I had been tinkering with form authentication settings in ASP.Net trying to see why files on my server result in users being timedout long before the specified timeout in my web.config file. I had just uploaded fresh batch of files, logged in to one site, and when I logged out I got hit by a fake antivirus scan. I immediately unplugged my computer from the internet, turned it off, and restarted it before running a virus scan using McAfee Total Security which produced clean results.

Over the past couple weeks I've been getting really annoying redirects from Google searches in every browser I use to spam sites full of PPC ads. Before installing McAfee I cancelled my Norton AntiVirus subscription because of poor service due to their software being unable to remove a trojan called Tojan Tracur. My Norton firewall had blocked the virus trying to access the internet multiple times, but never quarantined or removed it. Every time I ran a virus scan it failed to detect it even when I used their Power Eraser and Bootable Recovery Tools. When my trial expired and they billed me I called their customer service people and demanded a refund on the grounds that they engaged in false advertising by claiming that their software detects and removes viruses.

Previous Infections

A month ago my computer was completely hijacked by a Gumblar variant called Win 7 Home Security 2012. The program took over parts of my Windows Control Panel, started running fake virus scans, and stole my FTP credentials. It used the latter to hack several of my sites before appending vicious scripts to all my Default.aspx pages. I installed Norton AntiVirus, but it failed to detect the rogue software and I had to use Malwarebytes to remove it.

Before that I some mild issues with adware including something called Facemoods and I also was using a Firefox addon called SEO Quake that created a number of ad related annoyances.

Current Situation

I am at a loss what to do. The infected computer is my primary development computer used solely for building new ASP.Net sites using Visual Studio 2010 and FTP is a necessity for fixing anything. I've already used the computer I am typing on now to change my FTP credentials on potentially compromised sites, but after learning how Gumblar works I am afraid that any attempts to upload my work will result in my sites getting hacked. Two of them already got red flagged by McAfee and even though they have been clean for over 2 week they are still listed as attack sites in SiteAdvisor which strangely flagged them even though they never downloaded malware to anyone due to the malicious scripts causing runtime errors on all the pages.

The only thing I can think of doing would be to see if McAfee has a competing bootable recovery tool that actually works. If they don't then I think I will have to reformat my hard drive unless one of McAfee's competitors an antivirus product that actually locates and removed viruses.

TOTAL SECURITY MY ASS!

0 Kudos
26 Replies
exbrit
Level 21

Re: Firewall Disabled By Infection That Total Security Totally Didn't Stop

I'm assuming you mean Total Protection.  McAfee like Norton, Kaspersky etc. blocks millions of infections but none of them, I repeat none, are guaranteed to stop everything out there.  There is no such software.

Surf wisely, be careful what you download, always keep your machine and its software totally up to date and arm yourself with some extra anti-malware tools.

There are a few listed here:  https://community.mcafee.com/docs/DOC-2168

In your case perhaps booting into 'Safe Mode with Networking' and seeing if you can download, update and run (it works in that mode) the free version of THIS software.

You can do that by tapping F8 repeatedly while booting up and it's usually #2 on the ensuing menu.

0 Kudos
Hayton
Level 17

Re: Firewall Disabled By Infection That Total Security Totally Didn't Stop

McAfee has a Stinger utility designed to remove Rogue software such as Win7 Total Protection 2012. For some reason this one is known to McAfee as "FakeAlert-Rena" and has a couple of dozen variants listed in the Stinger database. To download it go to https://community.mcafee.com/message/195573#195573 and follow the instructions.

If what you have is a new variant, or it isn't for some reason removed, the following advice from one of the Microsoft forums might be useful -

Your computer has been infected by a known rogue that invades computers and then attempts to extort payment for removal.  Instructions for removing this malware are located here

If you have difficulty with the removal and/or prefer to have direct assistance, you may wish to pursue cleaning your system by getting assistance at a free online forum  that specializes in resolving such issues.  You will need to register first.

Answer
Your computer has been infected by a known rogue that invades computers and then attempts to extort payment for removal.  Instructions for removing this malware are located here.

If you have difficulty with the removal and/or prefer to have direct assistance, you may wish to pursue cleaning your system by getting assistance at a free online forum  that specializes in resolving such issues.  You will need to register first.
ccccccccccc
0 Kudos
Hayton
Level 17

Re: Firewall Disabled By Infection That Total Security Totally Didn't Stop

For some reason I can't edit the previous post, so .....

I am assuming that something from your earlier infection is still present on your machine. If Stinger turns up nothing, you can run GetSusp (which looks for anything that's not on the recognised-program whitelist). If that turns up nothing, run a full scan with Malwarebytes or SuperAntiSpyware.

0 Kudos

Re: Firewall Disabled By Infection That Total Security Totally Didn't Stop

I tried the McAfee programs GetSusp and Fake Alert Stinger, but they didn't turn up much. Fake Alert Stinger detected nothing and GetSusp flagged programs that were installed on my computer before I bought it.

C:\ProgramFiles(x86)\jmesoft\hotkey.exe

C:\ProgramFilex(x86)\Lenovo\FanSpeedControl\LenovoFSC.exe

I don't know what the first file is, but the second is in a folder containing stuff specific to Lenovo brand computers. I don't feel the need to purchase Malwarebytes at this time because the free trial was already successful at removing Win 7 Home Security 2012 over 3 weeks ago.  My current problem seems to be with something other than that.

I'm currently waiting for the results of a SuperAntiSpyware scan, but I am going to be hopping mad if they detect stuff and demand payment before attempting to remove them. Their format looks a lot like StopZilla who wasn't confident enough with their service to remove detected malware for free at least once, so naturally I was not inclined to pay for a program not guaranteed to work.

0 Kudos

Re: Firewall Disabled By Infection That Total Security Totally Didn't Stop

Well, it looks like running SUPERAntiSpyware in safe mode has frozen my computer. It won't even turn off when I hit the power button, so it looks like the only thing I can do is unplug the power cable and try again.

BTW, thanks for the replies. I was in a really bad mood when I started this thread and can get quite mood when this kind of stuff happens.

0 Kudos

Re: Firewall Disabled By Infection That Total Security Totally Didn't Stop

Also, the more I fight this the more I believe that I may be dealing with a rootkit infection. My theory behind this is the ability of multiple trojans to go undetected for the most part when being scanned by Norton and McAfee combined with its ability to disable features in legitimate security software like the McAfee Total Protection firewall.

I believe that the rootkit is what downloaded the rogue security software programs that stole my website FTP information in the first place. It was so powerful that only Malwarebytes could remove the rogue security software it installed and I wouldn't have even know that anything was still wrong these past couple weeks if it were not for one weakness. The infection when trying to access the web couldn't bypass the Norton firewall, so I knew that something called Trojan Tracur was trying to access the web from my system. I believe this rootkit took advantage in weaknesses in McAfee, FileZilla, or both to download a different rouge security program last night which I was able to remove manually because they put a shortcut icon on my desktop that I used to find program.

0 Kudos
exbrit
Level 21

Re: Firewall Disabled By Infection That Total Security Totally Didn't Stop

By the way last time I tried to run SuperAntispyware in Safe Mode on my machine exactly the same thing happened, it seized solid as a rock and I had to pull the plug despite having a lot of resources, so nothing new there I assure you.

Get MBAM Free as I just posted, update it and then try running it in Safe Mode.  Besides McAfee has problems with the paid version of MBAM which possibly could be part of your problem.  No problems with the FREE version apart from MBAM having to be off the machine if you are reinstalling McAfee, but OK to install afterwards..

.

Message was edited by: Ex_Brit on 05/09/11 6:37:37 EDT PM
0 Kudos

Re: Firewall Disabled By Infection That Total Security Totally Didn't Stop

Here is something strange. When in safe mode my infected computer gets redirected to a different location than my clean one when clicking on the download now buttons for the free version of Malwarebytes at http://www.malwarebytes.org/products/malwarebytes_free. This could be just an issue of Malwarebytes serving different links to different users for bandwidth reasons, but there is something fishy about one of them.

The download redirects for Malwarebytes are as follows:

Infected Computer: http://majorgeeks.com/download.php?det=5756

Clean Computer: http://www.techspot.com/downloads/4716-malwarebytes-anti-malware.html

The funny thing about the MajorGeeks URL is that when visiting its home page on my clean computer I got a warning from McAfee at the top of the page stating that parts of it had been blocked for containing content from potentially dangerous or suspicious sites. I also noticed last night that any attempt to visit the Malwarebytes website on my infected computer resulted in either a redirect to some spam site or the display of a different page on a different site even though http://www.malwarebytes.org was the URL in the browser.

I also realzed when downloading the file from Major Geeks that its name was a duplicate of the file I downloaded 3 or 4 weeks ago to install Malwarebytes the first time, so it looks like I already had the free version and had to remove it when installing McAfee.

Message was edited by: nolimitlist.com on 9/5/11 6:53:07 PM CDT
0 Kudos
exbrit
Level 21

Re: Firewall Disabled By Infection That Total Security Totally Didn't Stop

That redirection is normal.   If you had the free software installed it wouldn't be telling you it's a free trial.  If it wasn't then you are fine.

0 Kudos