26 Replies. Latest reply on Sep 7, 2011 5:41 AM by Peter M

    Firewall Disabled By Infection That Total Security Totally Didn't Stop

      Hi,


      I just installed the trial version of Total Security and a little over an hour ago it allowed rogue security software to be installed on my computer. I have since removed one program that I know of that was installed to C://ProgramData/defender.exe, but more viruses have popped up and my firewall is disabled.


      Viruses


      The viruses that turned up in my latest scan include trojans, one of which was Generic BackDoor!dl, for which quarantine failed.


      Firewall Problems


      I keep getting an error that my Firewall is disabled and whenever I click the button to turn it back on it works for a brief second before turning back off.


      Activities Leading Up to Attack


      A few days ago I uninstalled Norton and replaced it with McAfee. I kept McAfee on default settings for the most part, but in order to use FileZilla I had to relax some firewall restrictions.


      Earlier today I had been uploading files via FTP using FileZilla to a website that I am building. I had been tinkering with form authentication settings in ASP.Net, trying to see why files on my server result in users being timed out long before the specified timeout in my web.config file. I had just uploaded a fresh batch of files, logged in to one site, and when I logged out I got hit by a fake antivirus scan. I immediately unplugged my computer from the internet, turned it off, and restarted it before running a virus scan using McAfee Total Security, which produced clean results.


      Over the past couple of weeks I've been getting really annoying redirects from Google searches in every browser I use to spam sites full of PPC ads. Before installing McAfee I cancelled my Norton AntiVirus subscription because of poor service due to their software being unable to remove a trojan called Trojan Tracur. My Norton firewall had blocked the virus trying to access the internet multiple times, but never quarantined or removed it. Every time I ran a virus scan it failed to detect it, even when I used their Power Eraser and Bootable Recovery Tools. When my trial expired and they billed me, I called their customer service people and demanded a refund on the grounds that they engaged in false advertising by claiming that their software detects and removes viruses.


      Previous Infections


      A month ago my computer was completely hijacked by a Gumblar variant called Win 7 Home Security 2012. The program took over parts of my Windows Control Panel, started running fake virus scans, and stole my FTP credentials. It used the latter to hack several of my sites before appending vicious scripts to all my Default.aspx pages. I installed Norton AntiVirus, but it failed to detect the rogue software and I had to use Malwarebytes to remove it.


      Before that I had some mild issues with adware, including something called Facemoods, and I also was using a Firefox addon called SEO Quake that created a number of ad-related annoyances.


      Current Situation


      I am at a loss as to what to do. The infected computer is my primary development computer, used solely for building new ASP.Net sites using Visual Studio 2010, and FTP is a necessity for fixing anything. I've already used the computer I am typing on now to change my FTP credentials on potentially compromised sites, but after learning how Gumblar works I am afraid that any attempts to upload my work will result in my sites getting hacked. Two of them already got red-flagged by McAfee, and even though they have been clean for over 2 weeks they are still listed as attack sites in SiteAdvisor, which strangely flagged them even though they never downloaded malware to anyone due to the malicious scripts causing runtime errors on all the pages.


      The only thing I can think of doing would be to see if McAfee has a competing bootable recovery tool that actually works. If they don't, then I think I will have to reformat my hard drive unless one of McAfee's competitors has an antivirus product that actually locates and removes viruses.


      TOTAL SECURITY MY ***!

        • 1. Re: Firewall Disabled By Infection That Total Security Totally Didn't Stop
          Peter M

          I'm assuming you mean Total Protection.  McAfee like Norton, Kaspersky etc. blocks millions of infections but none of them, I repeat none, are guaranteed to stop everything out there.  There is no such software.


          Surf wisely, be careful what you download, always keep your machine and its software totally up to date and arm yourself with some extra anti-malware tools.


          There are a few listed here:  https://community.mcafee.com/docs/DOC-2168


          In your case perhaps booting into 'Safe Mode with Networking' and seeing if you can download, update and run (it works in that mode) the free version of THIS software.


          You can do that by tapping F8 repeatedly while booting up and it's usually #2 on the ensuing menu.

          • 2. Re: Firewall Disabled By Infection That Total Security Totally Didn't Stop
            Hayton

            McAfee has a Stinger utility designed to remove Rogue software such as Win7 Total Protection 2012. For some reason this one is known to McAfee as "FakeAlert-Rena" and has a couple of dozen variants listed in the Stinger database. To download it go to https://community.mcafee.com/message/195573#195573 and follow the instructions.


            If what you have is a new variant, or it isn't for some reason removed, the following advice from one of the Microsoft forums might be useful -

            Your computer has been infected by a known rogue that invades computers and then attempts to extort payment for removal.  Instructions for removing this malware are located here

            If you have difficulty with the removal and/or prefer to have direct assistance, you may wish to pursue cleaning your system by getting assistance at a free online forum  that specializes in resolving such issues.  You will need to register first.

            • 3. Re: Firewall Disabled By Infection That Total Security Totally Didn't Stop
              Hayton

              For some reason I can't edit the previous post, so .....


              I am assuming that something from your earlier infection is still present on your machine. If Stinger turns up nothing, you can run GetSusp (which looks for anything that's not on the recognised-program whitelist). If that turns up nothing, run a full scan with Malwarebytes or SuperAntiSpyware.

              • 4. Re: Firewall Disabled By Infection That Total Security Totally Didn't Stop

                I tried the McAfee programs GetSusp and Fake Alert Stinger, but they didn't turn up much. Fake Alert Stinger detected nothing and GetSusp flagged programs that were installed on my computer before I bought it.


                C:\ProgramFiles(x86)\jmesoft\hotkey.exe

                C:\ProgramFilex(x86)\Lenovo\FanSpeedControl\LenovoFSC.exe


                I don't know what the first file is, but the second is in a folder containing stuff specific to Lenovo brand computers. I don't feel the need to purchase Malwarebytes at this time because the free trial was already successful at removing Win 7 Home Security 2012 over 3 weeks ago.  My current problem seems to be with something other than that.


                I'm currently waiting for the results of a SuperAntiSpyware scan, but I am going to be hopping mad if they detect stuff and demand payment before attempting to remove them. Their format looks a lot like StopZilla who wasn't confident enough with their service to remove detected malware for free at least once, so naturally I was not inclined to pay for a program not guaranteed to work.

                • 5. Re: Firewall Disabled By Infection That Total Security Totally Didn't Stop

                  Well, it looks like running SUPERAntiSpyware in safe mode has frozen my computer. It won't even turn off when I hit the power button, so it looks like the only thing I can do is unplug the power cable and try again.


                  BTW, thanks for the replies. I was in a really bad mood when I started this thread and can get quite moody when this kind of stuff happens.

                  • 6. Re: Firewall Disabled By Infection That Total Security Totally Didn't Stop
                    Hayton

                    I don't recommend programs that you have to pay for. You've already paid once for McAfee protection, so any backup programs I mention are free. In any case you said you already have Malwarebytes, so I didn't bother with a link to the free version, which I normally provide. SuperAntiSpyware is or should be free - I have it and run it occasionally and it's never asked for payment yet. If it ever does then it gets uninstalled pronto.


                    StopZilla I never recommend. It's got too many bad reviews in too many places. If in doubt about a product, go to the pages on SiteAdvisor and WOT for the company making the product and read the user comments.


                    If you ran Malwarebytes 3 weeks ago I would say run another scan now, and make it a Full Scan. I give my machine a weekly check with Malwarebytes just to be on the safe side. SuperAntiSpyware I only run every 8 or 10 weeks, and that's plenty enough. It can though sometimes find things that other malware detectors miss.


                    EDIT - Just saw the post you sent while I was busy typing. I never had SAS freeze up on me - are you sure it wasn't locked up on some really big file? AV programs generally don't like compressed files, zipped files, cabinet files, and - especially - encrypted files.


                    Message was edited by: Hayton on 05/09/11 23:26:32 IST
                    • 7. Re: Firewall Disabled By Infection That Total Security Totally Didn't Stop
                      Peter M

                      SuperAntiSpyware won't run in Safe Mode as far as I know.


                      Hotkey is probably a keyboard application such as OneTouch Hotkey so is most likely harmless.


                      Malwarebytes FREE is all you require from them, forget about trial versions of the paid software.


                      Uninstall the version you have and install the FREE version from here:  http://www.malwarebytes.org/products/malwarebytes_free


                      The only difference basically is that you have to remember to update it every time you run it.


                      Malwarebytes will most definitely run in Safe Mode, and in 'Safe Mode with Networking', which is #2 on that menu, it will even install and/or update if needed.


                      Message was edited by: Ex_Brit on 05/09/11 6:29:01 EDT PM
                      • 8. Re: Firewall Disabled By Infection That Total Security Totally Didn't Stop

                        Also, the more I fight this the more I believe that I may be dealing with a rootkit infection. My theory behind this is the ability of multiple trojans to go undetected for the most part when being scanned by Norton and McAfee combined with its ability to disable features in legitimate security software like the McAfee Total Protection firewall.


                        I believe that the rootkit is what downloaded the rogue security software programs that stole my website FTP information in the first place. It was so powerful that only Malwarebytes could remove the rogue security software it installed, and I wouldn't have even known that anything was still wrong these past couple of weeks if it were not for one weakness. The infection, when trying to access the web, couldn't bypass the Norton firewall, so I knew that something called Trojan Tracur was trying to access the web from my system. I believe this rootkit took advantage of weaknesses in McAfee, FileZilla, or both to download a different rogue security program last night, which I was able to remove manually because they put a shortcut icon on my desktop that I used to find the program.

                        • 9. Re: Firewall Disabled By Infection That Total Security Totally Didn't Stop
                          Peter M

                          By the way last time I tried to run SuperAntispyware in Safe Mode on my machine exactly the same thing happened, it seized solid as a rock and I had to pull the plug despite having a lot of resources, so nothing new there I assure you.


                          Get MBAM Free as I just posted, update it and then try running it in Safe Mode.  Besides, McAfee has problems with the paid version of MBAM, which possibly could be part of your problem.  No problems with the FREE version apart from MBAM having to be off the machine if you are reinstalling McAfee, but OK to install afterwards.


                          Message was edited by: Ex_Brit on 05/09/11 6:37:37 EDT PM