• Blocking a recurring incoming trojan(?) attack


    #480877

    First of all, my frustration and the following questions all pertain to the following Dell Inspiron 1720 laptop:

    O/S – Vista Home Premium with current updates and SPs.
    Browser – IE9
    AV software/firewall – McAfee Total Protection with current updates.

    For more than a month now, my daughter’s (an adult, not a kid) laptop has gotten something called a “Vista Internet Security 2012” error an average of once a week, sometimes more. If you are unaware, that is “rogue software” that gets in while surfing and scares you into thinking you are under virus attack, and of course they can stop it... for a cost. She knows not to click on anything and always brings it to me, and SO FAR I have had no trouble curing the problem by returning to the previous System Restore point, but it is getting very frustrating having to do this so often and I am wondering if this thing can be blocked either by IE9’s security settings or else McAfee’s firewall, if not both. It just occurred to me that if I am correct and this thing is buried in some webpage somewhere waiting to strike, maybe I can get a URL for it and block it in IE9, but I’ve not tried that yet so I can’t say much more about that than just that.

    If anyone out there has any ideas on how to block this darned thing and end our frustration, he/she will become my hero. 🙂 Is there anyone out there who has any knowledge of this thing, and how to stop it from coming back again? I’ve done some research online on it, but I am in no way “a techie” and reading some of the info confuses me further, but the only thing I do understand is that this thing is going around right now (my wife’s desktop got it too, but it has not returned there YET), but I would sure like to know how to block it if that is possible.

    Any ideas or suggestions out there? I thank you in advance for anything you can offer.

    • #1313447

      I doubt whether your System Restores have been completely removing it. If your daughter knows not to click on anything it seems unlikely that she has been continually re-infected by any web page. I think you should follow one of the many comprehensive removal guides.

      Bruce

      • #1313458

        If you haven’t already, try a full system scan with Malwarebytes free. Also, System Restore may be infected as stated by BruceR. I would clear all restore points and create a new one after running Malwarebytes.

        JB

        • #1313462

          If you haven’t already, try a full system scan with Malwarebytes free. Also, System Restore may be infected as stated by BruceR. I would clear all restore points and create a new one after running Malwarebytes.

          JB

          I will take a look at this; it has got to be worth a try. I have run full scans with McAfee each time, and have used it for years with no doubts about the protection at all, but I guess there is never any guarantee.

      • #1313460

        I doubt whether your System Restores have been completely removing it. If your daughter knows not to click on anything it seems unlikely that she has been continually re-infected by any web page. I think you should follow one of the many comprehensive removal guides.

        Bruce

        I realize there is never any guarantee, but any recommendation for a good one that ought to work? I’ve always been happy with the protection we got from McAfee, and have always run a full scan of all files with that afterwards, but I’m to the point now where I am ready to try anything. 🙁

    • #1313463

      This trusted site is recommended by Microsoft:

      Remove Vista Internet Security 2012 (Uninstall Guide)

      Bruce

    • #1313469

      You could also try the Windows Defender Offline (beta) app.

    • #1313477

      Help is coming in faster than I can digest it all, so kindly let me get some thoughts together and figure out a proper (hopefully) course of action. At first glance right now, it appears that “Malwarebytes” would be a good first step, but I will see what I can do and let you all know the results. Thank you, folks.

    • #1313478

      For future reference: avoid relying on System Restore and start getting into the habit of doing system-level imaging instead.

      System Restore is intended as a quick means of restoring system functionality. It is a band-aid solution at best, and is of no use when it comes to virus or malware infection removal.

      • #1313479

        For future reference: avoid relying on System Restore and start getting into the habit of doing system-level imaging instead.

        System Restore is intended as a quick means of restoring system functionality. It is a band-aid solution at best, and is of no use when it comes to virus or malware infection removal.

        I never realized that. I am not “a techie” as I said in the beginning though, just an old retired fogey trying to learn how to use a computer, so I have no doubt that I am saying and/or doing some things that most of you folks find odd. Thanks for the information.

      • #1314292

        System Restore can also be infected. To make sure it is not, after you get the system cleaned, delete all restore points and create a new system restore point with a given name.
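
        Doing what this post describes from an elevated PowerShell prompt (PowerShell 2.0 or later), as an added example that is not from the thread; the drive letter and the restore point's name are assumptions:

```powershell
# Added example, not from the thread: discard every existing restore point on
# the system drive and create one fresh, named point once the machine is clean.
# Run from an elevated PowerShell prompt. Drive letter and point name are assumed.
$drive = "C:\"
$name  = "Clean baseline after malware removal"

# Turning System Restore off for a drive deletes all of its restore points;
# it must be turned back on before a new point can be created.
Disable-ComputerRestore -Drive $drive
Enable-ComputerRestore  -Drive $drive

# Create the single known-good point and verify it is the only one present.
Checkpoint-Computer -Description $name -RestorePointType "MODIFY_SETTINGS"
$points = @(Get-ComputerRestorePoint)
if ($points.Count -eq 1 -and $points[0].Description -eq $name) {
    Write-Host "OK: the only restore point is '$name' (sequence $($points[0].SequenceNumber))"
} else {
    Write-Warning "Unexpected restore points present:"
    $points | Format-Table SequenceNumber, Description, CreationTime -AutoSize
}
```

        If the check reports more than one point, older points survived the reset and should be reviewed before trusting the drive's restore history.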

    • #1313491

      Whether or not System Restore can help recover from an infection depends on the nature of the infection. Most people who use System Restore only use it to recover from a bad software installation including a faulty driver update.

      Joe

      • #1313516

        While using an Image Backup is by far the more preferred recovery mechanism, System Restore can be used very effectively as part of a recovery from these scareware infections.

        One key thing is to note that the infection is not a single standalone infected file. It is often a suite of executables and infected system files that drop the trojan into your system. I have found from experience that many of these scareware programs rely on the Windows networking components to be activated – though this may evolve over time. Booting into Safe Mode you have the option not to launch any networking system components and most often this prevents the rootkit from being triggered.

        Thus the first port of call is to boot into Safe Mode without networking. From there, run a System Restore to a point where you are certain the infection was not present. Upon completing the System Restore, it is necessary to return to Safe Mode without networking, otherwise the restore will not be complete and the rootkit not removed. Booting into Safe Mode with networking has in the past activated the rootkit for all future sessions in Safe Mode, so it is important to choose correctly when booting into Safe Mode.

        If you have already booted with Safe Mode (with networking), the infection may now be more deeply embedded into your system: I would suggest running Autoruns, search for the infection and prevent it from running on startup – but this requires knowledge of what to look for.

        After successfully running a System Restore from Safe Mode without networking, you should be able to run Malwarebytes and other programs such as TDSSKiller, Autoruns and others to clean up the remains of the infection.

        • #1314288

          Here is your fix. The Trojan file infects under a number of different names and is scattered at random throughout the web, although it predominates on sites you can and should avoid. The odds of getting this just surfing regular sites is low to moderate. More than once in 3 to 6 months, you should be paying close attention to the site preceding the infection and staying away from it!

          First do a Search/Find and download onto a USB storage device the following:
          FixNCR.reg
          Rkill.com
          Malwarebytes

          Bootable Windows Defender
          HijackThis

          The purpose of having them on a USB is that this Trojan can sometimes corrupt files enough that you cannot access or correctly run the ones on your computer. You may get locked out of internet access as well.
          SAVE this USB as your emergency backup and run the files from there when needed. You can run these files from the USB in Normal startup, but they are most effective if run in SAFE MODE. You can do both.

          RUN FixNCR.reg (this will replace the damaged registration point of entry)
          RUN Rkill.com (locates and kills rootkits)
          Run a Malwarebytes full scan and eliminate any malware found.
          (You should be free after your reboot! Though I suggest running it in Safe Mode and running your virus software like AVIRA Freeware as soon as possible, because other things often sneak in with this Trojan.)
          Still have a problem?
          Bootable Windows Defender will locate and destroy almost any rootkit and/or Trojan, but is usually not needed. The above processes should have taken care of your problem.

          If you get out of your depth in a bad infection, then run HijackThis and print out the damaged files list for your tech guy.
          HijackThis (to be used to get information for your tech if all else fails to repair damaged files)
