Total Security SCAMWARE

For everything that's not in any way related to PureBasic. General chat etc...
TerryHough
Enthusiast
Posts: 781
Joined: Fri Apr 25, 2003 6:51 pm
Location: NC, USA
Contact:

Total Security SCAMWARE

Post by TerryHough »

A friend using my notebook succumbed to the SCAMWARE called "Total Security" links that occasionally pop up on some contaminated websites.

It has totally mucked up the XP Home operating system and Internet Explorer. Initially, it would even boot without giving the "total security" warning designed to instill paranoia in the user. Once I got past that, it refuses to allow various antivirus programs to run or install.

Google references indicate several "fixes", but none have gotten me to the point that I can install MalwareBytes or Spybot Search & Destroy, etc.

Anyone else had a similar problem and found a good fix?

Terry
garretthylltun
Enthusiast
Posts: 346
Joined: Wed Oct 26, 2005 2:46 am
Contact:

Re: Total Security SCAMWARE

Post by garretthylltun »

Back up any documents and items you wish to keep, wipe the HD and reinstall XP. That's the most sure way of removing such parasites from your computer.
'What you do not want done to yourself, do not do to others.' - Confucius (550 b.c. to 479 b.c.)
· Necroprogramming FTW! - "Wait.. Is necroprogramming legal?"
· http://www.freewarehome.com/ <-- Freeware listings since 1996
rsts
Addict
Posts: 2736
Joined: Wed Aug 24, 2005 8:39 am
Location: Southwest OH - USA

Re: Total Security SCAMWARE

Post by rsts »

garretthylltun wrote: Back up any documents and items you wish to keep, wipe the HD and reinstall XP. That's the most sure way of removing such parasites from your computer.
My wife got one on hers and after several hours chasing my tail, that's what I did. It's a pretty tough nut to crack, not impossible, but much quicker in the long run to start fresh.

cheers
Last edited by rsts on Fri Sep 18, 2009 10:05 pm, edited 1 time in total.
Rook Zimbabwe
Addict
Posts: 4322
Joined: Tue Jan 02, 2007 8:16 pm
Location: Cypress TX
Contact:

Re: Total Security SCAMWARE

Post by Rook Zimbabwe »

I have booted into safe mode and run MALWAREBYTES well... I have also dragged an installed copy ON to the HDD from a CD ROM and then run it... One of them there trojans shut it down and rebooted the OS though!

Wipe... it is indeed the only way! 8)
Binarily speaking... it takes 10 to Tango!!!

http://www.bluemesapc.com/
Sparkie
PureBatMan Forever
Posts: 2307
Joined: Tue Feb 10, 2004 3:07 am
Location: Ohio, USA

Re: Total Security SCAMWARE

Post by Sparkie »

What goes around comes around.

PB 5.21 LTS (x86) - Windows 8.1
codewalker
Enthusiast
Posts: 331
Joined: Mon Mar 27, 2006 2:08 pm
Location: Spain

so easy

Post by codewalker »

You want to clean up 100 % your computer after this what happened ? Forget about any anti virus or anti whatever because it is already too late. The damage is done and can't be undone 100 %. Just back up your personal files, pictures, documents, emails etc.

First empty the mbr, then repartition your hdd. Use at least 2 partitions, one for windows (about 25Gb should be enough) and one for storing your personal data. You see many people store their stuff inside the folder My Documents. But that's dumb because My Documents is part of the os. If the os goes down, anything inside My Documents is not so easy to access anymore. Better keep it on its own partition. This will also save you the time to back up anything that is inside My Documents and on the C: drive, in case the OS goes down. After you reinstalled the OS you will have immediate access again to anything that resides on the second partition.

So after reinstalling the OS just reinstall the drivers for your vga - lan - wlan - sound - smbus - modem - whatever hardware is inside your computer. Finally install your user programs and you're done, knowing 100 % sure that your pc is clean again :wink:

Oh and if there is a serial ata harddisk inside your computer, the windows xp installation cd might not have the drivers for it. In that case use nlite to add your serial ata hdd drivers to your windows xp installation cd.

All this is a couple of hours work, but then when all is installed and configured and tuned to your wishes, then you make a clone of the C: drive and store it on the second partition. When one day you get hit again by some webshit, all you have to do is to reload your clone back on the C: drive, and this my friend will only take 5 minutes !

Furthermore I recommend not to install the win vista os - as it sucks 3 times : 1. it is more complicated to use 2. it eats a lot of your pc resources 3. it is not compatible with some xp user programs.
I recommend kaspersky anti virus to protect your pc as I have good experience with it compared to the others.
cw
There is a difference between knowing the code and writing the code.
May the code be strong in your projects.
TerryHough
Enthusiast
Posts: 781
Joined: Fri Apr 25, 2003 6:51 pm
Location: NC, USA
Contact:

Re: Total Security SCAMWARE

Post by TerryHough »

Thanks to all who replied!

@Sparkie... yes, been there and it is good advice. However, still could not get MalwareBytes to run (or any other antispyware program). Don't know how this could disable such programs.

I got past the boot problems and had it running pretty well after removing some of the Scamware's debris and reloading Internet Explorer.

But, then while trying to get to the point of being able to run MalwareBytes, something killed the boot again.

Ended up reloading Windows.

This thing is truly malicious!
SFSxOI
Addict
Posts: 2970
Joined: Sat Dec 31, 2005 5:24 pm
Location: Where ya would never look.....

Re: Total Security SCAMWARE

Post by SFSxOI »

TerryHough wrote: Thanks to all who replied!

@Sparkie... yes, been there and it is good advice. However, still could not get MalwareBytes to run (or any other antispyware program). Don't know how this could disable such programs.

I got past the boot problems and had it running pretty well after removing some of the Scamware's debris and reloading Internet Explorer.

But, then while trying to get to the point of being able to run MalwareBytes, something killed the boot again.

Ended up reloading Windows.

This thing is truly malicious!
Yeah, it can get pretty nasty. It's not uncommon for stuff like this to affect the proper operation of anti-virus/anti-spyware software. The only anti-virus that I know of and we have tested (and we test a ton of them) that would not have been overcome by just about anything out there is Avast. There is a difference between infection and infestation. Infection is usually single point source at its beginning and is cured usually by removing the source but it can attack along several vectors, infestation is usually system wide at its beginning and can have multiple vectors as its source. It sounds more like you were infested, simply reloading windows doesn't always get rid of an infestation (rarely does it ever, and if you're that lucky then go visit a casino or enter the lottery now :) ) even though it may seem like it did as there can still be a piece dormant and waiting for the right conditions. A diskpart and reformat would probably be the best in your case and the only way you will ever be sure (at least some). Usually though there is some type of strange behavior in a distributed sense, odd things here and there, before it completely steamrolls the system (like it seems yours did or was trying to do), you didn't notice anything odd or out of place in the days leading up to the obvious?
The advantage of a 64 bit operating system over a 32 bit operating system comes down to only being twice the headache.
garretthylltun
Enthusiast
Posts: 346
Joined: Wed Oct 26, 2005 2:46 am
Contact:

Re: Total Security SCAMWARE

Post by garretthylltun »

I should have also noted partitioning the HD over again too, as that is a must in these types of situations. Sorry about that and very glad others brought it up.
'What you do not want done to yourself, do not do to others.' - Confucius (550 b.c. to 479 b.c.)
· Necroprogramming FTW! - "Wait.. Is necroprogramming legal?"
· http://www.freewarehome.com/ <-- Freeware listings since 1996
idle
Always Here
Posts: 6042
Joined: Fri Sep 21, 2007 5:52 am
Location: New Zealand

Re: Total Security SCAMWARE

Post by idle »

One of my neighbors got this on their XP machine. It's easy enough to find and remove manually, but it also changed a few registry keys and changes how exe files are run. The file itself lurks under local_user\application_data as yji.exe but could be named something else.
I ended up resorting to a Google search after removing the file, since exe files wouldn't run, and found an answer here:

http://www.bleepingcomputer.com/virus-r ... urity-2011

You shouldn't need MalwareBytes to get rid of it; just log in as admin in safe mode, browse to the user's profile and delete the exe, then apply the registry fix.

http://download.bleepingcomputer.com/reg/FixNCR.reg
Windows 11, Manjaro, Raspberry Pi OS
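
An added example, not part of idle's post or of the linked fix: a Python check that reads a registry export and reports when the keys controlling how .exe files are launched differ from the stock Windows values. The stock values (`exefile` and `"%1" %*`) are standard Windows defaults rather than something stated in the thread, the per-user key is included as a generalization, and the export below is constructed, with a placeholder path and a hypothetical ProgID.

```python
import re

# Stock Windows values for launching .exe files (standard defaults, an
# assumption added here; the thread does not list them).
EXPECTED = {".exe": "exefile", r"exefile\shell\open\command": '"%1" %*'}
# Per-user class keys override the machine-wide ones, so check both roots.
ROOTS = ("HKEY_CLASSES_ROOT\\", "HKEY_CURRENT_USER\\Software\\Classes\\")

# Constructed sample export: placeholder path, hypothetical ProgID.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\PLACEHOLDER\\Application Data\\yji.exe\" \"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="hypothetical_progid"
'''

def parse_reg(text):
    """Map each key in a decoded .reg export to its default (@) string value."""
    defaults, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            key = section.group(1)
            defaults.setdefault(key, None)
        elif key and line.startswith('@="') and line.endswith('"'):
            # .reg strings escape backslash and double quote with a backslash.
            defaults[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return defaults

def check_exe_handlers(text):
    """Return (key, found, expected) for each exe-launch key that is off-default."""
    findings = []
    for key, value in parse_reg(text).items():
        for root in ROOTS:
            if key.upper().startswith(root.upper()):
                expected = EXPECTED.get(key[len(root):].lower())
                if expected is not None and value != expected:
                    findings.append((key, value, expected))
    return findings

if __name__ == "__main__":
    for key, found, expected in check_exe_handlers(SAMPLE):
        print(f"{key}\n  found:    {found}\n  expected: {expected}")
```

Exports written by regedit are UTF-16, so decode the file before passing its text to `check_exe_handlers`.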
MachineCode
Addict
Posts: 1482
Joined: Tue Feb 22, 2011 1:16 pm

Re: Total Security SCAMWARE

Post by MachineCode »

Does XP Home have the System Restore feature? If so, restore back to about a week before the scamware was installed. Works great, and is exactly what this situation is intended for. People seem to overlook and/or underestimate it, for some reason. Always give it a go before doing a fresh install; it's so much quicker!
Microsoft Visual Basic only lasted 7 short years: 1991 to 1998.
PureBasic: Born in 1998 and still going strong to this very day!
idle
Always Here
Posts: 6042
Joined: Fri Sep 21, 2007 5:52 am
Location: New Zealand

Re: Total Security SCAMWARE

Post by idle »

I tried that, it didn't fix the registry entries.
Windows 11, Manjaro, Raspberry Pi OS
Rook Zimbabwe
Addict
Posts: 4322
Joined: Tue Jan 02, 2007 8:16 pm
Location: Cypress TX
Contact:

Re: Total Security SCAMWARE

Post by Rook Zimbabwe »

I myself have written about this crap... here is the basic UNIVERSAL fix...

1. Remove the HDD and get a hammer
2. Smash HDD repeatedly until it is a new piece of pop art
3. Buy a new HDD and reinstall all basics
3 1/2. Install SandboxIE and explain that it MUST be used to look at ANYTHING on the internet!
4. If buddy succumbs AGAIN to this crap use hammer to adjust buddy's thinking!

Good luck! :mrgreen:
Binarily speaking... it takes 10 to Tango!!!

http://www.bluemesapc.com/
Rook Zimbabwe
Addict
Posts: 4322
Joined: Tue Jan 02, 2007 8:16 pm
Location: Cypress TX
Contact:

Re: Total Security SCAMWARE

Post by Rook Zimbabwe »

MachineCode wrote: Does XP Home have the System Restore feature? If so, restore back to about a week before the scamware was installed. Works great, and is exactly what this situation is intended for. People seem to overlook and/or underestimate it, for some reason. Always give it a go before doing a fresh install; it's so much quicker!
The new versions append their crap to the backup... not to be trusted!!!
Binarily speaking... it takes 10 to Tango!!!

http://www.bluemesapc.com/
idle
Always Here
Posts: 6042
Joined: Fri Sep 21, 2007 5:52 am
Location: New Zealand

Re: Total Security SCAMWARE

Post by idle »

4. If buddy succumbs AGAIN to this crap use hammer to adjust buddy's thinking!
and drink all their beers while fixing problem!
Windows 11, Manjaro, Raspberry Pi OS