Jump to content

Security Protection Recurs


Elm

Recommended Posts

I managed to get my computer infected with "Security Protection" one of the many Malwares that pretends to be a security program. It prevents me from running any programs or taskmanager in the standard boot mode. It has had no affect on Safe mode which I have used to download Malwarebytes and run malewarebytes. After running a full scan in safe mode and then rebooting into standard I get somewhere between 20 minutes and 8 hours of uninhibited use of my computer then "Security Protection" returns. (The number of infections has varied between ~3-8) I have repeated this process a few times without any appreciable additional progress. Do you have any recommendations about what I should try? Thank you. Here is the log from the most recent Malware scan:

Malwarebytes' Anti-Malware 1.51.1.2000

www.malwarebytes.org

Database version: 7616

Windows 6.1.7601 Service Pack 1 (Safe Mode)

Internet Explorer 8.0.7601.17514

8/31/2011 11:13:06 PM

mbam-log-2011-08-31 (23-13-06).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)

Objects scanned: 574391

Time elapsed: 1 hour(s), 3 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Security Protection (Rogue.SecurityProtection) -> Value: Security Protection -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\programdata\defender.exe (Rogue.SecurityProtection) -> Quarantined and deleted successfully.

c:\Users\Elmiras\AppData\Local\Temp\B7DA.tmp (Malware.Gen) -> Quarantined and deleted successfully.

c:\Windows\scvhost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

I'm afraid I have bad news.

Your logs reveal a backdoor trojan. A backdoor severely compromises system integrity.

A compromised system may allow illicit network connections, disabling of security software, modifying critical system files and collection and transmiission of personal identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or it if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Let me know what you decide.

Link to post
Share on other sites

Hi!

Okay, in that case my inclination is to go ahead and reformat. I just have a few questions and concerns.

When the infection hit I was in the middle of writing a word document application so I (somewhat stupidly) transfered that document via email to another computer which has not had any problems that Malwarebytes can detect. Is the second computer likely to be secure? (The second computer is a netbook running windows 7 starter if that is of any importance.)

I have several word documents and photos on my infected and insecure computer that I would like to keep, are they likely to be clean now? If they aren't would it be possible to clean them and then transfer them via either email or cd/dvd to another computer?

I have not accessed my online banking site for several months, am I correct to assume I still need to change my username, password, etc.?

Finally, how do you recommend I go about reformatting my computer? My computer is a Asus G51J which did not come with a Windows boot disk. When I called tech support and asked how to go about reformatting/reinstalling they told me that I could do that all from a hidden partition of the hard drive. If I reformat from this partition would my installation be secure or still insecure because the partition could have been infected?

Thanks Again!

Link to post
Share on other sites

  • Staff

Hi,

Word documents are very unlikely to be infected. Same for photos. Feel free to backup (sooner rather than later).

Yes change all applicable passwords.

The recovery partition should be a full destructive format of the hard drive, so it should be fine to use without worry of reinfection.

More importantly, you need to be protected to prevent this in the future.

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) It is imperative that you have an antivirus. You are basically asking for infection without one. :lol:

All of the following are excellent free antiviruses. Be sure to only install one.

Microsoft Security Essentials

AntiVir

avast!.

2) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

5) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

6) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

Link to post
Share on other sites

  • 3 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.