  1. #1
    3 Star Lounger Omega3's Avatar
    Join Date
    Jan 2004
    Location
    Los Angeles, California, USA
    Posts
    343
    Thanks
    2
    Thanked 1 Time in 1 Post
    My son has a malware bug in his PC. He gets frequent popups saying there is a virus and to click OK to run an antivirus program. No program name is mentioned. Luckily he didn't click OK.

    He tried to run his own antivirus software (nod32) and it found a virus. But then his PC was rebooted right away probably so the antivirus program would not remove the bug.

    He then tried to install Adaware to get rid of it but when the install started, it immediately rebooted his PC. He went into safe mode to install it but a message popped up wanting a few things like C++ programs which is probably in his PC. But because it is running safe mode the install probably doesn't find them.

    He'll try installing Spybot and Microsoft Malware remover but he might have the same problem as Adaware.

    Will restoring the system to a previous point physically remove the malware file?

    What else can he try to get the malware removers installed and running?
    You know it's time to diet when you push away from the table and the table moves.

  2. #2
    Administrator
    Join Date
    Jun 2010
    Location
    Portugal
    Posts
    12,519
    Thanks
    152
    Thanked 1,398 Times in 1,221 Posts
    He should try booting in safe mode with networking, which will allow him to access the internet and download Malwarebytes Anti-Malware. Maybe that will be enough. If he is stopped from installing something even in safe mode, you may have to download a bootable CD from an antimalware vendor, boot the PC with it and let the software try to get rid of the malware.
    Rui
    -------
    R4

  3. #3
    Administrator
    Join Date
    Mar 2001
    Location
    St Louis, Missouri, USA
    Posts
    23,585
    Thanks
    5
    Thanked 1,059 Times in 928 Posts
    Try the free version of Malwarebytes' Anti-malware. You may need to boot into safe mode to get it installed and run.

    A System Restore would not hurt if there is a restore point to a time when he knows it was working correctly.

    Try a repair disk such as the one discussed at http://bro.ws/780869L

    Joe

  4. #4
    Super Moderator Deadeye81's Avatar
    Join Date
    Dec 2009
    Location
    North Carolina, USA
    Posts
    2,654
    Thanks
    7
    Thanked 113 Times in 97 Posts
    Along with the previous suggestions, if your son has access to another computer, this How To Geek tutorial shows how to create a bootable Kaspersky Rescue Disk that can be updated via the Internet with fresh definitions after booting to it so scans can be conducted while Windows is not running.

    Also SuperAntiSpyware Portable can be downloaded and placed on a USB flash stick. It is routinely available with fresh definitions and a new random file name so malware does not recognize it. With this you must be able to boot into Windows to run the program from your USB flash stick.
    Deadeye81

    "We make a living by what we get, we make a life by what we give." Sir Winston Churchill

  5. #5
    2 Star Lounger
    Join Date
    Dec 2009
    Location
    Calif
    Posts
    182
    Thanks
    0
    Thanked 14 Times in 13 Posts
    Hi Omega:

    Your son's computer is displaying the classic symptoms of what the
    Expert malware-fighting community calls a "Rogue" or "Fake" security
    program. Usually it mentions a "Name", so it is unusual for it not to do
    so; otherwise, a preliminary specific removal plan could be
    recommended. Usually a removal plan starts with something other
    than running Malwarebytes Anti-Malware (either "RKill" or
    "exeHelper", such as the procedure mentioned at
    http://www.bleepingcomputer.com/viru...us-system-2011).
    So IF running "RKill" or "exeHelper" as the starting point does not
    lead to the removal of the "rogue", I recommend you seek help from
    that Expert, certified, Volunteer, malware-fighting community, such as
    the Ones at http://www.geekstogo.com/forum/forums.html.
    For the BEST in what counts in Life :

    http://www.ctftoronto.com

  6. #6
    3 Star Lounger Omega3's Avatar
    Join Date
    Jan 2004
    Location
    Los Angeles, California, USA
    Posts
    343
    Thanks
    2
    Thanked 1 Time in 1 Post
    Reporting back. We didn't try everything mentioned but this is what happened. We ran SuperAntiSpyware in safe mode. It gave the message: Adware.Tracking Cookie 483 found. It quarantined those. That's all it found. Ran Malwarebytes in Safe mode and found nothing.

    Booted to normal mode and the virus popup warnings about a virus started again as well as IE starting by itself to porno sites. Ran Nod32 antivirus and it found nothing.

    Tried to run Malwarebytes and SuperAntiSpyware in normal mode and neither would run. Excel and Word would not run. Task Manager, System Maintenance, Windows Defender, and System Restore do not run. The uninstall programs did run so it isn't every program just most programs.

    Something opens behind any window that is open that we launch a program from but then disappears. I think it may be the virus program intercepting most programs that are trying to launch.

    We'll try a few more things suggested but is there anything else we could try?

    How the bug may have happened…
    He was doing a google on: *Watch V*. V is a tv show that he wanted to see. He clicked on a link and that's when the popups started. I guess V in this case meant Virus.

    He has some programs he downloaded not long ago that I don't recognize but I think they are safe. They are: Steam, Panda Media Booster, AA2Deploy, and PunkBuster Services.
    You know it's time to diet when you push away from the table and the table moves.

  7. #7
    Super Moderator satrow's Avatar
    Join Date
    Dec 2009
    Location
    Cardiff, UK
    Posts
    4,490
    Thanks
    284
    Thanked 577 Times in 480 Posts
    You really MUST follow all instructions given in the antimalware forums.

    I use the Read and run first instructions given at Majorgeeks, read the first page very carefully then follow the link for the Windows version in question. Make notes of all error/warning messages. Then create a new thread in the Malware forum there and attach the required logfiles for expert analysis and further instructions for your problem.

    Following advice given in other threads for similar problems to yours is often not enough.

    Even after all traces of malware have been removed, certain parts of Windows may not function correctly due to damage caused by the earlier infection(s). Have on hand, or be prepared to create, a Windows CD of the same Service Pack level that your Windows version is at. A Repair install may be enough to get the PC back to normal - no guarantees, though. The safest method of cleaning is wiping the drive, renewing the MBR/bootsector and a clean install.

    EDIT: I enjoyed watching V, seems like a long time ago now.

  8. #8
    3 Star Lounger Omega3's Avatar
    Join Date
    Jan 2004
    Location
    Los Angeles, California, USA
    Posts
    343
    Thanks
    2
    Thanked 1 Time in 1 Post
    Originally posted by Andy Rowlands:
    You really MUST follow all instructions given in the antimalware forums.
    The instructions do not mention safe mode. Since we are having problems running programs in normal mode will it still help us if we run them in safe mode when the virus/rootkit is not active?
    You know it's time to diet when you push away from the table and the table moves.

  9. #9
    Administrator
    Join Date
    Jun 2010
    Location
    Portugal
    Posts
    12,519
    Thanks
    152
    Thanked 1,398 Times in 1,221 Posts
    Originally posted by Omega3:
    The instructions do not mention safe mode. Since we are having problems running programs in normal mode will it still help us if we run them in safe mode when the virus/rootkit is not active?
    You can even use safe mode with networking, which will allow you internet access and download any tool you may need. Maybe you will be able to solve it that way. I am not sure all AV and malware tools will run in safe mode, but you can always try.
    Rui
    -------
    R4

  10. #10
    Super Moderator satrow's Avatar
    Join Date
    Dec 2009
    Location
    Cardiff, UK
    Posts
    4,490
    Thanks
    284
    Thanked 577 Times in 480 Posts
    Originally posted by Omega3:
    The instructions do not mention safe mode. Since we are having problems running programs in normal mode will it still help us if we run them in safe mode when the virus/rootkit is not active?
    If you're referring to the MGs link I posted, the following quote is from the section immediately before STEP 1:
    If you cannot boot in Normal Boot mode or can boot but not properly run in normal mode but your PC runs in safe boot mode, you can ignore our note about Normal Startup and just complete as much as you can in safe boot mode. Some programs may not install in safe boot mode.
    Which is why I wrote:
    read the first page very carefully then follow the link for the Windows version in question. Make notes of all error/warning messages.
    I would class being unable to run something in Normal mode as an error and should be noted down and passed on to your malware helper.

    The main reason that some programs will not install in Safe Mode is that the Windows Installer Service is disabled in that mode; this immediately rules out installing *.msi and some other installer packages. Sometimes you can install in Normal Mode but only run the program in Safe Mode.

  11. #11
    3 Star Lounger Omega3's Avatar
    Join Date
    Jan 2004
    Location
    Los Angeles, California, USA
    Posts
    343
    Thanks
    2
    Thanked 1 Time in 1 Post
    Update
    We booted his PC in normal mode to try out some suggestions and his NOD32 antivirus lit up red saying there was a virus in RAM. So before doing anything else we ran another full scan and this time it found two files that it deleted. They are...

    C:\Users\Matt\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N6SNXRQN\na[1] - Win32/Adware.SpywareProtect2009 application - cleaned by deleting

    C:\Users\Matt\AppData\Local\Temp\00154995.exe - a variant of Win32/Kryptik.JLH trojan - cleaned by deleting

    We rebooted and this time found a different problem. The virus popups have gone away so it appears that NOD32 did its job. Seems we're almost back to normal. HOWEVER, Firefox and IE cannot connect to the internet. We think the virus changed a setting and we need to undo it so the browsers work.

    When browsers are launched we get the message - Proxy Server is refusing connection. Now we can ping to the internet say www.yahoo.com and we get a good connection. His Steam application pops up a window from the system tray now and then about someone being online. Seems as though his PC (Windows 7) can receive information but can't use a browser.

    We did download a new version of Firefox from another PC and installed it on his but we have the same problem.

    Any suggestions?

    P.S. He doesn't have a software firewall. He uses the hardware firewall on his router.
    You know it's time to diet when you push away from the table and the table moves.

  12. #12
    3 Star Lounger Omega3's Avatar
    Join Date
    Jan 2004
    Location
    Los Angeles, California, USA
    Posts
    343
    Thanks
    2
    Thanked 1 Time in 1 Post
    Originally posted by Andy Rowlands:
    If you're referring to the MGs link I posted, the following quote is from the section immediately before STEP 1:
    Which is why I wrote:
    I would class being unable to run something in Normal mode as an error and should be noted down and passed on to your malware helper.

    The main reason that some programs will not install in Safe Mode is that the Windows Installer Service is disabled in that mode; this immediately rules out installing *.msi and some other installer packages. Sometimes you can install in Normal Mode but only run the program in Safe Mode.
    Andy, thanks for those details!
    You know it's time to diet when you push away from the table and the table moves.

  13. #13
    3 Star Lounger HeyJude's Avatar
    Join Date
    Dec 2009
    Location
    Ohio, USA
    Posts
    332
    Thanks
    2
    Thanked 2 Times in 2 Posts
    Originally posted by Omega3:
    When browsers are launched we get the message - Proxy Server is refusing connection. Now we can ping to the internet say www.yahoo.com and we get a good connection. His Steam application pops up a window from the system tray now and then about someone being online. Seems as though his PC (Windows 7) can receive information but can't use a browser.

    We did download a new version of Firefox from another PC and installed it on his but we have the same problem.

    Any suggestions?

    P.S. He doesn't have a software firewall. He uses the hardware firewall on his router.
    Go to your Control Panel >Internet Options>Connections and uncheck anything that has to do with proxies or proxy servers and see if that helps.

    In FF go to Tools>Options>Advanced>Network and check the network settings there to see if something got changed.
    Take a sad song and make it better
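
The check described in the post above, as an added PowerShell example that is not part of any poster's reply: it reads the per-user proxy settings that Internet Explorer uses, probes whether anything is listening at the configured proxy, and lists any proxy preferences saved in Firefox profiles. The `-DisableProxy` switch name is hypothetical; the registry key and Firefox `prefs.js` location are the standard per-user defaults and are assumed here.

```powershell
# Added example (not from the thread): audit the proxy settings IE and Firefox read.
param([switch]$DisableProxy)   # hypothetical switch: also turn the IE/WinINET proxy off

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$s   = Get-ItemProperty -Path $key

# What Control Panel > Internet Options > Connections > LAN settings shows.
New-Object PSObject -Property @{
    ProxyEnable   = $s.ProxyEnable      # 1 = "Use a proxy server" is ticked
    ProxyServer   = $s.ProxyServer      # "host:port" or "http=host:port;https=..."
    AutoConfigURL = $s.AutoConfigURL    # automatic configuration script, if any
} | Format-List

# A "proxy server is refusing connections" error means nothing answers there.
# An entry whose listener was removed along with the malware would fail this probe.
if ($s.ProxyEnable -eq 1 -and $s.ProxyServer) {
    foreach ($entry in ($s.ProxyServer -split ';')) {
        $hostPort = ($entry -split '=')[-1]
        $h, $p = $hostPort -split ':'
        if (-not $p) { $p = 80 }        # assumption: no port given means 80
        $tcp = New-Object System.Net.Sockets.TcpClient
        try     { $tcp.Connect($h, [int]$p); "{0}: something is listening" -f $hostPort }
        catch   { "{0}: refused or unreachable" -f $hostPort }
        finally { $tcp.Close() }
    }
}

# Firefox keeps its own settings (Tools > Options > Advanced > Network).
# network.proxy.type: 0 = none, 1 = manual, 2 = PAC URL, 4 = auto-detect, 5 = system.
# A pref left at its default is not written to prefs.js, so no output is normal.
$profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $profiles) {
    Get-ChildItem $profiles -Recurse -Filter prefs.js |
        Select-String -Pattern 'user_pref\("network\.proxy\.(type|http|http_port|autoconfig_url)"' |
        ForEach-Object { "{0}: {1}" -f $_.Path, $_.Line }
}

# Same effect as unticking the boxes by hand. ProxyServer is left in place so the
# address can still be passed on to whoever is helping with the cleanup.
if ($DisableProxy) {
    Set-ItemProperty -Path $key -Name ProxyEnable -Value 0
    Remove-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue
    'WinINET proxy disabled for the current user.'
}
```

Run it as the affected user, since these settings are stored per user; Firefox must be closed before editing its `prefs.js` by hand.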

  14. #14
    Administrator
    Join Date
    Jun 2010
    Location
    Portugal
    Posts
    12,519
    Thanks
    152
    Thanked 1,398 Times in 1,221 Posts
    Should his browsers be configured to use a proxy? What proxy are the browsers configured to use?
    Rui
    -------
    R4

  15. #15
    Super Moderator RetiredGeek's Avatar
    Join Date
    Mar 2004
    Location
    Manning, South Carolina
    Posts
    9,436
    Thanks
    372
    Thanked 1,457 Times in 1,326 Posts
    I'd suggest you try some of the Root Kit finders like Root Kit Revealer.
    May the Forces of good computing be with you!

    RG

    PowerShell & VBA Rule!

    My Systems: Desktop Specs
    Laptop Specs
