
Virus that's blocking my cmd, task manager, and many programs!


6 replies to this topic

#1 Matthias Cheah

Matthias Cheah

  • Members
  • 5 posts

Posted 05 November 2010 - 05:48 AM

Hey guys, looks like I'm getting caught by this Spanish virus. My laptop was hit by this virus nearly a month ago; actually this is my second time encountering it, and it got me again thanks to my absent-mindedness. It came from my flash disk. What should I do? I've attempted to access a few anti-malware sites (like www.malwarebytes.org), but once I've entered the site, my browser automatically closes down. Please help me! What should I do? Reformatting is not an option, as it'll infect every single flash disk that I insert in it, and I've got a lot of important stuff on it!

Currently using my old desktop to post here, here's my laptop's specs

Intel Centrino 2 P8700 2.51GHz
Nvidia Geforce 9600M GT 256MB
500GB HDD
Windows 7 Home Premium (genuine)
4GB DDR2 800MHz (around that, not too sure)

Thanks!



#2 Sightless

Sightless

  • Members
  • 435 posts
  • Gender:Male
  • Location:Up in the Clouds

Posted 05 November 2010 - 05:49 PM

Hi, download Malwarebytes on a different computer, but BEFORE saving the file, rename it to abcd.exe. Then save it onto a flash drive or other removable media to transfer it to the infected computer.
Now simply double-click abcd.exe and install Malwarebytes. Once installed, UPDATE the program, and run a quick scan.
Post the log in your next reply.

#3 Matthias Cheah

Matthias Cheah
  • Topic Starter

  • Members
  • 5 posts

Posted 05 November 2010 - 07:46 PM

Thanks for assisting, I'll do that now. Gimme 30 minutes.

#4 Matthias Cheah

Matthias Cheah
  • Topic Starter

  • Members
  • 5 posts

Posted 05 November 2010 - 07:57 PM

I'm back, it didn't work. I've renamed my installer for Malwarebytes to abcdef.exe, transferred it onto my flash disk, and attempted to install it (both safe mode and normal). Once I start the installer in normal mode, the installer closes by itself after selecting the language; as for safe mode, I've managed to install it just in time before the installer closes by itself. What should I do?

#5 Matthias Cheah

Matthias Cheah
  • Topic Starter

  • Members
  • 5 posts

Posted 06 November 2010 - 07:53 AM

Hi again, can anyone assist me here? :thumbsup: Still no use so far... it's stubborn!

#6 Sightless

Sightless

  • Members
  • 435 posts
  • Gender:Male
  • Location:Up in the Clouds

Posted 06 November 2010 - 10:15 AM

You say that it installed in safe mode. Will it allow you to update and run Malwarebytes in safe mode?

Download and Run FlashDisinfector

You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program.
  • Cancel any prompts to download the latest CureIt version and click Start.
  • At the prompt to "Start scan now", click Ok. Allow the setup.exe/driver to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click File and choose Save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
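
Added example, not part of the original post and not Flash_Disinfector's own code: a Python check of whether the autorun.inf at a drive root is the folder described in the note above or a regular file, listing the entries that start a program in the latter case. The function names, the sample content and the placeholder example.exe are assumptions made for illustration.

```python
import os

# Constructed sample of an autorun.inf *file*; example.exe is a placeholder name.
SAMPLE = """[autorun]
open=example.exe
icon=folder.ico
shell\\open\\command=example.exe
"""

# Keys in the [autorun] section that name a program to start.
LAUNCH_KEYS = ("open", "shellexecute")


def launch_entries(text):
    """Return (key, value) pairs in [autorun] that make Windows start a program."""
    found, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or line.startswith(";") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        k = key.lower()
        # shell\<verb>\command entries add a context-menu action that runs a program.
        if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
            found.append((k, value))
    return found


def audit_root(root):
    """Classify the autorun.inf at a drive root: 'folder', 'file' or 'absent'."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        # A folder of this name is what the note above says the tool creates.
        return ("folder", [])
    if os.path.isfile(path):
        with open(path, "r", encoding="latin-1", errors="replace") as fh:
            return ("file", launch_entries(fh.read()))
    return ("absent", [])
```

Call `audit_root` with the root of each partition or removable drive, for example `audit_root("E:\\")`; a result of `"file"` with a non-empty list means the drive carries an autorun.inf that launches something.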


#7 Matthias Cheah

Matthias Cheah
  • Topic Starter

  • Members
  • 5 posts

Posted 07 November 2010 - 08:30 AM

Malwarebytes didn't work in safe mode, only managed to install, so I ran Dr. Web. Here are the results.

winlogon.exe;C:\Windows\system32\config\systemprofile\423405D215E45424;Trojan.Inject.12684;Incurable.Moved.;
winlogon.exe;C:\;Trojan.Inject.12684;Incurable.Moved.;
winlogon.exe;c:\programdata\microsoft\windows\start menu\programs\startup;Trojan.Inject.12684;Incurable.Moved.;
winlogon.exe;c:\users\benq\15e45424;Trojan.Inject.12684;Invalid path to file ;
winlogon.exe;c:\users\benq\appdata\roaming\microsoft\windows\start menu\programs\startup;Trojan.Inject.12684;Incurable.Moved.;
wlo.exe;C:\Documents and Settings\BENQ\BENQ1;Win32.HLLW.Autoruner.34179;Incurable.Moved.;
winlogo0.exe;C:\Documents and Settings\BENQ\DoctorWeb\Quarantine;Trojan.Inject.12684;Incurable.Moved.;
winlogo1.exe;C:\Documents and Settings\BENQ\DoctorWeb\Quarantine;Trojan.Inject.12684;Incurable.Moved.;
winlogo2.exe;C:\Documents and Settings\BENQ\DoctorWeb\Quarantine;Trojan.Inject.12684;Incurable.Moved.;
winlogo3.exe;C:\Documents and Settings\BENQ\DoctorWeb\Quarantine;Trojan.Inject.12684;Incurable.Moved.;
winlogon.exe;C:\Documents and Settings\BENQ\DoctorWeb\Quarantine;Trojan.Inject.12684;Incurable.Moved.;
wlo.exe;C:\Documents and Settings\BENQ\DoctorWeb\Quarantine;Win32.HLLW.Autoruner.34179;Incurable.Moved.;


OH, by the way, Dr. Web didn't get interrupted by the worm or anything, but get this: right after scanning and rebooting, curing and stuff, my browser's back to normal, and it doesn't spam my MSN Messenger contacts and stuff, but I see that my task manager is still disabled, and I'm not sure whether it will infect my flash disks or not. As for the Flash_Disinfector thing, I've tried double-clicking the .exe, but nothing happens after that. I thought it could be ESET NOD32 blocking it, but I added it to the exclusions and it's still the same. Is it important?


Oh my God the express scan took a long time but the complete scan took more than 4 hours! And it wasn't even halfway there! So I'm forced to turn it off halfway (complete scan) managed to complete express though. Did every step you told me to...

and my regedit, msconfig and all the stuff are GONE. What am I supposed to do??

Edited by Matthias Cheah, 07 November 2010 - 08:57 AM.
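
Added example, not part of the original post: a Python triage of a semicolon-separated Dr.Web report like the one posted above, separating detections in live locations from re-detections inside the DoctorWeb\Quarantine folder and flagging rows that were not moved and rows found in a Startup folder. The sample rows are copied from the post; the column names and function names are assumptions.

```python
import csv
from collections import Counter

# Rows copied from the report in the post above.
# Assumed column order: file; folder; threat; action.
REPORT = r"""winlogon.exe;C:\;Trojan.Inject.12684;Incurable.Moved.;
winlogon.exe;c:\programdata\microsoft\windows\start menu\programs\startup;Trojan.Inject.12684;Incurable.Moved.;
winlogon.exe;c:\users\benq\15e45424;Trojan.Inject.12684;Invalid path to file ;
wlo.exe;C:\Documents and Settings\BENQ\BENQ1;Win32.HLLW.Autoruner.34179;Incurable.Moved.;
winlogo0.exe;C:\Documents and Settings\BENQ\DoctorWeb\Quarantine;Trojan.Inject.12684;Incurable.Moved.;
wlo.exe;C:\Documents and Settings\BENQ\DoctorWeb\Quarantine;Win32.HLLW.Autoruner.34179;Incurable.Moved.;
"""


def parse_report(text):
    """Turn report lines into dicts, skipping blank or short lines."""
    rows = []
    for rec in csv.reader(text.splitlines(), delimiter=";"):
        fields = [f.strip() for f in rec]
        if len(fields) < 4 or not fields[0]:
            continue
        name, folder, threat, action = fields[:4]
        rows.append({"file": name, "folder": folder,
                     "threat": threat, "action": action})
    return rows


def triage(rows):
    """Summarise what still needs attention after the scan."""
    # Hits inside the scanner's own quarantine folder are files already moved there.
    live = [r for r in rows
            if not r["folder"].lower().endswith(r"\doctorweb\quarantine")]
    return {
        "threats": Counter(r["threat"] for r in live),
        # Anything not reported as moved was left where it was found.
        "unresolved": [r for r in live if r["action"] != "Incurable.Moved."],
        # Startup folders run their contents at logon, so check them again after reboot.
        "startup": [r for r in live
                    if r["folder"].lower().endswith(r"\programs\startup")],
        "requarantined": len(rows) - len(live),
    }
```

Running `triage(parse_report(REPORT))` on these rows leaves one unresolved entry, the `Invalid path to file` row, which is the location to re-check by hand.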




