
Think I am infected with virus please help


17 replies to this topic

#1 Mar56 (Members, 10 posts)

Posted 08 June 2011 - 08:59 PM

While on the Internet yesterday my virus checker popped up and then quarantined a Win32 Kryptik virus. After closing out Internet Explorer I tried to open up my mahjong game and I was given the message that there were no programs associated with file extension exe. I get the same message for essentially any program that I try to run, including Internet Explorer. Because I couldn't open any exe files I tried to install an update to Windows 7 and it just seemed to compound the issue. I tried to run Glary Utilities from a memory stick and I get the same message when trying to install. I use Windows 7; any help would be appreciated. Thank you in advance. Mar56

Edited by Mar56, 08 June 2011 - 09:40 PM.



#2 Mar56 (Topic Starter, Members, 10 posts)

Posted 09 June 2011 - 06:23 AM

Please let me know if you need more info to be able to help me. I am desperate, as this is my work computer: I am a self-employed accountant and work from my home. I do not have access to an IT department.

Edited by Mar56, 09 June 2011 - 07:26 AM.


#3 quietman7 (Bleepin' Janitor, Global Moderator, 51,927 posts, Virginia, USA)

Posted 09 June 2011 - 07:20 AM

Since you say this a work computer, have you contacted and advised your IT Department? In most work environments, the IT staff implement specific policies and procedures for the use of computer equipment and related resources. In fact, many companies will require you to read those policies and sign a statement of understanding. These official procedures are designed and implemented to provide security and certain restrictions to protect the network. This allows all users to safely use business resources with minimum risk of malware infection, illegal software, and exposure to inappropriate Internet sites or other prohibited activity. We will not assist with attempts to circumvent those policies or security measures.

Our forums are set up to help the home computer user deal with issues and questions relating to personal computers. At most community security sites like this, we do not have the staff or resources to deal with numerous client machines or the complexities of network disinfection. A lot of helpers are not familiar with Servers and many of the tools we use are restricted to non-commercial use by their creators. Further, we are not equipped to involve ourselves in any legal issues that may arise due to loss of business data and loss of revenue as a result of malware infection or the disinfection process which in some instances require reformatting and reinstallation of the operating system.

A business IT staff generally has established procedures in place to deal with issues and infections on client machines on the network. As such, they may not approve of employees seeking help at an online forum or outside the business office as doing so could interfere or cause problems with their removal methods. The malware you are dealing with may have infected the network. If that's the case, the IT Department needs to be advised right away so they can take the appropriate disinfection measures.

If you're reluctant or embarrassed to inform the IT Team, keep in mind that they can easily trace the source of the infection. It is much better to bring this to their attention than to deal with the consequences of violating security policy once the IT Team and your supervisor finds out.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 Mar56 (Topic Starter, Members, 10 posts)

Posted 09 June 2011 - 07:25 AM

I am self-employed. I have no IT department. I put that in my request for help so that someone would see the urgency of it!!!!!!

#5 quietman7 (Bleepin' Janitor, Global Moderator, 51,927 posts, Virginia, USA)

Posted 09 June 2011 - 07:52 AM

I understand and that's not a problem, but I always ask first. You would not believe how many folks try to circumvent their employers' work policies by hiding infections and seeking help elsewhere in order to avoid responsibility. As such, I'm sure you can appreciate I was looking out for the IT folks as well by checking.

Please download FixExe.reg and save it to your Desktop.
  • Double-click on that file to run.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Choose "Yes" when prompted to add it into the registry.
  • Once that is completed you should be able to run other programs.

Please download Malwarebytes' Anti-Malware and save it to your desktop.
  • Double-click on the setup file to install, then follow these instructions for doing a Quick Scan in normal mode.
  • Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.
Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • After completing the scan, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab .
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

-- Some types of malware will target Malwarebytes Anti-Malware and other security tools to keep them from running properly. If that's the case, please refer to the suggestions provided in For those having trouble running Malwarebytes Anti-Malware as you may need to rename it or use RKill by Grinler.
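An added check for the symptom Mar56 describes ("no program associated with file extension exe"). This is not from the thread and is not the FixExe.reg file; it reads back the registry keys that such a fix restores and compares them with the stock Windows values ("exefile" for the .exe extension and "%1" %* for the open command), which is what a helper would want to confirm after the fix has been applied. It assumes an already-open, elevated PowerShell prompt on Windows 7 or later, and it writes nothing. The function names are mine.

```powershell
# Added example, not part of the thread or of FixExe.reg: read-only check of
# the registry keys behind the ".exe has no associated program" symptom.
# Run from an elevated PowerShell prompt; nothing is written.

$exeOpenDefault = '"%1" %*'   # stock value: run the file itself with its arguments

# (Default) values to compare. HKCU\Software\Classes overrides HKCR for the
# logged-on user, so a hijacker only needs write access to the user's own hive;
# those two keys are normally absent on a clean machine.
$checks = @(
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\.exe';                                        Expect = 'exefile' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command';                  Expect = $exeOpenDefault },
    @{ Path = 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe';                       Expect = $null },
    @{ Path = 'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'; Expect = $null }
)

function Get-RegistryDefault {
    # Returns the key's (Default) value, or $null if the key or the value is missing.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'(default)'
}

function Test-ExeAssociation {
    foreach ($c in $checks) {
        $actual = Get-RegistryDefault -Path $c.Path
        $status = if ($null -eq $c.Expect) {
            if ($null -eq $actual) { 'OK (absent)' } else { 'SUSPECT: per-user override present' }
        } elseif ($null -eq $actual) {
            'MISSING'
        } elseif ($actual -eq $c.Expect) {
            'OK'
        } else {
            # The Malwarebytes' log posted later in this thread shows the typical shape:
            # a wrapper such as "<AppData path>\x.exe" -a "<real program>" placed in front
            # of the real command, so anything other than the stock value is worth reading.
            'SUSPECT: differs from default'
        }
        [pscustomobject]@{ Key = $c.Path; Expected = $c.Expect; Actual = $actual; Status = $status }
    }
}

Test-ExeAssociation | Format-Table -AutoSize -Wrap
```

While the association is broken, double-clicking a PowerShell shortcut may fail for the same reason as every other .exe, so run this from a prompt that is already open, or after FixExe.reg has been applied, to confirm the repair took.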

#6 Mar56 (Topic Starter, Members, 10 posts)

Posted 09 June 2011 - 08:35 AM

I have a couple of questions before I do this. I have no Internet access on my laptop that has the problem, and it won't allow me to execute any programs. If I use my daughter's laptop and a USB stick and then insert that into my laptop, will the USB stick become infected? It's the only one I have at this time. And thank you for helping!

#7 quietman7 (Bleepin' Janitor, Global Moderator, 51,927 posts, Virginia, USA)

Posted 09 June 2011 - 09:44 AM

External storage media and flash (usb, pen, thumb, jump) drives are prone to infections as one in every eight malware attacks occurs via a USB device so you need to take prevention measures to protect them:
USB Protection Tools:
Some USB flash drives have a "write protect" read-only switch integrated on the side or on the back for preventing the content from being erased or overwritten. If you're not familiar with this feature, see Looking for a USB Flash Drive with Read Only or Write Protect Switch. However, even with such a device you still need to be careful when using public computers, as explained here.

If your USB drive does not have such a read-only switch, there are alternatives and third-party utilities which can provide this type of protection.

IMPORTANT NOTE: DSi USB Write-Blocker advises USB devices you wish to write-block must be disconnected from the computer before the write block is enabled.

Always scan USB flash drives after they have been used with other computers and never connect them to an untrusted computer or one without an anti-virus. In fact, you can install USBVirusScan, a freeware tool by Didier Stevens that triggers your antivirus to scan a USB drive each time it is inserted in your computer.

Tip: As an extra precaution, hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
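As an added example (not part of the thread), here is a read-only check of the two points the post above makes about removable media: whether AutoRun is switched off by policy for removable drives, and whether any attached removable drive carries an autorun.inf and what it would launch. It assumes Windows PowerShell on Windows 7 through 5.1 (Get-WmiObject is not in PowerShell 7); function names are mine.

```powershell
# Added example, not part of the thread: inspect AutoRun policy and any
# autorun.inf on attached removable drives. Nothing is modified.

function Get-AutorunPolicy {
    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is OFF:
    # 0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD/DVD; 0xFF turns it off everywhere.
    # Windows 7 itself ignores autorun.inf on USB drives; the value still matters on XP/Vista.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $value = $null
        if (Test-Path -LiteralPath $key) {
            $value = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }
        $display = if ($null -ne $value) { '0x{0:X2}' -f $value } else { '(not set)' }
        [pscustomobject]@{
            Hive              = $hive
            NoDriveTypeAutoRun = $display
            RemovableDisabled = ($null -ne $value) -and (($value -band 0x04) -ne 0)
            AllDisabled       = ($null -ne $value) -and (($value -band 0xFF) -eq 0xFF)
        }
    }
}

function Find-AutorunInf {
    # Win32_LogicalDisk DriveType 2 = removable disk; one record per attached drive.
    foreach ($disk in Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2') {
        $inf = Join-Path -Path ($disk.DeviceID + '\') -ChildPath 'autorun.inf'
        $present = Test-Path -LiteralPath $inf
        $launches = @()
        if ($present) {
            # Only the launch-related keys matter for triage: open=, shellexecute=, shell\<verb>\command=
            $launches = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' }
        }
        [pscustomobject]@{
            Drive         = $disk.DeviceID
            Label         = $disk.VolumeName
            AutorunInf    = $present
            LaunchEntries = ($launches -join ' | ')
        }
    }
}

Get-AutorunPolicy | Format-Table -AutoSize
Find-AutorunInf   | Format-Table -AutoSize -Wrap
```

Run it on the clean machine before and after the stick has been in the infected one; a new autorun.inf, or one whose launch entries point at an unfamiliar executable on the stick, is the thing to look for, and the Shift-key tip above keeps it from being acted on while you look.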

#8 Mar56 (Topic Starter, Members, 10 posts)

Posted 09 June 2011 - 12:23 PM

As requested, here is my initial log from Malwarebytes' Anti-Malware:

**********

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6705

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

09/06/2011 11:06:02 AM
mbam-log-2011-06-09 (11-06-02).txt

Scan type: Quick scan
Objects scanned: 167755
Time elapsed: 5 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Marion\AppData\Local\nny.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

*****************************

The program quarantined the above item shown under Registry Data Items Infected and gave me an option to delete it, so I did.

Here is the second scan after I deleted it:

********************
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6819

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

09/06/2011 12:29:18 PM
mbam-log-2011-06-09 (12-29-18).txt

Scan type: Quick scan
Objects scanned: 170280
Time elapsed: 13 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


*******************
The anti-malware program successfully updated its virus definitions when I first used it, via my wireless internet connection, but I can't access the internet with Internet Explorer nor with my tax program's internet access program.
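An added example, not part of the thread: a small parser for the Malwarebytes' Anti-Malware log format shown in the post above. It pulls out the summary counts and the registry "Bad: (...) Good: (...)" detections, then flags a "Bad" command whose launched program lives in a user-writable location, which is what makes the StartMenuInternet entry above worth attention (the real browser is replaced by a wrapper under AppData\Local). $sampleLog is a constructed excerpt that reuses the detection line from the first log in the post; the function names are mine.

```powershell
# Added example, not part of the thread: parse MBAM-style log text and flag
# registry detections whose replacement program sits in a user-writable folder.

# Constructed excerpt: the detection line is copied from the first log in the post.
$sampleLog = @'
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Marion\AppData\Local\nny.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
'@

# Folders an ordinary user can write to; a program launched from one of these in
# place of a system binary deserves a look. (Regex fragments; \\ is one backslash.)
$userWritable = '\\AppData\\', '\\Temp\\', '\\ProgramData\\', '\\Users\\Public\\'

function Get-MbamSummary {
    # Returns a hashtable of the "<category> Infected: <n>" counter lines.
    param([string]$LogText)
    $counts = @{}
    foreach ($line in ($LogText -split '\r?\n')) {
        if ($line -match '^(?<category>.+ Infected): (?<n>\d+)$') {
            $counts[$Matches['category']] = [int]$Matches['n']
        }
    }
    $counts
}

function Get-MbamRegistryDetections {
    # Returns one object per "<key> (<detection>) -> Bad: (...) Good: (...) -> <action>" line.
    param([string]$LogText)
    $pattern = '^(?<key>HK\S+) \((?<name>[^)]+)\) -> Bad: \((?<bad>.*?)\) Good: \((?<good>.*?)\) -> (?<action>.*)$'
    foreach ($line in ($LogText -split '\r?\n')) {
        if ($line -match $pattern) {
            # Copy the groups out first: every later -match overwrites $Matches.
            $key = $Matches['key']; $name = $Matches['name']; $bad = $Matches['bad']
            $good = $Matches['good']; $action = $Matches['action']
            # The first quoted token of the "Bad" command is the program actually launched.
            $exe = if ($bad -match '^"(?<exe>[^"]+)"') { $Matches['exe'] } else { ($bad -split ' ')[0] }
            $suspicious = $false
            foreach ($dir in $userWritable) { if ($exe -match $dir) { $suspicious = $true } }
            [pscustomobject]@{
                Key                  = $key
                Detection            = $name
                Launched             = $exe
                Restored             = $good
                Action               = $action
                UserWritableLocation = $suspicious
            }
        }
    }
}

$summary = Get-MbamSummary -LogText $sampleLog
"Registry data items infected: $($summary['Registry Data Items Infected'])"
Get-MbamRegistryDetections -LogText $sampleLog | Format-List
```

To run it over a real log, replace $sampleLog with `Get-Content -Raw 'mbam-log-2011-06-09 (11-06-02).txt'` (the -Raw switch needs PowerShell 3.0 or later). For the line above, Launched comes out as C:\Users\Marion\AppData\Local\nny.exe and UserWritableLocation as True; the second log in the post, which has no detection lines, yields a count of 0 and no records.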

#9 quietman7 (Bleepin' Janitor, Global Moderator, 51,927 posts, Virginia, USA)

Posted 09 June 2011 - 12:28 PM

Have you tried using an alternate browser like Firefox to see if the same problem occurs?

#10 quietman7 (Bleepin' Janitor, Global Moderator, 51,927 posts, Virginia, USA)

Posted 09 June 2011 - 12:36 PM

There are various ways a malware infection can cause browser issues, loss of connectivity and redirects, so try these steps:

Step 1: Some infections will alter the Proxy settings in Internet Explorer, which can affect your ability to browse, update or download tools required for disinfection. Check/Reset Proxy Server Settings. To do that, please refer to Steps 4-7 under the section Automated Removal Instructions for System Tool using Malwarebytes' Anti-Malware in this guide.

Alternatively, you can press the WINKEY + R keys on your keyboard or click Start > Run..., and in the Open dialog box, type: inetcpl.cpl
Click OK or press Enter. Click the Connections tab and continue following the instructions in the above guide.

If using Firefox, refer to these instructions to check and configure Proxy Settings under the Connection Settings Dialog.


Step 2: Reset Internet Explorer or use Microsoft's Fix it to automatically reset registry keys and the browser back to the way it was when initially installed. If you check the Delete personal settings checkbox in Advanced settings, it will reset the home page(s), search providers and Accelerators to their default values. It will also delete temporary Internet files, history, cookies, web form information (passwords) and InPrivate Filtering data.

-- Note: Microsoft Fix it does not work in Windows 7. Instead, you can use the Internet Explorer troubleshooters to achieve this automatically. Then clear your browser history.

If using Firefox, refer to these instructions to reset all user preferences, toolbars and search engine to their default settings using Firefox Safe Mode.


Step 3: Reset the IP address:
  • Go to Start > Run... and in the Open box, type: cmd
  • Click OK or press Enter. A DOS window will appear.
  • At the command prompt C:\>_, type: ipconfig /release
  • Press Enter.
  • When the prompt comes back, type: ipconfig /renew
  • Press Enter.
  • Close the command box and see if that fixes the connection. No reboot needed.
-- XP users can refer to XP ipconfig Tutorial: Step 4
-- Vista users can refer to Vista ipconfig Tutorial: Step 4

Flush the DNS resolver cache:
  • Go to Start > Run... and in the Open box, type: cmd
  • Click OK or press Enter. A DOS window will appear.
  • At the command prompt C:\>_, type: ipconfig /flushdns
  • Press Enter.
  • You will get a confirmation that the flush was successful.
  • Close the command box.

Step 4: Check/reset your network settings and configure TCP/IP to use DNS.
  • Go to Start > Control Panel, and choose Network Connections.
  • Right-click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and choose Properties.
  • Double-click on Internet Protocol (TCP/IP) or highlight it and select Properties.
  • Under the General tab, write down any settings in case you should need to change them back.
  • Select the button that says "Obtain an IP address automatically" or make sure the DNS server IP address is the same as provided by your ISP.
  • Select the button that says "Obtain DNS servers automatically".
  • If unknown Preferred or Alternate DNS servers are listed, uncheck the box that says "Use the following DNS server address".
  • Click OK twice to get out of the properties screen and restart your computer. If not prompted to reboot, go ahead and reboot manually.
-- Vista users can refer to How to Change TCP/IP settings.
-- Windows 7 users can refer to How to Change TCP/IP settings.

CAUTION: It's possible that your ISP (Internet Service Provider) requires specific DNS settings here. Make sure you know if you need these settings or not BEFORE you make any changes, or you may lose your Internet connection. If you're sure you do not need a specific DNS address, then you may proceed.


Step 5: If using a router, disconnect from the Internet and reset your router with a strong logon/password. Many users seldom change the default username/password on the router and are prone to some types of infection. If you're not sure how to do this, refer to the owner's manual for your particular router model. If you do not have a manual, look for one on the vendor's web site, which you can download and keep for future reference.

Consult these links to find out the default username and password for your router and write down that information so it is available when doing the reset. These are generic instructions for how to reset a router:
  • Unplug or turn off your DSL/cable modem.
  • Locate the router's reset button.
  • Press, and hold, the Reset button down for 30 seconds.
  • Wait for the Power, WLAN and Internet light to turn on (on the router).
  • Plug in or turn on your modem (if it is separate from the router).
  • Open your web browser to see if you have an Internet connection.
  • If you don't have an Internet connection you may need to restart your computer.

Step 6: Clear your Web browser cache. As you browse web pages, the browser stores a copy of the pages you view on your local hard drive; this is called caching. Clearing the cache forces the browser to load the latest versions of Web pages and programs you visit.

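An added example, not part of the thread, that takes a read-only snapshot of the settings Steps 1, 3 and 4 above have you inspect by hand: the Internet Explorer proxy (which WinINET-based programs such as the tax software also use), each adapter's DNS servers, and any non-comment entries in the hosts file. Nothing is changed, so it is safe to run before and after the reset steps to see what they altered. It assumes Windows PowerShell on Windows 7 through 5.1 (Get-WmiObject); the function names are mine.

```powershell
# Added example, not part of the thread: show the proxy, DNS and hosts-file
# state that the manual steps above check. Read-only.

function Get-IEProxySettings {
    # Internet Explorer and other WinINET-based programs read their proxy from this per-user key.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    # A proxy on the loopback address, with no local proxy software installed, is a common sign of tampering.
    $loopback = [bool]($p.ProxyEnable -eq 1 -and $p.ProxyServer -match '127\.0\.0\.1|localhost')
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable      # 1 = a fixed proxy server is in use
        ProxyServer   = $p.ProxyServer      # e.g. "http=127.0.0.1:5555" (constructed illustration)
        AutoConfigURL = $p.AutoConfigURL    # PAC script, if one is configured
        LoopbackProxy = $loopback
    }
}

function Get-AdapterDnsSettings {
    # One record per IP-enabled adapter; with "Obtain DNS automatically" the
    # DNS servers shown are the ones DHCP (usually the router) handed out.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            [pscustomobject]@{
                Adapter     = $_.Description
                DhcpEnabled = $_.DHCPEnabled
                IPAddress   = ($_.IPAddress -join ', ')
                DnsServers  = ($_.DNSServerSearchOrder -join ', ')
            }
        }
}

function Get-HostsOverrides {
    # A stock hosts file contains only comment lines, so every record returned
    # here is something that was added; check which names it points where.
    $hosts = Join-Path -Path $env:SystemRoot -ChildPath 'System32\drivers\etc\hosts'
    Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*[0-9A-Fa-f:.]+\s+\S' } |
        ForEach-Object {
            $parts = ($_.Trim() -split '\s+')
            [pscustomobject]@{ Address = $parts[0]; Names = ($parts[1..($parts.Length - 1)] -join ' ') }
        }
}

Get-IEProxySettings    | Format-List
Get-AdapterDnsSettings | Format-Table -AutoSize -Wrap
Get-HostsOverrides     | Format-Table -AutoSize
```

Compare the DnsServers column with what your ISP or router is supposed to provide (the CAUTION under Step 4 applies), and treat a LoopbackProxy of True on a machine with no proxy software the same way Step 1 does: reset it and re-run the check.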

#11 Mar56 (Topic Starter, Members, 10 posts)

Posted 09 June 2011 - 01:26 PM

Quietman7, I did the first item re proxy settings and Internet Explorer, and I was able to get onto the internet with Internet Explorer and was able to file the tax returns over the internet via my tax program. Is there more that I should do? Such as a registry cleanup?

thanks so much for your help.

#12 quietman7 (Bleepin' Janitor, Global Moderator, 51,927 posts, Virginia, USA)

Posted 09 June 2011 - 02:03 PM

Try doing an online scan to see if it finds anything else that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.
  • If using Mozilla Firefox, you will be prompted to download and use the ESET Smart Installer. Just double-click on esetsmartinstaller_enu.exe to install.
  • Vista/Windows 7 users need to run Internet Explorer/Firefox as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green [image] button.
  • Read the End User License Agreement and check the box:
  • Check [image].
  • Click the [image] button.
  • Accept any security warnings from your browser and allow the download/installation of any required files.
  • Under scan settings, check [image] and make sure that the option Remove found threats is NOT checked.
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click the Start button.
  • ESET will install itself, download virus signature database updates, and begin scanning your computer.
  • The scan will take a while, so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop as ESETScan.txt.
  • Push the [image] button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply. If no threats are found, there is no option to create a log.


is there more that I should do? Such as a registry cleanup?

Anytime you encounter a malware infection on your computer, especially if that computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, to include those used for banking, taxes, email, eBay, PayPal and any online activities which require a username and password. You should consider them to be compromised and change passwords from a clean computer as a precaution, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.

Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:

Step 1: Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.

Step 2: Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.

Step 3: Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.

Step 4: Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware-related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.

Step 5: The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance, but it can result in "unpredictable results".

Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system, such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.


Edited by quietman7, 09 June 2011 - 02:05 PM.


#13 Mar56 (Topic Starter, Members, 10 posts)

Posted 09 June 2011 - 05:08 PM

I ran the ESET online scanner and here is the log from that:

C:\Users\Marion\AppData\Local\Temp\jar_cache2034837907999866436.tmp probably a variant of Win32/TrojanDownloader.Agent.HLVMROK trojan

******
I did not delete the above noted threat.

Next steps???

Marion

#14 quietman7 (Bleepin' Janitor, Global Moderator, 51,927 posts, Virginia, USA)

Posted 09 June 2011 - 05:46 PM

Your scan results indicate a threat(s) was found in the Web browser cache.


I recommend clearing the entire cache manually to ensure everything is cleaned out:

Edited by quietman7, 09 June 2011 - 05:47 PM.


#15 Mar56 (Topic Starter, Members, 10 posts)

Posted 09 June 2011 - 09:28 PM

All caches and temporary files noted in your previous email have been cleaned. I did another of the online scans to ensure the problems were eliminated; the scan is now "clean".



