VIRUS ALERT MALWARE & LINK HIJACK


124 replies to this topic

#1 vertigoboy1981


Posted 20 August 2011 - 06:46 PM

This has happened to me before, but not to the degree it is now. This antivirus alert Malware has installed itself and won't allow me to run any programs. I have downloaded rkill but it will not allow me to run Malwarebytes. Malwarebytes simply shuts off after a few seconds...as does any program I try to use. After it shuts off it won't allow me to restart it unless I re-download it...and then I go in circles.

Also, clicking on links is useless as it's redirecting me to spam sites. Looks like I've been hijacked. How can I run Malwarebytes if this virus keeps killing the process?
:wacko:

Edit: Moved topic from Virus, Trojan, Spyware, and Malware Removal Logs to the more appropriate forum. ~ Animal


#2 boopme


Posted 20 August 2011 - 08:01 PM

Hello and welcome. This infection changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program. To fix this we must first download a Registry file that will fix these changes. From a clean computer, please download the following file and save it to a removable media such as a CD/DVD, external drive, or USB flash drive.

FixNCR.reg

Insert the removable device into the infected computer and open the folder for the drive letter associated with it. You should now see the FixNCR.reg file that you had downloaded onto it. Double-click on the FixNCR.reg file to fix the Registry on your infected computer.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook
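An added example (not the FixNCR.reg from this thread and not BleepingComputer's code) showing the check a defender would run on an exported copy of the relevant keys: it parses a Registry Editor export and flags when the .exe association no longer points at the Windows default, which is exactly what the infection described above changes. The key paths and default values are those of Windows XP; the two sample exports and the `hijacker-placeholder.exe` path are constructed.

```python
"""Audit a Registry Editor 5.00 export for the .exe association hijack described above
(every .exe launches the malware). Added example, not FixNCR.reg; samples are constructed."""
import re

# Clean Windows XP defaults: .exe maps to the exefile class, whose open command
# simply runs the file with its arguments.
DEFAULT_EXE_CLASS = "exefile"
DEFAULT_EXE_COMMAND = '"%1" %*'
EXE_EXTENSION_KEY = r"HKEY_CLASSES_ROOT\.exe"
EXE_COMMAND_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
)
_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

def _unquote(value):
    """Decode a REG_SZ literal ("..." with \\ and \" escapes); other types are returned raw."""
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value

def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name: value}}; "" is the (Default) value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_LINE.match(line) if current is not None else None
        if m:
            name = "" if m.group(1) == "@" else m.group(2)
            keys[current][name] = _unquote(m.group(3))
    return keys

def find_exe_hijack(text):
    """Return [(key, observed_value)] for every .exe association value that is not the default."""
    keys = parse_reg_export(text)
    findings = []
    ext = keys.get(EXE_EXTENSION_KEY, {}).get("")
    if ext is not None and ext.lower() != DEFAULT_EXE_CLASS:
        findings.append((EXE_EXTENSION_KEY, ext))
    for key in EXE_COMMAND_KEYS:
        cmd = keys.get(key, {}).get("")
        if cmd is not None and cmd != DEFAULT_EXE_COMMAND:
            findings.append((key, cmd))
    return findings

# Constructed exports: one clean, one showing the hijack pattern from the thread (placeholder path).
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\hijacker-placeholder.exe\" -a \"%1\" %*"
'''

if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("hijacked", HIJACKED_EXPORT)):
        print(label, find_exe_hijack(export) or "no deviation from default")
```

Exporting the keys from a clean machine and from the suspect one (or from a FixNCR.reg-style fix) and running both through the same check shows whether the fix actually restored the defaults.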

#3 vertigoboy1981


Posted 20 August 2011 - 08:18 PM

Thanks! I appreciate the help! Ok...it says it was successfully entered into my registry. Now what?

Edited by vertigoboy1981, 20 August 2011 - 08:18 PM.


#4 boopme


Posted 20 August 2011 - 08:21 PM

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware

#5 vertigoboy1981


Posted 21 August 2011 - 03:43 PM

Unfortunately, once I start running Malwarebytes, this virus shuts the program down after about 10 seconds of scanning.

#6 boopme


Posted 21 August 2011 - 06:40 PM

I am assuming there is no error message when MBAM stops.

Let's try it this way.

Reboot into Safe Mode with Networking
How to enter safe mode(XP/Vista)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.


>>>> Download this file and double-click on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

Do not reboot your computer after running RKill, as the malware programs will start again. Or, if rebooting is required, run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Now reboot to Normal and run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware

Please ask any needed questions, post logs and let us know how the PC is running now.

Edited by boopme, 21 August 2011 - 06:41 PM.


#7 vertigoboy1981


Posted 22 August 2011 - 03:12 AM

Wow, this is so frustrating. It seems to even be shutting off both the normal version of the SuperAntiSpyware and the portable version. I've tried several of the different Rkill versions too. It found one tracking cookie and then quickly shut off. When I tried to run it again, it shut me off before it could even start scanning. The same still goes for Malwarebytes.

#8 boopme


Posted 22 August 2011 - 01:53 PM

Do you have another user account you can log in from and try from there?

Or try AVIRA RESCUE CD
Try creating this disk and boot off of it. You will need another computer to make this disk on.
Avira AntiVir Rescue System
Tutorial for Avira Rescue CD

#9 vertigoboy1981


Posted 23 August 2011 - 12:45 PM

Avira AntiVir Rescue System ran and caught 39 infections along with several alerts. It allowed me to run Windows normally without the malicious "virus scan" starting up. I also ran SuperAntiSpyware and Malwarebytes....both of which caught some more problems after the fact.

However, when I ran my CCleaner it reported several components of programs (such as my Seagate wireless adapter) as missing. I noticed that several programs do not seem to work now. More importantly, I cannot connect to the Internet no matter what I try. Could this virus have damaged my programs to the point that they don't work now?

#10 boopme


Posted 24 August 2011 - 09:40 PM

Hello, I had to replace my NIC card so I could not get back on until now.

It is very common for malware to corrupt files. So do registry cleaners.

What is the operating System??

We can try these. You may need to reinstall the adapter software.

For the connection try these...

Please click Start > Run, type inetcpl.cpl in the runbox and press enter.
Click the Connections tab and click the LAN settings option.
Verify if "Use a proxy..." is checked, if so, UNcheck it and click OK/OK to exit.
Now check if the internet is working again.

OR

Go to Start ... Run and type in cmd
A DOS window will appear.
Type in the DOS window: netsh winsock reset
Press the Enter key.

Reboot your system to complete the process.

If needed : type these one line at a time, press enter after each line. See if it works after each.


netsh interface ipv4 reset
netsh interface ipv6 reset
ipconfig /flushdns

#11 vertigoboy1981


Posted 25 August 2011 - 04:00 AM

I'm using a Dell; the operating system is Windows XP.

1.) It still won't connect. Tried to reinstall the Linksys wireless adapter but now the wireless connections won't load. It says it can't configure the connection. The Linksys monitor says "you are connected to the access point but the Internet can't be found."

2.) I typed in the commands you listed. The first one worked and then I rebooted and did the others. I got these responses:

Following command not found: interface ipv6 reset. Ipv6 is not installed.

Successfuly flushed the dns resolver cache.

3.) When trying to open programs like iTunes, I get the message, "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." When I go to a file, such as an mp3, it has no program to open it.

4.) Are programs such as Registry Mechanic or CCleaner no good?

5.) Tried to revert my system to an earlier date with system restore but it won't allow me.

***I appreciate your patience. I would have no issue reformatting the computer. However, my biggest worry is losing iTunes data, as I need to open the program to properly organize everything onto my external hard drive. Is there any hope of getting the Internet and my programs running without a wipe??

#12 boopme


Posted 25 August 2011 - 11:38 AM

Hello. Registry Mechanic or CCleaner no good? I would lose the Reg Mech; CC is good. But I would avoid registry cleaning as much as possible.

First restart your computer in Safe Mode with Networking (only XP and Vista) and see if you can open the file or programs in question. If so, it’s not a “real” permission issue, it’s a program or process on your computer that is giving the error.


If you get Net access then...
Go here to Doug Knox's Windows® XP File Association Fixes
Run the 9th one down on the left... EXE File Association Fix ... the EXE one, not the EML one.

If needed, do the one that worked again and that's all.
Was it this one?
Go to Start ... Run and type in cmd
A DOS window will appear.
Type in the DOS window: netsh winsock reset
Press the Enter key.


Also if you connect again do the MBAM scan in post 6.



If you have an Install CD run SFC

Please run SFC (System File Checker)
Please run System File Checker sfc /scannow... For more information on this tool see How To Use Sfc.exe To Repair System Files

NOTE for Vista/Win 7 users: the command needs to be run from an elevated Command Prompt. Click Start, type cmd into the Start/Search box,
right-click cmd.exe in the list above and select 'Run as Administrator'.


You will need your operating system CD handy.

Open Windows Task Manager....by pressing CTRL+SHIFT+ESC

Then click File.. then New Task(Run)

In the box that opens type sfc /scannow ......There is a space between c and /

Click OK
Let it run and insert the CD when asked.

#13 vertigoboy1981


Posted 25 August 2011 - 12:38 PM

1.) I will try that when I go home. However, I do remember in Safe Mode that I could not open iTunes. It said something about not being able to use sound or something, I believe. I will try this later and let you know.

2.) I ran Avira again in Boot mode (hitting F12) before bed. It ran the scan and picked up the same problems that it did the first time. I know it says it changed the names or something so that the Malware wouldn't run on startup. Does this not remove them? I believe the instructions said to run Avira again in normal Windows mode. I have not been able to do this. I go to my CD drive and click on Avira but it says that Windows cannot open the program and asks me to select a program to open it with. I believe the extension of the Avira file is .ICO. What should I do? Does this mean the Malware still exists?

Thanks,

Mike

#14 boopme


Posted 25 August 2011 - 12:53 PM

OK, let me know. If you have access to another PC you can either connect this one as a slave drive and scan it from there, or back up your iTunes so you can reformat.

#15 vertigoboy1981


Posted 25 August 2011 - 01:08 PM

I don't understand how to do that I don't believe. Do you mean for Avira scan? I don't have another computer but maybe I can ask someone to help me. Can you explain a little more?



