Coworkers Work Laptop - Sales Rep and Programmer


6 replies to this topic

#1 Chrislorious

Posted 29 September 2011 - 01:01 PM

I am an Intern here under the Network Admin so I do a lot of IT stuff for him. One of my Co-Workers has a Vista 32 bit machine that has come down with a virus of some sort. It has the redirect crap for searches and such. It hid all of the history in the browser so we can't see the possible place where it came from. There doesn't appear to be any suspicious software to be found on the computer.

I have tried several things to get rid of this. The first thing we noticed was that it had disabled MSE. I tried reinstalling it, MalwareBytes, and even tried an online scanner all in safe mode. Each time it crashes out the program scanning and locks the program out. I have used Inherit.exe to make them usable and tried them with changed settings several times with the same results. Even when I did the online scanner it took out Firefox which then needed Inherit.exe. The virus is hidden in the task manager as well. I tried running Kaspersky from 2 different USB devices and from a disk with no luck. It loads up, I run in English, it goes through the large list of things it loads then just goes to a black screen that never goes away and it never responds to any commands other than Ctrl+Alt+F2 in which case it places 2 lines on the screen...

Unless you guys have some other method for me to attempt, we are down to the point where we are just going to have to clear the HDD and re-install Windows Vista. This is going to be very tedious because he has an extreme amount of documents in random places all over the computer and a ton of stuff installed for the job here. It is going to be very difficult to track down all of the files that need to be kept. After reinstalling Windows, it will take at least 6 hours just to reinstall all of the necessary software.

Do you guys have any suggestions on something else to try?

Edited by Orange Blossom, 29 September 2011 - 01:13 PM.
Moved to AII from Vista. ~ OB



#2 boopme


Posted 29 September 2011 - 01:55 PM

This infection changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program. To fix this we must first download a Registry file that will fix these changes. From a clean computer, please download the following file and save it to removable media such as a CD/DVD, external drive, or USB flash drive.

FixNCR.reg

Insert the removable device into the infected computer and open the folder for the drive letter associated with it. You should now see the FixNCR.reg file that you had downloaded onto it. Double-click on the FixNCR.reg file to fix the Registry on your infected computer.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook
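To make the ".exe launches the infection" point above concrete, here is an added example (not part of the original post, and not the contents of FixNCR.reg) that checks an exported .reg file for non-default .exe launch settings. It assumes the two Windows defaults listed in `EXPECTED` and checks the per-user and machine-wide Classes keys that make up HKEY_CLASSES_ROOT; the sample export, the `xyz` ProgID and the file path are constructed.

```python
import re

# Windows defaults for launching .exe files, relative to the Classes root.
EXPECTED = {".exe": "exefile", r"exefile\shell\open\command": '"%1" %*'}
# Hives that feed the merged HKEY_CLASSES_ROOT view.
CLASS_ROOTS = (
    "HKEY_CLASSES_ROOT\\",
    "HKEY_CURRENT_USER\\Software\\Classes\\",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\",
)

def parse_reg_defaults(text):
    """Return {key_path: default_value} for every key in .reg export text."""
    defaults, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            key = header.group(1)
        elif key and line.startswith('@="') and line.endswith('"'):
            # Undo .reg escaping: \\ becomes \ and \" becomes "
            defaults[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return defaults

def find_exe_hijacks(text):
    """List (key, value) pairs whose default differs from the Windows default."""
    findings = []
    for key, value in parse_reg_defaults(text).items():
        for root in CLASS_ROOTS:
            if key.lower().startswith(root.lower()):
                rel = key[len(root):].lower()
                if rel in EXPECTED and value != EXPECTED[rel]:
                    findings.append((key, value))
    return findings

# Constructed sample export: a clean machine-wide entry plus per-user overrides.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="xyz"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"C:\\Users\\example\\AppData\\Local\\xyz.exe\" -a \"%1\" %*"
'''
for key, value in find_exe_hijacks(SAMPLE):
    print(f"NON-DEFAULT {key} -> {value}")
```

Exports written by regedit are UTF-16, so open a real export with `encoding="utf-16"` before passing its text to `find_exe_hijacks`.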

#3 Chrislorious


Posted 29 September 2011 - 02:11 PM

I really do not think that this is the case but I will try it. Like I said, the correct programs are opening, it's after it hits a certain place it tries to scan that it activates the infection that changes the settings of the program. I have already used Inherit.exe to make those programs work again several times. Is this going to do anything different than Inherit.exe?

#4 boopme


Posted 29 September 2011 - 02:23 PM

Try it, sometimes we need a few steps.

If needed next use

EXE HELPER
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

#5 Chrislorious


Posted 29 September 2011 - 04:16 PM

The exehelperlog.txt is not coming up with any answers, but after running it rkill and mbam both lose rights again, which I can regain with Inherit. I tried running those and FixNCR and now Mbam isn't even scanning any of the Windows stuff, it can't get past the "Enumerating registry objects" step prior to the scan.

#6 Chrislorious


Posted 29 September 2011 - 04:21 PM

Even if I try to do the scan with Firefox it blocks it out then I have to Inherit to firefox.exe to make it work again. It had a Windows update with the Malicious Software Removal tool which I imagine doesn't do jack but I'm doing it as an attempt.

Edit: Just figured out how the virus probably got to him... He's still service pack one...

Edit: Virus let it go halfway through the update then ended explorer.exe...

Edited by Chrislorious, 29 September 2011 - 04:31 PM.


#7 boopme


Posted 29 September 2011 - 08:42 PM

Looks like we need to use the AVIRA RESCUE CD
Try creating this disk and boot off of it. You will need another computer to make this disk on.
Avira AntiVir Rescue System
Tutorial for Avira Rescue CD