Scary Virus?? What Can I Do?


23 replies to this topic

#1 jpeg (Members, 19 posts, Atlanta, Georgia)

Posted 22 January 2012 - 08:49 PM

Yesterday I was sitting at my computer and suddenly all my programs closed down. When I tried to reopen them (any of them), nothing happened. I clicked on the desktop icons one at a time, and nothing would open. I'd get a momentary "hourglass", then nothing.

I then went into the Program Files and tried opening a program directly by double-clicking its .exe file. Still nothing. The only .exe file on my computer that seems to work is photoshop.exe, oddly enough. I can't even get into the Internet, because it's an .exe file! I can't run Malwarebytes or my antivirus program (AVG), because they also are .exe files.

I tried to install HijackThis, thinking that it might be important in solving this, and I get the message, "Installation Directory Must be on a Local Hard Drive". How more local can I get than C Drive?

I booted up into Safe Mode and the same problem exists there. I can't open .exe files.

I did a System Restore to as far back as I could go (about 2 weeks). It didn't help. :(

I made a CD from the AVG site called AVG Rescue Disk, which is supposed to clean viruses when the actual AVG Antivirus program can't be run. I booted up with the disk and ran the program, and it found no viruses. So that was useless.

Every possible program I can find on the Web that might help clean viruses is an .exe file. Which, as explained, I CAN'T RUN!!!

Can anybody tell me what this problem is? Can anybody tell me how to solve it -- or even how to run one of those online virus programs. And please don't say, "Reformat your computer". That's a last resort!

Is it a rootkit virus? I'm not sure what that is, but I read about them (reading can be dangerous).

I am so DESPERATE at this point. Thanks for any and all help anyone can come up with! I'll try anything!

Peg

PS: I'm running Windows 7, 64 bit.


#2 boopme, "To Insanity and Beyond" (Global Moderator, 72,917 posts, NJ USA)

Posted 22 January 2012 - 09:07 PM

Hello Peg, let's try this.

This infection changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program. To fix this we must first download a Registry file that will fix these changes. From a clean computer, please download the following file and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.

FixNCR.reg

Insert the removable device into the infected computer and open the drive letter associated with it. You should now see the FixNCR.reg file that you had downloaded onto it. Double-click on the FixNCR.reg file to fix the Registry on your infected computer.



Next run MBAM (MalwareBytes). It can also be run off a CD or flash drive.

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1 <<<== Use this one first.
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 jpeg, Topic Starter (Members, 19 posts, Atlanta, Georgia)

Posted 22 January 2012 - 11:16 PM

Hi, Boopme! I did what you said and ran FixNCR.reg from a flash drive on the infected computer. It announced that it had made changes to the registry.

I then downloaded Malwarebytes onto my flash drive. I tried to run it from both my flash drive AND then copied it to my desktop and tried initiating it from there. In both cases, the computer exhibited the same symptoms. It wouldn't run the mbam-setup.exe installation file, because it ended in .exe. :(

Peg

#4 jpeg, Topic Starter (Members, 19 posts, Atlanta, Georgia)

Posted 23 January 2012 - 03:04 PM

Hmm. Is that it? What do I do now?

Peg :(

#5 boopme, "To Insanity and Beyond" (Global Moderator, 72,917 posts, NJ USA)

Posted 23 January 2012 - 08:27 PM

Sorry, nutty day.
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Now try MBAM again.


OR try opening a different user account and see if you can scan from there.

Open task manager ... do you see a process similar to this 3203397148:3809022017.exe ...numbers colon numbers ???
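As an added example (not from any post in this thread), here is a read-only PowerShell check for the two things boopme's replies describe: the .exe file association that FixNCR.reg repairs (post #2) and the "numbers colon numbers" process to look for in Task Manager (post #5). It assumes an elevated PowerShell prompt in the affected user account, and it changes nothing; the expected values are the Windows defaults.

```powershell
# Added example, not from the thread. Read-only: reports the state of the .exe
# association and lists any digits:digits.exe process. Apply FixNCR.reg to repair.
# Assumption: run from an elevated PowerShell prompt in the affected user account.

$ExpectedProgId  = 'exefile'   # Windows default ProgId for the .exe extension
$ExpectedCommand = '"%1" %*'   # Windows default "open" command for exefile

function Get-DefaultValue {
    # Returns the (Default) value of a registry key, or $null if the key is absent.
    param([string]$KeyPath)
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')
}

function Test-ExeAssociation {
    # HKCR is the merged view Windows actually consults. HKCU\Software\Classes is the
    # per-user override layer, which is where an association hijack usually lives:
    # a missing per-user key is normal (the machine-wide value applies), but a
    # present key whose value differs from the default is the symptom described above.
    $layers = [ordered]@{
        'Effective (HKCR)'  = 'Registry::HKEY_CLASSES_ROOT'
        'Per-user (HKCU)'   = 'Registry::HKEY_CURRENT_USER\Software\Classes'
    }
    foreach ($name in $layers.Keys) {
        $base    = $layers[$name]
        $progId  = Get-DefaultValue "$base\.exe"
        $command = Get-DefaultValue "$base\exefile\shell\open\command"
        $checks  = @(
            @{ Item = '.exe ProgId';          Actual = $progId;  Expected = $ExpectedProgId },
            @{ Item = 'exefile open command'; Actual = $command; Expected = $ExpectedCommand }
        )
        foreach ($c in $checks) {
            $status = 'MISMATCH'
            if ($null -eq $c.Actual) { $status = 'absent' }
            elseif ($c.Actual -eq $c.Expected) { $status = 'OK' }
            [pscustomobject]@{
                Layer = $name; Item = $c.Item; Status = $status
                Actual = $c.Actual; Expected = $c.Expected
            }
        }
    }
}

function Find-NumericColonProcess {
    # Lists running processes whose image name looks like 3203397148:3809022017.exe
    # (digits, a colon, digits), the pattern boopme asks to look for in Task Manager.
    # The colon is NTFS alternate-data-stream syntax, so such an image is tucked
    # inside another file rather than sitting as an ordinary .exe on disk.
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { ($_.Name -match '^\d+:\d+\.exe$') -or ($_.ExecutablePath -match '\\\d+:\d+\.exe$') } |
        Select-Object ProcessId, Name, ExecutablePath
}

Test-ExeAssociation | Format-Table -AutoSize
$hits = @(Find-NumericColonProcess)
if ($hits.Count -eq 0) { 'No digits:digits.exe process found.' }
else { $hits | Format-Table -AutoSize }
```

A MISMATCH in the per-user layer after running FixNCR.reg means the fix did not reach that account's override keys, which is consistent with the installer still refusing to launch in the next reply.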

#6 jpeg, Topic Starter (Members, 19 posts, Atlanta, Georgia)

Posted 24 January 2012 - 11:47 AM

Ho, boopme!

I put exeHelper.com on my Desktop and double clicked it. The "Command Prompt" screen flashed on for about 1/4 of a second then disappeared. It created no exehelperlog.txt (I even did a search for it!). And MBAM still won't run.

Opening in a different account makes no difference.

In task manager, there is no process running with numbers in it :(

Peg

AAARGH!

#7 jpeg, Topic Starter (Members, 19 posts, Atlanta, Georgia)

Posted 24 January 2012 - 12:02 PM

Something else I tried last night that DIDN'T work:

I ran Microsoft's Beta program, "System Sweeper". It's a bootable CD that scans the system without going into Windows. It took about 5 hours to scan. DIDN'T FIND ANYTHING! :smash:

Peg

Edited by jpeg, 24 January 2012 - 12:02 PM.


#8 jpeg, Topic Starter (Members, 19 posts, Atlanta, Georgia)

Posted 24 January 2012 - 04:04 PM

All right. Let me ask this question, since I don't seem to be getting anywhere. If all else fails, I will have to reformat my hard drive. My hard drive is partitioned into C: and E: drives. Will I have to reformat both partitions, or can I just reformat C: Drive? What about a second physical drive (also partitioned) that I have in my computer?

Peg

:killcomp:

#9 jpeg, Topic Starter (Members, 19 posts, Atlanta, Georgia)

Posted 25 January 2012 - 02:45 PM

Surely there's SOMEBODY who can answer my questions. :( :question: :(

#10 AustrAlien, "Inquisitor" (BC Advisor, 6,772 posts, Cowra NSW Australia)

Posted 25 January 2012 - 06:07 PM

Let's see if I can help in one way or another ...

boopme has asked for some help with your post:

"If all else fails, and I have to reformat my hard drive. My hard drive is partitioned into C: and E: drives. Will I have to reformat both partitions, or can I just reformat C: Drive? What about a second physical drive (also partitioned) that I have in my computer?"


Re: "can I just reformat C: Drive?"
Yes, you can simply reformat C: drive and proceed to re-install Windows 7 on that partition (presumably that's the drive it is currently on). That should not affect E: drive or any other attached internal hard drive. Of course, you would need to backup any personal files (and ONLY personal files, so you don't risk transferring the infection) to one of the other drives or to an external hard drive before you format C: drive.

I should advise you here, that the above is not the best option under the circumstances (unknown malware infection). A preferable course of action to ensure that malware does not persist on the hard drive would be to also backup E: drive to another separate hard drive. Disconnect the second internal hard drive. Delete all partitions on the main hard drive. Then proceed to partition, format the partition(s) and install Windows 7. This will definitely ensure that malware does not survive the re-installation of the operating system on that hard drive.

I have noted your expressed reluctance to perform a re-installation of the Windows 7 operating system.

And please don't say, "Reformat your computer". That's a last resort!


Fair enough. Let me make a couple of suggestions in that case that might enable some progress to be made in cleaning up the malware infection on the existing operating system. Try the following two approaches; if the first doesn't make any progress, perhaps the second will ...

Step 1: Download Rkill (in one of its various extensions, hoping that if one extension is not allowed, perhaps another will be allowed to run) and run it before attempting to run anything else (including exeHelper and then MBAM), and see if that will stop the malware and allow other fixes to be run.

See the following for more information: For those having trouble running Malwarebytes Anti-Malware


Step 2: Are you able to run dds.scr and create a log? Please follow the instructions in the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help.
When you have done that, post your log in the "Virus, Trojan, Spyware, and Malware Removal Logs forum", NOT here, for assistance by the Malware Response Team experts. Please let us know, here, if you have been able to successfully start your new topic.

Please let us know whether or not you are able to make any progress with the above steps.

Edited by AustrAlien, 25 January 2012 - 06:15 PM.

AustrAlien
Google is my friend. Make Google your friend too.


#11 jpeg, Topic Starter (Members, 19 posts, Atlanta, Georgia)

Posted 25 January 2012 - 08:22 PM

Re: "can I just reformat C: Drive?"
Yes, you can simply reformat C: drive and proceed to re-install Windows 7 on that partition (presumably that's the drive it is currently on). That should not affect E: drive or any other attached internal hard drive. Of course, you would need to backup any personal files (and ONLY personal files, so you don't risk transferring the infection) to one of the other drives or to an external hard drive before you format C: drive.

I should advise you here, that the above is not the best option under the circumstances (unknown malware infection). A preferable course of action to ensure that malware does not persist on the hard drive would be to also backup E: drive to another separate hard drive. Disconnect the second internal hard drive. Delete all partitions on the main hard drive. Then proceed to partition, format the partition(s) and install Windows 7. This will definitely ensure that malware does not survive the re-installation of the operating system on that hard drive.


Thanks for your reply, Alien. I've decided to reformat the hard drive. Should I reformat the second hard drive also -- could it be hiding the virus also? I've already copied the data from the partitions (and from my second internal drive) onto a separate external drive.

How do I go about doing this? I thought that reinstalling the Windows 7 operating system would also format the drive, but this didn't prove to be the case. After reinstalling Windows, a lot of my personal files (data) were still on the drive, so installing Windows obviously doesn't clean the disk (or the virus either, I wouldn't think).

So how do I actually REFORMAT the drive(s) since the Windows installation doesn't do it? I know that in Windows XP, I would simply go to the command prompt and type format c: /s. Is it the same with Windows 7? Should I delete all partitions first, then add them back after formatting the entire drive? And then copy my data back. (I've also got Genie backups of each of my drives on a separate external drive -- I'm going to assume they're clean.)

Another question: I made a System Image of the computer a couple of months ago (to an external drive). If I restore that System image after reformatting, will that work? It would sure save me days and days of reinstalling programs!

Sorry to be such a pest, but I want to be sure this virus never rears its head again!

Peg

#12 AustrAlien, "Inquisitor" (BC Advisor, 6,772 posts, Cowra NSW Australia)

Posted 25 January 2012 - 09:25 PM

"I made a System Image of the computer a couple of months ago (to an external drive). If I restore that System image ...... will that work? It would sure save me days and days of reinstalling programs!"

That sounds like a very good option. Did you image the whole hard drive or just the C: (Windows system) partition?

If you restore an image of the whole hard drive that would do the job very nicely. You can go ahead and do that without needing to perform any other steps.

However, restoring an image of only the C: drive would not completely remove the possibility of malware persisting. In this case, you should firstly delete all partitions on the hard drive, and then restore the image.

When booting to the Win7 installation disk, you should see an option to delete partitions: Choose to do that. If you were going to then install Windows, after deleting all partitions, you would then need to create a partition on which to install Win7. After deleting all partitions, the hard drive will be "empty". One of the most secure ways of making sure the hard drive is wiped clean is to use something like dban to wipe the hard drive before installing Windows.

Whether you format the other internal hard drive is up to you. I do not think it poses any risk at all if you leave it as is. The only risk that may exist is in the files that you have now backed up to an external hard drive. Before restoring any of this material to a clean computer, you should thoroughly scan the contents of the external hard drive for malware.
=================

I'll include my instructions for using dban in case you wish to wipe the hard drive: It will take a considerable length of time to run 3 passes, but you can always stop it after 1 pass.

Wipe the HDD with an application such as dban or killdisk run from a bootable CD.

Step 1: Download dban (Darik's Boot and Nuke):

"Darik's Boot and Nuke ("DBAN") is a self-contained boot disk that securely wipes the hard disks of most computers. DBAN will automatically and completely delete the contents of any hard disk that it can detect, which makes it an appropriate utility for bulk or emergency data destruction."

If you do not already have a suitable burning program for writing .ISO images to disc ...
  • Download and install ImgBurn.
    Ensure that you UN-check the box agreeing to install the Ask toolbar during the installation.
  • Place a new (blank) CD disc in the drive tray.
  • Choose Write image file to disc.
    • Under Source, click on the Browse button: Navigate to and select the .ISO file that you wish to burn.
    • Place a check-mark in the box beside Verify.
  • Click Posted Image

    When the CD has been burned and verified as successful, it will be bootable.

Step 2: Disconnect ALL hard drives (including external hard drives and flashdrives) except for the hard drive that you wish to wipe.

Warning: The following procedure will completely wipe ALL hard drives connected to the system!


Step 3: Boot from the CD, and with ONLY the one hard drive connected to the system ...
  • Warning: This will completely wipe ALL hard drives connected to the system!
  • Type autonuke at the prompt and press the <ENTER> key.
  • Allow to complete.
    Please be patient: It may take some considerable time, depending on the size of the HDD.
If you are pressed for time .... it should be OK to stop dban after it has completed one full pass of wiping the HDD (autonuke will wipe the HDD three times, by default).
=================

Edit: Summary of a plan ...
  • Wipe the one (or both) hard drives with dban.
  • Restore the system image that you previously made (restore "as is", do not expand to fill the whole hard drive space). To do this of course, you will need to already have made the appropriate bootable CD to enable you to restore the system image.
When your Win7 installation is up and running again, you can then partition and format the remainder of the main hard drive, and also the second hard drive.

Edit2: re "Should I delete all partitions first, then add them back after formatting the entire drive?"
Just to try to clarify your thoughts here, formatting only applies to a partition: You format a partition or drive. When you delete a partition or all partitions, you must then firstly create a partition before you can format it (it being the partition). If you are restoring an image of the system drive, you may need to create a partition (but I don't think so), but you do not need to format it beforehand, since restoring the image will overwrite it.

Edited by AustrAlien, 25 January 2012 - 10:35 PM.


#13 jpeg, Topic Starter (Members, 19 posts, Atlanta, Georgia)

Posted 26 January 2012 - 05:28 PM


"When booting to the Win7 installation disk, you should see an option to delete partitions"


Hi Alien! The Windows 7 installation disk never offered me the option to delete partitions. However I did find the "Advanced" key, which allowed me to format the drive while installing Windows. It also, without asking, apparently formatted the 2nd partition.

I then disconnected all drives except C: and ran DBAN. It ran for a few seconds and then said, "DBAN finished with non-fatal errors" "ERROR /dev/sde (process crash)".

Both drives seem to be formatted, but I would still like to thoroughly clean them if possible. Is there a program other than DBAN that can do this? Or do you know how to make DBAN work? Or should I just go ahead and assume the rootkit might be gone (don't like this last idea).

Peg

#14 jpeg, Topic Starter (Members, 19 posts, Atlanta, Georgia)

Posted 26 January 2012 - 05:34 PM

Wait a minute! Did DBAN crash because I had already installed Windows???? If so, is there a way to format the hard drive without installing Windows?? Would DBAN work if there was NOTHING on the hard drive?

Just thinkin'.

Peg

#15 AustrAlien, "Inquisitor" (BC Advisor, 6,772 posts, Cowra NSW Australia)

Posted 26 January 2012 - 08:44 PM

"DBAN finished with non-fatal errors" "ERROR /dev/sde (process crash)".

I suspect you have a card reader connected to the system, and that is causing the problem. Please disconnect it and try again. Success?

"make sure all unnecessary usb devices, usb hubs, memory card readers (whether internal or usb), multi-function printers (because most have memory card readers) are disconnected before using dban."

Source: http://sourceforge.net/tracker/index.php?func=detail&aid=2988662&group_id=61951&atid=498945 (comment by ultracombo, 2010-06-02 22:04:24 PDT)

Edited by AustrAlien, 26 January 2012 - 08:53 PM.
