Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I am unable to open or run programs, including DDS.SCR


  • This topic is locked This topic is locked
28 replies to this topic

#1 downtime

downtime

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 15 March 2012 - 06:26 AM

I've had a malware problem for about a month. Every time I remove it with malwarebytes or adaware, it will come back again as soon as I would use the internet (particularly if I did a search on google). I would usually get redirected to another site advertising something. Last night, I got redirected and quickly tried closing the tab before it could load, but instead, my computer rebooted itself and now I am unable to run any anti-malware programs (or even access the internet directly with firefox or explorer). I've tried renaming the mbam.exe as was suggested in another forum but that did work either. And I've tried to create a log so I can post it here but it won't let me download and open the DDS.SCR program. What should I do?

BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,926 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:18 PM

Posted 17 March 2012 - 09:54 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Print out these instructions as we may need to close every window that is open later in the fix.

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

Using the infected computer or the method above download these files.

RKill Download Link

FixNCR.reg

===

This infection changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program. To fix this we must first download a Registry file that will fix these changes.

Download FixNCR.reg

Once that file is downloaded and saved on a removable devices, insert the removable device into the infected computer and open the folder the drive letter associated with it. You should now see the FixNCR.reg file that you had downloaded onto it. Double-click on the FixNCR.reg file to fix the Registry on your infected computer. You should now be able to run your normal executable programs and can proceed to the next step.

If you do not have any removable media or another clean computer that you can download the FixNCR.reg file onto, you can try and download it to your infected computer using another method. On the infected computer, right click on the Internet Explorer's icon, or any other browser's icon, and select Run As or Run as Administrator. If you are using Windows XP, you will be prompted to select a user and enter its password. It is suggested that you attempt to login as the Administrator user. For Windows 7 or Windows Vista, you will be prompted to enter your Administrator account password.

Once you enter the password, your browser will start and you can download the above FixNCR.reg file. When saving it, make sure you save it to a folder that can be accessed by your normal account. Remember, that you will be launching the browser as another user, so if you save it to a My Documents folder, it will not be your normal My Documents folder that it is downloaded into. Instead it will be the My Documents folder that belongs to the user you ran the browser as. Once the download has finished, close your browser and find the FixNCR.reg file that you downloaded. Now double-click on it and allow the data to be merged. You should now be able to run your normal executable programs and can proceed to the next step.
===

Before we can do anything we must first end the processes so that it does not interfere with the cleaning procedure.

Double-click on the RKill.exe icon in order to automatically attempt to stop any processes associated with the Rogue program.
===

Do not restart the computer.

You should now be able to download Malwarebytes Anti-Malware and save it to your desktop.
  • alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:[list]
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with the Malwarebytes Anti-Malware log once it's complete.
===

Include the result of this scan also.

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.

Let me know what problem persists.

#3 downtime

downtime
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 17 March 2012 - 01:34 PM

Hi, Thanks for responding!

I actually already had rkill.exe and malwarebytes installed.

I was able to download the FixNCR, (it's only 2kb,right?). I ran it, and it said that it would make changes.

So then I clicked on rkill and I was asked if I wanted to allow the program to make changes, and I said yes, but nothing happened after that. I did the same with mbam and nothing happened with that either.

#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,926 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:18 PM

Posted 18 March 2012 - 07:53 AM

Remove you version of DDS and download the .com version from the link I gave you.

#5 downtime

downtime
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 19 March 2012 - 04:22 PM

I tried the .COM(and then the other ones as well). It will ask me if I want to allow the program to make changes to my computer, but when I click yes, nothing happens :/

#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,926 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:18 PM

Posted 20 March 2012 - 01:21 PM

If you can please run the Malwarebytes tool.

Run also the following tools and post the logs.

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
    Posted Image
  • If a suspicious file is detected, the default action will be Skip, click on Continue
    Posted Image
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive ((usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

#7 downtime

downtime
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 20 March 2012 - 04:11 PM

As with the other programs, was able to extract the TDSSKiller, but when I run it, it asks me if I'm sure that I want the program to make changes to the computer, but nothing happens when I click yes.

The same with aswMBR.exe and malwarebytes.

#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,926 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:18 PM

Posted 21 March 2012 - 07:24 AM

I think that the User Account Control is interfering with running programs.

If you have Windows vista or Windows 7 right click on the .exe file and select Run As Administrator.

#9 downtime

downtime
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 21 March 2012 - 09:34 AM

Windows 7.
I tried that as well, no difference.

#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,926 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:18 PM

Posted 21 March 2012 - 09:46 AM

From post no 2.Download FixNCR.reg.

That .reg file is a registry file. Run it as As Administrator.
If you get any error message please post it.

#11 downtime

downtime
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 22 March 2012 - 06:46 PM

The only programs I can choose "run as administrator" are .exe ... it doesn't give me that option for FixNCR.reg (or the .coms)

#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,926 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:18 PM

Posted 23 March 2012 - 08:48 AM

Try to run this tool.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this if fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

#13 downtime

downtime
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 23 March 2012 - 08:54 PM

I tried to run it, nothing happened. I tried to run it as an administrator - nothing. I changed the extention to .com - nothing. Sane as any other program I try to run.

(except the one I'm using to access the internet oddly enough. I can't use firefox or IE, but I had an application from e*trade that, although the application itself won't run, it opens up an internet window and I can change the web address to any internet site I want - including bleeping computer)

Oh and I couldn't disable any protective programs, because they are not running in the system try (I assume they are not running at all)

#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,926 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:18 PM

Posted 24 March 2012 - 07:51 AM

Can you start the Computer in Safe Mode with Internet connectivity and run ComboFix?

Post the log if you can.

#15 downtime

downtime
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 24 March 2012 - 11:31 AM

Nope. Safe mode doesn't make a difference. (I tried each of those programs and "run as admin", but same results - it will ask me if I'm sure I want to run the program, I click yes, but then nothing happens).




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users