
Help please!!


14 replies to this topic

#1 saradavi


Posted 31 July 2013 - 12:29 PM

I'm pretty sure I've got a virus or some sort of malware infecting my laptop, and I need some advice please! I noticed a website that I regularly use was redirecting me to a different page where a 'Flash Security Warning' was showing up out of the blue. I closed the browser (Firefox) and ran Malwarebytes. It kept crashing a couple of minutes in (while scanning $Recycle Bin) and CTRL ALT DEL didn't work, it went to a black screen that said security options couldn't be displayed. Eventually the quick scan completed and showed 0 infections. I naively thought it was sorted! However, this morning, the redirecting happened again, and Malwarebytes crashed again. I'm really hoping someone can give me some advice as to what I can do next please?! Thanks in advance!


#2 GodfatherKing


Posted 31 July 2013 - 12:47 PM

:welcome:

 

:step1: Run Rkill http://www.bleepingcomputer.com/forums/t/308364/rkill-what-it-does-and-what-it-doesnt-a-brief-introduction-to-the-program/

 

Note: Sometimes AVs think Rkill is infected; this isn't true, it's just a false positive. Just let it terminate the malware processes.

 

:step2: Provide the Rkill log.

 

:step3: Download Emsisoft Emergency Kit

  • Open Emsisoft Emergency Kit by double-clicking Start.exe.
  • A new window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner. On the main screen click the Scan Now button.
  • Select the Deep Scan option and click the SCAN button.
  • When the scan is finished click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click on the most recent log. Note, logs are named as follows: a2scan_<date>-<time>.txt.
  • Copy/paste the report contents in your next reply.

 

:step4: Try now to run MBAM.


If you have received help from me and I don't respond to you for 3 or more days, send me a Private Message.  :hello:


#3 saradavi


Posted 31 July 2013 - 01:06 PM

Thank you for replying! As you can tell, I'm a bit of a novice! Rkill is running now, and I'll provide the log and the Emsisoft report in my next reply. Thanks again!



#4 saradavi


Posted 31 July 2013 - 01:12 PM

Rkill log:

Rkill 2.5.7 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 07/31/2013 07:04:17 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
  * HKLM\Software\Classes\exefile\shell\open\command\\IsolatedCommand was changed. It was reset to "%1" %*!

  * HKLM\Software\Classes\exefile\shell\runas\command\\IsolatedCommand was changed. It was reset to "%1" %*!

  * HKCU\SOFTWARE\Classes\.exe "@" exists and is set to exefile!
  * HKCU\SOFTWARE\Classes\.exe has been deleted!
  * HKCU\SOFTWARE\Classes\exefile has been deleted!


Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * WinDefend [Missing ImagePath]
 * wscsvc [Missing ImagePath]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 07/31/2013 07:07:58 PM
Execution time: 0 hours(s), 3 minute(s), and 40 seconds(s)
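The Rkill log above reports four kinds of tampering: Windows Defender switched off through the DisableAntiSpyware policy value, the WinDefend and wscsvc services with no ImagePath, modified IsolatedCommand values under the exefile open/runas verbs, and per-user .exe/exefile overrides under HKCU. The following PowerShell is an added, read-only check for exactly those items (it is not part of this thread and not Rkill's code); it assumes a Windows 7 host and the registry paths shown in the log, and it only reports, never repairs.

```powershell
# Added example: re-verify the items Rkill flagged in the log above.
# Read-only; assumes the registry paths from the log on a Windows 7 host.
$findings = @()

# 1. Windows Defender disabled by policy value (log: "DisableAntiSpyware" = dword:00000001)
$wd = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender' `
                       -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($wd -and $wd.DisableAntiSpyware -eq 1) {
    $findings += 'Windows Defender disabled: DisableAntiSpyware = 1'
}

# 2. Services with a missing ImagePath (log: WinDefend, wscsvc [Missing ImagePath])
foreach ($svc in 'WinDefend', 'wscsvc') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path $key)) {
        $findings += "$svc service key is missing"
        continue
    }
    $ip = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ([string]::IsNullOrEmpty($ip)) { $findings += "$svc has no ImagePath" }
}

# 3. exefile open/runas commands: the default and IsolatedCommand values should
#    both be the stock "%1" %*  (log: IsolatedCommand was changed and reset)
foreach ($verb in 'open', 'runas') {
    $key   = "HKLM:\SOFTWARE\Classes\exefile\shell\$verb\command"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in '(default)', 'IsolatedCommand') {
        $val = $props.$name
        if ($val -and $val -ne '"%1" %*') {
            $findings += "exefile\shell\$verb\command\$name = $val"
        }
    }
}

# 4. Per-user overrides of .exe / exefile in HKCU shadow the machine-wide
#    association and should not exist (log: Rkill deleted both keys)
foreach ($key in 'HKCU:\SOFTWARE\Classes\.exe', 'HKCU:\SOFTWARE\Classes\exefile') {
    if (Test-Path $key) { $findings += "per-user override present: $key" }
}

if ($findings.Count -eq 0) { 'No Rkill-style findings present.' } else { $findings }
```

Run it after Rkill and again after a reboot: if the HKCU keys or the DisableAntiSpyware value come back, something still running on the machine is re-applying them.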
 



#5 saradavi


Posted 31 July 2013 - 01:49 PM

The Emsisoft scan seems to be stuck at the same point where Malwarebytes was jamming: C:\$Recycle.Bin\...\$RVPLGPE.ipa. Is there any point in letting it run any longer? It's been stuck at this point for about 20 minutes.

#6 GodfatherKing


Posted 31 July 2013 - 01:50 PM

You may terminate the scan.




#7 GodfatherKing


Posted 31 July 2013 - 01:52 PM

Then reboot the computer into safe mode and do a scan with EEK. Is the same issue happening now? Try MBAM in safe mode as well.


Edited by GodfatherKing, 31 July 2013 - 01:53 PM.



#8 saradavi


Posted 31 July 2013 - 01:58 PM

I tried to end the scan, but the next thing it said was that the scan was complete and that no suspicious files were detected. Should I still try it in safe mode?

#9 saradavi


Posted 31 July 2013 - 02:01 PM

Emsisoft Emergency Kit - Version 4.0
Last update: 7/31/2013 7:26:38 PM
User account: Sara-PC\Sara

Scan settings:

Scan type: Deep Scan
Objects: Rootkits, Memory, Traces, C:\

Detect Riskware: Off
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    7/31/2013 7:27:07 PM

Scanned    321256
Found    0

Scan end:    7/31/2013 7:52:05 PM
Scan time:    0:24:58
 

321256 objects is what it said when it was jammed though, at about 75% progress; not sure if it makes a difference?



#10 GodfatherKing


Posted 01 August 2013 - 02:39 AM

Try running MBAM again; is it still stuck at the same thing?




#11 saradavi


Posted 01 August 2013 - 03:50 AM

Yes, still sticking at C:\$Recycle.Bin. Should I try Emsisoft or MBAM in safe mode?

#12 GodfatherKing


Posted 01 August 2013 - 04:18 AM

Let's try something else: do you have an (empty) USB stick (flash drive) we can use?

 

 

USING THE RAR/ZIP ARCHIVE TO CREATE A USB BOOTABLE DEVICE

To create a USB flash drive variant of AVG Rescue CD, you will need to do the following:

  • Extract the archive downloaded from AVG web to your preferred location.
  • Double-click the extracted setup.exe file. It will guide you through the whole process. You will be able to select a USB drive from a listbox and setup will copy all necessary files to the selected USB drive and it will make the USB drive bootable.
  • Please be careful not to run the makeboot.bat file directly from the hard drive of the computer! This would overwrite the boot record and make your system unbootable.
  • After this process is finished (message will be displayed) you can close the window.

 

 

:step1: AVG Rescue:

 

Now plug in the USB device with AVG Rescue on it.

 

1. Reboot the computer and open the boot menu (F10 or F12). Then choose the USB device.

 

2. At the Boot Menu: Choose AVG Rescue CD (1) and press Enter

3. Let it load, at the "Disclaimer Screen"... just choose I agree or not and press Enter

4. At the "Update Screen", choose Yes and press Enter

Next screen, Choose Update from Internet and press Enter

5. At the "Update Priority Configuration" window, choose Priority 2 Virus Database Update and press Enter

6. Let it update and when finished, Press any key to continue

7. You end up back at the "Update Screen", choose Return and press Enter

8. You're at the "Main Menu" screen; choose Scan and press Enter

9. "Scan Type Menu", choose "Volumes Scan - Selected Volumes" and press Enter

10. "Scan Volumes", choose "OK" and press Enter

11. "Scan Options", choose "OK" and press Enter

12. "Run Scan", choose "Yes" and press Enter

13. When scan is complete, Press any key to continue

14. "Info screen", choose "OK" and press Enter

15. To see the scan report, select "Report File" and press Enter
Please look over the list, as some files can be crucial for the Windows system and deleting them can make it inoperative; if you're not sure, please Google the file or files.

16. "Scan Results Menu", use the up and down keys and choose "Select - Handle single or groups of infected files", press Enter
Go through the files and choose to Rename the infected file, don't choose Delete!
This is important....Rename<---

17. Read the "Warning Screen", "Yes" and Enter

18. Back to "Scan Results Menu", choose "Back or Return" to get to the "Main Menu" and then choose ---->Reboot System
Don't forget to take out the rescue cd.

19. All the malware files will be renamed to "_INFECTED.arl". To find all of these files, go to Start > Search > All Files and Folders, type "_INFECTED.arl" and click Search.
  Example: malware.exe would be renamed to malware.exe_infected.arl




#13 saradavi


Posted 01 August 2013 - 04:31 AM

I haven't got an empty USB stick handy, but I will get one today. Sorry to sound stupid, but do I do the first part (downloading AVG Rescue) on my laptop, or on someone else's and then plug it into mine? Just want to be sure! Thank you for your help and patience.

#14 GodfatherKing


Posted 01 August 2013 - 04:36 AM

It doesn't make any difference if you do it on your laptop or on someone else's... It's mostly used when the OS isn't bootable anymore, but that doesn't apply to your case. After you unpack the ZIP, just be sure to run only setup.exe. Don't run any other files from the unpacked ZIP.

If you want detailed information, it can be found here: http://www.avg.com/ww-en/226386




#15 saradavi


Posted 01 August 2013 - 04:37 AM

Also, are these the files you mention that are crucial to run Windows? http://sourcedaddy.com/windows-7/important-startup-files.html



