
winrar archive pops up on startup


8 replies to this topic

#1 bellcher

bellcher

  • Members
  • 4 posts

Posted 31 May 2014 - 07:21 AM

Hi,

this is my first post on this forum and hopefully you can help with my malware issue.

Basically I get a winrar archive box (in German) pop-up after the system has booted.

This only happens on one user account.

 

I've used Malwarebytes and Spybot, which appears to have helped a bit. Initially the pop-up auto booted and started to try and load until my Free AVG kicked in.

After I ran Malwarebytes and Spybot and took out all references I could see in the registry, the pop-up just sits there apparently doing nothing until I shut it down.

 

I've hopefully attached a picture of the pop-up.

Any help would be appreciated.

Cheers

 

Attached File  WinRar Popup.pdf   482.27KB   2 downloads


Edited by hamluis, 31 May 2014 - 09:31 AM.
Moved from Win 7 to Am I Infected - Hamluis.



#2 scotty_ncc1701

scotty_ncc1701

  • Members
  • 520 posts
  • Gender:Male

Posted 31 May 2014 - 07:32 AM

It would appear that you have the WINRAR install file, or at least a short cut to it in the "Startup" folder.  On Windows 8, it is located here:

C:\Users\(userid)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Windows 7 will have a similar location, or maybe the same location.  The folder is hidden, so you have to allow hidden folders/files to be seen.  Once you're there, delete the shortcut/file.
 

Best of luck.


Edited by scotty_ncc1701, 31 May 2014 - 07:32 AM.
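An added example, not from this thread or any poster, that does the review step implied above in one go: it lists the per-user and all-users Startup folders, resolves each shortcut to the program it actually launches, and reports the owner, the company name embedded in the file and the Authenticode signature status. The company name and description are just strings the file declares about itself (the "Red Gate Software" description in this thread is exactly that kind of string); the signature check is the part that actually ties the binary to a publisher.

```powershell
# Added example: triage Startup folder entries before deciding what to remove.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets

$report = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # -Force includes hidden files; desktop.ini is only folder metadata
    Get-ChildItem -LiteralPath $dir -Force -File |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object {
            $entry  = $_.FullName
            $target = $entry
            if ($_.Extension -ieq '.lnk') {
                # A shortcut in Startup runs whatever it points at, so inspect that
                $target = $shell.CreateShortcut($entry).TargetPath
            }
            $info = [ordered]@{
                Entry       = $entry
                Target      = $target
                Owner       = (Get-Acl -LiteralPath $entry).Owner
                Company     = $null
                Description = $null
                Signature   = 'target missing'
            }
            if ($target -and (Test-Path -LiteralPath $target)) {
                # Self-declared metadata: anyone can put any company name here
                $vi = (Get-Item -LiteralPath $target).VersionInfo
                $info.Company     = $vi.CompanyName
                $info.Description = $vi.FileDescription
                # Authenticode: 'Valid' means a trusted signer vouches for the file;
                # 'NotSigned' or 'HashMismatch' deserves a closer look
                $sig = Get-AuthenticodeSignature -FilePath $target
                $info.Signature = "$($sig.Status) $($sig.SignerCertificate.Subject)"
            }
            [pscustomobject]$info
        }
}
$report | Format-List
```

An entry whose declared company does not match a valid signature, or whose owner is not the account that uses the profile, is the one to investigate further.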


#3 bellcher

bellcher
  • Topic Starter

  • Members
  • 4 posts

Posted 31 May 2014 - 07:45 AM

Hi Scotty,

I've found the file as suggested but I can't delete it. It says I need permission even though I'm administrator.

I noticed that this program was in my startup list when I was trying to fix the issue earlier but I couldn't delete it using msconfig.

The .exe file is called xsytzecrn, from a company, Red Gate Software Ltd.

The file description is .NET reflector Consol Application File version 8.2.0.7

Cheers



#4 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,685 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.

Posted 31 May 2014 - 11:31 AM

Please run the following scans.

Please run the ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET OnlineScan button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

 

Please download Malwarebytes Anti-Malware.  After clicking on the link the download will start automatically.
 
1)  Double-click on mbam-setup.exe, then click on Run to install the application, follow the prompts through the installation.
 
2)  Malwarebytes will automatically open.  If this is the first time you have run this version of Malwarebytes you will see an image like the one below.
 
Click on Update Now, after Malwarebytes is updated click on Scan.
 
If this isn't the first time you have run this version, then you will see an image like the one below.  Click on Scan
 
 
You will be prompted to update Malwarebytes, to do so click on Update Now.
 
 
3)  The scan will automatically run now.
 
 
 
4)  When the scan is complete the results will be displayed.  Click on Quarantine All, then click on Apply Actions
 
 
 
5)  To complete any actions taken you will be asked if you want to restart your computer, click on Yes
 
 
6)  Please post the Malwarebytes log.
 
To find your Malwarebytes log, download mbam-check.exe from here and save it to your desktop.
 
To open the log double click on mbam-check.exe on your desktop.  When the log opens, scroll down toward the bottom of the log to Quarantined Items.  Copy and paste this in your next post.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.


#5 bellcher

bellcher
  • Topic Starter

  • Members
  • 4 posts

Posted 31 May 2014 - 11:49 AM

Hi,

thank you for all the help. Problem cured... I think! I managed to delete the file mentioned above by changing the permissions to the folder rather than the file. This then allowed me to delete the file.

I've rebooted several times and no pop-up. I ran Malwarebytes again and no problems detected. So I'm guessing it's OK.

Again thanks for the assistance.

Bellcher



#6 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,685 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.

Posted 31 May 2014 - 11:58 AM

You should still run the scans.


#7 scotty_ncc1701

scotty_ncc1701

  • Members
  • 520 posts
  • Gender:Male

Posted 31 May 2014 - 12:26 PM

When you have ownership issues, you can always use takeown:

c:\TEMP02>takeown /?

TAKEOWN [/S system [/U username [/P [password]]]]
/F filename [/A] [/R [/D prompt]]

Description:
This tool allows an administrator to recover access to a file that
was denied by re-assigning file ownership.

Parameter List:
/S system Specifies the remote system to
connect to.

/U [domain\]user Specifies the user context under
which the command should execute.

/P [password] Specifies the password for the
given user context.
Prompts for input if omitted.

/F filename Specifies the filename or directory
name pattern. Wildcard "*" can be used
to specify the pattern. Allows
sharename\filename.

/A Gives ownership to the administrators
group instead of the current user.

/R Recurse: instructs tool to operate on
files in specified directory and all
subdirectories.

/D prompt Default answer used when the current user
does not have the "list folder" permission
on a directory. This occurs while operating
recursively (/R) on sub-directories. Valid
values "Y" to take ownership or "N" to skip.

/SKIPSL Do not follow symbolic links.
Only applicable with /R.

/? Displays this help message.

NOTE: 1) If /A is not specified, file ownership will be given to the
current logged on user.

2) Mixed patterns using "?" and "*" are not supported.

3) /D is used to suppress the confirmation prompt.

Examples:
TAKEOWN /?
TAKEOWN /F lostfile
TAKEOWN /F \\system\share\lostfile /A
TAKEOWN /F directory /R /D N
TAKEOWN /F directory /R /A
TAKEOWN /F *
TAKEOWN /F C:\Windows\System32\acme.exe
TAKEOWN /F %windir%\*.txt
TAKEOWN /S system /F MyShare\Acme*.doc
TAKEOWN /S system /U user /F MyShare\MyBinary.dll
TAKEOWN /S system /U domain\user /P password /F share\filename
TAKEOWN /S system /U user /P password /F Doc\Report.doc /A
TAKEOWN /S system /U user /P password /F Myshare\*
TAKEOWN /S system /U user /P password /F Home\Logon /R
TAKEOWN /S system /U user /P password /F Myshare\directory /R /A

I know that it is in Windows 7 and 8. Don't know about Vista.

Edited by scotty_ncc1701, 31 May 2014 - 12:27 PM.


#8 bellcher

bellcher
  • Topic Starter

  • Members
  • 4 posts

Posted 31 May 2014 - 12:42 PM

Cheers guys,

have run Malwarebytes and no threats found. Will run ESET.



#9 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,685 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.

Posted 31 May 2014 - 02:01 PM

To take ownership of a file, follow these steps:
 
   1. Right-click the file that you want to take ownership of, and then click Properties.
   2. Click the Security tab, and then click OK on the Security message (if one appears).
   3. Click Advanced, and then click the Owner tab.
   4. In the Name list, click Administrator, or click the Administrators group, and then click OK.
 
      The administrator or the administrators group now owns the file.
 
To change the permissions on the file that you now own, follow these steps:
 
   1. Click Add.
   2. In the Enter the object names to select (examples) list, type the user or group account that you want to have access to the file. For example, type Administrator.
   3. Click OK.
   4. In the Group or user names list, click the account that you want, and then select the check boxes of the permissions that you want to assign that user.
   5. When you are finished assigning permissions, click OK.
   6. You can now access the file.
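The same two procedures (Owner tab, then Add permissions) done from an elevated PowerShell prompt, as an added example that is not from this thread or any poster. $path is a placeholder for the Startup entry that refused to be deleted; it assumes you are running as a member of Administrators with elevation, which is what lets the Administrators group be set as owner.

```powershell
# Added example: script equivalent of the Security > Advanced > Owner and
# Add-permissions steps above. Run from an elevated prompt.
$path = 'C:\placeholder\Startup\entry.exe'   # placeholder: the entry you could not delete

$admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'

# Step 1 (Owner tab): make the Administrators group the owner of the file.
$acl = Get-Acl -LiteralPath $path
$acl.SetOwner($admins)
Set-Acl -LiteralPath $path -AclObject $acl

# Step 2 (Add / check boxes): grant Administrators Full Control.
# Re-read the ACL now that we own the file and can write its DACL.
$acl  = Get-Acl -LiteralPath $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $admins, 'FullControl', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $path -AclObject $acl

# Verify before touching the file: owner and the new access entry should show up.
$acl = Get-Acl -LiteralPath $path
"Owner now: $($acl.Owner)"
$acl.Access |
    Where-Object { $_.IdentityReference -eq $admins } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

If the second Set-Acl still fails, the parent folder's permissions are the obstacle, which is the same reason the poster above succeeded by changing the folder rather than the file.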