
More VBS Malware-Gen :( Help me Please


  • This topic is locked
52 replies to this topic

#1 Animalwithin

Animalwithin

  • Members
  • 30 posts
  • OFFLINE
  • Local time:04:44 AM

Posted 23 February 2017 - 01:57 AM

Last night, Avast kept sending me messages every several seconds saying it has blocked VBS Malware-Gen. I decided to run a boot time scan and what followed was over an hour of Avast deleting HUNDREDS of infected files (many Internet Explorer files, apps, etc.).

I had to stop the scan as I was afraid it was deleting important files and it unfortunately did. I now can't play any media; pictures, videos, and audio files won't play and I'll get an error message saying there is data missing.

I'm going to take my PC in and get the drive for step and Windows completely reinstalled (please let me know if this is the right course of action).

I am concerned about my external hard drive though. This past Saturday I backed up most of my files and tonight I saved the rest and now I'm afraid the external might be infected. Is this possible? How can I make sure the external hard drive is clean before putting the files on my computer after Windows has been cleaned/reinstalled?

Thank you for your time and advice

Forgot to mention that Malwarebytes failed to detect the malware

Edited by Animalwithin, 23 February 2017 - 02:17 AM.




#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,737 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:02:44 AM

Posted 27 February 2017 - 09:48 PM

Greetings Animalwithin and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Replytopic.jpg button instead.
  • In the upper right hand corner of the topic you will see the Followtopic.jpg button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

A fresh operating system is always beneficial. Once that is completed you can follow the below to scan your external drives.

===================================================

Malwarebytes Anti-Malware Including External Drive Option

----------
  • If Malwarebytes is already installed launch the program, update the database if necessary, attach any external drives you want to scan, and go directly to the Scan instructions below
  • If Malwarebytes is not installed download Malwarebytes Anti-Malware and save it to your desktop
  • Right click the desktop icon and select Run as administrator
  • Click OK for English, then click Next
  • Select I accept the agreement then continue to click Next then finally click Install
  • Uncheck Enable free trial of Malwarebytes Anti-Malware Premium if you do not want the free trial of the paid version, then click Finish
  • If you are notified the Database is out of date click Update Now
  • Hold down the Shift key then attach any external drives you want to scan
  • Click the Scan button near the top
  • Select Custom Scan then click Configure Scan
  • Place a check mark in Scan for rootkits, Scan Startup and Registry Settings, the C: drive, and any additional drives you would like to scan
  • Click Scan now
  • Note: If Malwarebytes will not launch stop and let me know
  • When completed review the Scan Results list and uncheck any items you want to keep (if there are identified items)
  • Click Quarantine threats
  • If requested restart your computer
  • Relaunch Malwarebytes
  • Click the Reports tab
  • Place a check mark in the most recent Scan Report then click View Report
  • Click Export, then select Text File (/txt)
  • Save the file on your Desktop as MBAM.txt
  • Copy and paste the contents of the report in your reply
===================================================

ESET Online Scanner Including External Drive Option

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours, that is normal.
  • Download esetsmartinstaller_enu.exe and save it to your Desktop
  • Double click the icon
  • Check YES, I accept the Terms of Use
  • Click the Start button
  • Accept any security warnings from your browser
  • Click Advanced settings
  • Check the following items

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Change next to Current scan targets:
  • Place a check mark in any additional drive you wish to scan then click OK
  • Click Start
  • ESET will then download updates and begin scanning your computer
  • If no threats are found simply click Uninstall application on close and hit Finish
  • If threats are found click List of found threats
  • Click Export to text file
  • Save the file on your Desktop as ESET.txt
  • Click Back
  • Check Uninstall application on close and Delete quarantined files
  • Click Finish
  • Close the ESET Online Scanner window
  • Copy and paste the contents of ESET.txt in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • MBAM log
  • ESET log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Animalwithin

Animalwithin
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:04:44 AM

Posted 28 February 2017 - 12:52 AM

Dear Oh My!

Thank you so much for assisting me with this issue, I truly appreciate it.

Unfortunately my problem has evolved. I had to act in haste as I use my PC a lot (I run an ecommerce business), and I had the drive reformatted and then a clean install of Windows 7 (original OS). I then continued upgrades to Windows 10 and downloaded a few apps (Malwarebytes, Avast, and Emsisoft). I scanned with Emsisoft and Avast just to be safe and nothing was found.

I then scanned with Malwarebytes and it found roughly 50 infected files. I quarantined them all and restarted my PC. Restart failed a few times and said that Windows had errors. It said I can continue to attempt to restart to fix errors or it allowed me to troubleshoot. I did a reset of Windows removing all applications/programs and files.

After a very slow start up, all apps/programs/settings no longer work (error 0xc0000005). I downloaded all of them once again (including ESET) and even the installer pops up that error message. Photos and videos can't be viewed (more error messages), and I am afraid to stay on the internet too long as I still don't know if the original malware (VBS Malware-Gen) is truly gone or not. Furthermore, the computer fails to start up correctly unless I try it a few times and it's running very slow.

This is such a mess and very disheartening with a lot of time spent thus far trying to fix this. Thank you again for your help with this, I'm very grateful.

Edited by Animalwithin, 28 February 2017 - 01:15 AM.


#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,737 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:02:44 AM

Posted 28 February 2017 - 10:05 AM

Greetings,

Sorry to hear of your continued troubles. When you reinstalled the Operating System did things work fine until you connected an external drive? Did you transfer backed up data files back onto the clean installation?

If your external device is attached please remove it then attempt the below. If you need to boot into Safe Mode with Networking feel free to do so.

===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your Desktop. <<< Important
  • Double click the icon
  • Click Yes to the disclaimer
  • Make sure the Addition.txt box is checked
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • FRST results
  • Addition log

Gary
 

#5 Animalwithin

Animalwithin
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:04:44 AM

Posted 28 February 2017 - 12:15 PM

Oh My!, I have not connected any external hard drive/USBs or transferred any data onto the computer since I reinstalled the OS. I'm worried that those are potentially infected and I don't want to reinfect the computer.

Unfortunately, Farbar doesn't work either, I get the same 0xc0000005 error and it fails to load. This is also the same error I receive when I start up the computer and it fails to start unless I shut down and turn on multiple times (bwm.exe error)

#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,737 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:02:44 AM

Posted 28 February 2017 - 12:20 PM

Did you start the computer in Safe Mode with Networking and try to run FRST?
Gary
 

#7 Animalwithin

Animalwithin
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:04:44 AM

Posted 28 February 2017 - 12:23 PM

I've tried to initiate safe mode but I get no response when I press F8, I either get the bwm.exe error message or it boots up fully to desktop

#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,737 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:02:44 AM

Posted 28 February 2017 - 12:34 PM

Thank you,

Please attempt the following in Normal Boot if you can then try to run FRST.

===================================================

Rkill

-------------------
  • Please download Rkill by Grinler from one of the 3 links below (if one of them does not work try another...) and save it to your desktop:

rkill.scr
rkill.com
rkill.exe

  • In order for Rkill to run properly you must disable your anti-malware software. Please refer to this page if you are not sure how.
  • Double-click on Rkill. (If you are using Windows Vista or above, please right-click on it and select Run As Administrator)
  • Note: You may have to run Rkill a few times before it is successful. As a reminder, you may also have to download Rkill from a different link which will save it as a different file name.
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • An Rkill.log will appear. Please copy and paste the contents in your reply (file also located at c:\rkill.log)
  • Do not reboot your computer after running Rkill as the malware programs will start again. If your computer reboots, run Rkill again before continuing on to the next step.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
===================================================

Run FRST.

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • RKill log
  • FRST log
  • Addition log

Gary
 

#9 Animalwithin

Animalwithin
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:04:44 AM

Posted 01 March 2017 - 12:07 AM

I downloaded RKill using all three links and nothing happens upon clicking all three.



#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,737 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:02:44 AM

Posted 01 March 2017 - 10:33 AM

OK, thank you for at least trying.

Please do this.

===================================================

Farbar's Recovery Scan Tool

--------------------

For this step you will need a USB flash drive and start on a clean computer.
  • From a working computer please download Farbar Recovery Scan Tool and save it to a flash drive. You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Plug the flash drive into the infected PC and follow the 2 step process below to enter the System Recovery Options using one of the three options listed, then running Farbar's Recovery Scan Tool
----------

Entering into the System Recovery Options

Option #1

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key (possibly another key) until Advanced Boot Options appears
  • Use the arrow keys to select the Repair your computer menu item
  • Select English as the keyboard language settings, and then click Next
  • Select the operating system you want to repair, and then click Next
  • Select your user account and click Next
Option #2

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc
  • Restart your computer
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings
  • Click Repair your computer
  • Select English as the keyboard language settings, and then click Next
  • Select the operating system you want to repair, and then click Next
  • Select your user account and click Next
----------

Running Farbar's Recovery Scan Tool in System Recovery
  • Once you are in the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in Notepad and press Enter
  • Under File menu select Open
  • Select Computer and double click on your flash drive
  • Locate and double click frst.exe or frst64.exe to launch the program
  • When the tool opens click Yes to disclaimer
  • Press Scan button
  • A FRST.txt file will be saved on the flash drive
  • Copy and paste it to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:
  • FRST.txt

Gary
 

#11 Animalwithin

Animalwithin
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:04:44 AM

Posted 01 March 2017 - 11:40 PM

I inserted the installation disc and restarted the computer, however the computer was unresponsive to this; it simply booted up to desktop and did not prompt me to press any keys. The computer is unresponsive to command prompt as well, I can't check the BIOS.

 

Thank you again for taking all this time to help me, it's truly appreciated, even if we haven't yet found a solution



#12 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,737 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:02:44 AM

Posted 02 March 2017 - 05:34 PM

When you boot your computer start tapping keys like Esc, F2, F9, or a different key to either get to the boot device option or the BIOS screen. If you get to the boot device option simply scroll down to the CD and hit the Enter key.

https://www.howtogeek.com/129815/beginner-geek-how-to-change-the-boot-order-in-your-computers-bios/
Gary
 

#13 Animalwithin

Animalwithin
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:04:44 AM

Posted 02 March 2017 - 06:38 PM

I've unfortunately tried this; the computer is completely unresponsive to any key while booting up :( 



#14 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,737 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:02:44 AM

Posted 02 March 2017 - 07:13 PM

Transfer FRST.exe onto a USB drive, right click on the icon, select Rename and rename it to FRST.com.  Double click the icon and see if FRST will launch. If so, click Scan.


Gary
 

#15 Animalwithin

Animalwithin
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:04:44 AM

Posted 02 March 2017 - 11:02 PM

Sadly, nothing happened :( I still get the same 0xc0000005 application error





