Serious malware attack


6 replies to this topic

#1 Faizur_89

Posted 10 May 2018 - 09:54 PM

Hi Guys.

I'm very sure my laptop has been infected. I can't run Malwarebytes, Chameleon, any of the Rkill versions, not even FRST. I can't open Task Manager or Device Manager either.

The warning message I get is "Windows cannot find {file path}. Make sure you typed the name correctly and try again".

I have tried scanning using Avast with a full PC scan and a boot-time scan too. Nothing seems to detect or remove the malware. I'm so clueless at the moment.

Yesterday I tried Safe Mode. I can open MBAR and Rkill but they can't detect anything. I can also open Task Manager in Safe Mode.

I noticed that all this started the day I let my friends use their USB flash drive on my computer. Some also downloaded .pptx files from email for our presentation that day.

I am using Windows 8.1.

Please help.
 
 
Moved from Windows 8 by NickAu (Mod Edit)

Edited by Faizur_89, 10 May 2018 - 11:15 PM.



#2 dc3

    Bleeping Treehugger

Posted 15 May 2018 - 09:31 AM

In this case you should run RKill first, leave it running and then run the other scans.

 

Please run the scans suggested below in the order that they are requested and post the logs in the same order.  Unless otherwise instructed, post the logs in your topic; do not use a host website to post these logs.  Please do not wrap your logs in quotes or code brackets or use spoilers.


Please download and run RKill

RKill attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections.  RKill will not remove any of the processes it stops, you will need to run security scans to remove any malware found.  These settings will remain until the computer is rebooted, for this reason you must run your security applications before the computer is restarted.  

Please download RKill and install it.

When RKill is run it will display a console screen similar to the one below:

[screenshot: RKill console]

After this has run you will see another image explaining that RKill has finished running and you should be able to run the scan.  You need to click/tap on OK.

[screenshot: RKill finished message]

When RKill has finished running a log will be displayed showing all of the processes that were terminated by RKill.

Attention: At this time you need to run your security applications listed below.  When the scan has finished running a log will be posted in Notepad.  Copy and paste this log in your topic.

Important: There is a possibility that malware may recognize RKill and keep it from running; if this is the case do the following.

While RKill is running you may see a message from the malware stating that the program could not be run because it is a virus or is infected.  This is the malware trying to protect itself.  Two methods that you can try to get past this and allow RKill to run are:

1)  Rename Rkill so that it has a .com extension.

2)  Download a version that is already renamed as files that are commonly white-listed by malware. The main Rkill download page contains individual links to renamed versions.  

After the application has run successfully and you have run the requested scans you should reboot the computer to restore the processes and Windows Registry entries.


Please run TDSSKiller.
 
Please download TDSSKiller from here and save it to your Desktop.

The log for the TDSSKiller can be very long.  If you go to the bottom of the log to where you find Scan finished you will see the results of the scan.  If it shows Detected object count: 0 and Actual detected object count: 0, this means that nothing malicious was found and you will not need to post the log.
 
1.  Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
 
2.  Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system.
 
If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.
 
3.  Click Start Scan and allow the scan process to run.

[screenshot: TDSSKiller parameters]
 
4.  If threats are detected select Cure (if available) for all of them unless otherwise instructed.  If threats are not found you will see a screen like the one below.

[screenshot: TDSSKiller no threats found]
 
***Do NOT select Delete!

Click on Continue.
 
5.  Click on Reboot computer.
 
Please copy the TDSSKiller.[Version]_[Date]_[Time]_log.txt file found in your root directory (in most cases this is the C: drive) and paste it into your next reply.

Note:  The log may be very long.  You may need to break it into parts to post the whole log in your topic.



Please run Malwarebytes AntiMalware

Please download Malwarebytes Anti-Malware 2.2.

1)  Double-click on mbam-setup.exe, then click on Run to install the application, follow the prompts through the installation.

2)  Malwarebytes will automatically open.  You will see an image like the one below, click on Update Now.  

[screenshot: Malwarebytes Update Now]

3)  Click on Settings, you will see an image like the one below.

[screenshot: Malwarebytes Settings]

When Settings opens click on Detection and Protection, then under Non-Malware Protection, click on the down arrow for PUP (Potentially Unwanted Programs) detections and select Treat detections as malware.  Under Detection Options place a check in the box for Scan for rootkits.

4)  Click on Scan (next to Settings), then click on Scan Now.  The scan will automatically run now.

5)  When the scan is complete the results will be displayed.  Click on Delete All.

[screenshot: Malwarebytes scan results]

6)  Please post the Malwarebytes log.

To find the Malwarebytes log do the following.  Copy and paste the log in your topic.

*Open Malwarebytes Anti-Malware.
*Click the Scan Tab at the top.
*Click the View detailed log link on the right.
*Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
*Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
*Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


Please download AdwCleaner and install it.

When AdwCleaner opens click on Scan to start the scan.

[screenshot: AdwCleaner Scan]

Once the search is complete a list of the pending items will be displayed.  If you see any which you do not want removed, remove the check mark next to it.

If no malicious programs are found you will receive a message informing you of this.
 
Click on Clean to remove the selected items.  If you have any questions about any items in the list please copy and paste the list in your topic so we can review it.  

[screenshot: AdwCleaner Clean]
 
You will receive a message telling you that all programs will be closed so that the infections can be removed.  Click on OK.  The computer will be restarted to complete the cleaning process.
 
When the cleaning process is complete a log of what was removed will be presented.  Please copy and paste this log in your topic.


Please run the ESET OnlineScan

This scan takes quite a long time to run, so be prepared to allow this to run till it is completed.

***Please note. If you run this scan using Internet Explorer you won't need to download the Eset Smartinstaller.***

ESET Online Scanner

  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology

  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • If threats are found click on Save to text file in Documents.
  • Open Documents, find the report, copy and paste it in your topic.

 


Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#3 Faizur_89 (Topic Starter)

Posted 16 May 2018 - 04:26 AM

Hi Treehugger,

Thank you for your response. However, as I have posted in my earlier post, I AM UNABLE TO OPEN ANY OF THE RKILL APPLICATIONS. I have downloaded rkill.exe, rkill.scr, rkill.com, ieXplore.exe, rkill-unassigned.exe. None of them can be opened. I seem to have lost my Administrator privilege. I can't even open Task Manager. I only get the warning message "Windows cannot find 'C:\WINDOWS\system32\taskmgr.exe'. Make sure you typed the name correctly, and then try again".

I get the same message when I try to run any of the Rkills, AdwCleaner, TDSS and Malwarebytes.

Also, as I mentioned in my previous post, I can run all of the above in Safe Mode but nothing was detected.

Please advise. Thanks.



#4 dc3

    Bleeping Treehugger

Posted 16 May 2018 - 08:12 AM

Are you using an Administrator account when you tried to run RKill?

 

If this works in Safe Mode there could be a third party service which is causing this problem.  To determine if this is the case you need to perform a Clean Boot.

 

A Clean Boot is basically a process of elimination.  You isolate the Windows services and disable the third party services, then restart the computer.  After restarting the computer, see if the problem continues; if the problem does not continue you know that one of the third party services is causing this problem.  This is where the process of elimination comes into play.  You will add checks to half of the services, then restart the computer; one of these halves will contain the problematic service if there is one.  The half with the checks that causes this problem is the half you want to continue to divide in half and restart till you eventually find the service causing the problem.

 

How to perform a Clean Boot.

Warning:  Disabling items in Services or Startup may leave your antivirus disabled until the process is ended.  For this reason I would suggest that you perform this process off line.

Press the Windows key and the R key to open Run, then type msconfig in the search box.  This will open System Configuration.

If you are prompted for an administrator password or for confirmation, you should enter the password or provide confirmation.

1. Click/tap on the General tab.   

2. Click/tap on the Selective startup option.

3. Remove the check mark in the Load startup items  check box.

[screenshot: clean-boot-1]

4.  Click on the Services tab.

5.  Place a check mark in the Hide all Microsoft services check box; this will remove the Microsoft services from the list, but they will still be running.

6.  Click Disable all, this will remove all of the check marks in the Services list.

[screenshot: clean-boot2]

7.  Click on Hide all Microsoft services.  Click on Apply then OK  

[screenshot: clean-boot3]

Click on Restart in the window that opens.

When the computer is restarted it will boot normally.  

If the problem does not continue after the restart please do the following.

8.  Divide the number of these services by two and place checks in the first half of these, then restart the computer.
 
9.  If the problem doesn't return in those services remove the checks and place checks in the remaining services and restart the computer.

10.  When you find which half the service is in go on to the next step.  

11. In the half which has the service causing this problem, remove half of the checks as you did previously to see which half has this service.  Restart the computer.

12.  If it isn't in the first half of these services, do the same with the last half of the services.

13.  Once you have narrowed it down to the last three or four services remove the checks one at a time till you find the service at fault.

Once you have found the service post it in your topic.  


 


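The halving in steps 8 to 13 above is a binary search over the third-party services, with one reboot per probe. As an added illustration (this is not part of the post, nor any tool the thread mentions), the following Python models that search: each call to `problem_present` stands for one "set the checks in msconfig, reboot, observe" cycle, and the service names and oracles are constructed for the example. It also handles the two ways the search can come up empty that the steps do not spell out: the symptom persists with everything disabled (so no service is the cause), or it only appears when two services run together, which the final single-service confirmation in step 13 exposes.

```python
"""Model of the clean-boot bisection described in the steps above (added example).

Each call to problem_present() stands for one msconfig cycle: enable exactly the
given third-party services, reboot, and observe whether the symptom is back.
The service names and oracles used here are constructed for illustration.
"""
from typing import Callable, FrozenSet, Optional, Sequence, Tuple

# An oracle answers "does the symptom reproduce with exactly these services enabled?"
Oracle = Callable[[FrozenSet[str]], bool]


def bisect_services(services: Sequence[str], problem_present: Oracle) -> Tuple[Optional[str], int]:
    """Return (culprit, reboots).

    culprit is the single service that reproduces the symptom on its own, or None
    when no single service is responsible (the symptom persists with everything
    disabled, or it needs two services together).  reboots counts the cycles used.
    """
    reboots = 1
    # Step 7 outcome: all third-party services disabled.  If the symptom is still
    # present, a service is not the cause and bisecting would only waste reboots.
    if problem_present(frozenset()):
        return None, reboots

    candidates = list(services)
    while len(candidates) > 1:
        # Steps 8-12: re-enable only the first half of the remaining suspects, reboot.
        first_half = candidates[: len(candidates) // 2]
        reboots += 1
        if problem_present(frozenset(first_half)):
            candidates = first_half
        else:
            # Symptom absent with the first half enabled, so it lives in the other half.
            candidates = candidates[len(candidates) // 2 :]

    # Step 13: confirm the last remaining service on its own.  This is what catches
    # a symptom that only appears when two services run together.
    reboots += 1
    if candidates and problem_present(frozenset(candidates)):
        return candidates[0], reboots
    return None, reboots


def max_reboots(service_count: int) -> int:
    """Worst-case reboots: 1 baseline + one per halving + 1 confirmation.

    The larger half is kept each time in the worst case, so the halving count is
    the number of times ceil(n/2) must be applied to reach 1.
    """
    halvings = 0
    remaining = service_count
    while remaining > 1:
        remaining = (remaining + 1) // 2
        halvings += 1
    return 1 + halvings + 1


if __name__ == "__main__":
    # Constructed list of 13 third-party services; the symptom follows ThirdPartySvc09.
    svcs = [f"ThirdPartySvc{i:02d}" for i in range(13)]
    culprit, cost = bisect_services(svcs, lambda enabled: "ThirdPartySvc09" in enabled)
    print(f"culprit={culprit} after {cost} reboots (worst case {max_reboots(len(svcs))})")
```

With 13 suspects the search needs at most six reboots instead of thirteen one-at-a-time trials; the confirmation reboot at the end is what turns "the symptom was in this half" into "this one service reproduces it".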

#5 Faizur_89 (Topic Starter)

Posted 18 May 2018 - 12:30 AM

Hi,

I did as advised. I am the Administrator and I am running it on the Administrator Windows.

However, I can't run msconfig. I am getting the same error message:

Windows cannot find 'C:\WINDOWS\system32\msconfig.exe'. Make sure you typed the name correctly, and then try again.

I did try it in Safe Mode. It worked. I disabled all the non-Microsoft products and restarted. But the problem persists. Once I'm logged in in normal mode, I can't run msconfig or Rkill again.

Please advise. Tq

#6 dc3

    Bleeping Treehugger

Posted 18 May 2018 - 08:04 AM

It's beginning to look like you have some corruption in the operating system.  Please do the following to reinstall the operating system.

 

How to perform a Windows 10 Refresh from Installation Media

A Refresh will basically reinstall Windows 10.  You will have the option to keep your personal files, but it will uninstall any third party programs you installed.  You will be offered a list of the programs which will be uninstalled; you can use this list as a reference to these programs.

To do a Refresh on a computer which can not boot you will need Windows 10 Installation Media.

If you don't have installation media you can use the Windows 10 Media Creation Tool to create installation media for either a disc or flash drive.  Follow the instructions for the second option, Using the tool to create installation media (USB flash drive, DVD, or ISO file) to install Windows 10 on a different PC.

In order to use either form of installation media you may need to change the boot order in the BIOS so that the type of media (disc or USB flash drive) is the first device in the boot order, and the ssd/hdd the second device.

If you are using a disc place it in the tray of your optical drive, close the door and restart the computer.  When the computer recognizes the disc it will instruct you to press any key to boot from the disc.

If you are using a USB flash drive place it in a USB port and restart the computer.  You will receive the message to press any key to boot from the device.

Connect the installation media you created to your nonfunctional PC, and then turn it on.

On the initial setup screen, enter your language and other preferences, and then select Next. If you're not seeing the setup screen.

Select Repair your computer.

On the Choose an option screen, select Troubleshoot.  From there, select Reset this PC.


There is a very good tutorial available, you will find it here.



 



#7 Faizur_89 (Topic Starter)

Posted 18 May 2018 - 07:48 PM

Hi dc3,

As I mentioned in my first post,

I AM USING WINDOWS 8.1

For those who are facing the same issue, I did a few things to get rid of this issue.

First, I booted into Safe Mode and then uninstalled all the applications that I think are causing this issue, i.e.: Avast, Malwarebytes, Adobe, all broadband and mobile modems and PC suites. Basically I removed almost all the external applications.

Then I opened Command Prompt (since it is already in Safe Mode, it was opened with Administrator privilege). Type sfc /scannow then wait for it to complete. It did detect something and then repaired the error.

Then I restarted my PC. Now all the issues seem to have disappeared. But I won't take the chances. The next thing I'm planning to do is to reinstall Avast, Malwarebytes, AdwCleaner, TDSS and run all the scans.

Thanks.



