Avast WEBforum

Other => Viruses and worms => Topic started by: REDACTED on March 26, 2015, 04:07:43 AM

Title: Possible virus after clicking on Malwarebytes program update popup
Post by: REDACTED on March 26, 2015, 04:07:43 AM
Hi dear friends, it seems I may need your help one more time :(
My PC seems to have, maybe, gotten a virus. It started when I clicked on an update from Malwarebytes; when I clicked on it a few popups came up saying Malwarebytes stopped a malicious site. After that, I am unable to download anything on my computer, not even Malwarebytes, which I can not open to run it. I also tried downloading ADWCleaner but can not download it, and my Google browser is not working either; it was the browser I was using when this happened. I can open IE, but I can not download, it seems, like nothing.
I ran an Avast full scan but it got stuck at 19%; it ran for 3 hours, but stuck at 19%. I started the full scan again and it is stuck now at 19% again.
Can you please help me? Since I can not download anything on that computer, I can not follow your recommendations and I do not know what to do. I do have this laptop and an iPad that are OK.
The computer infected is a Dell, Windows Vista, has (or I should say had at the time of possible infection) Malwarebytes Premium and Avast Premier 2015. Google Chrome not working at the moment and IE is working so far.
Thank you so much!
Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: Pondus on March 26, 2015, 08:04:01 AM
Quote
I do have this laptop and an iPad that are OK.
good .....

first install MCShield on your lappy   http://www.mcshield.net

then see instructions here  https://forum.avast.com/index.php?topic=53253.0
download Farbar Recovery Scan Tool on your lappy, then move it over with a USB stick, run as instructed, move the two logs back to the lappy and attach here



Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: REDACTED on March 26, 2015, 08:19:43 PM
Thanks Pondus! Should I also install mcshield on my infected PC too?
Do I need it in my laptop if I have malwarebytes premium too?
Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: Pondus on March 26, 2015, 08:23:50 PM
Quote
Thanks Pondus! Should I also install mcshield on my infected PC too?
Do I need it in my laptop if I have malwarebytes premium too?
It is recommended to have it on all computers. This is a special scanner that protects against malware that uses removable drives to spread.
It is an install and forget tool; it uses no resources except for when you plug in a USB device and it scans for a few seconds.

lots of info / reviews on MCShield website

Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: REDACTED on March 26, 2015, 08:34:08 PM
Hi Pondus, I plugged in the USB on my PC, but it won't open. I can not either open anything on the Start menu, I can not even shut down or use Sleep on it, It won't respond.
Should I just turn off the PC by pressing the power button and see what happens? and then once restarted try again or shutting it down will make it worse?
I am thinking that maybe Vista is frozen, but I can open some stuff like IE, Avast (even though the scanning stops at 19%, it won't go further), also Windows update opens up, but if I click on the USB or Start menu, there is no response, can not open Google either...
Avast safe Zone does not open either...
I just tried running a quick scan with Avast, the screen went black, then all white and it says Avast is not responding... all the screen is white with light blue borders around it
Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: essexboy on March 26, 2015, 09:33:36 PM
What version of windows do you have and is it 32 or 64 bit ?
Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: REDACTED on March 26, 2015, 10:14:48 PM
Hi Essexboy! The computer infected is a Dell, Windows Vista, had at the time of possible infection Malwarebytes Premium and Avast Premier 2015. I can not remember if it is 32 or 64 and at the moment I can not check that as the screen continues to be for the last 2 hours all white with light blue border and the mouse symbol is circling continuously...
Should I turn it off and on manually by pressing the Power button? it has been on since yesterday...
Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: essexboy on March 26, 2015, 10:36:22 PM
Yes turn it off I will give links for both 32 and 64 bit, but try 32 bit first.  Links sent by PM
 

Download the following three programmes to your desktop :
 
 
1.  Rufus (http://rufus.akeo.ie/) 
 
For 64bit systems  
2. Windows Vista 64bit RC
3. Farbar Recovery Scan Tool x64 (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) 
 
For 32bit systems
2.  Windows Vista RC
3. Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) 
 
 
Insert the USB stick, then run Rufus
 (https://dl.dropbox.com/u/73555776/rufus.JPG)
Select the ISO file on the desktop via the ISO icon. 
 
Press Start Burn
(https://dl.dropbox.com/u/73555776/RufusISO.JPG)
Then copy FRST to the same USB   
 
(http://dl.dropbox.com/u/73555776/frstwintoboot.JPG)   
 
 
 
Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that follow the instructions Here (http://lifehacker.com/5991848/how-to-boot-from-a-cd-or-usb-drive-on-any-pc)
 
Windows 7 and Vista screenshots 

When you reboot you will  see this.
 Click repair my computer  
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg) 
 
Select your operating system  
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg) 
 
Select Command prompt 
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg) 
 
At the command prompt type the following  :
 
notepad and press Enter
The notepad opens. Under File menu select Open
Select "Computer" and find your flash drive letter and close the notepad. 
In the command window type e:\frst64.exe or e:\frst.exe depending on the system
and press Enter
Note: Replace letter e with the drive letter of your flash drive. 
The tool will start to run. 
When the tool opens click Yes to disclaimer. 
(https://dl.dropboxusercontent.com/u/73555776/frst.JPG)
Press Scan button. 
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 
Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: REDACTED on March 26, 2015, 10:49:59 PM
Thanks! I will do that. Is it safe to reinsert the USB I have already inserted on my contaminated PC, on my laptop again or should I get a new one?
Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: essexboy on March 26, 2015, 11:03:18 PM
No need for a fresh one as Rufus will wipe the drive before it copies the boot data to it
Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: REDACTED on March 26, 2015, 11:08:18 PM
OK! should I use:
Rufus 2.1 (788 KB)  or
Rufus 2.1 Portable (788 KB)
Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: REDACTED on March 26, 2015, 11:14:17 PM
When I inserted the USB on my laptop, MCShield ran and said it was infected, but stopped it. This is what the note pad showed in case it helps:


MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.3.23.1 / Windows 7 <<<


3/26/2015 3:10:30 PM > Drive E: - scan started (KINGSTON ~15262 MB, FAT32 flash drive )...

>>> E:\autorun.inf > Legitimate file.

> Resetting attributes: E:\urDrive < Successful.


=> Hidden folders    : 1/1 unhidden.

____________________________________________

::::: Scan duration: 15sec :::::::::::::::::
____________________________________________
Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: REDACTED on March 26, 2015, 11:23:25 PM
I used the Rufus Portable, as the other did not work...
Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: REDACTED on March 26, 2015, 11:49:32 PM
Hi, I used the Rufus portable download and pressed start and this is what showed up - attached file for Rufus screen shot and warning screenshot. Even though I made sure it looks like the screen shot you sent me...
Should I uncheck : Create a bootable disk...
and press start again?
I am confused....

 I do not see : Select the ISO file on the desktop via the ISO icon.
As I do not see any ISO on my desktop.... where will it be..?

So I guess I am stuck on the warning showed in attachment Rufus 5, as I have no idea of what to do next...
So sorry that I am so inexperienced with this stuff... it is probably simple, but...

Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: essexboy on March 27, 2015, 01:35:23 PM
Insert the USB stick, then run Rufus
 (https://dl.dropboxusercontent.com/u/73555776/RufusISO.JPG)
Select the ISO file on the desktop via the ISO icon. 
 
Click the ISO image button and select the Vista RC that you downloaded to your desktop then press burn
Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: REDACTED on March 28, 2015, 01:22:55 AM
Hi!
Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: REDACTED on March 28, 2015, 03:36:37 AM
Hi Essexboy!
 here is the log
Thanks for your help....
Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: essexboy on March 28, 2015, 12:35:18 PM
Nothing really jumps out at me there, so I will remove a few entries that are possible causes and reset the network

Download the attached Fixlist.txt to the same location as FRST (USB)
Start FRST as before and press fix
Once it has completed reboot to normal windows and try a download again

Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: REDACTED on March 28, 2015, 06:39:27 PM
Hi Essexboy, I followed your instructions and the computer is now working great! Better than in a very long time   ;D
I am very grateful once more for your help...
I would like to ask you a favor, if you could please look at the attached log from my laptop after running the Farbar Recovery Tool program, as this laptop is not working very well and stalling a lot for a while now. I have tried other tools but nothing seems to help. I was wondering if the FRST tool will show something I can improve.
I am sorry if it is too much to ask after how busy you must be...
Thank you so much for all the help you give to all of us here...
Wishing you the best to you and your family...

Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: essexboy on March 28, 2015, 06:46:43 PM
Glad the main computer is now OK

Let me know if this helps the laptop
CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKU\S-1-5-21-1442282352-1916392805-3601698020-1001\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll No File
BHO-x32: No Name -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} ->  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKU\S-1-5-21-1442282352-1916392805-3601698020-1001 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
2015-03-03 14:44 - 2015-03-03 14:44 - 00000000 __SHD () C:\Users\Anjana\AppData\Local\EmieBrowserModeList
2011-06-21 15:03 - 2011-06-21 15:03 - 0000000 _____ () C:\Users\Anjana\AppData\Local\{1D3BE3F2-AAFE-4F6E-A363-7778C8B0B62D}
2011-07-06 21:23 - 2011-07-06 21:23 - 0000000 _____ () C:\Users\Anjana\AppData\Local\{B9D37718-0FD9-47E0-8C12-943635DCCFEF}
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe
(https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG)
Run FRST and press Fix
On completion a log will be generated please post that
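
The caution in the post above, as an added example that is not part of the original post and is not FRST's own code: a Python check that pulls out the identifiers tying a fixlist to one Windows install (user SIDs and `C:\Users\<name>` paths) and compares them with the machine it is about to be run on. The function names are hypothetical, treating `Reg:` and `CMD:` lines as commands is read off the quoted fixlist only, and the local SID and user name are passed in as parameters (on Windows, `whoami /user` prints the SID).

```python
import re

# Constructed sample: a few lines copied from the quote box above.
SAMPLE_FIXLIST = r"""CreateRestorePoint:
CHR HKU\S-1-5-21-1442282352-1916392805-3601698020-1001\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
2015-03-03 14:44 - 2015-03-03 14:44 - 00000000 __SHD () C:\Users\Anjana\AppData\Local\EmieBrowserModeList
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: bitsadmin /reset /allusers
"""

# Per-account SID of a local or domain user (S-1-5-21-<3 sub-authorities>-<RID>).
SID_RE = re.compile(r"S-1-5-21(?:-\d+){4}")
# User profile folder name under <drive>:\Users\.
PROFILE_RE = re.compile(r"[A-Za-z]:\\Users\\([^\\\r\n]+)", re.IGNORECASE)
# Lines that hand a command to the system (assumption based on the quoted list).
COMMAND_RE = re.compile(r"^(Reg|CMD):\s*(.+)$", re.IGNORECASE)


def machine_bindings(fixlist_text):
    """Collect the identifiers that tie a fixlist to one Windows install."""
    sids, profiles, commands = set(), set(), []
    for line in fixlist_text.splitlines():
        line = line.strip()
        sids.update(SID_RE.findall(line))
        profiles.update(name.lower() for name in PROFILE_RE.findall(line))
        cmd = COMMAND_RE.match(line)
        if cmd:
            commands.append(cmd.group(2))
    return {"sids": sids, "profiles": profiles, "commands": commands}


def foreign_entries(fixlist_text, local_sid, local_user):
    """Return (kind, value) pairs that do not belong to this machine."""
    found = machine_bindings(fixlist_text)
    problems = []
    for sid in sorted(found["sids"]):
        if sid.upper() != local_sid.upper():
            problems.append(("sid", sid))
    for name in sorted(found["profiles"]):
        if name != local_user.lower():
            problems.append(("profile", name))
    return problems


if __name__ == "__main__":
    # Constructed "other machine": a different SID and user name.
    other_sid = "S-1-5-21-1111111111-2222222222-3333333333-1000"
    for kind, value in foreign_entries(SAMPLE_FIXLIST, other_sid, "Bob"):
        print(f"fixlist targets a different {kind}: {value}")
    for command in machine_bindings(SAMPLE_FIXLIST)["commands"]:
        print(f"runs command: {command}")
```

An empty result from `foreign_entries` only means the account identifiers match; the file entries and registry keys in a fixlist still come from one machine's scan log.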
Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: REDACTED on March 28, 2015, 07:28:18 PM
Thanks !
Here is the log...
Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: essexboy on March 28, 2015, 07:59:49 PM
How is the laptop now ?
Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: REDACTED on March 28, 2015, 08:49:13 PM
It looks better, I will wait and see in the next 24 hours how it goes, as the issues usually happen when it is on for a while...
I wanted to thank you once again for your help...
I wish I could do something for you in return...
 ;)
Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: essexboy on March 28, 2015, 10:39:41 PM
Let me know when you are happy and I will tidy up
Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: REDACTED on March 30, 2015, 12:20:46 AM
Thanks Essexboy, my laptop is definitely working much better, none of the issues I had before....
The only thing still happening in my laptop, and there may be no fix for it as it may be normal computer running, as I had it for 3-4 years, is that the vent starts running on and off frequently, soon after I turn it on... as it is heating up fast, is this common?
If it is then everything is fine now, thanks to you, with both my computers!!!
I am a happy camper  :)
Thank you!
Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: essexboy on March 30, 2015, 03:59:26 PM
Sounds like old age to me :)

Use the following on each system as applicable

Subject to no further problems   :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems 

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so... The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix (http://www.bleepingcomputer.com/download/delfix/)
Select the options as shown
(https://dl.dropboxusercontent.com/u/73555776/delfix.JPG)


: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article (http://www.forbes.com/sites/eliseackerman/2013/01/11/us-department-of-homeland-security-calls-on-computer-users-to-disable-java/)

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser (http://www.geekstogo.com/2600/how-to-disable-java-in-your-web-browser/) and How to unplug Java from the browser (http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/))

If you do need to keep Java then download JavaRa  (https://singularlabs.com/software/javara/javara-download/)
Run the programme and select  Remove Java Runtime.  Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version
(https://dl.dropboxusercontent.com/u/73555776/javara.JPG)


Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent (http://www.foolishit.com/vb6-projects/cryptoprevent/) install this programme to lock down and prevent crypto ransomware

(https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG)

Malwarebytes (http://www.malwarebytes.org/mbam-download.php).

Update and run weekly to keep your system clean

Unchecky (http://unchecky.com/)

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme  ;)

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide: Best security practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/)

Keep safe  :wave:
Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: REDACTED on March 30, 2015, 09:46:10 PM
Thanks!
I followed all your instructions. Below are the logs that came up after running Delfix.
I installed CryptoPrevent in my 2 computers, I paid for the Premium as it was only $15 and I like to support these companies if I can...
This window came up after installing CryptoPrevent, attached also below, and I do not know whether to respond yes or no.... I imagine I should pick Yes?
It's also asking me to give them my gmail address and password in order for them to send me notifications. I imagine it is safe, but if you could please confirm if I should do that. Thanks!
My 2 computers keep running fine, better than in a long time, so a big, huge thanks again!!!



Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: essexboy on March 30, 2015, 09:54:38 PM
Yes whitelist the current data.  They are a  secure company :) But I think they mean for you to make a password, not give them the Gmail one
Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: REDACTED on March 31, 2015, 12:03:30 AM
OK! I clicked on yes, thanks for clarifying...
Re: CryptoPrevent, they do actually want my Gmail email address password, but if it is a safe company, I guess I'll do it, as it is the only way I will receive emails from them regarding problematic issues
This is some of what they say in the page link:
http://www.foolishit.com/vb6-projects/cryptoprevent/cryptoprevent-auto-update/cryptoprevent-email-setup-faq/
"Why does CryptoPrevent need my email password?"
While CryptoPrevent can send email TO your specified address, it also sends that email FROM your address, and in order to send email from your email address on your behalf, it needs your password.  This is because CryptoPrevent (or any program that sends email for that matter) needs an email (SMTP) server in order to send email, and it is expecting to use YOUR server, NOT MINE.  For this reason, CryptoPrevent needs both your email address (which is your server login) and your email password (again, also required to login to your server.)  By YOUR server I mean the server provided to you by your email host, e.g. Gmail, Yahoo, Hotmail, your ISP, or whoever provides your ‘domain’ (the @whatever.com part of your address.)
Thanks Essexboy!!!
Title: Re: Possible virus after clicking on Malwarebytes program update popup
Post by: essexboy on March 31, 2015, 04:15:24 PM
Intriguing that but the write up on why and how is logical