Internet access blocked and can't run scans

[MarkR17]

My Dell Inspiron laptop running Windows 7 Pro and IE got infected today and I am stymied. Started getting error messages stating "invalid security certificates" on websites & couldn't open anything.  I shut down and reopened in Safe Mode. Did a System Restore and restarted in Safe mode again.  Ran a scan in Symantec which found nothing but problems were still there.  Day and time settings had changed to 1/1/20013; I couldn't change them back.  I downloaded Malwarebytes onto a flash drive on another computer and tried to run it on the infected one but it couldn't load.  Tried Chameleon but none worked.  Tried Avast also could not load.  I have never encountered anything like this and would welcome suggestions of where to start.  Thank you. 

[kevinf80]

Hello MarkR17 and welcome to Malwarebytes,

Download Farbar Recovery Scan Tool and save it to your Flash drive, transfer to sick PC. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status...   Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans" Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Thank you, Kevin

Edited January 27, 2018 by kevinf80
typing error

[MarkR17]

Thanks, Kevin.  I copied FRST 64 bit 21.01.2018 to flash drive and tried to run it on the infected computer.  It opened to the first screen then I got a pop-up stating "Farbar Recovery Scan Tool has stopped working. Windows will close the program..."   I renamed a copy of the FRST file and tried running that one but got essentially the same result.  I am stymied.

[kevinf80]

Do you have access to another PC...?

[MarkR17]

Yes.  That's what I'm using to download programs onto a flash drive.  It's an older Dell laptop running Windows 7 Pro.

[kevinf80]

Thanks, can you check the following on the sick PC:

Check for and delete untrusted root CA certificates:   Select Windows key and R key together,, In the Run dialog box type MMC, and then click OK. The Microsoft Management Console (MMC) appears. In the MMC, on the Console menu, click File then Add/Remove Snap-in.... In the Add or Remove Snap-in dialog box, click Certificates, and then click Add. In the Certificates snap-in dialog box, click My User Account, and then click Finish. click OK on Add or Remove Snap ins. Expand the Certificates Current User node by double click Expand UnTrusted Certification by double click Double Click Certificates Trust List. The details pane appears, showing all of the root CA certificates that are currently untrusted. If there are untrusted Certificates listed for Malwarebytes, FRST or any other Security Programs delete them all.... Let me know the outcome

[MarkR17]

I got to the Certificates-Current User screen.  When I double-clicked on that, it opened a window named "Extensions for Certificates" with 2 radio button choices - "always enable all available extensions" or "enable only selected extensions".  I clicked on "enable all".  It brought me back to the previous screen, but there are no lists of certificates showing.

I am running the infected computer in Safe Mode.

Just FYI, I earlier tried to open a couple of Office files in Word and Excel and in each case they opened briefly and then a pop-up appeared saying the certificate couldn't be trusted and the file was closed.

[kevinf80]

Hello MarkR17,

As you have spare PC and Flash drive see if you can run the following:

Plug USB Flash Drive into spare PC, navigate to that drive and Right click on it directly, select > Format. The quick option is adequate. When the format completes download Farbar Recovery Scan Tool from here: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ save it to a USB flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit. Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. Do NOT plug the Flash drive into the sick PC untill booted to the Recovery Environment If you are using Vista or Windows 7 enter System Recovery Options as follows. Enter System Recovery Options I give two methods, use whichever is convenient for you. To enter System Recovery Options from the Advanced Boot Options: Restart the computer. As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears. Use the arrow keys to select the Repair your computer menu item. Select Your Country as the keyboard language settings, and then click Next. Select the operating system you want to repair, and then click Next. Select your user account an click Next. To enter System Recovery Options by using Windows installation disc: Insert the installation disc. Restart your computer. If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings. Click Repair your computer. Select Your Country as the keyboard language settings, and then click Next. Select the operating system you want to repair, and then click Next. Select your user account and click Next. On the System Recovery Options menu you may get the following options: Startup Repair System Restore Windows Complete PC Restore Windows Memory Diagnostic Tool Command Prompt   Select Command Prompt In the command window type in notepad and press Enter. The notepad opens. Under File menu select Open. Select "Computer" and find your flash drive letter and close the notepad. In the command window type E:\frst64 or E:\frst depending on your version. Press Enter Note: Replace letter E with the drive letter of your flash drive. The tool will start to run. When the tool opens click Yes to disclaimer. Press Scan button. It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply. Thanks, Kevin...

[MarkR17]

didn't work, sorry.  I got as far as clicking "open" on the notepad screen and then it just froze.  Would not let me open, close, or select anything.   I started over and repeated all the steps with the same result.

[kevinf80]

How did you access System Recovery Options.... did you use F8 method or Installation DVD

[MarkR17]

I use F8

[kevinf80]

Ok, your spare PC has same version of Windows, you can use that to create System Repair CD, that is a bootable CD with System Recovery Options.  You can then boot sick PC with that CD to access System Recovery Options. From there follow the instructions I posted in reply #8

Full instructions here: https://support.microsoft.com/en-gb/help/17423/windows-7-create-system-repair-disc

 

[MarkR17]

My second computer is running the 32-bit version of Windows and that's what was automatically downloaded onto the disk. It doesn't work n the infected computer (64 bit). I can't see a way to get to the 64-bit version on the Microsoft site.  I don't have the license keys documentation here. 

Is there any other way to use the tool? 

[kevinf80]

See if it will create on infected PC.....

[MarkR17]

Infected laptop can't access the internet.  I get "security alert" messages about certificates and pages won't load.

[kevinf80]

Why do you need internet access..?

[MarkR17]

Good question! I got confused for a moment.  But anyway, I wasn't able to create a disc on the infected computer,  It stopped writing about 1/2 way through, several times.

[kevinf80]

Check your PM`s

[kevinf80]

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks