Virus Closing All Files!


Hello guys, I need your help. My PC has been infected with a virus I cannot fix on my own. It is fake Antivirus software. The obviously fake Antivirus software is preventing me from opening Internet Explorer and opening any programs, even the Task Manager.

I tried putting the Malwarebytes .exe file onto a flash drive and then downloading it onto my PC. The virus automatically closed it saying the file was infected.

Next, I tried downloading Process Installer (http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx) and opening that. The virus also closed this immediately.

After that, I tried going to Start>Run> and then typing "d.....exe" as stated on another topic, but the virus closed that process too.

What is there left to try? :) Any help would be appreciated. I can't use my PC at all as of now.

Thanks guys,

Leo


Sorry to hear of your problems but a couple of essential things before we begin with troubleshooting:

Next, I tried downloading Process Installer (http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx) and opening that. The virus also closed this immediately.

1. The name of the program is Process Explorer and not Process Installer! The only reason I'm pointing this minor mistake out is to illustrate to you that it's very important for You to specify things exactly when doing online correspondence troubleshooting.

2. Please tell me exactly what fake Antivirus software has taken over your PC - what is the exact name of the program? What have you done to try to correct it other than what You've mentioned already?

3. What is your operating system and is it 32 bit or 64 bit, and what security software do you have installed?

Once I have your answers, we'll get started with removing this nasty infection!


1. The name of the program is Process Explorer and not Process Installer!

Sorry, I wasn't thinking straight at the moment :/

2. Please tell me exactly what fake Antivirus software has taken over your PC - what is the exact name of the program? What have you done to try to correct it other than what You've mentioned already?

It seems to be called "Antivirus Scan". Here are some pictures. Sorry for the quality, it wouldn't allow me to take screenshots.

IEError.jpg

Error in Internet Explorer

AntivirusScan.jpg

What happens if you click one of the links (all links take you here).

Nice spelling error. "Standart"

errormessege.jpg

What happens when trying to open a program.

Ascan.jpg

The scan window that pops up randomly telling me it's scanning.

I've also tried what this topic suggests.

http://forums.malwarebytes.org/index.php?showtopic=17583

Here's the part I tried.

If MBAM is not installed

Download the following file and save to your desktop.

http://live.sysinternals.com/procexp.exe

Rename the file to winlogon.exe and then run it.

In order to get MBAM installed you will need to identify and terminate/kill the SystemSecurity process.

As you see from the screenshot it is very easily identified by its shield icon and use of random numbers for its executable, e.g. 1234567.exe, 638476435.exe, 453732.exe and the list goes on.

Highlight the shield icon/random.exe line, right-click and select kill process.

When I tried to run "winlogon.exe", the virus just closed it and wouldn't let me do anything.

3. What is your operating system and is it 32 bit or 64 bit, and what security software do you have installed?

I have McAfee installed but was not monitoring it frequently. A mistake on my part.

My computer info

Untitled-1.jpg

(Sorry, the cropped/rotated image isn't showing up)

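The advice quoted in the post above identifies the rogue by an executable named only with digits (1234567.exe, 638476435.exe, 453732.exe). As an added example, not part of the original thread, this Python script applies that indicator to a process listing exported as CSV; the column names, the sample rows and the list of user-writable directories are constructed assumptions.

```python
import csv
import io
import re

# Indicator from the quoted advice: image name made only of digits, e.g. 1234567.exe
DIGIT_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)

# Assumption (not from the thread): locations a standard user can write to.
# Used only to rank hits, never to flag a process on its own.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\")

# Constructed sample listing (name, PID, full image path); not data from the thread.
SAMPLE_CSV = r"""Name,ProcessId,ExecutablePath
winlogon.exe,612,C:\WINDOWS\system32\winlogon.exe
explorer.exe,1480,C:\WINDOWS\explorer.exe
638476435.exe,2204,C:\Documents and Settings\user\Application Data\638476435.exe
1234567.EXE,2310,C:\WINDOWS\Temp\1234567.EXE
453732.exe,988,C:\Program Files\Example\453732.exe
7zFM.exe,3000,C:\Program Files\Example\7zFM.exe
"""


def find_digit_named(csv_text):
    """Return digit-only-named processes, those in user-writable paths first."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("Name") or "").strip()
        if not DIGIT_EXE.match(name):
            continue  # mixed names such as 7zFM.exe are not the indicator
        path = (row.get("ExecutablePath") or "").strip()
        hits.append({
            "pid": int(row["ProcessId"]),
            "name": name,
            "path": path,
            "user_writable": any(d in path.lower() for d in USER_WRITABLE),
        })
    # Rank hits from user-writable locations above the rest, then by PID
    hits.sort(key=lambda h: (not h["user_writable"], h["pid"]))
    return hits


if __name__ == "__main__":
    for hit in find_digit_named(SAMPLE_CSV):
        flag = "user-writable" if hit["user_writable"] else "other path"
        print(f'{hit["pid"]:>6}  {hit["name"]:<16} {flag:<14} {hit["path"]}')
```

A digit-only name is a triage hint rather than proof, so each hit still needs its path and publisher checked before the process is ended.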

Thank You for answering all my questions with illustrations - very helpful!!

Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.

A black window should pop up, press any key to close once the fix is completed.

Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Download rkill.com:

http://download.bleepingcomputer.com/grinler/rkill.com

1. Once it is downloaded, double-click on rkill.com in order to automatically attempt to stop any processes associated with Rogue programs.

2. Please be patient while the program looks for various malware programs and ends them.

3. When it has finished, the black window will automatically close and you can continue with the next step. Please post back the rkill log that is generated.

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When this "quick" scan is finished (a few seconds), copy the Quick scan report to the windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Exit the Program
  • Save the Scan log as ARKQ.txt and post it in your next reply. If the log is very long attach it please.

If you could not get the rootkit scan to run just keep going with the directions!!

Please download Combofix from one of these locations:

HERE

In the Combofix Guide at Bleeping Computer aka A guide and tutorial on using ComboFix

http://www.bleepingcomputer.com/combofix/h...se-combofix#use

Using ComboFix ->

I want you to rename Combofix.exe as you download it to iexplore.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK

    For Internet Explorer:

    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

VERY IMPORTANT: Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Launch Combofix (iexplore.exe) from the Run Line, as follows:

Navigate to Start --> Run, and copy/paste this command exactly as shown, then hit Enter:

"%userprofile%\desktop\iexplore.exe" /killall

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of C:\Combofix.txt in your next reply with the exehelper log, kill.txt and ARKQ.txt.

Note: Do NOT mouseclick combofix's window while it is running. That may cause your system to stall/hang.

ONLY If You have problems running Combofix then try running it in "Safe Mode with Networking" as follows:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading normally, the Advanced Options Menu should appear;
  • Select the option, to run Windows in "Safe Mode with Networking", then press Enter.
  • Choose your usual account, and launch Combofix as instructed above.

NOTE: Here is an Antivirus Scan Removal Tutorial:

http://www.bleepingcomputer.com/virus-remo...-antivirus-scan

You can try to follow these directions if you run into an impasse.


  • 1 month later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
