Need help removing virus/malware

fbi moneypak

37 replies to this topic

#1 jerzdawg

jerzdawg

    Neowinian

  • Tech Issues Solved: 1
  • Joined: 09-October 02
  • Location: new jersey

Posted 18 November 2012 - 15:53

Ok, I'm fixing a PC for a friend. When I turned on the computer I was blocked out by some dumb message about copyrights and wanting to pay $200. Finally I was able to remove some of the files, delete from startup, etc. Installed Spybot Search & Destroy, ran the scan and removed all entries. Used the PC on and off for a few days. No issues. Gave the PC back... Within 2 days... it's back. Is there a better freeware scanner/remover for this? I'm at my wits' end with this.


#2 ButteIrishProud

ButteIrishProud

    Neowinian

  • Joined: 17-November 12

Posted 18 November 2012 - 15:57

Download Malwarebytes and run a FULL scan in Safe Mode.

#3 Javik

Javik

    Beware the tyranny of those that wield power

  • Tech Issues Solved: 2
  • Joined: 21-May 12

Posted 18 November 2012 - 15:58

Or install Avast and do a boot time scan.

#4 Detection

Detection

    Detecting stuff...

  • Joined: 30-October 10
  • Location: UK
  • OS: 7 SP1 x64

Posted 18 November 2012 - 16:15

1. Boot in safe mode
2. Empty ALL temp folders, including user temp folders, not just windows
3. Reset IE, checking the box to delete everything
4. Open regedit:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Delete any suspicious-looking entries

Also delete anything in HKEY_CURRENT_USER\Software and HKEY_LOCAL_MACHINE\SOFTWARE that looks malware related

Open MSCONFIG and disable anything that looks suspicious in there too

----------

Reboot in normal mode, and run a full scan with a fully updated Malwarebytes

You have already scanned with Spybot but do it again anyway

Another good thing is to install Avast Free and do a "Boot Time Scan"; this will be able to remove malware that cannot be killed inside Windows

Download and run a scan with HijackThis; remove any suspicious entries in there too

Scan a couple of times with all the above programs until they all return a clean result

If you still have a problem after all that, wipe > reinstall Windows

#5 OP jerzdawg

jerzdawg

    Neowinian

  • Tech Issues Solved: 1
  • Joined: 09-October 02
  • Location: new jersey

Posted 18 November 2012 - 16:34

What exactly would be considered suspicious? I'd assume they would label anything that would set off red flags..

#6 Detection

Detection

    Detecting stuff...

  • Joined: 30-October 10
  • Location: UK
  • OS: 7 SP1 x64

Posted 18 November 2012 - 16:36

What exactly would be considered suspicious? I'd assume they would label anything that would set off red flags..


Well, just anything you don't recognise as being installed on the machine as a genuine app; a lot of malware will have registry keys with weird symbols, such as !"£$%^&*&()_), or the name of the fake AV that pops up

Normally pretty easy to spot. The first 2 keys I mentioned are what Windows calls to start up with Windows, so if you don't want anything starting up with Windows, delete those keys, and in MSCONFIG
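
A script, added here as an example and not posted by anyone in the thread, that automates the registry check from Detection's post #4 and applies the "suspicious" heuristics from post #6 (symbol-laden value names, anything not recognised as a genuine app). It walks the HKCU and HKLM Run/RunOnce keys, plus the Wow6432Node copy that is all a 32-bit-only tool sees on a 64-bit OS, and for each entry checks the value name, whether the command points into a temp or profile folder, whether the target file exists, and whether it carries a valid Authenticode signature. It reports and prints a removal command; it deletes nothing. The folder list, the Winlogon Shell/Userinit check, and the PowerShell 3.0-or-later requirement are my assumptions, not anything the posts state.

```powershell
# Added example (not from the thread): audit the autostart locations named in the
# posts above and flag entries that look suspicious. REPORT ONLY: review the output,
# then remove entries yourself (a ready-made command is printed for each finding).
# Assumptions: PowerShell 3.0+ on Windows 7 or later, run from the infected user's
# account (HKCU is that user's hive), ideally in Safe Mode.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    # 32-bit view on a 64-bit OS; a 32-bit scanner that does not handle WOW64
    # redirection sees only this copy and misses the native keys above.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Folders a legitimate autostart program rarely runs from (assumed list; expect
# some false positives such as updaters living in AppData).
$suspectDirs = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData,
                 $env:PUBLIC, "$env:SystemRoot\Temp") | Where-Object { $_ }

function Get-ExePath {
    param([string]$Command)
    # Pull the executable out of a Run value such as  "C:\d\a.exe" /x  or  C:\d\a.exe /x
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"')  { $exe = $Matches[1] }
    elseif ($c -match '^(\S+)')  { $exe = $Matches[1] }
    else { return $c }
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $found = Get-Command $exe -ErrorAction SilentlyContinue   # resolve via PATH
        if ($found -and $found.Path) { $exe = $found.Path }
    }
    return $exe
}

function Get-AutorunReasons {
    param([string]$Name, [string]$Command)
    $reasons = @()
    $cmd = [Environment]::ExpandEnvironmentVariables($Command)
    $exe = Get-ExePath $Command

    # Value names made of symbols or random junk, as described in the post above.
    if ($Name -notmatch '^[A-Za-z0-9 _.\-]+$') { $reasons += 'odd characters in value name' }

    # Command launched from, or pointing into, a temp/profile/data folder.
    foreach ($d in $suspectDirs) {
        if ($cmd.IndexOf($d, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons += "references $d"
            break
        }
    }

    if (-not $exe -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $reasons += 'target file missing'
    } else {
        # Most vendors sign their autostart binaries; malware usually does not.
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') { $reasons += "not validly signed ($($sig.Status))" }
    }
    return $reasons
}

$findings = @(foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        if (-not $name) { continue }                      # skip the (Default) value
        $cmd = [string]$item.GetValue($name)
        $why = Get-AutorunReasons -Name $name -Command $cmd
        if ($why) {
            [pscustomobject]@{
                Location   = $key
                Name       = $name
                Command    = $cmd
                Reasons    = $why -join '; '
                RemoveWith = "Remove-ItemProperty -LiteralPath '$key' -Name '$name'"
            }
        }
    }
})

# Winlogon Shell/Userinit are autostart points too and a common hook for
# lock-screen malware (an assumption going beyond what the posts mention).
$wlKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -LiteralPath $wlKey
if ($wl.Shell -ne 'explorer.exe') {
    $findings += [pscustomobject]@{ Location = $wlKey; Name = 'Shell'; Command = $wl.Shell
        Reasons    = 'Shell is not explorer.exe'
        RemoveWith = "Set-ItemProperty -LiteralPath '$wlKey' -Name Shell -Value 'explorer.exe'" }
}
$userinit = "$env:SystemRoot\system32\userinit.exe"
if (($wl.Userinit -replace ',\s*$', '') -ne $userinit) {
    $findings += [pscustomobject]@{ Location = $wlKey; Name = 'Userinit'; Command = $wl.Userinit
        Reasons    = 'Userinit is not the stock userinit.exe'
        RemoveWith = "Set-ItemProperty -LiteralPath '$wlKey' -Name Userinit -Value '$userinit,'" }
}

if ($findings) { $findings | Format-List }
else { 'No suspicious autostart entries found (this alone does not prove the PC is clean).' }
```

Run it from the account that shows the lock screen (the HKCU keys belong to whoever is logged on), read the Reasons column as a prompt for judgement rather than a verdict, and only then paste the RemoveWith command for entries you are sure about. An entry that is missing its target file is worth noting even though it cannot run: it is a trace of what was dropped earlier and may point at the folder the sample came back from.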

#7 OP jerzdawg

jerzdawg

    Neowinian

  • Tech Issues Solved: 1
  • Joined: 09-October 02
  • Location: new jersey

Posted 18 November 2012 - 17:01

Running Avast scan now; once that is done I'll post the HijackThis report

#8 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 28
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 18 November 2012 - 17:27

Where do you live? I am in Warren County. I could get it fixed up for you. Also don't use that old POS HijackThis... use OTL
http://www.geekstogo...ldtimer-listit/

#9 Detection

Detection

    Detecting stuff...

  • Joined: 30-October 10
  • Location: UK
  • OS: 7 SP1 x64

Posted 18 November 2012 - 17:33

Where do you live? I am in Warren County. I could get it fixed up for you. Also don't use that old POS HijackThis... use OTL
http://www.geekstogo...ldtimer-listit/


What is wrong with HijackThis? It's a great piece of software

#10 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 28
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 18 November 2012 - 17:53

Latest version is 2.04... It doesn't work properly with 64-bit OSes. It also doesn't dig as deep as OTL.

Compare an HJT log with an OTL log.

Sample OTL log
http://www.bleepingc...opic313328.html

Sample HJT log
http://www.techsuppo...down-14837.html

which do you think is more thorough and can help you better find the cause?

#11 Detection

Detection

    Detecting stuff...

  • Joined: 30-October 10
  • Location: UK
  • OS: 7 SP1 x64

Posted 18 November 2012 - 17:55

Latest version is 2.04... It doesn't work properly with 64-bit OSes. It also doesn't dig as deep as OTL.

Compare an HJT log with an OTL log.


Ok, never used OTL; still, HijackThis is a decent app. Using both would be better than not using HJT. Never had a problem with HJT and 64-bit OSes though

#12 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 28
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 18 November 2012 - 18:02

Read about HJT and 64-bit. While this isn't necessarily a problem, people unfamiliar with it will go and disable critical processes and screw their computers up more. I don't recommend running this as a novice, nor do I recommend running it over the internet, since people can be tempted to try to fix it themselves, causing more issues. Bottom line: it doesn't work well with 64-bit OSes, and OTL produces similar findings to HJT with many more pieces of the OS puzzle (more files, more reg entries, more points of infection, etc.). Running OTL with good rootkit detection software, like GMER, will allow you, the tech, to actually find something useful and be able to repair the computer.
http://www.experts-e...it-Systems.html

That being said, it may take a few hours to go through and verify an OTL report.

#13 Detection

Detection

    Detecting stuff...

  • Joined: 30-October 10
  • Location: UK
  • OS: 7 SP1 x64

Posted 18 November 2012 - 18:06

Read about HJT and 64-bit
http://www.experts-e...it-Systems.html


Well, that doesn't render HJT useless on 64-bit systems; we're not looking for missing file entries, we're looking for malware entries. It makes no difference if HJT can't find 64-bit files

And more to the point, I don't know many 64-bit versions of malware

#14 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 28
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 18 November 2012 - 18:12

Well, that doesn't render HJT useless on 64-bit systems; we're not looking for missing file entries, we're looking for malware entries. It makes no difference if HJT can't find 64-bit files

And more to the point, I don't know many 64-bit versions of malware

Not exactly useful either. If it is not useful, it is useless IMO.

#15 Deleted Bye

Deleted Bye

    Neowinian Senior

  • Joined: 17-June 09

Posted 18 November 2012 - 18:20

You could do what others said and waste your time, or do what will be the easiest. Download the 10 meg Malwarebytes file from malwarebytes.com from here (filehippo link) on to a USB key. Boot into Safe Mode, install, run a scan, let it remove it. Done. If you want to do it the hard way, follow the other posts above.