virus help please


jwb28
07-07-2010, 9:11 PM
I was over at my parents' house today web surfing and their computer has a virus now.
When you load Explorer 8 all that will come up is "your system may be infected" and it boots you to an AVG page. If you turn down their subscription you can't do anything. Every web page says "may be infected". It's like stuck in a loop. I tried to uninstall AVG and it says it's "gone" on the program list but you still can't get past the AVG page in Explorer.
Tried to use a restore point and it won't let that run. Tried to download a free version of McAfee. No dice.
Firefox will let you surf, but you can't download anything and get it to run.

Am I just screwed and have to do a full system restore or whatever that's called? You know, where you lose everything?
Any help appreciated.

freonr22
07-07-2010, 9:15 PM
Get Malwarebytes (maybe .com?), get Microsoft Security Essentials, and CCleaner and Spybot Search and Destroy, all free; do the scans, and report back.


ETA: you may need to run in some kinda safe mode.

Ricky-Ray
07-07-2010, 9:16 PM
When it pops up with the "your system may be infected" in the upper left hand corner of the window, does it say Antivirus 2010 or something like that?

If so, more than likely you've been infected with spyware/malware and not a virus.

Best program that I've seen to remove one of these nasty ones is called Malwarebytes. http://www.malwarebytes.org/ Totally worth the 25 bucks it takes to purchase it. The free edition should get rid of it, but if you pay it also provides real-time protection, something that might be good for your parents' computer if you're not there to keep an eye on the computer all the time.

ojisan
07-07-2010, 9:28 PM
Sounds like the ever-popular Demo 99 virus.
It's evil.
Idiot's fix (worked for me).

1. Go to another computer, hit the net and download a free copy of "Superantispyware". (.org???)
Burn it onto a CD.
2. Disconnect the infected PC from the internet.
Put the SAS CD in your infected PC.
The window should pop up, save to C...do it.
The virus will try to trick you and tell you the download failed.
Don't worry, the download worked.
3. Restart computer in safe mode. (Hit F8 during bootup)
Start and run the SAS program.
Wait 45min-1 hour.
SAS will give a report with results.
Worked perfectly for me.

However, SAS will now hang around and put itself into your start menu.
It may conflict with other anti-spyware / virus software you have.
I liked the SAS but had to delete it due to conflict problems.
However, that SAS CD is right here at my side, ready to kick butt again.
And I lost nothing!
(They do ask for a donation, please consider it, fair is fair.)
Good luck.

cdj337
07-07-2010, 9:38 PM
Try System Restore and go back to the restore point from when it was working. It might fix your issue. The easiest way in my opinion.

Marsoc1
07-07-2010, 9:40 PM
It's not AVG, AVG is a legit company; I think you're talking about AV Suite.
If you can confirm, I can help manually remove it.
1. Can you go to any sites or does it redirect you to their antivirus site?
If so, go to Internet Options > Connections > LAN settings > and uncheck "proxy server"; once that's done you can surf the web again.
2. Push Ctrl, Shift and Esc and see if you find a program running as [random characters]tssd.exe. If it's running I've got the fix for it.

PM me if you need help.

jwb28
07-07-2010, 10:13 PM
Wow, thanks for all the replies.
Right now the problem is I'm not at my parents' house to mess with it. Can you download Malwarebytes etc. to a thumb drive and run them from there? It's not possible (at least I can't figure out how) to download them to the infected computer and have it run the program. Every time I try it comes up with "file infected", not the one I'm downloading, but a "windows" file. A bunch of different ones actually.
I'll try the proxy server thing tomorrow and if someone can tell me how to run MWB and the other free programs from a thumb drive. All I have is a netbook. No CD-ROM to burn to.
Thanks again.

Marsoc1
07-07-2010, 10:15 PM
Try the proxy thing, I'll PM you with details.

ocabj
07-07-2010, 11:06 PM
When it comes to my parents' computers, I just have a Ghost image of a freshly installed Windows OS, drivers, and all the applications they use. If they get infected with malware, I just reimage the drive for them from a bootable DVD. Takes all of 5 minutes to do.

Pyrodyne
07-08-2010, 7:39 AM
Here is my simple fix for this type of fake AV; it requires no software to get rid of it.
1) Navigate to c:\Windows\system32
2) copy taskmgr.exe to the desktop
3) rename taskmgr.exe to iexplore.exe
4) kill any suspicious processes
5) once you find the fake AV, delete the file
6) Reboot and check if it's clear
7) Check IE proxy settings and clear if there is one set (most likely 127.0.0.1 port 5555)

Most fake AVs come as a rider to Ask.com toolbars such as "MyWebSearch", Weather Channel Desktop, ALOT toolbar, etc. Be sure to remove all toolbars. "Move Networks" will also infect Firefox; be sure to disable and remove anything from them.

If you are running 32-bit XP, try combofix after the fake AV is gone.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix This is the most powerful utility available for knocking out the strongest viruses and rootkits. DO NOT use this tool on vista or 7.

Follow up with MalwareBytes and then your AV of preference. I typically will also manually check the registry for shell execute hijacks which may break .exe file associations. HKEY_CLASSES_ROOT\exefile\shell\open\command value should be "%1" %*.

You can also check for open ports on your computer by dropping to the command prompt and running netstat -ao. Have Task Manager open and add "PID" from View -> Select Columns. Look for socket state "LISTENING" and check each one against Task Manager to see what process is listening. A Google search for "port xxxx" should show you what processes typically use that port, and whether suspicious software is known to listen there.
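
The post above describes three read-only checks: the IE proxy pointing at the local machine, the exefile shell\open\command value, and matching LISTENING sockets from netstat -ao to the owning process. As an added example (not code from the thread or from any poster), the script below does those three checks offline. The netstat and tasklist text, the registry values and the process name ending in tssd.exe are all constructed samples built to resemble what the thread describes, and the "fake-av.exe" path is a hypothetical placeholder; on a real machine you would feed it the actual netstat -ao and tasklist output and the values read from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (ProxyEnable, ProxyServer) and HKEY_CLASSES_ROOT\exefile\shell\open\command.

```python
"""Offline triage of the three manual checks from the post above.

All input below is constructed sample text, not captured from a real system,
so the script runs anywhere and never touches the registry or the network.
"""
import ipaddress
import re

# Constructed sample of `netstat -ao` output (Windows layout).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:5555         0.0.0.0:0              LISTENING       3412
  TCP    192.168.1.10:49201     93.184.216.34:80       ESTABLISHED     1900
  UDP    0.0.0.0:500            *:*                                    1104
"""

# Constructed sample of `tasklist` output, used to map PID -> image name.
# The "[random]tssd.exe" name follows the pattern mentioned earlier in the thread.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    884 Services                   0      8,112 K
xkqptssd.exe                  3412 Console                    1     12,004 K
firefox.exe                   1900 Console                    1    140,220 K
lsass.exe                     1104 Services                   0      3,900 K
"""

# Constructed registry values: ProxyEnable / ProxyServer from the IE
# Internet Settings key, and the exefile shell\open\command default value.
PROXY_ENABLE_SAMPLE = 1
PROXY_SERVER_SAMPLE = "127.0.0.1:5555"
EXEFILE_COMMAND_SAMPLE = '"C:\\example\\fake-av.exe" /start "%1" %*'  # hypothetical

# The clean value the post gives for the .exe association.
EXPECTED_EXEFILE_COMMAND = '"%1" %*'


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output (header lines never match)."""
    pids = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s", line)
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids


def listening_sockets(netstat_text, pid_to_name):
    """Return TCP sockets in LISTENING state, each with its owning process name."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # UDP rows have no State column, so only 5-field TCP rows qualify.
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            addr, port = fields[1].rsplit(":", 1)
            pid = int(fields[4])
            found.append({"addr": addr, "port": int(port), "pid": pid,
                          "process": pid_to_name.get(pid, "<unknown>")})
    return found


def proxy_finding(proxy_enable, proxy_server):
    """Flag an enabled IE proxy that points back at the local machine."""
    if not proxy_enable or not proxy_server:
        return None
    host, port = (proxy_server.rsplit(":", 1) if ":" in proxy_server
                  else (proxy_server, "80"))
    try:
        is_local = ipaddress.ip_address(host).is_loopback
    except ValueError:            # a hostname rather than an IP literal
        is_local = host.lower() == "localhost"
    return {"host": host, "port": int(port)} if is_local else None


def exefile_command_ok(value):
    """The .exe association is clean only if it is exactly "%1" %*."""
    return value.strip() == EXPECTED_EXEFILE_COMMAND


def triage(netstat_text, tasklist_text, proxy_enable, proxy_server, exefile_command):
    """Run all three checks and return (listening sockets, list of findings)."""
    listeners = listening_sockets(netstat_text, parse_tasklist(tasklist_text))
    findings = []
    proxy = proxy_finding(proxy_enable, proxy_server)
    if proxy:
        # Cross-reference the proxy port with local listeners to name the process.
        owners = [l for l in listeners
                  if l["port"] == proxy["port"] and l["addr"] in ("127.0.0.1", "0.0.0.0")]
        names = ", ".join(f'{l["process"]} (PID {l["pid"]})' for l in owners) or "no local listener"
        findings.append(f"IE proxy set to {proxy['host']}:{proxy['port']}; served by {names}")
    if not exefile_command_ok(exefile_command):
        findings.append(f"exefile open command hijacked: {exefile_command}")
    return listeners, findings


if __name__ == "__main__":
    listeners, findings = triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE, PROXY_ENABLE_SAMPLE,
                                 PROXY_SERVER_SAMPLE, EXEFILE_COMMAND_SAMPLE)
    for l in listeners:
        print(f"LISTENING {l['addr']}:{l['port']}  PID {l['pid']}  {l['process']}")
    for f in findings:
        print("FINDING:", f)
```

On the sample data the script reports the 127.0.0.1:5555 proxy and names the process that owns that listening port, and flags the exefile value because it is anything other than the bare "%1" %*. The point of cross-referencing the proxy port with the listener list is that the fake AV has to run a process on that port to serve its "infected" pages, so the PID behind it is the one to look at in Task Manager.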

Lancear15
07-08-2010, 7:50 AM
Never should have used Internet Exploder 8. Firefox w/ NoScript add-on FTW, and you won't get a virus again, unless of course you are intentionally downloading crap you shouldn't be.

I don't run an anti-virus and haven't gotten a virus since I switched to Firefox. Anti-virus programs are a waste of money and just slow your computer down.

Lancear15
07-08-2010, 7:54 AM
To the OP, IMO The only way to be 100% sure the computer is virus free is to format the drive and reinstall the software.

jdberger
07-08-2010, 7:57 AM
Hey! I got the same virus!

It liked to redirect me to porn sites. At least it was normal porn.....

freonr22
07-08-2010, 9:47 AM
Hey! I got the same virus!

It liked to redirect me to porn sites. At least it was normal porn.....
Sure ;)

ojisan
07-08-2010, 10:56 AM
Hey! I got the same virus!
It liked to redirect me to porn sites. At least it was normal porn.....

Yes, when I got the Demo99 it linked to and opened porn sites to try and force you to accept their "offer".
I got it when loading pics of my son's birthday party from Photobucket to an email for my Mom.
Yes, I told my wife I was innocent!
The only porn I look at on my PC is gun porn!
She said OK...
Two days later, one of her girlfriends at work was surfing the net for women's clothes at lunch and got the exact same Demo99 virus which started opening up porn on the work PC.
So now my wife does believe I was innocent!
Phew!

So you can get this virus even if you are being good!

There are a lot of smart and savvy PC gurus here who know way more than me.
But as far as manual deletion goes, Demo99 installed itself or parts of itself in 87 different places in my PC according to SAS.
I think this would be tough for me to find them all manually...and if even one is left, it re-installs itself.
I see no reason a thumb drive could not work in place of a CD...as long as you can get around the virus and access the thumb to download.

Marsoc1
07-08-2010, 11:14 AM
Hey! I got the same virus!

It liked to redirect me to porn sites. At least it was normal porn.....

It's not the same; it's called ransomware, basically locks you out of the net unless you buy their "anti-virus" program. I've dealt with it a few times and manually removed it; it's a sneaky one though.

No need to reinstall your OS every time you think you got a virus; a little elbow grease can save your OS. Honestly, do you really wanna set up your system the way you liked it all over again? Did you write down every setting you changed to your liking? Might be a bigger headache than it already is.

Dankle
07-08-2010, 11:43 AM
We had the same infection on some of the work computers from people using the company internet for personal use. (Like I do daily, except I only visit Calguns and GDR :D) I used RKill (http://www.technibble.com/rkill-repair-tool-of-the-week/) to kill/end all known malicious processes, and Malwarebytes to rid the systems of the infection. If you go this route, you may have to open/run RKill twice. With my infection I opened RKill and an error popped up saying some BS; I left the error message up (didn't click anything) and ran RKill again. After the second run of RKill I could tell it did what it was supposed to do. I then ran a full scan with Malwarebytes and it was G2G after that.

Yes, you can DL both programs to a flash drive and run them from it.

GunNutz
07-08-2010, 11:51 AM
If System Restore doesn't get rid of the problem: download Malwarebytes and closely watch the folder it installs to. (The exe mbam will often be deleted by malicious code, but you usually get a few seconds of slack.) Rename the file quickly. Run this, reboot, and run again. If the system keeps getting reinfected, disable System Restore and try again. (You may need to do this manually; I've seen some of these remove the option from the GUI.) Also download HijackThis and see what it comes up with.

Be sure to save the names of any malicious code which is identified during the scans. You can sometimes find manual removal instructions in case all automated tools fail.

Also, you may need to get something like killbox to assist in the "cleansing."

Good luck.

jwb28
07-08-2010, 7:34 PM
Update on my virus.
Well, I couldn't remove it so I had onlinecomputerrepair.org do it. It took them 3.5 hr if you count download, wipe, and all the other processor time. I hope it's fixed; the computer was defragging when I had to leave. I'll find out for sure late tonight.
Should have waited and tried the copy and rename trick in post 7 or 8, but the online people were real nice. They used their fix-it software and installed and ran Malwarebytes, Avast, and at least ran CCleaner, not sure if they installed that one.
Thanks for all the help and the PMs. I tried to do what the site you recommended said, Marsoc1, but it wouldn't let me. I got the path to the virus down, but when I got to the Apps... folder it would not give me access, and the folder I thought held the virus I could not rename and delete. I guess the damn thing is evolving, or I had multiple problems. It was the AV security thing.
Anyway, the last computer course I took was Fortran and we used a card reader to write our "programs" on. :) So I'm not tech savvy. If it works when I get back, call it lesson learned the hard way. Avast and Malwarebytes are on that computer now so hopefully no more problems.
Thanks again everyone.

code33
07-09-2010, 9:49 AM
I've had good success with Kaspersky Rescue Disk. It boots to Linux and gets rid of OS infections well. Especially viruses that run during the boot process.

WTSGDYBBR
07-09-2010, 10:00 AM
I can't even reply to this thread; looks like all the pros put everything you could do. Look into Kaspersky Internet Security and antivirus, you will get 0 viruses. The internet security will block worms. Remember you should buy a router to protect your network's internal IPs. Many users will plug their PC direct into their cable modem or DSL connection. When users plug direct into their modems your PC is exposed. Any open ports on your system firewall will get infected. If you fail to do your Windows updates or IE updates you will also get owned. You should download Firefox as well.

bbguns44
07-09-2010, 11:52 AM
I had the same problem 2 days ago. The easy solution was to let Microsoft fix it. Called their PC safety number & the tech took control of my PC & deleted all of the virus files. 15 minutes, totally free. Interesting to watch her navigate around my PC & delete files.

jwb28
07-09-2010, 1:24 PM
What's the Microsoft #? I didn't know you could do that.
Anyway, I'm on the problem computer now and it seems to be working fine. Also trying to use Firefox, but the favorites list thing I don't like. At least so far. Is there a Firefox for the computer challenged?
Like I said in the original post, this computer is actually at my parents' and they know pretty much nothing about them. Hell, I'm not a whole lot better, but it took a while to get my dad to surf on IE. Now if he has to learn Firefox :eek:.
Anyway, to hijack my own post: are Avast and Malwarebytes a decent level of protection? I'll try and find out about the program that starts with K; can't see the name right now.
Anyone remember XTree and batch files? That's about when I felt halfway competent messing with computers. :D
Thanks again.

code33
07-09-2010, 1:32 PM
Avast & Malwarebytes are very good. Superantispyware is as well.
All free. Scan with those in conjunction with Kaspersky.

CAL.BAR
07-09-2010, 1:41 PM
WTF! Kaspersky saw the virus coming, warned me and then said it couldn't be quarantined. So I had to kill it 2x!

code33
07-09-2010, 2:08 PM
Kaspersky Rescue Disk or the version installed in Windows?

Sinixstar
07-09-2010, 3:41 PM
Hey! I got the same virus!

It liked to redirect me to porn sites. At least it was normal porn.....

oh... uhh... yea.... that porno virus...yea... i got that one too.
Damn thing went out and ordered a freakin external drive from newegg, and filled it up with porn.

damn... viruses...

NIB
07-09-2010, 5:51 PM
I just got rid of it on my friend's computer. It took a few hours, but what I did is first run a virus scan in safe mode. That got rid of a bunch of stuff. Then I downloaded Malwarebytes on my computer to a thumb drive and installed it on her computer. I then ran Malwarebytes in safe mode again and that took out about 130 different infected files. I then used HijackThis and took out anything suspicious looking. That took care of it, but like I said it took a few hours to get it done.

Dangerpin
07-10-2010, 1:11 PM
With that heavy level of infection you might want to consider running Combofix or another rootkit detector on it as well.

todd2968
07-10-2010, 3:40 PM
System Restore will not help.
Go to www.filehippo.com and download Malwarebytes. It is the only thing that helped me; it is free and it is priceless.

FluorideInMyWater
07-16-2010, 5:33 PM
I've been hijacked. It's a form of PC spycan crap. It takes over all the processes of the computer.

I've been able to fix this every time by booting into safe mode and then running System Restore for a restore point. Safe mode does not give the malware room to work in. I've literally done this 10+ times. Give it a try.