I’m confused. So my nephew comes to me with his laptop (which has XP on it) saying it won’t let him connect to the internet and a bunch of stuff pops up trying to install an obviously bad AV (System Pro Alert).
So I take a look at it and the first thing that came to my mind is some sort of adware thing. First I scanned the system with Avast Virus Cleaner; it came up with nothing. I installed the full version of Avast and did a boot-time scan; it came up with nothing. I tried to install Spybot and then Ad-Aware but it wouldn’t allow the installation. Also, whenever I try to start up the Spybot installer a window pops up saying that the file is infected (it says everything is infected) and asking if I would like to activate my antivirus software (obviously the bunk AV); no matter how many times I click No or Ignore it will not allow anything to happen. Also, if you let the computer sit there without touching anything, stuff will start popping up like fake security warnings etc. Frustrating, really…
So are there any “temporary” malware removers out there, sort of like Avast Virus Cleaner, that don’t require any installation? Whatever this infection is, it will not allow internet access or anything to install (only Avast and HijackThis, but that’s it).
- Close ALL OTHER PROGRAMS.
- Double-click on OTS.exe to start the program.
- Check the box that says Scan All Users.
- Under Additional Scans check the following:
    - Reg - Shell Spawning
    - File - Lop Check
    - File - Purity Scan
    - Evnt - EvtViewer (last 10)
- Under Custom Scans copy and paste the following:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    c:\$recycle.bin\*.* /s
    CREATERESTOREPOINT

- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
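The /md5start … /md5stop part of that custom scan exists so the hashes of the listed drivers and DLLs can be checked: a rogue AV or rootkit that patches a system driver changes its MD5, and a deleted or renamed file shows up as missing. The script below is an added example (not the OTS tool and not code from the thread) that parses that section of the block, hashes the named files under a given folder, and compares them against hashes taken from a known-clean machine; the file names are the post's, the directory contents are constructed.

```python
import hashlib
import os
import tempfile

# Constructed excerpt of the OTS custom-scan block quoted in the post above.
OTS_CUSTOM_SCAN = "netsvcs\n/md5start\neventlog.dll\nscecli.dll\natapi.sys\n/md5stop\nCREATERESTOREPOINT\n"

def md5_targets(script):
    """Return the file names listed between /md5start and /md5stop, in order."""
    names, inside = [], False
    for line in (l.strip() for l in script.splitlines()):
        if line.lower() == "/md5start":
            inside = True
        elif line.lower() == "/md5stop":
            inside = False
        elif inside and line:
            names.append(line)
    return names

def hash_targets(root, names):
    """MD5 each target under root (e.g. the system32 folder); None if the file is absent."""
    out = {}
    for name in names:
        path = os.path.join(root, name)
        out[name] = None
        if os.path.isfile(path):
            with open(path, "rb") as f:
                out[name] = hashlib.md5(f.read()).hexdigest()
    return out

def compare_to_baseline(observed, baseline):
    """Flag targets that are missing or whose MD5 differs from a known-clean machine."""
    return {n: ("missing" if d is None else "MODIFIED")
            for n, d in observed.items() if d is None or d != baseline.get(n)}

def demo():
    """Constructed clean vs. suspect directories: one driver patched, one DLL deleted."""
    clean, suspect = tempfile.mkdtemp(), tempfile.mkdtemp()
    names = md5_targets(OTS_CUSTOM_SCAN)
    for name in names:
        data = b"original bytes of " + name.encode()
        with open(os.path.join(clean, name), "wb") as f:
            f.write(data)
        if name == "scecli.dll":
            continue  # simulated deletion on the suspect machine
        if name == "atapi.sys":
            data += b"\x00patched"  # simulated patched driver
        with open(os.path.join(suspect, name), "wb") as f:
            f.write(data)
    return compare_to_baseline(hash_targets(suspect, names), hash_targets(clean, names))
```

The baseline must come from a machine at the same XP service-pack and patch level, otherwise legitimate updates show up as MODIFIED.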
Well, I am in the process of using the uninstall method that was first posted, but it will not allow Rkill to run at all, no matter how many times I start it… it gets shut down immediately, not even giving it a chance to terminate the infection. So I don’t think that’s going to work.
Also, whatever this is, it will not allow ANY access to the internet, only itself and the random adult websites that pop up. I am on my laptop right now and using a USB key to transport information from one to the other, but I will try the second suggestion right now.
Thank you for your help so far… hopefully I can do this without having to take it in.
It’s not allowing me to do anything. As soon as I click on something it gets terminated immediately.
I’m going to try installing some anti-malware in safe mode…
Are you able to access safe mode? Reboot the computer and as soon as the BIOS screen comes up press F8 repeatedly. You should then see a menu; select Safe Mode with Networking first, and if that fails just select Safe Mode. Retry OTS in safe mode; if that fails, then download Kill.scr and follow the instructions below.
Double-click on rkill.com to run it. You may need to run this program a few times to stop the malware process running (up to 7 or 8); it may appear to do nothing but it is. The malware will probably complain about being stopped but please ignore this. Do not reboot your computer after running rkill until AVZ does, as the malware programs will start again.
- Save/transfer to your desktop.
- Double-click on Kill.scr to run it.
- Choose from the menu “File” => “Standard scripts” and mark the “Advanced System Analysis with Malware removal mode enabled” check box.
- Click on “Execute selected scripts”.
- Automatic scanning, healing and system check will be executed.
- A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
- It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
- All applications will work properly after the system restart.
When restarted:
- Start AVZ.
- Choose from the menu “File” => “Standard scripts” and mark the “Advanced System Analysis” check box.
- Click on “Execute selected scripts”.
- A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
Upload both virusinfo_syscure.zip and virusinfo_syscheck.zip to Mediafire and post the sharing link.
Okay, so after slamming my forehead on the desk a few times, and ripping a few tufts of hair out… I figured it out ;D
Went into safe mode, installed Malwarebytes (it was the only AM program that would install in safe mode), did a scan, found the infected files/key entries, removed them… and that was that. It was as simple as finding the right program and installing it in safe mode. My God am I ever rusty… or just lost my touch. Then again I am 9 months pregnant so my brain isn’t working properly ;D
Thank you all SOOOOO much for your help,
Hugs
PS they had Norton on this system before (gag) so I removed that junk and installed trusty ol’ Avast along with Spybot. Also hid the IE icon and installed Firefox… hopefully these kids stop opening crap they get on email or Facebook… it will be a long journey ahead haha
For future reference, this might also help in such a case. It does require internet access on an alternate computer, and a USB thumb drive, in order to be an effective strategy.
You can download the files free on an alternate computer, save them to a USB thumb drive, insert the USB thumb drive into a USB slot on the infected computer, boot that computer and then run a Deep Scan. I am not 100% sure if this will work in Safe Mode, but it would be a good idea to try it that way first.
As an additional recovery tool in this current infection, perhaps download A Squared Free and install it and then run a Deep Scan in Safe Mode. I find A Squared run in Safe Mode to be a powerful malware removal tool. However, A Squared may give some false positives, so I suggest googling anything A Squared suggests for removal unless you are 100% sure it is actual malware. Best of luck to you.
I can’t get the brats off the darn thing since it got fixed! hahaha, but everything seems to be fine now; I have a much better AV and AM on it so it should be alright. Thank you all for your help and I will bookmark this thread for future reference. ;D