I’ve used the “move to chest” function and tried to delete it, but when I do it says "Cannot process “C:\WINDOWS\Temp\wpv051250047226.exe\install.exe” file."
I also went to the temp folder itself to try and delete it manually. Now the file from temp is gone, but the warning in avast still pops up. And there is also the “install.exe” application in the list of processes. I’ve tried to terminate the process, but nothing happens… After that I tried running Malwarebytes’ Anti-Malware, but the scan got stuck 1 min and 15 sec into the scan. It stopped at C:\install.res.1031.dll. I’ve now also tried to terminate the Malwarebytes program, but it also won’t quit. Now I am completely out of ideas and afraid to turn off my computer…
When I downloaded avast I thought it would protect me from this kind of stuff, not just sit on my computer, take up space and not work… I don’t know for what reason.
So I would very much appreciate if someone could please help me out here.
[Update] Now I got 5 apps in the process list called “dumprep.exe” which I can’t end either…
Hi, welcome to the forum.
It looks like a rootkit has been installed by a trojan. Such things usually install either by taking advantage of a security vulnerability in out of date software, or by the user clicking on a link disguised to look like something else.
Using a browser that permits scripts to be run without user intervention can be a hazard these days, though I’m not saying that is the case here…it might be.
I’m not really expert enough to tell you exactly what to do.
Others who use this forum are, however.
You may want to wait to get an answer from someone more expert at malware removal.
What I would do is schedule a boot scan with Avast, exit MBAM, disconnect from the internet and reboot. I think that what you have is similar to (or the same as) this. So what else I would do is copy the filenames and regkeys indicated to notepad, reboot into safe, and see if manual deletion was possible. Then reboot to normal and run MBAM again. (disconnected.)
You might need to run some anti-rootkit applications. Here is a site with references/links to quite a few. I’d probably start with the Trend Micro one, then maybe the Avira, or the Sophos, or RootRepeal.
Avast has a rootkit scanner built in, based on Gmer. Appears it was unable to stop this one, for whatever reason.
Did you have any other AV installed before Avast?
(Apart from MBAM) any other security software active? Firewall on?
To answer your question about other security programs: I have avast, MBAM, Spybot S&D, Ad-Aware, SUPERAntiSpyware Free Edition, HijackThis, ComboFix, CCleaner and Diskeeper installed on my computer, and Windows Firewall is on (always on). I’m not an expert on using these programs, however. avast, SUPERAntiSpyware and Diskeeper were running at the time I got the virus.
And post a HijackThis log, please.
Open HijackThis, select “Do a system scan and save a logfile”. At the scan completion, a logfile will open. Post that as an attachment, or copy and paste it directly into your next post. It probably won’t fit into one post; you might have to break it up.
It’s easier to post as an attachment. (Select all, save as, probably to the desktop would be easiest, then add it as an attachment by using the “additional options” link at the bottom left of the reply window in this forum.)
When I scan with RegRun, some files keep reappearing all the time. No matter how many times I reboot they are still there. How can I get rid of them?
And how can I be absolutely sure that they are gone?
Hi there, could you run two programmes for me please?
Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).
1. Click on the Log tab.
2. In the Write to log box select all items.
3. Click on the Create Log button on the bottom right.
4. After a few seconds a new window should appear.
5. Make sure Scan all drives is selected and click on the Start button.
6. When it is complete a new window will appear to indicate that the scan is finished.
7. The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.
THEN
To ensure that I get all the information, this log will need to be uploaded to Mediafire; then post the sharing link.
1. Close ALL OTHER PROGRAMS.
2. Double-click on OTS.exe to start the program.
3. Check the box that says Scan All Users.
4. Under Additional Scans check the following:
   - Reg - File Associations
   - File - Lop Check
   - File - Purity Scan
   - Evnt - EvtViewer (last 10)
5. Now click the Run Scan button on the toolbar.
6. Let it run unhindered until it finishes.
7. When the scan is complete Notepad will open with the report file loaded in it.
8. Click the Format menu and make sure that Word Wrap is not checked. If it is, then click on it to uncheck it.
So there it is… Just lying there and I can’t seem to do anything about it.
Also I can’t seem to find the path "c:\System Volume Information". Don’t know if it’s normal…
“System volume information” is where the restore points are kept.
Don’t worry about it for now.
When the cleanup is complete, and all is working normally, it will be advisable to turn system restore off, reboot, then turn it back on.
That will clear all system restore points, and with them, any malware.
The only way I know of that malware can infect you from system restore is if you actually use a restore point that is infected. (So don’t.)
You know you can attach images and txt files (up to 200K, I think) directly to the forum post?
See “additional options” at the bottom left of a reply window.
I see that you have run a fair few tools. Could you post the ComboFix log? It should be at C:\ComboFix.txt.
During this run you will lose all processes as they are closed; this is normal.
Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Files/Folders - Created Within 30 Days]
NY -> winstart.bat -> C:\WINDOWS\winstart.bat
[Files/Folders - Modified Within 30 Days]
NY -> winstart.bat -> C:\WINDOWS\winstart.bat
[Empty Temp Folders]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
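The OTS fix above removes a recently created C:\WINDOWS\winstart.bat, one of several legacy autostart locations that modern startup managers often overlook. The following is an added PowerShell example, not part of the forum thread or of any of the tools mentioned in it; it lists those legacy files (winstart.bat, wininit.ini, win.ini, system.ini, autoexec.bat, config.sys), flags any created or modified within the last 30 days, prints the contents of any .bat found, and dumps the Run/RunOnce registry keys for the machine and the current user. The 30-day window and the file list are the example's own assumptions, chosen to mirror the "Created Within 30 Days" section of the OTS report; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the forum thread): enumerate legacy Windows autostart
# locations and recent Run/RunOnce entries. Paths and the 30-day cutoff are
# assumptions chosen to match the OTS "Created Within 30 Days" scan window.

$windir = $env:SystemRoot
$sysDrive = $env:SystemDrive

$legacyFiles = @(
    (Join-Path $windir 'winstart.bat'),   # run by the 16-bit startup path (Win9x/ME, still honoured on some XP installs)
    (Join-Path $windir 'wininit.ini'),    # rename/delete-on-boot directives
    (Join-Path $windir 'win.ini'),        # load= / run= lines under [windows]
    (Join-Path $windir 'system.ini'),     # shell= / drivers= lines
    (Join-Path $sysDrive 'autoexec.bat'),
    (Join-Path $sysDrive 'config.sys')
)

$cutoff = (Get-Date).AddDays(-30)

Write-Output "== Legacy autostart files (RECENT = created/modified after $($cutoff.ToString('yyyy-MM-dd'))) =="
foreach ($f in $legacyFiles) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f
        $recent = ($item.CreationTime -gt $cutoff) -or ($item.LastWriteTime -gt $cutoff)
        $flag = if ($recent) { 'RECENT' } else { '' }
        '{0,-40} created {1:yyyy-MM-dd HH:mm} modified {2:yyyy-MM-dd HH:mm} {3}' -f $f, $item.CreationTime, $item.LastWriteTime, $flag

        # A batch file in the Windows directory is rarely legitimate; show what it would run.
        if ($item.Extension -ieq '.bat') {
            Get-Content -LiteralPath $f | ForEach-Object { "    | $_" }
        }
        # For the .ini files, only the lines that can launch something are interesting.
        if ($item.Extension -ieq '.ini') {
            Get-Content -LiteralPath $f | Where-Object { $_ -match '^\s*(load|run|shell|drivers)\s*=' } |
                ForEach-Object { "    | $_" }
        }
    }
}

Write-Output ''
Write-Output '== Run / RunOnce registry keys =='
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        $props = Get-ItemProperty -Path $k
        # Skip the PS* metadata properties that Get-ItemProperty adds to every object.
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { '{0} : {1} = {2}' -f $k, $_.Name, $_.Value }
    }
}
```

Anything flagged RECENT in the first section, or a Run entry pointing into a Temp directory (the original report named C:\WINDOWS\Temp), is worth copying into Notepad before rebooting into Safe Mode, as the earlier reply suggested, so the path is still available if the file hides itself again after a normal boot.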
I ran OTS following your instructions and it was very short indeed.
After a few seconds I got blue screen and when the computer rebooted itself this message was displayed: