02-13-2010 09:06 AM - last edited on 02-13-2010 10:07 AM by shannons
I hope this is in the right forum, guys! Sorry if it's not =/
I am currently on a different computer workstation in the house. But, about an hour ago, I was on the computer in my study room, when Norton AntiVirus popped up in the corner with 'processing threats'. This was then followed by multiple other messages from my other antivirus software (AdAware, Superantispyware and Malware Bytes). At the time, I was downloading a .rar file, from a website I have used a hundred times before and that I've always known to be pretty trustworthy.
Instantly thinking that I must be downloading something ominous, I cancelled my download (which was around 2 minutes in/5% complete) and closed the windows I had up, to return to my desktop, and my anti-virus software icons. When I got there, I saw that my desktop wallpaper had now been changed from a default black appearance to a bright green wallpaper stating, in black and red text in the centre of the screen, something along the lines of 'warning! your system is infected. immediately run anti-virus software, and do not continue to use the computer until you have done so'. Thinking this to be a 'fake alert' (I've had a fakealert trojan before), I went straight to Malwarebytes and ran a quick scan. Norton was also scanning automatically.
The scan found 20 infected items.. all named 'Trojan.fakealert' and '.fakedisplay', '.displayprompt' and the like. I selected for Malwarebytes to remove the items, and pressed remove.. It said all the items had been quarantined but to complete the removal process, my computer had to be restarted. I obliged. Norton said the same thing in a pop up box in the corner of the screen - that it needed to restart to clear the infected items!
My computer restarted as normal, and came to the blue screen where you select your name/picture and it logs you in. I clicked my name/picture as always, and it said 'logging in' ...but then instead of showing my desktop loading, it just showed a black screen with the cursor, then after around 20 seconds, went back to the blue log-in screen, and said 'logging off....shutting down processes' etc. It seems Norton and Malwarebytes didn't do a good enough job of quarantining/removing the trojans.. and they are now preventing my system from loading :(
Any help on this would be GREATLY appreciated!
[edit: Clarified subject.]
ps, my operating system is XP
02-13-2010 09:41 AM
02-13-2010 12:15 PM - edited 02-13-2010 12:20 PM
The only antivirus program you have installed is NAV according to what you have mentioned in your post.
"This was then followed by multiple other messages from my other antivirus software (AdAware, Superantispyware and Malware Bytes)"
These other programs you have listed are not antivirus programs. If you have the paid versions of Malwarebytes and SuperAntiSpyware, they will interfere with your Norton product. Depending on the version of Adaware, that will also interfere. The free versions of Malwarebytes and SuperAntiSpyware are OK to use as on-demand scanners.
I would not recommend using advanced programs such as combofix without directions from an expert. You may end up with worse problems than you have now.
Success always occurs in private and failure in full view.
02-13-2010 05:30 PM
You should not have more than one antivirus program in your computer at one time. You should also have a good firewall installed since NAV has no firewall at all.
02-15-2010 09:24 AM
Hi guys, been away for the Valentine's weekend but now I'm back and focused on trying to get my computer to work again!
Yeah, that's right, the only antivirus software I have is NAV.
The versions of Adaware, Malwarebytes and SuperAntiSpyware that I have are free ones, and don't interfere with Norton.
So if you say that it would be unwise to use an advanced program such as combofix, then how can I fix my problem?
=( Is there anything else I can do in 'safemode with networking' that may be able to get rid of those viruses?
Or do you think I may just have to call out a professional?
Any help would be welcomed!
Thanks a lot.
02-15-2010 10:36 AM - edited 02-15-2010 10:39 AM
"=( Is there anything else I can do in 'safemode with networking' that may be able to get rid of those viruses?"
Do you have Safe Mode, without the logon / logoff loop?
02-15-2010 10:43 AM
No, I can't load the system in safe mode either :(
I haven't tried loading it in 'safemode with networking' yet though. Should I try that??
In general, I'm dubious about what I'm doing because I'm a bit of a noob, and I don't want to somehow infect the rest of the house's computers. eep.
02-15-2010 11:37 AM
You could have had a Trojan that either infects or is a complete malware version of "userinit.exe" in the legit location, or the likes of a registry entry pointing to the wrong file, sort of thing. Trouble is, I did come across a malware version of "userinit.exe", wrong size and not legit, but because it's in the system32 folder, that means the Windows version is gone from that folder.
But when Norton detects and removes it, on the next restart the logon / logoff loop occurs.
One thing: if you are uncomfortable doing the likes of below, go to a PC tech.
Things to look at are this post http://community.norton.com/t5/Norton-Internet-Sec
and (but not if you have an OEM Windows install and you would probably have to install some programs etc after)
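The post above names a registry entry pointing to the wrong file as one possible cause of the logon/logoff loop. As an added example (not part of the thread), this Python check reads a text export of the Winlogon key and reports Userinit and Shell values that differ from the defaults; the key name, the value names and their Windows XP defaults are not given in the thread and assume a standard C:\WINDOWS install, and the sample exports are constructed.

```python
import re

# Suffix of the Winlogon key; matching on the suffix also covers a SOFTWARE hive
# loaded offline under another name (assumption: text exported by reg/regedit).
WINLOGON_SUFFIX = r"\microsoft\windows nt\currentversion\winlogon"
# Default XP values, assuming Windows is installed in C:\WINDOWS.
EXPECTED = {"userinit": [r"c:\windows\system32\userinit.exe"], "shell": ["explorer.exe"]}
STRING_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Return {key_path: {value_name: string_value}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := STRING_VALUE.match(line)):
            # .reg files escape backslashes and quotes with a backslash.
            name, value = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name.lower()] = value
    return keys

def check_winlogon(text):
    """List Userinit/Shell values that are missing or differ from the defaults."""
    values = {}
    for path, found in parse_reg_export(text).items():
        if path.endswith(WINLOGON_SUFFIX):
            values = found
    findings = []
    for name, expected in EXPECTED.items():
        if name not in values:
            findings.append(f"{name}: value missing")
            continue
        # Userinit is a comma-separated list, normally ending in a comma.
        entries = [e.strip().lower() for e in values[name].split(",") if e.strip()]
        if entries != expected:
            findings.append(f"{name}: unexpected value {values[name]!r}")
    return findings

# Constructed sample exports (not taken from the thread).
CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''
TAMPERED = CLEAN.replace("userinit.exe,", "example-replaced.exe,")

if __name__ == "__main__":
    print(check_winlogon(CLEAN), check_winlogon(TAMPERED))
```

This covers only the registry case; the other case in the post, a userinit.exe of the wrong size sitting in system32, needs the file itself compared against a known-good copy.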
02-15-2010 11:56 AM
If you got alerts from Malwarebytes' and SUPERAntiSpyware, then this leads me to believe that you do have the Paid Versions of these products, because the non-paid ones do not display Alerts as they are only used as On-Demand Scanners.
If you currently use Norton Antivirus 2009/2010, then please have a look at this Thread which lists some Firewalls you can use alongside your Norton Product.
02-15-2010 08:49 PM - edited 02-15-2010 08:59 PM
You are getting a lot of good advice, but some vital things are missing.
1. While it's alright to run the free version of malwarebytes on the same computer as NIS or NAV, it is not good practice to have them both scanning at the same time; especially if both require a reboot to finish cleaning up. What will happen is that both programs will embed scripts in the DOS level (so-to-speak) boot up to perform their particular clean-up routines. It is inevitable that those two scripts will interfere with one another. This could also apply to other active software. It could be a mess!
2. Most important is to not lose any vital data. Invest in a relatively cheap power-on backup-and-recovery program. This is a program that runs before Windows loads; it runs from a CD when you power on the computer. Acronis is a good such program.
You don't need to have previously installed Acronis (or other such programs). You can run it at power on, and back up to a flash-drive or external hard-drive everything important to you on the affected hard-drive ... if it hasn't been made inaccessible. Even if your computer cannot boot from that drive, Acronis will probably be able to access it and collect whatever you need. Think carefully about everything you want to recover (letters, tax documents, financial data, media files like music, videos, pictures, etc, email, irreplaceable downloads). Be careful about such things as applications as they might be infected with unfixed malware, and re-infect your fixed computer -- when you do restore things like Outlook files, be very careful to scan them immediately before using them.
3. Once you have recovered everything you need, re-image your hard-drive with a prior backup or by using whatever means your computer manufacturer provided (CD, DVD, restore sector -- may be inaccessible) to restore it to original factory condition. It's not as bad as it sounds. When you update the restored system, it will skip a lot of unnecessary prior updates and you should find your computer in better shape than ever.
Also, get into the habit of making regular updates (of both data and system images) using that Acronis program you purchased (or whatever you got).
Note: if your computer will only re-image from a restore partition and it turns out that partition is not accessible because of damage to the zero sector, MBR of your drive, there is an alternative possible and worth considering (I just did something like this in a similar situation to a client's computer):
First, use Acronis to make a copy of the entire system.
Second, find a Windows installation disk of the same version you have on your computer and reinstall Windows. It will fix your drive from scratch during the installation. If this is your Windows disk, you can consider rebuilding the rest of your computer by downloading all apps and drivers from your manufacturer's website.
Or (and especially if this is not your Windows disk), you can then use Acronis to restore your backed up system. It is quite possible that the newly formatted hard-drive will take the restoration image and work with it. But remember that it has been infected and will need thorough and careful cleaning.
I suggest all this because, frankly, I have found very few good technicians at repairing computers. They work for competitive wages and just want to get the job done as quickly as possible. From your point-of-view, you need all your important stuff without paying a couple of hundred dollars for the labor. If you can get what you need and also learn something about saving your computer yourself, you will definitely come out ahead.
Good luck and let us know how things work out.