Spyware Alert - not detected by Norton Antivirus has hijacked my PC

Hi Quads and all :

thanks so much for jumping in here to help.

 

I'm going to try to recap to make sure I have the process....

 

download the malwarebytes from link provided on other computer.

rename file.

put on memory stick

reboot in safe mode (which disconnects from the internet)

run the program

 

is this right? 



Only partially.

 

Don't reboot unless you have no recourse. If you can install malwarebytes or superantispyware from the stick, and update it on your system, that would be best. If not, then shutting down, running the Norton Recovery Tool, with the computer wired to the internet, will allow the NRT to update itself with the latest signatures and might provide some help fighting the virus.

 

Also, if you have a rootkit, the NRT through its Advanced button will allow you command line access to your computer, and you can follow Quads' advice posted hereabouts for replacing the atapi file (please do a search on that to find out what we're talking about). After that, you can boot to Safe Mode and try working there.

 

You can also visit any of the following sites that will walk you through similar cleanup routines. They won't help you immediately because this latest round of malware is hitting a lot of people and cleanup is NOT easy. But they are good people and will work with you eventually.

 

www.bleepingcomputer.com

http://www.geekstogo.com/forum/

http://www.cybertechhelp.com/forums/

Message Edited by mijcar on 12-14-2009 09:07 PM

Hi Mijcar:

I don't have a rootkit and/or a memory stick... and I'm a little timid about deleting things... I do have malwarebytes running now ... a quick scan to see what I get... and then I was going to run a full scan. We rebooted in safe mode (unfortunately) but were able to install the malwarebytes program.

 

I hope I haven't caused myself more issues... will let you know how this goes and will re-read the other posts. Thanks. 



I hope you don't have a rootkit. You've made the same mistake I made when I first saw the word. It sounds like a good thing. It isn't. It's a form of malware that embeds itself deep (hence "root") into your computer so that it can take over the function of the computer. A memory stick is another name for those portable USB drives, usually available really cheaply and truly invaluable, particularly in a situation like this one.

 

I want everything you are doing to work out for you and they may well do that.  What makes me suspicious that they might not is that the infection did slip by your Norton defenses, which makes it most likely a new form of infection, and most of the new ones are quite bad.

 

For that reason I want to take a "worst case" approach in my suggestions. One good thing about these suggestions is that they consist for the most part of things you should have been doing all along and that will benefit you in the long run.

 

1. After malwarebytes and superantispyware have run, please put your computer into suspension instead of rebooting it.

2. Get yourself a USB drive or a USB external hard drive (a large one of 150 Gigs runs under $50 now) if you can.

3. Even in Safe Mode, your computer should recognize and work with the USB drive and it's 50-50 that it will work with the external hard drive (more suggestions later if it won't; for now I will assume that it will work).

4. Copy everything that is important to you to the USB drive or external hard drive. Think: Taxes, Spreadsheets, Photos, Music, Documents, Letters, Money-related, friend-related, activation codes for products you purchased if you stored those on your computer, email. If you use Outlook, you can back up your entire Outlook database using their import/export function. Easiest is probably to back it up to an Excel file - that would be your choice. AOL allows you to save your correspondence online on their site with one key click ... if not too much time has passed. If not, you can copy your entire PFC (personal filing cabinet) which you will find under your screenname in a folder called Organize somewhere in AOL and Application Data - you will have to search for it.

 

If you can't get to your USB drive or external hard drive, you may have to boot up in Normal Mode and try from there.

Or you can look for a product called Acronis PC Backup and Recovery which will allow you to boot from their CD and recover whatever you need from your computer.  It's a good product to have for ultimate backup, but that isn't the present issue.

 

 

Okay, take a breath. If you have gotten this far, you have preserved all that is important. One way or another you should be able to restore your system. You will need advice for that and it may take a number of hours. But computers are replaceable and data is not.

 

I and others will check back tomorrow to see how things are and where you have gotten.

 

Good luck,

 

 

Good morning:

I have successfully run malwarebytes twice. Once with the quickscan which picked up several things that I quarantined. Log files say they were quarantined and deleted successfully. Then I ran a full scan of all drives and it picked up nothing additional. I was going to paste the log files but because I started the PC in safe mode I can't connect to that machine. I'll manually type a recap:

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 19

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 1

 

Registry Key Infected:

HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) - Quarantined and deleted successfully

 

Registry Values Infected: (all were quarantined and deleted successfully)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_command (Backdoor.Agent)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_file (Backdoor.Agent) 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_idproject (Backdoor.Agent) 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pauseopt (Backdoor.Agent) 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pausecert (Backdoor.Agent) 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_options (Backdoor.Agent) 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_server1 (Backdoor.Agent) 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_reserv (Backdoor.Agent) 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_id (Backdoor.Agent) 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_certs (Backdoor.Agent) 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_options (Backdoor.Agent) 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_ss (Backdoor.Agent) 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pstorage (Backdoor.Agent) 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_forms (Backdoor.Agent) 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_deletecookie (Backdoor.Agent) 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_deletesol (Backdoor.Agent) 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_newversion (Backdoor.Agent) 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vcyuamin (Trojan.FakeAlert) 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vcyuamin (Trojan.FakeAlert) ... this is correct, it was noted twice

 

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

Folders Infected: (No malicious items detected)

 

Files Infected:

C:\Documents and Settings\Ruth Maugeri\Local Settings\Application Data\wrijds\upofsysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

 

----------

The second scan was completely clean.
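The recap above is a hand-typed copy of a Malwarebytes log, so here is an added example (editor's code, not from the thread and not from Malwarebytes) that parses that log layout and runs a small triage pass over it. It is fed a constructed sample in the same shape as the recap, with the poster's user name replaced. The triage tags the items a responder looks at first: an autostart (`...\CurrentVersion\Run\...`) value, which is how the fake AV came back on every boot; a Security Center notification value set to "Bad: (1)", which is the malware switching off the firewall warning; and any family that appears only as registry entries with no file removed. In the recap that last check fires for Backdoor.Agent (17 registry values, no file), which is a concrete reason to follow the advice further down to run a second scanner. The section names, the `item (Family) -> action` line shape, and the sample contents are assumptions taken from the recap.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the hand-typed recap above (not the poster's real log file).
SAMPLE_LOG = """\
Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\xrt_opt_server1 (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\xrt_opt_certs (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\vcyuamin (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityCenter\\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\\Documents and Settings\\user\\Local Settings\\Application Data\\wrijds\\upofsysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "item (Family)" optionally followed by " -> ..."; the non-greedy item still copes with "(x86)" in paths.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9.]+)\)(?: -> (?P<rest>.+))?$")
AUTOSTART_RE = re.compile(r"\\currentversion\\run(once)?\\")


def parse_mbam_log(text):
    """Group 'item (Family) -> action' lines under their 'X Infected:' header."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group("section")
            continue
        entry = ENTRY_RE.match(line)
        if current is None or not entry:  # e.g. "(No malicious items detected)"
            continue
        rest = entry.group("rest") or ""
        # Data items carry "Bad: (1) Good: (0) -> action"; the action is always the last segment.
        action = rest.split("->")[-1].strip().rstrip(".")
        sections[current].append(
            {"item": entry.group("item"), "family": entry.group("family"), "action": action}
        )
    return dict(sections)


def summarize(sections):
    """Per-section counts, the same numbers the log's own header block reports."""
    return {name: len(entries) for name, entries in sections.items()}


def triage(sections):
    """Tag persistence, security-feature tampering, backdoor config, and families with no file removed."""
    findings = []
    for entries in sections.values():
        for e in entries:
            item_l = e["item"].lower()
            if AUTOSTART_RE.search(item_l):
                findings.append(("persistence", e["item"]))
            if "\\securitycenter\\" in item_l or e["family"].startswith("Disabled."):
                findings.append(("defense-evasion", e["item"]))
            if e["family"].startswith("Backdoor."):
                findings.append(("backdoor-config", e["item"]))
    file_families = {e["family"] for e in sections.get("Files Infected", [])}
    reg_families = {
        e["family"]
        for name, entries in sections.items()
        if name.startswith("Registry")
        for e in entries
        if not e["family"].startswith("Disabled.")  # a changed setting, not a component
    }
    # Registry traces of a family whose executable was never found: the scanner may have missed the payload.
    for family in sorted(reg_families - file_families):
        findings.append(("no-file-removed", family))
    return findings


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print(summarize(parsed))
    for tag, what in triage(parsed):
        print(f"{tag:18} {what}")
```

The `no-file-removed` tag is deliberately conservative: it says nothing about where the missing component is, only that the scanner cleaned configuration for a family without cleaning a binary, which is exactly the situation a second scanner (or a rootkit scanner) is for.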


Hi

 

I just wanted to point out something about fixing rootkit problems. I believe even if a rootkit has the same name as a previous rootkit, the process of fixing the rootkit is an individual matter. Looking back for solutions for a rootkit isn't a good idea in my opinion. It may be ok if the search results in someone finding that they should use a basic program to just scan to see if they have a rootkit. Not every rootkit damages the same system in the computer. These cures and scans have to be customized to the particular computer at the particular time. Looking back at past solutions can sometimes result in people trying to use certain programs which are dangerous in the hands of those who don't know how to use them.

Hi Floplot:

I'm not sure I understand what you're advising me to do? 

Hi Ruth

 

I was just pointing out that in general, I don't think it's good to go searching for solutions for rootkits in the forum here. That's just my opinion. I think if you have a rootkit, then it's a better idea to go to a site where they can give you step by step instructions that are customized to your computer at the time that they give you the instructions.

 

Someone had mentioned in another post that you could look at how other rootkits had been fixed or look at a step in that process and see how it was done at that time.

Hello Ruth,

 

Perhaps I have missed this, but are you now able to start the computer in normal mode?

 

If so, what are your observations?

 

[edit: clarified]

Message Edited by Phil_D on 12-15-2009 12:31 PM

Hi Phil:

I've hesitated restarting in normal mode until someone who has some experience gives me some input... I'm rerunning the malwarebytes scan again now. The last one came up completely clean (as you can tell from my earlier post).

 

Do you think it's safe to restart now in normal mode?

Hi Ruth

 

Please don't forget to update malwarebytes before every scan you run. They do update their programs quite often. It looks like it found the rogue antivirus program, but I am not qualified to say if you have a rootkit. Malwarebytes doesn't usually show them I don't think, but it is helpful in cleaning up the malware that a rootkit can cause to be downloaded to you.

Hi floplot:

I tried to update it, but got an error... I don't think my internet connection is on in safe mode. 

Restarting in normal mode will give you an idea of how you have progressed with the removal.

 

And, although Malwarebytes found items in Safe Mode, it is actually designed to work best in Normal Mode. More items may be found in a normal mode scan.

 

There are no 100% guarantees and the choice is yours, but if it were my computer, I would restart in normal mode, observe the behavior and then update and run another Malwarebytes scan. It would also be a good idea to delete your Windows %temp% folder.

 

Quads is the expert in Malware Removal. You certainly do have the option to wait and get more input.

 

 

[edit: grammar]

Message Edited by Phil_D on 12-15-2009 01:12 PM

Hi Phil:

I'm going to restart in normal mode, check for updates and rescan. Will post my results. Thank you. 

Hi Ruth

 

It would also be a good idea to empty out your recycle bin and also remove any system restore points if they are still turned on. Can you open up things like task manager, command prompt once you are in normal mode?

Hi Floplot:

I'm not familiar with those type of actions... Not a command-prompt type of gal. I did empty the recycle bin and am running another scan. I'm not able to update malwarebytes. I get an error 732(12029.0) 

Hi Ruth

 

I would say that not being able to update malwarebytes is a sign that you still have an infection there, and I think most likely a rootkit. I would go to one of the sites mentioned in one of the other posts in this thread and have them rule out whether or not you have a rootkit. If you do have a rootkit, the more you use the computer, the worse the rootkit will get.


floplot wrote:

Hi Ruth

 

I would say that not being able to update malwarebytes is a sign that you still have an infection there, and I think most likely a rootkit.


Or the setting for the net has not been reset.

Quads

 

Hi Quads:

I'm running the scan again in normal mode now. It should be just about done. How would I reset the "net" as you say. So far this scan is also coming up clean. 



Sorry I'm late getting back.

 

One scanner is not enough with the stuff going on. Please, please download, update, and run superantispyware from the site I gave you.

 

As Flo said, not being able to update could be an issue. And as Quads said, you may need to reset your connections.

 

But I would really run a different scanner. They search based on different signatures and employ different strategies. In this case, more is more.
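The update error quoted earlier, 732 (12029, 0), carries a WinINet/WinHTTP status: 12029 is ERROR_INTERNET_CANNOT_CONNECT / ERROR_WINHTTP_CANNOT_CONNECT, meaning a TCP connection to the update server could not be established at all (as opposed to 12007, name not resolved, or 12002, timed out). Two things on the machine itself produce exactly that symptom and are what "reset the net" usually comes down to: a hosts file entry that points a security vendor's site at 127.0.0.1, and a system proxy setting that points at a dead address. As an added example (editor's code, not from the thread and not a claim about what was on the poster's machine), here is Python that checks both. The hosts file content and the watchlist of vendor domains are constructed for illustration; the proxy reader uses the per-user WinINet `ProxyEnable`/`ProxyServer` registry values and returns `None` on a non-Windows host.

```python
import ipaddress
import sys

# Constructed hosts file (not from the thread) with the two kinds of entry worth flagging.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org        # vendor site blackholed
127.0.0.1       www.superantispyware.com
0.0.0.0         liveupdate.symantec.com
198.51.100.7    www.google.com              # a site silently redirected to another host
"""

# Assumed watchlist: domains that a normal workstation never needs overridden in its hosts file.
WATCHLIST_SUFFIXES = (
    "malwarebytes.org", "superantispyware.com", "symantec.com",
    "norton.com", "microsoft.com", "windowsupdate.com",
)
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments and blank lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def suspicious_hosts_entries(text):
    """Flag vendor sites sent to loopback/unspecified or elsewhere, and any other site pinned to an IP."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("malformed", ip, name))
            continue
        blackholed = addr.is_loopback or addr.is_unspecified
        on_watchlist = any(name == s or name.endswith("." + s) for s in WATCHLIST_SUFFIXES)
        if on_watchlist and blackholed:
            findings.append(("blackholed-security-site", ip, name))
        elif on_watchlist:
            findings.append(("redirected-security-site", ip, name))
        elif not blackholed:
            # Loopback entries for other names may be an ad-block list; a real IP is a redirect.
            findings.append(("redirect", ip, name))
    return findings


def assess_proxy(proxy_enable, proxy_server, expected_host=None):
    """Mirror of the WinINet values: a proxy you did not configure explains 'cannot connect'."""
    if not proxy_enable:
        return None
    # ProxyServer is "host:port" or "http=host:port;https=..."; take the first host.
    host = proxy_server.split(";")[0].split("=")[-1].split(":")[0]
    if expected_host and host == expected_host:
        return None
    return f"system proxy enabled and pointing at {proxy_server!r}"


def read_windows_proxy():
    """Read the current user's WinINet proxy values; None when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    key = winreg.OpenKey(
        winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    )
    enable, _ = winreg.QueryValueEx(key, "ProxyEnable")
    try:
        server, _ = winreg.QueryValueEx(key, "ProxyServer")
    except FileNotFoundError:
        server = ""
    return int(enable), server


if __name__ == "__main__":
    for finding in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(*finding)
    proxy = read_windows_proxy()
    if proxy is not None:
        print(assess_proxy(*proxy) or "no system proxy configured")
```

On a real machine the hosts file lives at `%SystemRoot%\System32\drivers\etc\hosts`; read it with the same `suspicious_hosts_entries` and remove any flagged lines before retrying the update. Note that a clean hosts file and a clean proxy setting do not rule out a kernel-level filter, which is why the thread's advice to follow up with a second scanner and a rootkit check still stands.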