Any suggestions on how to remove? Is bleepingcomputer.com and malwarebytes.com a reputable company/site? Am I just installing more viruses here?
What's frustrating is I have a competitor's up to date AV software installed and still got this. I called them and they said "Yeah we know about that and can remove it for you for $89."
If I knew NAV would remove it and protect me I'd be dumping that other Anti Virus software real fast.
My kids don't have admin rights to the computer so they can't install anything without a password.
Unfortunately, no one antivirus program is going to be 100% effective all the time. The free version of Malwarebytes is often recommended in the Forum as an on-demand scanner, and so is the SUPERAntiSpyware free version.
We also recommend some malware removal sites where they work with you on a one-to-one basis for free to help you remove malware of types where a simple scan with Norton security programs may not be able to clean the malware. All you have to do is sign up with one of them and they will tell you what scans to run and what programs are safe for you to run to clean up your computer. We try to help our fellow Norton users get their computers clean and help with other problems as well. Here is the list of free malware removal sites that we recommend.
Please go to one of these free Forums for help in removing your bad malware or rootkits.
Once your computer is cleaned up, we can give you further instructions to install a Norton product and how to remove your other security program, if that is what you would like to do. Thanks.
One word of advice: if you are seeking help with removing viruses with one of the forums delph mentioned, DO NOT post in multiple forums, as that would turn others away from helping you, since the forums don't know who is helping whom. For example, if you post in the bleeping and malwarebytes forums and the guys at bleeping found your other thread at malwarebytes, they would think you are receiving help from malwarebytes. So it is best to choose one forum and stick with it. It also avoids confusion over what is being done, which may otherwise result in malware fragments being left behind.
Also, just curious, what AV are you using at the moment?
Also, the folks who are qualified and volunteer their time to help on the malware forums mentioned are not that many in number, and some work multiple forums, so they have a good idea of who is being helped on which forum. Most of the malware removal forums will close your thread if they are aware that you are seeking assistance on another forum. Almost all of the volunteers let you know this in one of their first responses.
It is not fair to the volunteers or others seeking assistance if you try to double post on different forums and take up the time of two volunteers.
Thanks for all the suggestions. I'll stick to communicating within this forum.
Quads, I just gotta ask: why would you infect your computer on purpose? That is exactly the issue I have. Also, I'm curious how you would know how to do it? I'd like to avoid it.
Sunday evening I'll get back to trying out the suggestions by malwarebytes and see how I do.
Someone posted that an antivirus program can't know about all the viruses out there and I completely understand that. What rubbed me the wrong way is that the company I had already paid said "We know about that and can remove it for you for the fee". I get automated updates so you would think I'm up to date. Maybe I'm too naive.
Quads is an expert malware removal person who has been trained to remove malware. He infects his computer on purpose in order to learn how to clean up the malware.
Unfortunately, many times the malware writers are like a step ahead of the antivirus programs. Almost as soon as a definition comes out to stop a type of malware, it has been altered just enough, many times, to slip through the antivirus program.
This same sort of thing happens even in online gaming. There are certain programs that the servers use to try and keep out the people who cheat. Almost as soon as they come out with a new version of the anti-cheat program, it is already hacked and broken. It's a constant battle to try and keep up. That is also why we often recommend that running an on-demand scanner can be helpful in catching the malware. We often recommend the free versions of Malwarebytes and SuperAntispyware.
The malware removal forums are better for remediation because they have people like Quads who are trained in safe removals, and they have access to programs and scans, some of which they invented themselves, in order to get the system clean. The forum assistance is restricted to those people who qualify in malware removals, rather than everybody being allowed to post suggestions. Some malware has to be removed in steps, and they use other programs that allow you to get back into your machine when it doesn't boot properly or at all.
Our forums are open and do not provide a safe environment.
Here is a screenshot of a FakeAV (System Restore) that does not even give any icons on the desktop, no Computer, Recycle Bin etc. and No Wallpaper.
I did find a way around it in Normal Mode, to get My Computer and Internet Connections as well as Control Panel. I also used Internet Explorer once I got to it, to be able to download Rkill while the FakeAV is still running.
Internet Explorer is allowed to run, you just have to get to it.
I got to thinking about infecting your own computer and it started to make sense seeing Quads history of helping people. Starting the process to remove this thing now.
So far so good, except for the start menu shortcuts.
Rkill stopped the virus. I was in normal mode when I ran it and didn't have to boot to safe mode.
The Malwarebytes software found a number of infected files with the quick scan. Running the full scan now. Prior to running Malwarebytes I ran my other installed AV software and it came up empty. I'd be interested to hear from the experts what they used to remove it. I guess it sure pays to know the various options.
Ran Unhide as the admin and the missing files came back.
Ran Unhide as the user that was running when I got the virus and I'm still missing my shortcuts on the start menu, plus still missing some desktop icons.
Thinking I'm getting close to cleaning this up; we'll see after the full scan and I reboot in the morning.
TREMENDOUS THANKS TO ALL.
This is scary stuff. Really wish I knew how I got it. Like I said, I had reputable AV software with real-time protection, plus the everyday account doesn't have admin privs. If I have to get a virus I'd prefer to get this one, where I know I got it. The dangerous ones are the ones that are there sniffing passwords and you don't know it.
I do assume you are getting these instructions from one of the malware removal sites? Also, you have mentioned that you use another company's antivirus program. If you are working with one of the removal sites, then you should be thanking them also.
Sometimes Unhide can't copy the program links across on some computers; it is not clear why.
Backup locations of where all the shortcuts went, and the location to copy them back to for the links to return in the menus:
%Temp%\smtmp\1\ (for instance C:\Documents and Settings\John\Local Settings\temp\smtmp\1)
    Windows XP: C:\Documents and Settings\All Users\Start Menu
    Windows Vista and Windows 7: C:\ProgramData\Microsoft\Windows\Start Menu
%Temp%\smtmp\2\ (for instance C:\Documents and Settings\John\Local Settings\temp\smtmp\2)
    Windows XP: C:\Documents and Settings\<your login name here>\Application Data\Microsoft\Internet Explorer\Quick Launch\
    Windows Vista and Windows 7: C:\Users\<your login name here>\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\
%Temp%\smtmp\3\
    Windows XP: Not in XP
    Windows Vista and Windows 7: C:\Users\<your login name here>\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
%Temp%\smtmp\4\ (for instance C:\Documents and Settings\John\Local Settings\temp\smtmp\4)
    Windows XP: C:\Documents and Settings\All Users\Desktop
    Windows Vista and Windows 7: C:\Users\Public\Desktop
Here is a screenshot of the first folder with its contents to COPY across to the correct location.
There are other settings you may have to reset for the Start Menu. I did this first, so that with the Black Wallpaper variant (no wallpaper) I could get to the Internet Connections, My Computer and Internet Explorer.
Use the Start Menu properties to reset the Browser etc. to be back on the Start Menu. If doing this at the start of the removal process, just concentrate on the above 3, as the FakeAV will eventually reset it back to not showing them. So if you quickly do just those 3, and afterwards open My Computer and Internet Explorer and leave them open, it then doesn't matter if the FakeAV hides them again, as you already have the 2 windows open.
Tick the Internet and from the Drop down menu select Internet Explorer.
Then on the Advanced Tab select Display as Link for My Computer and Display as Connect To for Connections. Then press OK, Apply and OK again, as quickly as possible.
This is what you end up with and allows you to get to My Computer (Computer) and Internet Explorer to open them.
Now you can download Rkill (the copy named iexplore.exe), save and run it to stop the FakeAV (System Restore), then download Unhide.exe and Malwarebytes; install Malwarebytes, update the definitions and run a scan to remove the files and registry entries. Do Not Restart the Computer until After Malwarebytes.
After that you can go about copying the smtmp folder contents across to the correct locations, reset the rest of the Start Menu options (Control Panel, My Documents etc.) and the Wallpaper setting if need be.
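As an added example (not code from this thread, from Quads, or from Norton), here is a PowerShell script that does the final copying step from Quads' post for you: it walks the %Temp%\smtmp\1..4 backup folders and copies each shortcut back to the location listed above for the running Windows version. It assumes the smtmp backups still exist, and the parameter names -SmtmpRoot and -AppData are my own; by default it uses the current account's %Temp% and %AppData%, so run it as the account that was logged in when the infection happened, or pass that account's paths explicitly. It copies rather than moves, and never overwrites a link that Unhide already restored, so nothing is lost if a mapping turns out to be wrong for a particular machine.

```powershell
# Added example, not from the thread: copy the shortcut backups that the FakeAV
# moved into %Temp%\smtmp\1..4 back to the locations Quads listed. Run it only
# AFTER Rkill and the Malwarebytes scan, from an administrator PowerShell.
param(
    # Assumption: the smtmp backups are still present under this folder.
    # Point this at the %Temp% of the account that was in use during the infection.
    [string]$SmtmpRoot = (Join-Path $env:TEMP 'smtmp'),
    # Assumption: the Quick Launch targets (folders 2 and 3) belong to this profile.
    [string]$AppData   = $env:APPDATA
)

# Vista and 7 report major version 6; XP reports 5.
$isXP = [Environment]::OSVersion.Version.Major -lt 6

# smtmp subfolder -> original location (the mapping from the post above).
if ($isXP) {
    $map = @{
        '1' = 'C:\Documents and Settings\All Users\Start Menu'
        '2' = Join-Path $AppData 'Microsoft\Internet Explorer\Quick Launch'
        '4' = 'C:\Documents and Settings\All Users\Desktop'
    }
} else {
    $map = @{
        '1' = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'
        '2' = Join-Path $AppData 'Microsoft\Internet Explorer\Quick Launch'
        '3' = Join-Path $AppData 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar'
        '4' = 'C:\Users\Public\Desktop'
    }
}

$restored = 0
$skipped  = 0
foreach ($key in ($map.Keys | Sort-Object)) {
    $src = Join-Path $SmtmpRoot $key
    $dst = $map[$key]
    if (-not (Test-Path -LiteralPath $src)) {
        Write-Host "No backup folder at $src, skipping."
        continue
    }
    # Walk every file under the backup folder (PowerShell 2.0 compatible: no -File switch).
    $files = Get-ChildItem -LiteralPath $src -Recurse | Where-Object { -not $_.PSIsContainer }
    foreach ($f in $files) {
        # Keep the relative path so Start Menu subfolders (e.g. Programs\Accessories) survive.
        $rel       = $f.FullName.Substring($src.Length).TrimStart('\')
        $target    = Join-Path $dst $rel
        $targetDir = Split-Path -Parent $target
        if (-not (Test-Path -LiteralPath $targetDir)) {
            New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
        }
        # Never overwrite: if Unhide already put a link back, leave that copy alone.
        if (Test-Path -LiteralPath $target) { $skipped++; continue }
        Copy-Item -LiteralPath $f.FullName -Destination $target
        $restored++
    }
}
Write-Host "Restored $restored link(s); left $skipped existing link(s) untouched."
Write-Host "Backups were copied, not moved, so $SmtmpRoot can still be compared before you delete it."
```

Because the backups live under the infected account's %Temp%, running this from an admin account without -SmtmpRoot will usually find nothing (which matches the experience above of Unhide working for one account but not the other); pass the other profile's temp folder, e.g. -SmtmpRoot 'C:\Users\<login name>\AppData\Local\Temp\smtmp', and the matching -AppData path for the Quick Launch folders.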