Please help - virus attack
Per Ardua ad Astraeus
Join Date: Mar 2000
Location: UK
Posts: 18,579
I will chuck in my oft-posted suggestion too that a boot-time AV scan is an excellent weapon in the armoury. Avast offers such. This scans your system BEFORE Windows activates (which is where a large number of viruses etc lurk). It finds those that 'hide' themselves in Windows.
Join Date: Nov 2000
Location: Cambridge, England, EU
Posts: 3,443
In particular any PC used by a child is likely to have a useful life measured in months if not weeks
The first time a child got a nasty I pulled their network connection until such time as I had time to clean up their PC. So, no internet for a week. I explained that each time this happened it would take me twice as long to get round to dealing with it. Some child downloaded and installed and ran a virus a second time. Two weeks with no internet.
That was sufficient to get them to believe me. That was several years ago now. There have been no problems since - none of them wants to live without the internet for a month.
Join Date: Oct 2009
Location: Greece
Age: 84
Posts: 63
I disagree with IO540's generalisation that the only way to effectively resolve issues is to reinstall a disk image. That is what professionals do because a) it is simple and b) they cannot spend the time doing otherwise.
What I find is that I spend far longer than a paid technician could reasonably charge for. I do not charge and I do it purely for the fun of it.
Besides. Some may install a rootkit which is virtually undetectable.
Boot time virus checks may help, but add to your boot time, encouraging you to not reboot at all (which negates the value of boot checks)
You can EASILY become infected behind a router or firewall if you access the net at all.
Comodo Antivirus/Firewall is very effective even though the false alarm 'training' is somewhat annoying initially.
Per Ardua ad Astraeus
Join Date: Mar 2000
Location: UK
Posts: 18,579
Originally Posted by tsc
Boot time virus checks may help, but add to your boot time, encouraging you to not reboot at all
Thread Starter
Join Date: Jul 2001
Location: UK
Posts: 162
Again, thanks for all your help.
M.Mouse, the instructions on your link look as if they'd certainly do the job, but unfortunately, I can't do anything at all on my computer, it seems to be completely disabled. If I try to run the add/delete programs, it won't let me, and an 'infected' message pops up.
The same happens if I try to right-click on the anti-virus icon that has been installed. I can't get on the internet at all, and programs such as Word, etc. will not run, just bringing the pop up message 'infected, buy and run our program to clean' (or words to that effect), up.
I'm going to try the boot in safe mode suggestion tonight, but am not sure whether it'll let me do that or not, I suppose it is determined by how soon after applying power to the computer does the virus activate.
I've encountered a few viruses in the past, but nothing that AVG couldn't get rid of, and certainly nothing as vicious as this one appears to be.
Controversial, moi?
For the others of us who have 'real lives' and 'other things to do', copying off the useful stuff and reinstalling/re-imaging/reformatting IS the best and most intelligent course of action.
G String
You will be able to boot into safe mode. The initial actions to remove malware can be a little difficult and slow because the malware itself often obstructs attempts to remove it and also blocks access to helpful internet sites if not all internet access.
Do you have access to another PC? If so one useful technique is to download the programs you need to a USB memory stick and run them from there. You sometimes have to rename the programs you wish to use to prevent the malware recognising the program you are trying to run.
Last edited by M.Mouse; 7th Nov 2010 at 13:28.
Tsamaya sentle
Join Date: Apr 2001
Location: Germany
Posts: 154
Agree with MMouse that whatever you do must be done methodically. Erratic deletion etc. will make matters worse. If internet connection is impossible you will have to revert to another computer to download whatever is needed.
Per Ardua ad Astraeus
Join Date: Mar 2000
Location: UK
Posts: 18,579
Originally Posted by MM
You will be able to boot into safe mode
Join Date: Jan 2003
Location: holland
Posts: 26
I had the same problem on a computer a few weeks ago. Rebooting in safe mode didn't help. Couldn't open Task Manager either (to kill the process). The virus acted as a popup blocker and blocked Task Manager.
What to do:
Press CTRL-ALT-DEL AND KEEP IT PRESSED !!!! This way Task Manager will open a few dozen Task Manager windows at the same time and the blocker can't keep up with this. So you will have your Task Manager again.
Then go to processes and look for a process with some random letters/numbers with the .EXE extension. For example hjapgkwagnz.exe or qkwcrrwagnz.exe. Killing this process gave me control over the internet explorer again.
Then I went on the net, downloaded and installed malwarebytes, ran a scan and the program was removed.
Hope this helps and good luck
Join Date: Jul 2001
Location: U.K.
Posts: 805
Although all of us here reckon that Malwarebytes is a good program for getting rid of nasties, my wife was complaining that she was getting fed up of windoze (XP) repeatedly crashing recently. It was only a few months ago that I rebuilt XP on her machine. A scan with Avast revealed nothing, Malwarebytes found nothing, so in desperation I tried good old windoze defender. It found a nasty trojan which it managed to remove. This was clearly well embedded as when windoze boots now it complains that it cannot find a certain .dll but still runs happily. Problem appears to be solved.
P.P.
Official PPRuNe Chaplain
Join Date: Apr 2001
Location: Witnesham, Suffolk
Age: 80
Posts: 3,498
PP: it may be that the .dll in question is a valid Windoze one that the trojan "modified", but that it provides a function that you don't use.
You may be able to download or acquire a valid (clean) copy of it and eliminate whatever isn't working.
Or not, of course.
Join Date: Jul 2001
Location: U.K.
Posts: 805
Thanks Keef - I was thinking along those lines as well, all I've got to do is to make a note of the file name and see if I can find it on my machine then I can copy it over. As you say, the file is probably involved in an unused function.
P.P.
I had an issue with a similar program called Personal Security a few months ago. I followed this process:
To start with I booted up and started Task Manager before the malware program started and stopped it running, then:
Personal Security manual removal:
Kill processes:
psecurity.exe
HELP:
how to kill malicious processes
Delete registry values:
HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
HKEY_LOCAL_MACHINE\SOFTWARE\5FFB10D58FFCF482208906E6A889FD56
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "PSecurity"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\post platform "WinTSI 01.12.2009"
HELP:
how to remove registry entries
Unregister DLLs:
win32extension.dll
HELP:
how to unregister malicious DLLs
Delete files:
psecurity.exe Uninstall.lnk win32extension.dll Computer Scan.lnk Help.lnk Personal Security.lnk Registration.lnk Settings.lnk Update.lnk
HELP:
how to remove harmful files
Delete directories:
C:\Program Files\PSecurity
C:\Program Files\Common Files\PSecurityUninstall
C:\Documents and Settings\All Users\Start Menu\PSecurity
Obviously the details will be different, but the above worked fine and I haven't had a problem since.
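An added example, not part of the original post: a read-only PowerShell audit that reports which of the leftovers listed above are still present after cleanup, and then lists every Run autostart entry for manual review, since the details differ between infections. The registry and directory paths are taken from the post; the helper name `Test-RegValue` is hypothetical, and the script deletes nothing.

```powershell
# Added example: read-only check for the artifacts named in the post.
# Test-RegValue is a hypothetical helper; all paths come from the post above.
function Test-RegValue($Path, $Name) {
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    return [bool]($p -and $p.PSObject.Properties[$Name])
}

$cv = 'Software\Microsoft\Windows\CurrentVersion'
$findings = @()

# Process the post says to kill (Get-Process takes the name without .exe)
if (Get-Process -Name 'psecurity' -ErrorAction SilentlyContinue) {
    $findings += 'Process running: psecurity.exe'
}

# Registry values: autostart entry and the User Agent marker
if (Test-RegValue "HKCU:\$cv\Run" 'PSecurity') {
    $findings += 'Run value present: PSecurity'
}
if (Test-RegValue "HKLM:\$cv\Internet Settings\5.0\User Agent\post platform" 'WinTSI 01.12.2009') {
    $findings += 'User Agent value present: WinTSI 01.12.2009'
}

# Registry keys and directories listed in the post
$paths = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\5FFB10D58FFCF482208906E6A889FD56',
    'C:\Program Files\PSecurity',
    'C:\Program Files\Common Files\PSecurityUninstall',
    'C:\Documents and Settings\All Users\Start Menu\PSecurity'
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Still present: $p" }
}

if ($findings.Count -eq 0) { 'No listed artifacts found.' } else { $findings }

# List every autostart entry so unfamiliar ones can be reviewed by hand.
# Provider bookkeeping properties are skipped by exact name, because a
# 'PS*' wildcard would also hide the PSecurity value itself.
$skip = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in "HKCU:\$cv\Run", "HKLM:\$cv\Run") {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $skip -notcontains $_.Name } |
            ForEach-Object { '{0}  {1} = {2}' -f $key, $_.Name, $_.Value }
    }
}
```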