ChiefsPlanet Mobile
Page 9 of 31
« First < 56789 1011121319 > Last »
Media Center>The Official Malware/Antivirus Thread - Need help or general advice? Read this first!
Bearcat 12:28 AM 08-18-2010
This thread provides information on malware removal, links to malware removal tools, and recommendations & links to anti-virus software. The intention of this thread is to provide quick and accurate support for malware-related issues and questions.

Many people here are willing to provide assistance if you're having computer problems, and this thread is not meant to discourage people from asking for help.... but, please read the information provided first, or else there's a good chance you'll be sent here, here, or here . We aren't Geek Squad, so while we won't grossly overcharge you for information and advice, we also aren't responsible for anything you do to your computer.

Also, feel free to make suggestions on the content of this post, and I'll try to keep it up to date.

Research


A lot of information can be found at this EliteKiller link, including...

Malware Removal

If you think your computer is infected, the EliteKiller link provides a thorough solution. Simply put...

Originally Posted by mikeyis4dcats.:
Step 1 go here http://www.elitekiller.com/malware.htm and read up

Step 2 download the Rogue Removal Kit http://www.elitekiller.com/files/rogueremoval.zip

Step 3 unzip the Kit, read the instruction file and run the tools in the order given.

Step 4 Thank me in about 3 hours for fixing your shit.

The Rogue Removal Kit is is a zipped file that includes malwarebytes, CCleaner (a registry cleaner that will also delete temporary files), Combofix, Hitman Pro, and HiJackThis (HiJackThis is optional, see below). The instructions guide you through running these tools in Safe Mode With Networking; then running malwarebytes and an online scanner in Normal Mode.

Some people don't recommend running Combofix unless you're fairly certain you need to use it, but I've never heard of people having major problems with it. Here's a list of symptoms to Vundo infections, which may help determine if you need to run Combofix. You can also look here to see instructions with screenshots on how to use Combofix.

Taken from the readme in the Rogue Removal Kit:

Quality Online Virus Scanners: (all scanners offer detection and removal)


F-Secure
NOD32
Bitdefender

Quality Free Anti-Virus Software:

Panda Cloud
Microsoft Security Essentials
Antivir
Avast!
AVG


My two cents on downloading anti-malware software...

Other Helpful Tips & Tools

Rkill will kill processes that may be preventing scanners from completely removing malware.

To get into Safe Mode With Networking, press F8 every couple of seconds while the computer is starting (before the Windows splash screen). If you see the Windows splash screen, you will need to try again. The safe thing to do is log into Windows, restart, and try pressing F8 several times before seeing the Windows splash screen. Alternatively, my advice that falls into the category of “what I'd do if it was my own computer, but wouldn't tell someone to do it if I worked in tech support” would be, if you didn't get into Safe Mode the first time and you're at the Windows splash screen, hold down the power button until the computer turns off. When you start the computer again, it should automatically ask you if you want to go into Safe Mode With Networking.

If you get a Blue Screen of Death after selecting Safe Mode With Networking, read the following posts on how to fix it:
http://blog.didierstevens.com/2006/06/22/save-safeboot/
http://blog.didierstevens.com/2006/0...ring-safeboot/
http://blog.didierstevens.com/2007/0...th-a-reg-file/


Still infected, or just want to make sure everything is okay?

HiJackThis is a tool that will create a log file that can be analyzed by geeks to see what is running on your computer. Install and run HiJackThis (preferably in Safe Mode With Networking), and select 'Do a system scan and save a log file'. You can then copy/paste the output to this thread, and with any luck, someone will stop by and let you know what you can delete. You can then checkmark the items in HiJackThis and click 'Fixed checked'.

If you don't get a quick response here or would rather do it yourself, you can also go to http://hijackthis.de/, which is an online analyzer for your HiJackThis log. Simply copy and paste the log into the text box and click the Analyze button. During my testing of the site, I found it wasn't perfect, especially when a proxy was setup (the visitor rating would be 'extremely nasty', but the site itself would say it was safe)... but, it's at least a good tool that can significantly shorten the time it takes to analyze the log, and it gives you an idea of which entries you can delete or at least Google/post here for further research.

You can also look at the responses to HiJackThis posts in this thread to get an idea of what is safe and what should be removed.


Windows Performance

A good starting point to knowing what processes and services are running on your computer is a HiJackThis log. There's also a lot of information that's only a Google search away.

To manage the process that start when Windows starts, use msconfig (Start button -> Run... -> msconfig -> Startup tab). This is a good resource on startup processes, and it includes a large database of startup processes with information on whether they're required to run Windows or if it's okay to uncheck them. You basically want processes that are in c:\Windows checked, and you can generally uncheck processes in c:\program files (but there are exceptions, like your antivirus), but do some research (Google, the provided links, this thread) if you're not sure. Adobe, Apple (including qttask, Boujour, AppleUpdater, etc), and any messenger program (unless you have it sign you in at startup) are always the first ones to get unchecked on my computer.

Services can be a little tougher to manage, because it's usually a much longer list, and it's not as simple as flipping them on or off. This is a great resource for managing Windows services (Start button -> Run... -> services.msc). Simply choose your version of Windows and then click on the Service Configuration link. It presents the default setup, a safe setup (what most people can use without any consequences), a tweaked setup for faster startup, and a bare bones setup for the super geek. There's also a Tweaks page for stuff like Adding/Removing programs and System Restore.
[Reply]
QuikSsurfer 02:21 PM 04-11-2011
run hijackthis and post your log here please

http://www.trendmicro.com/ftp/produc...HijackThis.exe
[Reply]
Bowser 02:28 PM 04-11-2011
Originally Posted by QuikSsurfer:
run hijackthis and post your log here please

http://www.trendmicro.com/ftp/produc...HijackThis.exe
Me? I will as soon as I answer the question it asked me about a file being in a windows folder, which I'm not sure if it is. That was what I was asking in the post - do I click yes, yes all, no, or just escape out of it? (And apologies for my lack of 'puter knowledge. It's kinda like trying to teach a kindergartner trigonometry sometimes with me)
[Reply]
Fish 02:38 PM 04-11-2011
Originally Posted by Bowser:
Ok, so my avast starts going apeshit with a malware warning. I open it up, delete it, restart, and get to a window where everything looks like it's from 1988, asking if I want to delete the problem. I click yes, and it goes nuts deleting stuff. Now, I am looking at a line that reads thusly -

File C:\windows\help\mui\0409\aclui.CHM>html\066cfb1-0e68-40bb-b889-6268f1308575.htm is infected by HTML:Script-inf
File is in windows folder, are you sure?
1-Yes, 2-Yes all, 3-No, Esc-Exit :

I have no idea where this shit is. I'm assuming I click yes all, but is that right? (And btw, the avast went apeshit on me as soon as I left ChiefsPlanet)
Sounds like you have malware that's spoofing Windows system messages, and you just clicked yes to it.

If you don't see anything on the message box that's branding it as from a legit source(Avast, Microsoft, etc.), then I'd cancel out of it and run Malwarebytes first thing.
[Reply]
thecoffeeguy 02:41 PM 04-11-2011
Originally Posted by Bowser:
Ok, so my avast starts going apeshit with a malware warning. I open it up, delete it, restart, and get to a window where everything looks like it's from 1988, asking if I want to delete the problem. I click yes, and it goes nuts deleting stuff. Now, I am looking at a line that reads thusly -

File C:\windows\help\mui\0409\aclui.CHM>html\066cfb1-0e68-40bb-b889-6268f1308575.htm is infected by HTML:Script-inf
File is in windows folder, are you sure?
1-Yes, 2-Yes all, 3-No, Esc-Exit :

I have no idea where this shit is. I'm assuming I click yes all, but is that right? (And btw, the avast went apeshit on me as soon as I left ChiefsPlanet)
Sounds like Fake Anti-virus warning. Shit load of it is going around as a result of Lizamoon

Download Microsoft Security Essentials (Yes Microsoft), update the definitions and run a full scan.

Security essentials is very very good at finding this nasty stuff believe it or not.
[Reply]
Bowser 02:43 PM 04-11-2011
Originally Posted by KC Fish:
Sounds like you have malware that's spoofing Windows system messages, and you just clicked yes to it.

If you don't see anything on the message box that's branding it as from a legit source(Avast, Microsoft, etc.), then I'd cancel out of it and run Malwarebytes first thing.
Awesome. Here's a line right on the screen that's right over the question -

File C:\users\owner\AppData\Local\Temp\nss778A.tmp\Setup.dll is infected by win32: PUP-gen [PUP]
Deleted

So, I am to escape out of this, dowload Malwarebytes, and run it as soon as possible, yes?
[Reply]
Bowser 02:45 PM 04-11-2011
Originally Posted by thecoffeeguy:
Sounds like Fake Anti-virus warning. Shit load of it is going around as a result of Lizamoon

Download Microsoft Security Essentials (Yes Microsoft), update the definitions and run a full scan.

Security essentials is very very good at finding this nasty stuff believe it or not.
Cool. I'll get that one, too.

Is it any coincidence that I downloaded IE 9 like two days ago that this shit is happening?
[Reply]
Fish 02:49 PM 04-11-2011
Originally Posted by Bowser:
Awesome. Here's a line right on the screen that's right over the question -

File C:\users\owner\AppData\Local\Temp\nss778A.tmp\Setup.dll is infected by win32: PUP-gen [PUP]
Deleted

So, I am to escape out of this, dowload Malwarebytes, and run it as soon as possible, yes?
Yes.
[Reply]
Fish 02:49 PM 04-11-2011
Originally Posted by Bowser:
Cool. I'll get that one, too.

Is it any coincidence that I downloaded IE 9 like two days ago that this shit is happening?
No.
[Reply]
QuikSsurfer 02:55 PM 04-11-2011
Originally Posted by Bowser:
Me? I will as soon as I answer the question it asked me about a file being in a windows folder, which I'm not sure if it is. That was what I was asking in the post - do I click yes, yes all, no, or just escape out of it? (And apologies for my lack of 'puter knowledge. It's kinda like trying to teach a kindergartner trigonometry sometimes with me)
It's a rogue (fake av). And you'd be better off running a updated ver of malwarebytes in safe mode.
[Reply]
Fish 03:03 PM 04-11-2011
I would like to reiterate what a great investment it is to purchase the full version of Malwarebytes Anti-Malware.

It's only $25, and that gives you a version of Malwarebytes that is always running, and scans each file you access in real-time exactly like your virus scanner does. This catches spyware and malware before it has a chance to infect anything. This program has completely eliminated monthly visits to fix my grandmother's computer. And I can't tell you how much of an accomplishment and endorsement for the product that is.

https://store.malwarebytes.org/342/p...am_page_button
[Reply]
Bowser 03:14 PM 04-11-2011
This is interesting. Everytime I go to try and get to MS's website, avast pops up with a malware warning....
[Reply]
Bowser 03:15 PM 04-11-2011
And I'm gonna take you up on your recommendation, Fish. Our desktop is relatively new, and I don't want it to get fried out.
[Reply]
Fish 03:27 PM 04-11-2011
If the malware has infected the machine, it may be screwing with your internet settings. Hence the malware warning when viewing the M$ site. I'd download Malwarebytes, then reboot into Safe Mode and run Malwarebytes from there. Then after you've run a complete scan in Safe Mode and hopefully removed the malware, I'd boot back up normally and run it again.

And you won't be disappointed with Malwarebytes Pro. It's worth every stinkin penny IMO....
[Reply]
Sure-Oz 03:28 PM 04-11-2011
My dads cpu is getting alot of avast shit too saying its blocked like js shit like 200 times...while malwarebytes was running it popped up 20 times.

running spybot, and malwarebytes in safe right now...going to dl microsoft sec. essentials next. Also spybot found and removed a browser hijacker registry on svchost or whatever.
[Reply]
Fish 03:38 PM 04-11-2011
Once you run Malwarebytes Pro a little while, you'll be shocked at the frequency of the attack attempts on your machine. It will pop up a little dialog box every time it blocks something harmful. Which you'll eventually have to turn the dialog box off, because it's popping up all the damn time and becomes annoying. But it serves as a good reminder of how much harmful shit is out there waiting to exploit something on your machine.
[Reply]
Page 9 of 31
« First < 56789 1011121319 > Last »
Up