Erie_Laker


Unknown spyware - unable to browse, or run programs!

I run XP on one of my computers. As a webmaster, I frequently check my work in different browsers, and I had IE 8 installed on that machine. While I was still in IE, I also visited my bank website, and a few other sites that I go to frequently. I had never had problems with these few sites. However, it seems that this time something happened; I picked up some sort of virus or spyware; it's hard to tell what.

On the next reboot, I went back to IE and wanted to go to Google, but instead, there was a warning that my computer was infected with a virus, and that I need to install a program to remove it. I didn't click to install it; I just closed the browser. I thought, ok, I was going to run Adaware and see if it could fix it. However, instead of opening the application, there was a javascript-like alert telling me that the Adaware application is infected by the virus, and asked me yes or no if I wanted to install an application that would remove it. Of course, I hit NO to prevent further damage to my system. But after that, every 15 - 20 seconds, a similar alert would pop up on the screen telling me that the system is infected by the virus and asking me to download a cleaner app. In these short intervals when the alert was not on, I tried to go to msconfig and see what is running on startup, but as soon as that would open, it would close, and another alert was there saying that msconfig was infected by the virus and... so on. The same thing with the Task Manager.

Even worse, every few minutes IE opens up by itself and serves me porn ads and sites.

I don't know what to do; I don't even know what I am dealing with. Is there any way to find out?

Thanks.
Giuseppe Pizzuto

Rename the Task Manager (taskmgr.exe) application and run it from a command prompt.
Hope this helps, but I needed to format the PC :-(
The best thing to do is to go back to an earlier restore point from when you were certain that your computer was running normally.

Start > help and support > system restore (on the right)

I hope that your System Restore was turned on (default).

You can check it:

Start > right-click My Computer > Properties > System Restore

and pick a date from when it was working normally. Windows will create system restore points in most cases when you're installing new software or updates.

Good luck

Afterwards you can scan your computer with a virus scanner of choice to remove all nasty files.
Boot your computer in safe mode with networking and download the Malwarebytes AntiMalware and update it before running a full system scan:

http://www.malwarebytes.org/mbam-download.php

Once that is done, boot into normal mode, and from there you could also try HitManPro.

32bit
http://dl.surfright.nl/HitmanPro35.exe

64bit
http://dl.surfright.nl/HitmanPro35_x64.exe

At last, download Combofix:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Tutorial on how to use combofix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the Combofix logs here for further analysis.

I hope that helps.

Sudeep
Erie_Laker

ASKER

Sudeep

I cannot get into msconfig; is there another way to go to safe mode with networking?

Thanks.
You've gotten some good advice here.  If you can't go back to a previous date using system restore (

To go back:
1. Reboot your computer.
2. While the computer is booting, hold down the F5 key to go into safe mode.
3. Once you log in, it will ask if you want to continue to safe mode or not; say NO.
4. This will bring you to the System Restore screen.
5. Follow the instructions to restore your system to an earlier date (a couple of days before you started having problems).
6. If this works, you are fixed.
7. If it didn't work, try going to an earlier time.

If you eventually get this to work, reboot Windows normally. Then follow the instructions in the following article on deleting your system restore points and creating a new one (just in case they have been infected as well).

https://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/A_2209-Removing-protected-System-Restore-files-if-they-have-been-infected.html
And I can't run cmd either.
You need to rename the programs you want to use (such as regedit, cmd, taskmgr, msconfig, ...).
The malware is "smart"...
Run Exehelper first and then try other programs:
http://raktor.net/exeHelper/exeHelper.com
@ tzucker:

System restore is turned off, and I am 100% sure I've never done it. I will have to try some other solutions proposed here. Thanks.
Additional info from my comment above.

If taskmgr.exe works after it was renamed, the malicious program is allowing iexplore.exe to run but not other .exe and .com programs. You may need to then rename an antispyware program to iexplore.exe to allow it to run and to identify and remove the malicious files.

If successful in removing the malware, you may still need to then open Internet Explorer, and change the LAN Connections settings to remove the proxy server that was set by the malware before you removed it.
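
The proxy cleanup described in the last comment can also be checked from a command prompt once the malware has been removed. The batch script below is an added example, not part of any poster's comment; it assumes the standard per-user Internet Explorer proxy values under HKCU, and the backup file name is hypothetical.

```batch
@echo off
rem Added example: inspect and clear a per-user IE proxy left behind by malware.
rem Assumes the standard per-user Internet Settings key; run as the affected user.
setlocal
set "KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
rem Hypothetical backup location, randomised so an older backup is not overwritten.
set "BACKUP=%TEMP%\inet-settings-%RANDOM%.reg"

echo Current proxy-related values:
for %%V in (ProxyEnable ProxyServer ProxyOverride AutoConfigURL) do (
    reg query "%KEY%" /v %%V 2>nul | find "%%V"
)

rem ProxyEnable is a REG_DWORD; reg.exe prints it as 0x0 or 0x1 in the third column.
set "ENABLED="
for /f "tokens=3" %%A in ('reg query "%KEY%" /v ProxyEnable 2^>nul ^| find "ProxyEnable"') do set "ENABLED=%%A"

if /i not "%ENABLED%"=="0x1" (
    echo No manual proxy is enabled for this user.
    goto :eof
)

echo.
echo A manual proxy is enabled. If you did not configure it, it should be removed.
set /p ANSWER=Disable the proxy and delete the ProxyServer value? (y/n) 
if /i not "%ANSWER%"=="y" goto :eof

rem Keep a copy of the key first so the previous settings can be restored.
reg export "%KEY%" "%BACKUP%" >nul
if errorlevel 1 (
    echo Backup failed, nothing was changed.
    goto :eof
)

reg add "%KEY%" /v ProxyEnable /t REG_DWORD /d 0 /f >nul
reg delete "%KEY%" /v ProxyServer /f >nul 2>&1

echo Proxy disabled. Previous settings saved to %BACKUP%
echo Restart Internet Explorer for the change to take effect.
```

If an unexpected AutoConfigURL value is listed, review it in the same LAN settings dialog; the script only displays it and does not change it.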