Weird happenings with my computer on Sunday.



ronnie63
06-06-2011, 08:06 PM
Greetings all you fantastic, knowledgeable computer folk. I have been directed here from another forum to talk to you about the issues I had on Sunday.

I have an old HP desktop computer running XP.

On Sunday morning, whilst trying to open a workshop manual for our diesel burner, I got a message on the screen that seemed to come from Microsoft. It then proceeded to do a quick scan and tell me I had 27 infections in my computer. I clicked on the "fix it" button which then took me to a screen to purchase the fix for all my problems. I decided I did not want to pay for this, so tried to get out of it. Computer would not let me do anything, except return to this screen for payment. I could not shut the system down either.
It told me my firewall was not operational and my computer was at severe risk.
Then I did a really silly thing and paid it. That fixed all the issues and the annoying screens went away, so did the 27 infections. (I have since cancelled the card I used)

I then asked about this on another forum which has computer people partaking. I was advised this was a virus and I should immediately run Malwarebytes, AntiSpy and CCleaner. I did all of those (took all afternoon). Both Malwarebytes and AntiSpy picked up infections and cleared them out.

But I am now told this might be a very deep seated bug and the fix I have attempted may not be good enough to rid my computer of it.

Any suggestions please??

In my defence, I am normally very, very careful about opening anything. The original screens all seemed legit from Microsoft but obviously weren't.

What do I need to do to totally get rid of this bug?

wainuitech
06-06-2011, 08:32 PM
Welcome to PF1 - :)

Some of the infections these days do seat in really deep.

Start by downloading Rkill (http://www.bleepingcomputer.com/download/anti-virus/rkill) - run it, that will kill any infection that may be running in the background (temporarily). "If" it locates anything, look at where it is, then manually go to that folder and delete the object.

Next download and run Hijackthis (http://free.antivirus.com/hijackthis/) - run and save a log file, then copy the complete log file and post it back here. Someone (usually Speedy) will look at it and advise.

What you can also do is download and run TDSSkiller (http://support.kaspersky.com/viruses/solutions?qid=208280684) - that looks for any root kits.

If you want to use a serious removal antimalware tool, they use Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) - IF you run it, let it do its thing, do not under any circumstances shut it down till it says so.
Just a warning though - on the rare occasion, Combofix can remove parts of the system and make the PC unbootable (rare). But it will locate and remove any infection that is on the PC.

ronnie63
06-06-2011, 09:55 PM
Thanks for that.

Not having much luck here. Tried to run Rkill, but could not get past avast! to open it. Kept asking me to open it in the avast! sandbox and the message kept coming up again and again and again etc etc etc.

Got sick of that so tried to run the Hijack this one. That went better until I hit the analyse this button. Told me I had no internet connection and went away.

Am a complete novice at these things so very disappointed I could not get the computer to do as I wanted it to.

Paul.Cov
06-06-2011, 10:15 PM
For future reference - when you get that bogus scan going on, and it won't let you close the window - go into your options and disable JavaScript. It'll then let you close your browser without further bulls##t.

mzee
06-06-2011, 10:19 PM
I have had this same 'bug' several times. The first time it happened it took over control, disabled MS Security, the Firewall and the Task Manager. As I keep an Acronis backup image I restored the system.

Now when it happens I immediately press the Stop button, holding it down for over 5 seconds, when the computer will shut off. If it doesn't, switch it off at the wall. (Laptop: remove charge plug, then battery.) Reboot and do a virus scan, then a crap clean. Do not open a browser until all the above has been done. Make sure that your browsers are set to display the Home page on opening. The alternative, which you don't want, is 'carry on from where you left off'.

mzee
06-06-2011, 10:22 PM
For future reference - when you get that bogus scan going on, and it won't let you close the window - go into your options and disable JavaScript. It'll then let you close your browser without further bulls##t.

In my case I had no control on anything outside the 'bug' window.

wainuitech
06-06-2011, 11:05 PM
Thanks for that.

Not having much luck here. Tried to run Rkill, but could not get past avast! to open it. Kept asking me to open it in the avast! sandbox and the message kept coming up again and again and again etc etc etc.

Got sick of that so tried to run the Hijack this one. That went better until I hit the analyse this button. Told me I had no internet connection and went away.

Am a complete novice at these things so very disappointed I could not get the computer to do as I wanted it to.

Everything you answered to indicates the PC could still be infected, especially if running in normal mode.

Restart the PC in safe mode with networking - to do this, restart, keep tapping F8, select Safe mode with networking using the arrow keys when the options appear, then press enter - you will be given two options to log in, your account and the administrator - use yours.

Generally these infections won't run fully in safe mode (some still do though) - Retry Rkill - this will hunt out any infection and disable it, till you reboot, hence why I said locate the file if it finds anything, and manually delete it.

Being XP the infections will be in one of two places: the 1st one's a hidden folder, C:\Documents and Settings\USERNAME\Local Settings\Temp, or it will be a hidden exe of a random name in C: (could be 3-5 files that are infected).

You will find when you run Rkill, the desktop will disappear for a moment, that's normal - You may have to disable avast as well, it's not that good anyway these days ;) there are better AVs about.


While in safe mode:

Two options I would do - 1. Run Spybot S&D (link in my sig) as well as super antispyware in full scan modes.
2. Combofix -- BUT as per the previous warning - it sometimes can cause problems - "if" it did, then you would have to know how to run a fix from the recovery console. (I run CF right away, I know how to recover if any problems) :nerd: Personally out of the countless times I have used Combofix over the years, only twice has it ever caused a problem afterwards.

Note: While Malwarebytes is OK, it still can miss a lot these days.

Just a footnote:

Some of the infections these days are hiding a lot of files on the PC, they make all your desktop icons and most of the system files go to hidden mode, and wipe out some system files. One easy way to check that is click on Start, look up the menu, All Programs -- if they are empty --- there's a bit of work to do to recover it.
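
A read-only way to carry out the manual check described in the post above, given here as an added example that is not part of the original thread or written by any of its posters: it lists files in the two named locations that begin with the `MZ` executable header, whatever their extension, and reports whether the Windows hidden attribute is set. The function names are made up for this sketch, and the hidden flag assumes Python 3.5 or later on Windows.

```python
import os
import stat

MZ_MAGIC = b"MZ"  # first two bytes of every DOS/Windows executable image


def is_executable_image(path):
    """True if the file starts with the MZ header, regardless of its name."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == MZ_MAGIC
    except OSError:  # locked, unreadable or vanished file
        return False


def is_hidden(path):
    """True if the Windows 'hidden' attribute is set on the file."""
    # st_file_attributes exists only on Windows with Python 3.5+;
    # on any other platform or version this reports False.
    try:
        attrs = getattr(os.stat(path), "st_file_attributes", 0)
    except OSError:
        return False
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def triage(directory, recurse=False):
    """Return a sorted list of (path, hidden) for executables found.

    Nothing is deleted or modified; the list is for a person to review.
    """
    hits = []
    for root, dirs, files in os.walk(directory):
        if not recurse:
            dirs[:] = []  # stay in the top-level directory only
        for name in files:
            path = os.path.join(root, name)
            if is_executable_image(path):
                hits.append((path, is_hidden(path)))
    return sorted(hits)


if __name__ == "__main__":
    # The two locations named in the post: the profile's Temp folder
    # (searched recursively) and the root of C: (top level only).
    profile = os.environ.get("USERPROFILE", r"C:\Documents and Settings\USERNAME")
    targets = ((os.path.join(profile, "Local Settings", "Temp"), True), ("C:\\", False))
    for directory, recurse in targets:
        for path, hidden in triage(directory, recurse):
            print("%s  %s" % ("HIDDEN " if hidden else "visible", path))
```

Legitimate installers also leave executables in Temp, so each hit is something to look up before deleting, not a verdict.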

Arnie
07-06-2011, 12:15 PM
Thanks for that.

Not having much luck here. Tried to run Rkill, but could not get past avast! to open it. Kept asking me to open it in the avast! sandbox and the message kept coming up again and again and again etc etc etc.

Got sick of that so tried to run the Hijack this one. That went better until I hit the analyse this button. Told me I had no internet connection and went away.

Am a complete novice at these things so very disappointed I could not get the computer to do as I wanted it to.

Welcome to this site Ronnie63, with Hijackthis do not select analyse but select all, copy and paste to this site, that should assist.

Cheers