Virus Help! [Archive] - Glock Talk



nathanours
10-11-2010, 16:06
So one of my computers running Windows 7 got infected by a trojan I think.

It keeps popping up some "Anti Spy Safeguard" thing that I never installed, and I can't get rid of it!

It won't let me have internet access, saying that it is "unsafe".

Any ideas for removing it?

ETA: this particular machine has AVG on it, and it still somehow got through

GenX
10-11-2010, 16:29
I thought Windows 7 had great security? I have always had good luck with Avast and Malwarebytes.

Goodspeed(TPF)
10-11-2010, 16:32
Download, install then update and finally run Malwarebytes anti malware from File Hippo. Works every time for me. http://www.filehippo.com/download_malwarebytes_anti_malware/

Keep us posted. -Goodspeed

IndyGunFreak
10-11-2010, 16:38
I thought Windows 7 had great security? I have always had good luck with Avast and Malwarebytes.

:wavey::rock::bowdown::poke:

Where you been, man? Haven't seen you around in a while...

IGF

GenX
10-11-2010, 16:55
:wavey::rock::bowdown::poke:

Where you been, man? Haven't seen you around in a while...

IGF

I don't post much. Rarely have anything useful to post. Plus work, house maintenance and family rearin' knocks me on my butt.

nathanours
10-11-2010, 17:21
So more info: it's called Trojan horse SHeur3.BFAY according to AVG, and AVG can't remove it... I'll give Malwarebytes a try now. AVG says that "the object is inaccessible" when it tries to remove/quarantine it.

Drjones
10-11-2010, 17:36
First, back up all of your stuff.

If it's difficult to do because of the virus, boot into safe mode; shut off your computer, then turn back on and keep hitting the "F8" button until you get the prompt to boot into safe mode.

Next, if Malwarebytes doesn't remove it, just reinstall Windows. You will spend far, far less time that way and your computer will run better than it was before anyway.

Linux3
10-11-2010, 18:36
First, back up all of your stuff.

Yes but....
If he backs up all his stuff most likely that 'stuff' is infected too.

I manage a few email lists for some clubs in the area and we are having major outbreaks that are just going round and round.

My suggestion is wipe and re-install saving NOTHING. And then meditate on why you are using such an insecure O.S.

GIockGuy24
10-11-2010, 20:18
SuperAntiSpyware is supposed to take care of that one. There is a portable version and an installable version of SAS.

Portable version. You can put it on a CD or USB drive with another computer if the installable version won't install.

http://www.superantispyware.com/portablescanner.html

installable version

http://www.superantispyware.com/download.html

http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

Avira Antivir Rescue CD is a very good tool. Make a CD with it and boot the computer with the CD. It's a large download.

Make CD with Windows

http://www.avira.com/en/support-download-avira-antivir-rescue-system

or write CD iso directly.

http://www.avira.com/en/support-download-avira-antivir-rescue-system

Also install and run Malwarebytes.

http://www.filehippo.com/download_malwarebytes_anti_malware/

Goodspeed(TPF)
10-11-2010, 22:55
So more info: it's called Trojan horse SHeur3.BFAY according to AVG, and AVG can't remove it... I'll give Malwarebytes a try now. AVG says that "the object is inaccessible" when it tries to remove/quarantine it.

I used to run AVG on most of my PCs (I have over 30) now I run Avast. It can happen to the best of them. Malwarebytes should take care of that issue for you. I still have AVG on a couple PCs and honestly there really is not much difference in overhead between the two programs. Keep us posted. -Goodspeed

Pierre!
10-12-2010, 07:11
Never Ever waste your time scanning if you are not in SAFE MODE. It is no use.

Get into SAFE MODE with Networking. Update your signature files. Scan with AVG, then with Malwarebytes.

If you have a rootkit, you will have to use something like Darik's Boot N Nuke on it, then reinstall.

Data typically does not get infected. Back it up even if it is infected. You can scan the drive from another hard drive when the virus hasn't loaded.

Don't listen to everything the Linux Fan Boys say...:cool:

In the future, keep your UAC on High. It isn't that tough to work with, about the same as working with Linux. :rofl:

Drjones
10-12-2010, 09:42
Yes but....
If he backs up all his stuff most likely that 'stuff' is infected too.

I manage a few email lists for some clubs in the area and we are having major outbreaks that are just going round and round.

My suggestion is wipe and re-install saving NOTHING. And then meditate on why you are using such an insecure O.S.


Wow. I really hope you never provide tech support to anyone. You won't be in business long telling people they have to completely delete everything on their computer and start from scratch.

IndyGunFreak
10-12-2010, 09:47
While I'm a fan of nuking an infected OS (is it ever actually gone?)... saving individual files should be safe (music, pics, docs, etc.).

Sgt. Schultz
10-12-2010, 10:02
Yes but....
If he backs up all his stuff most likely that 'stuff' is infected too.

I manage a few email lists for some clubs in the area and we are having major outbreaks that are just going round and round.

My suggestion is wipe and re-install saving NOTHING. And then meditate on why you are using such an insecure O.S.

I agree with Drjones and IGF, that has to be the worst advice I've seen posted in a while!

OP, you can safely move all of your data, music, pictures, e-mail, etc. to an external drive or flash drive and then scan it on a clean machine before moving it back to your clean reinstall.

nathanours
10-12-2010, 14:32
So I have been running Malwarebytes, and every time I re-run it, it finds an average of 15 more infected files to delete.

I don't get it. How do they keep coming back? The definitions are up to date, and I'm running full scans (not the smart scan) and I've done it maybe 8 times now.

The first two times it caught like 75-80 things and now it's settled down to like 15-ish each time.

Does the virus (trojan or whatever) keep reinstalling itself?

And I've got Ubuntu on my other machine, I just need one with Windows for some of my college issued software for classes. Running a secure os on this system isn't really an option.

Also, it used to be a vista machine, but we got a free 7 upgrade from the college (from a download link). How would I reinstall Windows without the disc?

IndyGunFreak
10-12-2010, 14:40
So I have been running Malwarebytes, and every time I re-run it, it finds an average of 15 more infected files to delete.

I don't get it. How do they keep coming back? The definitions are up to date, and I'm running full scans (not the smart scan) and I've done it maybe 8 times now.

The first two times it caught like 75-80 things and now it's settled down to like 15-ish each time.

Does the virus (trojan or whatever) keep reinstalling itself?

And I've got Ubuntu on my other machine, I just need one with Windows for some of my college issued software for classes. Running a secure os on this system isn't really an option.

Also, it used to be a vista machine, but we got a free 7 upgrade from the college (from a download link). How would I reinstall Windows without the disc?

Update Definitions
Boot safe mode w/o Networking
Run scans again

IGF

RMD
10-12-2010, 14:47
So one of my computers running Windows 7 got infected by a trojan I think.

It keeps popping up some "Anti Spy Safeguard" thing that i never installed, and I can't get rid of it!

It wont let me have internet access saying that it is "unsafe"

Any ideas for removing it?

ETA: this particular machine has AVG on it, and it still somehow got through

If Malwarebytes doesn't get rid of it, try safe mode and look for an executable in one of the Application Data/Local Data folders. On the system I cleaned last week, it was named "hotfix.exe".

Also check the registry - software/microsoft/windows nt/current version/winlogon... some stuff hiding there as well.

And be sure to check the hosts file.

Was very nasty.

GIockGuy24
10-12-2010, 14:59
So I have been running Malwarebytes, and every time I re-run it, it finds an average of 15 more infected files to delete.

I don't get it. How do they keep coming back? The definitions are up to date, and I'm running full scans (not the smart scan) and I've done it maybe 8 times now.

The first two times it caught like 75-80 things and now it's settled down to like 15-ish each time.

Does the virus (trojan or whatever) keep reinstalling itself?

And I've got Ubuntu on my other machine, I just need one with Windows for some of my college issued software for classes. Running a secure os on this system isn't really an option.

Also, it used to be a vista machine, but we got a free 7 upgrade from the college (from a download link). How would I reinstall Windows without the disc?

SuperAntiSpyware may do better than Malwarebytes. Try it and then make the Avira rescue CD and boot the computer with it, that way nothing in Windows is running at the time of the scan.

Some people claim success with IObit Security 360, which is from a questionable Chinese company. It's easy enough to uninstall after using it for those that don't like the company.

http://majorgeeks.com/IObit_Security_360_d6088.html

Sgt. Schultz
10-12-2010, 15:16
Boot to safe mode with networking and update Malwarebytes, SuperAntiSpyware and any other tool you are using to clean the system. Now clean out all temp folders, do a disk cleanup, run CCleaner, etc... turn off System Restore and delete all restore points (if this does work you won't need them anyway), and then reboot to safe mode w/o networking and run the utilities.


nathanours
10-12-2010, 15:22
Thanks, I'll try the safe mode thing. I tried SuperAntiSpyware, and it didn't even find anything. How do you turn off System Restore in Windows 7?

Also I've got CCleaner, will that clean out all temp folders and do a disk cleanup, or is there more I should do?

I killed the process hotfix.exe at some point, so it's definitely the same thing.

What should I look for in the registry under "software/microsoft/windows nt/current version/winlogon..." ? Should I just google everything I see in there to see if it's harmful and if so delete it?

And how do I check the hosts file exactly?

GIockGuy24
10-12-2010, 16:53
The Avira CD scans the computer without running Windows, which is similar to or better than safe mode. The download is large. The first download I listed, when double-clicked, automatically writes the CD in Windows. You need a blank CD-R (not CD-RW) and make sure the computer is set to boot from CD. The CD has an update option; if you are hard-wired to a router it can update. The CD download itself is updated often, so a same-day download shouldn't require updating.

Sgt. Schultz
10-12-2010, 17:15
To turn off System Restore in 7, go to Start - Run and type "SystemPropertiesProtection.exe" minus the quotes, then press Enter. Also, for a shortcut to your temp folder, type %temp% in the Start - Search Programs and Files dialog box and press Enter.

nathanours
10-12-2010, 17:46
Thanks for the help guys, you've been awesome. I'll give all this stuff a try when I get home and let you know how it goes.

Goodspeed(TPF)
10-14-2010, 03:09
Glad to hear that you are making progress. :wavey:

RMD
10-14-2010, 07:52
Thanks, I'll try the safe mode thing. I tried SuperAntiSpyware, and it didn't even find anything. How do you turn off System Restore in Windows 7?

Also I've got CCleaner, will that clean out all temp folders and do a disk cleanup, or is there more I should do?

I killed the process hotfix.exe at some point, so it's definitely the same thing.

What should I look for in the registry under "software/microsoft/windows nt/current version/winlogon..." ? Should I just google everything I see in there to see if it's harmful and if so delete it?

And how do I check the hosts file exactly?

Look for any reference to "hotfix.exe" in the Winlogon branch. On the system I cleaned, the malware was trying to cloak itself as Microsoft Security Essentials, so if your system doesn't use that product, any reference to it is most likely malware.

If Task Manager has been disabled, use a third-party process killer (like KillProcess (http://orangelampsoftware.com/products_killprocess.php)) to stop hotfix.exe. I had to boot to Safe Mode for it to work.

The hosts file should be very minimal (http://support.microsoft.com/kb/972034). Maybe just one entry.

The infection I saw had entries for every frakkin' website known to man and redirected them all to the malware home.
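The two checks RMD describes in this post and in the earlier one (look through the Winlogon key for a reference to hotfix.exe or a value that no longer points at the stock Windows binaries, and compare the hosts file against the near-empty default from KB972034) can be scripted so you don't have to eyeball a hosts file with hundreds of redirect lines. The following is an added example, not code from the thread or from any of the tools named in it. It runs offline against constructed sample input: the .reg text is what `reg export` of the Winlogon key would look like on an infected box, with "hotfix.exe" taken from the thread and the user path and the 10.0.0.99 redirect target invented for illustration. The expected Shell and Userinit values are the Windows 7 defaults.

```python
"""Triage the two persistence spots named in the thread: the Winlogon registry
key and the hosts file. Added example; sample inputs below are constructed."""
import ipaddress
import re

LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}

# Windows 7 defaults for the two Winlogon values malware most often hijacks.
# Shell is a bare "explorer.exe"; Userinit is the system32 path with a trailing comma.
WINLOGON_EXPECTED = {
    "Shell": re.compile(r"^explorer\.exe$", re.I),
    "Userinit": re.compile(r"^c:\\windows\\system32\\userinit\.exe,?$", re.I),
}


def parse_hosts(text):
    """Return (ip, hostname) pairs for every active mapping; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; hosts ignores such lines too
        for host in parts[1:]:
            entries.append((ip, host.lower()))
    return entries


def suspicious_hosts_entries(text):
    """Group every non-localhost mapping by destination IP.

    KB972034 says the Windows 7 hosts file needs no active entries at all, so
    anything beyond "127.0.0.1 localhost" / "::1 localhost" deserves a look.
    Grouping by IP makes a mass redirect show up as one address owning many names.
    """
    by_ip = {}
    for ip, host in parse_hosts(text):
        if ip in LOOPBACK and host == "localhost":
            continue
        by_ip.setdefault(str(ip), []).append(host)
    return by_ip


def parse_reg_values(reg_text):
    """Pull "name"="value" string entries out of a .reg dump of one key.

    .reg files double every backslash, so undo that to get the real path.
    """
    values = {}
    for line in reg_text.splitlines():
        m = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if m:
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def winlogon_findings(reg_text, iocs=("hotfix.exe",)):
    """Flag Winlogon values that differ from the defaults or mention a known IOC."""
    findings = []
    values = parse_reg_values(reg_text)
    for name, pattern in WINLOGON_EXPECTED.items():
        val = values.get(name, "")
        if not pattern.match(val):
            findings.append((name, val))
    for name, val in values.items():
        if any(ioc in val.lower() for ioc in iocs) and (name, val) not in findings:
            findings.append((name, val))
    return findings


# Constructed sample input resembling the infection described in the thread.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost
127.0.0.1 localhost
10.0.0.99 www.google.com google.com   # constructed: mass redirect to one address
10.0.0.99 www.bing.com
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\user\\AppData\\Local\\hotfix.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"LegalNoticeText"=""
"""

if __name__ == "__main__":
    for ip, names in suspicious_hosts_entries(SAMPLE_HOSTS).items():
        print(f"hosts: {len(names)} name(s) -> {ip}: {', '.join(names)}")
    for name, val in winlogon_findings(SAMPLE_REG):
        print(f"winlogon: {name} = {val!r}")
```

On a real machine you would feed it `C:\Windows\System32\drivers\etc\hosts` and the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`, ideally taken from Safe Mode or with the disk mounted under a rescue CD so the malware is not running while you read them. The Shell/Userinit defaults cover the common hijacks; a value that merely appends a second executable after explorer.exe still fails the exact match and gets reported.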

nathanours
10-14-2010, 17:17
Well, I ran Malwarebytes in safe mode with a full scan and it caught nothing. Then I scanned again and it caught a trojan downloader when it wasn't in safe mode. When I check the processes I do not see hotfix.exe anymore.

I am not seeing hotfix.exe in any of the winlogon branches either.

Could it be that the virus it caught was just added a day ago to the definitions and that's why it got caught now, or do you guys think its reinstalling itself over and over again?

If it keeps catching stuff, I'm gonna go out and buy some burnable discs and try the Avira thing.

ETA: oh, I just found like 40 DVD-Rs I had laying around, can I use one of those instead of a CD-R to put Avira on? I know it's overkill as far as space goes, but I don't have any CD-Rs at the moment.

GIockGuy24
10-14-2010, 18:00
Well, I ran Malwarebytes in safe mode with a full scan and it caught nothing. Then I scanned again and it caught a trojan downloader when it wasn't in safe mode. When I check the processes I do not see hotfix.exe anymore.

I am not seeing hotfix.exe in any of the winlogon branches either.

Could it be that the virus it caught was just added a day ago to the definitions and that's why it got caught now, or do you guys think its reinstalling itself over and over again?

If it keeps catching stuff, I'm gonna go out and buy some burnable discs and try the Avira thing.

ETA: oh, I just found like 40 DVD-Rs I had laying around, can I use one of those instead of a CD-R to put Avira on? I know it's overkill as far as space goes, but I don't have any CD-Rs at the moment.

Yes, you can use a DVD-R in place of a CD-R. The first download is in a Windows program format that automatically writes the disc. The second download is the plain disc image. Either one should work. For the second one you need to know how to burn an ISO image. For the first one you just double-click after inserting a blank disc.

Sgt. Schultz
10-14-2010, 18:06
You could chase this virus around for days ... use the DVD blanks to backup your data and then do a clean install ...

srhoades
10-14-2010, 21:12
Use ComboFix in safe mode.

Linux3
10-14-2010, 22:54
Wow. I really hope you never provide tech support to anyone. You won't be in business long telling people they have to completely delete everything on their computer and start from scratch.
I work for a major American company as a Senior Network Admin, and yes, it is company policy to do this. We are having a storm of virus and trojan problems and all of us in IT are sick of the issue.
Even Microsoft suggests that we wipe and re-install every 11 months:
http://www.microsoft.com/athome/organization/personalfiles.aspx
http://social.answers.microsoft.com/Forums/en-US/officeinstall/thread/9a22bcaa-18a0-400e-a4a9-b9531221fd79

RMD
10-15-2010, 05:43
Well, I ran Malwarebytes in safe mode with a full scan and it caught nothing. Then I scanned again and it caught a trojan downloader when it wasn't in safe mode. When I check the processes I do not see hotfix.exe anymore.

I am not seeing hotfix.exe in any of the winlogon branches either.

Could it be that the virus it caught was just added a day ago to the definitions and that's why it got caught now, or do you guys think its reinstalling itself over and over again?

If it keeps catching stuff, I'm gonna go out and buy some burnable discs and try the Avira thing.

ETA: oh, I just found like 40 DVD-Rs I had laying around, can I use one of those instead of a CD-R to put Avira on? I know it's overkill as far as space goes, but I don't have any CD-Rs at the moment.

Check out the instructions here (http://www.bleepingcomputer.com/virus-removal/remove-antispyware-soft), too.

If nothing seems to work, think about doing what others have suggested - back up your data and reload the OS.

And if you don't need Windows, you could always go Mint (http://linuxmint.com/) :)