Posted

Our "open to the general public" PC has become infected. It is a particularly nasty piece of malware, I think, which shows a message purporting to be from the police authorities. It is in Spanish and is under the heading of "Cuerpo Nacional de Police"... it claims to have detected "illegal" activity on the PC and instructs you to pay a fine to have the PC unblocked.

 

I've opened it in safe mode but need help from someone who knows how to deal with this problem. I've set up another PC by it so I can communicate via this one (although it is an old and slow steam-driven antique... amazingly it still works!)

 

Anyone out there able to kindly offer a step by step approach to try and sort this problem?

Posted

Hello and welcome...

 

Ahh yes, I've seen this one before, but only in the States.

 

Click here: Malware Removal, and follow the instructions. Please post the results and one of our Malware Experts will help you further.

 

JB.

I'm trying my best......................
Posted

The infected PC is switched on and is currently in safe mode but it won't allow me to do anything like try to connect to the internet. Is there a manual procedure that I can perhaps try to follow?

Martyboy

Posted

Hi martyboy and welcome to ExTS

 

This is one for the experts.

 

Starbuck or etavares should be online soon to advise.

J-B has left a message for them to take a look at your problem.

 

Please be patient - one of them will get to you soon.

 

================

 

but it won't allow me to do anything like try to connect to the internet

Did you select Safe Mode with Networking? This should give you internet access :)

 

The MBAM and OTL logs are usually the starting point if you can d/l the software and post the logs.

There is an email going around offering processed pork - gelatin - and salt in a can ......this is simply SPAM !!

 

MiniToolBox

Network Test

Wireless Test

Posted

Hey thanks so much. I selected safe mode with command prompt as I recall, but I can try again and opt for SM with networking. It would be great if I can access the internet that way. I'll advise how I get on.

 

Martyboy

Posted

Actually, I just noticed that the infected PC is "Windows Home Vista" and not XP Professional as I mentioned when I joined this evening. Definitely need to visit the optician real soon!

 

Other breaking news is that I bought a Norton 360 Version 5 bit of kit from a local store here in Spain yesterday and copied it onto what the Spanish call a pendrive. Just then, when I restarted the infected PC, the Norton Bootable Recovery Tool kicked in and as I type this message it is running a scan. It's already detected something listed as Trojan.Gen.2, which it lists as High risk. I don't know how long the scan will take, but I'll let it do its thing and keep my fingers crossed that it will identify the malware and allow me to zap it! I'll report back in due course.

Martyboy

  • ExTS Admin
Posted

Hi Marty,

 

Other breaking news is that I bought a Norton 360 Version 5 bit of kit from a local store here in Spain yesterday and copied it onto what the Spanish call a pendrive. Just then when I restarted the infected PC the Norton Bootable Recovery Tool kicked in and as I type this message it is running a scan.

Ok.

We could have done it without you having to buy any program..... but no harm done as long as it's working.

 

Let us know when you have internet access on the infected m/c and we'll proceed and make sure you are clean.

If you don't manage to get internet access.... no worries, we can work around that.

Member of:

UNITE

Posted

Hi Starbuck

 

Well, we've got 4 PCs in the house and as one m/c went on the blink I panicked, as I was not sure how up to date our security software was on all of them. I paid 19 euros for the Norton 360, which seemed pretty reasonable. The scan is still running and now it is showing 4 High Risks detected, 3 of which are listed as Trojans.

 

It's good to know that even if I can't access the internet, you should be able to find a way around that problem also. Not sure how much longer the scanning process will take.... currently showing 200,000 plus items scanned.

 

I'll keep you posted. It's great to think there are some good guys (and gals) out there to try to patch up the damage being done by the bad guys!

 

Martyboy

Posted

Well, it has finished the scan and showed 5 risks, 4 of which were shown as high. It claims to have resolved those 5 problems, but I can't be sure. When I restart the m/c it still isn't booting up as before. I've opened it in Safe Mode with Networking Support and it's showing the Norton Bootable Recovery Tool again... Maybe I should run the scan once more, but it just took more than an hour to do that! It's almost midnight local time here and as I've got an early start tomorrow, I'll hope to be back in touch tomorrow evening and, all being well, we'll get the m/c functioning as before.

 

Bye for now

Martyboy

Posted

I tried to explain earlier - our security guys don't need Norton or any other Antivirus software to help you.

You are only prolonging the procedure.

 

If you can get an internet connection then d/l the software that you were directed to and post the logs here.

Only then can they advise you how to clean up your machine.


  • ExTS Admin
Posted

Hi Marty,

 

If you are still having problems try this:

 

Download this program to another PC.

Save it to the Desktop (so you know where it is)

Then transfer it to the infected system by way of usb stick (pen drive) or disc.

 

Malwarebytes Anti-Malware

 

The link may take you to a mirror site for the download.... that's ok.

Just don't install anything other than MBAM from the mirror site.

 

Install this on the infected system.

If you have no internet access to this system at the moment, don't worry too much about updating it (although it may help).

 

Make sure the "Perform Full Scan" option is selected.

Then click on the Scan button.

  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

 

Plan 'B'

( if MBAM is installed but won't run because of the malware)

Try running MBAM Chameleon:

 

Click.....Start >> All Programs >> MalwareBytes Anti Malware >> Tools >> MalwareBytes Anti Malware Chameleon.

 

Just follow the instructions given on the page that opens.

 

http://img.photobucket.com/albums/v708/starbuck50/MBAMChameleon.png

 

If you get a report.... post it here so that i can see what we are dealing with.

 

Thanks


Posted

Finally I'm back!

 

Thanks Starbuck... I'll try what you suggest... I have two other m/cs switched on right by the one that's on the blink.

 

I'll keep you posted....

 

Martyboy

Posted

Hmmm... still unresponsive

 

Hi Starbuck,

 

Just a tad frustrating that the m/c isn't booting up as it should (and did perfectly well prior to becoming infected). It opened up "Norton Bootable Recovery Tool" like yesterday and, just for something to do, I opted to scan once more in case it can detect anything else suspect. I tried opening up in "Safe Mode networking" and even after entering the password, it just seems to die and fade to black!

 

I've managed to D/L the programme you suggested onto another PC and then onto a "stick" but can't seem to get it to activate on the compromised PC.

 

Looks like I may have to try again tomorrow!

Bfn,

Martyboy

  • ExTS Admin
Posted

Hi Marty,

 

I've managed to D/L the programme you suggested onto another PC and then onto a "stick" but can't seem to get it to activate on the compromised PC.

Make sure that you are in normal mode when trying to install MBAM.

Also make sure you are logged in to an Admin profile.

 

Let me know how it goes.

If you have problems, there are other things we can run.

All is not lost.


Posted

I've been away!

 

Hi Starbuck,

 

I've been away but am back now. Still got the same problem of the infected m/c not booting up properly. It allows me to enter my password but then just fades to a black screen with only the cursor visible. Any thoughts on how to overcome this glitch?

 

Martyboy

  • ExTS Admin
Posted

Hi Marty,

 

Ok, let's try and boot the system with a PE environment OS.

You will need to use another pc to download the required program.

 

Please print these instructions out so that you know what you are doing.

 

  • Download OTLPENet.exe to your desktop
  • Ensure that you have a blank CD in the drive
  • Double click OTLPEStd.exe and this will then open imgburn to burn the file to CD
  • Reboot your bad system using the boot CD you just created.

Note : If you do not know how to set your computer to boot from CD follow the steps here

  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
  • Your system should now display a Reatogo desktop.
  • Note : as you are running from CD it is not exactly speedy
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system.
  • Right click the file and select send to : select the USB drive.
  • Confirm that it has copied to the USB drive by selecting it
  • You can also backup any files that you wish from your OS.
  • Please post the contents of the C:\OTL.txt file in your reply.

 

Thanks


Posted

Hi Starbuck,

I don't seem to get "Advanced BIOS Features" showing up on the "CMOS Setup Utility". It shows "Standard CMOS Setup" at the top left of the screen and then everything else is listed exactly as shown on the screenshot graphic from the link you sent me under the title "How to set BIOS from CDROM". Not sure how best to proceed.

BTW, the system on the disabled m/c is Windows Vista Home Premium whereas initially I listed it as XP, but have now altered that on my forum entry. Don't know if that makes a difference with these instructions I'm trying to follow?

 

Perfectly happy to pick up tomorrow where we leave off today. Thanks for your patience!

Martyboy

 

I did manage to back up data on two DVDs when invited to do so by the Fujitsu Siemens Recovery option about 15 minutes ago, so hopefully that may come in handy at some stage?

  • ExTS Admin
Posted

Hi Marty,

 

Not sure how best to proceed.

Have you tried just running the disc?

Most systems nowadays seem to be set to boot from CD.

Just try it.

 

BTW, the system on the disabled m/c is Windows Vista Home Premium whereas initially I listed it as XP, but have now altered that on my forum entry. Don't know if that makes a difference with these instructions I'm trying to follow?

No it doesn't make any difference.

But thanks for pointing it out.


Posted

No joy with the disc

 

Hi Starbuck,

 

No joy with the disc at present. I can't even get it out of the m/c right now! It won't even open/shut when I press the button, as I thought I'd check it on another PC to see if all is okay with the d/loaded info. This could merely be a mechanical problem not associated with the malware, I suppose?

 

 

I have the Standard CMOS Setup showing nice and clearly, so am wondering if there is a step-by-step manual approach available to try and sort out the booting-up problem from there, or via any other of the options presented on the CMOS Setup Utility?

 

It sure is a tad frustrating. Sorry to be such a pain in the neck!! Any thoughts on finding a way around this particular challenge?

 

Martyboy

  • ExTS Admin
Posted
I can't even get it out of the m/c right now! It won't even open/shut when I press the button, as I thought I'd check it on another PC to see if all is okay with the d/loaded info. This could merely be a mechanical problem not associated with the malware, I suppose?

I can't see this being associated with any malware.

When you say you 'Can't get it out of the m/c' ..... do you mean that you have tried to run the disc?
