Please help: virus has taken over my computer.

[Jaypaul97]

Hi. My PC has a virus that will not let me run a windows defender scan, go to any antivirus sites, and is screwing up the Microsoft Safety Scanner.

What can I do?

 

[marsmimar]

Have you tried Windows Defender Offline? Create a bootable disk on a machine that is not infected. The machine used to create the disk must be the same "bit-ness" as the infected machine. In other words, if the infected machine is running a 64-bit version of Windows 7, the uninfected machine must also be 64-bit.

http://www.sevenforums.com/tutorials/166445-windows-defender-offline.html

 

[bobkn]

I'm not sure which of these to recommend, but a bootable antivirus CD or DVD may help.

The Best Free Bootable Antivirus Rescue CDs

Malwarebytes also has a utility, Chameleon, which is supposed to permit the anti-malware application to install and run on an infected system.

Use Malwarebytes Chameleon to install Malwarebytes Anti-Malware on an already infected system : Malwarebytes Support

Ultimately, you may want to reformat the drive(s) and re-install Windows. I hope that you've got backups. (obviously you don't have an OS image, or you'd have used it already.)

 

[VistaKing]

Download Farbar Recovery Scan Tool from below on a non infected PC
For 32-bit (x86) systems
Download


Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems
Download


Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

:ar: To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an click Next.

:ar: To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

:ar: On the System Recovery Options menu you will get the following options:

Startup Repair

System Restore

Windows Complete PC Restore

Windows Memory Diagnostic Tool

Command Prompt

Select Command Prompt

In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

   Note

Replace letter e with the drive letter of your flash drive.

   Tip

Type the commands below to see what your letter is for the USB drive and press ENTER after each command

Diskpart
List volume

The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
services.exe
Now press the Search button
When the search is complete, search.txt will also be written to your USB
Type exit and reboot the computer normally
Please copy and paste both logs in your reply.(FRST.txt and Search.txt)

 

[cottonball]

Jaypaul97,

...virus that will not let me...go to any antivirus sites...

That is a tough one.

As a starting point, let's see if we can get to the root of the problem with this short scan.
From its results, we can press on to additional actions.

Please download RogueKiller:
Tlcharger RogueKiller (Site Officiel)

When you get to the website, go to where it says:
(Download link) Lien de téléchargement

Select the version that applies to your system: x64.
Click the dark-blue button that applies.
Save to the Desktop

Close all windows and browsers

Right-click RogueKiller and select: Run as Administrator
Press: SCAN

When done, a report opens on the Desktop: RKreport.txt

Please provide the RKreport.txt (Mode: Scan) in your reply.
(Please do not delete anything!)

Note:
If the program is blocked by the virus, try it a few times, and if it is still blocked, rename it to RK.com

 

[Jaypaul97]

Hey, thanks for all the responses, I'm going to have to try some of the earlier ones but in the meantime this has happened: I downloaded "Rkill", ran it once, then installed AVG, ran it again and this time it said no problems found. So now I have this AVG telling me C\windows\system32\services.exe is malware. It's telling me to manually remove it...should I do this?

For the other solutions I'd have to find another 64bit PC, my laptop is 32bit :s

 

[cottonball]

No problems with RogueKiller, it has a 32-bit version. You can pick the 32-bit version or the 64-bit.

The program is a fast scanner, and targets malware and other problems.

Give it a whirl!

 

[Jaypaul97]

Rogue killer didn't get rid of the services.exe but AVG is telling me that it's a virus. Should I just delete it? AVG says I have to manually remove it

 

[BugMeister]

can u confirm that u have installed and run Windows Defender Offline.. (?)

remember to pull the plug on the wifi - before u reboot from the CD/DVD/Stick
- it should be run direct from boot-up and in offline mode..

the scan will take quite a while to complete - it's very thorough..

 

[shawn77]

Hi Jaypaul,

You need to post the roguekiller log.

You cannot delete services.exe.If you change the permission and delete it,system would become unbootable on next reboot.You need to replace it with a clean copy.

 

[cottonball]

Jaypaul97,

Like shawn77 says, and per instructions in the RogueKiller post (# 5), we do need for you to post the RKreport.txt (Mode: Scan) to proceed.

Also, do you have the Repair your computer option in the Advanced Boot Options menu?

To find out:


Restart the computer.

• As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
• Is the Repair your computer option listed?

If you do not have the option above, do you have your Windows installation CD/DVD available?

Just to confirm, the infected computer, is it 32-bit, or 64-bit?

 

[rhuds13]

You may want to read the following: AVG anti-virus software mistakes Windows system file for a trojan - Wilders Security Forums
Maybe you could try another AV and see if there is still a problem. Hope this helps.

 

[Jaypaul97]

Hi Jaypaul,

You need to post the roguekiller log.

You cannot delete services.exe.If you change the permission and delete it,system would become unbootable on next reboot.You need to replace it with a clean copy.

Yes, I used the CMD to repair it, and as of now AVG says there are no problems. I could still give Windows Defender offline a go just in case AVG missed something I suppose

 

[cottonball]

Jaypaul97,

Thank you for the information on your last post.

However, please understand that I cannot help you when operating in the blind.

If you would like further help from me, please provide the RKreport (Mode Scan), and the RKreport (Mode Delete). You can XXX out your name on the reports, that is fine.

There is more to the process of removing the infection from your computer than what meets the eye, and the goal is to make sure it is all gone. A RootKit could also be involved.

As rhuds13 has pointed out, relying on AVG to determine if everything is OK is not in your best interest. Neither is relying on programs which are not specifically catered to point out this malware.

Regards...

 

[shawn77]

We are confused why you want to create a topic here and fix things on your own.We could have fixed the infection and services in matter of minutes if you were able to post logs.

rhuds13

You are wrong.You should read about zero access rootkit and what files it infects.

 

[rhuds13]

When I posted there was no previous remarks that the OP had a ZeroAccess Rootkit. I believe that if only AVG found something and the OP had not stated having tried other types of scans or offered help, then using another software may not be a bad idea. I did in fact read: ZeroAccess – From Rootkit to Nasty Infection |
I could have offered more on my post but others had already done so. Sorry about that.

 

[cottonball]

No need for apologies, rhuds13.

The bottom line is that, if there is a RootKit hiding in that system that normal scans can't find, who knows when that ship is going to need some heavy steering to come out of the storm!

 

[rhuds13]

Very true. That's why I always make a system image on external drive or disc of any system I work on after initial install and updates. If on disc then place in disc inside case. That way if they come back with borked system just format C and run image.

 

[Jaypaul97]

Here's the RKill log:

Rkill 2.4.7 by Lawrence Abrams (Grinler)
Bleeping Computer - Technical Support and Computer Help
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
RKill - What it does and What it Doesn't - A brief introduction to the program - BleepingComputer.com

Program started at: 03/16/2013 10:30:02 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Possibly Patched Files.

* C:\Windows\system32\services.exe

Checking Registry for malware related settings:

* Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
C:\Users\User\Desktop\rkill\rkill-03-16-2013-10-30-04.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:
* C:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
* C:\Windows\assembly\GAC_64\Desktop.ini [ZA File]

Checking Windows Service Integrity:

* Windows Firewall Authorization Driver (mpsdrv) is not Running.
Startup Type set to: Manual

* BFE [Missing Service]
* BITS [Missing Service]
* iphlpsvc [Missing Service]
* MpsSvc [Missing Service]
* WinDefend [Missing Service]
* wscsvc [Missing Service]
* wuauserv [Missing Service]

* SharedAccess [Missing ImagePath]

Searching for Missing Digital Signatures:

* C:\Windows\System32\services.exe [NoSig]
+-> C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe : 328,704 : 07/13/2009 06:39 PM : 24acb7e5be595468e3b9aa488b9b4fcb [Pos Repl]

Checking HOSTS File:

* No issues found.

Program finished at: 03/16/2013 10:33:49 PM
Execution time: 0 hours(s), 3 minute(s), and 46 seconds(s)

 

[cottonball]

Jaypaul97,

Glad you returned! There is some work to do with that system.

Please go back to VistaKing's post #4:
http://www.sevenforums.com/system-security/282639-please-help-virus-has-taken-over-my-computer.html#post2327091

You may want to print the instructions so you have access to them while working on the process outlined.

If you have any questions on any part of the instructions, feel free to ask.

When done, post the FRST.txt and the Search.txt as requested. We need this information in order to press on.