[Solved] How to get rid of this nasty virus?

March 17, 2018 at 03:52:11
Specs: Windows 7
Update for Malwarebytes, clicked ok, took over my computer, won't allow antivirus, ComboFix, anything similar to run, even though I rename them for download. Removes log files from ComboFix, etc, scans. Won't allow Windows updates, turned off audio, added 2 users to my allowed list, removed my full control as administrator. Whether in safe mode or normal, after I uninstalled Malwarebytes, it restores it. Won't allow email attachments to or from anyone. If I try to open 2 tabs same time, I get a blue screen saying Windows was being shut down for my protection. Have to reboot. No updates of virus definitions since 3/12/2018. System restore did not fix. Running Dell Mini10 with Windows 7, solid state, ancient like me, gift from my deceased brother. Don't want to lose it. HELP, please?


#1
March 17, 2018 at 04:00:39
I searched and deleted all files with MBam or Malwarebytes. My recycle bin is now a blue color, and I noticed just before shutdown it gets filled with whatever??? ComboFix deleted a file called SafeBoot Mbam. That's about all I remember as that saved log was deleted. No matter what, Malwarebytes is reinstalled after every forced shutdown (that blue screen thing) no matter if safe mode or not. Sorry, I'm 70 years old & tech illiterate. I changed recycle bin settings so nothing is put there, just gets directly deleted and changed the name of Malwarebytes and recycle bin. Haven't "crashed" yet, been online for about 45 minutes in safe mode with network, seems I get logged off/shutdown after about an hour, like it or not.

#2
March 17, 2018 at 05:44:54
Whatever this is, it has now cut my time online to 10-15 minutes, but I copied the url so I can access it when I can from maybe daughter's computer, so excuse a slow response time. BTW, the only anti-virus I've used for about 2 years now are Microsoft's products and I'm running old Internet Explorer because all others seemed to hang incessantly. I can no longer download anything, can't send or receive attachments in email. It's just getting worse?
Thank you for any suggestions that don't involve downloads, and as an added bonus, my TeamViewer has been erased.
No way I am allowed to change settings or even do a screenshot!
Is there no way to scan and quarantine viruses ONLINE, no download?
I did mention I don't speak Tech at all, yes?

#3
March 17, 2018 at 06:19:45
Do you have the free version or paid version of Malwarebytes? Does it load at startup & have a blue "M" in the notification area? Please explain how you went about updating. You may have gotten scammed.

"BTW, the only anti-virus I've used for about 2 years now are Microsoft's products and I'm running old Internet Explorer"

An accident just waiting to happen. And it finally did. Why do you have TeamViewer? Have you granted someone remote access to your laptop?

My suggestion is to create a bootable anti-virus rescue disc, that way you can run a virus scan without booting into Windows. Try the Bitdefender version explained here: https://www.bitdefender.com/support...

After your system is clean, dump the MS antivirus & replace it with Bitdefender Free Edition. There's no charge but you will have to register your email address.
https://www.bitdefender.com/solutio...


#4
March 17, 2018 at 09:36:58
Yes, why do you have TeamViewer? What have you used it for?

The very brief Wikipedia article on TeamViewer says:

"TeamViewer and similar services have been used to commit
technical support scams via telephone calls. People are called,
either at random or from a list, by criminals claiming to represent
a computer support service which has identified the victim's
computer as being infected by malware, most often using the
name of companies such as Microsoft. They then ask the victim
to give them access to their computer by installing a remote
control service, which can allow the attacker to infect the
computer with malware or to delete or copy personal files."

-- Jeff, in Minneapolis


#5
March 17, 2018 at 15:47:16
✔ Best Answer
The proper MalwareBytes is quite safe. Most likely the update was not genuine - a scam. By now MWB proper must be in a crippled state because of what you've done.

See if you can get this file in, via another computer and a flash drive if you can't download it:
AdwCleaner:
https://www.malwarebytes.com/adwcle...
Download and "Save" the file somewhere. Go to the saved file then double click it to run the program. Use the "Scan" button, followed by the "Clean" button. If necessary run it in Safe Mode.

In the meantime there is a security helper who might be able to assist "if available" I will let him know about your plight.

Always pop back and let us know the outcome - thanks

message edited by Derek


#6
March 17, 2018 at 16:29:49
Many thanks to all who replied. Much appreciated.
I downloaded Malwarebytes from bleepingcomputer at the advice of 2 friends and my son who are all IT and who remote in to do whatever IT people do. They are the only 3 I allow in via TeamViewer which my son put on my machine last time he had it overnight.
That's why I have TeamViewer, so he doesn't keep my computer overnight.
I've known the other 2 guys for over 20 years.
They build and repair computers.
I don't know how anything from bleeping updates. I was just having problems with a not responding message on several sites, all my beloved "geeks" said go get Malwarebytes. I hear and obey, great wizards.
When it said it was updating, I just clicked ok. BAD move.
I certainly will try the flashdrive thing rather than send 'Baby Dell' away for days. I'm always afraid it will be lost by FedEx.
Grandsons are computer savvy enough to help me, I hope.
As for Internet Explorer, I hate it, but Chrome was nothing but a headache on this ancient laptop and Firefox kept crashing and despite promises the new version was fixed, NOT on this Dell it wasn't.
As one of my wizards declared to the other 2, "Who better than Microsoft knows how to defend Windows?" So, we went with that after the Kaspersky fail.
I've tried other laptops, Windows 10, but, well, they suck, I believe is the term used.
I am a dedicated 'desktop' computer devotee, the tower, the hum of 4 fans running, YES!, the way the lights dimmed when it powered up, but my 'mega-monster' that son built for me fell prey to a virus so bad that Kaspersky refunded me my $ for their software.
Anyway, I was amazed I got back online at all, and will try the above suggestion.
Not sure when I can get back here, but thanks ESPECIALLY to Derek, who didn't lecture and do the "you should've known better" crap.


#7
March 17, 2018 at 16:35:33
I agree that the genuine Malwarebytes is a good, safe, and useful tool.
You apparently have either a bogus version, one corrupted by malware, or something else masquerading as Malwarebytes (in Task Manager, etc.).
You DO need to get your system cleaned out. The first step here is the rescue disk as mentioned earlier. If you get the ISO image and burn a CD of it, then boot to it, it will run only off the CD and your RAM and scan your system for all of the nasties and remove them. After that you may need to continue with a few more scans and do a few repairs to your system. Please update your antivirus program AND please try Firefox again; the newest version is MUCH faster than anything I have ever run on Windows 7.
JohnW will probably be popping by soon to help, he is the most experienced with restoring even very badly infected systems, usually without needing to reinstall Windows. Please be patient; it probably took a long time to get that infected, though you did not realize at the time that the infection was working its way in deeper, and it may take many steps to completely be sure it is all gone and you are back on track.

You have to be a little bit crazy to keep you from going insane.


#8
March 17, 2018 at 16:41:03
Yes, it was JohnW I had in mind but, as given, it depends on his availability.

Always pop back and let us know the outcome - thanks


#9
March 17, 2018 at 16:41:06
BTW, as to "The proper MalwareBytes is quite safe. Most likely the update was not genuine - a scam. By now MWB proper must be in a crippled state because of what you've done."
I used the link sent to me by the older IT guy to download something I didn't want, and he's the one who saw that MWB was being reinstalled and also the one who said MWB does NOT update as I described, nor would it reinstall once uninstalled.
You know, maybe, how long the free version takes to update before scanning, several minutes, yes, but the 'updated' MWB did the update and a full scan in 34 seconds the one time I used it before I was told to uninstall it and delete all files.
Like I said, I don't speak 'tech', but I did surgery, etc., quite well.
We each have our slot in life, yes?
Thanx.

#10
March 17, 2018 at 16:49:39
Thank you for being so kind, Fingers, will do. Trying to do what I can so I don't have to send Baby Dell out into the world on a FedEx truck. Son lives in SC, other 2, one in FL, other in NC. I have a strict schedule with oncology so I don't travel any further than Memphis, 60 miles away, since I don't drive anymore. And I use my computer to read about 12 hours a day, keep up with medical developments, etc. Should've read about computers and such. :-) Trying to remain calm.

#11
March 17, 2018 at 16:51:01
What you're saying about MalwareBytes is all rather confusing. Seems you uninstalled MalwareBytes but I've no idea if it was the free version or the paid for version. Either from the right place are OK but this is something to sort out after the virus is fixed. Just for info, the time it takes to update depends on when it was last done (manually). On the paid for version it is frequently updated so has less to do.

Always pop back and let us know the outcome - thanks


#12
March 17, 2018 at 17:02:49
One last thing, I am in a very rural area, on an oxbow lake that floods when the river overflows, so we can't get cable internet (water stays 2-3' high sometimes for weeks), no cable providers, not even AT&T will risk running cable for us, so we only have satellite for all our cabins on stilts out here. SLOW doesn't describe satellite in this area. We get in and out by boats, which are faster than satellite. :-)

#13
March 17, 2018 at 17:06:52
Derek, you wrote, " Seems you uninstalled MalwareBytes but I've no idea if it was the free version or the paid for version."
Just above where you wrote that, I had typed, "You know, maybe, how long the free version takes to update before scanning,..."
Again, it was the free version and I'd had it for about 2 months.
It never found a single problem.

#14
March 18, 2018 at 06:05:38
The free version of Malwarebytes used to be completely manual but now if you do not deactivate parts of it, it loads with Windows and does check for updates, etc. I prefer to go through the settings and turn off 'start with Windows', 'Check for updates', and anything that might keep it working in the background. I launch it periodically or if I suspect the system of a possible minor problem, then it will tell me in the program window that it is not up to date and I can click 'get updates' before scanning with it. They are trying to get people to pay for it so it installs the free version as a trial for the professional version until you click 'end free trial' or it expires. At which time it bugs you to upgrade to paid version. Turning off the parts that make it the trial manually reverts it to the true free version.
I use Webroot Secure Anywhere as my AV program, though I do pay annually for it. I find it very good and light on resources. You purchase it online and discounts for multiple machines do help in the family and their cell phone protection app is also good and is free for all.

You have to be a little bit crazy to keep you from going insane.


#15
March 18, 2018 at 11:23:46
Hurrying to post this, sorry. Been shut down twice already.
Still working on getting a grandson out here with a thumb drive and another laptop.
After an overnight "lock-out", I rebooted in normal mode (or whatever it's called) and was amazed to get notice of new Defender updates, sure, why not. It downloaded 2 files, began installing and BAM!, Shutdown.
But this message (?) with a green shield with a checkmark on the shield:
"Windows is up to date.
There are no updates available for your computer.
Most recent check for updates: Today at 10:37 AM.
Updates were installed: Today at 10:41 AM (FAILED).
You receive updates: For Windows only."

Clicked on View Update History, got "You have not tried to install any updates for your computer."

Found a file named iExplore.exe in my PICTURES folder, it appeared to be maybe an old RKill.
Ran as administrator, got the following (expected) result.

Rkill 2.9.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2018 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/for...
 
Program started at: 03/18/2018 12:28:13 PM in x86 mode.
Windows Version: Windows 7 Professional Service Pack 1
 
Checking for Windows services to stop:
 
* No malware services found to stop.
 
Checking for processes to terminate:
 
* C:\Windows\System32\WLTRYSVC.EXE (PID: 1300) [WD-HEUR]
* C:\Windows\System32\bcmwltry.exe (PID: 1336) [WD-HEUR]
* C:\Windows\System32\WLTRAY.EXE (PID: 2208) [WD-HEUR]
 
3 proccesses terminated!
 
Checking Registry for malware related settings:
 
* No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
* No issues found.
 
Searching for Missing Digital Signatures:
 
* No issues found.
 
Checking HOSTS File:
 
* HOSTS file entries found:
 
127.0.0.1 localhost
 
Program finished at: 03/18/2018 12:28:45 PM
Execution time: 0 hours(s), 0 minute(s), and 31 seconds(s)


The new users' names were changed (?).
Two new users were added, one named "Authenticated Users", the other named "Public".
There were 3 prior to this: SYSTEM, my PC name, and me as Administrator.
Only the new names have full control, except for one instance where SYSTEM does, having to do with the Network.

I found the following under the name 'Qoobox' on Local Disk (C:)

A notepad file named BackEnv with a Created Date of 07/13/2016, denies me access, even if I try to override denial.


Add remove programs Notepad, 02/28/2018

7-Zip 15.14 (This was renamed 4 days ago when it was just 7Zip, installed by my son maybe 3 years ago?)
Adobe Flash Player 27 NPAPI
Broadcom Wireless Utility (I don't use wireless, am hardwired into a modem by one blue cable plugged into the Dell and a cord that plugs into the wall, no router in the house. Like I said, satellite internet)
Google Update Helper
Intel(R) Graphics Media Accelerator Driver
JMicron JMB38X Flash Media Controller
Microsoft .NET Framework 4.7
Microsoft Visual C++ 2005 Redistributable
Realtek USB Ethernet Controller All-In-One Windows Driver
SumatraPDF
Update for Microsoft .NET Framework 4.7 (KB4040973)
Update for Microsoft .NET Framework 4.7 (KB4041778)
Update for Microsoft .NET Framework 4.7 (KB4043764)
========================================
ComboFix Quarantine on Notepad
2018-02-28 06:46:30 . 2018-02-28 06:46:30 558 ----a-w-

C:\Qoobox\Quarantine\Registry_backups\SafeBoot-MBAMService.reg.dat
2017-11-14 19:56:00 . 2017-10-18 01:55:51 259,584 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\drivers\SETDABA.tmp.vir
2017-11-13 12:58:49 . 2017-11-13 15:22:39 1,342 ----a-w- C:\Qoobox\Quarantine\C\Windows\security\logs\scecomp.log.vir
2017-09-10 09:50:55 . 2017-10-22 22:19:16 153 ----a-w- C:\Qoobox\Quarantine\Registry_backups\ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24}.reg.dat
2017-05-11 02:59:12 . 2017-05-11 02:59:12 396 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM_ActiveSetup-{8A69D345-D564-463c-AFF1-A69D9E530F96}.reg.dat
2016-07-13 22:16:40 . 2018-02-28 06:35:14 11,879 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2016-07-13 22:05:23 . 2018-02-28 06:23:51 512 ----a-w- C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2016-07-13 22:01:54 . 2018-02-28 06:24:05 815 ----a-w- C:\Qoobox\Quarantine\catchme.log
=====================================

ComboFix2 on Notepad,
Completion time: 2017-11-04 10:04:51
ComboFix-quarantined-files.txt 2017-11-04 15:04

--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
===========================

The Recovery File is EMPTY


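As an added example, not part of this thread and not a script any of the posters ran: a small read-only PowerShell script a helper could use on the Windows 7 machine itself to verify three things post #15 reports, namely what the HOSTS file really contains, which local accounts actually exist, and which identities hold Full Control on the user's folders and whether that permission was inherited. The function names, the folders it checks and the list of "broad" groups are my own choices; it runs on the PowerShell 2.0 that ships with Windows 7, changes nothing, and only prints what it finds.

```powershell
# Added example, not from this thread. Read-only checks for the items post #15
# reports. Assumes an elevated PowerShell prompt (PowerShell 2.0 is enough) and
# the default Windows paths; function names and the group list are assumptions.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-SuspiciousHostsEntries {
    # Returns every active (non-comment) HOSTS line other than the normal localhost
    # mappings. Rkill showed only "127.0.0.1 localhost"; any extra line that points a
    # security vendor or Windows Update host elsewhere deserves a close look.
    param([string]$Path = $HostsPath)
    Get-Content -Path $Path |
        Where-Object { $_ -match '^\s*[^#\s]' } |
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
}

function Get-LocalAccountNames {
    # Lists local user accounts through ADSI, which works on Windows 7 where the
    # Get-LocalUser cmdlet does not exist. Compare the list with the accounts you expect.
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    $computer.Children |
        Where-Object { $_.SchemaClassName -eq 'user' } |
        ForEach-Object { $_.Name }
}

function Get-BroadFullControl {
    # For each path, reports Allow entries that grant FullControl to broad groups
    # (Everyone, Authenticated Users, Users). Knowing where such an entry sits, and
    # whether it is inherited from a parent folder, is the first step toward repairing it.
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        $acl = Get-Acl -Path $p
        foreach ($ace in $acl.Access) {
            $rights = $ace.FileSystemRights.ToString()
            if ($ace.AccessControlType -eq 'Allow' -and
                $rights -match 'FullControl' -and
                $ace.IdentityReference.Value -match '^(Everyone|NT AUTHORITY\\Authenticated Users|BUILTIN\\Users)$') {
                New-Object PSObject -Property @{
                    Path      = $p
                    Identity  = $ace.IdentityReference.Value
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage: run the three checks and read the output; nothing here modifies the system.
Get-SuspiciousHostsEntries
Get-LocalAccountNames
Get-BroadFullControl -Paths @($env:USERPROFILE, $env:SystemRoot) |
    Format-Table Path, Identity, Inherited -AutoSize
```

Reading the output: Everyone and Authenticated Users are built-in Windows groups rather than accounts someone creates, so their appearance with Full Control points to a permission change on that folder, and Get-LocalAccountNames is the place to look for genuinely added accounts. An entry marked Inherited = True was set higher up the tree, so the parent folder's permissions need fixing, not just the file in front of you. Output from a machine that is still infected should be treated as a hint, not proof; the offline rescue disc scan suggested earlier in the thread remains the reliable way to inspect it.
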
#16
March 18, 2018 at 11:38:45
Fingers, you wrote: "I use Webroot Secure Anywhere as my AV program, though I do pay annually for it. I find it very good and light on resources. You purchase it online and discounts for multiple machines does help in the family and their cell phone protection app is also good and is free for all."

In the past I have shelled out hundreds of $$ for "good AV", Kaspersky to Sophos, something called Vipre that we had the devil getting rid of, paid for AVG long ago, Avast, BitDefender (another one that hung on like a leech), ALL failed or else sucked up too much, is it called CPU usage?, that my 2008 machine was slower than mud moving uphill.
Some web pages wouldn't even crawl when I was running Sophos, Bit, and Vipre.
Paid for Hitman Pro because it found things nothing else had, but it went south about 2 months back, I forget the excuse on that one, something about my old Windows 7, I think?
And I'm getting screen flicker, so


#17
March 18, 2018 at 16:21:24
I have used Webroot products for many years. Initially it was just a malware program that was free and it worked alongside the expensive but mostly useless antivirus programs of their day and picked up more than they did. Later when they upgraded to a full AV program and the 'expensive' programs were getting more system resource hungry, I switched over to Webroot's product completely. They have improved it many times over the years but always with the user in mind. You never get the pop ups on screen or system tray, you never get the 'downloading definitions' which makes the internet crawl, it just works. I have a couple of times had it block a web page from loading and I get a full web page telling me it was blocked and why. There was an option to go there anyway but strongly advised not to. I typically scan with Malwarebytes every couple of weeks anyway and if the machine is slow or acting weird but that is it. My machine is fairly modern but it is still running Windows 7 on it. I delete emails that sound suspicious and do not open attachments or pop ups unless I know why and from where they came.

I sent a note to JohnW to pop over even though one was already sent (he may have seen the 'Solved' note and thought you were done so I included the fact that I did not think you were actually done).

Did you try running the Rescue Disk?
Have you cleaned out the dust build up in your system armed with a can of compressed air?
Sudden shut downs can be caused by many things, including overheating caused by blocked air vents.
You can install HWMonitor and post back the temperatures listed (min, normal, maximum), particularly the CPU temps, after 10 or 15 minutes working with the computer with the monitor program running minimized.

You have to be a little bit crazy to keep you from going insane.


#18
March 18, 2018 at 16:41:49
JohnW does not appear to have been around for about 8 days, so he might be away or something.

Always pop back and let us know the outcome - thanks


#19
March 18, 2018 at 17:29:35
mmm would seem so as otherwise he'd have had his toofs into this one...

#20
March 18, 2018 at 19:53:50
I have the impression you have a hardware problem.

Check the CPU temp with this little app if not already done: (you can ask your son/friends for approval)
if your CPU is INTEL: https://www.techpowerup.com/downloa...
Or a more in-depth diagnostic tool: https://downloadcenter.intel.com/do...

If you have AMD CPU: https://support.amd.com/en-us/kb-ar...


#21
March 19, 2018 at 06:39:15
Yup Johnw was off line due to storm damage; and is now trying to catch up on things various.

#22
March 19, 2018 at 06:45:15
Just about to go to bed, it's that time of day in my patch downunder.
Shall see what transpires during the night.
