Help with a virus

MO35AB (OP)
No idea if this is the right section on GBAtemp.

I torrent-downloaded a game.
After install I got infected with several viruses and spyware; I got most of them eliminated, I guess :/
Now, every time I boot Windows, I find that Defender has been deactivated by group policy, then I have to run "regedit" and delete an entry to reactivate it.
In the Task Manager I find a "gxxx.temp.exe" at every start-up, where xxx = random number.
Deleting it from "C:\Windows\temp\gxxx.temp.exe" will create another one at start-up with a different number :/

HELP :'(
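A check for the two symptoms in the post above, written as an added example for this thread (it is not code from any poster). It assumes the entry the OP deletes with regedit is one of the Disable* values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, which is the location a "turned off by group policy" Defender is normally switched off from, and that the dropper keeps the g<number>.temp.exe naming in C:\Windows\Temp. Run it from an elevated PowerShell on the infected machine:

```powershell
# Added example, not from the thread. Read-only except for the commented-out
# cleanup at the end. Run elevated.

# Assumption: the policy entry the OP keeps deleting lives under one of these keys.
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
)
$SuspectValues = 'DisableAntiSpyware', 'DisableAntiVirus', 'DisableRealtimeMonitoring'

# 1. Is Defender being disabled through the Policies hive?
foreach ($key in $PolicyKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $SuspectValues) {
        if ($null -ne $props.$name) {
            '{0}\{1} = {2}' -f $key, $name, $props.$name
        }
    }
}

# 2. What Defender itself reports right now.
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AMServiceEnabled

# 3. The dropper pattern from the post: g<random number>.temp.exe in Windows\Temp.
#    List and hash every match so samples can be compared across reboots or sent on.
Get-ChildItem -Path "$env:SystemRoot\Temp" -Filter 'g*.temp.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            File    = $_.FullName
            Size    = $_.Length
            Created = $_.CreationTime
            SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

# 4. Cleanup step only. Whatever re-creates these values is still running and will
#    put them back at the next boot, which is why the thread moves on to finding
#    the autostart entry. Uncomment once you are ready to remove them.
# foreach ($key in $PolicyKeys) {
#     foreach ($n in $SuspectValues) {
#         Remove-ItemProperty -Path $key -Name $n -ErrorAction SilentlyContinue
#     }
# }
```

Hashing the dropped file matters because the filename changes on every boot; if the SHA256 stays the same across reboots it is the same binary being re-dropped from somewhere, and that "somewhere" is what the autostart hunt in the later replies is looking for.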
 

Joom

These are easy. Check your startup entries and you'll find what keeps dropping the binaries. Also, could you PM me a sample of one of the binaries?
 

The Real Jdbye

These are easy. Check your startup entries and you'll find what keeps dropping the binaries. Also, could you PM me a sample of one of the binaries?
There are ways to run things on boot that won't show in the startup entries, but it's worth a try.
It's also worth booting in safe mode, it might prevent the malware from starting.
Also, Process Explorer will let him see what keeps putting that file there.
 

The Real Jdbye

No idea if this is the right section on GBAtemp.

I torrent-downloaded a game.
After install I got infected with several viruses and spyware; I got most of them eliminated, I guess :/
Now, every time I boot Windows, I find that Defender has been deactivated by group policy, then I have to run "regedit" and delete an entry to reactivate it.
In the Task Manager I find a "gxxx.temp.exe" at every start-up, where xxx = random number.
Deleting it from "C:\Windows\temp\gxxx.temp.exe" will create another one at start-up with a different number :/

HELP :'(
Malwarebytes is really good at removing things other AVs won't remove. Combine that with a good AV and hopefully you'll be able to remove whatever you have. Malwarebytes also has a rootkit scanner, which might help you.
It's best to run them from a live CD/USB. Medicat is a pretty good one: https://gbatemp.net/threads/medicat-dvd-a-multiboot-linux-dvd.361577/
I'm not sure if the Mini Windows 10 environment comes with any AVs or Malwarebytes (I would assume it does), but even if it doesn't you should be able to find portable versions of them that will work, or failing that, you should be able to install them.
I would just reset the PC and wipe out everything.
Sometimes that's the only option, but it should only be a last resort.
 

Joom

How to?
(I already checked Task Manager / Startup, clean.)
Check the startup folder for the Start Menu, and you can use a tool like CCleaner to check startup registry entries. Malware likes to hide in your AppData folder as well so that it doesn't trigger the UAC prompt, so that's a good place to start looking.
 

Captain_N

To attempt a repair manually you first have to find what is running and where the files are located. It is very important that you disconnect from any internet or network connection.

1st step is information gathering
The first tools you will need are Microsoft Sysinternals Autoruns and Process Explorer. Use those to figure out what is actually running. Keep note of the files you suspect and Google them. A good indicator of the infection is a start-up entry or driver running from a temp folder. Nothing should be running from a temp folder.

Next you need a windows live disc
I recommend Gandalf's Windows 10 live x64 or x86.

Boot the PC with the Live disc
Then you can manually delete the files to prevent them from running when the system starts. I actually copy the suspect files to their own folder in case the system blue screens when the files are removed. If the virus sets itself up as a driver you will usually blue screen from that. After the computer boots, look to see if it's running. The virus has to be stopped from running or any editing you do will usually be undone. Then you can edit what runs using Microsoft Sysinternals Autoruns. You then delete all the entries that you find there as well as any services that the virus created. Now is the time to run AdwCleaner, Malwarebytes and Junkware Removal Tool. They will clean all the registry entries up. You also should delete any system restore points because viruses usually infect those, so when you try to restore it re-installs the virus lol

Manual removal is not easy. I have gotten good at it because I know where to look. If it's a rootkit, I suggest a fresh install.
To prevent infections, make images of your system drive so you can restore the entire drive to the point before the infection. I recommend using a virtual machine program like VMware to run a virtual machine. Do all your web browsing in the virtual machine. Hell, install Ubuntu Linux in a virtual machine and run that. Good luck infecting that....
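The information-gathering step from Captain_N's post, Joom's advice to check the Start Menu startup folder, the startup registry entries and AppData, and Jdbye's point that some things run at boot without appearing in the startup entries, collected into one read-only PowerShell pass. This is an added example and not something any poster provided; it is a quick stand-in for what Autoruns and Process Explorer show, not a replacement for them. The Temp/AppData path patterns and the set of locations checked are assumptions chosen for this thread, and Get-ComputerRestorePoint needs Windows PowerShell 5.1 (it is not in PowerShell 7). Run it elevated, with the network cable out as Captain_N says:

```powershell
# Added example, not from the thread. Read-only. Run elevated, offline.

# Assumption: anything launching from a Temp or AppData folder is worth a look
# (Captain_N: "Nothing should be running from a temp folder"). Regex fragments.
$Suspicious = '\\Temp\\', '\\AppData\\'

function Test-SuspectPath([string]$p) {
    if ([string]::IsNullOrWhiteSpace($p)) { return $false }
    foreach ($s in $Suspicious) { if ($p -match $s) { return $true } }
    return $false
}

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Source, $Name, $Command) {
    $Findings.Add([pscustomobject]@{
        Source  = $Source
        Name    = $Name
        Command = [string]$Command
        Suspect = Test-SuspectPath ([string]$Command)
    })
}

# 1. Run / RunOnce keys, per-machine and per-user (what CCleaner's startup view lists).
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $RunKeys) {
    if (-not (Test-Path $k)) { continue }
    $item = Get-Item $k
    foreach ($n in $item.GetValueNames()) { Add-Finding "Registry $k" $n ($item.GetValue($n)) }
}

# 2. Start Menu startup folders, current user and all users. Resolve .lnk targets.
$wsh = New-Object -ComObject WScript.Shell
$StartupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
foreach ($d in $StartupDirs) {
    Get-ChildItem -Path $d -File -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -eq '.lnk') { $target = $wsh.CreateShortcut($_.FullName).TargetPath }
        Add-Finding 'Startup folder' $_.Name $target
    }
}

# 3. Services and kernel drivers: a service/driver install never shows in the
#    Task Manager Startup tab, which is one of the "ways to run on boot" Jdbye means.
Get-CimInstance Win32_Service      | ForEach-Object { Add-Finding "Service ($($_.StartMode))" $_.Name $_.PathName }
Get-CimInstance Win32_SystemDriver | ForEach-Object { Add-Finding "Driver ($($_.StartMode))"  $_.Name $_.PathName }

# 4. Scheduled tasks: another boot/logon launcher invisible to the Startup tab.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute) { Add-Finding "Task $($task.TaskPath)" $task.TaskName ("{0} {1}" -f $a.Execute, $a.Arguments) }
    }
}

# 5. WMI permanent event subscriptions: survive reboots, shown by Autoruns, not by Task Manager.
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMI consumer' $_.Name $_.CommandLineTemplate }

# 6. What is running right now, with its image path (the Process Explorer view).
Get-Process | ForEach-Object {
    $p = $null
    try { $p = $_.Path } catch { }   # protected/system processes may refuse the path
    Add-Finding "Process (PID $($_.Id))" $_.ProcessName $p
}

# Suspects first, everything else after for manual review / Googling.
$Findings | Sort-Object -Property @{Expression = 'Suspect'; Descending = $true}, Source |
    Format-Table -AutoSize -Wrap

# Captain_N's last point: restore points can carry the infection back. List them
# here (Windows PowerShell 5.1 only) and clear them from System Protection once
# the machine is clean.
Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
    Select-Object SequenceNumber, CreationTime, Description
```

Anything flagged Suspect with a path under C:\Windows\Temp or a user's AppData is the first thing to chase; the entry that points at, or re-creates, the g<number>.temp.exe file is the one to remove from the live disc before the normal boot, otherwise the running process will just undo the edit, as Captain_N describes.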
 
