Unsolved
Worm???
Hi,
I opened an email which looked legit (post express) as I was expecting a package, opened the attachment and my Dell Inspiron 1545 started crashing. McAfee kept coming up saying real time scan not on and when I clicked to turn it on, it kept turning off. I can open with Safe Mode, but my wireless and landline connection don't work. The only thing I can see when info about dumping and errors come up is Driver IRQL is not less or equal, and then it all crashes before I can read any other info.
McAfee hasn't responded and a friend said the same thing happened to him and he needed to go through a Dell Tech by phone for lots of ££££ because it was a worm. I have done a scan with the disc I got with the computer and all seems OK. If it is a worm, I've heard they never leave the hard drive, just stay dormant and I will have to get a new email address because just going on to my email will wake it up. I haven't deleted the email, just put it in my Spam box for now.
Help is appreciated
Trishk
Bugbatter (3 Apprentice), March 12th, 2011 11:00
Trishk, was it the email that is described here? http://nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out/
I suggest that you delete it from your Spam Box and make sure it has been deleted from Deleted Messages as well. If you cannot get online, you will need to use a clean computer to download some tools to a USB stick or CD. Will you be able to do that?
Trishk123, March 13th, 2011 05:00
Hi,
Yes, that's the one and I have now deleted it from my spam and email account. I was just keeping it in case the name was needed to get rid of the worm.
I was told I need to call a Dell technician to get rid of this worm, but what else can you suggest.
Thanks
trish
Bugbatter (3 Apprentice), March 13th, 2011 07:00
It's up to you. We can try to clean it if you would like to try that first.
If so, you will need the clean computer to access the forum and to transfer tools and logs. You can use a CD or USB flash drive.
In order to run Malwarebytes Anti-Malware, using the clean computer, download and rename the program installer "mbam-setup.exe" file to something else like "trishk.exe". Copy the installer file and the update file to your CD or flash drive.
Transfer the files to the infected computer. (You would use the update link mentioned below to manually update.) Install the "trishk.exe" file, then run the update so that you will have the current definitions. After that, run a full system scan and select to have the program REMOVE whatever it finds.
Please download Malwarebytes Anti-Malware and save it to the CD or USB flash drive.
alternate download link 2
After you have renamed it and transferred the program to the infected computer, double-click on trishk.exe to install the application.
Update through MBAM's interface from a clean computer; copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to your USB stick or CD and then copy it to the infected machine.
On the Scanner tab:
Back at the main Scanner screen:
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's TeaTimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes.
**If you need to re-install MBAM but encounter issues re-installing it, try using the MBAM Cleanup Utility by downloading it from HERE
Trishk123, March 13th, 2011 10:00
Hi,
Wow, a lot of info for someone not very literate about computers, but I'll give it a go. I'm going to print your instructions and make sure I understand it before actually doing what you've said, as I don't want to screw up my laptop any more than it already is. It may take me a day or so, but I will be back in touch with any questions and/or progress.
Thanks so much for your time and help
Trish
Bugbatter (3 Apprentice), March 13th, 2011 11:00
Yes, please print the instructions and read them over before you start. If you have any questions ask before you begin.
You cannot use the computer in its infected state, so being concerned with messing it up is not an issue at this point. Malwarebytes' Anti-Malware is safe to use. The biggest problem is getting it to run on the infected machine. The worst that can happen, and what Dell paid support may tell you to do, is to reformat/reinstall the operating system. That is more trouble than what you will be doing here, so we'll try this first before you go there.
Trishk123, March 14th, 2011 09:00
Hi,
There are several web sites for Malwarebytes. One is the malware...org, another says it's the latest and is at softlate.com. Which one should I use?
Trish
Trishk123, March 14th, 2011 09:00
Hi again,
I see now that I have to access Malwarebytes via your email and have done so. It puts me into a web site, Major Geeks online store, where I have to buy a consumer license and an option for an extended license for a total of about £19. Is this correct? There is also something about a license for $24 on link 2.
trish
Bugbatter (3 Apprentice), March 14th, 2011 10:00
All the tools that we use here are FREE versions. You do not need to purchase anything unless you want an upgraded version with realtime scanning and automatic updating. You do not need a paid version right now, and have the option of upgrading later if you choose to do so.
If you click on the first link that I posted above, it takes you to a download hosting site that gives you a choice to Download or Purchase. Click on Download for the free version.
If you click on the second link, it takes you to Majorgeeks. That one gives you the option to Download (the free version) from one of the download mirrors or purchase a license for the upgraded version.
* The email notifications are sent simply as a reminder that I have replied so you can return to the forum. The emails may not include all the information that you need, so it is best to come to the forum to read the entire post, rather than trying to work from the emails.
Bugbatter (3 Apprentice), March 14th, 2011 11:00
The first link is for BestTechie which redirects to here: http://fileforum.betanews.com/detail/Malwarebytes-AntiMalware/1186760019/1
If you are being redirected to softlate.com, on your "clean" computer, we might need to check that one for malware as well.
Trishk123, March 14th, 2011 11:00
When I click on the first site you gave me, it sends me to Major Geeks as does the second site. I'll check it out again and see if I can find the free download on Major Geeks.
Trish
Trishk123, March 14th, 2011 11:00
Hi,
I was able to download the malware from the Geek site, but Windows won't let it copy, send to or transfer to the CD disc. I am on an Asus EEE900 with XP and have connected a portable CD player as this little Asus has no CD drive. What now??
trish
Bugbatter (3 Apprentice), March 14th, 2011 12:00
I'm confused about how you are doing this. You downloaded and saved the MBAM setup to the CD. You inserted the CD into the infected machine, and it won't run?
Are you able to boot the infected machine into Safe Mode and do it that way?
Trishk123, March 14th, 2011 12:00
Hi,
Sorry if I'm confusing you. I downloaded the program to the Asus I am using. I have a separate CD drive attached to the Asus, but am unable to transfer the downloaded malware from the Asus to the CD. An error message comes up saying Windows will not do it. I am going to try to put the downloaded malware program on a flash drive and if that works, then I will proceed with the rest of your instructions.
trish
Trishk123, March 14th, 2011 14:00
Hi,
This is what happened. I was able to install the Malware removal onto the Dell and run the scan. It picked up one Adware bug and I removed it according to the Malware removal instructions. I ran the scan again and it came up clean, so I restarted the computer as you said and it came up fine, no problems, and I thought that it was fixed. I tried to put the landline internet plug in and it didn't work.
I tried to open the music icon and it all crashed again. I was able to open it in safe mode and start the scan again, but it crashed during the scan. I opened it again in safe mode, decided to try the full scan in case the malware was deeper than the quick scan would see, but it crashed after a few minutes during the scan.
I'm finished for the night with this as very frustrated, and tired but if you have any other suggestions.....
trish
Bugbatter (3 Apprentice), March 14th, 2011 16:00
Trish, it seems that you are doing things that are not included in the steps that I posted. By doing things out of sequence, and attempting to run scans on your own, it may be making things worse as the malware has time to activate again.
You tried to run Malwarebytes twice rather than once, and use the landline to connect to the internet. I would have advised against that until I was sure we had killed the downloader. I'm not sure why you tried to open a "music icon".
Let's see if we can disable the malware long enough to run Malwarebytes. You will need to download another tool called RKill to your CD, and transfer that to the infected computer. Please print these instructions so you can follow them carefully.
Reboot your computer into Safe Mode. When the computer reboots into Safe Mode, make sure you log in with the username you normally use. When you are at your Windows desktop, please continue with the rest of the steps.
In the event that the infection has changed your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software, we should fix this. Please start Internet Explorer. You will be offline in Safe Mode, so it will open but you will not see your homepage when the program is open. Click on the Tools menu and then select Internet Options.
When at the Internet Options screen, click on the Connections tab.
When you see the Connections tab, click on the LAN Settings button. You will now be at the Local Area Network (LAN) settings.
Under the Proxy Server section, please uncheck the checkbox labeled Use a proxy server for your LAN. Then press the OK button to close this screen. Next, press the OK button to close the Internet Options screen. Now that you have disabled the proxy server, that may help with your connection problem.
These things are never a one-shot fix, so patience is needed.
Please download Rkill by Grinler to your CD so you can transfer it to the desktop of the infected computer. When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.
** Do not download any other programs or other scans advertised on that page.
Once it is downloaded to your CD, transfer RKill to the other computer, still in Safe Mode. When it is on the desktop of the infected computer, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with your malware and other Rogue programs. If using Vista or Windows 7, right-click on it and Run As Administrator. Please be patient while the program looks for various malware programs and ends them.
When it has finished, the black window will automatically close and you can continue with the next step.
If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by the malware when it terminates programs that may potentially remove it. If you run into these infections' warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate the infection. So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the instructions. If you continue having problems running RKill, you can download other renamed versions of RKill from the download page. If you reboot, the malware will activate, so you will need to run RKill again.
Next, you will run Malwarebytes. Since the infected computer is not connected to the internet, if you did not update Malwarebytes before, you can download the updates from here to the CD, transfer them and just double-click on mbam-rules.exe to install.
C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to your CD and then copy it to the infected machine to the same location on the infected one:
The settings will be the same as before - to review:
On the Scanner tab:
Back at the main Scanner screen:
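The proxy check Bugbatter walks through in the Internet Options dialog above can also be done, and more importantly recorded before anything is changed, from the registry values that dialog edits. The script below is an added example written for this thread, not something posted by Bugbatter or shipped with Malwarebytes or RKill; it reads the per-user WinINet settings under HKCU (ProxyEnable, ProxyServer, AutoConfigURL, ProxyOverride), reports whether a proxy or PAC script is configured, and offers a function that clears them, which is the same effect as unchecking "Use a proxy server for your LAN". The function and variable names are my own; the registry path and value names are the standard ones Internet Explorer uses.

```powershell
# Added example (not from the forum thread): inspect and optionally clear the
# per-user Internet Explorer / WinINet proxy settings that the post above has
# the reader uncheck in Internet Options > Connections > LAN Settings.
# Malware that hijacks browsing commonly sets ProxyEnable=1 with a ProxyServer
# it controls, or points AutoConfigURL at a PAC script it controls, which is
# what breaks browsing and security-tool updates on an otherwise connected PC.

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-WinInetProxyState {
    # Read the values the LAN Settings dialog edits. Missing values come back $null.
    $s = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ProxyEnable   = [int]($s.ProxyEnable)   # 1 = "Use a proxy server for your LAN" checked
        ProxyServer   = $s.ProxyServer          # e.g. 127.0.0.1:8080 (a local hijacking proxy is a red flag)
        AutoConfigURL = $s.AutoConfigURL        # PAC script URL; also used to hijack browsing
        ProxyOverride = $s.ProxyOverride        # bypass list, e.g. <local>
    }
}

function Clear-WinInetProxy {
    # Same effect as unchecking the proxy box in the dialog: disable the proxy
    # and remove the server / PAC entries so they cannot be silently re-enabled.
    Set-ItemProperty -Path $key -Name ProxyEnable -Value 0 -Type DWord
    foreach ($name in 'ProxyServer', 'AutoConfigURL') {
        if ($null -ne (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue)) {
            Remove-ItemProperty -Path $key -Name $name
        }
    }
}

# Record the state first so the hijacked value (if any) is kept as evidence,
# then decide whether to clear it.
$before = Get-WinInetProxyState
$before | Format-List

if ($before.ProxyEnable -eq 1 -or -not [string]::IsNullOrEmpty($before.AutoConfigURL)) {
    Write-Host 'A proxy or PAC script is configured for this user; review the values above.'
    # Uncomment to apply the fix the thread describes, then re-read the state:
    # Clear-WinInetProxy
    # Get-WinInetProxyState | Format-List
} else {
    Write-Host 'No WinINet proxy configured for this user.'
}
```

These values are per user, so run the script in the account that normally uses the machine (the one Bugbatter says to log in with in Safe Mode); a proxy set in another profile will not show here. Note the ProxyServer value before clearing it: a proxy pointing at 127.0.0.1 or an unfamiliar host is the kind of indicator worth keeping for the cleanup log. PowerShell is not installed by default on the Windows XP systems mentioned in the thread, so on XP the same values can be read with the built-in `reg query` command against the same key.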