
Messages - markem

1
RogueKiller / Re: I was dumb - got a virus
« on: August 08, 2020, 05:08:57 AM »
Ok. For the FUTURE - here is my solution

Step #1 : Do a Google search for a site that has the top 25 FREE antivirus programs including such things as Malwarebytes, SuperAntiSpyware, Avira, Kaspersky, and CLAMWIN. ClamWin is a really neat free piece of software. It is still running but so is Kaspersky. Anyway - a small plug there for free software. :-) I currently have HitManPro running, RogueKiller running, Kaspersky running, and ClamWin running. This is to keep my system safe while I get rid of the virus stuff. Also I have #3 below running.

Step #2 : Download or RE-download all of your drivers. Look for the USB driver install and RE-install it. Then, reboot, then check to see if you can see every USB device you own. If not - RE-install it again and repeat. At some point you should be able to see your devices.

Step #3 : YOU NEED TO HAVE THIS AND RUN IT if netsh.exe (or NETSH.EXE) shows up in your Task Manager. Or better yet - download Microsoft's excellent Process Explorer and then look for the above program. If you have it you REALLY NEED my little program. This is called process.au3 (or PROCESS.AU3). It is an AUTOIT program. You can find and download AutoIt by Googling it, click on the download, go ALL THE WAY down to the bottom and download it. There is also a Script Editor (I use VIM). Install AutoIt and then run this simple program. What does the program do? It looks at your tasks, checks to see if netsh.exe is running, and if so - it kills it. It does this until there ARE no netsh.exe programs running, then it sleeps for 30 seconds and checks again. Here is the program:

Code:
#include <WinAPI.au3>
#include <Date.au3>

Local $iConsole, $hConsole, $aGetConsoleWin, $iPID

; Attach to the console of the parent process (-1) so status lines can be written to it.
$iConsole = _WinAPI_AttachConsole(-1)
If $iConsole = 0 Then Exit
$hConsole = _WinAPI_GetStdHandle(1) ; 1 = standard output
If $hConsole = -1 Then Exit
_WinAPI_WriteConsole($hConsole, @CRLF & @CRLF & "Hello World" & @CRLF)
$aGetConsoleWin = DllCall("kernel32", "ptr", "GetConsoleWindow")

Local $c = 0

While 1
    $c = $c + 1
    ; If $c > 10 Then Exit
    $iPID = ProcessExists("netsh.exe") ; Returns the PID, or 0 if netsh.exe is not running.
    If $iPID Then
        ; Kill this instance and loop again immediately to catch any others.
        killProcess($iPID)
        _WinAPI_WriteConsole($hConsole, @CRLF & @CRLF & _Now() & " : NETSH is running" & @CRLF)
    Else
        _WinAPI_WriteConsole($hConsole, @CRLF & @CRLF & _Now() & " : NETSH is NOT running" & @CRLF)
        Sleep(30000) ; Nothing to kill: wait 30 seconds before checking again.
    EndIf
WEnd

; Never reached: the loop above has no exit.
; Sends an Enter key press to the console window.
If Not @error Then
    DllCall("user32", "bool", "PostMessage", _
            "hwnd", $aGetConsoleWin[0], _
            "uint", 256, _  ; WM_KEYDOWN
            "wparam", 13, _ ; VK_RETURN
            "lparam", 0)
EndIf

; Unused helper kept from the AutoIt documentation example.
Func getProcess()
    ; Run Notepad
    Run("notepad.exe")

    ; Wait 10 seconds for the Notepad window to appear.
    Local $hWnd = WinWait("[CLASS:Notepad]", "", 10)

    ; Write the list of Notepad processes returned by ProcessList to the console.
    Local $aProcessList = ProcessList("notepad.exe")
    For $i = 1 To $aProcessList[0][0]
        _WinAPI_WriteConsole($hConsole, @CRLF & @CRLF & _Now() & " : " & _
                $aProcessList[$i][0] & @CRLF & "PID: " & $aProcessList[$i][1] & @CRLF)
    Next

    ; Close the Notepad window using the handle returned by WinWait.
    WinClose($hWnd)
EndFunc   ;==>getProcess

Func killProcess($iPID)
    ; Close the process with the given PID (the netsh.exe PID returned by ProcessExists).
    ProcessClose($iPID)
EndFunc   ;==>killProcess

You should be able to run the program by just typing "autoit3 process.au3". This will keep netsh.exe from downloading more viruses onto your system. Ok - so first you download AutoIt3, install, run this program AND THEN you run something like Kaspersky and ClamWin (I am running a lot of them and none of them seem to interfere with the other antivirus programs.)

Step #4 : So you have made it this far - after days of reading information online about what to do I FINALLY found how to stop netsh.exe. This is how you do it:

Code:
netsh interface ip reset log.txt

This resets your internet interface, gets rid of any commands that might have been put into netsh.exe's execution loop. You MUST reboot after this or netsh.exe will just continue to start up new instances of it.

This is what I have so far. I have NOT yet rebooted because I am backing everything up and I am making a DVD with drivers for my laptop.

PS: The Preview didn't seem to do anything. Let me check this again. Ah! That got it! :-)

PPS: The AutoIt3 program was taken, in part, from examples in the AutoIt3 documentation. The netsh command was taken from:

https://lizardsystems.com/articles/configuring-network-settings-command-line-using-netsh/

You can also use:

Code:
netsh interface ip delete arpcache

Which can clear the arpcache.

And - argh. Netsh.exe is still trying to run - but wait! I still have not rebooted. Ugh. I will reboot tomorrow. Hopefully all of the 7-zip programs will have finished and yes - I know the archives might have a virus in them. Probably not with all of the antivirus software that is running - but we shall see! :-)

Mark
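
A variation on the watchdog in the post above, as an added example that is not part of the original post: before terminating each netsh.exe it records the command line and the parent process, so the log shows what keeps relaunching it. It uses Get-WmiObject so that it runs under Windows PowerShell 2.0 (Windows 7) and later; the log path and the function name are assumptions.

```powershell
# Added example, not the poster's code. Windows PowerShell 2.0 or later.
$LogPath  = Join-Path $env:TEMP 'netsh-watch.tsv'   # hypothetical log location
$Interval = 30                                       # seconds to sleep when nothing is found

function Get-NetshLaunch {
    # One record per running netsh.exe, with the process that started it.
    foreach ($p in @(Get-WmiObject Win32_Process -Filter "Name='netsh.exe'")) {
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
        # PIDs are reused: a "parent" created after the child is an unrelated process.
        if ($parent -and $parent.CreationDate -and $p.CreationDate -and
            ($p.ConvertToDateTime($parent.CreationDate) -gt
             $p.ConvertToDateTime($p.CreationDate))) {
            $parent = $null
        }
        $parentName = '<exited>'
        $parentPath = ''
        if ($parent) {
            $parentName = $parent.Name
            $parentPath = $parent.ExecutablePath
        }
        New-Object PSObject -Property @{
            Seen            = (Get-Date).ToString('s')
            ProcessId       = $p.ProcessId
            ParentProcessId = $p.ParentProcessId
            ParentName      = $parentName
            ParentPath      = $parentPath
            CommandLine     = $p.CommandLine
        }
    }
}

while ($true) {
    $hits = @(Get-NetshLaunch)
    foreach ($h in $hits) {
        # Log first, then terminate, so the evidence survives the kill.
        $line = ($h.Seen, $h.ProcessId, $h.ParentProcessId,
                 $h.ParentName, $h.ParentPath, $h.CommandLine) -join "`t"
        Add-Content -Path $LogPath -Value $line
        Stop-Process -Id $h.ProcessId -Force -ErrorAction SilentlyContinue
    }
    # Same pacing as the post describes: loop while instances exist, then sleep.
    if ($hits.Count -eq 0) { Start-Sleep -Seconds $Interval }
}
```

Run it from an elevated prompt; without elevation the command line and executable path of processes owned by other accounts come back empty.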

2
RogueKiller / Re: I was dumb - got a virus
« on: August 06, 2020, 06:26:44 PM »
Ok. I'll give that a try. Should be simple. I own a dell.

3
RogueKiller / Re: I was dumb - got a virus
« on: August 06, 2020, 01:06:10 AM »
Would that it was that simple. Both the Desktop and Laptop have software that you MUST uninstall BEFORE wiping and reinstalling. Otherwise - it is just a huge hassle. Not just for me but for all of the software companies. Not to mention I also have to reset all of my 700 website locations. So yeah. Simple. Really. :-)

4
RogueKiller / Re: I was dumb - got a virus
« on: August 05, 2020, 08:24:15 PM »
Found the problem with USB. Uploading info. Need to know how to fix if possible. It is beginning to muck with laptop's keypad.

5
RogueKiller / Re: I was dumb - got a virus
« on: August 05, 2020, 08:06:04 PM »
Here are the laptop's files.

6
RogueKiller / Re: I was dumb - got a virus
« on: August 05, 2020, 07:43:33 PM »
Let me add a new twist to this problem. The virus has some kind of a part to it that kills USB devices. Ugh. Now on my laptop. Going to run the program again and upload the text file.

Running Avira PC Cleaner and ClamWin. Avira has found 6 viruses so far.

7
RogueKiller / Re: I was dumb - got a virus
« on: August 04, 2020, 09:50:23 PM »
Thanks and thanks for your help. System is really acting weird right now. :-/

8
RogueKiller / System mucked
« on: August 04, 2020, 03:07:09 AM »
Here is the output. After days of trying to back up my information I finally gave up. The virus has unactivated my system, deleted my AlcoholSoft 120% license, and several other licenses. I'm going to have to try to back everything up as best I can and wipe the hard drive, install Linux, install Oracle's Virtual Box, and run Windows software from there. Thanks for your help. Here is the log. I'll wait for your reply.

9
RogueKiller / Re: I was dumb - got a virus
« on: July 31, 2020, 06:34:50 AM »
Ok. All of those I installed myself except the last one. But - I will uninstall all of them for this. I'll let you know how it goes here in a bit (or maybe tomorrow since it is almost midnight here). By the way - I use Revo to do the uninstalls because it does get rid of registry entries and files which might have been left behind.

Question: Avira is still running. It is scanning all of the disk drives. Should I stop it? Or wait for it to complete? Waiting could take a week or more. I'm thinking "Stop it" - but want to be sure. Thanks ahead of time.

To tell you more - I have several computers and use TightVNC to talk to them and FileZilla to move files around. Since my computer got infected I have NOT used either to do anything. I will be changing the password to the router here in a few moments. Already changed bank's info, Paypal, eBay, Amazon, and several other accounts. I'm writing a PHP script to scan all drives to ensure nothing has been installed and then I'll be writing one to send me to all 500 some odd websites to change the passwords on those as well. (Viruses are always a pain in the rear.)

10
RogueKiller / Re: I was dumb - got a virus
« on: July 31, 2020, 02:24:44 AM »
Here are the files. :-)

11
RogueKiller / Re: I was dumb - got a virus
« on: July 31, 2020, 02:04:50 AM »
I have Avira running, have run HitManPro and RogueKiller again. I have no idea what may show up. One thing I do know now is - My Windows 7 Pro now says I need to put in the activation key again. Ugh. :-(

12
RogueKiller / I was dumb - got a virus
« on: July 29, 2020, 11:22:11 PM »
Last week I downloaded a program and ran it. It turned out to be a set of viruses. I went to MajorGeeks, downloaded RogueKiller et al, and RogueKiller found everything and got rid of it. I then rebooted and ran RogueKiller a second time. It found the virus again and killed them. Repeat a couple more times. So then I looked at MSCONFIG - nothing there. Then I used FileLocator and found one of the virus programs had a link (ScrSnap.lnk). I removed the files and folders in the temp/ directory. Rebooted. Ran RK. Found and removed viruses again. So, on a hunch, I ran MiniTools and found a 16MB partition on my hard drive. I ran DiskManager and - it did not see it. I tried to look at the partition but could not get to it. It was hidden and locked. So then I used MiniTool to reformat it and delete it. Currently I am running RK again to see if now the viruses show up. My main reason for posting is that this is the first time I have seen a virus create its own partition and just wanted you to know about this. If the viruses show up again I'll post about it.

13
RogueKiller / Re: White Screen of death
« on: October 04, 2016, 10:45:26 PM »
Hello Curson! :-)

Yes, I have SP3 installed.
No. It completes the entire scan, brings up Firefox, displays the Adlice Software PUP removal guide, and then when you go back to RogueKiller - it is hung up (white screen of death). No matter what you press the title then changes with the "(Not Responding)" added onto the title. I waited an hour before killing it the first time.

After going in to Safe Mode, I could press on the "X" to close out RogueKiller. Also, Firefox came up behind RogueKiller - so no white screen of death.

I then ran RogueKiller again and this time, as each object was found, I went in to Regedit and removed that entry. Also, all of the Application Data, Local Data, and All User/Application Data files I removed. I canceled RogueKiller before it ended each time and as long as I did that - it worked ok.

Finally, I ran it one last time and after it had found some things I know are not actual PUPs I canceled it and RogueKiller came up and gave me the opportunity to remove those items it had found and which were selected (none at this point). RogueKiller completed everything and came up with the "Finished" button. Which worked.

So the problem seems to be if RogueKiller completes the scan then it hangs up after bringing up Firefox. I have run RogueKiller in the past once and it never had this problem before. So I'm thinking that it might be connected to changes in the Microsoft compiler if that is being used to compile RogueKiller. Microsoft is notorious for changing things so they don't work exactly like they should for old OSs. (It is one of the ways Microsoft gets people to move to newer OSs.)

At any rate - I got rid of everything I thought was a problem and that RogueKiller found. I just ran Hitman Pro also and it found the executable that RogueKiller found the registry entry for. :-) So I am happy. But I thought I should tell the forum about this problem I encountered.

14
RogueKiller / Re: White Screen of death
« on: October 04, 2016, 07:17:44 PM »
Back again! :-)

I restarted my computer under Safe Mode and.......the same thing happened.

The difference was that I was able to kill RogueKiller via the Task Manager which I was not able to do under the normal mode. So I started it again. Then what I did was - every time RogueKiller found something (especially the catchme virus regedit entry) I went in and removed that entry. There were several folders that I also removed from Application Data. These folders were all empty and I recognized them from software that got installed but also was removed by me from the system.

Once RogueKiller had found twenty(20) items (there are a maximum of 23) I canceled the scan and tried to restart it. Unfortunately, RogueKiller again froze. So I killed it again via Task Manager and am now running it again. I think it will finish this time as the catchme virus stuff in the registry is now gone.

I'll post again once it has finished.

15
RogueKiller / White Screen of death
« on: October 04, 2016, 04:11:09 PM »
I have tried running RogueKiller twice now and both times RogueKiller gives me the white screen of death. What I mean by that is that RogueKiller makes it all the way through to where it is showing the list of PUPs et al and then it just hangs. If I bring up Firefox to report it and go back to look at it, all I can then see is a dialog box but it just has a white background. I am going to try rebooting the computer and running in Safe Mode to see if that allows RK to continue. I'll report back on that.

I'm running:

Windows XP Pro x32
4GB of memory
and a lot of programs et al. :-)

Perhaps you should ask people to use one of the programs that shows you everything about their computers? It might be more helpful than me trying to remember everything I have on here. :-)
