Laptop with 44 threats

Eric4753

Well, one of my friends handed me a laptop which is in pretty bad shape. I booted it up, and Windows Antivirus Master popped up notifying me that it found 44 threats. Many were trojans with critical levels. I tried opening up Internet Explorer to download an antivirus program or something, but Windows keeps blocking it, saying "firewall has blocked a program from accessing the Internet." I then tried to run Task Manager to stop Windows Antivirus, but Task Manager immediately closes upon opening. I honestly don't know what to do. I can't get anywhere on this thing. Can anyone help me here? It's running Windows 7 64-bit.

Thanks,
Eric
 
Windows antivirus master is the actual malware here. Reboot to safe mode with networking and download and run the following programs.

Run malwarebytes first but before running malwarebytes, you will need to run one of the rkill programs.

1.

Please download AdwCleaner by Xplode onto your Desktop.



  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan.
  • After the scan you will need to click on Clean for it to delete the adware.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

2.

Please download Junkware Removal Tool to your desktop.

  • Shut down your antivirus to avoid any conflicts.
  • Very important that you run the tool in this manner:
    Right-mouse click JRT.exe and select Run as administrator.
    Do NOT just double-click it.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt in your next message.

3.

Please download Malwarebytes' Anti-Malware and save it to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • A log will be saved automatically which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware

If for some reason Malwarebytes will not install or run please download and run Rkill.scr, Rkill.exe, or Rkill.com. If you are still having issues running rkill then try downloading these renamed versions of the same program.

EXPLORER.EXE
IEXPLORE.EXE
USERINIT.EXE
WINLOGON.EXE

But DO NOT reboot the system and then try installing or running Malwarebytes. If Rkill (which is a black box) appears and then disappears right away or you get a message saying rkill is infected, keep trying to run rkill until it overpowers the infection and temporarily kills it. Once a log appears on the screen, you can try running Malwarebytes or downloading other programs.

Please post the log that Malwarebytes displays on your screen.

4.

Download OTL to your Desktop


  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Click on Minimal Output at the top.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Just post the OTL.txt file in your reply.

Post the logs from the following 4 programs.

1. Adwcleaner
2. Junkware removal tool
3. Malwarebytes
4. OTL
 
I got it to boot into safe mode with networking, but when I download the program off IE 8, it won't save the file. The computer keeps saving the file to the recovery drive instead of the hard drive. If I choose run, it says script error.
 
Right, I know, but it won't let me choose that one. I'll put in my flash drive and use that.
 
Junkware will not work. I ran it as an admin, but the command window comes up with nothing on it. I can't format the recovery drive nor do a system restore lol. I'm stuck on what to do. ADW did run, but detected nothing.
 
It worked, but I just found out that Windows will only boot from the recovery drive. If I try to boot from the hard drive I get a message that Windows couldn't boot up etc., so I have 2 options: 1. repair it, 2. start it normally. If I click repair, it goes to the previous screen of whether I want to boot from the recovery or hard drive. If I click start normally, the screen turns blue and says "STOP: c0000135 The program can't start because %hs is missing from your computer. Try re-installing the program to fix this." What should I do? Also, I still have my Windows 7 64-bit CD from purchasing my desktop; I don't know if that will help you guys or not.
 
Boot into recovery and try to perform a system restore to a point before the virus infected the machine.
 
If possible I would suggest that this is a classic partition, new install, scan files, transfer, delete old partition, extend new one.
 
I tried that; it needed, I think, 3 GB of free space, which it doesn't have. I tried deleting stuff, but I don't have permission to. The account is admin too, which doesn't make any sense lol
 
It worked, but I just found out that windows will only boot from the recovery drive.

What do you mean by recovery drive? An OEM recovery drive isn't bootable per se. You have to press certain keys at the beginning to even access the recovery partition. Is this recovery drive an actual separate drive from the C drive? How many actual hard drives are installed in the system? So you can't even boot into Windows now?
 
The hard drive is called RECOVERY (C:), it has 14.6 GB; the other is called OD (D:). I'm almost positive it is booting from the recovery drive; I get this every time I turn it on.
[Image: 640_Win7_DB_BootManagerMenu-01_062411.jpg]
The 2nd Windows 7 option brings me to the screen. I posted about that earlier.
 
No, that screen just means that you have a double installation of Windows 7 on your machine. XP has the option to check all boot paths. Windows 7 would require using EasyBCD to edit and remove the bad one.
 
Well, there is no room on the recovery drive C:. I tried installing it on the main D: hard drive, but I get an error message every time. Pretty much anything I install on the main drive starts with an error.
 
Do me a favor, go into Disk Management and post a screenshot of it. Put the image on a website like Photobucket or ImageShack or similar so I can see it better.
 
I can't understand how a recovery partition got labeled C instead of being hidden from Windows.

What happens when you go into "Computer" and try to open the recovery drive? Can you access it? Do you know if you have saved files to it? What brand of laptop is this? It sounds like Windows is trying to store files on this drive and it's not supposed to. If this was my computer, I would just boot to the recovery partition and reinstall Windows or order recovery CDs and totally wipe the drive and start over. Sounds like the recovery drive was unhidden from Windows.
 