Urgent help wanted by anyone conversant with computers and rootkits and how to sort virus problem

[cliveshep 786]

I  need expert help and advice - I'm only partially computer literate so one-syllable words would be best Here is the issue.

 

I have both Opera and Firefox browsers and apparently Edge (cannot delete that somehow) and Chrome also somehow crept in. I use Opera most of the time, Firefox kept fairly clean for UK banking issues only so I absolutely do not want to fiddle with that.

 

I have uninstalled and re-installed a fresh copy of Opera. I installed and ran AVG which found one virus it said it couldn't remove, I found the folder it purported to be in but I couldn't manually delete it either. It was a backup folder in Program files (x86) although I cannot remember the name.  I uninstalled AVG as useless.

 

I then downloaded and installed Malwarebytes Premium (trial edition) and ran that - it found 33 viruses and quarantined all of them. The problem was still there. So I ran it again - lo and behold another 7 viruses which I duly quarantined. The problem remained. 

 

I ran Malwarebytes 6 times in all, each time it found 7 viruses I duly quarantined, it as taken most of the day and the problem is still there. So I uninstalled that. Assuming it is a rootkit I tried to run Windows  (now Microsoft) Defender. Windows helpfully tells me it is turned off, there is no button or link allowing me to turn it on so I'm stuffed there!

 

Right - the problem is that whichever browser I use a command line pops up to open a website which instantly tries to install a programme. I cannot find it to delete it, ran CCleaner, Malewarebytes and AVG to no avail and cannot get Defender to run to scan for rootkits. I've toggled Malwarebytes to include rootkits - to no avail!

 

Malwarebytes says the website address is:  (I've deleted the https bit  at the beginning for safety)   xxxx://take-realprize.life/?u=lq1pd08&o=hdck0gl, the URL is 104.155.207.188 according to the Malwarebytes pop-up blocking it. Apparently it is a public IP address and owned by Google Cloud and located in Taipei, Taiwan.

 

Can anyone please help out? How do I find where this thing has hidden itself. Clearly it is a command line somewhere that instructs connection to the site whenever I open a browser window. Letting Malwarebytes block it from connecting is only a short-term preventative fix. 

[CharlieH 40146]

MOVED to IT forum

[ozimoron 6753]

Which windows version do you use? You probably need to do a disk format and fresh install.

 

What do you use this computer for? Browsing the net, email and banking? If so, I strongly recommend using Ubuntu instead. then you can forget about viruses.

 

If you really want to use windows then use Defender, forget the other virus programs. Back in the day Defender was horrible but not it isn't.

[cliveshep 786]

I'd love to use Defender as it is reputed to be the best rootkit removal tool, but like I said that option is not open to me.

 

In Security under viruses Windows helpfully says this is managed by others - it isn't - and there is no option to turn it on.

 

As for format and reload - I use the lappie for everything, thank ~God I just fitted a new optical drive if push comes to shove I can uses to save to double sided DVD's all my data - there is a lot! 

 

I fear that will be the route I will be forced to travel down!

[Daffy D 2620]

Try this see if it helps.

 

Download Search Everything

 

Search for the program you are looking for and delete every thing with that name.

 

Download and run Unlocker to delete any program that will not delete normally.

 

Both programs are free. 

 

Good Luck   

[norbra 293]

Dont do anything drastic until you have tried this method.

If you know when the problems first stated an easy way to try is using system restore

Type RESTORE in the sesrch box,this will open a create restore point option.

Select OPEN this will open a new option box.

Select SYSTEM RESTORE

A new box will suggest a recommended date,if this is not the best at the bottom select a different restore point,select NEXT for more option dates,after selecting a suitable date select NEXT then FINISH.

This will revert your laptop system back to that date,it does not affect your documents,pics etc.

Reboot check again for problems

Edited June 15 by norbra

[sungod 7777]

27 minutes ago, cliveshep said:

I'm only partially computer literate

Me too, so the way I tackle this is not to spend too much time finding the solution unless it lands on your lap.

 

My files are in the cloud and synced, therefore not a lot on my computer left I really care about.

 

It doesn't happen often thankfully, but the once or twice it has I just do a fresh reinstall. It sounds time consuming and over the top, but trying to fix it myself by downloading other programs and getting nowhere has been longer in my experience.

 

Doesn't hurt to give it a clean up every now and then anyway.

 

Oh, and as someone mentioned, system restore first.....but that may not always work so back to basics.

Edited June 15 by sungod

[OneMoreFarang 39535]

With so many viruses it will be a headache to remove them all and still have a perfectly working system.

 

I agree with others: Set it up new from scratch.

 

If you don't have a backup then I suggest keep your existing hard disk and remove it.

Install a new "hard" disk, preferable a SSD or M.2 and install everything from scratch. And make sure you get your software and everything you install from clean sources. I.e. if you have a memory stick with software and that stick is virus infected then your new system will be infected.

If you are not sure about any of this ask an expert to do it.

Because if someone hacked your bank then probably you think in the hindsight you should have spend a couple of thousand THB...

[sqwakvfr 2273]

I got virus through a USB Stick file transfer process(I will never do it again),  I have a Windows computer and the only solution I found was a Factory Reset without deleting my files.  

[OneMoreFarang 39535]

And don't download tools here and there which you don't know and with unknown origin.

There are too many "we help you with those viruses" links which just add more viruses.

[OneMoreFarang 39535]

Just now, sqwakvfr said:

Factory Reset without deleting my files.  

And how are you sure that none of your files are infected?

[CALSinCM 1345]

Learn everything you can absorb about backups and creating partition images.  Then when you've gone somewhere that has hosed your system?
You reimage your system.  And hour later?  You're back in business.
I can't help you with whatever you're doing to get infected.
Buy books on hardening your system and becoming security conscious.

[ozimoron 6753]

1 minute ago, CALSinCM said:

Learn everything you can absorb about backups and creating partition images.  Then when you've gone somewhere that has hosed your system?
You reimage your system.  And hour later?  You're back in business.
I can't help you with whatever you're doing to get infected.
Buy books on hardening your system and becoming security conscious.

or just use linux and get on with life. Viruses aren't a thing on linux - despite what anyone will tell you.

[NextG 1]

25 minutes ago, cliveshep said:

I'd love to use Defender as it is reputed to be the best rootkit removal tool, but like I said that option is not open to me.

 

In Security under viruses Windows helpfully says this is managed by others - it isn't - and there is no option to turn it on.

 

As for format and reload - I use the lappie for everything, thank ~God I just fitted a new optical drive if push comes to shove I can uses to save to double sided DVD's all my data - there is a lot! 

 

I fear that will be the route I will be forced to travel down!

 

You have a Rootkit.

Two recommended routes; One, swap drives in your laptop. This is a good solution if you are currently using a normal hard drive. That way you can move to the much more efficient solid state drive. Pop your old drive into a external USB casing and copy over what you want to the new install on the SSD.

 

Second option, remove the Rootkit.

I am too busy to help you with the detail needed, though I recommend that you head over to the bleepingcomputer forum. You'll find others with your issue and when someone finds the time, they will help you to sort it out.

I've stopped doing it, as people are often too impatient or simply ungrateful 

 

https://www.bleepingcomputer.com/forums/t/772491/infected-with-trojan-other-virus-antivirus-keeps-blocking-ip-104155207188/

[BigStar 2284]

48 minutes ago, cliveshep said:

I found the folder it purported to be in but I couldn't manually delete it either. It was a backup folder in Program files (x86) although Icannot remember the name. 

Sounds like a variant of this browser hijacker. Follow these steps and see if it doesn't go away:

 

https://malwaretips.com/blogs/remove-take-your-prizes-here-life/

 

You may have something else even in addition. Remove anything suspicious in Add/Remove Programs. Run msinfo32.exe and stop any suspicious programs from Startup. Look in the Task Scheduler and see if any bad guy is scheduled to start.

 

And find out the folder you mentioned above and then delete it after booting in Safe Mode or via a command prompt from a Windows boot disk. To get to the prompt, follow these directions:

 

https://www.thewindowsclub.com/boot-or-repair-windows-10-using-the-installation-media

 

Good luck.

 

[cliveshep 786]

I did pop in to Bleeping forum, someone with a similar problem was promised help, after a week he asked if help was likely to be forthcoming, that was almost a month ago and there has been no answer so I am not going to hold my breath for 5 or 6 weeks hoping someone isn't too busy or has popped his clogs or emigrated.

 

I need to transfer funds from UK to my Thai bank tomorrow, once that is done I'll take off all my data and so on and then format and do a clean install as I can do that in a day or so. Malwarebytes says just about 3000 files and the Farbar programme lists the lot. At my age I should live so long to trawl through that lot. Ditto everything.

 

So thank you all for advice and tips - hopefully my bank remains untouched and I can transfer funds safely tomorrow.

[norbra 293]

8 minutes ago, cliveshep said:

I did pop in to Bleeping forum, someone with a similar problem was promised help, after a week he asked if help was likely to be forthcoming, that was almost a month ago and there has been no answer so I am not going to hold my breath for 5 or 6 weeks hoping someone isn't too busy or has popped his clogs or emigrated.

 

I need to transfer funds from UK to my Thai bank tomorrow, once that is done I'll take off all my data and so on and then format and do a clean install as I can do that in a day or so. Malwarebytes says just about 3000 files and the Farbar programme lists the lot. At my age I should live so long to trawl through that lot. Ditto everything.

 

So thank you all for advice and tips - hopefully my bank remains untouched and I can transfer funds safely tomorrow.

I forgot to add System Restore takes around 5 minites to complete its so much easier than starting again from scratch

[NextG 1]

14 minutes ago, cliveshep said:

I did pop in to Bleeping forum, someone with a similar problem was promised help, after a week he asked if help was likely to be forthcoming, that was almost a month ago and there has been no answer so I am not going to hold my breath for 5 or 6 weeks hoping someone isn't too busy or has popped his clogs or emigrated.

 

I need to transfer funds from UK to my Thai bank tomorrow, once that is done I'll take off all my data and so on and then format and do a clean install as I can do that in a day or so. Malwarebytes says just about 3000 files and the Farbar programme lists the lot. At my age I should live so long to trawl through that lot. Ditto everything.

 

So thank you all for advice and tips - hopefully my bank remains untouched and I can transfer funds safely tomorrow.

 

I wouldn't do any banking on a PC with a Rootkit installed.

 

Swap the drives or back up, delete ALL partitions and then run a clean install. I am sure my advice will fall on deaf ears

[sqwakvfr 2273]

1 hour ago, OneMoreFarang said:

And how are you sure that none of your files are infected?

Cannot be 100% sure but so far no indicators of any files being corrupted or infected.  Also, no indications of any accounts being comprised or hacked.  One can never be completely sure of anything.  

Edited June 15 by sqwakvfr

[KIngsofisaan 721]

Go into Windows Register, search for the file name giving you the issue and manually delete it. Malware will modify the registry to make sure it can launch itself after a reboot. So you must delete it from Windows registry so it doesn't keep relaunching.

[cliveshep 786]

1 hour ago, NextG said:

 

Edited June 15 by cliveshep
Clicked before replying like a plonker!

[cliveshep 786]

1 hour ago, NextG said:

 

I wouldn't do any banking on a PC with a Rootkit installed.

 

Swap the drives or back up, delete ALL partitions and then run a clean install. I am sure my advice will fall on deaf ears

Not a question of deaf ears friend, more one of trying to keep afloat with no cash on hand and needing to transfer some. 

It is not redirecting at the moment, on any browser but Windows has just done a security update so that might be hindering it.

Currently scanning with the Sophos anti-rootkit programme - dreadfully slow and I'll probably have to leave the thing running all night!

[norbra 293]

4 minutes ago, cliveshep said:

Not a question of deaf ears friend, more one of trying to keep afloat with no cash on hand and needing to transfer some. 

It is not redirecting at the moment, on any browser but Windows has just done a security update so that might be hindering it.

Currently scanning with the Sophos anti-rootkit programme - dreadfully slow and I'll probably have to leave the thing running all night!

You asked for urgent help but you are fishing for a solution to an undefined problem.

Running system restore for 5 minutes may well resolve your system image issues

[steven100 26668]

click on the start icon at the bottom left corner .....   find '  command prompt '  in the programs listed ....   right click on the command prompt and ' run as administrator '  ........   

 

then the command prompt black box will open ....      type in  :  

 

run  chkdsk /f   then hit enter  ....  then run sfc /scannow  .....   then run  Dism /Online /Cleanup-Image /CheckHealth

[ChristianBlessing 415]

Have you tried running Defender Offline? It's too detailed to cover here but you can find instructions online. Essentially, while logged into your computer, you can go to the security settings and choose Microsoft Defender Offline. The computer will reboot into recovery mode and then do a full scan. It's as close to scanning in Safe Mode as you can get. Good luck.

Edited June 15 by ChristianBlessing

[userabcd 2210]

14 hours ago, ozimoron said:

or just use linux and get on with life. Viruses aren't a thing on linux - despite what anyone will tell you.

Like this one found and reported on few weeks ago.

 

"Linux Malware Deemed ‘Nearly Impossible’ to Detect"

[DezLez 2421]

13 hours ago, norbra said:

Running system restore for 5 minutes may well resolve your system image issues

Since when has system restore only taken 5 minutes.  I assume you only have the OS installed!

 

PS;  System restore only works if you have created a restore point before the problem occurred!

Edited June 16 by DezLez

[cliveshep 786]

Right - update. Loaded Avast and let it do a full scan, it ran tghe whole night and was still chugging away this morning. When it finished it announced it had found a rootkit and would quarantine it and I must restart computer.

Great I thought, told it to restart whereupon it started a full pre-boot scan. After another tedious hour it seemed to have frozen so I cancelled it and let the beast boot.

Had to open Avast again and behold - no quarantine with the rootkit. Ran various including full scans during the day, in between I managed to transfer money via Wise (3 seconds!) from the UK, on the basis that this rootkit is unable to escape to the outside world as Avast continously blocks it very noisily so it cannot corrupt my bank. 

During the day it constantly tries to connect and Avast blocks it instantly with a full-volume gonging noise!

Also I have piggy-backed a spare HDD via a caddy and a slow 2.0 USB connection to my laptop and am transferring across my pictures, home videos, folders etc and fresh app downloads. 

Once everything is solidly backed up I will format the machine and as suggested do a complete clean install.

As also suggested it will get rid of all the junk and clutter, the only downside is having to run in circles to get all my banking details reinstalled.

[fdsa 1186]

Unfortunately there is Linux malware in the wild already (still much less than Windows though), because Linux is gaining popularity.

And there are no antiviruses for Linux yet, just a bunch of random security software which requires you to be an expert in IT to use, and if you have such knowledge and understanding you won't catch the malware anyway lol.

[ozimoron 6753]

14 minutes ago, fdsa said:

Unfortunately there is Linux malware in the wild already (still much less than Windows though), because Linux is gaining popularity.

And there are no antiviruses for Linux yet, just a bunch of random security software which requires you to be an expert in IT to use, and if you have such knowledge and understanding you won't catch the malware anyway lol.

There is a major reason that linux distros aren't affected by viruses in the real world and that is the user doesn't automatically have root permissions unlike in windows and therefore viruses and malware can't install themselves.