
Solved A virus disguising as RAR

Status
Not open for further replies.
I have a virus that is disguising itself as WinRAR, and it can be viewed in Task Manager.

If shown in Details, it shows up as this (properties included):

Ending the task does nothing. It will simply run again on its own. The file's location is also inaccessible, even with Administrator.

Is there a way to get rid of this? Thank you.

Some specs if necessary:
i7-9thgen
GTX 1050 4GB
1TB HDD
no SSD
8GB RAM
 
Download Autologger to your desktop.
Disable your Antivirus/Defender prior to running.
  • Unzip it there. -- If you are unsure how to unzip a program, then use ---- http://www.7-zip.org/ ----
  • Right click Autologger and run as admin. (Xp user double click)
  • AVZ4 will open and scan your machine, allow this to complete.
  • Upload Collectionlog.zip to your next reply.
 
Look in the Autologger folder (AutoLogger\CheckBrowserLnk) and drag the CheckBrowsersLNK file out to your desktop.
After saving ClearLNK to the desktop, drag and drop the file onto the ClearLNK utility.

Disable your antivirus prior to running AVZ!
Run AVZ as admin (located in the folder ...Autologger\AVZ) and click File => Custom Scripts.
Copy the content of the text file I uploaded (AVZFix.txt):
Click Edit, Select All, Copy.
Paste into the AVZ window.
Make sure the word begin is in the absolute top left of the window as per the picture below.

Hit Run Fix.

The computer will reboot.




Then collect FRST logs for me and let me know if the issue is still present.



Please download the FRST 32-bit or FRST 64-bit version to suit your operating system. It is important FRST is downloaded to your desktop.
If you are unsure if your operating system is 32 or 64-bit please go HERE.
Once downloaded, right click the FRST desktop icon and select "Run as administrator" from the menu.
If you receive any security warnings, or the User Account Control warning opens at any time whilst using FRST, you can safely allow FRST to proceed.
FRST will open with two dialogue boxes; accept the disclaimer.
  1. Accept the default whitelist options.
  2. If the Addition.txt option box is not checked, please select it.
  3. Then select Scan.
  4. FRST will take a few minutes to scan your computer, and when finished will produce two log files on your desktop, FRST.txt and Addition.txt. They will display immediately on the desktop, but can be reopened later as a Notepad file.



Please Attach the contents of these logs in your next post for review by our Security Team


Code:
begin
 ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
 QuarantineFile('c:\programdata\msibooster\windowspaint-ver4.7.0.7.exe','');
 DeleteFile('c:\programdata\msibooster\windowspaint-ver4.7.0.7.exe','32');
 DeleteFileMask('C:\ProgramData\MsiBooster', '*', true);
 DeleteDirectory('C:\ProgramData\MsiBooster');
 CreateQurantineArchive(GetAVZDirectory + 'quarantine.zip');
 ExecuteSysClean;
 ExecuteWizard('SCU', 2, 3, true);
 RebootWindows(true);
end.
 

Attachment: avzfix.txt
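Task Manager labels a process by the description embedded in its executable, which is why a file such as the C:\ProgramData\MsiBooster\windowspaint-ver4.7.0.7.exe quarantined by the script above can appear as "WinRAR" while living nowhere near WinRAR's install folder. The following PowerShell triage snippet is an added example, not code from this thread or from any of the tools it names (Autologger, AVZ, FRST): it lists every process whose name, file description or product name claims to be WinRAR, flags those outside the install folder or without a valid signature, and reports the parent process, which is where a respawn after "End task" would come from. It assumes genuine WinRAR is installed under Program Files (or Program Files (x86))\WinRAR and is signed.

```powershell
# Added triage example (not from the thread or its tools). Assumes genuine WinRAR lives
# under "Program Files[ (x86)]\WinRAR" and carries a valid Authenticode signature.
# ProgramData, TEMP and AppData are the drop folders seen in the thread's fix script.

$expectedDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { (Join-Path $_ 'WinRAR').TrimEnd('\') + '\' }
$suspectDirs = @($env:ProgramData, $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Find-ImpostorProcess {
    param([string]$Claim = '*WinRAR*')   # wildcard for the name the process claims to have

    # Win32_Process exposes the full image path and the parent PID, which Get-Process hides
    Get-CimInstance Win32_Process | ForEach-Object {
        $path = $_.ExecutablePath
        if (-not $path) { return }   # protected/system process: no readable path

        # The version resource is what Task Manager displays; unreadable file -> nulls
        $info = (Get-Item -LiteralPath $path -ErrorAction SilentlyContinue).VersionInfo
        $labels = @($_.Name, $info.FileDescription, $info.ProductName)
        if (-not ($labels | Where-Object { $_ -like $Claim })) { return }
        $inExpected = $expectedDirs | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') }
        $inSuspect  = $suspectDirs  | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') }

        # Fails quietly when the file is locked or hidden (the OP could not open the folder)
        $sigObj = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $sig = if ($null -eq $sigObj) { 'Unreadable' } else { $sigObj.Status.ToString() }
        $verdict = if ($inExpected -and $sig -eq 'Valid') { 'expected' }
                   elseif ($inSuspect -or $sig -ne 'Valid') { 'SUSPECT: wrong folder or unsigned' }
                   else { 'unknown location, verify' }

        # The parent is the likely re-launcher when "End task" does not stick
        $parent = Get-Process -Id $_.ParentProcessId -ErrorAction SilentlyContinue
        $parentLabel = if ($parent) { $parent.ProcessName } else { '(exited)' }

        [pscustomobject]@{
            PID       = $_.ProcessId
            Parent    = "$parentLabel ($($_.ParentProcessId))"
            Path      = $path
            ShownAs   = $info.FileDescription
            Signature = $sig
            Verdict   = $verdict
        }
    }
}

Find-ImpostorProcess | Format-Table -AutoSize
```

Run it from an elevated PowerShell so the executable paths of other users' processes are readable; a row marked SUSPECT together with its Parent column tells you which process to look at before anything is deleted.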
FRST Fix.
Download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


Download RogueKiller and install the program.
Once downloaded and installed, right click and run as admin.
Click the check for updates button.
Go to scan setting then slide the MalPE option right to activate.
Then go to scan, then start a full scan on your machine.
Then click report when the scan completes.
Under Share my report click on open then select text file.
Copy it and paste the results here.
Make sure you do not remove anything detected until I see the log please.
 

Attachment: fixlist.txt
No more issues on my end.

Wonderful News!!

The virus modified Windows Defender slightly; we will set it back to default.


FRST Fix.

Download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


We will clean all the tools we used...

Download KpRM.
Save to Desktop.
Check Delete Tools.
Check Delete Restore points.
Create Restore point.
Click Delete quarantines.
Then click Run.



Update your older programs with Patch My PC Home Edition.
 

Attachment: fixlist.txt