Author Topic: Help with Virus / Malware?  (Read 825 times)

Offline SKJohn

  • Nickel Member
  • ***
  • Posts: 792
Help with Virus / Malware?
« on: January 28, 2010, 10:07:28 AM »
The kid's computer at home has picked up a virus (malware?). It is the one where you get a big black box in the middle of your desktop, and it says "Warning! Your system is infected! Do not use this computer until . . ."

I have run Malwarebytes, AVG, Ad-Aware, Spybot, etc. Both Malwarebytes and AVG say they have located the infected files and removed them, but when I turn it back on, it's there again.

Not being very computer savvy, any ideas for getting rid of this thing?

Thanks,
John

Offline Denholm

  • Plutonium Member
  • *******
  • Posts: 9667
      • No. 603 Squadron
Re: Help with Virus / Malware?
« Reply #1 on: January 28, 2010, 10:21:39 AM »
The easiest way is to simply reformat the system after backing up files that you absolutely can't go without.

The second (and far less secure) method would be to add AVG Anti-Rootkit Free, Spyware Doctor, and ESET NOD32 AntiVirus into your scanning mix.

NOTE: Spyware Doctor will not remove the files for you. It will, however, show you where the infected files are located. Generally if the infection isn't currently using those files you can simply browse to the file's location and remove it.

This is the scanning order I would use:

1. AVG Anti-Rootkit Free
2. Malwarebytes' Anti Malware
3. Spybot Search & Destroy
4. Spyware Doctor
5. ESET NOD32 AntiVirus

Completely leave AVG Anti-Virus out of the scanning process (it would be best to remove it from your system; the virus has probably embedded itself into AVG Anti-Virus), as it's horrible at defending against and removing infections. One more suggestion: update Malwarebytes, Spybot, Spyware Doctor, and (if you registered for the trial) ESET NOD32 before scanning. Also make sure to run full scans, not abbreviated/quick/smart scans.

Let us know how it turns out.
Get your Daily Dose of Flame!
FlameThink.com
No. 603 Squadron... Visit us on the web, if you dare.

Drug addicts are always disappointed after eating Pot Pies.

Offline TequilaChaser

  • AH Training Corps - Retired
  • Plutonium Member
  • *******
  • Posts: 10173
      • The Damned - founded by Ptero in 1988
Re: Help with Virus / Malware?
« Reply #2 on: January 28, 2010, 10:41:20 AM »
I have run Malwarebytes, AVG, Ad-Aware, Spybot, etc. Both Malwarebytes and AVG say they have located the infected files and removed them, but when I turn it back on, it's there again.
Not being very computer savvy, any ideas for getting rid of this thing?

Thanks,
John

sounds like it is in one of the (2) following areas, if it keeps coming back:

example 1: C:\Documents and Settings\Default User\Local Settings\Temp
it is here and is in a cache or tmp type file that you manually have to go delete, or it will just keep reinstalling, because it is written into the registry to do so.....so once uninstalled you need to clean up your registry.......

example 2: it has loaded itself into your computer's memory to self-execute every time you reboot/restart the computer

might need to do a memory swipe / memory flush.......

these are just some thoughts on why it keeps reloading, and not a definite......

hope this helps....Good Luck
"When one considers just what they should say to a new pilot who is logging in Aces High, the mind becomes confused in the complex maze of info it is necessary for the new player to know. All of it is important; most of it vital; and all of it just too much for one brain to absorb in 1-2 lessons" TC

Offline gyrene81

  • Plutonium Member
  • *******
  • Posts: 11629
Re: Help with Virus / Malware?
« Reply #3 on: January 28, 2010, 11:19:01 AM »
There are going to be one or more registry entries and a DLL file to make it re-execute on your system every time you boot up... trying to remember what all that crap does on install is mind-numbing.
Common pathways are generally, where TC pointed, C:\Windows, C:\Windows\System32, C:\Documents and Settings\youruserid\Local Settings\Temporary Internet Files, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or RunOnce, and a few other places in the registry where it may have created its own registry keys.

In order to dump it, you're going to have to do some registry hacking and manual deletion of files that could be coded to not allow deletion even by the base system admin account, unless you can boot the system to a simple DOS command prompt and navigate to the proper location, then type in a delete command...a real PITA.

jarhed  
Build a man a fire and he'll be warm for a day...
Set a man on fire and he'll be warm for the rest of his life. - Terry Pratchett

Offline Ghosth

  • AH Training Corps (retired)
  • Plutonium Member
  • *******
  • Posts: 8497
      • http://332nd.org
Re: Help with Virus / Malware?
« Reply #4 on: January 28, 2010, 12:57:29 PM »
Booting to a DOS-based virus scanner on a CD might be worth a try.

Otherwise the only sure fire way is to backup essentials, wipe the drive and start from scratch.



Offline TequilaChaser

  • AH Training Corps - Retired
  • Plutonium Member
  • *******
  • Posts: 10173
      • The Damned - founded by Ptero in 1988
Re: Help with Virus / Malware?
« Reply #5 on: January 28, 2010, 01:26:36 PM »
There are going to be one or more registry entries and a DLL file to make it re-execute on your system every time you boot up... trying to remember what all that crap does on install is mind-numbing.
Common pathways are generally, where TC pointed, C:\Windows, C:\Windows\System32, C:\Documents and Settings\youruserid\Local Settings\Temporary Internet Files, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or RunOnce, and a few other places in the registry where it may have created its own registry keys.

In order to dump it, you're going to have to do some registry hacking and manual deletion of files that could be coded to not allow deletion even by the base system admin account, unless you can boot the system to a simple DOS command prompt and navigate to the proper location, then type in a delete command...a real PITA.



I have never used Glary Utilities... does it not have a registry scrubber/cleaner?

if you can find & manually delete the .exe & .dll files (in the location I posted & gyrene expanded on)........ then do a registry cleaning/scrub. IObit's ASC is free and it has a registry cleaner; Spybot does as well.....

as gyrene and Ghosth both mentioned.....it can be deeply embedded, so either manually delete through C:\ (DOS prompt) or back up essentials and reformat/reload your OS

hopefully you can clean it out without going through the reformat/reload stage........

also lil tip: do a search for all .dll / .exe / .tmp files created on your hard drive going back to a date right before you noticed this happened; it will be helpful sometimes also. just make sure you do your search with advanced options set up to look in hidden & system files/folders


best of luck to ya........ not sure if there is anything else help-wise that I can offer
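The file search TequilaChaser describes in the post above, as an added PowerShell example that is not code from the thread or from any of the tools named in it. It lists executable, driver and temp files created or modified since a date you set, includes hidden and system files, and shows whether each file carries a valid Authenticode signature. It assumes PowerShell 2.0 or later run from an administrative prompt on an XP-style profile layout (C:\Documents and Settings); the date in $since and the folders in $roots are placeholders to adjust for the machine in front of you.

```powershell
# Added example, not from the thread. Search for recently created or modified
# .exe/.dll/.sys/.scr/.tmp files, hidden and system files included, and record
# whether each one is signed. Placeholders: $since (a day or two before the fake
# warning first appeared) and $roots (where to look).

$since = Get-Date '2010-01-20'
$roots = @(
    "$env:SystemRoot",                            # C:\WINDOWS and system32 beneath it
    "$env:SystemDrive\Documents and Settings",    # every profile, incl. Default User\Local Settings\Temp
    "$env:SystemDrive\Program Files"
)
$types = @('*.exe', '*.dll', '*.sys', '*.scr', '*.tmp')

function Find-RecentExecutables {
    param([datetime]$Since, [string[]]$Roots, [string[]]$Include)
    $results = @()
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force includes hidden and system files; directories we cannot read are skipped.
        $files = Get-ChildItem -Path $root -Recurse -Force -Include $Include -ErrorAction SilentlyContinue |
            Where-Object {
                -not $_.PSIsContainer -and
                ($_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since)
            }
        foreach ($f in $files) {
            # A non-PE file (most .tmp) simply comes back as NotSigned.
            $sig = (Get-AuthenticodeSignature -FilePath $f.FullName -ErrorAction SilentlyContinue).Status
            $results += New-Object PSObject -Property @{
                Created   = $f.CreationTime
                Modified  = $f.LastWriteTime
                Hidden    = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
                System    = [bool]($f.Attributes -band [IO.FileAttributes]::System)
                Signature = $sig
                Size      = $f.Length
                Path      = $f.FullName
            }
        }
    }
    $results
}

Find-RecentExecutables -Since $since -Roots $roots -Include $types |
    Sort-Object Created |
    Format-Table Created, Hidden, System, Signature, Size, Path -AutoSize -Wrap
```

Two caveats when reading the output: the scanners installed after the infection (Malwarebytes, Ad-Aware and so on) will show up as recent and signed, so they are noise, and a creation time can be set by the dropper, so a file that is hidden, system-flagged, unsigned and sitting in a Temp or Temporary Internet Files folder is a better lead than the timestamp alone. Note the paths rather than deleting from the running system; the same list is what to act on from the boot CD other replies suggest.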

Offline SKJohn

  • Nickel Member
  • ***
  • Posts: 792
Re: Help with Virus / Malware?
« Reply #6 on: January 28, 2010, 04:39:22 PM »
Denholm,
Thanks for providing the links to those programs. I'm in the process of saving them on a thumb drive 'cuz the infected computer has its internet access blocked right now. I'm going to give it a try with the programs you recommended first. Trying to track down all the dll files and other stuff seems a little scary at this point - if I can do it with these programs, that would be fine by me. If not, I may go for the wipe and reinstall method others have recommended. Keep your fingers crossed!

Thanks for all the suggestions so far, everybody!

Offline Denholm

  • Plutonium Member
  • *******
  • Posts: 9667
      • No. 603 Squadron
Re: Help with Virus / Malware?
« Reply #7 on: January 28, 2010, 04:55:29 PM »
I myself prefer a fresh install for two reasons. 1. It takes far less time than scanning. 2. It's the only true way to remove malicious software. The thing with viruses today, you never know if there are "inactive" remnants left behind just waiting to wake up. The only reason I wouldn't reformat would be if the computer isn't used for anything special and you don't have the resources to reinstall Windows. By special I mean you don't check email, bank accounts, PayPal, etc...

Hopefully the software I linked above does the trick. However, please do consider a reformat if the computer is used for anything other than casual browsing or gaming.

Offline Ghosth

  • AH Training Corps (retired)
  • Plutonium Member
  • *******
  • Posts: 8497
      • http://332nd.org
Re: Help with Virus / Malware?
« Reply #8 on: January 28, 2010, 08:22:51 PM »
I agree with Denholm, plus it seems viruses always manage to corrupt enough drivers, registry entries, etc., that it's just not stable until you bite the bullet and wipe it clean, start fresh.

Offline Ghastly

  • Silver Member
  • ****
  • Posts: 1756
Re: Help with Virus / Malware?
« Reply #9 on: January 28, 2010, 10:03:45 PM »
Most of the current malware either binds itself into the LSA (Winlogon) area via a gina.dll or via redirecting userinit - and typically works in paired (or sometimes, even more) processes that each protect each other from termination. Since even in safe mode Windows loads both GINAs and whatever's pointed to by userinit, it's tough to deal with them - and in some instances, Safe Mode is booby-trapped, so I tend to avoid it anymore except as a last resort.

I have been finding that the best way to remove today's malware is often via booting chntpw and using the offline registry editor, and using a more robust Linux distro to clean the files off of the hard drive (followed by a system restore to prior to infection as a good measure). As always, do a clone of the drive before mucking about with it (Clonezilla is free and works well).

Otherwise, I find that first SUSPENDING (not terminating) all the running processes that belong to the malware with Process Explorer from Sysinternals, then terminating them all one at a time prior to scanning and removing provides the best results. The msconfig diagnostic startup is great for eliminating the clutter from the normal processes, so you can very easily home in on what's still running that shouldn't be after the diagnostic restart.

<S>
"Curse your sudden (but inevitable!) betrayal!"
Grue
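An added PowerShell example, not code from the thread or from any tool named in it, that audits the autostart locations gyrene81 lists in reply #3 (the Run and RunOnce keys) together with the Winlogon Userinit, Shell and GinaDLL values Ghastly describes in the post above. It assumes Windows XP-era defaults (userinit.exe in system32 followed by a comma, Explorer.exe as the shell, no GinaDLL value on a stock install), PowerShell 2.0 or later run from an administrative prompt, and that the affected account is the one running it, since HKCU is that user's hive. The suspect-directory list and the flag names are choices made for this example.

```powershell
# Added example, not from the thread. Enumerate the autostart entries the posts
# name, resolve each to the file it actually launches, and flag entries whose file
# is missing, unsigned, or sitting in a temp/profile directory. Assumes XP defaults.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Stock XP values. A second program appended after the comma in Userinit, or a
# replaced Shell, is the redirection Ghastly describes.
$winlogonExpected = @{
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
    Shell    = 'Explorer.exe'
}
# Places a legitimate autostart rarely lives (wildcards are -like patterns).
$suspectDirs = @(
    "$env:SystemDrive\Documents and Settings\*\Local Settings",   # Temp, Temporary Internet Files
    "$env:ALLUSERSPROFILE\Application Data",
    "$env:SystemRoot\Temp",
    "$env:SystemDrive\RECYCLER"
)
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Resolve-ImagePath {
    # Pull the executable out of a command line: a quoted path, or an unquoted
    # path that may contain spaces and be followed by switches.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($cmd -eq '') { return '' }
    if ($cmd.StartsWith('"')) { return $cmd.Split('"')[1] }
    $tokens = $cmd -split ' +'
    for ($i = 0; $i -lt $tokens.Length; $i++) {
        $candidate = $tokens[0..$i] -join ' '
        if ($candidate -match '\.(exe|dll|com|scr|bat|cmd|pif)$' -or (Test-Path -LiteralPath $candidate)) {
            return $candidate
        }
    }
    return $tokens[0]
}

function Test-AutorunEntry {
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $path = Resolve-ImagePath $CommandLine
    if ($path -match '(^|\\)rundll32(\.exe)?$') {
        # rundll32 is a stock host; the payload is the DLL named after it.
        $path = (($CommandLine -replace '^.*?rundll32(\.exe)?\s+', '') -split ',')[0].Trim(' "')
    }
    # A bare file name such as "ctfmon.exe" is loaded from the system directory.
    if ($path -ne '' -and $path -notmatch '^[A-Za-z]:\\') { $path = Join-Path "$env:SystemRoot\system32" $path }
    $exists = ($path -ne '') -and (Test-Path -LiteralPath $path)
    $flags = @()
    if (-not $exists) {
        $flags += 'missing-file'
    } else {
        $sig = (Get-AuthenticodeSignature -FilePath $path).Status
        if ($sig -ne 'Valid') { $flags += "signature:$sig" }
    }
    foreach ($d in $suspectDirs) { if ($path -like "$d\*") { $flags += 'suspect-dir' } }
    New-Object PSObject -Property @{
        Source = $Source; Name = $Name; Command = $CommandLine; Image = $path; Flags = ($flags -join ',')
    }
}

$report = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }   # provider metadata, not autorun values
        $report += Test-AutorunEntry -Source $key -Name $p.Name -CommandLine ([string]$p.Value)
    }
}

$wl = Get-ItemProperty -Path $winlogonKey
foreach ($name in $winlogonExpected.Keys) {
    $actual = [string]$wl.$name
    if ($actual -ine $winlogonExpected[$name]) {
        $report += New-Object PSObject -Property @{
            Source = $winlogonKey; Name = $name; Command = $actual
            Image  = (Resolve-ImagePath $actual)
            Flags  = "winlogon-modified(expected '$($winlogonExpected[$name])')"
        }
    }
}
if ($wl.PSObject.Properties['GinaDLL']) {
    # Absent on a stock XP install (msgina.dll is implied); any value here loads at logon.
    $report += Test-AutorunEntry -Source $winlogonKey -Name 'GinaDLL' -CommandLine ([string]$wl.GinaDLL)
}

# Flagged entries first. Compare each against what you know was installed before removing it.
$report | Sort-Object { $_.Flags -eq '' } | Format-Table Source, Name, Image, Flags -AutoSize -Wrap
```

Treat the flags as leads, not verdicts: on XP, Get-AuthenticodeSignature only checks signatures embedded in the file, so many genuine Windows binaries report NotSigned, while a "missing-file" entry whose path points into Local Settings\Temp is exactly the reinstall hook TequilaChaser describes. Because the protected process pairs Ghastly mentions can rewrite these values as fast as you delete them, record the findings here and make the actual registry edits from the offline editor he recommends.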

Offline ink

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11274
Re: Help with Virus / Malware?
« Reply #10 on: January 28, 2010, 10:09:43 PM »
Advanced SystemCare....IObit Security,

both have a free version; both kick arse. and much more than just antimalware / antivirus: total system clean and repair.

ThreatFire is also a good antivirus.  THAT WORKS


ESET I had; it was running and I got a virus similar to what you describe. will never use it again.

AVG just plain sux

but like others have said, best is to reinstall Windows if possible, and then first thing after Windows updates is ThreatFire.
then Advanced SystemCare; from there you can get IObit Security.

Offline BaldEagl

  • Plutonium Member
  • *******
  • Posts: 10791
Re: Help with Virus / Malware?
« Reply #11 on: January 29, 2010, 06:58:27 AM »
There are two easy things you can try that sometimes work:

1.  Delete all temporary Internet files using Disk Cleanup, then reboot the system.

2.  Turn off system restore.  Reboot then turn system restore back on.  You'll lose all system restore points but it might get rid of the virus.
I edit a lot of my posts.  Get used to it.

Offline Ghastly

  • Silver Member
  • ****
  • Posts: 1756
Re: Help with Virus / Malware?
« Reply #12 on: January 30, 2010, 06:50:44 AM »
In this instance, I have to respectfully disagree with BE - clearing system restore areas is in my opinion a method of last resort. Oftentimes, I've cleaned otherwise uncleanable systems by manually restoring the registry hives from the copies placed under System Restore, while booted into a Linux distro.

If you do clear them, I'd strongly urge you to clone the disk first, because unless you are among the 1-3% that actually backs up your home system effectively, the ONLY uncontaminated copies of the registry that you might well have (excluding the "safety" copy from the end of the original install, which will be nearly worthless in most instances) will be buried in System Restore files.

<S>

P.S. absolutely do clear the temporary internet files.
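An added PowerShell example, not code from the thread, for the approach Ghastly describes above: find the System Restore points dated before the infection and locate the registry hive copies each one holds, so you know which files to carry over from the Linux boot disc. It assumes Windows XP's on-disk layout (\System Volume Information\_restore{GUID}\RP<n>\snapshot\_REGISTRY_*) and the SystemRestore WMI class in the root\default namespace; the infection date is a placeholder. System Volume Information is ACL'd to SYSTEM by default, so the folder listing needs the ACL adjusted or an elevated prompt, while the WMI listing works as an administrator.

```powershell
# Added example, not from the thread. List restore points created before the
# infection (newest first) and show the registry hive snapshots held by the
# most recent one. Assumes Windows XP's System Restore layout.

$infectedOn = Get-Date '2010-01-27'   # placeholder: when the fake warning first appeared

function Get-RestorePointsBefore {
    param([datetime]$Before)
    # SystemRestore (root\default) exposes one instance per restore point; CreationTime
    # is a DMTF timestamp, converted here to a DateTime.
    Get-WmiObject -Namespace 'root\default' -Class SystemRestore -ErrorAction Stop |
        ForEach-Object {
            New-Object PSObject -Property @{
                Sequence    = $_.SequenceNumber
                Created     = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
                Description = $_.Description
            }
        } |
        Where-Object { $_.Created -lt $Before } |
        Sort-Object Created -Descending
}

function Get-SnapshotHives {
    param([int]$Sequence)
    # Restore point <n> lives under _restore{GUID}\RP<n>; its registry copies are in
    # the snapshot folder as _REGISTRY_MACHINE_SOFTWARE, _REGISTRY_MACHINE_SYSTEM,
    # _REGISTRY_USER_NTUSER_<SID> and so on.
    $svi = Join-Path $env:SystemDrive 'System Volume Information'
    $snapshots = Get-ChildItem -LiteralPath $svi -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -like '_restore{*}' } |
        ForEach-Object { Join-Path $_.FullName "RP$Sequence\snapshot" }
    foreach ($snap in $snapshots) {
        if (Test-Path -LiteralPath $snap) {
            Get-ChildItem -LiteralPath $snap -Force -Filter '_REGISTRY_*' -ErrorAction SilentlyContinue |
                Select-Object Name, Length, LastWriteTime, FullName
        }
    }
}

$points = @(Get-RestorePointsBefore -Before $infectedOn)
$points | Format-Table Sequence, Created, Description -AutoSize
if ($points.Count -gt 0) {
    # Hives from the newest pre-infection point. SOFTWARE and SYSTEM correspond to
    # %SystemRoot%\system32\config\SOFTWARE and SYSTEM; NTUSER_<SID> to that user's NTUSER.DAT.
    Get-SnapshotHives -Sequence $points[0].Sequence | Format-Table Name, Length, LastWriteTime, FullName -AutoSize -Wrap
} else {
    Write-Output "No restore points older than $infectedOn; nothing here predates the infection."
}
```

The listing is only useful if a point exists from before the infection, which is why Ghastly argues against BaldEagl's suggestion to clear them first. Copying a snapshot hive over the live one restores the Run, RunOnce and Winlogon values as they were on that date but does nothing about the files on disk, so it goes together with the file cleanup, and with the disk clone he insists on, when done from the offline boot media.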

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Re: Help with Virus / Malware?
« Reply #13 on: January 30, 2010, 07:04:26 AM »
In this instance, I have to respectfully disagree with BE - clearing system restore areas is in my opinion a method of last resort. Oftentimes, I've cleaned otherwise uncleanable systems by manually restoring the registry hives from the copies placed under System Restore, while booted into a Linux distro.

If you do clear them, I'd strongly urge you to clone the disk first, because unless you are among the 1-3% that actually backs up your home system effectively, the ONLY uncontaminated copies of the registry that you might well have (excluding the "safety" copy from the end of the original install, which will be nearly worthless in most instances) will be buried in System Restore files.

<S>

P.S. absolutely do clear the temporary internet files.


You're putting it like 'saving' the current install would be the only way to continue using the computer. Why?

In reality it's about a thousand times safer and easier to reinstall both the OS and the few applications used, preferably by getting a new cheap hard drive for the OS to ensure no infected files remain after reinstallation. Then copy all personal files from the old HDD and nuke it from orbit, so to speak.

Often people are wasting considerable time and resources fighting the infection when they could simply drop the OS and start up clean. No matter how many 'cleaners' and manual hunting you run through you can _not_ be certain your system is clean once the bad stuff gets in. Once you have a fresh OS installation however, you can be sure any AV or malware cleaners will run as they're intended without system hooks disabling their actions.
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline Ghastly

  • Silver Member
  • ****
  • Posts: 1756
Re: Help with Virus / Malware?
« Reply #14 on: January 30, 2010, 07:27:14 AM »
I don't mean to imply that you can't fix a malware issue that way (if you can successfully do so - see the comments below) - but the basis of the discussion is that the intent is to clear up the current installation.   If someone asked how to repair an engine, responses to the effect that "it's time to buy a new car" would perhaps be valid, (as is the "wipe, reinstall, reload, and retweak" viewpoint) but they wouldn't answer the questions being asked.

Actually, if I had to make a recommendation, it would be to implement a proper and effective backup strategy, so recovery to a useful state is only a re-image/restore away - but by the time that people are infected with malware, it's too late - and in my experience, the people who need help with malware generally are those who would have only thought they had an effective backup methodology in place if they had tried to do so anyway.

"Wipe, reinstall, reload, and retweak" represents for most Windows installations a fairly serious commitment in time - and unless they installed the installation from the ground up with the thought that they might have to do so at a later time in mind - and here we are assuming that they installed it themselves in the first place, or have the experience required to do so - often represents the real risk of the loss of items that are of importance to them.

And laptops are particularly problematic. Often the "recovery disks" - which is all users often get, if they even get that - wipe the partitions before installation, or do a destructive reimaging, many times aren't even the same software stack that came with the system (and work even more poorly than the software that came preinstalled, if they work at all), and doing a non-recovery installation often requires both installation media and drivers (on disk - and a disk drive that the user doesn't have either!) that the end user was never given in order to do the vanilla install. The technical level required to successfully rebuild the Windows install on many laptops is often much, much higher than that of the end user of the laptop in the first place - and can exceed that required to clear the malware off.

All IMO, YMMV, etc.

<S>
« Last Edit: January 30, 2010, 07:36:17 AM by Ghastly »