Aces High Bulletin Board

General Forums => Hardware and Software => Topic started by: SKJohn on January 28, 2010, 10:07:28 AM

Title: Help with Virus / Malware?
Post by: SKJohn on January 28, 2010, 10:07:28 AM
The kid's computer at home has picked up a virus (malware?).  It is the one where you get a big black box in the middle of your desktop, and it says "Warning! Your system is infected!  Do not use this computer until . . ."

I have run Malwarebytes, AVG, Ad-Aware, Spybot, etc.  Both Malwarebytes and AVG say they have located the infected files and removed them, but when I turn it back on, it's there again.

Not being very computer savvy, any ideas for getting rid of this thing?

Thanks,
John
Title: Re: Help with Virus / Malware?
Post by: Denholm on January 28, 2010, 10:21:39 AM
The easiest way is to simply reformat the system after backing up files that you absolutely can't go without.

The second (and far less secure) method would be to add AVG Anti-Rootkit Free (http://www.softpedia.com/get/Antivirus/AVG-Anti-Rootkit.shtml), Spyware Doctor (http://download.cnet.com/Spyware-Doctor-with-AntiVirus-2010/3000-2239_4-10706811.html), and ESET NOD32 AntiVirus (http://download.cnet.com/ESET-NOD32-Antivirus/3000-2239_4-10185608.html) into your scanning mix.

NOTE: Spyware Doctor will not remove the files for you. It will, however, show you where the infected files are located. Generally if the infection isn't currently using those files you can simply browse to the file's location and remove it.

This is the scanning order I would use:

1. AVG Anti-Rootkit Free
2. Malwarebytes' Anti Malware
3. Spybot Search & Destroy
4. Spyware Doctor
5. ESET NOD32 AntiVirus

Completely leave AVG Anti-Virus out of the scanning process (it would be best to remove it from your system; the virus has probably embedded itself into AVG Anti-Virus). It's horrible at defending against and removing infections. One more suggestion: update Malwarebytes, Spybot, Spyware Doctor, and (if you registered for the trial) ESET NOD32 before scanning. Also make sure to run full scans, not abbreviated/quick/smart scans.

Let us know how it turns out.
Title: Re: Help with Virus / Malware?
Post by: TequilaChaser on January 28, 2010, 10:41:20 AM
Quote
I have run Malwarebytes, AVG, Ad-Aware, Spybot, etc.  Both Malwarebytes and AVG say they have located the infected files and removed them, but when I turn it back on, it's there again.
Not being very computer savvy, any ideas for getting rid of this thing?

Thanks,
John

sounds like it is either in one of the (2) following areas, if it keeps coming back:

example 1: C:\Documents and Settings\Default User\Local Settings\Temp
it is here and is in a cache or tmp type file that you manually have to go delete, or it will just keep reinstalling, because it is written into the registry to do so.....so once uninstalled you need to clean up your registry.......

example 2: it has loaded itself into your computer's memory to self-execute every time you reboot/restart the computer

might need to do a memory swipe / memory flush.......

this is just some thoughts of why it keeps reloading, and not a definite......

hope this helps....Good Luck
Title: Re: Help with Virus / Malware?
Post by: gyrene81 on January 28, 2010, 11:19:01 AM
There is going to be one or more registry entries and a DLL file to make it re-execute on your system every time you boot up...trying to remember what all that crap does on install is mind numbing.
Common pathways are generally, where TC pointed, C:\Windows, C:\Windows\System32, C:\Documents and Settings\youruserid\Local Settings\Temporary Internet Files, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or RunOnce, and a few other places in the registry where it may have created its own registry keys.

In order to dump it, you're going to have to do some registry hacking and manual deletion of files that could be coded to not allow deletion even by the base system admin account, unless you can boot the system to a simple DOS command prompt and navigate to the proper location, then type in a delete command...a real PITA.

Title: Re: Help with Virus / Malware?
Post by: Ghosth on January 28, 2010, 12:57:29 PM
Boot to a dos based virus scanner on a CD might be worth a try.

Otherwise the only sure fire way is to backup essentials, wipe the drive and start from scratch.


Title: Re: Help with Virus / Malware?
Post by: TequilaChaser on January 28, 2010, 01:26:36 PM
Quote
There is going to be one or more registry entries and a DLL file to make it re-execute on your system every time you boot up...trying to remember what all that crap does on install is mind numbing.
Common pathways are generally, where TC pointed, C:\Windows, C:\Windows\System32, C:\Documents and Settings\youruserid\Local Settings\Temporary Internet Files, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or RunOnce, and a few other places in the registry where it may have created its own registry keys.

In order to dump it, you're going to have to do some registry hacking and manual deletion of files that could be coded to not allow deletion even by the base system admin account, unless you can boot the system to a simple DOS command prompt and navigate to the proper location, then type in a delete command...a real PITA.



I have never used Glary Utilities...does it not have a registry scrubber/cleaner?

if you can find & manually delete the .exe & .dll files ( in the location I posted & gyrene expanded on )........ then do a registry cleaning/scrub.   IObit's ASC is free and it has a registry cleaner, also Spybot does as well.....

as gyrene and Ghosth both mentioned.....it can be deeply embedded and either manually deleting through C:\ ( Dos prompt )  or back up essentials and reformat/reload your OS

hopefully you can clean it out without going through the reformat/reload stage........ 

also lil tip:  do a search for all .dll / .exe .tmp files created on your hard drive going back to a date right before you noticed this happened, will be helpful sometimes also.   just make sure you do your search with advanced options set up to look in hidden & system files/folders


best of luck to ya........ not sure if there is anything else help-wise that I can offer
Title: Re: Help with Virus / Malware?
Post by: SKJohn on January 28, 2010, 04:39:22 PM
Denholm,
Thanks for providing the links to those programs.  I'm in the process of saving them on a thumb drive 'cuz the infected computer has its internet access blocked right now. I'm going to give it a try with the programs you recommended first.  Trying to track down all the DLL files and other stuff seems a little scary at this point - if I can do it with these programs, that would be fine by me.  If not, I may go for the wipe and reinstall method others have recommended.  Keep your fingers crossed!

Thanks for all the suggestions so far, everybody!
Title: Re: Help with Virus / Malware?
Post by: Denholm on January 28, 2010, 04:55:29 PM
I myself prefer a fresh install for two reasons. 1. It takes far less time than scanning. 2. It's the only true way to remove malicious software. The thing with viruses today, you never know if there are "inactive" remnants left behind just waiting to wake up. The only reason I wouldn't reformat would be if the computer isn't used for anything special and you don't have the resources to reinstall Windows. By special I mean you don't check email, bank accounts, PayPal, etc...

Hopefully the software I linked above does the trick. However, please do consider a reformat if the computer is used for anything other than casual browsing or gaming.
Title: Re: Help with Virus / Malware?
Post by: Ghosth on January 28, 2010, 08:22:51 PM
I agree with Denholm, plus it seems viruses always manage to corrupt enough drivers, registry entries, etc. that it's just not stable until you bite the bullet and wipe it clean, start fresh.
Title: Re: Help with Virus / Malware?
Post by: Ghastly on January 28, 2010, 10:03:45 PM
Most of the current malware either binds itself into the LSA (Winlogon) area via a gina.dll or via redirecting userinit - and typically works in paired (or sometimes, even more) processes that each protect each other from termination.  Since even in safe mode Windows loads both GINAs and whatever's pointed to by userinit, it's tough to deal with them - and in some instances, Safe Mode is booby-trapped, so I tend to avoid it anymore except as a last resort.

I have been finding that the best way to remove today's malware is often via booting chntpw and using the offline registry editor, and using a more robust Linux distro to clean the files off of the harddrive (followed by a system restore to prior to infection as a good measure).  As always, do a clone of the drive before mucking about with it (Clonezilla is free and works well).

Otherwise, I find that first SUSPENDING (not terminating) all the running processes that belong to the malware with Process Explorer from Sysinternals, then terminating them all one at a time prior to scanning and removing, provides the best results. The msconfig diagnostic startup is great for eliminating the clutter from the normal processes, so you can very easily home in on what's still running that shouldn't be after the diagnostic restart.

<S>
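As an added example (not code from any poster in this thread), here is a read-only PowerShell triage script that checks the autostart locations gyrene81 and Ghastly name (Run/RunOnce, and the Winlogon Userinit, Shell and GinaDLL values) and runs the "files created since a date" search TequilaChaser suggests. The seven-day window, the folder list, and the stock Winlogon values it compares against are assumptions; it reports findings and deletes nothing, so the posters' advice about suspending processes and cloning the disk before removal still applies.

```powershell
# Added example: read-only autostart and recent-file triage for a Windows box.
# Assumes stock Windows XP/7 defaults for the Winlogon values; run elevated.
param(
    [datetime]$Since = (Get-Date).AddDays(-7)   # assumed lookback window
)

# 1. Winlogon hooks: Shell, Userinit and GinaDLL (the ones Ghastly mentions)
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"   # trailing comma is stock
}
$wl = Get-ItemProperty -Path $winlogon
foreach ($name in $expected.Keys) {
    $actual = $wl.$name
    if ($actual -and $actual.Trim().ToLower() -ne $expected[$name].ToLower()) {
        Write-Warning "Winlogon\$name is '$actual' (expected '$($expected[$name])')"
    }
}
if ($wl.PSObject.Properties['GinaDLL']) {
    Write-Warning "Winlogon\GinaDLL is set to '$($wl.GinaDLL)' (absent on a stock install)"
}

# 2. Run / RunOnce keys for the machine and the current user
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PowerShell's own metadata
        $line = "$key\$($p.Name) = $($p.Value)"
        # An autostart launched from a temp or profile folder deserves a closer look
        if ($p.Value -match '\\Temp\\|Temporary Internet Files|AppData|Application Data') {
            Write-Warning $line
        } else {
            Write-Output $line
        }
    }
}

# 3. .exe / .dll / .tmp files created since $Since in the usual drop folders,
#    including hidden and system files (-Force), as TequilaChaser's tip advises
$folders = @($env:TEMP, "$env:SystemRoot\Temp", $env:SystemRoot, "$env:SystemRoot\System32")
Get-ChildItem -Path $folders -Include *.exe, *.dll, *.tmp -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since } |
    Sort-Object CreationTime -Descending |
    Select-Object CreationTime, Length, FullName |
    Format-Table -AutoSize
```

Anything flagged is a lead to investigate, not proof of infection: legitimate updaters also start from AppData, so compare each hit against a known-clean machine before removing it.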
Title: Re: Help with Virus / Malware?
Post by: ink on January 28, 2010, 10:09:43 PM
Advanced SystemCare....IObit Security,

both have a free version, both kick arse. and much more than just anti-malware/anti-virus: total system clean and repair.

Threatfire is also a good anti virus.  THAT WORKS


ESET I had; it was running and I got a virus similar to what you describe. Will never use it again.

AVG just plain sux

but like others have said, best is to reinstall Windows if possible, and then the first thing after Windows updates is Threatfire.
then Advanced SystemCare; from there you can get IObit Security.
Title: Re: Help with Virus / Malware?
Post by: BaldEagl on January 29, 2010, 06:58:27 AM
There are two easy things you can try that sometimes work:

1.  Delete all temporary Internet files using Disk Cleanup, then reboot the system.

2.  Turn off system restore.  Reboot then turn system restore back on.  You'll lose all system restore points but it might get rid of the virus.
Title: Re: Help with Virus / Malware?
Post by: Ghastly on January 30, 2010, 06:50:44 AM
In this instance, I have to respectfully disagree with BE - clearing system restore areas is, in my opinion, a method of last resort.  Oftentimes, I've cleaned otherwise uncleanable systems by manually restoring the registry hives from the copies placed under System Restore, while booted into a Linux distro.

If you do clear them, I'd strongly urge you to clone the disk first, because unless you are among the 1-3% that actually backs up your home system effectively, the ONLY uncontaminated copies of the registry that you might well have (excluding the "safety" copy from the end of the original install, which will be nearly worthless in most instances) will be buried in System Restore files.

<S>

P.S. absolutely do clear the temporary internet files.
Title: Re: Help with Virus / Malware?
Post by: MrRiplEy[H] on January 30, 2010, 07:04:26 AM
Quote
In this instance, I have to respectfully disagree with BE - clearing system restore areas is, in my opinion, a method of last resort.  Oftentimes, I've cleaned otherwise uncleanable systems by manually restoring the registry hives from the copies placed under System Restore, while booted into a Linux distro.

If you do clear them, I'd strongly urge you to clone the disk first, because unless you are among the 1-3% that actually backs up your home system effectively, the ONLY uncontaminated copies of the registry that you might well have (excluding the "safety" copy from the end of the original install, which will be nearly worthless in most instances) will be buried in System Restore files.

<S>

P.S. absolutely do clear the temporary internet files.


You're putting it like 'saving' the current install would be the only way to continue using the computer. Why?

In reality it's about a thousand times safer and easier to reinstall both the OS and the few applications used, preferably by getting a new cheap hard drive for the OS to ensure no infected files remain after reinstallation. Then copy all personal files from the old HDD and nuke it from orbit, so to speak.

Often people are wasting considerable time and resources fighting the infection when they could simply drop the OS and start up clean. No matter how many 'cleaners' and manual hunting you run through you can _not_ be certain your system is clean once the bad stuff gets in. Once you have a fresh OS installation however, you can be sure any AV or malware cleaners will run as they're intended without system hooks disabling their actions.
Title: Re: Help with Virus / Malware?
Post by: Ghastly on January 30, 2010, 07:27:14 AM
I don't mean to imply that you can't fix a malware issue that way (if you can successfully do so - see the comments below) - but the basis of the discussion is that the intent is to clear up the current installation.   If someone asked how to repair an engine, responses to the effect that "it's time to buy a new car" would perhaps be valid, (as is the "wipe, reinstall, reload, and retweak" viewpoint) but they wouldn't answer the questions being asked.

Actually, if I had to make a recommendation, it would be to implement a proper and effective backup strategy, so recovery to a useful state is only a re-image/restore away - but by the time that people are infected with malware, it's too late - and in my experience, the people who need help with malware generally are those who would have only thought they had an effective backup methodology in place if they had tried to do so anyway.

"Wipe, reinstall, reload, and retweak" represents for most Windows installations a fairly serious commitment in time - and unless they built the installation from the ground up with the thought that they might have to do so at a later time in mind - and here we are assuming that they installed it themselves in the first place, or have the experience required to do so - often represents the real risk of the loss of items that are of importance to them.

And laptops are particularly problematic. Often the "recovery disks" - which is all users often get, if they even get that - wipe the partitions before installation, or do a destructive reimaging, many times aren't even the same software stack that came with the system ( and work even more poorly than the software that came preinstalled if they work at all ) and doing a non-recovery installation often requires both installation media and drivers (on disk - and a disk drive that the user doesn't have either!) that the end user was never given in order to do the vanilla install.   The technical level required to successfully rebuild the Windows install on many laptops is often much much higher than that of the end user of the laptop in the first place - and can exceed that required to clear the malware off.

All IMO, YMMV, etc.

<S>
Title: Re: Help with Virus / Malware?
Post by: Infidelz on January 30, 2010, 03:21:59 PM
Did you run the full malwarebytes scan?

Infidelz.
Title: Re: Help with Virus / Malware?
Post by: BaldEagl on January 30, 2010, 03:34:29 PM
Quote
In this instance, I have to respectfully disagree with BE - clearing system restore areas is, in my opinion, a method of last resort.

I know that some viruses/malware will hide in the System Restore files as it's a location that's inaccessible to many AV applications.  I know this because I picked one up somehow a month or so ago.  Removing the restore points was a simple and effective method of clearing the bug.

My brother had the same bug as the OP.  He clicked on one of those "your computer might be infected" pop-ups on the Internet.  Rather than going through a long drawn-out attempt to clean it with him over the phone, I had him try a couple of basic steps, then advised him to re-install his OS and all his applications (Toshiba laptop).  Because he had upgraded from Vista to Win 7, I had him do a clean install rather than use the restore discs.  Toshiba has all the Win 7 drivers and apps packaged together on their website for anyone doing a clean Win 7 install, so that part wasn't a problem at all.  The only thing we couldn't restore was his copy of MS Works, so I had him install OpenOffice instead.

To the OP:  If you ever see one of those "your computer might be infected" pop-ups on the Internet again do not click on any part of that pop-up, even the close button in the top right corner.  It is part of the active window.  You need to hit control+alt+delete and close that pop-up from the task manager.

Of course, you can get rid of the annoying pop-ups after being infected by paying them for their software.  That's the scam... they tell you you're infected so you'll click and get infected, then, they ask you to pay for their great AV software and after you do they set the infection to hibernate.  After that you're rid of the annoying pop-ups but are still infected.  Of course they don't tell you that... they report a clean machine.
Title: Re: Help with Virus / Malware?
Post by: Ghastly on January 31, 2010, 08:15:05 AM
Quote
I know that some viruses/malware will hide in the System Restore files as it's a location that's inaccessible to many AV applications.

That's true. But a better way to deal with that (IMHO) is to move the "System Volume Information" directory branch to another directory (again, another thing you must do using either another Windows installation on a different partition (and after adjusting ownership and permissions), or while booted under Linux).  This is something I do after every cleanup anyway, because while you can clean up the live installation, you can't clean up the compressed backups of the critical files made by System Restore (or at least, I don't know how).  And if you don't, the user of the system could do a System Restore back to an infected state.  I suppose you could do this early on in the process and it would clean up an infection that was located solely in the System Restore directory structure, but most infections these days infect a number of different areas, and if it's somewhere else, it's going to be recreated by the infection process at the next boot (or more usually these days, at the next event timer tick).

My usual method is to do nothing to the file structure until I've identified every startup hook the infection has made, and then suspended via Process Explorer (when working through Windows) every thread associated with it (or these days, rebooted into Linux where I can be sure it's not running) before I start removing/repairing files.

The problem I see with clearing system restore is that it's an all or nothing gambit, in the sense that
a) the systems I clean up for folks are rarely backed up at all, and never in a way that contains a usable system state
b) the only copy of a good registry hive I will have to work with is going to be those I find from System Restore

Of course, if you aren't going to go the next level of trying to repair the registry from files contained in System Restore, then you have nothing to lose by doing so, and as you've said, in some instances, it will help clear the infection. 

Again, all just my humble opinion.

<S>
Title: Re: Help with Virus / Malware?
Post by: SKJohn on February 01, 2010, 12:08:24 PM
Well, Denholm's idea didn't seem to work.  I guess I'm gonna have to find someone local who knows what they're doing and reinstall the OS. . .
Title: Re: Help with Virus / Malware?
Post by: Jayhawk on February 01, 2010, 12:37:51 PM
You've got plenty of people here who know much more about this than me but I'll share my experience if it helps.  I've gotten two viruses within the last few months and they sound similar to yours.  It shows itself as a security center and says it has found a virus and you have to purchase the full version to get rid of them.  My anti-virus software didn't catch it (McAfee or ESET) but Malwarebytes found the virus the first time and cleaned it up fine. However the second time it couldn't find the virus so I checked for updates in the Malwarebytes software.  There were updates but I was unable to download them, I assume the virus was blocking it somehow.  I ended up downloading the newest version of Malwarebytes with the updates, ran the full scan, and cleaned out the virus.
Title: Re: Help with Virus / Malware?
Post by: ink on February 01, 2010, 05:33:36 PM
Quote
Well, Denholm's idea didn't seem to work.  I guess I'm gonna have to find someone local who knows what they're doing and reinstall the OS. . .


IObit Security

Advanced SystemCare

Threatfire

all you need!!!!!!!!!!!!!!!!