• Difficulty removing malware

    #473987

    My son has a malware bug in his PC. He gets frequent popups saying there is a virus and to click OK to run an antivirus program. No program name is mentioned. Luckily he didn’t click OK.

    He tried to run his own antivirus software (NOD32) and it found a virus. But then his PC was rebooted right away, probably so the antivirus program would not remove the bug.

    He then tried to install Ad-Aware to get rid of it, but when the install started it immediately rebooted his PC. He went into safe mode to install it, but a message popped up wanting a few things like C++ programs, which are probably on his PC. But because it is running in safe mode the install probably doesn’t find them.

    He’ll try installing Spybot and the Microsoft malware remover, but he might have the same problem as with Ad-Aware.

    Will restoring the system to a previous point physically remove the malware file?

    What else can he try to get the malware removers installed and running?

    • #1261878

      He should try booting in safe mode with networking, which will allow him to access the internet and download Malwarebytes Anti-Malware. Maybe that will be enough. If he is stopped from installing something even in safe mode, you may have to download a bootable CD from an antimalware vendor, boot the PC with it and let the software try to get rid of the malware.

    • #1261880

      Try the free version of Malwarebytes’ Anti-Malware. You may need to boot into safe mode to get it installed and run.

      A System Restore would not hurt if there is a restore point to a time when he knows it was working correctly.

      Try a repair disk such as the one discussed at http://bro.ws/780869L

      Joe

      --Joe

    • #1261881

      Along with the previous suggestions, if your son has access to another computer, this How To Geek tutorial shows how to create a bootable Kaspersky Rescue Disk that can be updated via the Internet with fresh definitions after booting to it so scans can be conducted while Windows is not running.

      Also SuperAntiSpyware Portable can be downloaded and placed on a USB flash stick. It is routinely available with fresh definitions and a new random file name so malware does not recognize it. With this you must be able to boot into Windows to run the program from your USB flash stick.

    • #1261924

      Hi Omega:

      Your son’s computer is displaying the classic symptoms of what the expert malware-fighting community calls a “Rogue” or “Fake” security program. Usually it mentions a “name”, so it is unusual for it not to do so; otherwise, a preliminary specific removal plan could be recommended. Usually a removal plan starts with something other than running Malwarebytes Anti-Malware (either “RKill” or “exeHelper”), such as the procedure mentioned at http://www.bleepingcomputer.com/virus-removal/remove-antivirus-system-2011. So IF running “RKill” or “exeHelper” as the starting point does not lead to the removal of the “rogue”, I recommend you seek help from that expert, certified, volunteer, malware-fighting community, such as the ones at http://www.geekstogo.com/forum/forums.html.

    • #1262004

      Reporting back. We didn’t try everything mentioned but this is what happened. We ran SuperAntiSpyware in safe mode. It gave the message: Adware.Tracking Cookie 483 found. It quarantined those. That’s all it found. Ran Malwarebytes in Safe mode and found nothing.

      Booted to normal mode and the virus popup warnings about a virus started again as well as IE starting by itself to porno sites. Ran Nod32 antivirus and it found nothing.

      Tried to run Malwarebytes and SuperAntiSpyware in normal mode and neither would run. Excel and Word would not run. Task Manager, System Maintenance, Windows Defender, and System Restore do not run. The uninstall programs did run so it isn’t every program just most programs.

      Something opens behind any window that is open that we launch a program from but then disappears. I think it may be the virus program intercepting most programs that are trying to launch.

      We’ll try a few more things suggested but is there anything else we could try?

      How the bug may have happened…
      He was doing a google on: *Watch V*. V is a tv show that he wanted to see. He clicked on a link and that’s when the popups started. I guess V in this case meant Virus.

      He has some programs he downloaded not long ago that I don’t recognize but I think they are safe. They are: Steam, Panda Media Booster, AA2Deploy, and PunkBuster Services.
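
The symptom reported above (most programs, but not all, fail to launch, and something briefly opens behind each window) and the RKill step recommended earlier in the thread both come down to the same question: what is hooking program launches, and what is running from folders a user can write to? The script below is an added example written for this page in PowerShell, not a tool from the thread or from any vendor mentioned in it. It checks the two launch hooks rogue security programs commonly use (the `.exe` file association and Image File Execution Options "Debugger" values), then lists processes whose image lives under Temp, AppData or ProgramData, which is roughly what RKill's kill step does. The `-Repair` switch, the `Test-SuspectPath` helper and the choice of "suspect" folders are this example's own assumptions. Nothing is changed unless `-Repair` is passed; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread. Read-only unless -Repair is given.
param([switch]$Repair)

# Folders a standard user can write to; an executable launched from here is worth a look.
$suspectRoots = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData) |
    Where-Object { $_ } | ForEach-Object { $_.ToLower() }

function Test-SuspectPath([string]$Path) {
    if (-not $Path) { return $false }
    $p = $Path.ToLower()
    foreach ($root in $suspectRoots) { if ($p.StartsWith($root)) { return $true } }
    return $false
}

# 1. The .exe association. Every .exe is launched through this command; the
#    stock value is "%1" %* and anything else is an intercept.
$expected = '"%1" %*'
foreach ($key in @('HKLM:\SOFTWARE\Classes\exefile\shell\open\command',
                   'HKCU:\Software\Classes\exefile\shell\open\command')) {
    if (-not (Test-Path $key)) { continue }
    $cmd = (Get-ItemProperty -Path $key).'(default)'
    if ($cmd -ne $expected) {
        Write-Warning "$key = $cmd   (expected $expected)"
        if ($Repair) { Set-ItemProperty -Path $key -Name '(default)' -Value $expected }
    }
}
# A per-user override of the .exe extension does not exist on a clean system;
# rogues create one so that their own ProgID handles every launch.
$userExe = 'HKCU:\Software\Classes\.exe'
if (Test-Path $userExe) {
    Write-Warning ("{0} exists, ProgID = {1}" -f $userExe, (Get-ItemProperty -Path $userExe).'(default)')
    if ($Repair) { Remove-Item -Path $userExe -Recurse }
}

# 2. IFEO Debugger values: the named "debugger" is started instead of the
#    program, with the program's own path as its argument.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        Write-Warning ("IFEO debugger for {0}: {1}" -f $_.PSChildName, $dbg)
        if ($Repair -and (Test-SuspectPath $dbg)) { Remove-ItemProperty -Path $_.PSPath -Name Debugger }
    }
}

# 3. Running processes whose image lives in a user-writable folder. Review the
#    list before using -Repair: some legitimate updaters live in AppData too.
Get-WmiObject -Class Win32_Process | Where-Object { Test-SuspectPath $_.ExecutablePath } | ForEach-Object {
    Write-Warning ("PID {0} {1} running from {2}" -f $_.ProcessId, $_.Name, $_.ExecutablePath)
    if ($Repair) { $null = $_.Terminate() }
}
```

Run it once without `-Repair` and read the warnings; a hijacked `.exe` association explains why installers and scanners "start and vanish" while some programs (such as uninstallers launched by Windows itself) still run. Killing the process only buys time to run a scanner: the autostart entry that restarts it still has to be removed.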

    • #1262008

      You really MUST follow all instructions given in the antimalware forums.

      I use the Read and run first instructions given at Majorgeeks, read the first page very carefully then follow the link for the Windows version in question. Make notes of all error/warning messages. Then create a new thread in the Malware forum there and attach the required logfiles for expert analysis and further instructions for your problem.

      Following advice given in other threads for similar problems to yours is often not enough.

      Even after all traces of malware have been removed, certain parts of Windows may not function correctly due to damage caused by the earlier infection(s). Have on hand, or be prepared to create, a Windows CD of the same Service Pack level that your Windows version is at. A Repair install may be enough to get the PC back to normal – no guarantees, though. The safest method of cleaning is wiping the drive, renewing the MBR/bootsector and a clean install.

      EDIT: I enjoyed watching V, seems like a long time ago now ;).

      • #1262055

        You really MUST follow all instructions given in the antimalware forums.

        The instructions do not mention safe mode. Since we are having problems running programs in normal mode will it still help us if we run them in safe mode when the virus/rootkit is not active?

        • #1262057

          The instructions do not mention safe mode. Since we are having problems running programs in normal mode will it still help us if we run them in safe mode when the virus/rootkit is not active?

          You can even use safe mode with networking, which will allow you internet access and download any tool you may need. Maybe you will be able to solve it that way. I am not sure all AV and malware tools will run in safe mode, but you can always try.

        • #1262073

          The instructions do not mention safe mode. Since we are having problems running programs in normal mode will it still help us if we run them in safe mode when the virus/rootkit is not active?

          If you’re referring to the MGs link I posted, the following quote is from the section immediately before STEP 1:

          If you cannot boot in Normal Boot mode or can boot but not properly run in normal mode but your PC runs in safe boot mode, you can ignore our note about Normal Startup and just complete as much as you can in safe boot mode. Some programs may not install in safe boot mode.

          Which is why I wrote:

          read the first page very carefully then follow the link for the Windows version in question. Make notes of all error/warning messages.

          I would class being unable to run something in Normal mode as an error, and it should be noted down and passed on to your malware helper.

          The main reason that some programs will not install in Safe Mode is that the Windows Installer Service is disabled in that mode; this immediately rules out installing *.msi and some other installer packages. Sometimes you can install in Normal Mode but only run the program in Safe Mode.

          • #1262117

            If you’re referring to the MGs link I posted, the following quote is from the section immediately before STEP 1:
            Which is why I wrote:
            I would class being unable to run something in Normal mode as an error and should be noted down and passed on to your malware helper.

            The main reason that some programs will not install in Safe Mode is that the Windows Installer Service is disabled in that mode; this immediately rules out installing *.msi and some other installer packages. Sometimes you can install in Normal Mode but only run the program in Safe Mode.

            Andy, thanks for those details!
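
The point made above, that the Windows Installer service is not started in Safe Mode and so `.msi` packages cannot be installed there, has a well-known workaround: a service starts in Safe Mode only if it is listed under the SafeBoot\Minimal (plain Safe Mode) and SafeBoot\Network (Safe Mode with Networking) registry keys, so adding `MSIServer` there and starting the service makes `.msi` installs work without leaving Safe Mode. The script below is an added example for this page in PowerShell, not from the thread or from Microsoft; the SafeMSI utility mentioned later in the thread performs the same two steps. Run it from an elevated PowerShell prompt while booted into Safe Mode.

```powershell
# Added example, not from the thread. Permits the Windows Installer service
# in Safe Mode and starts it if we are currently in Safe Mode.

# Win32_ComputerSystem.BootupState is "Normal boot", "Fail-safe boot"
# or "Fail-safe with network boot".
$bootState = (Get-WmiObject -Class Win32_ComputerSystem).BootupState
Write-Host "Boot state: $bootState"

$safeBootKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
)
foreach ($base in $safeBootKeys) {
    $key = Join-Path $base 'MSIServer'
    if (Test-Path $key) {
        Write-Host "$key already present"
    } else {
        # Entries under SafeBoot are keys whose default value is the literal
        # string "Service" (for services) or "Driver" (for drivers).
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name '(default)' -Value 'Service'
        Write-Host "Added $key"
    }
}

if ($bootState -like 'Fail-safe*') {
    Start-Service -Name msiserver
    Get-Service -Name msiserver | Format-Table Name, Status -AutoSize
} else {
    Write-Host 'Not in Safe Mode now; the service will be permitted on the next Safe Mode boot.'
}
```

Leaving the two keys in place is harmless, and it is also a quick check when a removal tool will not install in Safe Mode: if `Get-Service msiserver` reports Stopped and the SafeBoot keys lack the entry, that is the cause, not the malware.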

    • #1262114

      Update
      We booted his PC in normal mode to try out some suggestions and his NOD32 antivirus lit up red saying there was a virus in RAM. So before doing anything else we ran another full scan and this time it found two files that it deleted. They are…

      C:\Users\Matt\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N6SNXRQN\na[1] – Win32/Adware.SpywareProtect2009 application – cleaned by deleting

      C:\Users\Matt\AppData\Local\Temp\0154995.exe – a variant of Win32/Kryptik.JLH trojan – cleaned by deleting

      We rebooted and this time found a different problem. The virus popups have gone away so it appears that NOD32 did its job. Seems we’re almost back to normal. HOWEVER, Firefox and IE cannot connect to the internet. We think the virus changed a setting and we need to undo it so the browsers work.

      When browsers are launched we get the message – Proxy Server is refusing connection. Now we can ping to the internet say http://www.yahoo.com and we get a good connection. His Steam application pops up a window from the system tray now and then about someone being online. Seems as though his PC (Windows 7) can receive information but can’t use a browser.

      We did download a new version of Firefox from another PC and installed it on his but we have the same problem.

      Any suggestions?

      P.S. He doesn’t have a software firewall. He uses the hardware firewall on his router.

      • #1262118

        When browsers are launched we get the message – Proxy Server is refusing connection. Now we can ping to the internet say http://www.yahoo.com and we get a good connection. His Steam application pops up a window from the system tray now and then about someone being online. Seems as though his PC (Windows 7) can receive information but can’t use a browser.

        We did download a new version of Firefox from another PC and installed it on his but we have the same problem.

        Any suggestions?

        P.S. He doesn’t have a software firewall. He uses the hardware firewall on his router.

        Go to your Control Panel >Internet Options>Connections and uncheck anything that has to do with proxies or proxy servers and see if that helps.

        In FF go to Tools>Options>Advanced>Network and check the network settings there to see if something got changed.

        • #1262226

          Go to your Control Panel >Internet Options>Connections and uncheck anything that has to do with proxies or proxy servers and see if that helps.

          In FF go to Tools>Options>Advanced>Network and check the network settings there to see if something got changed.

          We checked FF and it was set to use system proxy settings. The lan settings on IE was set to use a proxy server. We changed IE to automatically detect settings and now both browsers work and his online games work. Thank you!

          • #1262234

            We checked FF and it was set to use system proxy settings. The lan settings on IE was set to use a proxy server. We changed IE to automatically detect settings and now both browsers work and his online games work. Thank you!

            That is so very COOL! Thanks for posting back 🙂 Congratulations!!!

    • #1262119

      Should his browsers be configured to use a proxy? What proxy are the browsers configured to use?
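
The two questions above are answered by reading the same settings the Internet Options dialog edits. Internet Explorer, and Firefox when set to "use system proxy settings", take their proxy from the WinINET values under the user's Internet Settings key; the "Automatically detect settings" checkbox is not a separate value but a flag bit in the `DefaultConnectionSettings` blob. Services such as Windows Update use a separate WinHTTP proxy. The script below is an added example for this page in PowerShell, not from the thread. It reports all of these, tests whether a configured proxy is actually listening (a proxy entry left behind after the process that served it has been deleted gives exactly the "proxy server is refusing connections" message seen above), and with the `-Reset` switch, which is this example's own name, clears the manual proxy and PAC URL. The flag-bit layout of the blob (byte 8: 0x01 direct, 0x02 manual proxy, 0x04 PAC script, 0x08 auto-detect) is as commonly documented and is only read here, never written.

```powershell
# Added example, not from the thread. Reports the WinINET and WinHTTP proxy
# configuration; -Reset clears a manual proxy and PAC URL for the current user.
param([switch]$Reset)

$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$s = Get-ItemProperty -Path $inet

Write-Host ("ProxyEnable   : {0}" -f $s.ProxyEnable)
Write-Host ("ProxyServer   : {0}" -f $s.ProxyServer)
Write-Host ("ProxyOverride : {0}" -f $s.ProxyOverride)
Write-Host ("AutoConfigURL : {0}" -f $s.AutoConfigURL)

# "Automatically detect settings" lives in byte 8 of this binary value.
$connKey = Join-Path $inet 'Connections'
$blob = (Get-ItemProperty -Path $connKey -ErrorAction SilentlyContinue).DefaultConnectionSettings
if ($blob -and $blob.Length -gt 8) {
    $flags = [int]$blob[8]
    Write-Host ("Connection flags: 0x{0:X2}  manual={1} pac={2} autodetect={3}" -f $flags,
        (($flags -band 2) -ne 0), (($flags -band 4) -ne 0), (($flags -band 8) -ne 0))
}

# If a manual proxy is enabled, see whether anything is listening on it.
if ($s.ProxyEnable -eq 1 -and $s.ProxyServer) {
    # Format is "host:port" or "http=host:port;https=host:port;..."
    $hostPort = (($s.ProxyServer -split ';')[0]) -replace '^[a-z]+=', ''
    $h, $port = $hostPort -split ':'
    $tcp = New-Object System.Net.Sockets.TcpClient
    try   { $tcp.Connect($h, [int]$port); Write-Host "Proxy $hostPort accepts connections" }
    catch { Write-Warning "Proxy $hostPort is configured but nothing is listening there" }
    finally { $tcp.Close() }
}

# WinHTTP keeps its own proxy, used by Windows Update and other services.
netsh winhttp show proxy

if ($Reset) {
    Set-ItemProperty -Path $inet -Name ProxyEnable -Value 0
    foreach ($v in 'ProxyServer', 'AutoConfigURL') {
        Remove-ItemProperty -Path $inet -Name $v -ErrorAction SilentlyContinue
    }
    netsh winhttp reset proxy
    Write-Host 'Manual proxy and PAC URL cleared. Re-tick "Automatically detect settings" in Internet Options > Connections > LAN settings if it is off.'
}
```

On a home PC behind a router the expected report is `ProxyEnable : 0`, no `ProxyServer`, no `AutoConfigURL`, the auto-detect bit set, and `netsh winhttp show proxy` saying "Direct access (no proxy server)". A `ProxyServer` pointing at `127.0.0.1` or `localhost` on some port is the classic sign that the malware was routing the browser through itself.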

    • #1262133

      I’d suggest you try some of the rootkit finders like RootkitRevealer.

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!

      • #1262229

        I’d suggest you try some of the rootkit finders like RootkitRevealer.

        Retired, we finally got his PC back to work properly. At least it seems that way. It may have been just a virus we got rid of or there may be a root kit still hiding somewhere. We’ll take precautions and run a root kit finder though just to make sure. Thanks.

    • #1262861

      Reading through this thread, I noticed one thing, which I see a lot: when the proper program is finally used, it often finds the offending virus, spyware, trojan, or whatever, in the TEMP folder or Temporary Internet Files folder(s). If, at the first sign of problems, all those folders are cleaned out, much of the problem can be removed right there. That’s the first thing I do when cleaning up a customer’s PC.

      On my own PC, I have a batch file in my Startup folder that deletes all the junk files off of my C: drive on every boot-up. It does take a while to find every folder on the HD that contains junk and to put that folder into a Cleanup.bat program, but the result is well worth the effort.

      Another problem I see a lot, is that most people don’t know that you have to use an Anti-Virus program to remove viruses, an Anti-Spyware program to remove spyware and often an Anti-Trojan program to remove Trojans. Using an anti-spyware program to remove a virus, for instance, will do you no good at all.

      Some of the better AV programs will now remove Spyware, Trojans and even Rootkits. AVG 2011, for instance is one of these expanded programs that will find ‘almost’ every form of malware. They have expanded their coverage greatly since AVG 9.0 FREE.

      But knowing that no one program can or will get every piece of malware in the world, I run a “Package” of security software to keep my own PC 100% malware free. I use:
      AVG Pro 2011
      Spybot Search & Destroy
      Spyware Blaster (a spyware blocker)
      Malware Bytes Pro
      Trojan Hunter

      Trojan Hunter is good for cleaning a “Dirty” PC, because even in the 30 day trial mode, it’s 100% fully functional.

      Cheers Mates and may all your problems be LITTLE ones,

      The Doctor
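
The advice above to clear the temp folders first is sound (both files NOD32 eventually found in this thread were in Temp and Temporary Internet Files), with one refinement a practitioner would want: quarantine rather than delete, so a sample survives for the AV vendor and a false positive can be put back. The script below is an added example for this page in PowerShell, not the poster's Cleanup.bat and not from any vendor. It walks the user temp folder, the Windows temp folder and Temporary Internet Files, picks out executable content (by extension, plus `.tmp` files that start with the `MZ` executable header), moves each to a quarantine folder under a hash-prefixed `.bin` name so it cannot be double-clicked by accident, and writes a CSV log. The folder list, extension list and `-Quarantine` parameter are this example's own assumptions. Run elevated; a file that is in use will fail to move, which is itself useful information and a reason to re-run from Safe Mode.

```powershell
# Added example, not from the thread. Quarantines executable content from the
# temp folders instead of deleting it, keeping a SHA-1 log for submission.
param([string]$Quarantine = 'C:\Quarantine')

$tempDirs = @(
    $env:TEMP,
    (Join-Path $env:windir 'Temp'),
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files')
)
$execExt = '.exe', '.dll', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.tmp'

$sha1 = [System.Security.Cryptography.SHA1]::Create()
function Get-Sha1([string]$File) {
    $fs = [System.IO.File]::OpenRead($File)
    try { ([System.BitConverter]::ToString($sha1.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}
function Test-PEHeader([string]$File) {
    # A .tmp that begins with "MZ" is an executable under a harmless-looking name.
    $buf = New-Object byte[] 2
    $fs = [System.IO.File]::OpenRead($File)
    try { $n = $fs.Read($buf, 0, 2) } finally { $fs.Close() }
    return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
}

New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
$log  = Join-Path $Quarantine 'quarantine.csv'
$rows = @()
foreach ($dir in $tempDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
      Where-Object { -not $_.PSIsContainer -and $execExt -contains $_.Extension.ToLower() } |
      ForEach-Object {
        $f = $_
        if ($f.Extension -eq '.tmp' -and -not (Test-PEHeader $f.FullName)) { return }
        try {
            $hash = Get-Sha1 $f.FullName
            # Hash prefix keeps same-named files apart; .bin stops accidental execution.
            $dest = Join-Path $Quarantine ("{0}_{1}.bin" -f $hash, $f.Name)
            Move-Item -Path $f.FullName -Destination $dest -Force
            $rows += New-Object PSObject -Property @{
                Original = $f.FullName; Quarantined = $dest; SHA1 = $hash; Size = $f.Length
            }
        } catch {
            # Typically "in use": the file is running. Note it; kill it or use Safe Mode, then re-run.
            Write-Warning "Could not move $($f.FullName): $_"
        }
      }
}
$rows | ConvertTo-Csv -NoTypeInformation | Out-File -FilePath $log -Append -Encoding ASCII
Write-Host ("{0} file(s) quarantined, log at {1}" -f $rows.Count, $log)
```

The hash in the log is what an AV vendor or an online scanner asks for first, and the CSV tells you where to put a file back if it turns out to be a legitimate installer's leftover. Browser cache and ordinary data files are left alone on purpose; they are not what runs, and a cache clear from the browser itself is the safer way to drop them.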

    • #1263025

      Sorry, but I can’t resist adding another $0.02 worth…

      I almost totally second Dr. Who’s post!

      It greatly puzzles me that nobody even mentioned Sysinternals’ Autoruns. Portable and GOOD! If you only know a bit of what you are doing, that’s the thing to use in such a situation.

      Run it in Safe Mode and delete ALL entries that point to any Temp… or Data… folder. Naturally it helps to know your way around in Windows’ folder maze, but Autoruns’ listing is easy to read. You’ll find everything except rootkits.

      Once you find an entry in a Temp or Data folder, go to Explorer and delete the folder that stuff is in. If it does not want to delete, use Unlocker 1.8.9, NOT the most current version. If you can’t install Unlocker, use SafeMSI.

      All the tools I mention here are free and work for me; I have used them for years, from XP through Win7; I have donated to all their creators where that was an option.

      Cheers!
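
The rule given above, "delete every autostart entry that points into a Temp or Data folder", can be applied without guesswork once the entries are listed with their resolved targets. The script below is an added example for this page in PowerShell; it is not Autoruns and covers only a small subset of the locations Autoruns shows (the Run/RunOnce keys, the Winlogon Shell and Userinit values, and both Startup folders), but it applies exactly that rule. Entries whose executable lives under Temp, AppData or ProgramData are flagged; with the `-Remove` switch flagged Run values are deleted and flagged Startup items are moved into a holding folder rather than deleted. Winlogon values are only reported, because a wrong edit there breaks logon. The `-Remove` and `-HoldingDir` parameters and the helper names are this example's own. Run it elevated, in Safe Mode as the post suggests, and use the list the full Autoruns produces for everything else (services, drivers, scheduled tasks, browser helper objects).

```powershell
# Added example, not from the thread. Flags autostart entries whose target
# lives in a user-writable folder; -Remove acts on the Run keys and Startup folders.
param([switch]$Remove, [string]$HoldingDir = 'C:\Quarantine\Startup')

$suspectRoots = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData) |
    Where-Object { $_ } | ForEach-Object { $_.ToLower() }
# Properties the registry provider adds to every Get-ItemProperty result; not real values.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-CommandPath([string]$Cmd) {
    # Extract the executable from a command line: the quoted part, or the first token.
    if (-not $Cmd) { return '' }
    $c = [System.Environment]::ExpandEnvironmentVariables($Cmd.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    return ($c -split '\s+')[0]
}
function Test-SuspectPath([string]$Path) {
    if (-not $Path) { return $false }
    $p = $Path.ToLower()
    foreach ($r in $suspectRoots) { if ($p.StartsWith($r)) { return $true } }
    return $false
}

# 1. Run / RunOnce values (per-user, per-machine, and the 32-bit view on x64).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }
        if (Test-SuspectPath (Get-CommandPath $prop.Value)) {
            Write-Warning ("{0}\{1} = {2}" -f $key, $prop.Name, $prop.Value)
            if ($Remove) { Remove-ItemProperty -Path $key -Name $prop.Name }
        }
    }
}

# 2. Winlogon: Shell should be explorer.exe and Userinit the system32 userinit.exe.
$winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($winlogon.Shell -ne 'explorer.exe') { Write-Warning "Winlogon Shell = $($winlogon.Shell)" }
$userinitOk = "$env:windir\system32\userinit.exe,"
if ($winlogon.Userinit -ne $userinitOk) { Write-Warning "Winlogon Userinit = $($winlogon.Userinit)" }

# 3. Startup folders: resolve each shortcut and test its target.
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [System.Environment]::GetFolderPath($folder)
    if (-not $dir -or -not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -eq '.lnk') { $target = $shell.CreateShortcut($_.FullName).TargetPath }
        if (Test-SuspectPath $target) {
            Write-Warning ("{0} -> {1}" -f $_.FullName, $target)
            if ($Remove) {
                New-Item -ItemType Directory -Path $HoldingDir -Force | Out-Null
                Move-Item -Path $_.FullName -Destination $HoldingDir -Force
            }
        }
    }
}
```

Expect a few legitimate hits: some updaters and chat clients do install under AppData\Local, which is why the script prints first and removes only on request. A Run value whose command points at a randomly named `.exe` in Temp, or a Winlogon Shell that is anything other than `explorer.exe`, is the kind of entry the post above is telling you to take out.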

      • #1263038

        Once you find an entry in a Temp or Data folder go to Explorer and delete the folder that stuff is in. If it does not want to delete use Unlocker 1.8.9, NOT the most current version.

        FYI-

        I downloaded “Unlocker 1.8.9.” and was immediately met with the (for me anyway) rarely seen MSE red warning pop up. I allowed MSE to clean it out successfully. It may well have been a false positive, but….

    • #1263069

      @John Juergens:

      Before I come to my reply: My web storage service currently does not work, so I will have no screen shots for you. How did you get your screen shots in your post? That is something I “always” wanted to be able to do. TIA for a reply

      Re Unlocker: All true but you are crying wolf.

      Maybe I should preface that I just simply expect everybody to get all the information when they work with freeware, especially from someone who is geeky enough to do manual malware removal. “… get all the information …” means to READ the Installer windows for example! So here it is:

      Almost all freeware authors “make” some money by adding what I call “blind passengers” to the install. With Unlocker 1.8.9 it’s so-called “eBay Shortcuts”, with Unlocker 1.9.0 it’s the Bing Toolbar, and with Auslogics Disk Defrag it is Chrome and the Chrome toolbar, just to name a few.

      At least above examples give you ample opportunity to UN-check the check marks that would actually install the maybe/mostly unwanted blind passenger(s). Where were your eyes? IMHO just clicking Next, Accept, Next, Next, Install to get through the install really fast always has been one of the many paths to disaster.

      Now the details:
      Unlocker 1.8.9 asks you to select what you want to install. eBay Shortcuts? Why didn’t you stumble over that?

      MSE alarm #1: In the Details you could have seen that it screams about the eBay Shortcuts module in your temporary folder right after unpacking the installer package. If you UN-check eBay Shortcuts nothing will happen.

      BTW, I think that eBay and MSE should have a conversation about what I presume to be possibly a false positive in the first place.

      Then I got MSE alarm #2 complaining about the eBay shortcut file in the installer container (at that point in time on my desktop). Just for kicks I told MSE to remove it. Even after the removal from the container the installer ran just fine.

      Did I have an inappropriate expectation about other people reading all the little windows when they work with freeware? And thinking before they click? Maybe. My apology.

      Anyway thanks for reading.

      • #1263171

        Before I come to my reply: My web storage service currently does not work, so I will have no screen shots for you. How did you get your screen shots in your post? That is something I “always” wanted to be able to do. TIA for a reply

        I’ll take this one. When composing a reply, use the full editor. Below the compose area is an attachment box. Save your image as a file and then upload it as an attachment. You can place it within your post (e.g., between paragraphs) or at the bottom.

        • #1263237

          I’ll take this one. When composing a reply, use the full editor. Below the compose area is an attachment box. Save your image as a file and then upload it as an attachment. You can place it within your post (e.g., between paragraphs) or at the bottom.

          Thank you jscher2000!

          I played with it and it truly works like charm.

      • #1263216

        @John Juergens:

        Re Unlocker: All true but you are crying wolf.
        – get all the information …” means to READ the Installer windows for example! So here it is:

        At least above examples give you ample opportunity to UN-check the check marks that would actually install the maybe/mostly unwanted blind passenger(s). Where were your eyes? IMHO just clicking Next, Accept, Next, Next, Install to get through the install really fast always has been one of the many paths to disaster.

        Now the details:
        Unlocker 1.8.9 asks you to select what you want to install. eBay Shortcuts? Why didn’t you stumble over that?

        MSE alarm #1: In the Details you could have seen that it screams about the eBay Shortcuts module in your temporary folder right after unpacking the installer package. If you UN-check eBay Shortcuts nothing will happen.

        Did I have an inappropriate expectation about other people reading all the little windows when they work with freeware? And thinking before they click? Maybe. My apology.

        Hi, Eike Heinz!

        First of all, thank you for your interesting and useful initial post in this thread. I was working my way through it when interrupted by the unexpected malware warning. I have come to look forward every day to visiting WSL for the wonderful opportunity to learn from others such as yourself that have years of valuable experience to pass on to those of us eager to learn more about computers and related subjects.

        Regarding your reply, I actually never made it to the point of unpacking or installing the “Unlocker” app, which would have given me the opportunity to “stumble over that”, “UN-check eBay Shortcuts”, “reading all the little windows”, or “thinking before they click”. The warning from MSE came as soon as the installation package downloaded to my computer. As is my current practice, I followed MSE’s recommendation and allowed it to remove the downloaded file. At the time, it didn’t seem prudent to continue on with a file that MSE named as a severe threat and recommended be removed immediately. In over a year of using MSE, I’ve only had to react to such a warning five times, and was taken aback to come across something here that would trigger a response from the security app.

        I understand your response to me; my warning implied that you had either knowingly or unknowingly posted a link to an unsafe file. As I re-read it, I would have taken it the same way if I were you. I offer my sincere apologies to you, sir. It was not my intention to besmirch your integrity here, but rather to keep someone lacking security protection from downloading and installing themselves an unwanted mess.

        John

    • #1263236

      @John,

      No need to apologize, I didn’t feel personally “besmirched” at all.

      And it’s a pleasure to read your well written comments, thank you.

      My intention was much more to point out that as so often with computers “the truth” seems to be well hidden in the gray.

      I have witnessed Unlocker’s path from a free utility to a free utility with a stowaway. Cedrick Collomb, the author, has replaced the eBay payload with the Bing bar. And I can’t even tell why, while writing my original post, in my mind I did consider the Bing bar worse than the eBay shortcuts.

      Maybe I have to apologize here.
