• Malware removal (Doh!)

    Yesterday, in an extreme act of stupidity, I did something which left me stuck with XP Antivirus 2012.
    Basic question: How do I get rid of it? I uploaded Avast, which seemed to help a little, but seems to be causing problems of its own. I tried to install MalwareBytes Anti-Malware free program but ran into difficulties. I found that rkill and exehelper are supposed to make installation easier but there are five versions of the former and three versions of the latter. Which version of each works best with Win XP Service Pack 3? Which do I install first? Finally, are there any other programs that can clear out this pest? I’d hate to have to go for the nuke option, which I could talk about later.

    Help?

    • #1311776

      Both Malwarebytes and SuperAntispyware should be able to remove that. Boot in Safe Mode with networking, download each of them and let them run.

      • #1311799

        Question: since I’ve never worked in safe mode, how do I do it? Steps? Procedures? And I still have those questions regarding rkill and exehelper. Plus someone told me about another program called Combofix which is supposed to be better than Malwarebytes. Anyone know anything about it?

    • #1311802

      Tiger,
      Reboot your computer; as soon as it starts, press F8 repeatedly, until you are given the choice of how to boot – pick safe mode with networking, download & install the abovementioned programs, and run them while still in safe mode.

      I understand that Combofix is not for the faint of heart, nor the inexperienced.

      Zig

      • #1311864

        I downloaded MalwareBytes and ran the scan twice. The first time it found a whole bunch of crap. They’re gone apparently. I was very happy to see my PC return to normal. The second time it found another pest. That’s gone too, I think. I ran Avast after that. It apparently didn’t find a virus but “Some files could not be scanned.” I’m going to run MalwareBytes again before bed. Now I’m thinking of adding SuperAntispyware but, with MalwareBytes and Avast on board, does anyone know of problems with three virus killers in the system? Plus, what’s the deal with Combofix? It sounds like MalwareBytes on steroids. Why the caution?

        • #1311887

          what’s the deal with Combofix? It sounds like MalwareBytes on steroids. Why the caution?

          From the description on Majorgeeks.com:

          ComboFix is a program, created by sUBs, that scans your computer for known malware, and when found, attempts to clean these infections automatically. In addition to being able to remove a large amount of the most common and current malware, ComboFix also displays a report that can be used by trained helpers to remove malware that is not automatically removed by the program.

          You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

          It is also understood that the use of ComboFix is done at your own risk.

          Reading between the lines, if you’re asking questions about how many antispyware programs you can have on your computer at any one time, you probably shouldn’t be running this program without some direction. Please don’t take this as a slam, just my 2 cents’ worth.

          Zig

          • #1311899

            Well, I uploaded SuperAntiSpyware and used it. It found a lot of stuff. Pretty shocking, much of it adware. It removed it, but geez! The crap I had… whoa! Anyway, from the info on Combofix, I guess it’s one of those last resort, “do-not-use-unless-absolutely-necessary” programs. I guess Ted Myers’ multilayered approach seems the best way to go. I do have a question, several actually: Now that I have MalwareBytes, SuperAntiSpyware, Avast, and Microsoft Security Essentials, is this good for a multilayered approach or are there better programs to cover all the bases? I have this annoying red shield in my lower-right corner labeled Windows Security Alerts; is this a remnant of the virus or legit? Either way, how do I get rid of it? Plus my computer takes too long to shut down and a little long to log on to the internet. Are these a consequence of constant activity running the antivirus progs or is something still interfering with my PC functions? Anyway, thanks for the help and advice people, I really appreciate it.

            • #1311901

              Now that I have MalwareBytes, SuperAntiSpyware, Avast, and Microsoft Security Essentials, is this good for a multilayered approach or are there better programs to cover all the bases? I have this annoying red shield in my lower-right corner labeled Windows Security Alerts; is this a remnant of the virus or legit? Either way, how do I get rid of it?

              “Tiger”

              Hello… Just keep in mind that “Malwarebytes” Free does not run in real time (background); you have to run it manually to scan and update… If you move to their “Pro” version it runs and updates automatically and can be set to remove the “Bad’s” on its own… As for “Super blah, blah”… I don’t trust it, since I tried it when it came out and it wanted to remove the “Virus” it found after purchasing the pay-for version… As far as the Windows “Red Shield”, I get that because I have “Windows Update” set to “Never Check for Updates”. Have a look at your settings… :cheers: Regards Fred

            • #1311907

              Plus my computer takes too long to shut down and a little long to log on to the internet. Are these a consequence of constant activity running the antivirus progs or is something still interfering with my PC functions?

              I’d like to amend that: My computer won’t shut down at all and it takes a bit too long to connect to the internet. Something’s interfering. Any ideas? Missed virus perhaps?

            • #1311913

              Tiger4, Hello.

              It’s quite likely that your “scare-ware” XP antivirus 2012 infection has been dropped onto the system via a rootkit installing a trojan-dropper. It’s quite a common infection route.

              If correct, running Malwarebytes / SuperAntispyware and all the others will not remove the root cause infection and it will come back time and time again, as you are only removing the visible element dropped onto the system by the trojan, which is now hiding.

              A technique that, so far, has not let me down for these types of scare-ware is to boot into Safe Mode (without networking) and run a System Restore. When re-booting from the System Restore make sure to return to Safe Mode (without networking) to complete the Restore. Double check to ensure you do not have a DNS Hijack or a proxy set in the adapter settings. Verify the Hosts file (C:\Windows\System32\Drivers\Etc) has not been changed and consider running Kaspersky TDSS Killer and the Sophos Rootkit tools too. Then run Malwarebytes and the others to verify you are clear.

              After running Malwarebytes, re-run your favourite tools, but also check using autoruns for any leftovers.

              To help prevent future outbreaks, make sure Java, Adobe Flash Player and Adobe Reader are fully patched (these are very common infection points). Also, install adblocking add-ons to your favourite browser – many of these nasties get in through poisoned animated adverts that exploit holes in Flash or Java and do not require user interaction.

              Look into running a HIPs based OS firewall such as Comodo or Online Armor which will intercept suspicious program activity and allow you to nip it in the bud.

              Finally, consider running the machine from a Standard User account rather than admin, as this makes it much harder for the malware to install – it requires either a second attack to elevate privileges or for the user to manually allow installation.

              BTW, I agree with the caution about ComboFix. It is almost certainly not needed to clean up this type of infection.

            • #1311935

              Tinto Tech, Hello Back 🙂

              Thanks for the advice but thanks to that advice I now have a whole bunch of questions. You see, I’m not PC savvy, so a lot of the terms you mention in your post are Egyptian hieroglyphics to me. So here are the questions:

              DNS Hijack or proxies set in adapter settings: What are they and how do I get rid of them?

              How do I verify the hosts and what do I do if the file has been changed?

              Kaspersky TDSS Killer: What’s that and how do I get it?

              Sophos Rootkit Tools: see above

              Autoruns: what are they? What do I do to activate them?

              Java, Adobe Flash Player, and Adobe Reader: how do I check the patches? (No, forget that. I don’t have Java or Flash Player. I do have Adobe Reader X.)

              Ad-blocking add-ons: the browser offers those, right?

              HIPS based OS firewall: what’s that? How do I get it?

              Standard User account: I think I already use it. In reference to manual allowance of malware, how do you think I got into this mess?

              Furthermore, how do I turn off my computer when it won’t shut down? Other than switching off the surge protector, I mean?

            • #1312975

              I just removed an AV Security Protection 2012 from a Windows 7 laptop by following Clint’s “Boot to Safe Mode with networking”. I was able to remove the program in safe mode and also run Malwarebytes, and it worked easily when AV scanning in normal mode was failing and trying the program removal was failing. The functionality of the system came back quickly after the removal. Then I used http://www.secunia.com to see what was out of date in all the Java, Flash and Adobe areas to plug any holes.
              On anti-virus I only use 1 being active; if you have more than that they seem to get into conflicts. If I’m questioning whether I have a virus problem then I will try a 2nd anti-virus for a scan, then remove it. I have moved to using Microsoft Security Essentials as it seems to do a good job, and for people I help it works with the least amount of intervention, which most people have trouble with. I used to use AVG Free but they have made it only anti-virus and no malware or spyware protection. I believe Avast Free has done the same. The laptop I removed the Security Protection 2012 from had Avast Free on it, to no avail.
              I also have had trouble with Super Anti Spyware slowing a system down considerably when I left it installed.
              Good Luck
              Carl

            • #1312968

              I’d like to amend that: My computer won’t shut down at all and it takes a bit too long to connect to the internet. Something’s interfering. Any ideas? Missed virus perhaps?

              Seems like you have an LSO installed which is never found by normal adware programs or virus checkers. One good program for getting rid of flash based cookies is flashcookie cleaner.

              http://www.flashcookiecleaner.com/

              This finds and cleans out any flash based cookies. It may not get rid of all root kits but together with root kit removers may well help in clearing out your problem.

            • #1312896

              Now that I have MalwareBytes, SuperAntiSpyware, Avast, and Microsoft Security Essentials, is this good for a multilayered approach or are there better programs to cover all the bases?

              I haven’t seen anyone comment on this… Avast and Microsoft Security Essentials are both full-time security programs… they should not be installed and running at the same time.

            • #1312936

              I would highly recommend using ComboFix and then a Repair Reinstall. Assuming you have a valid copy of the OS anyway. Worked for me recently after attempting nearly everything else suggested in this thread! Just make sure to do an actual Repair Reinstall… it’s a little misleading as you’re starting the process. It’s not the first “repair” option that you come to. Do a little research before attempting! :rolleyes:

    • #1311804

      I’ve never heard of combofix, but perhaps that’s because MalwareBytes works well for me, although with my multi-layered approach to security I have never had a successful attack against my PCs. As you have found out, the hard way, the best security in the world doesn’t help against “an extreme act of stupidity” as you put it. We all sometimes have these moments. In my case I call them “senior moments”. LOL :rolleyes:

    • #1311814

      This is why I have full image backups going back 3 weeks. It only takes me less than half an hour to restore a full image backup to a time when the OS was clean, if ever needed.

    • #1311870

      SuperAntispyware can be installed and run when you feel like it because I understand it executes only when you order it to scan, same as with the free Malwarebytes. If they provided real time protection, that might be different.

    • #1311936

      Kaspersky TDSS Killer

      Sophos Rootkit Tools

      Autoruns

      Java

      Basically, with all the above, all I did was copy the names from your post and paste them into my address bar in IE 9. This did a Google search and voilà, there they are.

      • #1311940

        Thanks Ted 😉

        Tiger, normally I include hyperlinks, but I chose not to in that post. Sometimes one can learn more by having to do the work.

        A DNS Hijack is unlikely, but is one where the malware adjusts a setting in your system that re-directs your browser to websites that are different to the ones you enter. You might type in cnn.com, but arrive somewhere else, for example. There are two quick ways to check for the most likely route for a DNS Hijack:

        Look at the lmhosts file at C:\windows\system32\drivers\etc. Use Notepad to open it. It should not contain anything other than comments (prefaced with a #) or entries that you have made yourself. You can also check the date/time stamp of the file compared to the others in that folder to verify it has not been modified.

        The second check for a DNS Hijack is to verify your network adapter has not been re-directed. Go to your network connections in Control Panel. Right click on your network adapter. Click on Internet Protocol (TCP/IP) and click the Properties button. In the TCP/IP properties window that appears, you should verify that DNS is set to automatic, or anything that you have not manually set yourself. While you are there, click on the Advanced button and then Options Tab. Verify that no TCP/IP filtering has been enabled {while not technically a DNS Hijack, TCP/IP filtering can be used to spoof a failed network connection to a website, which is sometimes enough to convince the victim they are infected with the problems indicated by the scare-ware}. Finally in this section, check for a Proxy re-direct. Open Internet Explorer. Go to Tools>Internet Options. Click on the Connections Tab and verify that the LAN settings do not have a Proxy address set (unless you have manually set one previously).

        Re Flash Player, Java and Reader: You almost certainly have Adobe Flash Player, unless you have made a conscious decision not to install it. Go to http://get.adobe.com/flashplayer/ to install the latest version. Good that you have Adobe Reader X; it’s much more secure than earlier versions, employing a sandbox that prevents many infection routes – but it’s not totally secure, so open up Reader X and go to Help>Check for Updates and follow the instructions. You possibly also have Java installed. Go to http://www.java.com to download the latest version. From time to time, you will see pop-up dialog boxes indicating updates are available for Java, Reader or Flash Player: you should always install them if available. Make sure you use genuine download sites for Reader, Flash Player and Java – the bad guys out there know people are looking to download these products and build spoof sites which can be compromised.

        Adblocking tools vary depending on the browser. In Firefox and Chrome I use AdBlock Plus. The browsers do not offer these. They must be manually added to the browser. Search for Adblock Plus using Firefox or Chrome if you use those browsers. Since you are on XP, you will be limited to IE8: I’m not aware of any adblock tools for that browser, but there may be some, so look around.

        A HIPS firewall is a Host-based Intrusion Protection System. It is a firewall that monitors activity on your machine and intercepts suspicious connections to the outside world, but also intercepts suspicious activity on the system. It is much more than the standard firewall in Windows. Use a HIPS firewall in conjunction with your broadband router firewall. Take a look at Comodo Firewall or Online Armor and you will see examples of the products.

        If you can’t turn off the PC with Start>Turn Off>Shutdown, try holding the power button for 5 to 10 seconds. To boot into Safe Mode tap F8 while the PC is booting up. Remember to re-boot into Safe mode if you attempt a System Restore from Safe Mode.
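As an added example (not from the thread or any poster), a short Python script that performs the hosts-file check described above offline: it reads hosts-file text the way the resolver does (text after `#` is a comment, several names may share one line) and flags every entry that is neither a comment nor the default localhost line, telling names redirected to another address apart from names sinkholed to loopback. The sample hosts content, the 203.0.113.7 address and the hostnames in it are constructed.

```python
"""Audit a Windows hosts file the way the thread suggests: a clean file holds
only '#' comments and the default loopback entries for 'localhost'.  Anything
else either redirects a name elsewhere (the cnn.com-goes-somewhere-else case)
or sinkholes it to loopback; both deserve a second look.  Example code written
for this thread, not a tool from any poster.  Sample content is constructed."""
import ipaddress
from dataclasses import dataclass

# Hostnames that legitimately point at a loopback address by default.
DEFAULT_LOOPBACK_NAMES = {"localhost"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    address: str
    hostname: str
    kind: str  # "redirect", "sinkhole" or "malformed"


def parse_hosts_lines(text):
    """Yield (line_no, address, [hostnames]) for every active line.

    Mirrors the resolver: text after '#' is a comment (inline or whole-line),
    blank lines are skipped, and one address may carry several hostnames."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        yield line_no, parts[0], parts[1:]


def audit_hosts(text, own_entries=()):
    """Return a Finding for every entry the user did not knowingly create.

    own_entries: hostnames the user added deliberately (a LAN printer, say);
    they are skipped so the report shows only the unexpected entries."""
    own = {name.lower() for name in own_entries}
    findings = []
    for line_no, address, names in parse_hosts_lines(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            ip = None
        if ip is None or not names:
            # Not "<ip> <name>..." at all: the resolver ignores it, but it
            # still means someone edited the file.
            findings.append(Finding(line_no, address, " ".join(names) or "?", "malformed"))
            continue
        for name in names:
            lname = name.lower()
            if lname in own:
                continue
            if ip.is_loopback:
                if lname in DEFAULT_LOOPBACK_NAMES:
                    continue  # the stock 127.0.0.1 / ::1 localhost lines
                # Pointing a real name at loopback makes that site unreachable,
                # a common way to block security-vendor or update sites.
                findings.append(Finding(line_no, address, lname, "sinkhole"))
            else:
                # Any other address means requests for this name go elsewhere.
                findings.append(Finding(line_no, address, lname, "redirect"))
    return findings


def format_report(findings):
    """One line per finding, or a short all-clear message."""
    if not findings:
        return "hosts file looks clean: only comments and default localhost entries"
    return "\n".join(f"line {f.line_no}: {f.kind:9} {f.hostname} -> {f.address}"
                     for f in findings)


# Constructed sample standing in for C:\windows\system32\drivers\etc\hosts.
# 203.0.113.7 is a documentation (TEST-NET-3) address; the names are made up.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed for this example)
#
# Lines starting with '#' are comments and are ignored by the resolver.
127.0.0.1       localhost
::1             localhost
203.0.113.7     cnn.com www.cnn.com    # constructed redirect entry
127.0.0.1       update.example-av.invalid
"""

if __name__ == "__main__":
    print(format_report(audit_hosts(SAMPLE_HOSTS)))
```

On a real machine, read the file from the path above and pass its contents to `audit_hosts`, listing any entries you added yourself in `own_entries`.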

    • #1311970

      Tinto, I think you meant to say check the Hosts file in

      C:\windows\system32\drivers\etc, not lmhosts, which is used for NetBIOS computer names. Otherwise an excellent post.

      Jerry

    • #1311977

      Tinto, Hello Again 🙂

      Thanks! This info is highly informative. A couple of minor questions (it’s my overly cautious nature [which unfortunately failed me last Saturday]):

      Should I download all the tools you recommend before I try System Restore or after (including the firewalls)? I wouldn’t want to do something that would force me to start all over again.

      C:\windows\system32\drivers\etc: I take it I go to My Computer to find the Hosts file, right? I might have done this before but I’m not sure, and I don’t want to waste minutes trying something simple but overlooked because of my easy frustration.

      • #1311979

        I think you meant to say check the Hosts file in
        C:\windows\system32\drivers\etc, not lmhosts, which is used for NetBIOS computer names.

        Ooops! Quite correct Jerry: I’ll put it down to being a bit slow this morning due to post Christmas fuzziness. :blush:

        @ Tiger:

        A couple of minor questions

        No problem. Run the System Restore first. Use it without Networking. I don’t know about this bit for sure, but anecdotal evidence suggests to me that these rootkit/trojans hide themselves in, or are activated by, the Windows TCP/IP system. When networking is not enabled (in fact more than just networking, but the entire TCP/IP subsystem), they do not seem to be active, allowing one to run a restore to a point before the infection entered the system.

        There are other methods, but I have had mixed results with these – some people suggest using rkill to eradicate the rogue process, others jump straight into autoruns etc, but I have found that running a restore goes right to the heart of the trouble and removes the change to the system files that has been made by the attacker.

        Depending on what is causing the system not to shutdown, that may also be fixed by a System Restore too.

        Having eradicated the rootkit/trojan using system restore, you should have a usable browser and can then download the extra tools to clean up anything left over, or use a memory stick with them on from another machine.

        Another thought on that: it is possible that some of your existing AV tools may have been damaged by the infection. It might be necessary to uninstall them and install others (or re-install) to make them effective again.

        Just to be sure it is locked into the process you are about to run……. It is necessary to reboot to complete a System Restore. You must reboot back into the same mode that initiated the restore. i.e. if you initiate a System Restore from Safe mode (where the infection is not active), you must return to Safe Mode upon reboot, otherwise the restore will not be completed and the infection will still be present.

        Re the hosts file: yes, open My Computer and navigate down the path to find the file. If it is damaged and you cannot correct it using Notepad, it may have been protected from access by the infection and you may need to run extra processes to get a clean file.

        • #1312135

          Tinto, Hello The Third 🙂

          Well, I tried three different restore points. All of them came up incomplete. The message was the same: “Restoration Incomplete. Cannot restore to such and such dates.” I followed the instructions. I initiated from Safe Mode, then rebooted from same. I pressed F8 both times (actually six, since I did this three times), all without networking. Should I just download and run the Kaspersky Killer and Sophos tools anyway?

          • #1312203

            If the system is so badly corrupt that it cannot complete a System Restore (as opposed to no restore point being available) and it won’t shutdown cleanly, I think you are going to have further stability problems, even if some of the tools described earlier make some progress against the malware.

            If you have the time and resource, it might be worthwhile following a clean up procedure because it is a useful learning exercise in itself, but you should be prepared for it not to work and to experience additional issues along the way. If it fails, or if you are still left with an unstable system, then perhaps a Windows re-installation is the best way out now.

            If you feel that it is worthwhile to try, yes, you could proceed to download some of the other tools and see what they make of it.

            One thing you also may wish to do now is to copy any important data off the machine. You need to be careful not to propagate the infection to another machine, but you could drop important photos, documents etc onto a USB drive for safekeeping.

            Sorry I can’t offer much more insight. Others may have alternative suggestions.

            • #1312211

              Well, I’d hate to have to go for the “nuke” option (i.e. wipe the drive and re-install everything). I spent the past few days listening to everybody sing the praises of MalwareBytes Antivirus et al. (and the results were impressive), and then you tell me I’m not quite out of the woods yet, and then I run into this roadblock. I have to admit it’s been a frustrating and exasperating week. So… clean up procedures and nuke options. If it comes to that, what buttons do I press? Or should I just download the tools and run regular sweeps with both them and the antiviruses?

            • #1312219

              The problem is that the system is now in an unstable and/or unreliable state. Running some of the tools may or may not have the desired effect, but until the underlying stability is resolved few results can be totally trusted.

              Re-reading the thread, it’s not clear to me how or why the system got into the state where it couldn’t complete a restore or shutdown. It is very unusual for a malware infection, particularly this type of scare-ware to leave the system in such a state.

              The purpose of the scare-ware is to perform a fraud by getting you to pay for a fix that you don’t need and you can’t do that if the system is hosed. It’s in the interests of the bad guys to keep the system functional so you can complete a financial transaction: to pay for the XP Antivirus scare-ware to magically fix the problem {which of course it doesn’t}.

              After that, all bets are off, because the malware may well introduce other attacks – but while it is still trying to defraud you, it shouldn’t break the system.

              If you wanted to try the tools described earlier, run the standard scans, but be prepared for more pain and think about securing your data.

              As previously noted, I think there may be some benefit of running through the process as a learning exercise, but given the stability issues, personally I would be reaching for my image backups or Windows installation disk.

              To cover all options, seek other views on this aspect too.

            • #1312259

              Okay, so let’s explore, for the moment, just one question: Why won’t my System Restore work? Does anyone out there have any ideas?

            • #1312264

              Okay, so let’s explore, for the moment, just one question: Why won’t my System Restore work? Does anyone out there have any ideas?

              tiger,
              Hello… System Restore is kind of misleading. It will restore your “OS” files, registry etc. but not fool with anything that you did… Like if you downloaded something that put some kind of “bug” on your PC, or removed something that you shouldn’t have… “Recovering” with a previously made “Image” (or installation disk) is another matter. Regards Fred

            • #1312304

              Right, so System Restore wouldn’t have worked anyway. So the next option is re-installing, right? So that means saving all my files to a USB drive? Do I have to wipe everything after that, then re-install or does “just simply put the disk in” do it for me?

            • #1312359

              Right, so System Restore wouldn’t have worked anyway. So the next option is re-installing, right? So that means saving all my files to a USB drive? Do I have to wipe everything after that, then re-install or does “just simply put the disk in” do it for me?

              tiger,
              Hello… if I were in your position I would do the following…

              1. Make a full system image using one of the free imaging software packages available, and save it to a 2nd internal/external hard drive, DVDs, flash drive etc.

              2. Move anything that you want to keep off to a safe place also (personal stuff… pictures, data etc.).

              3. If you have the OS disk, try a “Repair”… If this doesn’t work, then I would re-install the OS.

              4. When completed… make another image and keep it in a safe place, in case this happens again… you can then recover in about 10 minutes. Get in the habit of making new images at least once a week or so.

              Hope this is of some help :cheers: Regards Fred

            • #1312456

              Right, free Imaging software: Which sites? Flash drive: does Walgreen’s sell that or probably Radio Shack?

            • #1312464

              Right, free Imaging software: Which sites? Flash drive: does Walgreen’s sell that or probably Radio Shack?

              tiger,
              If you’re new to “Imaging” and want to use Macrium… I would stick with one of their older versions, 4.2.3638, available (and easier to use): Macrium V-4.2.3638. Make sure you read through their (?) help and burn and test the “Linux” Recovery disk… With the newer versions, “5”, you will have to create the WAIK PE Recovery Disk… a little more involved… The “Flash drive” you purchase will depend on how large your OS is (for the image to be placed on it) along with any other stuff that you want. The image file will be smaller than your whole OS because of the “Compression” that is used by Macrium to create it (around 30 to 40% smaller) :cheers: Regards Fred

              PS: V-5’s… work (and I use them now) but on my OS’s I couldn’t get the Simple Recovery disk to work with version 5, and had to make the more complicated “WAIK” (Windows Automated Installer Kit) PE disk.

            • #1313390

              Macrium Reflect V does still allow creation of the good old Linux Rescue CD. Doesn’t always work, so they also have the WinPE/WAIK option. I have a dual-boot configuration, so I installed Macrium V on both partitions (Win8DP and Win7HP). Now if one side messes up, I can restore from the other side. Another quick and dirty option is to reformat and reinstall to OEM, install Macrium V and do the restore from within Windows.

              After jumping through all these hoops and doing all these Safe Mode and Offline and Repair gymnastics, I hope the point is made: BACKUP! BACKUP! BACKUP! A clean System Image restore operation normally takes about twenty minutes from start to finish, and results in the loss of only the most recent data. Reformatting and restoring or reinstalling is the only sure-fire way to remove all traces of an infection.

              -- rc primak

            • #1313711

              Here is my post from the blog about Windows Defender Offline beta:

              “defender freezing

              Yesterday, I downloaded Windows Defender Offline beta and made a CD. Windows XP SP3, updated. Taking over 5 hours, it picked up 5 problems. I clicked on System Cleanup. It took about 1 minute for the progress bar to move about ¾ of the way and then it just stayed on one spot. That was over 3 hours ago. It is an older PC. It did the same thing last night. The online FAQ mentioned downloading and burning on a different PC, so I did. Put the CD in and now that’s where I’m at. I let it sit and switched my monitor to this even older PC. I have MS, so I have a slight vision problem and problems with movement in my right hand, so my typing is slow.

              Since it is an offline program, I can’t take a screen shot, but I did take a digital photo of the screens, showing the names of the items it was supposed to remove by doing the system cleanup.
              4 of the 5 are Trojans or Trojan Dropper and use the hidden entry tied to “Ofida” plus additional characters; the 5th is called a “Vr Tool”. They all hide in Win32. Microsoft Security Essentials and their online Safety Scanner DO NOT find them… How do I get rid of them?
              Don’t bother trying to contact MS via one of their forums on this topic; unless you have a Windows Live email address, they won’t let you even log in. Even their live chat uses an automated function… no real live chat, just a stupid system, trying to read your thoughts.”

              That was a couple of days ago. Since then, I have tried some of the suggestions listed in this forum. To make sure the PC was clean, I went to the county library and used one of theirs. I put the downloaded files on a new, formatted 8GB USB drive.
              I tried S & D, Superanti… (regular and portable, Norton, Malwarebytes, Spybot, and already had MSE previously installed and running. I’ve run them all, usually first in safe mode. The others, except MSE, find a bunch of adware or tracking cookies. NONE of them, including MSE would pick up on the malware that Defender listed.

              I have done full and incremental backups, as well as Easus backups and drive copies. Each one also does a registry backup at the same time. Problem is, without runing Defender on all my backup copies, I can’t tell which was actually a clean backup. How far back do I go? So far, only Defender Offline beta is the only AV that has spotted the malware and it freezes, so it won’t remove them.

              Looks almost like it’s Nuke Time!!!!
              [/INDENT]

    • #1312458

      Imaging software:
      Macrium Reflect This is the app mentioned most often in the free category. There are several other excellent choices as well. Read some of the threads on Imaging in the Security and Backup forum.

      Any electronics stores should have flash drives. Radio Shack, Best Buy, Staples, Office Max, even Walmart. These are available from 1 GB to 32 GB. Personally I would opt for a medium to large size (8 GB to 32 GB)

    • #1312465

      Ask Leo! recently posted a nice tutorial on using Macrium Reflect, but I think it is based on version 5.

      • #1312474

        Ask Leo! recently posted a nice tutorial on using Macrium Reflect, but I think it is based on version 5.

        midnight,
        Hello… Do you have the link …there are many and I’m not sure which one you are referencing … Also I recommend 4.2.3638 because for someone who has little or no experience imaging it’s the easiest one. Version 5’s have more “bells and whistles” than 4.2.3638 and can be a little intimidating to create the most important recovery disk.. With the version 4’s you could make the “Plain Jane” Linux recovery disk, which would work on any of my OS’s XP, Vista, “7”…Regards Fred

        • #1312485

          midnight,
          Hello… Do you have the link …there are many and I’m not sure which one you are referencing

          It is in his newsletter #311 dated Nov 29th. Sorry but I don’t have the link since I get it as a newsletter. It does apply to version 5 which I haven’t explored yet, but I found the on-site explanations of the version when I got it last year to be convoluted and obtuse.

    • #1312480

      Tiger,

      EaseUS todo Backup Free has just been released in v.4.0:
      http://www.todo-backup.com/
      It offers the ability to do full, incremental or differential backups of disks, partitions or files, and will support the construction of both a Linux and a WinPE Boot disk. I haven’t used Macrium myself, due to the lack of differential & incremental backups. I HAVE been burned by Acronis, and many on this forum feel the bloom is off the rose for this once-highly-regarded program.

      Zig

    • #1312516

      I get the newsletter as well. The first article of the tutorial can be found here:
      http://ask-leo.com/macrium_reflect_1_downloading_and_installing.html

      Jerry

      • #1312523

        Thanks Jerry…Good find ..and I’m sure will be a help to anyone who has never “Imaged” their OS before…Regards Fred

        • #1312691

          These simple steps will help you remove most malware from your computer (learned by experience of cleaning friends’ computers):

          Boot into safe mode with networking – continually tap F8 while your computer boots to get to the boot menu – then choose safe mode with networking.

          Download the Microsoft Fix-it for resetting your hosts file from http://support.microsoft.com/kb/972034 and run the fix-it.
          Download and install Spybot Search and Destroy from http://www.safer-networking.org/en/home/index.html. Open the program and go to the Settings. Click settings, scroll down to the System Start section and click the radio button to “Run check once at next system startup”.
          Download, install and run SuperAntiSpyware free edition here: http://www.superantispyware.com/download.html
          Reboot and let the system start normally. Spybot will interrupt the startup and will run – this will get rid of root kits.

          Download and run Malwarebytes here: (get the free version) http://shop.malwarebytes.org/lpa/342/3/7268/index_b.html?_kk=malwarebytes&_kt=77dafa20-d875-4e0a-b98a-54dc2c93bd02&gclid=CM7P4oDgtK0CFcEUKgod-VV_Gg
          Superantispyware also has a portable version to download – it can run from a usb drive without any install – use this if your spyware is blocking everything else, get it here (download on an uninfected computer and put on usb drive): http://www.superantispyware.com/portablescanner.html
          Once your system is clean, use one or another of these tools about once a week to keep your system clean.

          You could run the newest version of CCleaner to get rid of junk in your registry left by the spyware, get it free here:
          http://www.piriform.com/ccleaner

          P.S. I highly recommend SuperAntiSpyware – I even bought the pro version, because of how effective the program has been at cleaning up some really nasty malware on computers brought to me by friends and family. I have used all of the programs listed above many times and they all work well, but none of them get everything, but a combination of two or more usually does the trick. Remember to never click on a popup – use F4 to close out your browser, then run one of the programs above to make sure your system is safe.

          I think I fixed the link to Spybot. Inadvertently left out the hyphen.

          I’ve never had any problem downloading the free version of SuperAntiSpyware. I bought the Pro version a while back during a special sale and got a lifetime license for $19.95. I have installed the free version (along with Malwarebytes and Spybot Search and Destroy) on at least 6 friends and relatives computers that had been compromised in the last couple of years. All of those machines are still malware free. I did however make sure the owners knew how to run the programs and made them promise to run them every couple of weeks. I also installed MSE on all of the machines.

          • #1312725

            These simple steps will help you remove most malware from your computer (learned by experience of cleaning friends’ computers):

            Boot into safe mode with networking – continually tap F8 while your computer boots to get to the boot menu – then choose safe mode with networking.

            Download and install Spybot Search and Destroy from http://www.safernetworking.org Open the program and go to the Settings. Click settings, scroll down to the System Start section and click the radio button to “Run check once at next system startup”.

            Download and run Malwarebytes here: (get the free version)

            caveman ,
            Hello… Good advice…However some other input..
            1. The Link for “safenetworking” throws a “WOT” warning

            2. Malwarebytes free is found Here

            3. When “Superantispyware” first came out ..It would give me “Found Virus Blah, Blah, ” …Only today you can buy “Super Blah,Blah” for this one time price…. How do you spell Scam?
            :cheers: Regards Fred

    • #1312738

      Fred,

      The correct URL for Spybot S&D is:

      http://www.safer-networking.org/en/

      (note the hyphen) True, SuperAntiSpyware uses some aggressive marketing, but you DON’T have to buy the product to use it successfully.

      Just my 2 cents’
      Zig

    • #1312758

      Lots of good info here people, thanks 🙂 I already downloaded MalwareBytes and Superantispyware and used them. They seemed to have done the job. My PC, at least, looks and seems to run okay. I’m more worried about the issues Tinto raised. I’m in a holding pattern right now. I’m waiting for payday before going out to buy a USB drive. I’m inclined towards a wait and see attitude regarding my PC, with regular runs with the antivirus tools. Your info is good to retain for future reference but, with things calm on my PC at the moment, is my trouble urgent (I was kind of panicky last week but now…)? Or am I just complacent?

      • #1312847

        I have removed this malware 4 times in the last two weeks. Infected machines may have a variety of other problems, including inability to run Windows update, missing files, and inability to run any programs at all.
        In addition to SAS and Malwarebytes, run Rkill, which “…is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections. When RKill runs it will kill malware processes and then import a Registry file that removes incorrect file associations and fixes policies that stop us from using certain tools. When finished it will display a log file that shows the processes that were terminated while the program was running.”
        http://www.bleepingcomputer.com/download/anti-virus/rkill
        When I get such a machine I also look at Windows update, defrag and chkdsk and the start up processes, as they are invariably neglected.
        It’s way past time someone found these clowns and jailed them. If I have run into it 4 times in two weeks, there must be many thousands of machines being infected every day. For that matter, why do we have to rely on the goodness of the anti-malware community to remove these infections? MS should be providing solutions and better guidance to users, who shouldn’t have to suffer these malicious and expensive problems just because they get on line and get tricked by these very clever scammers.

        • #1312858

          I suggest installing Immunet which seems to be the only A-V program that can be run alongside others.
          See http://www.immunet.com/plus/index.html

          MS Security Essentials and Immunet together provide adequate free active A-V protection. Then run weekly scans using other tools mentioned in this thread. I suggest a different one each day since they all miss different things. I do this on Win 7 Home Premium 64 bit for the last 18 months without a virus problem.:rolleyes:

          • #1312892

            I would like to add my suggestion for a few helpful tools, all of which I have used.

            First, make sure you have an effective Hosts file, as it can stop visits to unsafe sites. Best to manage it with a decent program – I use Hostsman from http://www.abelhadigital.com/hostsman and, once installed, MVPS Hosts (from the same source) to supply the details of the unsafe sites.

            Second, consider running with less rights, that is, not as administrator. This will reduce the opportunity for malware to run. There is a good little program that makes this quite easy called DropMyRights; you can see what it does described at http://news.cnet.com/8301-13554_3-9756656-33.html (or indeed several other sites if you search); there is a download link there as well. Both these suggestions would be good for those average users who persist in clicking every link in sight.

            Third, if you have to reload Windows, try doing so via the easy reinstall method suggested by Fred Langa some time ago now, which retains the majority of your settings but replaces those files that need it. He set out the procedure in a step-by-step guide (with pics) available at http://www.informationweek.com/news/189400897?pgno=1 and later mentioned it in a Windows Secrets article. It is certainly better than the “nuclear” method! Bear in mind it may not always work though, depending on the variety of problems.

            Hope these might help.

            Garth

          • #1312989

            I had to remove something called “Vista Antispyware” from a family member’s computer. I ended up going into “safe” mode with networking (on boot up, press the ‘F8’ key) and then loaded and ran Spybot Search and Destroy. If you don’t go into safe mode, the malware will just keep opening itself, preventing you from loading anything or even accessing the internet. I let it remove anything suspect, then I downloaded Avast, re-booted, and everything was clean.

      • #1312956

        tiger4,

        You might also try Microsoft Windows Defender Offline (featured in this week’s Windows Secrets newsletter). It may be able to catch any rootkits, malware, etc before the OS boots.

    • #1312846

      I’ve recently had to remove this same malware off some PCs for a friend and my daughter. Several months ago a different group of friends had the same thing, and it even made it onto my XP laptop over the summer, the second infection EVER for a system I’m using….going back to DOS 5. :huh: How it gets in is a mystery to me.

      The basic safe-mode/MalwareBytes approach worked for most infections. A couple of them busted the Win Updates tool, but a search for the error code turned up fixes from MS. Turns out the malware had turned off the update service. All of the infections added proxy settings to the browsers, those were easy to fix.

      The most recent infection on my daughter’s Win 7-64 system was a tough one. Any of the scanners would catch a bad .DLL, but its removal rendered the system unbootable. The only option to get it booting again was to use an infected restore point. Man, it hurts to do that, but when it’s all you have….

      After that, I had to catch MSE before it auto-fixed the problem, and uninstall it. I ended up on a forum at bleepingcomputer.com, where I ran one of their tools and posted a log of the results. After a few days, someone picked up my post and led me through the removal of the crap, step by step. I don’t know how they know what to do, but several posts back and forth and it worked to solve a tough problem. There are still issues in this system with some corrupt DLLs, but she only uses it for goofing around online, it’s not key to her job or livelihood. In any case, those guys are really good, if you can handle the delay…I have no interest in them other than as a satisfied member.

      As for prevention, my WinXP users are screwed. One friend clicks on everything, no curing that. My daughter’s Win 7 machine had been set with the weakest UAC (User Account Control) settings, so I cranked that up a couple notches. Next week I will be tweaking her accounts so she’s just a regular user, not an administrator. I’m a convert to this approach and use it myself with my new Win 7 laptop.

      Spybot has an immunization feature I like to use, don’t know if it helps but it feels good. lol. The alternative firewall sounds intriguing, so long as it’s transparent to the user/customer.

    • #1312857

      Ah yes, sometimes this malware breaks the ability to run .exe files.

      The trick is to change mbam.exe to mbam.com, and launch it that way. If you have to install MalwareBytes, then rename the installer with .com. When the jerks who created this one attack that vector, we’re in big trouble.

      Just for grins, here’s my thread on the bleepingcomputer forum.
      http://www.bleepingcomputer.com/forums/topic433604.html/page__pid__2526335#entry2526335

      Clearly, proper malware removal isn’t for us amateurs.
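Several posts in this thread describe the same three things this malware family tampers with to keep the cleanup tools from working: the hosts file (caveman’s first step, Garth’s Hostsman suggestion), the browser proxy settings (#1312846) and the .exe file association that the rename-to-.com trick above works around. The script below is an added example, not from the thread or any vendor; it is read-only and only reports what it finds. The watched-domain list and the sample hosts lines are constructed for the demonstration.

```powershell
# Added example (not from the thread or any vendor): read-only audit of the
# three things posters above saw this malware family tamper with to block
# cleanup: the hosts file, the browser proxy, and the .exe file association.
# Windows PowerShell 2.0 or later (XP SP3 with PowerShell installed, or Windows 7).

# Domains the recovery tools in this thread need to reach. Constructed list;
# extend it with whatever your own tools update from.
$WatchDomains = @('malwarebytes.org', 'superantispyware.com',
                  'safer-networking.org', 'microsoft.com',
                  'windowsupdate.com', 'avast.com')

function Find-HostsHijacks {
    # Returns one object per hosts entry that pins a watched domain (or any
    # of its subdomains) to some address. The stock 'localhost' lines pass.
    param([string[]]$Lines)
    $hits = @()
    foreach ($line in $Lines) {
        $entry = ($line -split '#')[0].Trim()        # strip comments
        if ($entry.Length -eq 0) { continue }
        $parts = $entry -split '\s+'
        if ($parts.Length -lt 2) { continue }
        $ip = $parts[0]
        foreach ($name in $parts[1..($parts.Length - 1)]) {
            if ($name -ieq 'localhost') { continue }
            foreach ($d in $WatchDomains) {
                if ($name -ieq $d -or $name.ToLower().EndsWith('.' + $d)) {
                    $hits += New-Object PSObject -Property @{ HostName = $name; MappedTo = $ip }
                }
            }
        }
    }
    return $hits
}

function Get-ProxyState {
    # Current user's WinINet proxy, the setting #1312846 found silently added.
    # Values that are not set come back empty.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        ProxyEnabled  = [bool]$p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigUrl = $p.AutoConfigURL
    }
}

function Test-ExeAssociation {
    # The clean default open command for 'exefile' is the literal  "%1" %*
    # Anything else means .exe launches are being redirected, which is the
    # symptom behind the mbam.exe -> mbam.com workaround.
    $cmd = (Get-Item 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command').GetValue('')
    New-Object PSObject -Property @{ Command = $cmd; Intact = ($cmd -eq '"%1" %*') }
}

# --- Constructed sample hosts content, so the parser can be exercised anywhere ---
$sample = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '127.0.0.1       localhost',
    '::1             localhost',
    '127.0.0.1       www.malwarebytes.org   # constructed hijack entry',
    '10.0.0.5        update.microsoft.com    # constructed hijack entry'
)
'Sample hosts file:'
Find-HostsHijacks -Lines $sample | Format-Table HostName, MappedTo -AutoSize

# --- Live system ---
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
"Live hosts file ($hostsPath):"
Find-HostsHijacks -Lines (Get-Content $hostsPath) | Format-Table HostName, MappedTo -AutoSize
Get-ProxyState | Format-List
Test-ExeAssociation | Format-List
```

An empty table for the live hosts file, ProxyEnabled False and Intact True is the expected picture on a machine that was never touched. A hosts entry pointing an update domain at 127.0.0.1 or a private address, or an open command that is anything but `"%1" %*`, is worth dealing with before the scanners are trusted again; the MS Fix-it in caveman’s step list restores the hosts file, and the other two are plain registry values.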

    • #1312939

      Yes, a repair install. Remember you cannot do a repair install with your OS disc if it does not have SP1 on it and you have SP1 installed.
      However, you can download an ISO from Digital River with Windows 7 and SP1, burn it to a disc and do a repair install from it. Remember to keep your activation key; you will possibly need it.

      32-bit Windows 7 Home Premium x86 ISO

      Digital River: http://msft-dnl.digitalrivercontent.net/msvista/pub/X15-65732/X15-65732.iso

      64-bit Windows 7 Home Premium x64 ISO

      Digital River: http://msft-dnl.digitalrivercontent.net/msvista/pub/X15-65733/X15-65733.iso

      32-bit Windows 7 Professional x86 ISO

      Digital River: http://msft-dnl.digitalrivercontent.net/msvista/pub/X15-65804/X15-65804.iso

      64-bit Windows 7 Professional x64 ISO

      Digital River: http://msft-dnl.digitalrivercontent.net/msvista/pub/X15-65805/X15-65805.iso

    • #1312976

      Super Sarge, those links are for Windows 7 without SP1. The SP1 Windows install files are at:
      http://techdows.com/2011/07/download-windows-7-integrated-with-sp1-iso-official-direct-download-links.html

      Jerry

    • #1313144

      Try using this method, also, Last known good configuration, at this link.
      http://windows.microsoft.com/en-US/windows7/Using-Last-Known-Good-Configuration

    • #1313713

      It doesn’t make any difference which security products you’re using if you access the internet through an administrator account, which is what most people unknowingly do. That’s like opening the door of your home and letting anyone walk in and wander around. Stay out of the administrator account as much as possible and instead use a limited account. Through the administrator account, sophisticated malware can turn off your security software and then destroy your operating system. That happened to me about four years ago. After reformatting the hard drive and reinstalling the operating system, I came across this web page: http://www.mechbgon.com/build/security2.html

      It was then I realized I wasn’t using the operating system (XP Professional) properly and went about correcting that by setting up a limited account, implementing the Software Restriction Policy, and turning on Data Execution Prevention. These security protocols will introduce some inconvenience, and I was annoyed at first, but I got over that and would never go back to my old foolish ways. Now, I laugh at malware, even though I get attacked at least weekly. I have one antivirus software product (ESET NOD32), which seems to work well, and I run the free Malwarebytes’ Anti-Malware once a month, which never catches anything because nothing gets through. So, do yourself a favor and visit that web page; you might learn something new like I did.
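The post above rests on three settings: browsing from a non-administrator account, a Software Restriction Policy, and Data Execution Prevention. The script below is an added example (not from the thread or from mechbgon.com) that reports where a machine stands on each, so the reader can see whether the posture described has actually taken effect. It reads the registry and WMI only and changes nothing; run it from the account you normally browse with, because the first two lines are about that account.

```powershell
# Added example (not from the thread or from mechbgon.com): read-only report of
# the three settings the post above relies on. Windows PowerShell 2.0 or later
# on XP, Vista or 7. Run it as the account you actually browse with.

function Test-ElevatedSession {
    # True when this PowerShell process holds the Administrators token. On
    # Vista/7 with UAC an *unelevated* shell of an admin account reports False,
    # so this alone does not tell you whether the account is an administrator.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-AccountIsLocalAdmin {
    # Group-membership check that does not depend on elevation: is the current
    # user name listed in the local Administrators group? Domain accounts show
    # up as DOMAIN\user in that listing; adjust the comparison if you use one.
    $members = net localgroup Administrators 2>$null
    return [bool]($members | Where-Object { $_.Trim() -ieq $env:USERNAME })
}

function Get-SrpDefaultLevel {
    # Software Restriction Policy default level, read from the policy key that
    # secpol.msc writes. No key at all means SRP was never configured.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p -eq $null -or $p.DefaultLevel -eq $null) { return 'not configured' }
    switch ($p.DefaultLevel) {
        0x0     { return 'Disallowed (default-deny; the posture recommended above)' }
        0x20000 { return 'Basic User' }
        0x40000 { return 'Unrestricted (SRP present but not enforcing)' }
        default { return ('unknown level 0x{0:X}' -f [int]$p.DefaultLevel) }
    }
}

function Get-DepPolicy {
    # DEP support policy from WMI: 0 AlwaysOff, 1 AlwaysOn,
    # 2 OptIn (Windows default: Windows binaries only), 3 OptOut (all
    # programs except an exclusion list).
    $v = (Get-WmiObject -Class Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    if ($v -ne $null -and $names.ContainsKey([int]$v)) { return "$v ($($names[[int]$v]))" }
    return "$v (unrecognised)"
}

'Session is elevated        : ' + (Test-ElevatedSession)
'Account in Administrators  : ' + (Test-AccountIsLocalAdmin)
'SRP default level          : ' + (Get-SrpDefaultLevel)
'DEP policy                 : ' + (Get-DepPolicy)
```

The combination the post describes reads as: Account in Administrators False, SRP default level Disallowed, DEP policy 3 (OptOut). On XP there is no UAC, so the first two lines always agree; on Windows 7 the first line is False in any unelevated shell, which is why the second check exists.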

      • #1313714

        Been working with PC’s since DOS first came out, when you booted and ran from 5 1/4 floppy. You learn something new everyday. I didn’t recheck the settings, but thought the login I was using in safe mode was one I had set up as limited. Guess not.

        • #1314197

          I have tried all of the A/V listed in this forum. Safe mode w/ & w/o networking, mostly by loading from a USB drive and copying to HD, then running it. Problems: can’t run them with a limited S/O. So I reboot into safe without networking and use the admin s/o. They each pick up and remove or quarantine a lot of different cookies, but nothing I am worried about. Defender is the only program that picks up on these 5 problems. Nothing else can even see them, not even MSE!!!
          When I was on dialup, a limited s/o worked for almost all of my online needs. 1 1/2 years ago I moved to a DSL. I do a lot offline and did not want these PC’s sitting there just waiting to be attacked. Simple solution was to go to Control Panel > Internet Options and create a shortcut on my desktop. Click – enable, or click – disable. Only problem…. it won’t work with a limited s/o, and with a limited s/o, I can’t make the connection work to enable/disable in the Control Panel. No way am I going to keep logging in/out of admin and switching s/o’s just to check email or local news. I think the term is “Catch 22”. You can’t get there with limited, but need limited if you get there!
          I wonder if MS is just messing with users? I ran WDO on my old Dell and had the same results. It picked the same problems and, when told to fix, it gets so far and just freezes. I think I’ll just keep important files encrypted or in a secure vault and keep going the way I am.
