Stubborn malware cripples computer

Let'sgoflying! (Dave Taylor, west Texas):
I have the Security Defender 2010 malware on my computer.
It is a bogus program that claims to offer to remove spyware for a fee. The only malware on my computer is Security Defender itself.
I have tried Avast's quarantine feature and their delete feature.
I have tried the instructions here:
http://www.bleepingcomputer.com/virus-removal/remove-security-essentials-2010
(I think Security Defender is preventing me from getting what I need off that site, and downloading it via another computer and then a USB flash drive is not helping.)
I have tried to access this site but cannot download anything, again I think because of Security Defender:
http://www.spywarevoid.com/remove-s...10-security-essentials-2010-removal-help.html
I cannot even access many sites now; it appears that SD believes that I am trying to get rid of it.

Anyone think a System Restore would work?

How about the manual instructions on the last site instead of System Restore?

Would a backup, made now, be infected? (Maybe I should not make a backup at this time)
 
That's one of the most stubborn ones to remove.

We ended up reimaging my work computer after it got picked up as a drive-by from a legitimate web site.

Any backup you make now will carry the infection. And system restore won't fix it.

There is a variant of that that will overwrite one of your system programs that drives the network and intercept search engine requests.

You may be better off getting a new hard drive, reloading the operating system fresh, reloading your programs, and then setting up the old drive in a fashion that you can copy your data files from it. You'll need to run data files through a legit virus scanner.
 
1. To do most of the manual removal stuff you need to be in Safe Mode and/or kill the process. If not, then it may not get removed, because Windows doesn't like to delete files that are in use.

2. Are you sure you have the right manual removal directions? Those say "Security Essentials".

3. System Restore *might* "work" provided the malware didn't poison those. The files will still be there but just won't be opened.

4. Expect this to take 2-5 hours to remove.
 
Dave,

I am not the fastest typist so I will keep it short. Try this.

Reboot into Windows safe mode with networking. As soon as the computer starts, start hitting F8 (function key 8) at a pace of around once a second until a text menu pops up. Select "Safe Mode with Networking".

Download and install Malwarebytes from www.malwarebytes.org. Once it is installed, try to run it in safe mode; if it doesn't run, reboot into regular mode.

Run a full scan once or twice, allowing it to remove or delete anything it finds.

At some point you will need to decide to give up any past System Restore points and turn off System Restore, and then do another full Malwarebytes scan or two. To turn off System Restore, right-click on your "My Computer" icon, select Properties and then the System Restore tab, and check "Turn off System Restore". Remember you will lose your previous restore points.

Run an antivirus scan or two for good measure.

This has worked for my customers, I hope it helps you...

Jon
 
One more thing..

If Internet Explorer is hijacked and will not let you get to Malwarebytes, try downloading and installing Firefox first and then use that to get Malwarebytes. Download Firefox in safe mode if necessary.

Jon
 
Malwarebytes is part of the first solution and it hasn't been successful.
Hmm, I do have a spare IBM hard drive. What a PIA that would be!
And I still don't know what I did wrong to get this, or why Avast did not stop it.
I will try the malware in safe mode first,
then remove entries,
then System Restore,
then new HD.
 
This is a tough bug! But it can be cleaned. If Malwarebytes removed it but then it came back after a reboot, turning off System Restore has a very good chance of helping. Let us know.

> Malwarebytes is part of the first solution and it hasn't been successful.
> Hmm, I do have a spare IBM hard drive. What a PIA that would be!
> And I still don't know what I did wrong to get this, or why Avast did not stop it.
> I will try the malware in safe mode first,
> then remove entries,
> then System Restore,
> then new HD.
 
> turning off System Restore has a very good chance of helping. Let us know.

Turning off SR?
Is that not a protection against this very thing?
If I turn SR off, does that not mean I will no longer have a restore point that is malware-free??
 
> And I still don't know what I did wrong to get this, or why Avast did not stop it.
Hard to say, but it could've been something as simple as a security hole that was patched a little too late (through no fault of yours). And typically, many AV programs suck at picking up malware. In recent times their malware detection/block/removal abilities have climbed from dismal to marginal. YMMV
 
Dave,

A lot of malware infects the System Restore files. Antivirus or antimalware scanners cannot access the System Restore files, and therefore the problem can't be fully removed while System Restore is active.

Please understand that yes, you will lose your restore points, but if right now you are considering a new hard drive and reloading Windows, what good are those restore points doing for you anyway?

Don't forget your current problem and anything that you do to try to fix this risks the loss of your files or operating system! If you have important files, copy them to an external drive first.

Good Luck,

Jon

> Turning off SR?
> Is that not a protection against this very thing?
> If I turn SR off, does that not mean I will no longer have a restore point that is malware-free??
 
If you feel better about it, it can't hurt to try to restore the system back using System Restore. I hope it works, but I have found it to work on a very limited number of systems.
 
> Don't forget your current problem and anything that you do to try to fix this risks the loss of your files or operating system! If you have important files, copy them to an external drive first.

And then, once you get your system rebuilt (probably the best option now), be sure to scan those external files/documents with a freshly updated antivirus program before you move them back to your system and open them. Sorry you're having to deal with this, Dave. What a mess.
 
I think it also has a timer built into it, whereupon the computer works well for a while, then it is locked up (popups and no internet access), so it is harder to decide if the last action worked!
 
Just a note: when my office computer had the infection it disabled safe mode - any attempt to get into safe mode brought on the BSOD.

Safe mode is essential to trying to remove this.
 
This, dear friends, is an object lesson. Everyone needs to image their HDs periodically, and progressively, with a non-Windows boot-from-the-CD-drive system.

Then, the data on the HD is just that. Data. You can pick and remove whatever you need to get rid of.

But more importantly, if you get some tough crap in your system, you simply groc the files you want from the outboard image, save them, and restore last month's (or last week's) image, pre-invasion.

You then reload your groc'd files, reimage the new HD, and proceed with life.

Acronis costs ?$21, there are numerous others.
Credit for this belongs to the Master himself, Mr. Mike Andrews.
 
> This, dear friends, is an object lesson. Everyone needs to image their HDs periodically, and progressively

Well, it's an additional lesson. My backups are good. My thought of accidentally sending a virus to my external HD was a knee-jerk reaction: "It's about to crash, I need to... oh... no, I don't".

I have not figured out what the real lesson is for this. Don't get so excited about Ice Pilots, I guess; let someone else take the bait first!
 
The kids or their cousins or my 19-year-old Swedish nanny brought that lovely set of ones and zeros to one of my computers. I followed the 'do this first' script at the majorgeeks.com malware forum and got rid of it without having to post any info for additional help. The combination of SuperAntiSpyware and MalwareBytes in the proper order seemed to be the trick, but that is just an observer's guess.
 
I had a computer with a stubborn virus in it. I used a number of tools referenced here to remove it. It took me literally weeks to clean it up completely. I used a number of tools they referenced in the various posts.
There is no fast way except for a full restore but where not possible, work at it. It helps if you have a second PC to do this from. Cheap netbooks or notebooks would help. Get the infected one off the network so it doesn't cause problems for you.
I have SPYBOT running and AVG (the commercial version). It helps to keep them current.
 
Most of the pain is over. All the popups have stopped and Avast is not going bananas anymore. Scans by various programs proclaim the HD clean.
The only lingering after-effect is that it is still blocking access to certain websites. Specifically, I cannot log onto www.malwarebytes.com although another computer right beside me has no trouble. I think it is trying to prevent me from fixing it with this ploy.

Wish I could say I knew specifically how I removed as much as I did, but I was sick (with a virus, no less) and it is mostly a blur.
There are many, many sites out there with step-by-step instructions, and they are all different! I did complete some of these steps but not all in each case, due to some type of roadblock.
 
> Well, it's an additional lesson. My backups are good. My thought of accidentally sending a virus to my external HD was a knee-jerk reaction: "It's about to crash, I need to... oh... no, I don't".
>
> I have not figured out what the real lesson is for this. Don't get so excited about Ice Pilots, I guess; let someone else take the bait first!

Dave, are you sure it was the Ice Pilot file?

I downloaded Episode 13 from the link you posted before you pulled it back down, and had no problem with it at all. When you posted the virus issue, I had already opened the file on my laptop (XP with Trend Micro antivirus) and scanned it before viewing. The file looked fine and didn't set off any alarm bells and I watched it. After I saw your posting about the virus, I rebooted the laptop twice and did a full system scan to see if there was any problem and, so far, there is none.

After seeing you post about your continuing problems, I scanned the file on my Windows 7 machine with Microsoft Security Essentials and Secunia and they all showed it to be clean.

You may have picked it up from somewhere else. Had you already downloaded it when you posted that link?
 
Dave, check your 'hosts' file (see this article) and make sure the virus didn't put some fake entries in there. Most computers should have nothing other than the 127.0.0.1 localhost entry after all the header stuff.

If you have other entries (including one for malwarebytes.com), then the virus put fake entries in there to keep you from getting to the site. Windows checks the hosts file first to see if an IP address is defined for the site name; if it finds nothing there, then it starts looking other places, like DNS. Some viruses will put fake IP addresses in the hosts file to keep you from getting to the site, or to redirect you to another site.
 
As soon as I downloaded it, right after completion - all sorts of popups started. I was doing nothing else at the time. No other windows were open and I was not even working on the computer at the time. Set it to dl and was milling around doing paperwork. Certainly can't say for sure that it was that link, but the chronology of it made me suspicious. It might have been some completely other thing. Others have dl'd the video ok too. One of the things I did after discovering the problem was to scan the avi and it was clean...so I watched the movie!
I posted the link when I found it, then downloaded for myself, then found a problem, then pulled the link. To answer your Q.

Troy I will check my hosts and report back. Thanks!
 
Must have the MydoomB virus; it won't let me access antispyware sites or MS Windows updates.
 
The way I usually do these jobs probably won't work for you because it involves, frankly, some guesswork and poking around the filesystem (usually using a Linux boot disk, because even ERD, being basically a Windows PE, sometimes crashes on these systems).

If you want a simple solution that is safe and probably will work, try this:

Check the hosts files, as others have said. It should only have the localhost entry (127.0.0.1) for now. Then shut the machine off for a day. Just completely shut it down. And put a sign on it so no one else turns it on.

The next day, when you're ready to do the job, download the latest ComboFix from bleeping computer (NOT combofix.org, which is a malicious site), as well as MBAM from malwarebytes.org, onto a flash drive using an uninfected computer. Then run to the infected one, and immediately boot the infected machine into Safe Mode with Networking and run ComboFix. After it finishes (and reboots itself a few times, which it probably will), install, update, and run a full scan with MBAM.

ComboFix is frequently updated to defeat the crippling code typically included with rogue AVs and other rootkitting malware, as well as to detect new malware. I've seen it update multiple times during the same job. By turning off the infected machine for a day, you give ComboFix the benefit of a day's edge on the nasties, and so it has a better chance at detecting and removing enough of the malware to at least cripple it long enough for MBAM to pick up the rest of the pieces.

There are other ways to do this, but they're risky and might just result in your hosing the system.

I disagree with the assertion that these infections always require reinstalls. I've only had to reinstall one system in the past year or so. I've elected to reinstall a few others because they had nothing of importance on them and reinstalling was faster and cheaper than fixing the system. But it's a rare piece of malware that absolutely cannot be removed. It's just a lot of work sometimes.

-Rich
 
He ended up having a DNS hijack in the registry, redirecting name resolution to some servers with Ukrainian IP addresses. We manually corrected that, which fixed the blocks to anti-malware sites. Several safe-mode scans later, we seem to be there.
 
> He ended up having a DNS hijack in the registry, redirecting name resolution to some servers with Ukrainian IP addresses. We manually corrected that, which fixed the blocks to anti-malware sites. Several safe-mode scans later, we seem to be there.

Man, I suspected (from the blocking of certain sites) that this was the case, but I lack adequate grok-age to know how to spot and fix it.

Good work, guys!
 
> He ended up having a DNS hijack in the registry, redirecting name resolution to some servers with Ukrainian IP addresses. We manually corrected that, which fixed the blocks to anti-malware sites. Several safe-mode scans later, we seem to be there.

We shoulda' nuked those commies when we had the chance... :D

-Rich
 
> He ended up having a DNS hijack in the registry, redirecting name resolution to some servers with Ukrainian IP addresses. We manually corrected that, which fixed the blocks to anti-malware sites. Several safe-mode scans later, we seem to be there.
Without giving away your super geek secrets, how'd you find it? What would I have to do to fix something like that? What's a good giveaway you've been hijacked?
 
> This, dear friends, is an object lesson. Everyone needs to image their HDs periodically, and progressively, with a non-Windows boot-from-the-CD-drive system.
>
> Then, the data on the HD is just that. Data. You can pick and remove whatever you need to get rid of.
>
> But more importantly, if you get some tough crap in your system, you simply groc the files you want from the outboard image, save them, and restore last month's (or last week's) image, pre-invasion.
>
> You then reload your groc'd files, reimage the new HD, and proceed with life.
>
> Acronis costs ?$21, there are numerous others.
> Credit for this belongs to the Master himself, Mr. Mike Andrews.
+1

I've used True Image for five years and I've not lost a byte. The latest version is as good as the $50K NetBackup setup in the data center I run in terms of "just tell me what you want, from what day, and I'll get it for you". It's really terrific.
 
> Without giving away your super geek secrets, how'd you find it? What would I have to do to fix something like that? What's a good giveaway you've been hijacked?

Sure. No big secrets. If you want to REALLY learn a lot about how to identify and fix these kinds of issues, sign up for and take the free GeeksToGo.com Geek University course.

If you don't want to take a course but just want to get some good tips on removing malware, their generic Malware and Spyware Removal Guide is very good.

Back to your question: Dave could get to "some sites" (so I knew Internet was working) but couldn't get to any of the important malware prevention sites, such as www.malwarebytes.org.

That's why I suggested he check the HOSTS file in <Windir>\system32\drivers\etc; some viruses or malware will write entries there to redirect certain domain names to new IP addresses. He checked his HOSTS file, and it was ok.

The other common "attack" is to install new TCPIP interfaces with NameServers (DNS servers) hijacked; essentially, saying "instead of looking up URLs in good phonebooks, use OUR phonebook".

In the registry, using regedit, I had him check each interface listed under My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, and for each interface check the Nameserver entry, if any existed. On most systems it will be blank, or point to your router (192.168.x.x on most home networks). On two of his interfaces, the IP addresses for the name servers pointed to "93.188.162.173; 93.188.166.66".

These COULD be okay (perhaps his ISP's DNS servers, or an OpenDNS IP address--for example, Google has a great public DNS with EASY to remember IP addresses).

I punched the IP address 93.188.162.173 into Google, and used one of the IP / Subnet geo-location tools to locate it to the Ukraine, a known hotbed of bad-a$$ scammers / virus programmers:

http://www.ip-adress.com/ip_tracer/93.188.162.173

We edited the NameServer entries to blank them out, and rebooted -- rechecking the entries to make sure an active virus wasn't still modifying those entries -- and suddenly he was able to get to all sites correctly again.
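As an added example (not from the thread), this PowerShell script audits the two redirection points Troy describes, the HOSTS file and the per-interface NameServer values under the Tcpip\Parameters\Interfaces key, and flags anything that is not loopback or a private-range router address for review. It is read-only and assumes an elevated prompt on the suspect Windows machine; an ISP's or a public resolver will also show as "external", so the output is something to compare against what you expect, not a verdict.

```powershell
# Added example, not from the thread: audit the two DNS redirection points discussed above.
# Run from an elevated PowerShell prompt on the suspect Windows machine. Read-only.

# RFC 1918 private ranges plus loopback: a NameServer here is normally the home router.
function Test-PrivateIPv4 {
    param([string]$Ip)
    return ($Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)')
}

# 1. HOSTS file: Windows consults it before DNS, so anything beyond loopback deserves a look.
$hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'
Write-Host "== HOSTS entries ($hostsPath) =="
foreach ($rawLine in Get-Content $hostsPath) {
    $line = ($rawLine -split '#')[0].Trim()        # strip comments and blank lines
    if ($line -eq '') { continue }
    $ip, $names = $line -split '\s+', 2
    if ($ip -ne '127.0.0.1' -and $ip -ne '::1') {
        Write-Host "SUSPICIOUS  $ip -> $names   (redirects these names)"
    } elseif ($names -ne 'localhost') {
        Write-Host "REVIEW      $ip -> $names   (loopback used to sinkhole a name)"
    }
}

# 2. Per-interface resolver settings, the key Troy had Dave inspect with regedit.
$ifaceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
Write-Host "`n== Per-interface NameServer values =="
foreach ($iface in Get-ChildItem $ifaceKey) {
    $props = Get-ItemProperty $iface.PSPath
    foreach ($valueName in 'NameServer', 'DhcpNameServer') {
        $raw = $props.$valueName
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }
        # Windows separates multiple servers with spaces or commas.
        foreach ($server in ($raw -split '[ ,]+' | Where-Object { $_ })) {
            $verdict = if (Test-PrivateIPv4 $server) { 'ok (local)' }
                       elseif ($valueName -eq 'NameServer' -and $props.EnableDHCP -eq 1) {
                           # A static resolver on a DHCP interface is exactly the pattern Troy found.
                           'REVIEW: static resolver overriding DHCP' }
                       else { 'REVIEW: external resolver, confirm it is yours' }
            Write-Host ("{0,-40} {1,-15} {2,-16} {3}" -f $iface.PSChildName, $valueName, $server, $verdict)
        }
    }
}
```

An empty HOSTS listing is the expected result on a stock Windows install, where the default entries are all commented out; cross-check the resolver list against `ipconfig /all`, and re-run after a reboot, as Troy did, to confirm nothing is rewriting the values.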
 
Troy is a genius, and a heart of gold to boot.
Thanks Troy. Literally hours of posting back and forth all weekend.

Others made good suggestions, but I was getting a dozen different directions to go in at once so had to stick with one - so thanks to all for trying to dig me out.
 
Looks like he got right to the heart of the issue, and you can't do better than that!
 