Question

Posted

Ok, I'm fixing a PC for a friend. When I turned on the computer I was blocked out by some dumb message about copyrights and wanting to pay $200. Finally I was able to remove some of the files, delete it from startup, etc., installed Spybot Search & Destroy, ran the scan and removed all entries. Used the PC on and off for a few days. No issues. Gave the PC back... Within 2 days... it's back. Is there a better freeware scanner/remover for this? I'm at my wits' end with this.


37 answers to this question

  • 0

Posted

Download Malwarebytes and run a FULL scan in Safe Mode.
2 people like this

  • 0

Posted

Or install Avast and do a boot time scan.
2 people like this

  • 0

Posted

1. Boot in safe mode
2. Empty ALL temp folders, including user temp folders, not just Windows
3. Reset IE, checking the box to delete everything
4. Open regedit:

[b]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run[/b]
and
[b]HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run[/b]

Delete any suspicious-looking entries

Also delete anything in [b]HKEY_CURRENT_USER\Software[/b] and [b]HKEY_LOCAL_MACHINE\SOFTWARE[/b] that looks malware-related

Open MSCONFIG and disable anything that looks suspicious in there too

----------

Reboot in normal mode, and run a full scan with a fully updated Malwarebytes

You have already scanned with Spybot but do it again anyway

Another good thing is installing Avast Free and doing a "Boot Time Scan"; this will be able to remove malware that cannot be killed inside of Windows

Download and run a scan with "HijackThis"; remove any suspicious entries in there too

Scan a couple of times with all the above programs until they all return a clean result

If you still have a problem after all that, wipe > reinstall Windows
3 people like this

  • 0

Posted

What exactly would be considered suspicious? I'd assume they would label anything that would set off red flags..

  • 0

Posted

[quote name='jerzdawg' timestamp='1353256494' post='595330526']
What exactly would be considered suspicious? I'd assume they would label anything that would set off red flags..
[/quote]

Well, just anything you don't recognise as being installed on the machine as a genuine app; a lot of malware will have registry keys with weird symbols, such as !"

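Neither the numbered procedure above (step 4, the two Run keys) nor the reply about "weird symbols" includes any code, so here is an added example that is not from any poster in this thread. It parses a constructed `.reg` export of the two Run keys named in the steps (the format `reg export` writes) and flags each autostart entry by the kinds of signals the replies describe: a value name with odd symbols, a random-looking name, a command launched from a temp or other user-writable folder, and an executable that borrows a Windows system-binary name while living outside the Windows directory. The sample export, the user name, the path markers and the environment-variable mapping are all assumptions constructed for the example; a real export of HKCU and HKLM `...\CurrentVersion\Run` would be fed through the same function and then reviewed by hand, since the heuristics only prioritise what to look at.

```python
"""Triage Run-key autostart entries from a .reg export (added example)."""
import re
from dataclasses import dataclass

# Constructed sample in the shape `reg export HKCU\...\Run out.reg` writes:
# values are REG_SZ command lines, backslashes and quotes are escaped.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"!\"x7qzk"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"
"ctfmon"="C:\\Windows\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"sdjfh8324"="\"C:\\Users\\Public\\Documents\\update.exe\" -s"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"=data ; the name may contain escaped quotes (\") and backslashes (\\)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Assumed mapping used only to normalise paths for the checks below.
ENV_EXPANSION = {'%windir%': 'c:\\windows', '%systemroot%': 'c:\\windows'}
# Assumed markers of folders a normal user (and therefore malware) can write to.
USER_WRITABLE_MARKERS = ('\\temp\\', '\\users\\public\\', '\\programdata\\', '\\$recycle.bin\\')
# Binaries whose names malware likes to borrow; legitimate copies live under C:\Windows.
SYSTEM_BINARY_NAMES = {'svchost.exe', 'explorer.exe', 'csrss.exe', 'lsass.exe',
                       'winlogon.exe', 'services.exe', 'ctfmon.exe', 'rundll32.exe'}


@dataclass
class RunEntry:
    key: str      # registry key the value lives under
    name: str     # value name (unescaped)
    command: str  # command line (unescaped)


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\ -> \ and \" -> \"."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_entries(reg_text: str) -> list:
    """Return every REG_SZ value found under any [key] section of the export."""
    entries, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        data = m.group(2)
        if not data.startswith('"'):
            continue  # dword:/hex: values are not autostart commands
        entries.append(RunEntry(key, _unescape(m.group(1)), _unescape(data[1:-1])))
    return entries


def executable_path(command: str) -> str:
    """Extract the executable from a command line, lower-cased and env-expanded."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        m = re.match(r'(.*?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
        exe = m.group(1) if m else cmd.split()[0]
    exe = exe.lower()
    for var, value in ENV_EXPANSION.items():
        exe = exe.replace(var, value)
    return exe


def assess(entry: RunEntry) -> list:
    """Return the list of reasons an entry deserves a closer look (empty = nothing odd)."""
    reasons = []
    if re.search(r'[^A-Za-z0-9 ._()-]', entry.name):
        reasons.append('unusual characters in value name')
    if len(entry.name) >= 6 and not re.search(r'[aeiouAEIOU]', entry.name):
        reasons.append('random-looking value name')
    exe = executable_path(entry.command)
    if any(marker in exe for marker in USER_WRITABLE_MARKERS):
        reasons.append('runs from a temp or user-writable location')
    base = exe.rsplit('\\', 1)[-1]
    if base in SYSTEM_BINARY_NAMES and not exe.startswith('c:\\windows\\'):
        reasons.append('system binary name outside the Windows directory')
    return reasons


def triage_run_keys(reg_text: str) -> dict:
    """Map each flagged value name to its reasons; unflagged entries are omitted."""
    return {e.name: assess(e) for e in parse_run_entries(reg_text) if assess(e)}


if __name__ == '__main__':
    for entry in parse_run_entries(SAMPLE_REG_EXPORT):
        reasons = assess(entry)
        status = 'REVIEW' if reasons else 'ok'
        print(f'[{status}] {entry.key}\\{entry.name!r} -> {entry.command}')
        for r in reasons:
            print(f'         - {r}')
```

Two of the five constructed entries get flagged: the `!"x7qzk` value (odd symbols, no vowels, launched from Temp, and an `svchost.exe` that is not under `C:\Windows`) and `sdjfh8324` (random-looking name, launched from the Public profile); OneDrive, ctfmon and SecurityHealth pass every check. A name that fails the "no vowels" rule is only a prompt to look, not a verdict, which is why the function reports reasons rather than deleting anything.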
  • 0

Posted

Running Avast scan now; once that is done I'll post the HijackThis report
1 person likes this

  • 0

Posted

Where do you live? I am in Warren County. I could get it fixed up for you. Also don't use that old POS HijackThis... use OTL
http://www.geekstogo.com/forum/topic/277391-otl-tutorial-how-to-use-oldtimer-listit/

  • 0

Posted

[quote name='sc302' timestamp='1353259673' post='595330642']
Where do you live? I am in Warren County. I could get it fixed up for you. Also don't use that old POS HijackThis... use OTL
[url="http://www.geekstogo.com/forum/topic/277391-otl-tutorial-how-to-use-oldtimer-listit/"]http://www.geekstogo...ldtimer-listit/[/url]
[/quote]

What is wrong with HijackThis? It's a great piece of software

  • 0

Posted

Latest version is 2.04... It doesn't work properly with 64-bit OSes. It also doesn't dig as deep as OTL.

Compare an HJT log with an OTL log.

Sample OTL log
[url="http://www.bleepingcomputer.com/forums/topic313328.html"]http://www.bleepingc...opic313328.html[/url]

Sample HJT log
[url="http://www.techsupportforum.com/forums/f284/please-help-hijackthis-log-assistance-end-program-sample-error-at-shut-down-14837.html"]http://www.techsuppo...down-14837.html[/url]

which do you think is more thorough and can help you better find the cause?

  • 0

Posted

[quote name='sc302' timestamp='1353261195' post='595330714']
Latest version is 2.04... It doesn't work properly with 64-bit OSes. It also doesn't dig as deep as OTL.

Compare an HJT log with an OTL log.
[/quote]

Ok, never used OTL; still, HijackThis is a decent app. Using both would be better than not using HJT. Never had a problem with HJT and 64-bit OSes though

  • 0

Posted

Read about HJT and 64-bit. While this isn't necessarily a problem, people unfamiliar with it will go to disable critical processes and screw their computers up more. I don't recommend running this as a novice, nor do I recommend running it over the internet, since people can be tempted to try to fix it themselves, causing more issues. Bottom line: it doesn't work well with 64-bit OSes, and OTL produces similar findings to HJT with many more pieces of the OS puzzle (more files, more reg entries, more points of infection, etc.). Running OTL with good rootkit detection software, like GMER, will allow you, the tech, to actually find something useful and be able to repair the computer.
[url="http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/A_3178-HijackThis-reports-missing-files-on-64-bit-Systems.html"]http://www.experts-e...it-Systems.html[/url]

That being said, it may take a few hours to go through and verify an OTL report.

  • 0

Posted

[quote name='sc302' timestamp='1353261756' post='595330726']
Read about HJT and 64-bit
[url="http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/A_3178-HijackThis-reports-missing-files-on-64-bit-Systems.html"]http://www.experts-e...it-Systems.html[/url]
[/quote]

Well, that doesn't render HJT useless on 64-bit systems; we're not looking for missing file entries, we're looking for malware entries. Makes no difference if HJT can't find 64-bit files

And more to the point, I don't know many 64-bit versions of malware

  • 0

Posted

[quote name='Detection' timestamp='1353262008' post='595330736']
Well, that doesn't render HJT useless on 64-bit systems; we're not looking for missing file entries, we're looking for malware entries. Makes no difference if HJT can't find 64-bit files

And more to the point, I don't know many 64-bit versions of malware
[/quote]
Not exactly useful either. If it is not useful, it is useless IMO.

  • 0

Posted

You could do what others said and waste your time, or do what will be the easiest. Download the 10 MB file from malwarebytes.com, or from [url="http://filehippo.com/download_malwarebytes_anti_malware/download/bad31b603665f4e2b1cfdedd7f8aeb61/"]here[/url] (FileHippo link), onto a USB key. Boot into safe mode, install, run a scan, let it remove it. Done. If you want to do it the hard way, follow the other posts above.
1 person likes this

  • 0

Posted

Secret... Malwarebytes doesn't remove everything. Their rootkit detection piece is still in beta last time I checked. Malwarebytes is not the end-all, be-all.

I have been around a lot of malware, and I can tell you with 100% certainty that Malwarebytes doesn't remove all of it, just a good portion. I run a minimum of three different removal utilities, MWB being one of them, when cleaning computers. MWB isn't the first thing I run; it is the last. I do know its limitations.

  • 0

Posted

[quote name='sc302' timestamp='1353262975' post='595330768']
Secret... Malwarebytes doesn't remove everything. Their rootkit detection piece is still in beta last time I checked. Malwarebytes is not the end-all, be-all.

I have been around a lot of malware, and I can tell you with 100% certainty that Malwarebytes doesn't remove all of it, just a good portion. I run a minimum of three different removal utilities, MWB being one of them, when cleaning computers. I do know its limitations.
[/quote]
After servicing a couple thousand machines over the last couple of years, I have had a 100% success ratio with Malwarebytes when scanning in safe mode. Could you give me an example of malware that it can't remove? I would like to download it and see for myself.

Note: I LOVE getting new stuff to test virus removal techniques. Being serious.

  • 0

Posted

Pick any rootkit. The Remote Desktop attack 6 months ago it couldn't detect (MSE was the first that did). I had problems finding it; the file name was close to a Windows file name and I kept overlooking it.

I have been doing manual virus removal since the late 90s. I have thousands over you. Hell, the hospital I was working at had a whole-site infection, over 10000 computers and hundreds of servers. Nightmare.

  • 0

Posted

[quote name='sc302' timestamp='1353263617' post='595330786']
Pick any rootkit. The Remote Desktop attack 6 months ago it couldn't detect (MSE was the first that did). I had problems finding it; the file name was close to a Windows file name and I kept overlooking it.

I have been doing manual virus removal since the late 90s. I have thousands over you. Hell, the hospital I was working at had a whole-site infection, over 10000 computers and hundreds of servers. Nightmare.
[/quote]
Could you give me even just 1 name of a rootkit that you could not remove with it? The worst one in your mind/experience

  • 0

Posted

[quote name='rippleman' timestamp='1353262834' post='595330762']
You could do what others said and waste your time, or do what will be the easiest. Download the 10 MB file from malwarebytes.com, or from [url="http://filehippo.com/download_malwarebytes_anti_malware/download/bad31b603665f4e2b1cfdedd7f8aeb61/"]here[/url] (FileHippo link), onto a USB key. Boot into safe mode, install, run a scan, let it remove it. Done. If you want to do it the hard way, follow the other posts above.
[/quote]
This. Why make the removal process difficult?

  • 0

Posted

[quote name='sc302' timestamp='1353262356' post='595330746']
Not exactly useful either. If it is not useful, it is useless IMO.
[/quote]

Huh? How is it not useful?

What do you have against HJT? It works, what more do you want?

  • 0

Posted

[quote name='rippleman' timestamp='1353264036' post='595330794']
Could you give me even just 1 name of a rootkit that you could not remove with it? The worst one in your mind/experience
[/quote]

Is it that hard to Google rootkit names? Like I said, pick one, any one. Pull any one out of a Google search. Malwarebytes is 100% ineffective against any rootkit. It doesn't have the scan engine for it, therefore it can't detect or repair against this type of infection. Google redirect is one.

Here you go, read through and you will see that the user running Malwarebytes has no effect against it. http://www.bleepingcomputer.com/forums/topic434638.html

[quote name='Detection' timestamp='1353264396' post='595330806']
Huh? How is it not useful?

What do you have against HJT? It works, what more do you want?
[/quote]

I don't like doing things twice and skimming through information I have been through before.

  • 0

Posted

[quote name='sc302' timestamp='1353264786' post='595330826']
Is it that hard to Google rootkit names? Like I said, pick one, any one. Pull any one out of a Google search. Malwarebytes is 100% ineffective against any rootkit. It doesn't have the scan engine for it, therefore it can't detect or repair against this type of infection. Google redirect is one.

Here you go, read through and you will see that the user running Malwarebytes has no effect against it. http://www.bleepingcomputer.com/forums/topic434638.html

I don't like doing things twice and skimming through information I have been through before.
[/quote]

Ok, well, each to their own; let's not hijackthis thread with our differences ;)
1 person likes this

  • 0

Posted

[quote name='sc302' timestamp='1353264786' post='595330826']
Is it that hard to Google rootkit names? Like I said, pick one, any one. Pull any one out of a Google search. Google redirect is one.
[/quote]

Surprised you could not give one from your own extensive experience and instead said to Google one. I am having no luck finding an .exe for the Google redirect to infect myself with. Google is full of solution links and no actual download links (of course, and expected). Do you know where I can get the .exe file? Or maybe a website that does give the infection?

  • 0

Posted

Yeah, Malwarebytes doesn't get rootkits at all. I use TDSSKiller for that, along with Malwarebytes and ComboFix to clean the rest.

  • 0

Posted

I don't make it a habit to self-infect. I get enough examples that I don't need to search.

Here is a sample file from 2011.

[url="http://www.ziddu.com/download/16318944/TDL4.rar.html"]http://www.ziddu.com...4/TDL4.rar.html[/url]
Password: infected

Another
[url="http://download.softpile.com/download+rootkit+sample/"]http://download.soft...rootkit+sample/[/url]

Do a search for [b]rootkit sample file download[/b]

This guy's site has a bunch, but you need to contact him/her for the password
[url="http://contagiodump.blogspot.com/2012/05/mbr-rootkit-xpaj-sample.html"]http://contagiodump....paj-sample.html[/url]
[email="MilaParkour@gmail.com"]MilaParkour@gmail.com[/email]

You should know that there are many different sample files that you can get with all sorts of infections in them to see if your AV/antimalware software can detect them. This is how many companies test the software's capabilities, as well as how many third-party companies rate new software, but they usually have internal lists and those are usually pretty large.

Like I said, Google it and pick any; not my fault you don't know the search terms.
