Solved Massive malware infection has made a mess

[Admiral Awesome]

I had a malware/trojan infection a few days ago that kept me occupied for the better part of two days with cleaning up using:

Malwarebytes Anti-Malware and Anti-Rootkit
AdwCleaner
Junkware Removal Tool
Norton Power Eraser
Sophos Virus Removal Tool
Trendmicro Housecall
SpyBot Search & Destroy
and Chrome Cleanup-Tool.

Now, when the smoke has cleared and I try to assess damage done, even the c:\users\MyName\appdata is gone(!) and I find files and and folders in completely new places, some empty, some not.

It is seemingly an unholy mess (but wholly a mess and I wonder if the best thing would not be to simply reinstall Windows 7 as it is next to impossible to distinguish what is whole and what is messed up.

Would a system restore really restore e.g. c:\users\MyName\appdata, a folder which is kinda, sorta useful?

So what say you? Would it be better beginning with a clean slate, or is there hope yet?

 

[Golden]

Clean install after running CLEAN ALL from DISKPART

http://www.sevenforums.com/tutorials/52129-disk-clean-clean-all-diskpart-command.html

 

[mitchell65]

I presume, Göran, that you have not been regularly backing up your system with something like Macrium Reflect. May I urge you after following Golden's advice to install Macrium and make regular backups at least once a week. Then when you have a problem you can restore your system and be up and running again within the hour!

 

[Admiral Awesome]

Clean install after running CLEAN ALL from DISKPART

http://www.sevenforums.com/tutorials/52129-disk-clean-clean-all-diskpart-command.html

Thanks Golden. This would give me about as clean a slate as they come

 

[Admiral Awesome]

Eeeey... Mitch, old friend! Good to 'see' you!! Hope your'e doing fine. Happy New Year to you btw! "I presume, Göran, that you have not been regularly backing up..." how dare you inseminate that...and who are you all of a sudden to presume...uh...how in blazes did you know?

"May I urge you /.../ to install Macrium and make regular backups...?" Yes my boy, you may.

Now it's off to clean this slate I go...thanks good buddies, happy New Year all around!

'It wasn't me but I'll never do it again...'

 

[iknowjohnny]

c:\users\MyName\appdata is gone(!)

R U sure it's not just hidden? Some of those anti malware and virus apps will turn "view hidden files and folders" back to hidden in folder options so you may just not be able to see it.

 

[Admiral Awesome]

"R U sure it's not just hidden? Some of those anti malware and virus apps will turn "view hidden files and folders" back to hidden in folder options so you may just not be able to see it."

Now you tell me Anyway, there's 106,304 files on the system drive to check, and at that point I had been awake for some 24 hrs straight not wanting to give up. At that point I gave up, and came here to write the OP.

After that I just went ahead and did what user Golden suggested and nuked the system drive - nuked it but good, then reinstalled Windows.

I could have never quite gotten rid of the nagging suspicion that, even if I had known about what you now tell me, there was still some bad code lurking in the depths of all those files, ready to pop up at some time in the future and wreak havoc anew.

I want my PC to be my PC, no compromise. Then I took that know-it-all whippersnapper Mitchell's advise and got Macrium and backed up the C drive on an external drive.

So I'm good. Thanks for replying though

 

[mitchell65]

Then I took that know-it-all whippersnapper Mitchell's advise and got Macrium and backed up the C drive on an external drive.

Thanks for that - I haven't been called a "whippersnapper" since circa 1947

 

[Admiral Awesome]

Then I took that know-it-all whippersnapper Mitchell's advise and got Macrium and backed up the C drive on an external drive.

Thanks for that - I haven't been called a "whippersnapper" since circa 1947

You're welcome young man. I hope it's not a derogatory term (as you know, this is not my first language); it certainly wasn't meant like that. Thanks for the reminder to back up - I had been meaning to for years. You obviously knew who you were dealing with

 

[tony22]

Göran, I'm curious. Can you recall what each of the various tools found during your efforts to identify and remove the problem(s)?

 

[MoxieMomma]

Hi, @tony22:

Göran, I'm curious. Can you recall what each of the various tools found during your efforts to identify and remove the problem(s)?

For the record:
Each computer is unique.
While there are general principles, malware detection and removal are best customized for each system.
Fixes for one system could break another system or even render it unbootable.

Although it may be interesting to hear what was on the OP's system, I respectfully suggest that the information NOT be extrapolated to your computer(s).

If you're concerned that your computer might be infected, then the safest course of action would be either to wait for one of the malware-trained experts to assist you here in your own threads, or to seek a bit of expert help at one of the many reputable computer disinfection fora.
Those experts will know which tools to run, in which order, for complete & safe detection and removal.

Just a friendly suggestion,

MM

 

[Admiral Awesome]

Göran, I'm curious. Can you recall what each of the various tools found during your efforts to identify and remove the problem(s)?

I'm afraid not Tony. As I said there was a sh*tload of them:

Malwarebytes Anti-Malware and Anti-Rootkit
AdwCleaner
Junkware Removal Tool
Norton Power Eraser
Hijack This
Sophos Virus Removal Tool
Trendmicro Housecall
SpyBot Search & Destroy
and Chrome Cleanup-Tool.

each producing slightly different results.

Malwarebytes I didn't run, not because it's no good - on the contrary it would have been my first choice - but because I had just finished my 30-day-trial with them, and thought the price a bit steep.

I did purchase SpyBot Search & Destroy though, and it ran for hours and finding stuff the whole time. Of course I don't know if that's just smoke-and-mirrors stuff i.e. if all they reported, or any other anti-malware reports, really was there and if they didn't purposely make things seem more dramatic than necessary, add artificial delays, blinking screens etc.

How would users know? For all I know, they may be cooking up the bad code at night that they then 'find' during daylight with great fanfare..

But I do seem to recall that one - I think it was Sophos Virus Removal Tool - that wanted to remove even Textmaker Pro and Planmaker Pro, from the excellent German MSOffice-like suite Softmaker Pro.

Papa don't like, cause this is highly legitimate software and made me think that perhaps the Sophos people are in cahoots with Microsoft.

But seriously, that was the only thing that stuck out. Like I said I had gone from 6 am one day to 6 am the next w/o sleep so forgive me for being hazy about what happenened when.

I do remember that Norton Power Eraser struck me as perhaps the best of the lot, mainly because the first thing it asked to do was reboot so as to be able to perform a root-kit search; none of the others did.

I think also Trendmicro Housecall came off as serious and knowing their stuff, but to be honest I didn't think about keeping my own log or even saving the logs of the respective programs except for a few that I will attach to this post.

I do remember that one of the cuprits was Wajam, that most of them blocked my actions to try and stop the infection from spreading (Task Manager wouldn't run or else access was denied when I tried to end suspicious-looking processes) and that many seemed at first to have been successfully eradicated - only to pop up again after reboot. Very persistent, very sneaky and malicious. But then that's what they are/do.

No surprise there. I will say this though, the infection(s) didn't 'just happen', I foolishly visited sites of ill repute and clicked on dubious links, so in my case I brought it on myself; nobodys fault but mine.

Not that I'd fall for obvious stuff like 'By incredible luck, you are the millionth user to visit this site, therefore you have won...', but there are sneakier, less obvious ways to haul you in.

Remember, the slimebag con-artists that write this malicious code do nothing else all day - they're bound to get good at it.

 

[Layback Bear]

Just a note:

If a trial version of Malwarebyte Anti Malware time runs out one can always use the Free version to scan your systems.

I chose to get the Premium Version.
----------------------------------------

Golden's method of a
Disk - Clean and Clean All with Diskpart Command
will certainly be the most complete.

Their are times when their is just to much junk and damage and starting new is a great idea.
I have went that path a couple of times. A clean start just made me feel safer.
Now that Windows 7 Updates take two life times to get does make it more time consuming.

 

[MoxieMomma]

Hi:

Malwarebytes I didn't run, not because it's no good - on the contrary it would have been my first choice - but because I had just finished my 30-day-trial with them, and thought the price a bit steep.
<snip>

For the record, a couple of clarifications:

1) MBAM Free and MBAM Premium use the identical malware detection and removal engines/methods/databases. IOW, anyone can run a manual scan with MBAM Free and remove malware exactly the same way a user with MBAM Premium would do so. So, you could very well have run a full scan with MBAM Free and it would have detected/removed all of the same malware as MBAM Premium or Trial. The major difference between Free and Premium is the real-time protection and some other features, NOT the malware removal.

EDIT: OOPS! I didn't notice that @LBB had replied while I was typing. Great minds think alike

2) The "Trial" version is for 14-days, not 30. The "30 days" applies to the money-back guarantee on the license purchase. (There is one Trial per PC per MBAM Program version.) As for the cost, it works out to pennies per day per PC -- it's probably cheaper than the lost time, effort and productivity recovering from a major malware problem, data breach or other catastrophe. <just sayin'>

3) MBAR-Beta (Malwarebytes Anti-Rootkit BETA) is a free, BETA tool. While most of the anti-rootkit functionality has been incorporated into MBAM, the tool does exist as a standalone. However, since it is a powerful, beta tool it is recommended that it be run with expert guidance and assistance.

Cheers,

MM

 

[Admiral Awesome]

Just a note:

If a trial version of Malwarebyte Anti Malware time runs out one can always use the Free version to scan your systems.

I chose to get the Premium Version.

Is that a fact? I didn't know. That would to my thinking lessen demand for the premium version - unless the premium version offers, for example, proactive measures.

Yes, that must be it. Immunization and such and such. An ounce of prevention is, after all, worth two in the bush. Or is that the other way around? Today was a very long, tiring day, for entirely different reasons than malware.

It's -time here (GMT+1=11:20 pm).

 

[Admiral Awesome]

MM said "As for the cost, it works out to pennies per day per PC -- it's probably cheaper than the lost time, effort and productivity recovering from a major malware problem, data breach or other catastrophe. <just sayin'>"

This is very true. 'Penny wise and pound foolish'.

 

[MoxieMomma]

s that a fact? I didn't know. That would to my thinking lessen demand for the premium version - unless the premium version offers, for example, proactive measures.

MBAM Free is only a manual, on-demand scanner that REMOVES malware that has already made it past your AV onto the system.

MBAM Premium provides complementary, layered, real-time protection alongside your AV, to help PREVENT infection by zero-hour and zero-day, non-viral threats often missed by the AVs.

The malware detection and removal capabilities are the same for both versions, as explained in my previous post.

Comparison between MBAM Free and MBAM Premium

Thanks,

MM (just a home user with no company affiliation or financial interest)

 

[Admiral Awesome]

LBB: you said "...starting new is a great idea./.../A clean start just made me feel safer."

I know it. That's why I did a clean install - for the peace of mind that's in it.

"Now that Windows 7 Updates take two life times to get does make it more time consuming."

That is a bummer...still, I'm not yet sure about Windows 10 - I deliberately missed Vista back in the day, and would rather let other people evaluate Windows 10 thoroughly before I make the switch.

Plus I don't really see the need - Im good with what I have, but then I'm not one to depend on to keep the wheels of business turning.

 

[Layback Bear]

Their are some that like W-10. We have a sister forum full of them.

Windows 10 Forums


I don't like W-10 but please understand I don't hate W-10.
I just don't have a need or desire for W-10 and the things that come with it.

Sense W-10 came out, Windows 7 updates have been very, very, very slow searching.
Members report that the time to search and download the Windows 7 updates after a Clean Install or a Repair Install for 8 to 48 hours.
Other than leaving your computer on and waiting I know of no cure for this slowness.

While Searching for Windows 7 Updates you can reboot and try again and hopefully you will get a Microsoft server that is not so busy.
Do Not reboot if your system is in the downloading or installing stage of Windows Updates.
Only in the Search stage.

Note:
To me Malwarebytes Premium is absolutely necessary along side of my anti virus program.
This is my opinion and I also don't get anything from Malwarebytes Inc. for stating this opinion.

 

[Jacee]

I did purchase SpyBot Search & Destroy though, and it ran for hours and finding stuff the whole time. Of course I don't know if that's just smoke-and-mirrors stuff i.e. if all they reported, or any other anti-malware reports, really was there and if they didn't purposely make things seem more dramatic than necessary, add artificial delays, blinking screens etc.

Spybot S&D has always been free to my knowledge ... I need to look into that.

Yikes! Just looked ... You'd be so much better off if you had purchased Malwarebytes'