Virus Issue

[Gbsnplr]

I have picked up a virus that shows itself as a virus protection program. It will not allow me to into msconfig and it has shut down Essentials. I have shut down the system and removed it from my network and online capabilities.

How can I delete this issue without reinstalling Windows? And I will reinstall if necessary.

 

[NoGoodNamesLeft]

Have you tried starting your computer in safe mode without networking and then running a virus scan?

 

[dranfu]

You can also use the tools (and the virus detection is decent, too) in SuperAntiSpyware

This program has a collection of tools that you can use to perform repairs, such as re-enabling msconfig, system restore, and other windows tools. If you can get to the net, you can try downloading a copy of malwarebytes, going into safe mode, and running a full scan.

However, because you have a virus written by a programmer who is diligent enough to disable MSE, I would bet money that in his code (malware code), he has probably spent the extra time to write functions to disable, or hide from, the majority of AV vendors (kapersky, malwarebytes, hitman, ESET, etc.) The more popular your Anti Virus program is, the more likely a malware writter has written code to look for it, and disable it. They are, after all, aware of these AV tools

The best method of scanning is to use a Live Boot CD. With these, you pop a cd in your cd-rom, an operating system is loaded into memory (from the cd-rom) and you scan your hard drive while it is off. Since windows isn't loaded, it's very hard for the viruses to hide. In fact, it's darn near impossible for them to hide. And since the windows os is off, the virus can't do anything to regenerate itself when its deleted, since it is unaware that it is being deleted.

If you're feeling frisky, you can read about Manually Cleaning Up a Virus Infestation

 

[Tews]

What antivirus program/s have you used to clean your computer...

 

[Skulblaka]

Pretty much, go into "Safe Mode" then click "Run" in "Start Menu". Then type "MSConfig".

Go to "Startup" tab, then look for names of start up programs that stand out, no manufacturer or a very odd name like "ssjsufgg" etc.

This usually works, also you can go to "Services" tab, and do the same thing you did for "Startup".

If you find the virus listed, you can see the directory of it, just follow it and delete it, after that run a scan.

 

[dranfu]

Pretty much, go into "Safe Mode" then click "Run" in "Start Menu". Then type "MSConfig".

Go to "Startup" tab, then look for names of start up programs that stand out, no manufacturer or a very odd name like "ssjsufgg" etc.

This usually works, also you can go to "Services" tab, and do the same thing you did for "Startup".

If you find the virus listed, you can see the directory of it, just follow it and delete it, after that run a scan.

Good advice, and definitely useful in certain cases. but I think it is fair to note: that would only work for very simple infections, where it is easy to locate the offending program visually. More sophisticated Malware would not make itself so easy to be seen.

 

[Skulblaka]

Pretty much, go into "Safe Mode" then click "Run" in "Start Menu". Then type "MSConfig".

Go to "Startup" tab, then look for names of start up programs that stand out, no manufacturer or a very odd name like "ssjsufgg" etc.

This usually works, also you can go to "Services" tab, and do the same thing you did for "Startup".

If you find the virus listed, you can see the directory of it, just follow it and delete it, after that run a scan.

Good advice, and definitely useful in certain cases. but I think it is fair to note: that would only work for very simple infections, where it is easy to locate the offending program visually. More sophisticated Malware would not make itself so easy to be seen.

It is worth a try, I've done that every time I had to do come "cleaning" for others, majority of the computers I cleaned were easily fixed using this technique.

Alas it won't work every time, still effective and very worth the try.

 

[jimbo45]

Hi there.

I personally would NEVER trust a computer that had an infection on it that was "ostensibly" removed by AV software.

I might be in total disagreement with 99.99% of other members on the Forum -- but relying on an Infected OS to clean itself up is a bit like asking the Fox to guard the chickens in the henhouse.

If you have a decent UNINFECTED backup image of the OS -- restore that. If you don't then IMO the only SAFE option is to re-install the OS.

ALWAYS TAKE REGULAR BACKUPS and you can avoid these types of problems.


This also shows the need for REGULAR BACKUPS - which you can easily scan to ensure they are virus free.


Even a 70 GB Windows installation doesn't take more than around 25 mins to backup or restore on a modest laptop using good backup software -- I use Acronis but there are others.

Cheers
jimbo

 

[Tews]

+ 1 to everything you said Jimbo! I would NEVER trust an installation after an infestation... Thats why I'm so anal about imaging my drive (with Acronis).. Its so much easier to restore a clean image, than spending hours reinstalling the OS along with my programs....... +rep to you!!

 

[Borg 386]

I agree with dranfu, you should try running a rescue boot up disk, which loads before the OS does.

There are several out there, I have all of them in my arsenal but I usually start with this one.

AVG Rescue Disk – Free AVG Bootable Antivirus CD

You have others boot disks to choose from also - Avira, Kaspersky, Bitdefender, etc. The links for these are also listed on the page

 

[Skulblaka]

If he says "reinstalling" then perhaps he has no system image to restore from. Thus, wasting hours to do a clean install.

Hm, still no response on his progress...

 

[Keiichi25]

FYI - The 'virus' he is referring to is actually Hijack-ware (A variation of Malware) which I know you all know this.

This particular one, though, doesn't really 'infest', so much as just hold your computer hostage and preys upon the less technically inclined.

It is possible to get it off your system without having to re-image your system (Again, not everyone will image or backup their system or have the ability to do so until this happens the first time to them)

From what I have seen in the past, these things also tend to make themselves hidden, inject Registry morphisms to help keep it 'alive' at times (Via - two hidden files, one executable, one fall back to put back the malware code if it has been removed)

The current, reasonable solution is to reboot into safe mode, access the machine through another, untouched account (As the account that originally got it will be sometimes execute the malware code, even under safe mode due to the registry modification, one of which has put in a .exe execution handling.

Using a program like Malwarebytes Anti-Malware or any good malware removing program should be able to isolate and remove the offending files.

You do, however, have to run it again after a reboot on the affected accounts, as the variants I have seen target the HKCR registry for exe entry to try and run the malware code, thus causing some new errors when you try to run programs. This is easily bypassed by just finding the malware removal program and re-running it, or by manually looking through the registry for the HKCR and I believe removing any other entry that is associated with .exe that isn't the Content Type, PersistentHandler. Although I lean more towards letting Malwarebytes Anti-Malware to clear it out.

For real viruses, I do agree it that trying to clean it off on an infected system is not the best way to go, but hijack-ware like this, it isn't nearly as nasty, just plain annoying.

 

[Skulblaka]

Then perhaps much easier to remove.

 

[Corrine]

FYI - The 'virus' he is referring to is actually Hijack-ware (A variation of Malware) which I know you all know this.

This particular one, though, doesn't really 'infest', so much as just hold your computer hostage and preys upon the less technically inclined.

That is true of some of the rogues but not all. Some are "ransom ware", others trojans and some are indeed rootkits. However, in this case, we only have very general information so don't know what it is that is on Gbsnpir's computer.

 

[brianzion]

i dont no if this will help they have most fake anti virus tool removers on softpedia
Download Red Cross Antivirus Removal Tool 1.0 Free - Remove fake Red Cross antivirus from your computer - Softpedia also have a look at my thread>http://www.sevenforums.com/news/108205-microsoft-security-essentials-alert-removal-tool-1-0-a.html

 

[Skulblaka]

i dont no if this will help they have most fake anti virus tool removers on softpedia
Download Red Cross Antivirus Removal Tool 1.0 Free - Remove fake Red Cross antivirus from your computer - Softpedia also have a look at my thread>http://www.sevenforums.com/news/108205-microsoft-security-essentials-alert-removal-tool-1-0-a.html

Hah!

Anyway, we'll get nowhere if the "Thread Starter" doesn't respond.

 

[Keiichi25]

Well, the problem is, the thread starter is probably too busy trying to deal with it and getting into other problems.

Corrine - What you say maybe true. So far, though, most of the ones I have seen that have taken this vector are conflicker type Hijackers or a variant where it takes it a step further, but I haven't seen a rootkit yet, or a trojan where it pushed itself to other computers nearby yet.

The ones posing as an Antivirus one (Under various names, but always saying the rough same thing of your computer having viruses that must be removed) generally sticks with the Hijack/Ransom ware method of rendering your computer unusable until you 'buy' the software. It doesn't go further to spreading to other computers or send trojans to other computers based off any information it gleans from the computer it hijacked.

Furthermore, from what I have seen in the numerous cases of those, they tend to be just a real pain to get rid of if you don't know what you are doing and rarely damage the system other than set you up for identity theft via paying the ransom just so you can use it again. Most true Viruses are self-propegating and detrimental.

I will admit I am not too familiar with rootkits other than a vague understanding that it allows literal universal access to your system.

 

[Gbsnplr]

Sorry guys my progress is no existent I am out of town. I will be back on Friday. I do have a backup, I currently use WHS and backup everyday. I was thinking about reinstalling windows them restore from my WHS backup

 

[Jacee]

Backing up Corrine's post ... Fake-Antivirus (Ransom ware) is now bundled with the latest TDSS Rootkit payload

 

[Uber Philf]

Hi there.

I personally would NEVER trust a computer that had an infection on it that was "ostensibly" removed by AV software.

I might be in total disagreement with 99.99% of other members on the Forum -- but relying on an Infected OS to clean itself up is a bit like asking the Fox to guard the chickens in the henhouse.

If you have a decent UNINFECTED backup image of the OS -- restore that. If you don't then IMO the only SAFE option is to re-install the OS.

ALWAYS TAKE REGULAR BACKUPS and you can avoid these types of problems.


This also shows the need for REGULAR BACKUPS - which you can easily scan to ensure they are virus free.


Even a 70 GB Windows installation doesn't take more than around 25 mins to backup or restore on a modest laptop using good backup software -- I use Acronis but there are others.

Cheers
jimbo

Also +1, very much in full agreement here.