
[SOLVED] Nasty Malware Blocking Programs

GoodKingJayIII Registered User regular
So, my fiancée went to use her computer today and found her Internet Explorer completely blocked with a message that the website she may be visiting would give her a virus, and that she should download something called Antivir. Clearly a scam, I went about the task of removing it by following this thorough guide.

Here's the problem. Every single one of the files that the guide recommends I download cannot be run, because this malware completely blocks the program from being run. Further, it simply resets the Internet Explorer settings and prevents me from accessing websites and downloading other files. I cannot even open the Task Manager to try and remove some of the files.

I've never dealt with anything like this. I can't even imagine where she picked up something like this. Thanks for any help you can provide.


  • TetraNitroCubane Registered User regular
    First: She probably picked this up just by browsing to any of the sites she normally visits. Compromised ads in flash banners, and/or malicious changes to presumed 'safe' websites are the primary methods of distribution these days. If the attack can find an unpatched flaw in your browser or OS, it doesn't even take any user input to get you infected.

    Second: My primary advice is going to be that you nuke 'n pave. Reformat the HDD and reinstall windows, then restore from backup. It's much easier, and safer, than trying to remove the infection yourself. If you can reformat, reinstall, and restore, you'll save yourself a lot of headache! If any of the nastier strains of malware are on that computer now, it could be very difficult to remove them with any confidence.

    If, for any of many understandable reasons, you can't reformat the drive, then I'd suggest the following. You say that you're following the BleepingComputer guide. That's good. Those guys know what's up with this infection, but it's obviously evolved a bit since that guide was written. The RKill step in that guide (Step #8) is intended to kill the malware long enough for you to run the cleaning programs. Unfortunately, it looks like RKill isn't doing the trick, and the malware is still preventing the tools you need from running.

    Have you only tried rkill.com? If you go to this page, you can download different flavors of RKill that the malware might not recognize, including rkill.exe, rkill.pif, and rkill.scr - These are all the same program with different names to evade the malware, so try any of those other three. If one of them works, then follow the guide from step #8.

    If all four rkill versions don't work, download Hitman Pro 3.5. When you launch the program, hold down the left Ctrl key and double click the icon. This will activate Hitman Pro's "Force Breach" feature, and shutdown all non-essential processes - Essentially mimicking the rkill function. Then, you can resume the guide from step #8. You don't need to scan with Hitman Pro at all if you don't want to - just use it to kill the running malware.

    I hope this helps. I know cleaning up a mess like this is trying to the patience, so best of luck.

  • matt has a problem Six pack on a dick Registered User regular
    I actually removed this off a coworker's laptop a few weeks ago. I had to download Malwarebytes on a different computer, rename the downloaded file, put that on a USB key, copy it to the infected laptop while it was in safe mode, install malwarebytes into a non-default directory (renamed the destination folder), then rename the actual malwarebytes program .exe before running it in safe mode. Once I got malwarebytes to run in safe mode doing all this, it took care of the problem in one "full" scan.

  • GoodKingJayIII Registered User regular
    Thanks guys. Quick update: I managed to use a back door to open the Task Manager. I'm now trying to use a number of malware and spyware removal programs to delete it. Unfortunately both Spy Doctor and StopZilla require some kind of purchase. If anyone knows a good freeware spyware removal, that'd be great. I'm thinking about Malwarebytes at the moment.

    > Second: My primary advice is going to be that you nuke 'n pave. Reformat the HDD and reinstall windows, then restore from backup. It's much easier, and safer, than trying to remove the infection yourself. If you can reformat, reinstall, and restore, you'll save yourself a lot of headache! If any of the nastier strains of malware are on that computer now, it could be very difficult to remove them with any confidence.

    I can handle my way around a computer, but I wouldn't trust myself with that kind of thing. I know that it's relatively simple, but I've actually never done it before. I think I am going to try and remove the spyware first, then back up all her files onto my external HD. If there are still issues afterwards, I'll look into reformatting.

    > Once I got malwarebytes to run in safe mode doing all this, it took care of the problem in one "full" scan.

    Aha! Beautiful. I'll definitely try Malwarebytes now. Thanks.

  • W2 Registered User
    This happened to me last week. The trick to cracking it open was to frantically mash CTRL+ALT+DEL and open the Task Manager as Windows was booting, before the process could start and prevent me from opening anything.

    Then, Malwarebytes and anti-virus. I'm planning to reformat when I get time, and I'll only feel properly comfortable after I've done that. Best of luck. :)

  • Void Slayer Very Suspicious Registered User regular
    Take the infected computer off the internet; it may very well be downloading additional malware and viruses, and the longer it is connected to the internet the more work you have to do.

    Yes, I would echo the recommendation for Malwarebytes. If you are interested in going into more technical detail, download HijackThis. Unless you know what you are doing, though, it can be dangerous to delete the stuff that comes up in that.

    The best way to download them is on a different computer and transfer it with some kind of media like suggested above, renaming every .exe file in order to prevent the malware from blocking the installation.

    The primary reason I suggest HijackThis is it has a process manager that works similar to the Task Manager. Look under additional tools. If you run the basic scan it will also save a log file so anyone who is helping you can see exactly how screwed you are.

    Many malware programs will be picked up by a standard antivirus when you try and delete their main files, as they will try to self-replicate or stop the action like a virus. If you have an antivirus that is running successfully, then try deleting all files in the download and temporary folders under both Windows and any "My Documents" type folders. I can't tell you where exactly they would be without knowing the OS. Many malware programs stay inside these folders after being downloaded because copying them to another folder automatically might trigger your antivirus.

    Good luck.

    He's a superhumanly strong soccer-playing romance novelist possessed of the uncanny powers of an insect. She's a beautiful African-American doctor with her own daytime radio talk show. They fight crime!
  • GoodKingJayIII Registered User regular
    Thanks for the additional advice guys.

    Malwarebytes and the latest version of Avast! took care of the problem, so I think we're in good shape.

    Thanks again for the help!

  • Buttcleft Registered User regular
    only way to be sure your system is clean is to nuke it from orbit, then on a fresh untainted install change all passwords just to be safe

    that's it, I'm shutting this entire forum down, everyone thank buttcleft