Showing posts with label Malware. Show all posts

Friday, February 26, 2010

Spyware, Malware, Rootkit viruses

My friend David Turner wrote up some wonderful instructions on eradicating malware and spyware from your system---I'm including them here. Farther down in the instructions he refers to a "rootkit virus". In my experience, you will know that you have one if Safe Mode fails to boot up--that usually means one of your device drivers has been corrupted. Combofix is a wonderful program to correct rootkit viruses---I've written about it elsewhere, and you can find links to it on

http://www.mybleepingcomputer.com

Here are David's instructions...

Hello Professor:

I saw your email concerning your computer problems so I thought you might like some help.

As you already can see, most (all) antivirus programs don't work very well, at least not by themselves. So it takes a team approach to solve these infection issues, and a good deal of time and patience, as malware infects using the "buddy system"...one is active while the other is dormant but listening to see if the active one is removed, whereupon it executes a new copy of the most malicious one.

Long story short, the following steps are ones that I have used many times and they have NEVER let me down.

1) Disconnect from the internet (and of course any lan connections)

2) You will need the following programs:

a) Malwarebytes Antimalware (get it here:)




3) Follow these steps next in order:

a) Reboot the computer into Safe Mode: usually keep tapping the F8 key repeatedly while the PC boots. (It could be a different key, which will be displayed on the initial splash screen.)

b) Select Safe Mode (this takes some time)

c) Once in safe mode execute (but don't scan) Malwarebytes followed by WinPatrol and then Super Antispyware followed by the MozillaFirefox browser.

d) Next run the Malwarebytes scan (WinPatrol will be active automatically). Run this 2 or 3 times after an interval of time...5-10 minutes.

e) Next run your present anti-virus application (again more than once, with the time interval as well). Make sure that you DON'T download and run any other AV program, as 2 applications will usually lock up your computer.

f) Then run SAS (Super Anti....)

g) Review the results (kinda' like admiring your own programs...as you always said!)

h) If results look satisfactory and computer functionality has returned, rejoin your network.

i) Don't think that you're done yet.....next use Mozilla to go to the Internet and run an online A/V scan...use Trend PC as it's the only one that works with Firefox.

Go here and download the program and then scan:


When that completes (could be 5-6 hours..or more) you should be good to go.. unless you have been infected with a Rootkit... which requires more tools.

Friday, January 29, 2010

Malware Update---January 28, 2010

I thought I had fixed my problems on Wednesday, January 27th, but it turns out I didn't.

My PC refused to shutdown gracefully, and each time I fired up Windows, I received error messages indicating that I had a problem with

AXWin Frame

and this one...

To help protect your computer, Windows has closed this...

Generic Host Process for Win32 Services

Just about as soon as this occurred, all other windows had problems---and Task Manager failed to load.

A graceful shutdown was impossible.

Furthermore, booting into Safe Mode was also impossible. It would freeze on MUP.SYS.

I used another computer to search the Internet for help, and it suggested that I download and run a program called

COMBOFIX

which I did. It took about an hour to download, install and run, and after several planned shutdowns and reboots (the first shutdown failed, so I had to power off), it told me that my ATAPI.SYS device driver was corrupted, and that it had fixed it.

1 hour later, I was able to fire up Windows (without any error messages) and I've been running continuously for the last day.

I'm just about finished performing a massive backup, and at some point today, I'm going to shut down and restart in Safe Mode--after which I'll run Malwarebytes and my Symantec Antivirus scan.

A former student of mine, David Turner, has also emailed me with some very detailed instructions to ensure that I'm finally free of this malware.

The name sounds like a nuisance, but it's far from that---it's a real pain in the ***
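The post above describes a rootkit that had tampered with ATAPI.SYS, which ComboFix repaired. A practitioner's first check for that class of problem is whether the kernel drivers on disk still carry valid signatures. The following PowerShell is an added example and not something from the original post or from ComboFix; it assumes only the standard System32\drivers folder and the built-in Get-AuthenticodeSignature cmdlet.

```powershell
# Added example (not part of the original post). Lists kernel drivers whose
# Authenticode signature is missing or invalid, which is the sort of result a
# patched atapi.sys produces, then shows the atapi.sys file details so they can
# be compared against a known-good copy from a clean machine or install media.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

# Every *.sys in the driver folder whose signature status is anything but Valid.
$suspect = Get-ChildItem -Path $driverDir -Filter '*.sys' |
    Get-AuthenticodeSignature |
    Where-Object { $_.Status -ne 'Valid' } |
    Select-Object @{ Name = 'Driver'; Expression = { Split-Path $_.Path -Leaf } },
                  Status, StatusMessage

$suspect | Format-Table -AutoSize

# The driver named in the post: size and timestamp are what most people can
# compare by eye against the same file on an uninfected PC of the same build.
Get-Item (Join-Path $driverDir 'atapi.sys') |
    Select-Object Name, Length, LastWriteTime

# Hash for a more exact comparison. Get-FileHash needs PowerShell 4.0 or later;
# on an XP-era system use certutil instead: certutil -hashfile <path> SHA256
if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {
    Get-FileHash (Join-Path $driverDir 'atapi.sys') -Algorithm SHA256
}
```

Two caveats apply. On older Windows versions Get-AuthenticodeSignature only looks at embedded signatures, and many legitimate in-box drivers are catalog-signed, so a NotSigned status there is not proof of tampering; confirm with `sfc /scannow` or the `sigverif` tool. More importantly, a kernel rootkit that has hooked disk I/O can hand a clean-looking copy of the file to any user-mode tool running on the infected system, which is why the post needed a tool like ComboFix, and why a comparison made after booting from clean media is the one to trust.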

Wednesday, January 27, 2010

Antivirus XP 2010 Malware--what a pain

Thanks to everyone for the suggestions, and mainly for the support.

My wife's PC had been infected with the Antivirus Malware twice, and Malwarebytes (free download from CNET.COM) fixed it both times. However, it seemed to have gained some strength by the time it morphed into Antivirus XP 2010.

One interesting thing it did was to disable the other user accounts on my PC so that I could only execute programs via "Run as" with the infected account I had--so I was really stuck using my infected account to try to solve the problem.

I also found I was unable to boot the PC into Safe Mode--not sure if that's related to the Malware--I hope not.

Also, when I tried to run my copy of Malwarebytes, it had erased mbam.exe--the executable. Then, when I tried to reinstall from the setup I had on my PC, it tried to stop the execution. Using Task Manager, I managed to kill av.exe long enough for the setup to run, but guess what---after the install worked, it once again deleted mbam.exe, leaving me with a folder containing all but the executable.

An Internet site I found suggested renaming the setup executable and installing it in a folder other than Malwarebytes. I did that, and again, using Task Manager to kill av.exe long enough to get started, managed to run Malwarebytes through an entire scan yesterday morning. It identified about 14 infections, rebooted to delete the bad guys, and I was hoping when it came back up all would be fine. It wasn't.

Again, I ran Malwarebytes, but this time it came back clean--as did Symantec and Spyware Doctor. Like you guys, and some advice on the Internet, I came to the conclusion that running a 1 month old version of Malwarebytes didn't cut it.

I fired up Malwarebytes again, selected Update, and it told me it was getting the latest signatures-version, and that it would shut down and reinstall. It didn't--av.exe seemed to be loading whenever anything tried to fire up.

Finally this morning I went out to CNET.com and downloaded the latest setup executable they had--it must have had something in there for this virus-malware, because after once again renaming the setup and installing it into a decoy folder and renaming mbam.exe to something else, I was able to run a 3 hour scan.

I must confess I had some doubt, but it found 5 infections, and after a reboot (shutdown failed, I had to pull the plug on the PC), when it rebooted the malware seemed to have been destroyed. At least that's the way it appears.

I had some residual error messages that the Internet says indicates I need to clean my registry---I just did that using CCleaner (another free download from CNET.COM), so knock on wood, I seem to be OK now.

Thanks again for your concern and advice.
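The post above worked around a rogue process (av.exe) that watched for and deleted mbam.exe by renaming the installer, installing into a decoy folder, and killing av.exe from Task Manager by hand long enough for each step to run. The PowerShell below is an added example of the same manoeuvre, not code from the original post or from Malwarebytes. It assumes the rogue process shows up as av.exe, that the installer has been saved as C:\Temp\mbam-setup.exe, and that C:\Temp\decoy is the folder chosen in the install wizard; all three are hypothetical and should be changed to match the machine.

```powershell
# Added example (not part of the original post). Automates the hand-driven
# Task Manager routine: a background watchdog keeps killing the rogue process
# while a renamed copy of the installer, and then the renamed scanner, runs.
$rogueName  = 'av'                              # process name as Get-Process reports it (av.exe)
$installer  = 'C:\Temp\mbam-setup.exe'          # hypothetical download location
$decoySetup = 'C:\Temp\photo-viewer-setup.exe'  # bland name the malware is not watching for
$installDir = 'C:\Temp\decoy'                   # hypothetical non-default folder chosen in the wizard

# Rename the installer so a name-based watch on "mbam-setup.exe" misses it.
Copy-Item -Path $installer -Destination $decoySetup -Force

# Watchdog job: terminate the rogue process every quarter second so the
# installer and scanner get uninterrupted time to run.
$watchdog = Start-Job -ScriptBlock {
    param($name)
    while ($true) {
        Get-Process -Name $name -ErrorAction SilentlyContinue |
            Stop-Process -Force -ErrorAction SilentlyContinue
        Start-Sleep -Milliseconds 250
    }
} -ArgumentList $rogueName

# Run the renamed installer; pick $installDir as the target in the wizard.
Start-Process -FilePath $decoySetup -Wait

# The rogue process deleted mbam.exe by name, so rename the scanner as well
# before launching it, and keep the watchdog alive until the scan finishes.
$scanner = Join-Path $installDir 'mbam.exe'
if (Test-Path $scanner) {
    $renamed = Join-Path $installDir 'scan-tool.exe'
    Rename-Item -Path $scanner -NewName (Split-Path $renamed -Leaf)
    Start-Process -FilePath $renamed -Wait
} else {
    Write-Warning "mbam.exe not found in $installDir; the install may have been interrupted."
}

Stop-Job $watchdog
Remove-Job $watchdog
```

Run it from the infected (administrator) account, as the post had to, since Stop-Process needs rights over the rogue process. Renaming defeats only a watcher that matches on file or process name; it does nothing against a rootkit that hides itself from the scanner, which is the separate problem the later post deals with.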