  1. #1 | 2 Star Lounger, Midwest, USA, joined Dec 2009, 108 posts
    I have spent much of my time this week cleaning a friend's computer, then my brother-in-law's computer, and finally my niece's computer. In the first two cases they were running Avast and McAfee. Both had Spybot Search and Destroy and Malwarebytes installed but hadn't updated or used them since the last time I cleaned their machines. Both cleaned up fairly easily from safe mode, basically following the BleepingComputer guidelines. I've explained over and over to them about never clicking anywhere on a popup warning, telling them to use Alt F4 and, if that fails, use the task manager to end the program, but they don't seem to get it.

    My niece's computer may be a complete wipe before it's all done. Rootkit, I think. I ran Rkill about five times and it found nothing. The trojan or virus had turned off all security functions on the computer and blocked any attempt to restart them, even from safe mode. It blocked Spybot and Malwarebytes from calling home for updates. When run in safe mode they both updated but found nothing. ComboFix ran, but right in the command prompt window the first three lines read "access denied" to parts of the drive. That indicates to me that something malicious is running. Windows Update shows all of the security fixes are up to date, but if you read the system log you see that the updates have all failed for about two months. When I first got the machine, any .exe you clicked on that had to do with security popped up a message that said the program couldn't run because its registry entries were scheduled for removal. I started TeaTimer (from Spybot) from safe mode and it tried to work when I booted the computer into the normal user mode. TeaTimer blocks any attempt to change the registry and opens a popup where you can allow the change or deny it. On boot it kept popping up warnings that something was trying to change the registry keys for Spybot and Malwarebytes, but the Allow button was the only one that would work; the Deny button was grayed out.

    My son and I took out the hard drive and hooked it up to his Mac to scan. It found some things and corrected them, but we haven't had time to put it back in the computer yet. I'm not sure, but I don't think the registry gets scanned when the drive is connected as a second drive. Hopefully we can put the drive back in tomorrow and finish the cleaning. We'll hit it with a couple of rootkit removers and see if they find anything. I'm just afraid that there has been too much damage done to just fix it. I wouldn't trust the recovery section on the drive for a reinstall, and I hope my niece has a recovery disk, but I doubt it.

  2. #2 | Medico, Plutonium Lounger, USA, joined Dec 2009, 12,631 posts
    John, will people never listen when told how to do simple things to keep their PCs clean? It only takes a half hour or less each week.
    Try Sophos Anti-Rootkit. It got great reviews from Gizmo Richards, one of the authors of numerous articles in the Windows Secrets Newsletter about free apps.
    BACKUP...BACKUP...BACKUP
    Have a Great Day! Ted


    Sony Vaio Laptop, 2.53 GHz Duo Core Intel CPU, 8 GB RAM, 320 GB HD
    Win 8 Pro (64 Bit), IE 10 (64 Bit)


    Complete PC Specs: By Speccy

  3. #3 | 2 Star Lounger, Calif, joined Dec 2009, 182 posts
    Hi John:

    Regarding your niece's computer: Rkill.com should only be run once, using only the latest updated version, so I am unsure as to why you ran it so many times. As an alternative to Rkill, I prefer the lesser known "exeHelper" program, which is used by the malware-fighting experts on the Geeks To Go forums. This program is available at http://www.raktor.net//exeHelper/exeHelper.com .
    Double-click on exeHelper.com to run the fix.
    A black window should pop up; press any key to close once the fix is completed.
    After exeHelper is run, then Malwarebytes Anti-Malware should be run. Since at this time the computer only operates in Safe Mode, I do NOT know IF exeHelper can be successfully run, but you can give it a try!?
    IF exeHelper does not help, then I recommend you seek the help of an experienced, trained, CERTIFIED volunteer "Malware Removal Specialist" who can be found on many "Advanced Malware Removal" forums, and the one I recommend is Geeks To Go at http://www.geekstogo...rum/forums.html . Try to follow their "Malware and Spyware Cleaning Guide" to the best of your ability.
    For the BEST in what counts in Life:

    http://www.ctftoronto.com

  4. #4 | 2 Star Lounger, Midwest, USA, joined Dec 2009, 108 posts
    Thanks guys,

    I will give your suggestions a try.

    In regard to running Rkill.com more than once: I was following written instructions from a Malwarebytes forum on removing a rootkit. The instructions were dropped off with the computer by my sister-in-law. Those instructions said to run it multiple times, so I did. You've already read the rest of the story.

    I'll report back on what happens.

    John

  5. #5 | 2 Star Lounger, Midwest, USA, joined Dec 2009, 108 posts
    We put the hard drive back in the laptop and scanned for rootkits, with a clean bill of health. The only problem is the firewall service won't turn on. But this is a common problem with Vista machines, according to a bunch of forums. I found a Microsoft Fix It for the problem. Here is the link: http://support.microsoft.com/kb/943996/en-us. My son is re-installing svc pk 2 on the machine and will run the Fix It when the install completes. Hopefully this will fix the problem.

    While I was typing this my son called to tell me the Fix It timed out. He checked all the necessary permissions for the Fix It and all were OK. He is going to reboot and try again.

    Rebooted and ran the Fix It as administrator; it still timed out. So no luck with the firewall.

    Does sfc /scannow work with Vista?

  6. #6 | Medico, Plutonium Lounger, USA, joined Dec 2009, 12,631 posts
    sfc should work with Vista. Give it a try. Here's hoping for some additional success. I have had the same problems with my mother. She is almost 80 and just does not get it. She is constantly sending email offers to me to check them out. I do now have her updating all AV/AM definitions and scanning once per week with Malwarebytes and Spybot S&D after updating sigs. At least she got this after the last reinstall.
    BACKUP...BACKUP...BACKUP
    Have a Great Day! Ted

  7. #7 | Deadeye81, Super Moderator, North Carolina, USA, joined Dec 2009, 2,654 posts
    sfc is available in Windows 2000 Pro, XP, Vista, and of course Win7.
    Deadeye81

    "We make a living by what we get, we make a life by what we give." Sir Winston Churchill

  8. #8 | 2 Star Lounger, Midwest, USA, joined Dec 2009, 108 posts
    Hi folks,

    This is an update on my niece's computer.

    The system file checker said everything was OK. I opened the event log, which showed the Firewall not turning on with error 13.

    In the VistaHeads forum I found the answer, and it worked. The firewall could not turn on because the Firewall rules in the registry were corrupt. Here is a link to the solution:

    http://www.vistaheads.com/forums/mic...-firewall.html

    I followed the instructions there and the Firewall turned on and stayed on. It was a matter of deleting the corrupt rules, saving the registry, restarting the security services and the firewall, then setting the Allow rules to the default for the firewall.

    So as of right now the computer is clean and protected.

    Thanks for your help, and thanks to the VistaHeads forum for the final bit of help.

    John
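An added, read-only diagnostic for the two symptoms this thread describes (the firewall service that will not start because of corrupt rules in the registry, and the Windows Update failures that only showed in the system log in post #1). This is my own PowerShell, not code from the thread or from VistaHeads; it assumes the standard service name MpsSvc and the FirewallRules key under the SharedAccess service parameters, and it reports rather than deletes anything.

```powershell
# Added example, not from the thread: read-only checks for the symptoms
# described above. Assumes the standard firewall service name (MpsSvc)
# and the FirewallRules registry key; nothing here modifies the system.

function Get-FirewallServiceState {
    # Win32_Service exposes StartMode on older PowerShell versions too
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='MpsSvc'"
    if ($null -eq $svc) { return 'MpsSvc not found' }
    return ('MpsSvc state: {0}, start mode: {1}' -f $svc.State, $svc.StartMode)
}

function Find-MalformedFirewallRules {
    # Each value is expected to look like
    # v2.x|Action=Allow|Active=TRUE|Dir=In|...|Name=...|
    # Anything missing the version prefix, Action or Dir is flagged.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
    $meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    $bad = @()
    $props = (Get-ItemProperty -Path $key).PSObject.Properties
    foreach ($p in $props) {
        if ($meta -contains $p.Name) { continue }
        $v = [string]$p.Value
        if ($v -notmatch '^v\d+\.\d+\|' -or
            $v -notmatch '\|Action=(Allow|Block)\|' -or
            $v -notmatch '\|Dir=(In|Out)\|') {
            $bad += $p.Name
        }
    }
    return $bad
}

function Get-RecentFirewallAndUpdateErrors {
    # Firewall start failures and Windows Update failures both land in
    # the System log; the thread found the firewall failure there.
    Get-EventLog -LogName System -EntryType Error -Newest 500 |
        Where-Object {
            $_.Message -match 'Firewall' -or
            $_.Source -eq 'Microsoft-Windows-WindowsUpdateClient'
        } |
        Select-Object TimeGenerated, Source, EventID, Message
}

Get-FirewallServiceState
$malformed = Find-MalformedFirewallRules
"Malformed firewall rule entries: $($malformed.Count)"
$malformed | ForEach-Object { "  $_" }
Get-RecentFirewallAndUpdateErrors | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt; the rule names it lists are the candidates to review (and back up) before any deletion of the kind the VistaHeads fix describes.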

  9. #9 | Medico, Plutonium Lounger, USA, joined Dec 2009, 12,631 posts
    John,

    Take a while and make images of all the PCs for future use. Then when they come back again it will only take a few minutes to fix them. Many threads in these forums talk about imaging as the easiest way to restore a system in the shortest possible time frame.
    BACKUP...BACKUP...BACKUP
    Have a Great Day! Ted