My friend's XP computer is plagued by some virus/malware... cant get rid of it

Hyper_Psycho (2[H]4U, joined Mar 26, 2002, 2,944 messages)
My friend has a older Dell that runs XP. His anti virus was about to expire and I said, hey don't spend money, get avast.

When he removed McAfee he started getting these popups:



He successfully installed ad-aware and avast and he still gets these popups. Basically every time he opens a folder or does anything the popups resume.

I haven't been over (he lives 40m away) to see this in person and I tried to coach him over the phone, but so far we had no luck.

Any drastic steps that I need to get here? Should I just say, dude your computer is old, time to get win7?

Is there something I should try that I haven't thought of yet?
 
Try nod32. Scan in safe mode. It could be a virus in the master boot record. Years back I had a virus where no matter how many formats/reinstalls of Windows I did it would still be infected. Ended up low-level formatting the hard drive and all was good after. If the virus infected too many system files you might have to reinstall. There is a point of no return lol.
 
Not recently. Need more. Especially those fake antiviruses.

Combination of ComboFix, SuperAntiSpyware, Malwarebytes should do it.

Not true. Malwarebytes will pick up most of today's spyware and picks up all of the fake virus alerts from what I've seen. However most of them will not allow you to install or run the program. They will kill the process.

You must kill the fake antivirus first then run the program
 
malwarebytes.org

/thread

Download and run this

http://www.softpedia.com/get/Antivirus/Remove-Fake-Antivirus.shtml


Then download and run this

http://www.malwarebytes.org/
http://majorgeeks.com/download.php?det=5756


Just cleaned that same infection on a clients PC yesterday with those two tools

Cool, I'll try these and report back tonight.
 
Also, install MSE. It's pretty good at picking up this crap in real time and suspending it so it doesn't take over the screen. I've only found 1 thing MSE couldn't take care of.
 
Some might agree that you should talk your friend into doing a system recovery because once a computer's infected, there's probably always going to be residues left behind leaving you at risk.

It would be a great time to back up his stuff and reinstall his computer after you do a successful scan and removal of this fake antivirus virus.
 
If your friend has the install disks then tell him to do a clean re-install Win XP. You know, format the hard drive before installing the OS.

Before re-installing a clean copy of XP, tell him to perform a scan on all drives except the C:\ drive to make sure they are free of any viruses.
 
Over in the networking and security forum, there's a stickied thread in removing malware. This one you have here is easy, we get lots of those each week to clean up.

MalwareBytes, Symantec's UnhookExec.inf tool, and Microsoft Security Essentials will mop this one up easily. MalwareBytes has a manual definition updater so you can manually update the definitions if the rogue blocked your software updates. And check Internet Explorer's connection settings, it probably flipped it to use a proxy to localhost, so uncheck the proxy.
 
If you rename malwarebytes setup.exe to winlogon.exe most will not kill the process because winlogon.exe is a critical system process. Once it installs you have to do the same thing to run it, rename the mbam.exe to winlogon.exe.
 
My friend got that same trojan. I had to boot into safe mode and run msconfig and turn off everything in there that didn't look familiar (actually just turn off everything that isn't MS).
I downloaded MSE on my netbook and copied it over and installed it.
Ran MSE and it got all of it (at least it seems like it did) and the machine was working fine after I was done.

You may have to check the proxies in IE and Firefox to make sure that the trojan didn't change/add its own proxy.
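Two of the manual checks recommended in the replies above, the IE proxy flipped to localhost and the non-Microsoft entries in the msconfig startup list, can be done from an exported registry snippet instead of clicking through dialogs on a box you do not trust. The script below is an added example and not code from anyone in this thread: it parses the text that `reg export` writes, flags a ProxyServer pointing at loopback while ProxyEnable is set, and flags Run-key entries whose image lives outside C:\WINDOWS or C:\Program Files. The sample registry text is constructed; the key paths and value names are the real ones, while the user name Bob and the file name asd3fhj.exe are made up.

```python
"""Triage a `reg export` text dump for a rogue-AV proxy hijack and for
suspicious autorun entries.  Added example, not code from this thread.

Assumed workflow on the suspect XP box (or its offline hive):
    reg export "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" inet.reg
    reg export "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" run.reg
then:  python triage_reg.py inet.reg run.reg
"""
import re
import sys

# Constructed sample modelled on what these rogues leave behind.  The key
# paths and value names are real; "Bob" and asd3fhj.exe are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"
"ProxyOverride"="<local>"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"asd3fhj"="C:\\Documents and Settings\\Bob\\Local Settings\\Application Data\\asd3fhj.exe"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
LOOPBACK = ('127.', 'localhost')
# Where legitimate XP autoruns normally live; anything else gets a look.
TRUSTED_DIRS = ('c:\\windows\\', 'c:\\program files\\')


def _decode_value(raw):
    """Right-hand side of a .reg line -> int for dword, str for strings."""
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r'\\(.)', r'\1', raw[1:-1])  # .reg escapes \ and "
    return raw  # hex:/hex(2): blobs are left as text


def parse_reg_export(text):
    """Map each [key] to a dict of its value names -> decoded values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = _decode_value(m.group(2))
    return keys


def check_proxy(keys):
    """Rogues set ProxyEnable=1 and point ProxyServer at their own listener
    on localhost so every browser request passes through them."""
    findings = []
    for key, vals in keys.items():
        if not key.lower().endswith('\\internet settings'):
            continue
        if vals.get('ProxyEnable') != 1:
            continue
        server = str(vals.get('ProxyServer', ''))
        if any(tok in server.lower() for tok in LOOPBACK):
            findings.append(f'proxy hijack: ProxyServer={server!r} in [{key}]')
        else:
            findings.append(f'proxy enabled: ProxyServer={server!r} in [{key}], confirm it is expected')
    return findings


def check_autoruns(keys):
    """Flag Run-key entries whose image is outside the trusted directories
    (profile, temp, Application Data ...).  Malware dropped into
    C:\\WINDOWS itself will not be caught by this heuristic."""
    findings = []
    for key, vals in keys.items():
        if not key.lower().endswith('\\run'):
            continue
        for name, cmd in vals.items():
            image = str(cmd).strip().strip('"').lower()
            if not image.startswith(TRUSTED_DIRS):
                findings.append(f'suspicious autorun {name!r} -> {cmd}')
    return findings


def triage(text):
    keys = parse_reg_export(text)
    return check_proxy(keys) + check_autoruns(keys)


if __name__ == '__main__':
    if len(sys.argv) > 1:
        # reg export writes UTF-16LE with a BOM; 'utf-16' handles the BOM.
        dumps = [open(p, encoding='utf-16').read() for p in sys.argv[1:]]
    else:
        dumps = [SAMPLE_REG]
    for dump in dumps:
        for finding in triage(dump):
            print(finding)
```

Run it on a clean machine against the exported .reg files, or from a rescue boot with the offline hive loaded. The trusted-directory heuristic is deliberately simple: a rogue that drops its loader into C:\WINDOWS will pass it, so treat the output as triage, not a verdict, and also look at the HKLM Run key and the Winlogon Shell/Userinit values that these rogues sometimes touch.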
 
Some might agree that you should talk your friend into doing a system recovery because once a computer's infected, there's probably always going to be residues left behind leaving you at risk.

It would be a great time to back up his stuff and reinstall his computer after you do a successful scan and removal of this fake antivirus virus.

Maybe if you don't get it all off... but it is pretty simple to do with a specific set of anti-malware programs.

#0: Uninstall Ad-Aware.. it is a lousy resource hog and doesn't catch a lot of stuff.

#1 : Boot into safe mode with networking

#2: Get Trojan Remover : http://www.simplysup.com/ Update it and then do a scan. Once it completes the scan, it will want to reboot to finish the changes. After it reboots and says file operations complete, uninstall it. It will also fix things that have been disabled by malware such as the Security Center, auto updates, etc.

#3: Get MalwareBytes, update, and then run a full scan: http://www.malwarebytes.org/

#4: Get Spybot S&D, do a custom install WITHOUT teatimer, update, immunize, run a full scan: http://www.safer-networking.org/index2.html

#5: Get SuperAntiSpyware, update, and do a full scan: http://www.superantispyware.com/

#6: Get Microsoft Security Essentials, update, and do a full scan... leave this as your Anti-virus/resident anti-malware: http://www.microsoft.com/security/

It is also a good idea to wipe files from c:\windows\temp and c:\windows\prefetch.
 
This one is not worth trying to remove. You will finish and think you're done and all of a sudden it will creep back.

Save data, wipe and reformat.
 
Some might agree that you should talk your friend into doing a system recovery because once a computer's infected, there's probably always going to be residues left behind leaving you at risk.

x100

All that anti-virus and anti-spyware can do is help remove discovered infection types. That shit isn't what scares me. It's the shit it doesn't find. All that the AV and AS software can ever do is play catchup. They will always be a step behind if not more.

Do a clean install. It's the only 100% way to know that you're clean. Besides, after you run all that stupid anti-spyware and anti-virus crap, you probably could have finished a clean install before being done with those. With the added bonus of knowing you're 100% clean.
 
How does one ensure the MBR is not infected? Does a full re-format also clean the MBR on a drive?
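On the question above: formatting a partition rewrites that partition's filesystem and volume boot sector, but it does not by itself rewrite the bootstrap code in sector 0 of the disk, which is what `fixmbr` in the XP Recovery Console does. The script below is an added example, not code from this thread, for checking that sector yourself. It assumes you captured the MBR from a rescue boot rather than from inside the suspect Windows (for instance `dd if=/dev/sda of=mbr.bin bs=512 count=1` from a Linux live CD), verifies the 0x55AA signature, lists the partition entries, and hashes the first 440 bytes of bootstrap code so you can compare it against the same sector from a machine you trust. The sample MBR it builds when run without arguments is constructed.

```python
"""Inspect one 512-byte master boot record and fingerprint its bootstrap
code.  Added example, not code from this thread.

Assumed capture, from a rescue boot rather than the suspect Windows:
    dd if=/dev/sda of=mbr.bin bs=512 count=1
then:  python mbr_check.py mbr.bin [reference-sha256]
"""
import hashlib
import struct
import sys

SECTOR = 512
BOOTCODE_LEN = 440       # bytes 440-443 hold the Windows disk signature, which
                         # legitimately differs per disk, so the hash stops there
TABLE_OFF = 446
ENTRY_FMT = '<B3sB3sII'  # status, CHS start, type, CHS end, LBA start, sector count


def bootcode_fingerprint(sector):
    """SHA-256 of the bootstrap code; compare with the same sector from a
    machine you trust (or one freshly written by the XP Recovery Console)."""
    return hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest()


def parse_mbr(sector):
    """Validate the signature and return the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError('need exactly one 512-byte sector')
    if sector[510:512] != b'\x55\xaa':
        raise ValueError('missing 0x55AA boot signature')
    parts = []
    for i in range(4):
        off = TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        parts.append({'index': i, 'bootable': status == 0x80, 'type': ptype,
                      'lba_start': lba, 'sectors': count})
    return {'bootcode_sha256': bootcode_fingerprint(sector), 'partitions': parts}


def mbr_report(sector, reference_sha256=None):
    """parse_mbr plus a verdict on whether the bootstrap code matches a
    reference fingerprint, when one is supplied."""
    info = parse_mbr(sector)
    if reference_sha256 is not None:
        info['bootcode_matches_reference'] = info['bootcode_sha256'] == reference_sha256
    return info


def build_sample_mbr(fill=0x90):
    """Constructed sample: NOP-filled bootstrap, arbitrary disk signature,
    one bootable NTFS (type 0x07) partition starting at LBA 63."""
    sector = bytearray(SECTOR)
    sector[:BOOTCODE_LEN] = bytes([fill]) * BOOTCODE_LEN
    sector[440:444] = b'\x12\x34\x56\x78'
    struct.pack_into(ENTRY_FMT, sector, TABLE_OFF,
                     0x80, b'\x01\x01\x00', 0x07, b'\xfe\xff\xff', 63, 20964762)
    sector[510:512] = b'\x55\xaa'
    return bytes(sector)


if __name__ == '__main__':
    if len(sys.argv) > 1:
        with open(sys.argv[1], 'rb') as f:
            data = f.read(SECTOR)
        ref = sys.argv[2] if len(sys.argv) > 2 else None
    else:
        data, ref = build_sample_mbr(), bootcode_fingerprint(build_sample_mbr())
    report = mbr_report(data, ref)
    print('bootcode sha256:', report['bootcode_sha256'])
    for p in report['partitions']:
        print('  entry %d: type 0x%02x  boot=%s  lba=%d  sectors=%d'
              % (p['index'], p['type'], p['bootable'], p['lba_start'], p['sectors']))
    if 'bootcode_matches_reference' in report:
        print('matches reference:', report['bootcode_matches_reference'])
```

A matching hash only tells you the 440 bytes of bootstrap code are the ones you compared against. Boot-sector malware can also park code in the unused sectors between the MBR and the first partition (LBA 1 to 62 in the sample layout), so if the MBR checks out and the machine still misbehaves, image that gap as well.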
 
Besides, after you run all that stupid anti-spyware and anti-virus crap, you probably could have finished a clean install before being done with those. With the added bonus of knowing you're 100% clean.

Vast experience has shown me otherwise.

The rogues/fake alerts these days, such as the one he posted in the screenie, over 95% of them...they're quite easy to remove. The other 5%, I don't run into many of those, they usually only become difficult if the end user followed the prompts and went and downloaded/installed it. In the screenie above, that's just a stub loader, it's not fully on the rig yet. We have waves of these PCs coming into our office for cleaning every week. Heck just 2 days ago I walked an end user into cleaning it over the phone.

A lot of people run out and say "It's quicker to wipe/reinstall" than to clean. Well...not true...if you're partially competent at cleaning. But if you're going to properly support this end user, you have to go down the road of "What is it you need to back up..what do you need to save?"
***My Documents...easy. Desktop stuff..easy. Browser faves...easy. E-Mail folders/addy books...easy. E-Mail settings....ahh...here comes a possible unknown...does the end user always know their password?
***Peripherals....like printers, scanners, fax machines, Cameras. Add more time to run out and download the latest drivers and install/configure. Camera...oops...wait, was it an older model that kept alllllll their pictures in a non-standard location like Program Files\Canon\Image library instead of My Docs\My Pictures...did you remember to back that up?
***iTunes....ah crap, gotta go through that import libraries bullshit again, and lets hope they remember their iTunes account credentials...here's one most people forget.
***It runs on their home wireless network, they forget their security key to the wireless, the SBC DSL guy set it up for them and they can't remember the password to get into that crappy 2Wire SBC DSL router web management.
***They have an oddball home built cloner PC with weird brand name parts that will send you on the driver hunt for hours for some unheard of el cheapo onboard NIC or video driver
***They run some oddball software that breaks if you do certain things like run all your Windows Updates and you installed the latest .NET Framework 3.5, and this application breaks if you have anything higher than .NET Frame 1.1. Yeah it shouldn't break, yeah .NET Frame should conflict with versions...but in the real world it happens..and it can lead to hours and hours of manual cleaning of .NET to revert back a few versions.


If you're to take on the task of wiping the persons computer clean, you should also be responsible for getting them back up and running, and all the above stuff is often overlooked when someone says "Oh it's easy to wipe and clean your machine, it'll only take me an hour, I'll do it for ya". Think ahead. ;)

The tools that are out there today, the good ones, they do a good job, they've been at this cat 'n mouse game for a while now. The vast majority really are easy to clean off of the machines without recurrence. I don't like repeat trips, I don't like to go back and clean a system the second time, I make more money doing my network and server stuff, I waste time and it's really a loss for me to sit there and spend multiple trips cleaning the same PC over and over, so believe me...I'd know if I had to go back time and time again because some rogue wasn't completely cleaned off and kept coming back.
 
I had NOD 32 installed and that damn software VirusSoft Ransomware got thru and installed itself on my wife's computer. Had to run Spybot in Safe Mode to clean it out. Thanks Eset for the $58.00 I spent on your software......
 
I understand most PC's can be cleaned, but there is no 100% way to know you're well, 100% clean. I have seen the especially nasty stuff out there. Things you can't easily find such as certain rootkits. You run a couple of cleaner programs, and they find and remove spyware. Run a different one and it finds stuff that the other two missed. Considering this, it seems logical that there are things that slip under the crack entirely.

That's my view though. The really good viruses and spyware aren't going to boast their intrusion. And considering people are throwing out their personal info and credit card numbers over the internet, why risk it?
 
This is why you examine services, startup and use additional tools like HijackThis. It is quite simple to ensure a machine is 100% clean. At work is your SOP on an infected machine to just to re-image the thing? Somehow I seriously doubt it.
 
Rootkit - Most rootkits typically hide files, processes, network connections, blocks of memory, or Windows Registry entries from other programs used by system administrators to detect specially privileged accesses to computer system resources.

And that leads to my point. By the time you spend the time to "properly" clean a system, you could have reinstalled by then. Most people use what? maybe two or three programs for cleaning? I have a lot more than that and each one finds something new if the infection is bad.

Sure, the odds are you'll get everything if it's a mild infection. But the bottom line is, there is only one 100% failsafe solution.
 
I too recommend the wipe and reinstall method..but thats just me.
 
And that leads to my point. By the time you spend the time to "properly" clean a system, you could have reinstalled by then. Most people use what? maybe two or three programs for cleaning? I have a lot more than that and each one finds something new if the infection is bad.

I dunno, reinstalling everything could take hours. If I suspect rootkits, I pull the drive and scan with another computer as the first step, doesn't take very long at all.
 
That's a good point. Some users have had their install for years. Plus, my slipstreamed disk has spoiled me a bit. :)

I always give the customer the choice. As long as they know the risk, there is no issue either route you take. And there are plenty of customers out there who don't wish a reinstall.

I had one guy get grumpy with me once because he got infected a week later after I cleaned his PC. He claimed I didn't get rid of all the infection. While I suppose that's possible, it's more likely he is doing something unsafe to get re-infected. Regardless, it can be hard to prove considering the nature of malware.
 
I have seen the especially nasty stuff out there.

Same here..I do computers for a living, networks, support, etc. Live and breathe this crap every day.

Yes there are a couple of very nasty ones out there, but the vast majority of these rogues/fake alerts are really just a nuisance, and quite easy to clean off. Working with sheer volumes of them, it's easy to recognize 'em. It's just nag-ware designed to get you to surrender your credit card..once they get it, your ### is off on the black market.

Just like if something happens to your car, have to determine if you want to "total" the car with your insurance company...or simply fix it. Sometimes just getting a 1" scratch on the side of your door doesn't warrant trying to total your car. ;)

Another point I forgot to add to the list of stuff to think about ahead of time before wiping someones computer...do they have all their installation disks..and just as importantly...license keys. How many times have you gone to format a computer, and find out they had a new/higher OS on it than the restore disks or license on the case have? Or they "borrowed" MS Office from someone to install it a year ago, and can't find that disk again. If they don't have it, they're out of luck...until they go purchase a new copy. Cuz they don't get loaner/pirated copies from me...no way, they're outta luck there.
 
Slipstreamed? I assume it's XP or Vista then?

If you had Windows 7, you'd see why a lot of us say you would save time reinstalling. Win7 install is super quick and almost entirely automated.

A friend of mine across the country wanted Win7 and I convinced her to do it herself. She came back online in less than an hour and sang praises on how super easy it was and how well Windows Update installed every one of her drivers without fail.

Of course your mileage will vary, but I think the general consensus is that reinstalling that computer with Win7 will not only wipe that computer clean, but will enhance your security and improve your computer for the most part.
 
Win 7 installation is awesome. I had Vista, popped in the win7 CD, chose the upgrade option, went to make dinner, came back and my computer was back on, upgraded, with firefox having all the tabs I had left open in Vista. I nearly cried from the awesomeness. :cool:
 
Trojan Remover is VERY GOOD at removing rootkits. It detects and gets rid of stuff the other scanners can't even see.

As for things that jack up registry permissions, there are some scripts that can completely reset registry and file permissions back to default.

I haven't run into a computer for at least a year now that I haven't been able to completely clean.
 
A boot-time scan would certainly prevent any malware from hanging on, since even in safe mode you can't guarantee the malware isn't active.
Maybe UBCD4Win?
Update the Antivir and A2Free, put it on a USB drive, boot and clean. After that, run MBAM in Windows.

Or, if he still has Avast Installed, and it's a 32bit OS, then there is a built-in boot scan.
 
UBCD4Win is awesome. I had mine loaded with everything back in the day. Some of the anti-spyware stuff runs in Linux too with wine. Either can be effective tools as you know you have 100% control over the infected drive you're cleaning.
 
If you rename malwarebytes setup.exe to winlogon.exe most will not kill the process because winlogon.exe is a critical system process. Once it installs you have to do the same thing to run it, rename the mbam.exe to winlogon.exe.

I think I have something similar on my PC. But I'm not sure what you mean by all the renaming of the setup executables. Can you please explain? Sounds like you're renaming twice.
 
I think you should use the Avira rescue CD. It's a bootable Linux partition; have it scan and rename some of the files. I'll be honest, once the system files become infected would you really feel comfortable allowing a friend to use this for banking?
 
The trickier malwares will watch not only for the anti-malware applications but for their installers, and kill them if they can. So to deal with that kind of malware, you'll need to rename both.

When you go to malwarebytes.org and download the Anti-Malware program, you're actually downloading the installer, which is called "mbam-setup.exe"; you would need to download that, rename it to winlogon.exe, and run it to install Anti-Malware. When the installer is finished with the install process and asks to run Anti-Malware, say no! Then go to the Programs folder on your PC, find the Malwarebytes folder, and in there, change the name of mbam.exe (I think that's what it's called) to winlogon.exe.
 
evilsofa did a pretty good job of explaining it, but just to make sure you understand: you want to rename the installer (setup.exe) and then the program executable (mbam.exe). Renaming the first file allows the program to be installed; renaming the second file allows it to run.
 
When I uninstalled mbam, I got a message saying it couldn't uninstall everything - that I had to manually delete the rest. Well I couldn't find any evidence of mbam in the programs folder, desktop, etc. So I did the rename of the installer to winlogon.exe and when it tried to install, there was an error code 2 that came up. And when I looked in the mbam folder (in the program files folder), there was no mbam.exe to be found. Now what?
 