Malware blocking taskmgr, safe mode, and spyware removal sites

Syndicated_Death

I've got a computer on my hands that has got one hell of a bit of spyware/malware on it. The damn thing has disabled Task Manager for all accounts, made it so I can't boot to Safe Mode, and is blocking all web access needed to get the machine cleaned.

So I figured OK, I can handle this... wrong.
I slapped in an Ubuntu live boot CD and downloaded Spybot S&D, booted back into Windows and started to install it. Well, naturally the installer wants to pull files off the website for the install, but that's being blocked via loopback. So I figured OK, check out the hosts file, remove the loops and I should be good. Nope, nothing in the hosts file at all.

The damn thing has a popup in the tray that says I've got spyware, click to download more spyware, and it's turned Active Desktop on so the desktop says the same: click here to download more spyware... OK, OK, it doesn't say to get more, it is just trying to get me to by saying click here to download a bogus spyware removal tool.

So as of now I have the drive out and am running a Windows Vista Defender scan on it. I don't know if that's going to help and/or work, but it was worth a shot.

On the off chance this doesn't work, has anyone else had any experience with this critter and eradicating it?
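 
A check worth doing when the hosts file looks clean but security sites still go to loopback, added here as an example and not part of the original post: Windows reads its hosts file from the directory named in the Tcpip DataBasePath registry value, so an empty drivers\etc\hosts does not prove there is no hosts-based block. The script below resolves the directory Windows actually uses, parses that hosts file, and lists every non-localhost name mapped to 127.0.0.1, 0.0.0.0 or ::1. It assumes an elevated PowerShell prompt on the infected machine; an XP SP1 box will not have PowerShell, in which case the same two steps are `reg query` on the Tcpip Parameters key followed by reading the file it names.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Step 1: find the hosts file Windows really uses. Malware can repoint
# DataBasePath so the file everyone looks at under drivers\etc stays clean.
$tcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$hostsDir = (Get-ItemProperty -Path $tcpipParams -Name DataBasePath).DataBasePath
$hostsDir = [Environment]::ExpandEnvironmentVariables($hostsDir)
$hostsFile = Join-Path $hostsDir 'hosts'
Write-Host "Active hosts file: $hostsFile"

# Step 2: flag every mapping that sends a non-local name to a blackhole address.
$blackhole  = @('127.0.0.1', '0.0.0.0', '::1')
$localNames = @('localhost', 'localhost.localdomain')

$suspicious = foreach ($line in Get-Content $hostsFile) {
    $clean = ($line -split '#')[0].Trim()      # strip comments and whitespace
    if (-not $clean) { continue }
    $fields = $clean -split '\s+'
    if ($fields.Count -lt 2) { continue }      # need an address and at least one name
    $addr = $fields[0]
    if ($blackhole -notcontains $addr) { continue }
    foreach ($name in $fields[1..($fields.Count - 1)]) {
        if ($localNames -notcontains $name) {
            [pscustomobject]@{ Address = $addr; Name = $name }
        }
    }
}

if ($suspicious) {
    $suspicious | Format-Table -AutoSize
} else {
    Write-Host "No loopback redirections in $hostsFile"
}
```

If the active hosts file is genuinely clean, the block is not a hosts entry and the next places to look are the per-user Internet Settings proxy values (ProxyServer and AutoConfigURL under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings), since a proxy pointed at the malware's own listener blocks downloads just as effectively.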
 
There are several that do this. What is the name on the window it pops up?

Easiest is to back up the data, format and reinstall.
 
Yeah, I was completely ready to do that, right up until the part where I realized that this Dell didn't have the recovery partition.

Fortunately Defender did find the dirt on the drive: a few trojans, adware, and a spyware. Vundo, clickspring, renos-gen, web hancer, renos cr, matcash, and arove.

So I did some more digging on the machine... the McAfee antivirus failed its last update, and for some reason Windows Automatic Updates were turned off altogether and it was still on SP1. So! Here's to hoping.

thanks for your response!
 
Spybot doesn't need to connect to the internet to install; just un-check "download updates immediately". Also, you can download Spybot updates separately from the website for just such a situation. I've run into a lot of these myself lately, specifically one called Antivirus 2009.
 
With something like this, you really don't want to use an automated "user" tool like Spybot. This is one to get out the big guns. Use HijackThis, ProcessExplorer, and Unlocker and start weeding it out (or use HijackThis to find it, and Ubuntu Live to remove). Then, come in and clean up with tools like Spybot.

I'm curious WTH the user was doing to get all that crap on there.... though I can probably imagine.
 
The only thing she did was use an outdated box, really. Between using XP SP1 and IE 6, it was a lose-lose.

It used to be a box she used for work. I'm guessing the admin had auto updates off so he could test them before implementing them. The downside was that he wasn't implementing updates for those who worked from home.

Like I said though, I took the HDD out, had Vista clean it up, then put it back and then did Spybot. I also ran HijackThis, which found relatively little compared to Spybot.
 
You should be able to re-enable Task Manager through the registry. I encountered a piece of malware that did the same thing a couple of years ago. The first thing it did was modify the registry to disable Task Manager from running on all accounts, even admin.

Once you can get into task manager you should be able to end whatever is running and kill it with a good scan.

I strongly recommend ESET's free online scanner. I have used this quite a few times and it's cleaned up some of the worst messes I have ever seen on client computers.
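 
The registry fix the reply above refers to, written out as an added example rather than anything from the thread: Task Manager is disabled by the DisableTaskMgr value under Policies\System, and because that key lives in each user's hive as well as in HKLM, "all accounts" means clearing it in HKLM and in every loaded hive under HKEY_USERS, not just HKCU. The script also clears DisableRegistryTools, which the same family of malware commonly sets alongside it. It assumes an elevated PowerShell prompt; on an XP SP1 box without PowerShell the equivalent per-hive command is `reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /f`.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Clears the DisableTaskMgr and DisableRegistryTools policy values in HKLM and
# in every user hive currently loaded under HKEY_USERS.
$subKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$values = @('DisableTaskMgr', 'DisableRegistryTools')

# Machine-wide policy key plus one Policies\System key per loaded user hive
# (the *_Classes hives hold file associations, not policy, so skip them).
$keys = @("HKLM:\$subKey")
Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { $keys += "Registry::HKEY_USERS\$($_.PSChildName)\$subKey" }

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }        # key absent: nothing to clear
    $props = Get-ItemProperty -Path $key            # all values under the key
    foreach ($name in $values) {
        $val = $props.$name                         # $null when the value is not set
        if ($null -ne $val -and $val -ne 0) {
            Write-Host "$key : $name = $val, removing"
            Remove-ItemProperty -Path $key -Name $name
        }
    }
}
```

Two caveats. First, only hives of users who are currently logged on appear under HKEY_USERS; another account's hive has to be loaded first with `reg load HKU\<name> <path to that profile's NTUSER.DAT>` (placeholders, not values from the thread) and unloaded afterwards. Second, the running malware will simply set the value again, so as the reply says, the point of clearing it is to get Task Manager open long enough to end the process, then let a scanner remove what restarts it.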
 
Wow man!
I am sorry to tell you, but I recently had the same problem on my network and I had to clean all my disks of a file that was a virus thing... an autorun.exe on every disk, and I had to clean it, and only on Linux did I manage it! So I suggest you: Linux and clean the Windows partition, or format and install everything again! :)
 
Boot to a Linux live CD.

Create a disk image using your favorite VM.
Write zeros to every physical disk in the system using dd.
Re-install Windows.
Update the crap out of it. (No Flash, no Java, no Acrobat, no Shockwave, no Office.)
Install your favorite anti-crapware.
Update anti-crapware.
Mount the VM disk in Linux.
Move necessary files, being careful with Office docs, Flash files and PDFs.
Back into Windows and log in under a heavily restricted user account that has read/write privs to the recovered dir.
Scan the recovered files.
Kill what shit made it back from the original infestation.
Snapshot with the VM.
Install apps.
Update apps.
Good as new... maybe. :p
 
MBAM cleans a lot of it. If it doesn't, you gotta use a utility to get onto the hard drive without Windows running; Knoppix could work. Delete the bad files in Windows, system32, Program Files.

Run CleanUp! and CCleaner in Safe Mode after MBAM.

Update Spybot and run it in Safe Mode; should be good.
 