Computer is melting down!
December 27, 2009 11:26 AM   Subscribe

Overrun by malware / viruses. Anti-virus programs won't work, system restore is blocked, files are being damaged - I don't know what to do!

Yesterday I returned to my computer and I saw a popup for "Malware Defense". I don't remember clicking anything on it (I believe I just closed it) but it's definitely a malicious fake program. At the same time I noticed porn shortcuts on my desktop and virus warnings coming from Windows Security on the bottom right.

Here's what happens:

I turn on the computer.
First message I see after Windows loads is:
Googleupdate.exe - Application error:
A breakpoint has been reached

Then it brings me to the fingerprint scanner, which is acting weird, making me scan twice as well as hit enter (usually I just scan once).

Then I receive error messages about Google Installer:
"Google Installer encountered a problem and needed to close."

As well as an error message for ViewMgr.

In the bottom right, there are virus messages for "Trojan-downloader.JS.Multi.ca"

I click "enable protection" and immediately a popup appears for Malware Defense, which I promptly close.

Here are other worms, trojans, etc. that have popped up, with frightening descriptions (keyloggers, password catchers, remote control, financial information, etc.):
email-worm.win32.netsky.q
trojan.win.agent.dcc
net-worm.win32.dipnet.d
win32.gpcode.ak
virus.win32.hala.a
Rootkit.Win32.Agent.pp
Backdoor.Win32.Kbot.al
Virus Chin09.win

I've attempted to use the following antivirus programs:
AVG
Antivir
Kaspersky (free version)

As well as tried to use Malware Bytes and Spyware doctor. All of these programs will not open. I rename the executables and try to use them and it still doesn't work. I also rename the extensions, and no luck.

When not in safe mode, I receive several popups that say:
"Security Warning: Application cannot be executed. The file rundll32.exe is infected. Do you want to activate your antivirus software now?"

I can't open most programs. Hijack This won't open, nor can I open the log file I created previously. What is more, I can't upload the Hijack This log to a throw-away email account I just created.

In safe mode, I am able to access all the programs (except blocked antivirus and anti-malware programs).

I try to use System Restore, and it brings me all the way to the screen right before you restore everything - and the Next button does nothing. I suspect it's being blocked by one of the many viruses on the system.

So, to sum up:

1. I'm overrun with viruses
2. Executables are being damaged when not in safe mode
3. Antivirus, anti-malware programs are being blocked
4. System restore is blocked

I've isolated the system, it is no longer online, I've avoided using any passwords on it or emailing anyone while on it.

I've looked around a bit online, and don't know where else to turn. I'd like to ask you, my smart and attractive online friends, for advice on the following:

1. What can I do to fix this situation? What immediate steps should I take?
2. What other forums are good places to ask this question?
3. How can I backup my critical work documents without carrying over the virus as well? Is it possible?

Much love. Any help would be greatly appreciated! If you need more information, just ask, and I'll post ASAP into this thread.
posted by mammary16 to Computers & Internet (20 answers total) 12 users marked this as a favorite
 
Best answer: In 1972, a crack commando unit was sent to prison by a military court for a crime they didn't commit. These men promptly escaped from a maximum security stockade to the Los Angeles underground. Today, still wanted by the government, they survive as soldiers of fortune. If you have a problem, if no one else can help, and if you can find them, maybe you can hire... Combofix.

Download links, in case you can't load the page: one, two.

If you can't run .EXE files, try this registry patch to restore its appropriate association.

From the page: "If your EXE file associations are corrupted, it can be difficult to open REGEDIT, or to even import REG files. To work around this, press CTRL-ALT-DEL and open Task Manager. Once there, click File, then hold down the CTRL key and click New Task (Run). This will open a Command Prompt window. Enter REGEDIT.EXE and press Enter."

Same might work for Malwarebits Anti-Malware and ComboFix.

If you can get Malwarebits to run, try that first. It's a bit less scary. ComboFix is like chemotherapy for computers.
posted by limon at 11:36 AM on December 27, 2009 [3 favorites]


Response by poster: Limon:

Thank you for your quick response!

From the page: "If your EXE file associations are corrupted, it can be difficult to open REGEDIT, or to even import REG files. To work around this, press CTRL-ALT-DEL and open Task Manager. Once there, click File, then hold down the CTRL key and click New Task (Run). This will open a Command Prompt window. Enter REGEDIT.EXE and press Enter."

Tried this - still, can't get any of the programs to run. Also, I'm a bit wary of using Combofix, since every place I look for advice strongly warns against using it unless you know exactly what you're doing... which certainly doesn't describe me!
posted by mammary16 at 11:47 AM on December 27, 2009


Best answer: Backup your data to an external drive, disconnect it, then reinstall Windows. It's the quickest way. I don't know what you did, but Windows makes it complicated enough to unravel all of this nastiness that reinstalling becomes the best answer.

I know, we're all curious about what all is going on here, but ultimately I imagine you just want a machine that works. The choice between spending two hours reinstalling rather than 12 hours deleting hundreds of registry keys or getting EXEs to run again seems to be an easy one.
posted by rhizome at 11:56 AM on December 27, 2009 [6 favorites]


To back up your files, you can use Knoppix. It's a Linux live CD - meaning you can run the OS from the CD drive with out installing it.

Download it, burn it. Insert the CD in the infected computer & boot from the CD drive, not the hard drive. (It should do this automatically when you turn the computer on with the CD inserted - if not you may have to change the boot order.) Use this to copy your files off the hard drive.
posted by nangar at 12:01 PM on December 27, 2009 [1 favorite]


I agree with rhizome. Once you back up your files, the best thing to do is probably to do a fresh install of the operating system.
posted by nangar at 12:11 PM on December 27, 2009


This happened with one of our work computers recently, complete with the porn. Yep, porn.

The guy that came to work on it said a lot of people were dealing with this lately, so I wonder if something is going on....
posted by St. Alia of the Bunnies at 12:15 PM on December 27, 2009


Response by poster: I suppose that's the best way to go. Thank you everybody for your answers!

One thing - I don't have the Windows CD. Is it possible to do a clean restart of the system without the Windows XP CD?
posted by mammary16 at 12:19 PM on December 27, 2009


mammary16, I had to run Combofix a while back, I was scared witless because of the warnings I'd read online, but it was easy enough to follow the instructions and prompts, and it worked when nothing else did.
posted by essexjan at 12:20 PM on December 27, 2009


Boot the system from an Ubuntu bootable CD, copy the files you want to keep onto a large-ish flash drive, and nuke the site from orbit...
posted by thewalrus at 12:25 PM on December 27, 2009


Response by poster: I am able to enter Windows through Safe mode, so I'm backing everything up from there. Anything to worry about w/r/t viruses / trojans / worms etc. stowing away on my backup drive? I'll be sure to virus scan it when I retrieve the info, but is there any trick in particular I should use?

essexjan - OK, you convinced me - I'll try using Combofix before reinstalling!
posted by mammary16 at 12:29 PM on December 27, 2009


Is it possible to do a clean restart of the system without the Windows XP CD?

No. Go with Combofix then. Important thing - back up your data first.
posted by nangar at 12:32 PM on December 27, 2009


Best answer: I would try to find a Windows Disc or make a restore CD in windows if it is stable enough. Otherwise, you may be able to find a legit copy of XP for pretty cheap online and have it mailed.

Try to backup all of your media files but let the rest of it go down with the computer. The media will be easy to scan for viruses once you have your OS reinstalled.

I have helped people with tons of viruses over the years and now I have one set system that is the least time consuming.

1) Backup media files on separate drive
2) Reinstall Operating System
3) Install Antivirus and run Spywareblaster for browsers
4) Update computer to the latest windows updates
5) Attach Backup drive and scan ---> prepare to delete it if you are anything less than 100% sure it is not infected.
6) Enjoy nice clean computer with no residual viruses
posted by occidental at 12:50 PM on December 27, 2009 [1 favorite]


Nthing back up and reinstall. A friend of mine is dealing with this--incredibly frustrating.
posted by Riverine at 2:25 PM on December 27, 2009


I agree, unplug from the network and reinstall. At work we have to do this all the time. Much better than trying to fix the thing.
posted by fifilaru at 2:31 PM on December 27, 2009


Take a look at the footnote in the instructions in my profile for the really nasty stuff. And good luck.

Watch out for using ComboFix right now, there's a bug in it that's deleting too many files.
posted by deezil at 2:38 PM on December 27, 2009 [1 favorite]


Combofix will work.. its an incredibly good program.

deezil said: "Watch out for using ComboFix right now, there's a bug in it that's deleting too many files."

They pulled it offline for about a week.. and its back now.. is the new version having the same problem?.. (I've used the fresh new version..and had no problems with it)

The reason Executables are not working is probably because you have a Rootkit intercepting system calls (injecting itself before the Executables have a chance to launch successfully).

After running Combofix.. you should also run GMER. It's a rootkit scanner and will tell you if there is any "suspicious activity" still remaining.
posted by jmnugent at 3:11 PM on December 27, 2009


Hadn't seen where they had put it back up, last I checked (about a week ago) it was still killed. Thanks jmnugent.
posted by deezil at 6:48 PM on December 27, 2009


I strongly suggest copying all your important files to an external drive or other partition, and then reformatting your hard drive. There's a good chance that a part of the virus could remain in part of your drive. If your installation is unstable, use a live Linux CD. I like Slax, but you could also use an Ubuntu installation CD. You're bound to find one already made if you live on a college campus or other place with a decent nerd concentration.

Disconnect the drive with your backed up files, and format your Windows partition and reinstall it. Once it's back, set up an antivirus and then scan your backed up drive before you copy them back to your installation. I personally like Microsoft Security Essentials because it's free, lightweight and works quickly (plus, I like the karmic justice of Microsoft providing an antivirus for the holes they've failed to patch).

It may be overkill, but if you use this installation to store vulnerable data, it's all worth it on the off chance a piece of spyware that hunts for credit card numbers has access to your vulnerable machine. If it's purely a game machine that you never enter any sensitive data on, a decent scan and repair may be okay. I wouldn't risk it.
posted by mccarty.tim at 7:48 PM on December 27, 2009


my dad's puter had something similar a coupla weeks ago.. i restarted the system and the SECOND windows was on opened task manager and "stopped task" on anything that looked odd.. (if you don't know what usually opens on startup, this method is somewhat risky) .. after that (or again IMMEDIATELY on startup) open up MAlwarebytes and start the scan.. it took a coupla tries to 'beat' the virus to the punch, but i got that sucker.. then ran AVG on windows sys/sys32 and prefetch files and then ran iobit's total system care.. lastly regedit and cleared the ACMRU data.. and then the temp files and cookies and whatnot...seems fine now.. good luck
posted by axmikel at 8:28 PM on December 27, 2009


I'm not sure how Microsoft would view this but you could always borrow a copy of your operating system from a friend (make sure it is the exact same version) and use that to reinstall - making sure, of course, that you use the serial assigned to you.
posted by mr_silver at 1:48 AM on December 28, 2009


« Older What would you do with delicious but ugly fudge?   |   Help me with this Korean War era, U.S. Navy... Newer »
This thread is closed to new comments.