August 9, 2010 6:16 PM

How to remove "rogue scanner 1514" Windows malware?

My mother in law's computer (XP SP3) is infected with something called "rogue scanner 1514," according to AVG. Windows Firewall is complaining that port 3076 is open. She can't access any web sites. Somehow this happened when she was downloading a video and logged into her own (non-admin) account, but it seems to have affected all users.

She's not much of a computer user, and I live far away and won't be seeing her for a few months at least. And I'm far from a Windows expert myself. I was able to coach her through booting in safe mode and running Malwarebytes, but it didn't have any effect. I know she has AVG installed as well (but I guess it didn't work).

I would post the Malwarebytes and AVG logs, but I'm not sure she's capable of sending them to me.

Is there some simple program that I can tell her to run that will get rid of this malware/spyware/thing?

If you have non-computer-literate relatives who live far away, how do you keep them from getting tons of viruses? She can't afford a Mac.
posted by miyabo to Technology (7 answers total) 1 user marked this as a favorite
Can she access websites in safe mode with networking? If so, try the Trend Micro Housecall site. That's my favorite online virus scanner app.
posted by omnipotentq at 6:51 PM on August 9, 2010

As a programmer, I have said this before and I'll say it again.... reinstall Windows from scratch and put a good antivirus program on it (Kaspersky, etc). Once the operating system has been compromised, trying to quarantine it is really a band-aid.... some of the malware out there is so sophisticated that you're better off wiping the OS and starting from scratch. Plus if there's an AV program showing a virus right now, it's plausible that the surfing/clicking habits that may have allowed this on the system have resulted in other stuff being installed.
posted by crapmatic at 7:37 PM on August 9, 2010 [3 favorites]

These viruses are evil, evil things. This guy's instructions are good. I've also referred to Bleeping Computer a lot.

When doing the Malwarebytes scan, she will need to be in as a full Administrator, otherwise mbam won't scan other users' data and prevents it from being fully wiped. (Ask me how I know...)

As for keeping systems clean, you have to make sure that all updates for the OS, software, and antivirus programs are done automatically with no input from the user. Get the user on a browser with ad-blocking to prevent compromised advertisements from infecting the machine. A USB key with emergency software (Malwarebytes installer, hijackthis, and others) is very handy as the user can plug it in and run any software without having to get on the internet.

On preview, really think about doing what crapmatic suggested if you do not feel that you would be able to walk her through all this from a distance.
posted by cathoo at 7:41 PM on August 9, 2010

Boot into safe mode. Run Malwarebytes from there. Don't bother scanning in normal mode.

If that doesn't work then download and run combofix.
posted by damn dirty ape at 8:39 PM on August 9, 2010

I battle variants of this thing ALL THE TIME, and getting rid of it takes somewhere between about 3 hours if you're lucky and 15 hours if you're not. It's infinitely easier to back up documents/music/bookmarks and reinstall.

The system can be recovered, but it's not for the faint of heart. My tools of choice are generally the bitdefender AND kaspersky rescue discs, then removing the lan cable and rebooting and running rkill, then ccleaner, then superantispyware portable, then malwarebytes, using revo (or ccleaner) to check for things in startup, rebooting again, making sure the hosts file is clear, running saswp and mbam again to be sure, then attempting to reconnect the cable and make sure it's clear by looking for redirects. Assuming that all works ok, immediately download all available security updates through windows explorer.

Then, if that all goes well, all you have to do is scrub all the recovery points, which will also be infected.

If all that goes well, image the system using something like driveimagexml so that next time, you've got someplace to fall back to.

If you know the exact infection name (which you seem to), bleepingcomputer has some very nice guides w/ direct links to necessary tools.

In the future, use firefox (or chrome), with adblock/flashblock installed always, together they'll block about 90% of bad things. Now avoid visiting free porn sites and using kazaa/bearshare/etc. Not saying you did these things, but that's where most of these things come from.

(and damn dirty ape is generally correct, however MBAM the second time should be run from normal mode, because rootkits load as drivers, mbam and others may fail to see them from safe mode. Any scans in safe mode should be done w/ the network cable disconnected.)
posted by TomMelee at 5:30 AM on August 10, 2010
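The "make sure the hosts file is clear" step in TomMelee's list can be checked mechanically. The script below is an added example, not from any commenter; it parses hosts-file text in the Windows format and flags every entry beyond the stock localhost lines, separating blackholes (names pointed at this machine) from redirects (names pointed at some other address). The sample hosts content and its two bad entries are constructed for the demonstration.

```python
import ipaddress

# Constructed sample in the shape of %SystemRoot%\System32\drivers\etc\hosts.
# The two non-default entries are made up for this example, not from a real infection.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.example-av-vendor.test   # constructed: security site blackholed
203.0.113.7     www.bank.example             # constructed: domain sent elsewhere
"""

# The only entries a stock Windows hosts file should contain.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: nothing here can resolve a name
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def suspicious_entries(text):
    """Return (ip, name, reason) for every entry that is not a stock localhost line."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append((ip, name, "blackholed (points to this machine)"))
        else:
            findings.append((ip, name, "redirected to %s" % ip))
    return findings


if __name__ == "__main__":
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print("%-16s %-30s %s" % (ip, name, reason))
```

To check a real machine, read the hosts file from the path in the comment and pass its contents to suspicious_entries; an empty result means the file only carries the two default lines.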

Response by poster: Thanks everyone.

They had viruses repeatedly until I reformatted the machine about 6 months ago -- I did separate user accounts, Firefox only, AVG antivirus, automated backups to a second hard drive, the whole deal. Seems she got infected while browsing as Administrator, but in Firefox -- didn't think this was likely to happen.

I'd rather reinstall Windows but I can't even imagine coaching her through that on the phone, it would take a month.

For the record I'm a cs grad student and a Linux user, which means my family thinks I know how to do IT support but really I don't have a clue.

Now I just have to decide if I'd rather buy a plane ticket to fly down there and fix it, or just buy them a new computer (that will get infected again).
posted by miyabo at 7:14 AM on August 10, 2010

Seems she got infected while browsing as Administrator, but in Firefox -- didn't think this was likely to happen.

Why wouldn't it? Firefox has all sorts of vulnerabilities and if she's behind on patches then they will be exploited. On top of that she probably has flash installed, which also has published holes. If she has Adobe reader then it's the same deal. Java also has a pretty big recent hole. According to a recent article by Brian Krebs, it looks like the Java exploit is currently the most popular. Make sure to update it when done.

Running as admin is just a bad idea all around. There is just too much exploitable software. Ironically, IE7+ in Vista and 7 is run in a sandboxed mode by default for the 'internet zone' which makes it safer, in theory, than FF or Opera which is just run as a normal application.

You could try training her to run Firefox as a limited user via runas, which can be automated using a script with savecred, if running as a limited user is too difficult. Use Foxit instead of Acrobat. Use Security Essentials instead of AVG. But generally, just being limited user means no more infections.

If you have non-computer-literate relatives who live far away, how do you keep them from getting tons of viruses?

Typically I use crossloop for remote control and encourage limited user accounts. I find that XP is a security nightmare and nothing short of limited account can really help. Vista/7 use the UAC and IE sandboxing which seems to make a pretty big difference. I also don't install Java (I find most people don't have a need for it) and use Foxit instead of Adobe.
posted by damn dirty ape at 7:50 AM on August 10, 2010
