They went to a bad place
August 20, 2010 6:25 PM   Subscribe

So, we loaned our "spare" computer to our neighbor and it came back infected...

We have traced the problem to a virus called "Security Suite." We have done all of the recommended things including rKill (iExplore), Malwarebytes Anti-malware and Super Anti-Spyware. We get to a point (repeatedly) where we have removed all corrupted files and get a "0" with all three programs, but the virus is still there and won't let the computer access either FireFox or Explorer.

Any thoughts?
posted by Old Geezer to Computers & Internet (28 answers total) 7 users marked this as a favorite
Spybot Search & Destroy, run on the next start up.

Good luck, that virus is a pain in the ass.
posted by theichibun at 6:28 PM on August 20, 2010

Look up the profile of metafilter member deezil. He has an extensive list of steps to take.
posted by dfriedman at 6:30 PM on August 20, 2010 [3 favorites]

Nuke it.

A virus can be nasty to eradicate—you never know whether you've gotten the whole thing. I can never trust a computer again after it's gotten a virus. I grab any crucial information off it (careful. Convert documents to plain text where possible—Word documents and PDFs can be vectors for viruses) and reinstall a new OS.
posted by sonic meat machine at 6:32 PM on August 20, 2010 [2 favorites]

I recently got rid of Security Suite on my computer. I think it attacked so successfully because I had a lot of updates that I forgot to install. Getting rid of it wasn't difficult but took time. I ran the Malwarebytes scan in safe mode on my Admin account then took care of all the missing Windows and software updates. Then I logged in regularly to my personal account (the one I was using when the attack occurred) and ran Malwarebytes again.

It cleaned the virus out and the computer is working fine now.

I tried to run rKill at one point and couldn't get it to work.

Good luck!
posted by thewestinggame at 6:36 PM on August 20, 2010

seconding spybot (in windows safe mode) and "hijack this" as well
posted by pyro979 at 6:36 PM on August 20, 2010

Malware removal is a fairy tale. Back up any data you care about off the machine, and reinstall your OS. Recovering from an administrator-level infection is rather difficult. The malware may have replaced portions of your OS - how exactly will a cleaner program restore them back to a pristine condition? Even if you get the malware off odds are that you will encounter weird errors on the machine forever after.

Next time, don't let them have admin rights. (If they didn't have admin rights, then destroy the infected profile and recreate a new clean one.)
posted by benzenedream at 6:38 PM on August 20, 2010 [3 favorites]

Response by poster: @thewestinggame I did all that and rKill as well. It worked well enough to end up with, supposedly, no infected files. Yet, no access to the internet and the virus is very much in charge.

@benzenedream They didn't have Admin rights. They simply went somewhere that downloaded the malware.
posted by Old Geezer at 6:49 PM on August 20, 2010

I agree with nuking it -- I had a Windows XP machine that got a very similar virus. It looked like the virus had changed a bunch of entries in the registry and moved around some Windows system files so that running most programs wouldn't work. I don't think I could even run CMD.

I paid a computer shop to remove it; a week or so later the virus was back so I gave up and switched that machine to Ubuntu.
posted by Several Unnamed Sources at 6:54 PM on August 20, 2010 [1 favorite]

Test this out first - does a new clean account exhibit the same symptoms? If not, the malware didn't get into the actual OS but is hiding out in the infected account.

If it was a limited rights account (can't install software or change settings without an Admin password), then back up whatever you need out of the infected account, and delete the profile as an administrator. Create a new limited rights user account and the malware may be gone.
posted by benzenedream at 6:57 PM on August 20, 2010

make sure you've updated the malware definitions, even if you have to do this on another computer and import it with a jump drive. That's what I had to do to get rid of some security suite that got on my son's computer. This is the page I used to get rid of it - pretty easy once I had updated malware definitions.
posted by lemniskate at 7:06 PM on August 20, 2010

I'm going to agree with the "Nuke it" crowd. Don't waste your time trying to get rid of the infection(s). It's only going to leave you frustrated with a PC that is still infected.

Be careful, however, that you don't inadvertently infect the clean install when you move your files over. I would use something like Hiren's Boot CD to scan the files you're going to transfer
posted by Capa at 7:29 PM on August 20, 2010 [1 favorite]

Our Vista32 laptop picked that up in one account from a drive-by.

Getting rid of it was pretty simple, if time consuming. All we had to do was log in to the admin account, install MS Security Essentials and allow it to update, and then run a full system scan.

IIRC, that was it. At worst, we may have had to manually go into internet-settings and turn off the proxy it set too.

What exactly are the problems you're having?

Can you just not get onto the internet?

Can you not run firefox? If so, can you run other executables? When I was looking for answers, people were saying that rkill + this malware could interact so that you can't run executables, but that there are fixes for that.

Is the malware continuing to pop up its fake DANGER WILL ROBINSON windows?
posted by ROU_Xenophobe at 7:33 PM on August 20, 2010

Rather than nuking, I've found that removing the main drive, putting it in an external drive enclosure and scanning the drive from another computer is a very reliable way of cleaning out stubborn infections.
posted by randomstriker at 7:33 PM on August 20, 2010

randomstriker: bad plan! bad plan! Some viruses can infect the drive in such a way that accessing it from a machine which is vulnerable to the same exploit (the same OS, for example) is enough to infect the new machine. This happens constantly with USB drives in educational environments.
posted by sonic meat machine at 7:40 PM on August 20, 2010

I really disagree with the "nuke it" brigade. You can always nuke it in a couple-few days, and what with it being a spare machine you don't need to be in a big hurry..

In the end, all I had to do was install MSSE from an unaffected account and let it chew on the machine overnight. Not a big deal.

Even if that doesn't work, it makes more sense to delete the offending account and see what that does before nuking the entire system.
posted by ROU_Xenophobe at 7:45 PM on August 20, 2010

Response by poster: @ROU It has about four Danger Will Robinson pop-ups and the PUT ON PROTECTION prompts. Simple solitaire games and such are playable, but programs such as Office and anything haiving to do with internet FF or IE are blocked by pop-ups and offers to install a new malware fix.

We can (and have) import certain malware fixes by importing from a clean computer via DVD, but we just tried Spybot and it is blocked by the virus.
posted by Old Geezer at 7:50 PM on August 20, 2010

If you can, reboot in safe mode with networking by hitting f8 while restarting. Run Malware Bytes while in safe mode. You can often get around the warnings that malware puts up by renaming programs before running them.
posted by advicepig at 7:59 PM on August 20, 2010

I disinfect probably 20 computers a week. No need to go with the nuclear option straight away.

Try this:

Turn system restore/protection off.

Run Malwarebytes.

Download Combofix from (not anywhere else). Save it to the desktop -- change the file name to something (say, fixit) when saving it. Run Combofix from the desktop. Combofix may go for several minutes at a time without seeming like it's doing anything, and it may reboot your computer.

Run Malwarebytes one more time to be sure.

If that doesn't do it, then you could resort to the nuclear option or have someone take a more careful look at the computer who knows what they're doing. 'Cuz if the above method doesn't work, you either have a particularly nasty (well, at least rare) rootkit or (very unlikely) virut.
posted by GnomeChompsky at 8:29 PM on August 20, 2010 [4 favorites]

Oh, and sorry -- as someone mentioned, run Malwarebytes first in safe mode if you can't get it to run in normal mode.
posted by GnomeChompsky at 8:31 PM on August 20, 2010

There are a few antivirus programs that come with boot disks. Kaspersky is one I found a free version of, it boots into a stripped down Linux and then downloads new virus definitions. A Ubuntu live CD can work for this too- boot into Ubuntu and install an antivirus package (AVG, probably) and scan.

When it comes down to it, do whatever you think will cause less stress... at a certain point, back up, DBAN and reinstall is the least bad option. Oh, but virus check the backup. I got a virus that installed itself in all the HTML files on my system by sticking an iframe into them all.
posted by BungaDunga at 10:50 PM on August 20, 2010 [1 favorite]

reload the OS, easiest, fastest, and best way
posted by fifilaru at 11:13 PM on August 20, 2010

Old Geezer: "...we just tried Spybot and it is blocked by the virus."

You'll have to run it in safe mode. When my wife's mom got it, it wouldn't update at all from safe mode, so make sure it's up to date.
posted by theichibun at 5:30 AM on August 21, 2010

I removed this virus by removing the infected files and editing the registry manually. However, if you don't feel up to that, try following these (lengthy) instructions.
posted by Roger Dodger at 6:22 AM on August 21, 2010

Response by poster: Just to clarify, we've been doing all of our work on this problem in safe mode. Nothing functions at all unless in safe mode.
posted by Old Geezer at 7:21 AM on August 21, 2010

Best answer: I'm not sure if this will work, since it sounds like you've gotten yourself in a fairly sticky situation. If you don't have anything on the computer that you need to save, you might be better off formatting your drives and re-installing everything from scratch, as others have said.

But, here's something else to try:
  1. My own suggestion, so take this with a grain of salt (it helped me in a particularly tricky situation, but I've never seen anyone else suggest this): Use system restore to restore back to the earliest restore point you have. Weeks ago, if possible. This sounds counter-intuitive, since it is going to restore some of the spyware you've already removed, but it might possibly get you back to the point before the spyware completely took over. In the tricky spyware situation I mention above, I wasn't able to log into Windows until I did this.
  2. Go here to the Major Geek's Malware Removal Guide and follow ALL of the instructions. All of them. Pay close attention to the instructions on how to install and run each individual program, as there are special settings for many of them. I'd run the programs in safe mode, though I'm not entirely sure if it's necessary. Some of the programs they suggest are ones you've already tried, but some are not, and it can't hurt to do some of the work twice, especially if you've used system restore and you're restored some of what you've already removed.
  3. If you've gone through the entire Malware Removal Guide and you are still infected, read the "Yes, I’m still having problems" part of the removal guide, and post to the Major Geeks forums with logs attached. They have a lot of experience helping people with major spyware issues.
  4. If you DO think you've cleared out all of the spyware, remember to toggle System Restore after you've cleaned everything out. You don't want to restore the spyware back accidentally. There are instructions for this in the Major Geeks guide.
Seconding ComboFix; ComboFix and Malwarebytes together have beat many a spyware invasion for me. ComboFix is in the removal guide linked above.

You also have the option of posting straight to the forum with logs, but they may ask you to run the Removal Guide first if you do that.

(Or you could save yourself a lot of time and just nuke your computer.)

Good luck!
posted by anthy at 8:13 AM on August 21, 2010 [1 favorite]

I run into this one quite a bit at work. This particular one hides in the profile area, such as:

c:\documents and settings\username\local data\
c:\documents and settings\username\application data\
c:\documents and settings\all users\application data\

You may see it hiding inside of a suspicious looking jumble of letters of a folder..make sure you're also looking at hidden or system files.

The easiest way to remove these kinds of nusiances is to boot off of another media, like your windows installation CD (recovery console). Or if you have access to another PC, you can make a BartPE or UBCD4WIN cd that'll give you a graphical environment.

If Safemode is working however, get into those profile folders and look around. You can also run msconfig from your Start/Run to look at startup items.

These bugs usually don't come'll also want to open a CMD prompt and do the following commands:

dir/od/a c:\windows\system32
dir/od/a c:\windows\system32\drivers

These will list all the files in these folders, ordered by date (oldest to newest). If you see something suspicious and recent, you can try moving it out of that folder into a quarantine folder temporarily.
posted by samsara at 1:40 PM on August 21, 2010

Response by poster: We spent a little over half a day with Major Geek and, while Root Repeal froze the computer, everything else seems to have worked. Thanks everybody for your input and suggestions.
posted by Old Geezer at 3:44 PM on August 21, 2010

Make a rescue cd. I like ubcd. It allows you to get to files that are otherwise unavailable, and you can run the antivirus tools from it.
posted by theora55 at 10:21 AM on August 22, 2010

« Older Taking AdWords personally?   |   How to list GPA on applications Newer »
This thread is closed to new comments.