The "FBI" wants $200 from me.
January 30, 2013 10:41 AM

Can anyone help me with a malware problem in system 7, possibly related to a recent ransomware attack?

The attack hit me last week and totally shut down my computer. It also disabled my firewall and killed MSE and Malwarebytes. I was using MSE for real-time protection and reserving Malwarebytes for scans only. I managed to get my computer, a Lenovo Thinkpad T-61, running again by going to system restore in safe mode with networking. Then I re-installed both anti-virus programs, using my old XP machine, and ran scans that found nothing.

Everything seemed fine until yesterday, when I noticed some problems with browsing. I ran scans that, again, found no problems… but I was unable to access safe mode to run scans or to do a restore. Then I checked the firewall and found it disabled and refusing to re-start.

My next move was to download a trial version of Kaspersky, partly for the firewall that it has. Kaspersky found no problems on scan, but this morning as soon as I went online it caught two backdoor Trojans trying to install. It removed those, then did a rootkit scan and a full scan that turned up nothing.

That’s about it, except to say that I’m no computer guy, Windows 7 is new to me, I don’t have the installation discs for this computer, but I do have the product ID #. My cousin, a project manager in IT, picked up the machine when her company did their yearly upgrade. I dread the thought of having to resort to ComboFix, but I might be persuaded to give it a shot. I found a couple of Exploit. Drop. Gs. killers online but they seem to require access to safe mode. I wonder if those are any good and, if they are, might they work outside of safe mode.
posted by Huplescat to Computers & Internet
If your machine is well and truly infected (and it sounds like there are a couple of things going on there), the best thing to do is to wipe it, re-install from scratch and update it as quickly as possible.

If you don't have Windows CDs and don't want to buy them, you could probably install Ubuntu Linux on there with a minimum of hassle. If you're using the laptop for general-use stuff (surfing, mail, basic word processing), all of that and more will come for free.

Another option is to try to fix it with a bootable CD. You can download the image for the one from Kaspersky here. You'd boot the infected laptop with the CD, and use the tools on it to clean it off.
posted by jquinby at 10:53 AM on January 30, 2013

The above advice from jquinby is solid.

I'm making this post to warn you: though it is often advised in this situation, DO NOT USE THE MOST RECENT VERSION OF COMBOFIX, especially from a mirror site. Yesterday, it was discovered that the software package was compromised. The official mirror has taken the package offline, but it's still available from some third party mirrors. Do not trust them for the time being.
posted by BrandonW at 11:01 AM on January 30, 2013 [1 favorite]

I dealt with this exact problem and virus yesterday at work by following the instructions posted here on the Major Geeks forum:

Worked for me.
posted by infinitywaltz at 11:05 AM on January 30, 2013 [2 favorites]

Just for future reference, when us computer guys hear "system 7" we think of a very old Mac OS from the mid-90's, so you'll probably get better results using the term "Windows 7".
posted by tylerkaraszewski at 11:09 AM on January 30, 2013 [6 favorites]

Thanks, jquinby. I have the product ID # and also the product key. Will that allow me to download a fresh copy of 7 from Microsoft to a thumbdrive on my old XP machine? Can I wipe the new machine and re-install from a thumbdrive, or do I need to put it on a CD? I have accumulated next to no personal stuff on this laptop, so a re-install might be my best option.

Except for the ruined firewall and no access to safe mode the machine seems fine. But I’m still waiting for the other shoe to drop.
posted by Huplescat at 11:10 AM on January 30, 2013

Ruined firewall and no access to safe mode means it's time to nuke it from orbit. Those things are fundamentally not OK; those are only the symptoms you can see. Your computer is completely owned.

Since you have the product key, you can get a clean DVD image here and install from that.
posted by zjacreman at 11:13 AM on January 30, 2013
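The two symptoms zjacreman is reacting to (a firewall that will not start and a Safe Mode that cannot be entered) are both things an administrator can confirm directly rather than infer. The script below is an added triage check written for this page; it is not from any of the posters and not from any of the tools they mention. It assumes Windows 7 and an elevated PowerShell prompt, and it only reports the state of the firewall services and the SafeBoot registry keys. Findings like a disabled MpsSvc or a missing SafeBoot\Minimal key confirm tampering; a clean result here does not mean the machine is clean, because a rootkit can lie to anything that asks the running OS.

```powershell
# Added triage check (not part of the thread): confirm the two symptoms the
# poster describes, a Windows Firewall that refuses to start and Safe Mode
# that is no longer reachable. Assumes Windows 7, run as Administrator.

# 1. Windows Firewall service (MpsSvc) and the Base Filtering Engine (BFE)
#    it depends on. Malware that "kills the firewall" commonly stops them
#    and flips StartMode to Disabled so they stay down after a reboot.
foreach ($name in 'MpsSvc', 'BFE') {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($svc) {
        "{0,-6} State={1,-8} StartMode={2}" -f $svc.Name, $svc.State, $svc.StartMode
    } else {
        # The service entry itself has been removed; this alone is a red flag.
        "{0,-6} service entry MISSING" -f $name
    }
}

# 2. Safe Mode boot lists. Windows reads these keys to decide which drivers
#    and services to load in Safe Mode. If a key is deleted or emptied, the
#    machine cannot boot into that Safe Mode variant at all.
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
foreach ($mode in 'Minimal', 'Network') {
    $path = Join-Path $safeBoot $mode
    if (Test-Path $path) {
        $count = @(Get-ChildItem $path).Count
        # A healthy install lists many entries here; zero is as bad as missing.
        "SafeBoot\{0}: {1} entries" -f $mode, $count
    } else {
        "SafeBoot\{0}: MISSING" -f $mode
    }
}
```

If either check comes back bad, do not try to repair the keys or re-enable the services by hand and call it fixed: the thing that removed them is still resident, and the answers above (reinstall from known-good media, or at least clean from a boot CD that does not run the infected OS) remain the right response.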

Zjacreman, my XP machine can’t write to DVD, only CD. Would it be safe to use the infected PC to get that on DVD? I take it a regular CD isn’t “bootable”?
posted by Huplescat at 11:22 AM on January 30, 2013

Do you have a CD burner on your older XP machine? If you can burn the CD or DVD image from zjacreman's link to a disc, your product key will get it activated/licensed.

To make it work with a USB drive, you will probably need to make that thumbdrive bootable. It looks like there's a tool for that very purpose here.

So: download the image and use that widget to transfer the ISO to your thumbdrive. If your laptop allows booting from USB, you'll be home free.
posted by jquinby at 11:23 AM on January 30, 2013

...and it's asking for a DVD (instead of a CD) because the windows distributions have gotten too large to fit on a regular ol' CD. Make sure your thumbdrive is large enough to hold it, something larger than 2G.
posted by jquinby at 11:25 AM on January 30, 2013

jquinby, my cousin gave me this computer as a Christmas present. No manual came with it, but I might be able to google that, thanks.
posted by Huplescat at 11:27 AM on January 30, 2013

Huplescat: "No manual came with it, but I might be able to google that, thanks."

You may have to enable it in the BIOS, but you should be good to go.
posted by jquinby at 11:29 AM on January 30, 2013

As far as I know, after I do a re-install I won’t have the drivers that I need for this machine. Can I just look at my system, write down what I need, and then find them on line with my old computer?
posted by Huplescat at 11:55 AM on January 30, 2013

There's a good chance Windows will already have what it needs, especially if the machine is a few years old. I imagine Windows 7 will attempt to download what it can (in the same way XP used to). If that doesn't work, you may need to manually download drivers for hardware after you're up and running, but you should only have to do that if you've got hardware that's super-old, super-new or strange/out in left field.
posted by jquinby at 12:09 PM on January 30, 2013

Consult the instructions in this profile. Deezil is wise.
posted by EmpressCallipygos at 12:50 PM on January 30, 2013 [1 favorite]

Drivers are easy: get Double Driver and back up all non-Microsoft drivers. Then when you reinstall, if you have a missing driver, point Windows to that directory (which you copied onto a USB stick) and tell it to find the drivers there. Works like magic.
posted by defcom1 at 1:34 PM on January 30, 2013 [1 favorite]

I’m going to consider this resolved, even though it’s hard to do that with a nasty rootkit issue. As of about two weeks ago I have had no apparent problems. Ten days ago I made an internet purchase and gave my credit card information. I’ve also done online banking since then. There has been no unusual activity in either account.

I favorited everyone who offered good advice, and I thank them all, but I tried the easiest to implement first… and it worked. That came from EmpressCallipygos with her link to Deezil’s guide.

I went straight to Deezil’s RootKitRemover and it took out a Zero Access Rootkit. After that I was able to do a system restore. That got back Safe Mode. Then I did full safe mode scans with both Malwarebytes and Kaspersky. Malwarebytes found two Zero Access Trojans and Kaspersky found one. After that, I ran Deezil’s other tools and came up clean.

I guess I owe Deezil a beer.
posted by Huplescat at 1:22 PM on February 17, 2013
