# Virus removal help



## AquaNekoMobile (Feb 26, 2010)

I was just checking out some B/S/T when this program popped up saying 'XP TOTAL SECURITY'. It looked very winxp themed so I was thinking it may have been a M$ program, but then again I do not remember ever installing that program.

I was just looking at Igor's shrimp thread when that happened suddenly. I've seen fake virus scans online before as HTMLs looking like a program window scanning and just closed them, but this one is in the icon tray and I can't get rid of it. I can't open IE and it is just barely letting Firefox work. I'm in no way saying Igor's thread or his latest shrimp video infected the box, FYI. The icon tray suddenly said 'firewall something alert' so I checked why the Windows Firewall was off, and when trying to enable it and the antivirus alert in the same window it would not allow me to turn the Windows Firewall back on, and that's when the pop ups started.

It happened so quickly with the pop up scans and I do not remember clicking anything to consent to the scans. Yes, I know it is malware and am asking for help from the community on how to remove this problem.

My default anti-virus is Norton and a quick search on Firefox found a site that said that this malware avoided Norton. Please help. Looking for help with legit sites if there are any virus removal programs. Oh yes, I do have Ad-Aware on the box that has the problem and a scan about a week ago came back clean. I did download that off the maker's site (Lavasoft).

Hoping for a quick fix program.


----------



## AquaNekoMobile (Feb 26, 2010)

On winxp pro box here.


----------



## qwerty (Dec 15, 2009)

Something geared more specifically towards spyware/adware should do the trick.

Spybot Search & Destroy is a popular one.

I think AdAware is another popular one.

Google "spyware removal scan" or similar keywords. There's dozens of programs out there and they're all free as far as I know.

Some freeware antivirus or scanner tools may present warnings with Norton, or other anti-virus software asking you to remove them. To my knowledge nobody has reported any compatibility issues with basic scan and removal tools. Other features like Spybot S&D's 'TeaTimer' may however pose some issues if you install and enable it. It's always a good idea to do a quick google for any known compatibility issues when installing security-related software.

It's also a good idea to google the malware that's found to understand more about it, where it might have come from, what sort of data it may have been collecting, whether it's commonly reported along with other viruses, etc.

Also, you may have unintentionally agreed to install this malware when installing another program. Most people don't read the end-user license agreements when installing software so it's not uncommon for software you've downloaded online to contain a line or two in the agreement that says you agree to install packages of adware, etc in exchange for free use of the program.

Good luck!


----------



## AquaNekoMobile (Feb 26, 2010)

AdAware was installed months ago. I did update the definitions recently but it won't run/open on the downed box right now. When I try to run it, the malware pops up doing its fake anti-v scan window and alerts.

Malwarebytes won't install. I changed the .exe name to 'iexplore' and 'winlogin' but it won't run the install file that I copied off of a USB drive.


----------



## Y2KGT (Jul 20, 2009)

Your best bet is System Restore. Just choose a restore point date when you know your computer was clean.

Click Start->Programs->Accessories->System Tools->System Restore
--
Paul


----------



## qwerty (Dec 15, 2009)

Have you tried booting up in safe mode to run the scan?

Sounds like whatever you've got may be trying to prevent you from detecting and removing it.

Also might be worth checking the icon that you're clicking to launch AdAware just to make sure it hasn't been redirected to launch the malware.

When I have a problem like this, I normally just do a restore and don't bother worrying about it too much. Of course we don't always keep backups like we should, and sometimes we have things we just can't afford to lose.


----------



## bedpan (Jan 13, 2009)

Download SUPERAntiSpyware and Malwarebytes. Install, update and run both. Full scans. This should clean everything up. I recommend running each twice just to be sure.

The previous suggestion of System Restore is good, but this will leave crap still in non-system locations. Just be sure to still run the above.


----------



## qwerty (Dec 15, 2009)

He can't install it, or run a scan because the malware screen just loads up instead...

Booting in safe mode will run with the bare minimal components and drivers running and nothing else, so you should be able to perform the scan without the malware running in the background to interfere.


----------



## dr3167 (Feb 18, 2011)

If safe mode or System Restore doesn't work, you may need to format/reinstall. Another reason to make sure your critical files are backed up and/or stored on an external drive.

PS I hate computers.


----------



## AquaNekoMobile (Feb 26, 2010)

I ran rkill.exe which I got off bleepingcomputer, which killed any processes. I did not go into safe mode. After I rkill'ed, Malwarebytes was able to install. I enabled wifi again (disabled when I found this problem) and installed it. Updated Malwarebytes when I found wifi. It has been scanning for about 1.5hrs now. Supposedly after the Malwarebytes scan deletes all the malware files the box would be clean then. I may scan again in safe mode when I charge the batteries on my mate's box.

I can't find the ghost image cd or I'd go that route but if it gets that bad I normally extract the data and fdisk myself and drop a fresh os install. 

I normally check to make sure the utilities like malwarebytes or adaware or act or avast are the correct websites by googling the name and the word 'wiki' and click on the homepage link in the wiki so I know I'm getting the program from the source.


----------



## qwerty (Dec 15, 2009)

> I normally check to make sure the utilities like malwarebytes or adaware or act or avast are the correct websites by googling the name and the word 'wiki' and click on the homepage link in the wiki so I know I'm getting the program from the source.


I'm not sure if that's in reference to my comment about checking the shortcut you were using to make sure it wasn't redirected.

If so, what I meant was that some malware will redirect all the shortcut icons in your start > programs, or on your desktop, etc.

So when you think you're double-clicking the desktop icon to start norton, instead of launching Norton.exe, it's actually launching Malware.exe so the more you try to get your antivirus to open, the more instances of the malware you start running.


----------



## AquaNekoMobile (Feb 26, 2010)

2H 43M 55S on the scan. 9 files infected. All but one file was removed. The reason it could not be removed, according to Malwarebytes, is because that one was in memory.

Well, the program says to reboot after the scan so I'm waiting for the reboot right now. Thank goddess I locked and loaded a 9-cell in before doing the scan. Hope that malware is removed.


----------



## george (Apr 11, 2009)

What I also have handy is a live CD which has about 7 or 8 antispyware and malware programs including Search & Destroy and Malwarebytes.

Look into it. It's a gem in the dust. If you actually find the gem, HALF IS MINE


----------



## AquaNeko (Jul 26, 2009)

Ok, home now, just did a scan in safe mode (safe mode only, no network support/etc) with Malwarebytes. This time it shows 0 files infected (last time all files except one were removed. That one was in memory then).

After a reboot and going into normal boot up mode I was now able to enable the Windows firewall and Windows anti-virus monitor. I tried to run Ad-Aware but it won't do any definition updates. It just sits and hangs. I went to Ad-Aware's website and downloaded a new copy of the free software. I uninstalled the older version (a couple months old) then rebooted, installed the new version, rebooted, then ran the new version of Ad-Aware. Once again it would not do any web updates.

I also was going to be doing the M$ Windows update for WinXP for any security patches and such. I have WinXP SP3. When I was using IE v8.0.6001 the windows update site did not load up. Curious, I did a google for the 'microsoft windows update' and clicked on the M$ site. It did not load the site. It came up with the 'diagnose problem' page like if you're not getting a connection. Curious again I went back to google and decided to check the 'cached' page 

-edit-
will finish reply after dinner


----------



## george (Apr 11, 2009)

Have you also tried Search & Destroy?

Here's the link: http://www.safer-networking.org/en/index.html


----------



## qwerty (Dec 15, 2009)

If you're using Norton Anti-virus and Norton Firewall, you don't need to be running Windows firewall. Running multiple firewalls and anti-virus packages can create incompatibility issues which may compromise the performance of the software.

For what it's worth all major anti-virus companies share information and databases with each other, so most software by reputable companies is more or less the same as far as that's concerned, so there's really no point in running multiples.

My first guess would be that Windows firewall is blocking your connections.

Easy way to test this is to shut it off and try loading the page. If the page still won't load, that rules out that possibility.

Furthermore, it may be a good idea to run a registry cleaner as well, since you had some malware which could have changed some things around.


----------



## bedpan (Jan 13, 2009)

Last couple of these infections I have dealt with have also dumped a whack of entries in the HOSTS file. These will redirect sites like Google, Windows Update, AV sites etc...

The hosts file is located (assuming default install paths and no funky setups): C:\Windows\System32\drivers\etc

View the hosts file. You should see every line with just a # mark and some text. If you see entries like
127.0.0.1 google.com
(without the #) you will need to remove them...
Or just rename the hosts file and reboot... See if it fixes it..

Again this is assuming default setups..

Good luck
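As an added example (not code from the thread), a small Python audit of a hosts file along the lines bedpan describes: it skips comment lines, reports every active mapping that is not the stock localhost entry, and flags as HIGH any mapping that touches a search, Windows Update or AV vendor domain. The sample hosts content, the watch-list and the domain names in it are constructed for the example.

```python
import ipaddress

# Mappings a stock Windows hosts file contains; everything else is worth a look.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed watch-list: domains rogue AV typically sinkholes (search, update and vendor sites).
WATCHED = ("google.com", "microsoft.com", "windowsupdate.com", "symantec.com",
           "lavasoft.com", "malwarebytes.org", "safer-networking.org")

# Constructed sample: a default XP hosts file with lines appended by an infection.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1 google.com
127.0.0.1 www.google.com
127.0.0.1 update.microsoft.com   # appended by the infection
10.0.0.5 intranet.example
"""

def parse_hosts(text):
    """Return (line_no, ip, hostname) for every active mapping; comments and junk are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop inline comments, then tokenize
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                               # not an address; the resolver ignores it too
        entries.extend((line_no, ip, n.lower()) for n in names)
    return entries

def suspicious_entries(text):
    """Flag non-default mappings; HIGH when they touch a watched security/update domain."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        watched = any(name == d or name.endswith("." + d) for d in WATCHED)
        findings.append((line_no, ip, name, "HIGH" if watched else "INFO"))
    return findings

if __name__ == "__main__":
    import sys
    # Pass the real file (C:\Windows\System32\drivers\etc\hosts) as argv[1]; otherwise the sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    for line_no, ip, name, severity in suspicious_entries(text):
        print(f"{severity:4} line {line_no}: {name} -> {ip}")
```

An INFO entry may be a legitimate intranet mapping; a HIGH entry pointing a vendor or update site at 127.0.0.1 is the redirect described above and explains why updates and vendor pages fail to load.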


----------



## Web Wheeler (May 13, 2006)

Malware removal has become a very complicated subject. Disinfecting an infected computer can become very complicated because of scareware:

http://www.microsoft.com/security/pc-security/antivirus-rogue.aspx

Free virus removal software that is itself a trojan:

http://deletemalware.blogspot.com/2010/10/how-to-remove-smart-engine-malware.html

http://www.howtogeek.com/howto/8693...s-live-and-other-roguefake-antivirus-malware/

And rootkits:

http://www.vanish.org/security/rootkits.htm

And, the fact that malware authors frequently test their creations on name brand virus removal software before releasing them into the wild:



> However, the actual reason why the top selling antivirus applications don't work is because malware authors are specifically testing their Trojans and viruses to make sure they can bypass these applications before releasing them in the wild.
> 
> Source: http://www.zdnet.com.au/why-popular-antivirus-apps-do-not-work-139264249.htm


If all this is very alarming, it should be!

In my opinion, THE BEST AND EASIEST WAY TO REMOVE MALWARE IS TO DO A COMPLETE RE-INSTALL OF YOUR OPERATING SYSTEM, INCLUDING RE-PARTITIONING OF YOUR HARD DISKS BY DELETING ALL PARTITIONS AND RECREATING THEM.

Unfortunately, because many people fail to do proper backups, a reinstall of the operating system becomes a nightmare.

But, here are a few things you might consider investigating, which may have something to do with why you cannot update your software:

1. http://malwareremoval.com/forum/viewtopic.php?t=22187
2. check your firewall and tcp/ip connection, which some viruses manipulate

EVEN IF YOU THINK YOU HAVE COMPLETELY LIBERATED YOURSELF FROM MALWARE, READ THIS:

http://en.wikipedia.org/wiki/Malware


----------

