
Viruses Galore, Where to Next?

December454

38 months ago

I just got a used Sony Vaio VPCSB and am in the process of cleaning it up. It seems its previous owners had never heard of antivirus (or at least antivirus that isn't malicious in itself) because this has to be the most virus-infected machine that I have ever seen. I am greeted by a hail of pop-ups when I boot up, and its browser is teeming with toolbars and PC security ads. I am running Malwarebytes as I type this, but I know that won't catch everything.

Any suggestions on what to do afterwards? Any comments are appreciated. Thanks.

Update: Just finished scanning memory and I am already well over 700 threats. This is going to be interesting.

Comments

  • 38 months ago
  • 2 points

An antivirus that isn't malicious in itself?

Do you have McAfee? Because that antivirus would sure let you down and get you to this point of trouble.

(Just keep in mind that you should not download any of these tools from a download site like CNET, Softonic, Download[dot]com, or FileHippo. BleepingComputer and the manufacturer's site are fine though.)

First, you will want to download and run RKill, which will kill / terminate known malicious processes so they don't interfere with your scans. Don't restart after running RKill. If you need to restart your computer at some point, you will need to run RKill again upon rebooting.

You will want to enable rootkit scanning in Malwarebytes and run a Custom Scan with everything checked (more thorough than the Threat Scan). However, you'll want to run Malwarebytes Chameleon scan first which is restricted to a Threat Scan.

Then download and run Hitman Pro and run a full scan using cloud and heuristic signatures from Kaspersky and BitDefender (which are BTW the highest scoring antivirus suites). You can have tracking cookie detection enabled if you want but tracking cookies certainly aren't the worst malware currently on your computer.

After that, download and run the latest version of RogueKiller and run a scan.

In addition, you may want to download and run AdwCleaner, which will detect and remove adware; however, adware is clearly not the most significant problem you have, though removing it will still help.

After everything, let me know which antivirus you're using and I can let you know if you should replace it to help lower the risk of a similar incident happening again in the future.

Hope this helps.

  • 38 months ago
  • 1 point

Okay, I'll look into what you suggested. I am trying to pretty much delete every program that isn't essential right now, so I will try those out in a bit.

Malwarebytes finished the basic scan with 7003 threats, but I don't know what all deleting them did.

Thanks for the help.

And no, I don't have McAfee.

  • 38 months ago
  • 1 point

Malwarebytes finished the basic scan with 7003 threats, but I don't know what all deleting them did.

Well, you should probably run RKill and then boot Malwarebytes Chameleon which will run a Threat Scan. After that, you can run the full, Custom Scan outside of Malwarebytes Chameleon.

And no, I don't have McAfee.

Then you have a rogue antivirus. You can also use Kaspersky TDSSKiller as a follow up scan although it probably won't detect anything since Hitman Pro already includes Kaspersky signatures. With AdwCleaner you'll want to open Tools > Options and check everything under Delete. Junkware Removal Tool is another tool you can use - while it doesn't ask you for permission to delete files, IMO this level of infection warrants its use.

Also it's worth noting that it's general security practice to rerun any and all scans that have detected something. For example, you should rerun Malwarebytes Anti-Malware to double check and confirm that it successfully removed everything it detected (especially with 7003 detections).

If all else fails, you should completely reformat your drive and reinstall your operating system. Note that at this level of infection I wouldn't exactly be too surprised if you have malware that can survive a reformat.

  • 38 months ago
  • 1 point

Okay I have been tinkering around a bit trying to fix some other issues and am still running into some problems. Last night I finished up that simple Malwarebytes scan and deleted 7003 threats. After that though I started having some strange issues. I would constantly get error messages saying "bad image", after some random file name. This made the computer nearly unusable and somehow also kept me from using the Internet, so I have been trying to fix that most of this morning. Just by doing some disk checks and running Windows defender a few times, I seemed to have fixed most of the error messages, but a few remain. Now that it is more usable I will do what you said since there are definitely still some unwanted things on this computer, around 2gigs of RAM at idle. It seems to be coming along though, thanks for the help.

  • 38 months ago
  • 1 point

Last night I finished up that simple Malwarebytes scan and deleted 7003 threats. After that though I started having some strange issues. I would constantly get error messages saying "bad image", after some random file name. This made the computer nearly unusable and somehow also kept me from using the Internet, so I have been trying to fix that most of this morning.

Malware / adware frequently tampers with your DNS so when it is removed your Internet connection goes out. I'm not really surprised given the severity of infections. You can actually restore your internet connection

Just by doing some disk checks and running Windows defender a few times, I seemed to have fixed most of the error messages, but a few remain. Now that it is more usable I will do what you said since there are definitely still some unwanted things on this computer, around 2gigs of RAM at idle. It seems to be coming along though, thanks for the help.

Not sure how Windows Defender would help as it has much lower detection rates than Malwarebytes or any decent antivirus. You may want to boot into Safe Mode (w/ or w/out networking), run RKill, and then run Chameleon. 2 GB of RAM at idle isn't bad.

  • 38 months ago
  • 1 point

My internet is working now, but it is somewhat strange. Both Internet Explorer and Google Chrome, which were both already on the computer, refused to run after the scan, but I ended up getting Firefox via a USB flash drive and now it works fine.

I ran RKill and it found nothing. Chameleon works but Malwarebytes can't access its servers to update, nor can it download the rootkit drivers to scan them. I reinstalled it, but nothing happened.

If it truly is in unrecoverable shape, could it survive DBAN? I could just pick up a cheap copy of Windows 7 if need be.

  • 38 months ago
  • 3 points

As many have suggested already, you have 2 easy choices:

  1. High level reformat (DBAN would be an example). 99.9% this will work. It is possible for a highly sophisticated virus to overwrite the HDD firmware and survive, but these are viruses designed to infiltrate actually valuable networks (think government or huge companies); they don't care about any average Joes. You can attempt to rewrite the factory firmware to check, but it's difficult to be 100% certain.

  2. Buy a new HDD. 300 GB 2.5" drives can be found for ~$30. Personally I'd put down $30 just to get the mess over with any day. Beats spending hours scanning for viruses. You should still be able to use the key on the laptop to reinstall that version of windows with an iso.

Then again, there are actually viruses that can infect the GPU bios... so everyone get out your tinfoil hats and burn all da kompooterz!!!

  • 38 months ago
  • 1 point

While your suggestion and many others would have definitely saved me the hassle, I was able to get it running with the steps LemonComputers posted originally. Many scans and deletions later, everything is working fine. I really think I got lucky with this, as perhaps this infection was more quantity over quality, if you will.

No matter what though thank you for the comment.

  • 38 months ago
  • 1 point

My internet is working now, but it is somewhat strange. Both Internet Explorer and Google Chrome, which were both already on the computer, refused to run after the scan, but I ended up getting Firefox via a USB flash drive and now it works fine.

You should completely uninstall and reinstall Google Chrome as it is probably corrupted after being put through this. Speaking of Chrome you can also run Google's Chrome Cleanup Tool. It doesn't have anywhere near as high detections as Malwarebytes but it wouldn't hurt.

I ran RKill and it found nothing. Chameleon works but Malwarebytes can't access its servers to update, nor can it download the rootkit drivers to scan them. I reinstalled it, but nothing happened.

And this is after you followed the instructions to restore your internet access? You should check your HOSTS file (in Windows > System32 I believe) which may have been used by malware to blacklist Malwarebytes' update server preventing any updates from being downloaded and installed.

If it truly is in unrecoverable shape, could it survive DBAN? I could just pick up a cheap copy of Windows 7 if need be.

Potentially. If you have Equation Group malware then your HDD firmware is infected and would survive a reformat. However it's rather unlikely you have it. The Securelist/Kaspersky Lab article I linked provides more, interesting details about their discovery of the Equation Group malware.
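The HOSTS-file check suggested above, as an added example that is not part of the thread and not any vendor's tool: a small Python script that parses HOSTS-file text and flags entries that pin a security vendor's hostnames to a blackhole address (which would explain update failures) or send some other hostname to a different address entirely. The domain `example-av.test` and every line of the sample file are constructed placeholders, not a real vendor's update hosts; the Windows path is the real location of the file and is only read when the script is run directly.

```python
"""Flag HOSTS-file entries that could block security tool updates or redirect traffic.

Added example for this thread, not the thread's own code. The watched domain and
the sample file contents are constructed placeholders, not a real vendor's hosts.
"""
import ipaddress
from pathlib import Path

# Real location of the file on Windows; only used by the __main__ block below.
WINDOWS_HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Constructed sample: two stock localhost lines, two entries that blackhole a
# (placeholder) security vendor's update hosts, and one that redirects a site.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       updates.example-av.test      # placeholder vendor update host
0.0.0.0         definitions.example-av.test
203.0.113.7     www.example-bank.test
"""

# Placeholder domain standing in for a security vendor's update infrastructure.
WATCHED_DOMAINS = ("example-av.test",)


def parse_hosts(text):
    """Return (line_number, ip, hostname) tuples; comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line, not an entry
        for name in fields[1:]:                   # one IP may map several names
            entries.append((lineno, str(ip), name.lower()))
    return entries


def is_watched(hostname, watched):
    """True if hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def classify(ip_str):
    """Loopback / unspecified addresses silently drop the traffic; anything else redirects it."""
    ip = ipaddress.ip_address(ip_str)
    return "blackholed" if (ip.is_loopback or ip.is_unspecified) else "redirected"


def find_suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (line_number, ip, hostname, reason) for every entry worth a closer look.

    Non-watched names pinned to a blackhole address are left alone: that is how
    ad-blocking HOSTS lists work and is not evidence of tampering by itself.
    """
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name == "localhost":
            continue                              # the stock default mapping
        verdict = classify(ip)
        if is_watched(name, watched):
            findings.append((lineno, ip, name, f"security vendor host {verdict}"))
        elif verdict == "redirected":
            findings.append((lineno, ip, name, "host redirected to another address"))
    return findings


if __name__ == "__main__":
    # Scan the real file when it exists, otherwise the constructed sample.
    text = WINDOWS_HOSTS_PATH.read_text() if WINDOWS_HOSTS_PATH.exists() else SAMPLE_HOSTS
    for lineno, ip, name, reason in find_suspicious_entries(text):
        print(f"line {lineno}: {ip:<15} {name:<30} {reason}")
```

On the sample input the script reports lines 5 and 6 as a vendor host blackholed and line 7 as a redirect. On a real machine, replace `WATCHED_DOMAINS` with the hostnames the security tool in question actually contacts for updates, and treat any hit as a line to delete from the file before retrying the update.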

  • 38 months ago
  • 1 point

Okay, I'm sorry for the late reply, but I do believe your advice worked. It took a bit of troubleshooting, but after following the original steps you gave me, it seems to be working fine. Memory usage is still a bit high, ~1-1.5 gigabytes at idle however that seems to be normal. Thank you very much for the help.

  • 38 months ago
  • 1 point

The logical thing to do is reinstall windows. Do a clean installation.

  • 38 months ago
  • 1 point

With some effort and determination, that wasn't necessary. I got it up and running virus-free as is.

Thank you for the suggestion nonetheless.

  • 38 months ago
  • 1 point

:)

  • 38 months ago
  • 1 point

Don't even bother trying to clean it up. Get a new HDD; like Lemon Computers said, some malware can survive reformatting.

  • 38 months ago
  • 1 point

Get a new HDD; like Lemon Computers said, some malware can survive reformatting.

The Equation Group malware can survive reformatting, but I'm not aware of any other malware families that can also survive reformatting. Nevertheless, it would be a good idea to get a new HDD.

  • 38 months ago
  • 1 point

I think I got lucky. While this machine was definitely badly infected, I was able to get it working by following LemonComputers' original post.

Thank you for the comment, and I'm glad things didn't end up so poorly.

  • 38 months ago
  • 1 point

You were downvoted so upvoted back.

  • 38 months ago
  • 1 point

Huh, wonder who it was. Thanks.

  • 38 months ago
  • 1 point

Like some others have said, junk the hard drive and start over. If it's that bad, the hard drive may not be recoverable.

  • 38 months ago
  • 1 point

You can still salvage the internal mechanical components from inside the HDD including the extremely pristine platters, magnets, and valuable metals.

  • 38 months ago
  • 1 point

Okay, sure, but that's not what I meant. Haha.

  • 38 months ago
  • 1 point

Luckily the hard drive was fine, along with everything else. I was able to get the computer running smoothly by following LemonComputers' steps, no re-installation or replacement required.

Still, thank you for taking the time to comment.

  • 38 months ago
  • 1 point

Alright, sounds good to me. :D

  • 38 months ago
  • 1 point

I would just wipe the drive and go with a fresh install. Or you can start > run > msconfig > and disable startup apps and disable all non-Microsoft services. That may help. Then run Avast or whatever. Just not AVG because it sucks!

  • 38 months ago
  • 1 point

Just not AVG because it sucks!

Or McAfee.

[comment deleted]
  • 38 months ago
  • 5 points

This, a million times this. Rip out the old hard drive and burn it just to be sure.

Get a new drive and Reinstall the OS.

  • 38 months ago
  • 1 point

I believe that I got lucky. The computer did take a fair bit of work, but it seems to be working fine now.

  • 38 months ago
  • 1 point

See what atxon did, and do that.

  • 38 months ago
  • 1 point

What?

[comment deleted]
  • 38 months ago
  • 1 point

The only true way to solve the problem with 100% certainty.

[comment deleted]
  • 38 months ago
  • 1 point

Yes, unless this computer is some kind of project for you, like a home lab to practice cleaning techniques.

I would never trust a compromised installation again, especially to such a significant degree. Potentially not even the HDD itself depending on where you got it from, but drives are cheap so no harm in getting a new one. If the mobo itself is compromised... well ****, that's just impressive.

  • 38 months ago
  • 1 point

With a bit of work, everything seems to have worked out. The computer was cleaned of viruses and is now up and running.

Thanks for the suggestion though.

[comment deleted]
  • 38 months ago
  • 1 point

Yes, but it can only find malware in your memory and browsing history and is far from comprehensive. Other scans like Malwarebytes and Hitman Pro are much more comprehensive. Plus, as far as I know, the McAfee Security Scan Plus is just a marketing tool, and if it finds malware on your computer it'll want you to either install McAfee Antivirus, which is no good, or buy their Virus Removal Service, which sometimes tries to scam you / rip you off.

[comment deleted by staff]
  • 38 months ago
  • 1 point

Can you please provide proof?

a) There could have been false positives, as can happen with any security program, and
b) their definition of adware/PUP is likely different from yours, and you can't just call a program insane because it doesn't have exactly the same standards as you.

[comment deleted by staff]
  • 38 months ago
  • 1 point

Oh OK. I thought you were saying that it's insane because it detected adware on a "perfectly fine" computer.

[comment deleted by staff]
  • 38 months ago
  • 2 points

You still can't be sure at this level of infection given that there is reformat surviving (Equation Group) malware in existence.

[comment deleted by staff]
  • 38 months ago
  • 1 point

Wow, I mean it's a massive breach in privacy but I seriously have to applaud them on their technical skill alone. The people they hire for this group must be ******* geniuses.

  • 38 months ago
  • 1 point

Damn, that is some amazing hacking going on. Although, once you get the firmware reverse engineered for the hard drive, the rest should be a piece of cake.

I wonder if it could protect files from things like the Unix shred command, and if it does, how does it handle the overflow from diverting these writes without corrupting other files?

  • 38 months ago
  • 1 point

+1 for the Aliens reference.

  • 38 months ago
  • 1 point

Luckily, I don't believe that I will have to go to that extreme. Following LemonComputers' steps, I seem to have gotten things working.

Thanks anyway for the comment.

[comment deleted by staff]
[comment deleted by staff]
[comment deleted by staff]
