Malware Infection

  kwil2 15:13 23 Feb 2012

I'd appreciate any advice on the following malware problem. My girlfriend's computer was 'hijacked' a couple of days ago by some malware which claimed to have 'locked' the computer and demanded payment for 'unlocking'. It was obviously a scam, though it looked 'official', stating her IP address and location (both wrong, by the way!). When she tried going on the internet, the malware webpage appeared again, taking up the whole screen and allowing no other access, only a hyperlink to 'payment'. She's running Windows 7 Home and uses mostly Firefox for web access. I loaded Spyware Blaster, Malwarebytes and Avast antivirus for her some time ago and she updates these religiously as well as running regular scans (I've taught her well!). However, and this may be just coincidence, this malware hijack happened a very short time after a Windows Update.

I noticed the malware had slipped an entry into 'msconfig' startup. It was showing a row of numbers with an 'exe' extension. So that would explain why it kicked in each time. I tried unticking the entry then rebooting. I saw it remained unticked in 'msconfig', though still there in the list as unchecked. Logging on to the web, the malware page again reappeared. Checking 'msconfig', I noticed it had simply placed another 'number' entry with 'exe' extension.

Here's what I did to 'cure' the problem, so far working, but I'm still unsure whether I could or should do more to prevent this happening again to her.

1. I unplugged her router.
2. Using 'CCleaner' > Tools > Startup, I removed the offending entries.
3. I then manually flushed the DNS cache via 'Command Prompt' > Run As Administrator, typing 'ipconfig /flushdns'.
4. I then did an 'sfc' scan of her hard drive: as above + 'sfc /scannow'. This showed no problem.
5. I also cleared out her Windows > Prefetch folder.
6. I then ran a full Avast and Malwarebytes scan of the system. Nothing was flagged.

Though I'm aware malware can possibly infect System Restore, I decided to roll back her system to a month ago. Thankfully, with my encouragement, she'd already set up daily system image + restore backups! I then ran scans of the new restore: nothing amiss. The computer's been running perfectly since; the malware appears to have gone. However, I'd welcome any comment on the above, any steps I should have taken and other advice or software to include for future prevention. Many thanks

  Terry Brown 15:57 23 Feb 2012

Have a look in the Control panel under Scheduled tasks, it may be in there to start at start up.
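
The locations mentioned in these two posts (msconfig's Startup tab, which reads the registry Run keys and Startup folders, and the Task Scheduler) can be checked from one elevated PowerShell prompt. The script below is an added example, not something posted in this thread. It assumes Windows 7 with PowerShell 2.0 or later (so it uses schtasks.exe rather than Get-ScheduledTask, which only exists on Windows 8 and later), an English locale for the schtasks column names, and that the "row of numbers with an .exe extension" kwil2 saw is the thing to look for; the Temp/AppData rule is a common heuristic added here, not a signature. Note that unticking an item in msconfig does not delete it, msconfig moves it under the startupreg key listed below, which is why the script reads that key too.

```powershell
# Added example, not code from the thread. Enumerates common Windows 7
# autostart locations and flags entries that look like the one described
# above. Run from an elevated (Run as administrator) PowerShell prompt.

function Get-AutostartEntries {
    $entries = @()

    # Registry Run/RunOnce keys (32-bit view included on 64-bit Windows)
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            $entries += New-Object PSObject -Property @{
                Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }

    # Items unticked in msconfig are not deleted; msconfig parks them here.
    $disabledKey = 'HKLM:\Software\Microsoft\Shared Tools\MSConfig\startupreg'
    if (Test-Path $disabledKey) {
        foreach ($sub in Get-ChildItem -Path $disabledKey) {
            $cmd = (Get-ItemProperty -Path $sub.PSPath).command
            $entries += New-Object PSObject -Property @{
                Source = 'msconfig (unticked)'; Name = $sub.PSChildName; Command = [string]$cmd }
        }
    }

    # Startup folders for the current user and for all users
    $startupDirs = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    )
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in Get-ChildItem -Path $dir -Force) {
            $entries += New-Object PSObject -Property @{
                Source = $dir; Name = $f.Name; Command = $f.FullName }
        }
    }

    # Scheduled tasks via schtasks.exe (English column names assumed).
    $tasks = schtasks.exe /query /v /fo CSV | ConvertFrom-Csv
    foreach ($t in $tasks) {
        # schtasks repeats its header row per task folder; skip those and any non-CSV lines
        if (-not $t.TaskName -or $t.TaskName -eq 'TaskName') { continue }
        $entries += New-Object PSObject -Property @{
            Source = 'Scheduled task'; Name = $t.TaskName; Command = [string]$t.'Task To Run' }
    }

    return $entries
}

function Test-SuspiciousAutostart {
    param([string]$Command)
    # Heuristics used by this example (assumptions, not a malware signature):
    #  1. the executable name is only digits, e.g. 12345678.exe, as reported in the thread
    #  2. the executable lives under the user's Temp or AppData folders
    return ($Command -match '(^|\\)\d+\.exe\b') -or
           ($Command -match '\\AppData\\(Local|Roaming)\\') -or
           ($Command -match '\\Temp\\')
}

$all = @(Get-AutostartEntries)
Write-Host "Autostart entries found: $($all.Count)"
$all | Where-Object { Test-SuspiciousAutostart -Command $_.Command } |
    Select-Object Source, Name, Command | Format-Table -AutoSize -Wrap

# Once an entry is confirmed bad (with the router unplugged, as in the first post):
#   Remove-ItemProperty -Path '<registry key>' -Name '<entry name>'
#   schtasks.exe /delete /tn '<task name>' /f
# then delete the file the entry points at, reboot, and rerun this script to
# confirm nothing has re-created it.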


  BurrWalnut 15:59 23 Feb 2012

I think you have done very well. It’s not exhaustive by any means, but here are a few extra pointers for the future:

1.If you cannot run any programs and System Restore is enabled, boot to Safe Mode and run System Restore selecting a date before the infection. If system restore is not a viable option, download the appropriate 32-bit or 64-bit version of Microsoft’s Standalone Sweeper here and burn a CD. Boot from the CD and run a full scan.

2.If possible run Rkill. It will stop all running processes, both legitimate programs and recognised nasties. By doing so, it will then allow you to run an ‘anti‘ program to remove any infection(s). There are 4 versions of Rkill; exe, com, scr and pif. Some malware may recognise the program and stop the exe version from running, if so, try one of the others. If you can’t download it, save it to an external USB device using a different computer, then plug it in to the infected machine. It is small and doesn’t need installing, so you may want to keep it permanently on a memory stick to run it, but remember it does need a new version every so often in order to identify new infections.

3.If your browser is being redirected, download/run HijackThis, from here and delete any redirection entries beginning with 01, 13 or 17. You may have to resort to ‘Google’ for one of the specialist HijackThis sites, but read the instructions on the site before posting a log.

  kwil2 02:59 24 Feb 2012

Many thanks, Terry & BurrWalnut, for taking time to reply. I had already checked Task sign of anything untoward. 'RKill'... again, I do have a version of this myself, but I haven't used it and it's now well out of date. So taking your points on board regarding that is very useful. 'Hijack This' I've also had loaded on my own machines for a long knew about that and the help given by the 'Hijack This' experts.

I'm sure you'll agree these malware cheats are the scum of the earth. My girlfriend, like many others, panicked but had the sense to do nothing at first till she'd asked around. Many people might not have that option and so feel forced into clicking 'payment'. That, as you know, would entail giving personal info: bank/credit card details etc. The bank account would be drained super-quick and the 'promised' unlocking would not take place.

I used to think using a computer was fun...but it became increasingly a battlefield the minute 'big business' hijacked the web!

Don't know who's worse: the scumbag malware writers/criminals or the banks for letting card details be compromised so easily. I have it from a very informed source that bank 'security' systems are still being hacked on at least a monthly basis. Of course, they'll never admit to it... just 'reassure' us all they'll refund any loss we make... grrrr! Anyway, many thanks again for your helpful input... Regards

  Input Overload 12:10 24 Feb 2012

You may want to run Kaspersky TDSS Killer, which is free, as you may still have rootkits. It only takes a few moments to run.

  kwil2 04:21 26 Feb 2012

Hi Input... hadn't heard of that one... but well aware of Kaspersky's good reputation. Downloaded and threats! So I guess, for the moment anyhow, we'll let sleeping girlfriends lie! Many thanks for the suggestion...

  igennie5 07:42 29 Feb 2012

This is a very serious problem; try to secure more than the normal security. Avoid downloading unknown programs.
