Maleware Problem

[omega0401]

My son has some kind of maleware bug in his PC. It keeps popping up a message about a virus and to press ok to run his antivirus software (with no name of the antivirus software) to get rid of it. But it’s a bogus message. His antivirus wouldn't run that way.

When he tried to run his antivirus program manually it finds something but then the PC immediately boots itself preventing the antivirus from removing it.

He tried installing Adaware but when he installs it the PC boots itself to prevent that from starting.

He then tried booting to safe mode and then run the Adaware installer but it comes back with a message that it needs a few things like a C++ library. It's probably in his PC but not running because it is in safe mode.

I think if he could get Adaware running it would remove this maleware bug but so far he gets blocked.

I'll have him try to install Spybot and/or Windows Maleware remover and see if that works. He may have the same problem though.

If he restores his system from a previous restore point, does that physically get rid of the maleware file?

Are there any other suggestions he might try doing to get these maleware removers to install and run?

[HansV]

The free version of Malwarebytes Anti-Malware has a good reputation of purging fake anti-virus software.

[John Gray]

Agreed - but it might be necessary (or even preferable) to download, update, and run it in Safe Mode.
I would also run SuperAntiSpyware and HitMan Pro 3.5, again initially in Safe Mode, probably.

[omega0401]

Reporting back. We didn’t try everything mentioned but this is what happened. We ran SuperAntiSpyware in safe mode. It gave the message: Adware.Tracking Cookie 483 found. It quarantined those. That’s all it found. Ran Malwarebytes in Safe mode and found nothing.

Booted to normal mode and the virus popups started again as well as IE starting by itself to porno sites. Ran Nod32 antivirus and it found nothing.

Tried to run Malwarebytes and SuperAntiSpyware in normal mode and neither would run. Excel and Word would not run. Task Manager, System Maintenance, and System Restore do not run. The uninstall programs did run so it isn’t every program just most programs.

Something opens behind any window that is open that we launch a program from but then disappears. I think it may be the virus program intercepting most programs that are trying to launch.

We’ll try a few more things suggested perhaps Hitman. In the meantime is there anything else we could try? He has a Windows 7 PC.

How the bug may have happened…
He was doing a google on: *Watch V*. V is a tv show that he wanted to see. He clicked on a link and that’s when the popups started.

He has some programs he downloaded recently that I don’t recognize but I think they are safe. They are: Steam, Panda Media Booster, AA2Deploy, and PunkBuster Services.

[StuartR]

Try running Sophos anti-rootkit.

[omega0401]

Try running Sophos anti-rootkit.

Thanks Stuart. I'll give this a try. I will probably have the same problem running it as I do the other programs. I'll try safe mode first but if the virus isn't running in safe mode I hope it will find it anyway.

[John Gray]

I have found that on occasion HitMan Pro finds and fixes a few things that Malwarebytes and SuperAntiSpyware didn't - but Your Viruses May Vary!

[jonwallace]

Perhaps booting from a bootable recovery CD like UBCD4Win and running the anti-spyware tools from there may help. Note that when you create the CD, take the time to update Malwarebytes antimalware etc.

A good resource is http://www.bleepingcomputer.com/forums/forum103.html" onclick="window.open(this.href);return false;

[omega0401]

Update.
We turned on the PC to run a few things. Before we could do that, NOD32 lite up red saying there was a virus in RAM. We ran a complete scan and it found two virus files which it deleted. They were

Content.IE5\N6SNXRQN\na[1] - Win32/Adware.SpywareProtect2009 application - cleaned by deleting
00154995.exe - a variant of Win32/Kryptik.JLH trojan - cleaned by deleting

NOD32 probably had a database subscription update that may have found the virus or it may have been the same one my son found but he didn't write it down. But he said it only found one and then the PC rebooted.

We then had difficulty getting his browsers and online games working. We had to turn off Proxy Servers in IE and check on Automatic Detect Settings. Everything seems to be working fine now.

I think a root kit finder will be our next step just to make sure.

Thanks for everyone's comments.

[HansV]

You seem to have gotten rid of the nasties - very good!

I'd run a rootkit finder indeed, but treat the results cautiously - some rootkit-like items are legitimate.

I hope this'll be a lesson for your son - even with an up-to-date antivirus program you still have to be cautious!