Windows Help


Malware Infection


kwil2

Likes # 0

I'd appreciate any advice on the following malware problem. My girlfriend's computer was 'hijacked' a couple of days ago by some malware which claimed to have 'locked' the computer and demanded payment for 'unlocking'. It was obviously a scam though looked 'official', stating her IP address and location (both wrong, by the way!). When she tried going on the internet, the malware webpage appeared again, taking up the whole screen and allowing no other access, only a hyperlink to 'payment'. She's running Windows 7 Home, uses mostly Firefox for web access. I loaded Spyware Blaster, Malwarebytes and Avast antivirus for her some time ago and she updates these religiously as well as running regular scans (I've taught her well!).

However, this may be just coincidence, but this malware hijack happened a very short time after a Windows Update. I noticed the malware had slipped an entry into 'msconfig' startup. It was showing a row of numbers with an 'exe' extension. So that would explain why it kicked in each time. I tried unticking the entry then rebooting. I saw it remained unticked in 'msconfig', though still there in the list as unchecked. Logging on to the web, the malware page again reappeared. Checking 'msconfig' I noticed it had simply placed another 'number' entry with 'exe' extension.

Here's what I did to 'cure' the problem, so far working but I'm still unsure whether I could or should do more to prevent this happening again to her.

1. I unplugged her router.
2. Using 'CCleaner' > Tools > Startup, removed offending entries.
3. I then manually flushed the 'DNS' cache via 'Command Prompt' > Run As Administrator > typing 'ipconfig/flushdns'.
4. I then did an 'sfc' scan of her hard drive: as above + 'sfc/scannow'. This showed no problem.
5. I also cleared out her Windows > Prefetch folder.
6. I then ran a full Avast and Malwarebytes scan of the system. Nothing was flagged.
Though I'm aware malware can possibly infect System Restore, I decided to roll back her system to a month ago - thankfully, with my encouragement, she'd already set up daily system image + restore backups! I then ran scans of the new restore - nothing amiss. The computer's been running perfectly since, the malware appears to have gone. However, I'd welcome any comment on the above, any steps I should have taken and other advice or software to include for future prevention. Many thanks

Terry Brown

Likes # 0

Have a look in the Control panel under Scheduled tasks, it may be in there to start at start up.

Terry

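The two things suggested so far, the msconfig startup list where kwil2 found the digits-only '.exe' entry and the scheduled tasks Terry points at, can be checked in one pass. The script below is an added example written for this thread, not something posted by any of the participants or shipped with any of the tools mentioned. It lists the usual autostart locations (Run/RunOnce registry keys, the Startup folders, and scheduled tasks via schtasks.exe, since Get-ScheduledTask does not exist on Windows 7) and flags any entry that launches an executable whose file name is nothing but digits. The digits-only rule, the function names Test-NumericExeName and Add-Finding, and the output format are all my own choices; it assumes an elevated PowerShell 3.0 or later prompt (available for Windows 7 SP1 via WMF 3.0) and changes nothing on the machine, so anything it flags still has to be reviewed and removed by hand, as kwil2 did with CCleaner.

```powershell
# Added example, not from the thread: enumerate common Windows autostart
# locations and flag entries that launch an .exe whose file name is digits only,
# the pattern kwil2 saw in msconfig. It only lists; nothing is modified.
# Assumes Windows 7 SP1 or later with PowerShell 3.0+ and an elevated prompt.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-NumericExeName {
    param([string]$Command)
    # True when the command string contains a path element like "\8472395.exe"
    # (digits-only file name). Constructed heuristic for this example, not a vendor signature.
    return [bool]($Command -match '(^|[\\/"\s])\d+\.exe\b')
}

$findings = New-Object System.Collections.ArrayList

function Add-Finding {
    param([string]$Source, [string]$Name, [string]$Command)
    [void]$findings.Add([PSCustomObject]@{
        Source     = $Source
        Name       = $Name
        Command    = $Command
        Suspicious = Test-NumericExeName $Command
    })
}

# 1. Registry Run / RunOnce keys (the entries msconfig's Startup tab shows)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($p in $values.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath etc. are provider metadata
        Add-Finding -Source $key -Name $p.Name -Command ([string]$p.Value)
    }
}

# 2. Per-user and all-users Startup folders
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File | ForEach-Object {
        Add-Finding -Source $dir -Name $_.Name -Command $_.FullName
    }
}

# 3. Scheduled tasks (Terry's suggestion). schtasks.exe works on Windows 7,
#    where Get-ScheduledTask is not available. The verbose CSV repeats its
#    header row once per task folder, so those rows are skipped.
$tasks = schtasks.exe /query /fo CSV /v | ConvertFrom-Csv
foreach ($t in $tasks) {
    if ($t.TaskName -eq 'TaskName') { continue }
    Add-Finding -Source 'Scheduled task' -Name $t.TaskName -Command ([string]$t.'Task To Run')
}

# Flagged entries sort to the top; review the Command column before removing anything.
$findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize -Wrap
"{0} autostart entries, {1} flagged" -f $findings.Count, @($findings | Where-Object { $_.Suspicious }).Count
```

The digits-only check is deliberately narrow: it catches the behaviour described in this thread (a fresh random-number executable re-added on every reboot) but will not flag an autostart that uses an ordinary-looking name, so the full list is printed rather than only the matches. Running it again after a reboot and comparing the two listings is the quickest way to confirm that whatever re-creates the entry is actually gone.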
BurrWalnut

Likes # 0

I think you have done very well. It’s not exhaustive by any means, but here are a few extra pointers for the future:

1. If you cannot run any programs and System Restore is enabled, boot to Safe Mode and run System Restore selecting a date before the infection. If System Restore is not a viable option, download the appropriate 32-bit or 64-bit version of Microsoft’s Standalone Sweeper here https://connect.microsoft.com/systemsweeper and burn a CD. Boot from the CD and run a full scan.

2. If possible run Rkill. It will stop all running processes, both legitimate programs and recognised nasties. By doing so, it will then allow you to run an ‘anti’ program to remove any infection(s). There are 4 versions of Rkill: exe, com, scr and pif. Some malware may recognise the program and stop the exe version from running; if so, try one of the others. If you can’t download it, save it to an external USB device using a different computer, then plug it in to the infected machine. It is small and doesn’t need installing, so you may want to keep it permanently on a memory stick to run it, but remember it does need a new version every so often in order to identify new infections.

3. If your browser is being redirected, download/run HijackThis from here http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html and delete any redirection entries beginning with 01, 13 or 17. You may have to resort to ‘Google’ for one of the specialist HijackThis sites, but read the instructions on the site before posting a log.

kwil2

Likes # 0

Many thanks Terry & BurrWalnut for taking time to reply. I had already checked Task Scheduler... no sign of anything untoward. 'RKill'... again, I do have a version of this myself but I haven't used it and it's now well out of date, so taking your points on board regarding that is very useful. 'Hijack This' I've also had loaded on my own machines for a long time... so knew about that and the help given by the 'Hijack This' experts.

I'm sure you'll agree these malware cheats are the scum of the earth. My girlfriend, like many others, panicked but had the sense to do nothing at first till she'd asked around. Many people might not have that option and so feel forced into clicking 'payment'. That, as you know, would entail giving personal info: bank/credit card details etc. The bank account would be drained super-quick and the 'promised' unlocking would not take place.

I used to think using a computer was fun...but it became increasingly a battlefield the minute 'big business' hijacked the web!

Don't know who's worse: the scumbag malware writers/criminals or the banks for letting card details be compromised so easily. I have it from a very informed source that bank 'security' systems are still being hacked on at least a monthly basis. Of course, they'll never admit to it... just 'reassure' us all they'll refund any loss we make.... grrrr! Anyway, many thanks again for your helpful input... Regards

Input Overload

Likes # 0

You may want to run http://support.kaspersky.com/viruses/solutions?qid=208280684 Kaspersky TDSS Killer which is free as you may still have root-kits, only takes a few moments to run.

kwil2

Likes # 0

Hi Input... hadn't heard of that one... but well aware of Kaspersky's good reputation. Downloaded and ran.... zero threats! So I guess, for the moment anyhow, we'll let sleeping girlfriends lie! Many thanks for the suggestion...

igennie5

Likes # 0

This is a very serious problem; try to secure more than the normal security. Avoid downloading unknown programs.


This thread has been locked.