Topic: How best to clean malware after finding it?


RonE

How best to clean malware after finding it?
« on: January 05, 2009, 04:49:42 PM »
I have been running Avast and ThreatFire on a home computer that is used as a file server for about 6 months without any issues.  I have been following this forum for a while and have been impressed with its helpfulness. 

Recently, my daughter asked if I would troubleshoot two unresponsive computers that belong to a couple of her college friends.  I was able to install and run Avast, Malwarebytes and SuperAntiSpyware on the first computer, a Sony laptop running Windows XP. With those programs, I successfully removed a "bunch" of malware and the laptop now seems to be in good working order.

The second computer, a Dell laptop, seems to boot into Windows Vista okay, but the desktop is not responsive, applications take a very long time to load and run, if they start at all.  New applications cannot be installed.

So, I rebooted to safe mode, installed Avast and set it up to run a boot scan. The boot scan found Win32:Spyware-gen[trj] and two instances of "Win32:Adware-gen[Adw]". They could not be repaired and since they apparently exist in the Windows directories, I was not sure if I could quarantine or delete them without affecting the system adversely. So, I completed the scan finding only those three issues, but without removing the malware. Once back to the Vista desktop, I still was not able to run an Avast on-demand scan.

An earlier attempt to use Malwarebytes from safe mode to remove the offending malware resulted in rebooting to a blank desktop where only the Task Manager could be brought up. Fortunately, safe mode still worked. I did a restore from safe mode and got the laptop back to its original unresponsive desktop.

Any suggestions as to the best way to proceed?  Thanks!

ardvark

Re: How best to clean malware after finding it?
« Reply #1 on: January 05, 2009, 11:05:01 PM »
Hi...

You mention you are not able to install software or successfully run anti-malware scans and/or remove malware on this notebook. What, if any, error messages did you receive when you attempted to do this? Also, could you give us the model name and number of this Dell notebook? :)

May God Bless you!

RejZoR

Re: How best to clean malware after finding it?
« Reply #2 on: January 05, 2009, 11:26:20 PM »
You can try cleaning it in regular mode but if it fails, try safe mode.

RonE

Re: How best to clean malware after finding it?
« Reply #3 on: January 06, 2009, 03:03:26 AM »
The laptop is a Dell Inspiron 6400 with a T2300 CPU and 1GB RAM.  It originally ran Windows XP, but has been "upgraded" to Vista Home Premium. 

Most applications do not seem to run from the normal Vista desktop (not safe mode) due to its unresponsiveness.  And, it appears to be virtually impossible to install a new application when not in safe mode.

Although the Avast icon shows up in the notification area of the taskbar, I cannot run "Start Avast! Antivirus" from the normal desktop, either from the Start menu or from the taskbar icon. The cursor just changes to the wait cursor (rotating circle) and the memory scan splash window never shows.

What are the consequences of quarantining malware that resides in the Windows directories?  Can such quarantining make the operating system unusable?

ardvark

Re: How best to clean malware after finding it?
« Reply #4 on: January 06, 2009, 03:56:52 AM »
Hi...

From what you've described, it doesn't sound like the malware that avast found would be enough to cause the effects you've mentioned; however, this depends greatly on what the malware is coded to do, so I could easily be wrong. If I remember correctly from other posts, the "gen" name given for the items in question refers to "generic." Sometimes these can be false positives. The only thing I can see the notebook possibly needing at this point is additional memory, especially if there is a lot being loaded into memory (that runs in the background) at bootup.

You might want to download both Process Explorer and Hijackthis and, if they will run, post the results so we can get a better idea of what is going on...

http://www.download.com/Process-Explorer/3000-2094_4-10223605.html

http://www.filehippo.com/download_hijackthis/

Hopefully, they will not need to be installed to be able to execute (run) them. :)

Best Regards...

RonE

Re: How best to clean malware after finding it?
« Reply #5 on: January 07, 2009, 10:04:14 PM »
Thanks for the responses!

I am still unable to run any applications in the normal desktop due to its unresponsiveness.  The only way that I can run an executable is in safe mode or after using msconfig to disable startups and services.

In addition to what Avast found and corrected, I ran Malwarebytes in safe mode. It found and removed Trojan.FakeAlert and an HKEY for Rogue.Installer.  The normal desktop was still unresponsive after this.

I am now trying to determine the source of the unresponsiveness of the normal desktop so that I can run some of the malware detection and analysis applications on the normal desktop.  I am selectively disabling startups and services using msconfig and have isolated the unresponsiveness issue to a few services, all of which are supposed to be from Microsoft.  When I figure out the offending services, I will disable them only and then run HijackThis from the normal desktop and post the log.

In the meantime, is there anything to be gained by running HijackThis from safe mode or after disabling startups and services using msconfig?
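The post above isolates the unresponsive services by toggling them one at a time in msconfig. A systematic version of that triage, added here as an example and not posted by anyone in the thread, is to enumerate the same things msconfig toggles (auto-start services and the Run keys), resolve each entry to the binary that actually executes, and report which ones do not carry a valid Microsoft Authenticode signature. It also speaks to the earlier question about files under the Windows directories: a file there that is unsigned, or whose service points at a missing path, is the one to examine before touching a signed system component. The report path is an assumed location; everything else uses standard Windows PowerShell cmdlets available on Vista and later.

```powershell
# Added example, not from the thread. Enumerates what msconfig toggles
# (auto-start services and Run-key entries), resolves each to the binary that
# actually runs, and reports the ones without a valid Microsoft signature.
# Run from an elevated Windows PowerShell prompt.
# Assumption: the report path is arbitrary; change it as needed.
$ReportPath = 'C:\triage.csv'

function Get-ExePath {
    # Pull the executable out of a command line such as
    #   "C:\Program Files\Foo\foo.exe" -k bar   or   C:\Windows\system32\svchost.exe -k netsvcs
    # Bare names like rundll32.exe are not resolved against PATH; they surface as
    # 'missing-file' below, which is acceptable for a triage list.
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cl, '(?i)^(.*?\.(exe|dll))')   # unquoted: cut at the first .exe/.dll
    if ($m.Success) { return $m.Groups[1].Value }
    return $cl.Split(' ')[0]
}

function Get-SignerInfo {
    # Returns the signer subject for a validly signed file, or a short reason otherwise.
    # Caveat: before Windows 8, Get-AuthenticodeSignature does not consult catalog
    # signatures, so many genuine files under \Windows report NotSigned on Vista/7.
    # Treat the output as a list of things to check, and confirm with Sysinternals
    # sigcheck or sfc before deleting anything.
    param([string]$Path)
    if (-not $Path) { return 'no-path' }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $expanded)) { return 'missing-file' }
    $sig = Get-AuthenticodeSignature -FilePath $expanded
    if ($sig.Status -ne 'Valid') { return "not-valid/$($sig.Status)" }
    return $sig.SignerCertificate.Subject
}

$items = @()

# 1. Services set to start automatically (msconfig's Services tab).
Get-WmiObject Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
    $exe = Get-ExePath $_.PathName
    # svchost.exe itself is always Microsoft's; the code that matters is the ServiceDll.
    if ($exe -match '(?i)svchost\.exe$') {
        $params = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters" -ErrorAction SilentlyContinue
        if ($params -and $params.ServiceDll) { $exe = $params.ServiceDll }
    }
    $items += New-Object PSObject -Property @{
        Source = 'Service'; Name = $_.Name; State = $_.State
        Path = $exe; Signer = Get-SignerInfo $exe
    }
}

# 2. Run keys for the machine and the current user (msconfig's Startup tab).
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }   # PowerShell's own provider properties
        $exe = Get-ExePath $p.Value
        $items += New-Object PSObject -Property @{
            Source = $key; Name = $p.Name; State = ''
            Path = $exe; Signer = Get-SignerInfo $exe
        }
    }
}

# Everything not validly signed by Microsoft is where to look first. An entry
# that claims to be a Windows service but points at a missing file, or at a path
# outside \Windows and \Program Files, deserves attention before any signed
# system component does.
$suspect = $items | Where-Object { $_.Signer -notmatch 'O=Microsoft Corporation' }
$suspect | Sort-Object Source, Name | Select-Object Source, Name, State, Path, Signer | Format-Table -AutoSize
$items | Select-Object Source, Name, State, Path, Signer | Export-Csv -Path $ReportPath -NoTypeInformation
```

The CSV keeps every entry, not only the suspects, so the rows can be compared against a known-good machine of the same Windows version. Disabling a service from this list is the same operation as unchecking it in msconfig, so the reversible approach the post describes still applies: disable, reboot, observe, re-enable.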

ardvark

Re: How best to clean malware after finding it?
« Reply #6 on: January 08, 2009, 05:57:20 AM »
Quote from: RonE on January 07, 2009, 10:04:14 PM
In the meantime, is there anything to be gained by running HijackThis from safe mode or after disabling startups and services using msconfig?

Hi...

Absolutely! Going into the "startup" tab and unchecking unnecessary entries might help you to zero in on what is causing the unresponsiveness. I'm not sure, however, if running HijackThis in safe mode will be beneficial. I would think it would depend on the particular piece of malware as to whether it would load into memory in safe mode.

Please let us know how this turns out. :)

Best Regards...