Needs ideas to save friend's computer

zavulon

Hi all,

My friend needs me to save his computer, which has been infected by a
trojan. I'm a computer programmer myself, and therefore know nothing
about this stuff - but try explaining it to my friend! ;-)

Anyway, he has some kind of a nasty trojan infestation, and every time
he goes to an anti-virus website, the browser closes, and every time
we try to install an anti-virus or anti-spyware program like AVG or
HiJackThis, the installation gets closed.

I searched online; so far nothing helped. What's the best way to
handle this? I would imagine the best way would be to boot the PC from
some source other than his hard drive, and then run all kinds of
anti-virus software from there. But what's the best way to do this? Is
there a Windows XP Live CD that's easy to make?

I'm thinking of bringing him my hard drive and booting from there, but
I'd like to avoid that if at all possible, since it's too much hassle
with the hardware.

Any ideas, anybody?

Thanks!
 
John John

It's a *really* bad idea to try and install anti-virus software on a
computer that is already infected! Some malware is written to detect
attempts to install AV software and can deliver a pretty nasty payload
when these attempts are detected! It is preferable to use the bootable
software disk that came with the AV package, or to create a bootable
disk with your AV software program and have it do an offline scan on the
hard disk. You can also mount the disk in another computer to scan it
or use a Bart's PE disk.

The best thing is usually to properly identify the pest then remove it
manually if you can. It is usually easier to remove these pests while
booted in Safe-Mode. Removal instructions and removal tools are
available free from most of the major AV vendors.

You can read Malke's help section for more advice:

Removing Malware
http://www.elephantboycomputers.com/page2.html#Removing_Malware

John
 
McFly

zavu,

HiJackThis isn't really an antimalware program, so it shouldn't be a
problem to install it. Since you can't install any antimalware
programs FOR NOW, try to download the executable files of the
following antimalware programs: Grisoft AVG Free Anti-Virus, Spybot
Search & Destroy, Lavasoft Ad-Aware SE Personal, Microsoft Defender,
Grisoft AVG Free Anti-Spyware and Spyware Blaster.

- Clear/clean cache and cookies folder of all internet browsers.

- Reconfigure Windows XP to show hidden files:
* Click Start. Open My Computer.
* Select the Tools menu and click Folder Options. Select the View tab.
* Under the Hidden files and folders heading select "Show hidden files and folders".
* Uncheck the "Hide protected operating system files (recommended)" option.
* Uncheck the "Hide file extensions for known file types" option.
* Click Yes to confirm. Click OK.

- Delete all files and folders contained in the following folders, but
not the folders themselves:
* C:\Documents and Settings\<profile name>\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file
* C:\Documents and Settings\<profile name>\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar
* C:\Documents and Settings\<profile name>\Local Settings\Temp
* C:\Windows\Prefetch (DO NOT DELETE the layout.ini file)
* C:\Windows\Temp
* Recycle Bin

- Configure IE7 to prevent third-party pop-ups from appearing:
* Open IE7.
* Go to Tools > Internet Options. It will open the Internet Options dialog box.
* Click on the Privacy tab.
* Click on Advanced. It will open the Advanced Privacy Settings dialog box.
* Put a check beside Override automatic cookie handling.
* Under First-party cookies, put a dot beside Accept.
* Under Third-party cookies, put a dot beside Block.
* Put a check beside Always allow session cookies.
* Click OK to save the settings and close the dialog boxes.

- Reboot.

- Now try to install all the antimalware executable files, one at a
time of course.
- Connect to the internet and perform updates on all of them.

- Reboot to safe mode.
- Run a full scan using all antimalware programs in the following
order: AVG AV, Spybot, Ad-Aware, AVG AS and Defender.
- Reboot to normal mode.
- Turn off System Restore.
- Perform a disk defragment.
- Turn on System Restore.
- Create a restore point.

You should be set...

-fly-
 
Ronaldo

It may be necessary to remove the internet connection line from the computer
to cut off the trojan from home. Next try to disable the trojan: in
Start\Run type msconfig and hit Enter, then go to the Startup tab and
disable the trojan if you find it listed there; if not, go to the registry
(Start\Run, regedit) and browse to the following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
See if you find a value for the trojan there and delete it. Do this in Safe
Mode if necessary (F8 at computer startup several times at 2 sec
intervals).

Also check in Task Manager and if you can ID it (it probably consumes high CPU
or memory), right-click it and select "End Task". Or install Process Explorer
for much more detail than Task Manager on all processes:
http://www.microsoft.com/technet/sysinternals/miscellaneousutilities.mspx

If you can find the trojan's location (in msconfig, the registry or Process
Explorer), delete the trojan.exe file.

Also try scanning with HijackThis from a diskette in safe mode if necessary.
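An added example, not posted by anyone in this thread: a PowerShell script (PowerShell 2.0 runs on Windows XP) that lists the entries in the two Run keys named above, resolves each to its executable, and flags entries whose file is missing or sits in a temp or per-user data folder, then lists the processes with the most CPU time, which is what the Task Manager step looks for. The suspect-folder list is an assumed heuristic, not a rule from the thread.

```powershell
# Added example, not code from the thread. Inspects Run-key autostart entries
# and top-CPU processes as a triage aid before anything is deleted by hand.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Assumed heuristic: a legitimate autostart binary rarely lives in a temp or
# per-user data folder, so entries pointing there deserve a closer look.
$suspectDirs = @($env:TEMP, "$env:WINDIR\Temp", $env:APPDATA) | Where-Object { $_ }

function Get-ExePath([string]$command) {
    # Pull the executable out of a Run-key command line, quoted or not, and
    # expand variables such as %SystemRoot%; bare names are resolved via PATH.
    $cmd = [Environment]::ExpandEnvironmentVariables($command)
    $exe = $cmd
    if ($cmd -match '^"([^"]+)"') { $exe = $matches[1] }
    elseif ($cmd -match '^(\S+)')  { $exe = $matches[1] }
    if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
        $found = Get-Command $exe -ErrorAction SilentlyContinue
        if ($found) { $exe = $found.Definition }
    }
    return $exe
}

function Get-RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
            $exe = Get-ExePath ([string]$p.Value)
            $flags = @()
            foreach ($d in $suspectDirs) {
                if ($exe.ToLower().StartsWith($d.ToLower())) { $flags += 'SUSPECT-LOCATION'; break }
            }
            if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { $flags += 'MISSING-FILE' }
            New-Object PSObject -Property @{
                Key = $key; Name = $p.Name; Executable = $exe; Flags = ($flags -join ' ')
            }
        }
    }
}

Get-RunEntries | Select-Object Key, Name, Executable, Flags | Format-Table -AutoSize -Wrap
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10 Name, Id, CPU, Path | Format-Table -AutoSize
```

A flagged entry is a lead to look up by name and path, not proof of infection; compare it against the removal instructions the AV vendors publish before deleting anything.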
 
zavulon

Thanks all.

I tried some of those already, and will try the rest.

McFly, HiJackThis may not be an anti-malware program, but its
installation gets closed immediately anyway. Any idea where to get the
executables of those programs without installation?

Thanks again all, I'll try it out and see what happens.
 
RRShaver

Download sysclean.com at
http://www.trendmicro.com/download/sysclean.asp

and the latest virus pattern at
http://www.trendmicro.com/download/viruspattern.asp

Unzip the virus pattern file and place it and the sysclean.com file in the
same directory on the infected computer and execute sysclean.

Runs better in safe mode and can take quite a while. It will find the
infected files and try to clean or quarantine them; if not, it will delete
them. If the system is highly corrupted or infected it may not boot later,
and you will have to reinstall the OS.
 
Chuck Bleistein

RRShaver:
Download sysclean.com at
http://www.trendmicro.com/download/sysclean.asp

and the latest virus pattern at
http://www.trendmicro.com/download/viruspattern.asp

Unzip the virus pattern file and place it and the sysclean.com file in the
same directory on the infected computer and execute sysclean.

Runs better in safe mode and can take quite a while. It will find the
infected files and try to clean or quarantine them; if not, it will delete
them. If the system is highly corrupted or infected it may not boot later,
and you will have to reinstall the OS.

I just went through this with my sister-in-law's computer. The best way
that I've found is to pull the hard drive out of the infected machine
and hook it up to a clean computer. Go into the up-to-date anti-virus
program and have it scan all files on the infected drive. When it finds
a virus, have it put it in the virus vault. When done with the first
scan, run it a 2nd time to be sure you have a clean drive. This should
do the trick; then put the drive back into the other computer. PS, I use
AVG PRO.
 