Geekzone: technology news, blogs, forums


lchiu7

6476 posts

Uber Geek

Trusted

#79420 17-Mar-2011 08:35

My daughter has come to me to help a friend with a laptop that has some nasty virus or rootkit on it. She was first alerted when the machine would not start up at all so she took the laptop to a local PC shop who said it was badly infected and by the way, it was not running a genuine copy of Windows (Ultimate). She had purchased the laptop in Thailand so that isn't a surprise.

Well they got the machine to boot up but told her she needed to purchase a copy of Windows. She did so purchasing Home Premium and this is where I was asked to help - how to install it?

Well it's easy enough to install if you want to do a clean installation but you lose all programs (I think Windows stuffs them into windows.old) so you really have to re-install everything. I thought I might circumvent that by editing the registry to change the version of Windows that it was running and then do an upgrade, and this is where I encountered problems.

Every time I run regedit, msconfig or task manager, a genuine-looking antivirus program pops up saying allow or deny this program to run. This is clearly a virus that has trapped those programs. I have tried firing up in safe mode but that AV software still runs. I tried booting from a Windows 7 disk, going to the command prompt and running a standalone virus checker (McAfee Stinger) but it finds nothing. I suspect there might be a rootkit installed also.

Short of blowing away the current Windows installation, is there anything else I could do?  I was thinking of a regedit replacement which might let me look at the startup programs to kill the fake AV program.

Any advice appreciated. I am not really a desktop support specialist!




Staying in Wellington. Check out my AirBnB in the Wellington CBD.  https://www.airbnb.co.nz/h/wellycbd  PM me and mention GZ to get a 15% discount and no AirBnB charges.


freitasm
BDFL - Memuneh
79289 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #449121 17-Mar-2011 08:43

If she's got a rootkit and a copy of Windows previously installed in a shop in Thailand, I suggest you forget anything on that laptop, blow the partitions and install Windows from scratch. Any other file, script, program on that machine could have keyloggers, viruses, bots...









kyhwana2
2566 posts

Uber Geek


  #449122 17-Mar-2011 08:44

It will just be faster to copy all the data off and reformat the drive and do a clean install. Just installing over the top probably won't get rid of the rootkit/virus.

Kraven
729 posts

Ultimate Geek


  #449126 17-Mar-2011 08:48

As above, a format and reload would be your best option - rootkits can be difficult to remove completely.

If you want to persevere, does the fake AV still launch when you boot into Safe Mode? If not, you can probably install and run Malwarebytes in there which should deal to the fake AV.



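What the hijacked regedit/msconfig/taskmgr in the opening post and the safe-mode question just above amount to is a short list of registry locations, and those can be inspected without running anything on the infected system. The following is an added example, not code from the thread or from any Geekzone poster: a PowerShell script, run from a WinPE image that includes PowerShell or from a clean Windows machine with the infected disk attached, that loads the infected SOFTWARE, SYSTEM and NTUSER.DAT hives and lists the usual fake-AV hijack points: Image File Execution Options "Debugger" entries, a rewritten .exe association, the DisableTaskMgr/DisableRegistryTools policies, Run/RunOnce and Winlogon autostarts, and SafeBoot\Minimal entries (the services allowed to load in safe mode, which is how malware survives a safe-mode boot). The drive letter D: and the profile folder D:\Users\Owner are assumptions; adjust both. It needs an elevated prompt.

```powershell
# Added example, not from the thread: offline triage of fake-AV hijack and
# persistence points. Nothing on the infected disk is executed; its hives
# are loaded into our own registry under HKLM\Off* and read from there.
# Assumptions: infected system drive mounted as D:, profile D:\Users\Owner.
param(
    [string]$Win  = 'D:\Windows',
    [string]$User = 'D:\Users\Owner'
)

$hives = @{
    'OffSOFT' = "$Win\System32\config\SOFTWARE"
    'OffSYS'  = "$Win\System32\config\SYSTEM"
    'OffUSER' = "$User\NTUSER.DAT"
}
foreach ($h in $hives.GetEnumerator()) {
    & reg.exe load "HKLM\$($h.Key)" $h.Value | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "could not load $($h.Value)" }
}

# Read one value from a key, $null if the key or value does not exist.
function Get-Val($key, $name) {
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p -ne $null) { $p.$name } else { $null }
}

$findings = @()
try {
    # 1. IFEO "Debugger": Windows starts the named debugger instead of the
    #    program, so a Debugger under regedit.exe/msconfig.exe/taskmgr.exe
    #    is exactly how those tools get intercepted. Any entry is suspect.
    $ifeo = 'HKLM:\OffSOFT\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($k in (Get-ChildItem $ifeo -ErrorAction SilentlyContinue)) {
        $dbg = Get-Val $k.PSPath 'Debugger'
        if ($dbg) { $findings += "IFEO      $($k.PSChildName) -> Debugger = $dbg" }
    }

    # 2. .exe association: the default command must be  "%1" %*  ; fake AV
    #    rewrites it so every program launch goes through the malware first
    #    (the "allow or deny" prompt). A per-user Classes key overrides HKLM.
    foreach ($cmd in @('HKLM:\OffSOFT\Classes\exefile\shell\open\command',
                       'HKLM:\OffUSER\Software\Classes\exefile\shell\open\command')) {
        $v = Get-Val $cmd '(default)'
        if ($v -and $v -ne '"%1" %*') { $findings += "EXEASSOC  $cmd = $v" }
    }
    $dotExe = Get-Val 'HKLM:\OffUSER\Software\Classes\.exe' '(default)'
    if ($dotExe) { $findings += "EXEASSOC  per-user .exe handler present: $dotExe" }

    # 3. Policies that silently disable Task Manager / regedit.
    foreach ($pol in @('HKLM:\OffUSER\Software\Microsoft\Windows\CurrentVersion\Policies\System',
                       'HKLM:\OffSOFT\Microsoft\Windows\CurrentVersion\Policies\System')) {
        foreach ($n in 'DisableTaskMgr', 'DisableRegistryTools') {
            if ((Get-Val $pol $n) -eq 1) { $findings += "POLICY    $pol\$n = 1" }
        }
    }

    # 4. Autostarts: Run/RunOnce for machine and user, plus Winlogon Shell
    #    and Userinit (explorer.exe and ...\system32\userinit.exe, only).
    $runKeys = @('HKLM:\OffSOFT\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\OffSOFT\Microsoft\Windows\CurrentVersion\RunOnce',
                 'HKLM:\OffUSER\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\OffUSER\Software\Microsoft\Windows\CurrentVersion\RunOnce')
    foreach ($rk in $runKeys) {
        $p = Get-ItemProperty $rk -ErrorAction SilentlyContinue
        if ($p) {
            foreach ($prop in $p.PSObject.Properties) {
                if ($prop.Name -notlike 'PS*') { $findings += "RUN       $rk\$($prop.Name) = $($prop.Value)" }
            }
        }
    }
    $wl = 'HKLM:\OffSOFT\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = Get-Val $wl 'Shell'
    $userinit = Get-Val $wl 'Userinit'
    if ($shell -and $shell -ne 'explorer.exe') { $findings += "WINLOGON  Shell = $shell" }
    if ($userinit -and $userinit -notmatch '(?i)^[a-z]:\\Windows\\system32\\userinit\.exe,?$') {
        $findings += "WINLOGON  Userinit = $userinit"
    }

    # 5. Safe mode: services listed under SafeBoot\Minimal load in safe mode
    #    too. An offline SYSTEM hive has no CurrentControlSet, so resolve the
    #    active control set through the Select key. Entries whose ImagePath
    #    is outside the Windows directory deserve a look.
    $cs  = 'ControlSet{0:D3}' -f [int](Get-Val 'HKLM:\OffSYS\Select' 'Current')
    $svc = "HKLM:\OffSYS\$cs\Services"
    foreach ($k in (Get-ChildItem "HKLM:\OffSYS\$cs\Control\SafeBoot\Minimal" -ErrorAction SilentlyContinue)) {
        $img = Get-Val "$svc\$($k.PSChildName)" 'ImagePath'
        if ($img -and $img -notmatch '(?i)(SystemRoot|\\Windows\\|^system32\\)') {
            $findings += "SAFEBOOT  $($k.PSChildName) -> $img"
        }
    }
}
finally {
    if ($findings.Count -eq 0) { Write-Output 'nothing flagged; check Services and scheduled tasks by hand' }
    $findings | ForEach-Object { Write-Output $_ }
    # The registry provider keeps handles open; collect before unloading or
    # reg.exe reports "Access is denied".
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    foreach ($name in $hives.Keys) { & reg.exe unload "HKLM\$name" | Out-Null }
}
```

Anything this lists is a lead, not proof, and should be compared against a clean Windows 7 install. It does not replace the reinstall the thread settles on: a kernel-mode rootkit can hide files from the running system, but the hives read offline here are what the infected system boots from, so this shows what a reinstall is going to remove and, at least, what a "regedit replacement" would have had to undo.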
wreck90
780 posts

Ultimate Geek
Inactive user


  #449129 17-Mar-2011 08:51

Your only safe bet is to reinstall.

Even if you could somehow repair the machine, would you feel safe doing your internet banking and email?

You could try using your windows installation disc to 'repair' windows. It gives you this option after inserting the disc.

Then, run your mcafee scanner again, in safe mode.

I believe safe mode should stop auto-startup programs from running. If you are still having an issue in safe mode, then it is likely the windows objects are corrupted.




timmmay
20581 posts

Uber Geek

Trusted
Lifetime subscriber

  #449132 17-Mar-2011 09:17

I'd trash it completely. If there's essential data on it I'd copy it onto a USB drive, but only data files, and I wouldn't plug them into another computer for a while.

Reinstall windows, patch it (ideally with autopatcher while you're still offline), then use ninite.com to install a whole bunch of software quickly. Get a good AV product on there (I use nod32). Turn off autorun. Plug the USB drive in and scan it. Set up the free version of Mozy to back up just the important data, photos or email can easily blow past the free 2GB account if the user isn't computer savvy.

Once it's up and running use DriveImageXML to create an image so it can be restored quickly later.

lchiu7

6476 posts

Uber Geek

Trusted

  #449142 17-Mar-2011 09:57

Hi all, Thanks for the input. It's as I suspected but I was hoping to help preserve her programs. But then on checking she had Office and Photoshop and I doubt if they are legal either.

The AV program starts up in Safe Mode also so it's a bit insidious. I was going to look for a third party registry editor but I agree that recovering the system is likely to leave it in a suspect state, even if Windows is activated okay.

I think based on the suggestions I will

1. Copy the data files to a USB drive
2. Run AV on the files I copied
3. Do a clean installation of Windows with format
4. Backup the system (I will probably use Easeus Todo Backup Home which I like)
5. Pass on the bad news to my daughter's friend! 

Looks like she is going to have to buy a copy of Office also on top of the Windows she already purchased.

I suggested to my daughter to tell her to pick up a copy of Office student edition or to see if the school has any deals going on.






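For steps 1 and 2 of the plan above (copy the data off, then scan it), and timmmay's point about not plugging the drive into another PC unprotected, here is an added example, not from the thread or any poster: a PowerShell script for the clean machine. It first turns AutoRun off for every drive type, then copies only files with an allow-listed document/media extension from the infected data partition to a USB drive, leaving executables, scripts, shortcuts and any autorun.inf behind, and writes a SHA-256 manifest of what was copied. Drive letters E: (infected data partition attached to the clean machine) and F: (USB drive) are assumptions.

```powershell
# Added example, not from the thread: rescue data files only, with a hash
# manifest, after disabling AutoRun on the machine doing the copying.
# Assumptions: infected data partition is E:, USB destination is F:\rescued.
param(
    [string]$Source = 'E:\',
    [string]$Dest   = 'F:\rescued'
)

function Disable-AutoRun {
    # NoDriveTypeAutoRun = 0xFF switches AutoRun off for every drive type.
    # HKLM policy, so it needs an elevated prompt; Explorer reads it at start.
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
    Set-ItemProperty -Path $pol -Name 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF
}

# Allow-list of data extensions. Anything else (exe, scr, lnk, vbs, js, cpl,
# dll, autorun.inf ...) stays on the infected disk. Only the final extension
# counts, so "holiday.jpg.exe" is skipped.
$allowed = '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.pdf', '.txt', '.rtf',
           '.odt', '.jpg', '.jpeg', '.png', '.gif', '.mp3', '.mp4', '.avi', '.mov', '.pst'

$sha = [System.Security.Cryptography.SHA256]::Create()
function Get-Sha256($path) {
    $fs = [System.IO.File]::OpenRead($path)
    try { [System.BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '') }
    finally { $fs.Close() }
}

function Copy-DataOnly {
    $manifest = Join-Path $Dest 'manifest.csv'
    New-Item -ItemType Directory -Path $Dest -Force | Out-Null
    '"relative_path","bytes","sha256"' | Set-Content $manifest

    $copied = 0; $skipped = 0
    Get-ChildItem -Path $Source -Recurse -Force -ErrorAction SilentlyContinue |
      Where-Object { -not $_.PSIsContainer } |
      ForEach-Object {
        $ext = $_.Extension.ToLower()
        if (($allowed -contains $ext) -and ($_.Name -ne 'autorun.inf')) {
            $rel    = $_.FullName.Substring($Source.Length).TrimStart('\')
            $target = Join-Path $Dest $rel
            New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
            Copy-Item -LiteralPath $_.FullName -Destination $target -Force
            # Hash the copy, so the manifest describes what is on the USB drive.
            '"{0}",{1},"{2}"' -f $rel, $_.Length, (Get-Sha256 $target) | Add-Content $manifest
            $copied++
        } else {
            $skipped++
        }
      }
    "copied $copied files, skipped $skipped (executables, scripts, shortcuts, autorun.inf)"
}

Disable-AutoRun
Copy-DataOnly
```

The allow-list is deliberately narrow; extend it for the user's real data. Office documents can carry macros and PDFs can carry JavaScript, so the copy still gets scanned (step 2), and the manifest lets a scan report be tied to exact files later.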
timmmay
20581 posts

Uber Geek

Trusted
Lifetime subscriber

  #449145 17-Mar-2011 10:03

Back up to an image, try not to put the drive into a PC that it could infect. I wouldn't plug a drive with a known virus into my PC, which is why I suggested getting that machine working first.

If you have an illegal copy of Office you can sometimes get a discount on genuine. Try looking about the Microsoft website.

 
 
 

lchiu7

6476 posts

Uber Geek

Trusted

  #449273 17-Mar-2011 15:46

Couldn't find anything on replacing illegal software. She might have to bite the bullet and purchase one from a store or some place.






Ramjet007
319 posts

Ultimate Geek


  #449448 18-Mar-2011 06:13

I agree, a rebuild will be faster.
You could try ComboFix. It does kill fake AV very well.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


CYaBro
4586 posts

Uber Geek

ID Verified
Trusted

  #449451 18-Mar-2011 06:55

You could try the Kaspersky Rescue CD.
I've used that to remove rootkits before.
It should also get rid of any fake av software.




Opinions are my own and not the views of my employer.


lchiu7

6476 posts

Uber Geek

Trusted

  #449476 18-Mar-2011 09:13

I told the girl I would have to do a complete installation and wipe out all the stuff. There is some mitigation in that her data is on another partition so the installation won't wipe that. Then after the installation I can run a number of AV tools on that partition.

But like best laid plans, once I finished the Win7 installation from the ISO she downloaded from Microsoft, not surprisingly, there were no drivers for video, audio, network, wifi, BT etc. So I went to the Acer site to get them only to find that drivers only exist for Windows 7 64-bit (this is an Acer Aspire Core i3 notebook)! It seems Acer distributes these machines with Win7 64-bit only. So that means another ISO download and another installation :-(






lchiu7

6476 posts

Uber Geek

Trusted

  #450700 22-Mar-2011 12:19

Just to close this loop off I did the following.

Re-installed Windows on the C partition (the drive has 3 partitions), formatting it first. Then began the tedious task of finding all the drivers for the machine (Acer Aspire), including LAN, wifi, audio, BT, video etc. Only when I started looking I could only find Win64 drivers, none for Win32 which I had installed since the machine only has 2G of RAM.

So that meant another installation :-( This time I found all the drivers, installed Microsoft Security Essentials, scanned her data drive, imaged the boot drive using Todo Backup and then returned the machine.

She had earlier taken the machine to a local PC repair place who charged her $90 to "fix" it. The fact that it came back with a virus (or viruses) that had clobbered regedit, msconfig and task manager suggests to me she didn't exactly get value for money! To be fair, the virus was probably already there and they were asked to get the machine to be able to boot. But a responsible repair place would have told her about all the problems and quoted for a complete repair job, not dissimilar to what I ended up doing (for free!).






wreck90
780 posts

Ultimate Geek
Inactive user


  #450954 22-Mar-2011 23:32

Windows 8 will only run signed code. Maybe that will stop rootkits?
