Geekzone: technology news, blogs, forums
# 79420 17-Mar-2011 08:35 (5175 posts, Uber Geek, Trusted)

My daughter has come to me to help a friend with a laptop that has some nasty virus or rootkit on it. She was first alerted when the machine would not start up at all so she took the laptop to a local PC shop who said it was badly infected and by the way, it was not running a genuine copy of Windows (Ultimate). She had purchased the laptop in Thailand so that isn't a surprise.

Well they got the machine to boot up but told her she needed to purchase a copy of Windows. She did so purchasing Home Premium and this is where I was asked to help - how to install it?

Well it's easy enough to install if you want to do a clean installation but you lose all programs (I think Windows stuffs them into windows.old) so you really have to re-install everything. I thought I might circumvent that by editing the registry to change the version of Windows that it was running and then an upgrade and this is where I encountered problems.

Every time I run regedit, msconfig or task manager, a genuine looking antivirus program pops up saying allow or deny this program to run. This is clearly a virus that has trapped those programs. I have tried firing up in safe mode but that AV software still runs. I tried booting from a Windows 7 disk, going to the command prompt and running a standalone virus checker (McAfee Stinger) but it finds nothing. I suspect there might be a root kit installed also.

Short of blowing away the current Windows installation, is there anything else I could do?  I was thinking of a regedit replacement which might let me look at the startup programs to kill the fake AV program.

Any advice appreciated. I am not really a desktop support specialist!




Staying in Wellington. Check out my AirBnB in the Wellington CBD.  https://www.airbnb.co.nz/rooms/32019730  Mention GZ to get a 10% discount

 

System One: Popcorn Hour A200,  PS3 SuperSlim, NPVR and Plex Server running on Gigabyte Brix (Windows 10 Pro), Sony BDP-S390 BD player, Pioneer AVR, Raspberry Pi running Kodi and Plex, Panasonic 60" 3D plasma, Google Chromecast

System Two: Popcorn Hour A200 ,  Oppo BDP-80 BluRay Player with hardware mode to be region free, Vivitek HD1080P 1080P DLP projector with 100" screen, Denon AVRS730H 7.2 Channel Dolby Atmos/DTS-X AV Receiver, Samsung 4K player, Google Chromecast, Odroid C2 running Kodi and Plex
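An added example, not from this thread: a read-only PowerShell audit of the registry locations most often used to intercept or disable regedit, msconfig and Task Manager, plus the Run keys the original poster wanted to inspect. It assumes the fake AV uses one of these mechanisms (the thread never says how the tools were trapped), and a clean result here does not rule out a rootkit.

```powershell
# Added example (not from the thread). Read-only audit of registry locations
# commonly abused to hijack or block regedit.exe, msconfig.exe and taskmgr.exe.
# Assumption: the fake AV uses one of these mechanisms. Run from an elevated
# prompt on the affected machine (Safe Mode with Command Prompt works too).

$tools    = 'regedit.exe', 'msconfig.exe', 'taskmgr.exe'
$findings = @()

# 1. Image File Execution Options "Debugger" values redirect a named executable
#    to another program every time it is launched, including in Safe Mode.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($t in $tools) {
    $key = Join-Path $ifeo $t
    if (Test-Path $key) {
        $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { $findings += "IFEO Debugger for $t -> $dbg" }
    }
}

# 2. Policy values that disable Task Manager or the registry editor outright.
foreach ($hive in 'HKCU', 'HKLM') {
    $pol = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if (Test-Path $pol) {
        $p = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
        if ($p.DisableTaskMgr -eq 1)       { $findings += "$hive DisableTaskMgr=1" }
        if ($p.DisableRegistryTools -eq 1) { $findings += "$hive DisableRegistryTools=1" }
    }
}

# 3. Autostart (Run) entries: list every value so an unfamiliar program stands out.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($rk in $runKeys) {
    if (-not (Test-Path $rk)) { continue }
    $props = Get-ItemProperty -Path $rk
    foreach ($prop in $props.PSObject.Properties) {
        # Skip the PS* metadata properties the provider adds to every item.
        if ($prop.Name -notmatch '^PS') {
            $findings += "Run entry [$rk] $($prop.Name) = $($prop.Value)"
        }
    }
}

if ($findings.Count -eq 0) { 'No tool-blocking registry entries found.' } else { $findings }
```

The script changes nothing; it only reports, so it can be run before deciding between cleanup and the reinstall the thread ends up recommending.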

 

 


# 449121 17-Mar-2011 08:43 (BDFL - Memuneh, 65025 posts, Uber Geek, Administrator, Trusted, Geekzone, Lifetime subscriber)

If she's got a root kit and a copy of Windows previously installed in a shop in Thailand, I suggest you forget anything on that laptop, blow the partitions and install Windows from scratch. Any other file, script, program on that machine could have keyloggers, viruses, bots...





# 449122 17-Mar-2011 08:44 (2460 posts, Uber Geek)

It will just be faster to copy all the data off and reformat the drive and do a clean install. Just installing over the top probably won't get rid of the rootkit/virus.

 
 
 
 


# 449126 17-Mar-2011 08:48 (621 posts, Ultimate Geek)

As above, a format and reload would be your best option - rootkits can be difficult to remove completely.

If you want to persevere, does the Fake AV still launch when you boot into Safe Mode? If not, you can probably install and run Malwarebytes in there which should deal to the Fake AV.

# 449129 17-Mar-2011 08:51 (780 posts, Ultimate Geek, Inactive user)

Your only safe bet is to reinstall.

Even if you could somehow repair the machine, would you feel safe doing your internet banking and email?

You could try using your Windows installation disc to 'repair' Windows. It gives you this option after inserting the disc.

Then, run your McAfee scanner again, in safe mode.

I believe safe mode should stop auto-startup programs from running. If you are still having an issue in safe mode, then it is likely the Windows objects are corrupted.




# 449132 17-Mar-2011 09:17 (15427 posts, Uber Geek, Trusted, Subscriber)

I'd trash it completely. If there's essential data on it I'd copy it onto a USB drive, but only data files, and I wouldn't plug them into another computer for a while.

Reinstall Windows, patch it (ideally with autopatcher while you're still offline), then use ninite.com to install a whole bunch of software quickly. Get a good AV product on there (I use nod32). Turn off autorun. Plug the USB drive in and scan it. Set up the free version of Mozy to back up just the important data; photos or email can easily blow past the free 2GB account if the user isn't computer savvy.

Once it's up and running use DriveImageXML to create an image so it can be restored quickly later.



# 449142 17-Mar-2011 09:57 (5175 posts, Uber Geek, Trusted)

Hi all, Thanks for the input. It's as I suspected but I was hoping to help preserve her programs. But then on checking she had Office and Photoshop and I doubt if they are legal either.

The AV program starts up in Safe Mode also so it's a bit insidious. I was going to look for a third party registry editor but I agree that recovering the system is likely to leave it in a suspect state, even if Windows is activated okay.

I think, based on the suggestions, I will:

1. Copy the data files to a USB drive
2. Run AV on the files I copied
3. Do a clean installation of Windows with format
4. Backup the system (I will probably use Easeus Todo Backup Home which I like)
5. Pass on the bad news to my daughter's friend!

Looks like she is going to have to buy a copy of Office also on top of the Windows she already purchased.

I suggested to my daughter to tell her to pick up a copy of Office student edition or to see if the school has any deals going on.





# 449145 17-Mar-2011 10:03 (15427 posts, Uber Geek, Trusted, Subscriber)

Back up to an image, try not to put the drive into a PC that it could infect. I wouldn't plug a drive with a known virus into my PC, which is why I suggested getting that machine working first.

If you have an illegal copy of Office you can sometimes get a discount on genuine. Try looking about the Microsoft website.

 
 
 
 




# 449273 17-Mar-2011 15:46 (5175 posts, Uber Geek, Trusted)

Couldn't find anything on replacing illegal software. She might have to bite the bullet and purchase one from a store or some place.





# 449448 18-Mar-2011 06:13 (285 posts, Ultimate Geek)

I agree, rebuild will be faster.
You could try ComboFix. It does kill fake AV very well.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


# 449451 18-Mar-2011 06:55 (3210 posts, Uber Geek, Subscriber)

You could try the Kaspersky Rescue CD.
I've used that to remove rootkits before.
It should also get rid of any fake AV software.



# 449476 18-Mar-2011 09:13 (5175 posts, Uber Geek, Trusted)

I told the girl I would have to do a complete installation and wipe out all the stuff. There is some mitigation in that her data is on another partition so the installation won't wipe that. Then after the installation I can run a number of AV tools on that partition.

But like best laid plans, once I finished the Win7 installation from the ISO she downloaded from Microsoft, not surprisingly, there were no drivers for video, audio, network, wifi, BT etc. So I went to the Acer site to get them, only to find that drivers only exist for Win 64-bit (this is an Acer Aspire Core i3 notebook)! It seems Acer distributes these machines with Win7 64-bit only. So that means another ISO download and another installation :-(





# 450700 22-Mar-2011 12:19 (5175 posts, Uber Geek, Trusted)

Just to close this loop off I did the following.

Re-installed Windows on the C partition (the drive has 3 partitions), formatting it first. Then began the tedious task of finding all the drivers for the machine (Acer Aspire) including LAN, wifi, audio, BT, video etc. But when I started looking I could only find Win64 drivers, none for Win32, which I had installed since the machine only has 2G of RAM.

So that meant another installation :-( This time I found all the drivers, installed Microsoft Security Essentials, scanned her data drive, imaged the boot drive using Todo Backup and then returned the machine.

She had earlier taken the machine to a local PC Repair place who charged her $90 to "fix" it. The fact that it came back with a virus (or viruses) that had clobbered regedit, msconfig and task manager suggests to me she didn't exactly get value for money! To be fair, the virus was probably already there and they were asked to get the machine to be able to boot. But a responsible repair place would have told her about all the problems and quoted for a complete repair job, not dissimilar to what I ended up doing (for free!).





# 450954 22-Mar-2011 23:32 (780 posts, Ultimate Geek, Inactive user)

Windows 8 will only run signed code. Maybe that will stop root kits?
