Malware
Moderator: Wiz Feinberg
- Clark Doughty
- Posts: 1049
- Joined: 15 Jul 2010 8:33 am
- Location: KANSAS
Malware
I had malware on my computer, purchased the Malwarebytes software recommended on this forum and now my computer is clear.
Thank you Wiz for all you do for us on the forum.
I would never have purchased this software had it not been recommended from a subject matter expert who we can trust.............thanks again....clark
- Wiz Feinberg
- Posts: 6103
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
- Contact:
Thank you very much Clark!
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
- Wiz Feinberg
- Posts: 6103
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
- Contact:
I'm sorry to hear that the malware has returned (offline). It appears that the Big Brother was hiding in your System Restore area and has been restored as though it was part of the OS.
How to proceed.
Restore the computer to an earlier date than when the malware attacked it. You see, malware often hides in the System Restore folders. By the same token, uninfected system files are backed up in System Restore, going back X-far, depending on your S.R. settings and free disk space.
If you can restore to a date prior to the attack, be thankful and empty out all remaining Restore Points.
You do this by disabling System Restore temporarily.
If you aren't able to restore to a clean state, disable System Restore and carry on the fight again. Update MBAM to the latest version and definitions, then reboot into Safe Mode With Networking and scan from there.
MBAM does not replace a good anti-virus program. It works alongside one. If you have no other security programs installed, get Microsoft Security Essentials, which is free and better than nothing.
If you have more than one identity on the computer, scan from each one.
Once your security scanners say your PC is clean, reboot into normal mode and see if this remains true. Then, run Windows Updates as many times as required to receive all available patches, rebooting as required. Uninstall all instances of Java technology. If you have Adobe Flash, Air, Reader, Shockwave, or Acrobat, check for updates for them. Reboot between updates to flush out previous versions that may have been lurking in RAM.
If your new scans reveal the presence of a Rootkit, or Bootkit, like ZeroAccess, or TDSS, prepare to escalate the fight to a different level, or to wipe the disk and reinstall Windows.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
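The System Restore steps in Wiz's post above, written out as a PowerShell script. This is an added example, not code from the post, from Malwarebytes or from Microsoft; it assumes Windows 7 with PowerShell 3.0 or later, an elevated prompt, C: as the system drive, and a date you supply for -SuspectedInfection (the one-week default and the script name Restore-Triage.ps1 are placeholders).

```powershell
# Added example (not from the forum post): walk the System Restore steps in the
# post above on Windows 7. Assumes PowerShell 3.0+, an elevated prompt and C: as
# the system drive. Usage (script name is assumed):
#   .\Restore-Triage.ps1 -SuspectedInfection '2012-03-01'          # first pass: inspect only
#   .\Restore-Triage.ps1 -SuspectedInfection '2012-03-01' -Flush   # second pass: wipe points, stage Safe Mode
param(
    [datetime]$SuspectedInfection = (Get-Date).AddDays(-7),  # placeholder; use the day the infection was noticed
    [switch]$Flush
)

# 1. Restore points, split around the suspected infection date. CreationTime
#    comes back as a WMI (DMTF) string, so convert it before comparing.
$points = Get-ComputerRestorePoint | ForEach-Object {
    [pscustomobject]@{
        Sequence    = $_.SequenceNumber
        Created     = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
        Description = $_.Description
    }
}
$clean   = @($points | Where-Object { $_.Created -lt $SuspectedInfection } | Sort-Object Created -Descending)
$tainted = @($points | Where-Object { $_.Created -ge $SuspectedInfection })

Write-Host "Restore points created before $SuspectedInfection (candidates to roll back to):"
$clean | Format-Table -AutoSize | Out-Host
Write-Host "Restore points created after $SuspectedInfection (may carry the malware):"
$tainted | Format-Table -AutoSize | Out-Host

if (-not $Flush) {
    if ($clean.Count -gt 0) {
        Write-Host "Newest pre-infection point is sequence $($clean[0].Sequence). To roll back (the PC reboots):"
        Write-Host "    Restore-Computer -RestorePoint $($clean[0].Sequence)"
    } else {
        Write-Host "No restore point predates the infection. Rerun with -Flush and scan from Safe Mode instead."
    }
    return
}

# 2. Turning System Restore off and back on for the system drive discards every
#    remaining restore point, as the post describes; then take a fresh baseline.
Disable-ComputerRestore -Drive 'C:\'
Enable-ComputerRestore  -Drive 'C:\'
Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType MODIFY_SETTINGS

# 3. Make the next boot Safe Mode with Networking for the MBAM scan. Clear it
#    afterwards with:  bcdedit /deletevalue '{current}' safeboot
bcdedit /set '{current}' safeboot network

# 4. List every installed Java instance (32- and 64-bit uninstall hives) so each
#    can be removed through Programs and Features or its UninstallString.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
Get-ChildItem $uninstallKeys -ErrorAction SilentlyContinue |
    Get-ItemProperty |
    Where-Object { $_.DisplayName -like 'Java*' } |
    Select-Object DisplayName, DisplayVersion, UninstallString |
    Format-Table -AutoSize
```

Run it once without -Flush to see which restore points predate the infection and roll back if one exists; run it again with -Flush to empty the remaining points and stage the Safe Mode boot. The safeboot flag stays set until you remove it, so clear it with the bcdedit command in the comment once the scan is done, or the machine will keep booting into Safe Mode.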
- Alan Brookes
- Posts: 13226
- Joined: 29 Mar 2006 1:01 am
- Location: Brummy living in Southern California
- Wiz Feinberg
- Posts: 6103
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
- Contact:
Alan Brookes wrote: How does one know how far to go back to be sure of being before the malware came into the system?
Keep going back until you either find a clean restoration point, or run out of them.
Alan Brookes wrote: In what directories does the malware hide, or does it vary?
Malware hides in the Windows directory and sub-directories, in Program Files and in the user profile directories (%AppData%). Malware alters your Windows Registry to ensure that it starts up with the computer, or is restored from a backup. Rootkits load as a Windows driver (e.g., a .sys file).
Most of the common types of malware will modify an existing system file, or may even inject itself into memory without leaving behind an identifiable file. This is a characteristic of the ZeroAccess Rootkit.
Fighting ZeroAccess requires a bootable anti-virus scanning CD, or slaving the infected drive in another tower and using its scanner, or the use of Sysinternals, or a full or trial copy of Hitman Pro.
Sometimes, it is simpler to format C and reinstall everything. When I first built my Windows 7 PC, I saved a complete system image to a secondary hard drive. This was done using the backup tools built into Windows 7. If my other Acronis backups should become infected, I can restore the computer to the first day I operated it, then add on other updates.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
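The hiding places Wiz lists above (autostart registry keys, the user profile, and drivers registered as services) can be enumerated from the running system with a short PowerShell triage script. This is an added example, not code from the post or from any of the tools it names; it assumes PowerShell 3.0 or later on Windows 7 and an elevated prompt, and the Test-Suspicious heuristic is a hypothetical one chosen for illustration, not a verdict.

```powershell
# Added example (not from the forum post): enumerate the persistence locations
# named in the post above and flag entries worth a closer look. Assumes
# PowerShell 3.0+ and an elevated prompt. Reports only; nothing is deleted.
$windir   = $env:SystemRoot
$findings = @()

function Get-ImagePath([string]$command) {
    # Extract the binary from a registry command line, e.g.
    #   "C:\Program Files\Foo\foo.exe" -silent   or   %APPDATA%\a.exe /q   or   rundll32.exe x.dll,Run
    $candidate = $command.Trim()
    if ($candidate -match '^"([^"]+)"') { $candidate = $matches[1] }
    elseif ($candidate -match '^(\S+\.(exe|dll|sys))') { $candidate = $matches[1] }
    $candidate = [Environment]::ExpandEnvironmentVariables($candidate)
    # Bare names such as rundll32.exe resolve from System32.
    if (-not [IO.Path]::IsPathRooted($candidate)) {
        $sys32 = Join-Path "$windir\System32" $candidate
        if (Test-Path -LiteralPath $sys32) { return $sys32 }
    }
    return $candidate
}

function Test-Suspicious([string]$path) {
    # Hypothetical heuristic: a binary that is missing, runs from a profile/data
    # directory, or lacks an embedded signature outside the Windows directory.
    if (-not (Test-Path -LiteralPath $path)) { return 'file missing' }
    $reasons = @()
    if ($path -match '\\AppData\\|\\Temp\\|\\ProgramData\\') { $reasons += 'runs from a profile or data directory' }
    # Inbox Windows files are catalog-signed and show NotSigned here, so only
    # treat a missing embedded signature as a hint outside the Windows directory.
    if ($path -notlike "$windir\*") {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.Status -ne 'Valid') { $reasons += "embedded signature: $($sig.Status)" }
    }
    return ($reasons -join '; ')
}

# 1. Autostart registry keys for the machine and the current user.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty $key
    $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } | ForEach-Object {
        $path = Get-ImagePath ([string]$_.Value)
        $findings += [pscustomobject]@{ Source = $key; Name = $_.Name; Path = $path; Flag = (Test-Suspicious $path) }
    }
}

# 2. Kernel drivers (.sys) registered as services; a rootkit loads this way.
Get-WmiObject Win32_SystemDriver | ForEach-Object {
    $raw = [string]$_.PathName
    if (-not $raw) { return }                                                  # no image path recorded; skip
    $raw = $raw -replace '^\\SystemRoot', $windir                              # \SystemRoot\system32\drivers\x.sys
    $raw = $raw -replace '^\\\?\?\\', ''                                       # \??\C:\...\x.sys
    if (-not [IO.Path]::IsPathRooted($raw)) { $raw = Join-Path $windir $raw }  # system32\drivers\x.sys
    $path    = [Environment]::ExpandEnvironmentVariables($raw)
    $reasons = @(Test-Suspicious $path)
    if ($path -notlike "$windir\System32\drivers\*") { $reasons += 'loads from outside System32\drivers' }
    $findings += [pscustomobject]@{ Source = 'Win32_SystemDriver'; Name = $_.Name; Path = $path; Flag = (($reasons -ne '') -join '; ') }
}

# 3. Executables dropped into the user profile (%AppData%) in the last 30 days.
Get-ChildItem $env:APPDATA, $env:LOCALAPPDATA -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Source = 'AppData'; Name = $_.Name; Path = $_.FullName; Flag = (Test-Suspicious $_.FullName) }
    }

$findings | Where-Object { $_.Flag } | Sort-Object Source, Name | Format-Table Source, Name, Flag, Path -AutoSize -Wrap
```

Two caveats when reading the output. Get-AuthenticodeSignature in this era does not consult Windows security catalogs, so Microsoft's own inbox files report NotSigned; the script therefore only applies the signature hint outside the Windows directory, and Sysinternals Autoruns (with signature verification turned on) or sigcheck does the catalog check properly. And, as the post says of ZeroAccess, a rootkit that has hooked the running kernel can hide its files and registry entries from any script run on the live system, so an empty result here is not a clean bill of health; that is the reason for the bootable scanning CD or for scanning the drive from another machine.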
- Alan Brookes
- Posts: 13226
- Joined: 29 Mar 2006 1:01 am
- Location: Brummy living in Southern California
-
- Posts: 257
- Joined: 11 Feb 2012 9:31 am
- Location: Minnesota, USA