Some malware go through great lengths to prevent you from downloading, running or trying to apply a fix. I'll look at what you can try.
I am trying to fix a computer that is running XP Pro. It has adware that is preventing me from getting into regedit, task manager. It will not let me boot into safe mode. It will not let me install any antispyware or antivirus software. Not sure where to go from here. It has stopped me from doing much of anything to get the malware off the computer. Any suggestions? I am not sure what the malware is but I think it's one of the Antispyware 2010 or something like that. I keep getting alerts that I am infected and when you click it, it opens a browser window and tries to take you to a website.
Sadly, this is all too common. Malware is getting pretty nasty. At best it may extort money from you for a real repair - at worst it'll extort money from you and do nothing.
I'll save the "prevention is so much easier than the cure" missive for another day. We just want this fixed.
There are things we can try, but there are no guarantees.
The problem that you're seeing is that the malware on the machine is actively looking for you to try to remove it.
It's watching for downloads that "look like" anti-malware tools, and it's watching for web or other access that might be going to anti-malware sites. It's even monitoring what programs you run. When it sees you doing that (or other things that could lead to its removal) it steps in and either redirects you to sites of its choosing, or simply causes the operation to fail.
We'd love to download and run anti-malware tools, but we can't.
One possible solution to the blocking problem is to temporarily kill the malware that's running. This won't remove it, but may allow you to download tools that will.
The folks at BleepingComputer.com have created a tool called RKill (be careful: at this writing there's an ad immediately above the download link that looks like the download link. It is not. Be sure to grab rkill itself).
You may need to download rkill on another machine (because of course it may well be blocked on the infected machine), but you can quickly copy it over using a USB drive or something else.
You may also need to rename rkill.exe to something else (like "notrkill.exe" or "leo.exe" or something else). Once again, the malware may be paying attention to the name of every program being run, and may prevent the software from running if it recognizes the name.
Run the program and do not reboot. Rebooting will "undo" the effect of having run rkill, and any malware that rkill killed will be back.
Malwarebytes' Anti-Malware is currently one of the most successful tools at identifying and removing the types of malware we're talking about here. It's not really a replacement for anti-virus software (you'll find them saying so in their support forums), but particularly in cases of infection it has a pretty darn good track record.
Download the free version, install it and run it and see what it turns up. (You may need or just want to download on the other machine and copy the download over as you did rkill.)
After running rkill you may, or may not, be able to run some of the other tools that the malware was blocking. You can try registry editing tools, the task manager, process explorer or others.
You can also try your other anti-virus and anti-spyware tools as well - perhaps they'll be able to download an update that catches this problem, or perhaps you can download a new tool that will.
But in general my money's on Malwarebytes.
If none of that works, things get complicated.
There are a couple of things you can consider trying:
Boot from a bootable antivirus rescue CD. There are several, including from anti-virus vendors like Avira, AVG and several others. If you have a favorite anti-malware vendor, check with them to see if they provide a bootable scanning solution.
The reason that these are interesting is that they boot from the CD, not your hard drive, so the malware doesn't have a chance to operate and block you. You can then run a scan of your hard disk and hopefully clean it off.
Remove the hard disk and place it in or connect it to another machine. Hardware issues aside, this needs to be done with care to prevent the malware from spreading, but just like booting from that CD this boots from the new machine's installation, not yours. You can then run anti-malware tools against your drive and, hopefully, clean it off.
If you have a recent system backup it's possible that restoring to that will take your machine back to a time before it was infected.
Regular backups are wonderful for this.
But beware that they do have to be the correct type of backup: full system backups. Simply backing up your data, while better than not backing up at all, will not be helpful in a scenario like this.
And for the record, System Restore is pretty useless when it comes to bad malware infections like this (if it hasn't already been completely disabled by the malware, of course).
It sounds dire, because it is.
As I've mentioned before, once your machine is infected it's no longer yours. You have no idea what's been done to it. And you also have no idea whether or not any or all of the cleaning steps you took removed any or all of the malware that was on the machine.
In other words, you know it was infected, but there's no way to know that it's not now.
Scary, eh?
The only way to know with absolute certainty that malware has been removed is to reformat your machine and reinstall everything from scratch.
Sadly, it's also quite often the most pragmatic approach to removing particularly stubborn malware. Sometimes all the machinations we go through trying to clean up from a malware infection end up taking more time than simply reformatting and reinstalling.
And reformatting and reinstalling is the only approach that's known to have a 100% success rate at malware removal.
If you don't have a backup of your data then before you reformat at least copy the data off somehow. Boot from a Linux Live CD if you have to (Ubuntu's a good choice) - that'll give you access to all the files on your machine and allow you to copy them to a USB device or perhaps even upload them somewhere on the internet.
After things are cleared up and working once again, take a few moments to consider how to prevent it from happening again, or what you can do to make the next time easier:
See if you can identify how the infection occurred, and to the extent that you can: never do that again.
Make sure you have all the up to date security measures that it takes to stay safe on the internet.
Consider investing in a backup solution of some sort. Nothing can save you from more different kinds of problems than a good, regular backup.
As I said at the beginning - prevention is much easier than the cure.
Article C4686 - December 22, 2010
June 21, 2011 9:52 AM
One thing which might help to download security items is to reset the HOSTS file as this is one of the things that malware will corrupt - here's the link;
http://winhelp2002.mvps.org/hosts.htm
It should also help in avoiding some malware in the first place, by blocking access to some of the sites hosting it.
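The HOSTS-file check the comment above alludes to, as an added example that is not part of the original article or comments: it parses a Windows-style HOSTS file and reports any entry that maps a security-vendor hostname (a clean HOSTS file never needs one), whether it is sinkholed to loopback or redirected elsewhere. The sample file contents and the vendor watchlist are constructed for the example.

```python
import ipaddress
import os

# Constructed sample HOSTS file contents in the format Windows uses.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example-tracker.invalid   # blocking entry, harmless
127.0.0.1       www.malwarebytes.org          # sinkholed: vendor site unreachable
203.0.113.7     update.avg.com                # redirected to a non-local address
"""

# Assumed watchlist of vendor/download domains a cleanup would rely on.
WATCHLIST = {"malwarebytes.org", "bleepingcomputer.com", "avg.com", "avira.com"}


def _is_watched(hostname):
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WATCHLIST)


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a HOSTS file."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # not a mapping line
        for host in parts[1:]:                 # one IP may list several names
            yield str(ip), host, n


def suspicious_entries(text):
    """Return every mapping whose hostname belongs to a watched vendor domain."""
    return [(ip, host, n) for ip, host, n in parse_hosts(text) if _is_watched(host)]


if __name__ == "__main__":
    # Real location of the HOSTS file on Windows; falls back to the sample offline.
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        r"System32\drivers\etc\hosts")
    text = open(path, encoding="utf-8", errors="replace").read() \
        if os.path.exists(path) else SAMPLE_HOSTS
    for ip, host, n in suspicious_entries(text):
        print(f"line {n}: {host} -> {ip}")
```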
November 24, 2011 1:42 PM
OK, I've been scammed. I don't have a problem with reformatting & installing everything from scratch BUT ... want to know if it is safe to back up my non-executable files such as Outlook Express email, picture .jpg files & Word .doc files? And can I safely transfer these files via shared files to another computer? Or ... will this compromise the other computer? Help ..... dumb then, smarter now!
November 4, 2012 3:21 PM
It worked for me. I powered up the PC without connecting to the network and ran the rkill program. Then I was able to run the virus program and remove the virus.
Thank you
January 16, 2013 10:08 AM
I have had great luck using Kaspersky Rescue through a bootable USB thumb drive. Failing that, recently I had to remove the HD and connect it through an external USB adapter and scan it from a separate PC (which cleaned it). I had connected the drive that way to get data files off before a factory wipe. My system saw the infected drive and cleaned it.
March 5, 2013 10:46 PM
Your suggestion to run renamed Rkill in combination with Malwarebytes' Anti-Malware succeeded!
Thanks a lot!