How to fix malware-infested machine?

Status
Not open for further replies.

a!!!!1
Apr 20, 2008
I downloaded a textbook for one of my business classes, it was VBK format that required you to also download the company's "Coursesmart Bookshelf" software. The software came with malware that caused a lot of problems on my computer, so I uninstalled it and deleted everything related to it. There are still lots of problems, including:

- My Windows login is not an Administrator account anymore.
- Since I'm not an Administrator, I can't get access to the registry.
- Spybot shows in the taskbar but double clicking or selecting "run spybot" does nothing.
- Avira Antivirus still runs at startup but by default is disabled.
- In Outlook Express, clicking the "reply" button shuts down the program.
- Random webpages pop open in new windows constantly whenever I have Firefox open.
- Google search results appear to be as normal, but clicking on any of the links takes you to a totally random site. For example, I searched "outlook closes by itself," the names/descriptions/URLs of the results all looked normal, but clicking on them all took me to the wrong sites that had nothing to do with anything. I also tried it with searches I had performed before that I knew worked, such as "lyrics" "wickedfire" and "facebook" and all of the results took me to different sites.

All of these things were caused by the Coursesmart software. While I was installing/using it, Spybot came up a number of times saying it was changing root keys but the "deny change" button was disabled so I just clicked "allow change" to all of them. I don't have much experience with this kind of problem so if anyone knows what to do, please let me know. I'm running Avira virus scan now but I'm not sure where to go from there. Thanks.
 


You really need access to your processes to be able to fix this. You also will find some ActiveX controls in your browser that look like they belong to legit software, but if you look closely at the dll, there will be a slight variation in spelling (i.e. dxdiagno.dll). It is the ActiveX control that is messing with your search results.

Can you get the default Administrator when you boot into safe mode?
 
By that point you need to either
A) Pull the hard drive and scan it in a controlled environment (i.e. don't try to clean it from the infected system itself).
or
B) Format and reinstall.

If you do attempt to clean from the machine itself, USE Safe Mode. Better yet, find one of those antivirus systems that can boot off a thumb drive or CD to do a boot-time scan.
 
There may be a chance to get out of it easy. Go to Malwarebytes.org and download their anti-malware software and run that. Browse their forums at malwarebytes.org/forums/ to see if anyone has posted about a similar issue.

Maybe before you install, go through all the shit that's happening and keep your taskmanager open and see what processes are starting up. If any window prompts come up and say that your firewall is disabled and your antivirus is not installed, DO NOT click any prompts to install antivirus software. You want to end these processes should they come up and interfere with your download and installation of the Malwarebytes software.
 
You really need access to your processes to be able to fix this. You also will find some ActiveX controls in your browser that look like they belong to legit software, but if you look closely at the dll, there will be a slight variation in spelling (i.e. dxdiagno.dll). It is the ActiveX control that is messing with your search results.

Can you get the default Administrator when you boot into safe mode?

What do you mean by access to the processes? I can open the task manager and see them and close them down and such. It's just when I try to go to regedit it says "registry editing has been disabled by your administrator" and won't let me view it. I'm guessing that might also be why I can't open Spybot or run the Malwarebytes installer.

How do you boot into safe mode? I'd Google it but I can't use Google, lol.

There may be a chance to get out of it easy. Go to Malwarebytes.org and download their anti-malware software and run that. Browse their forums at malwarebytes.org/forums/ to see if anyone has posted about a similar issue.

Apparently it's actually blocked me from going to malwarebytes.org. So I went to it on another computer, downloaded the installer to a USB drive and tried to run it on the infected machine, but it won't let me open it.
 
What do you mean by access to the processes? I can open the task manager and see them and close them down and such. It's just when I try to go to regedit it says "registry editing has been disabled by your administrator" and won't let me view it. I'm guessing that might also be why I can't open Spybot or run the Malwarebytes installer.

How do you boot into safe mode? I'd Google it but I can't use Google, lol.



Apparently it's actually blocked me from going to malwarebytes.org. So I went to it on another computer, downloaded the installer to a USB drive and tried to run it on the infected machine, but it won't let me open it.

See if you can get into the Group Policy editor and are able to save changes. You probably can't, but it's worth a shot. There are some things in there that you may be able to use to restore some of your privileges (go to start|run and type gpedit.msc). I don't remember offhand, but if you look it up, you will find out specifically what items you need to change.

When I asked about the processes, I was looking to see if you were able to get into the task manager. I've seen some that will gray out that button (on the screen after you hit ctrl-alt-delete), making it difficult to get the task manager.

When you start disabling things, you can watch the processes in the task manager to see if they disappear and whether or not they reappear a few seconds later. A lot of the malware programs out there these days are capable of self-preservation and will restart/reinstall after you kill the process.

If you're not comfortable with that procedure, get HijackThis (now owned by Trend Micro) and run a scan+logfile. On their main site, they have a list of msg boards you can go to and post the scan log; people on those boards will let you know which ones are suspicious.

F8 gets you to safe mode. Depending on your setup, you will probably need to hit it before the bootloader starts. For instance, if you had a Gateway, you would hit F8 immediately after the screen with the Gateway logo.

There's also a way to set the system to boot into safe mode after the next reboot. Go to 'Run' and type msconfig. Look for the tab that says BOOT.INI and check the box that says /SAFEBOOT. When you're done, don't forget to go back and uncheck that box.

Honestly, it would probably be less of a hassle for you to just do a clean reinstall of Windows but personally I would only do that when everything else fails. I've had to do it a few times before but I don't like to; it always makes me feel like the terrorists have won.
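The two symptoms in this thread that the post above points at, the "registry editing has been disabled by your administrator" message and a greyed-out Task Manager button, are produced by two well-known policy values, DisableRegistryTools and DisableTaskMgr, under the Policies\System key in HKCU and HKLM; malware that wants to stay put sets them so the user cannot undo its changes. The following PowerShell script is an added example written for this page, not code from any poster: the first function audits those values (read-only, it reports and changes nothing) and the second watches the process list for the self-preservation behaviour described above, a process that is ended and reappears a few seconds later. Function names and the default timing values are my own choices. It assumes a Windows host with PowerShell installed (the XP-era machine in this thread would need PowerShell added first).

```powershell
# Added example for this thread, not from the original posts.
# Read-only audit of the policy values behind "registry editing has been
# disabled by your administrator" (DisableRegistryTools) and a greyed-out
# Task Manager (DisableTaskMgr), plus a watcher for processes that respawn.

$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$lockoutValues = @('DisableRegistryTools', 'DisableTaskMgr')

# Returns one object per lockout value that is present and non-zero.
function Get-PolicyLockouts {
    foreach ($path in $policyPaths) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($name in $lockoutValues) {
            $value = $props.$name
            if ($null -ne $value -and $value -ne 0) {
                New-Object PSObject -Property @{
                    Path  = $path
                    Name  = $name
                    Value = $value
                }
            }
        }
    }
}

# Samples the process list every $Interval seconds for $Seconds seconds and
# reports any process name that vanished in one sample and was back in a
# later one, which is what a self-restarting program looks like from Task
# Manager. End the suspicious process by hand while this runs.
function Watch-RespawningProcesses {
    param([int]$Seconds = 60, [int]$Interval = 3)

    $previous = @{}
    Get-Process | ForEach-Object { $previous[$_.Name] = $true }
    $state = @{}    # process name -> 'gone' or 'respawned'
    $deadline = (Get-Date).AddSeconds($Seconds)

    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $Interval
        $current = @{}
        Get-Process | ForEach-Object { $current[$_.Name] = $true }

        # Anything that was running last sample but not now is 'gone'.
        foreach ($name in $previous.Keys) {
            if (-not $current.ContainsKey($name)) { $state[$name] = 'gone' }
        }
        # A 'gone' name that is running again has respawned; report it once
        # per disappearance.
        foreach ($name in $current.Keys) {
            if ($state[$name] -eq 'gone') {
                $state[$name] = 'respawned'
                Write-Output ("{0}  process '{1}' ended and reappeared within {2}s" -f
                    (Get-Date -Format 'HH:mm:ss'), $name, $Interval)
            }
        }
        $previous = $current
    }
}

# Usage from an elevated PowerShell prompt:
Get-PolicyLockouts | Format-Table Path, Name, Value -AutoSize
Watch-RespawningProcesses -Seconds 60 -Interval 3
```

A lockout value of 1 in HKCU explains the "disabled by your administrator" message on a single-account machine even when that account is the administrator, because the policy applies to the user, not to the account type. The watcher matches on process name only, so a respawned copy under a different name will not be flagged; that is the case where the HijackThis log mentioned above earns its keep.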
 
Thanks for the help, I finally got it back to normal. The only weird thing left is when I try to run regedit it says "registry editing has been disabled by the administrator," even though I only have 1 user account and I AM the administrator. What's up with that?
 
Easier thing to do is this:

1. Go to a friend's house
2. Download and burn a Linux liveCD distribution (not Ubuntu, one that will allow you to access your hard disks)
3. Boot from your liveCD to start your computer.
4. Grab your USB flash drive. Buy a new one if needed.
5. Save all your files there.
6. Format your computer and reinstall the fucking Windows.
 
Easier thing to do is this:

1. Go to a friend's house
2. Download and burn a Linux liveCD distribution (not Ubuntu, one that will allow you to access your hard disks)
3. Boot from your liveCD to start your computer.
4. Grab your USB flash drive. Buy a new one if needed.
5. Save all your files there.
6. Format your computer and reinstall the fucking Windows.

If I had a 3 TB flash drive and the actual install disks for all my apps, that would be easier :)

Everything is fixed now though, thanks for the help everyone.
 
Assuming you're still getting that message when trying to do admin stuff, run hijackthis and post the log to the TM forums.
 