Malware that cannot be removed

BKLounger

Golden Member
Mar 29, 2006
1,098
0
0
I am trying to help my uncle clean up a computer he has. Currently it will not boot into Windows normally (it hangs when you click on a user). The machine can only boot up in safe mode. I have tried various boot discs and anti-virus programs, everything from Kaspersky, ClamWin, McAfee, Webroot, Panda, etc. Inside of safe mode I tried to install Malwarebytes but cannot get it to install. Basically this malware/virus opens IE and directs you to an IP address for a site called popeo info auction. This still runs on startup even in safe mode. What else can I try to get rid of this? Reimaging the machine really is a last option if at all possible. Is there any additional info I can give to help get an answer?
 

BKLounger

Golden Member
Mar 29, 2006
1,098
0
0
I never even thought of that. Thanks for kickstarting the thinking. I just plugged it in and AVG started going crazy finding all the viruses. I've been scribbling down the virus names as I go. So far they are mostly all variations of SHeur2.
 

Lemon law

Lifer
Nov 6, 2005
20,984
3
0
You can try various anti-viruses in the hopes of finding the culprit, but in my experience, the most effective method is to post a HijackThis log file on something like spywarewarriors.com. Trained log file readers should spot the ah heck real quick. It's in the registry somewhere unless it's a rootkit.

I have also had times when Spyware Terminator was able to identify the culprit but not remove it. But once you have a name for it, you can Google it and find ways to remove it.

And once you help your uncle remove it, finish the job by setting up a multilayered security system to prevent any future malware.
Before-the-fact prevention is always easier than after-the-fact removal.
 

BriGy86

Diamond Member
Sep 10, 2004
4,538
1
91
Originally posted by: AFurryReptile
Pull the drive and slave it to another machine. Then try Malwarebytes from that machine.

This is probably the best action. Just make sure it doesn't infect the host computer. A co-worker also suggested SUPERAntiSpyware.
 

Gamingphreek

Lifer
Mar 31, 2003
11,679
0
81
There are some last ditch things you can try in the event that the slave solution didn't work.

First off, you can boot from a Windows disk, use the recovery console and try and grab one of the shadow copies.

If that doesn't work, you can try to run just safe mode. Do NOT use safe mode w/networking.

If that doesn't work, you can try to run safe mode with startup prompt. As the machine starts up, you will be prompted for each of the "necessary" system libraries. Only approve those that you know are valid.

With all this in mind, honestly, it sounds to me like you have a rootkit - especially since safe mode is affected.

I honestly would not bother trying to clean the machine. If a rootkit is the culprit, who knows what kernel files have been infected - I doubt you want to disassemble numerous files that simply look suspicious.

Use a LiveCD and grab the documents that you know are safe. After that, format and reinstall.

-Kevin
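Several replies above point the same way: the persistence entry is "in the registry somewhere", and the safest place to look is from a clean host with the infected disk slaved. The script below is an added example, not something posted in this thread: from an elevated PowerShell on the clean host it loads the slaved disk's offline SOFTWARE hive and each user's NTUSER.DAT, lists the machine and per-user Run/RunOnce keys, and shows the Winlogon Shell and Userinit values (which, unlike the Run keys, are still consulted in safe mode, so something that launches even there is worth checking here first). The drive letter D:, the XP-era "Documents and Settings" profile path, and the temporary key names are assumptions.

```powershell
# Added example (not from the thread): list autostart entries in the offline
# registry hives of a slaved disk. Assumptions: the slaved disk is D:, profiles
# live under D:\Documents and Settings, and this runs as an administrator.
$OfflineDrive = 'D:'

function Show-OfflineAutoruns {
    param([string]$HivePath, [string]$MountName, [string[]]$KeyPaths)
    if (-not (Test-Path -LiteralPath $HivePath)) { return }
    # reg.exe mounts the offline hive under a temporary HKLM subkey.
    reg.exe load "HKLM\$MountName" $HivePath | Out-Null
    try {
        foreach ($rel in $KeyPaths) {
            $key = "HKLM:\$MountName\$rel"
            Write-Host "== $HivePath :: $rel =="
            # Drop the PS* bookkeeping properties so only real values are shown.
            Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
                Select-Object * -ExcludeProperty PS* | Format-List
        }
    }
    finally {
        # Release handles first, then unload, or the disk cannot be detached cleanly.
        [gc]::Collect()
        reg.exe unload "HKLM\$MountName" | Out-Null
    }
}

# Machine-wide keys. Run/RunOnce are normally skipped in safe mode; Winlogon's
# Shell (default explorer.exe) and Userinit (default userinit.exe) are not.
Show-OfflineAutoruns -HivePath "$OfflineDrive\Windows\System32\config\SOFTWARE" `
    -MountName 'OfflineSOFT' -KeyPaths @(
        'Microsoft\Windows\CurrentVersion\Run',
        'Microsoft\Windows\CurrentVersion\RunOnce',
        'Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

# Per-user keys from each profile's NTUSER.DAT.
Get-ChildItem -LiteralPath "$OfflineDrive\Documents and Settings" |
    Where-Object { $_.PSIsContainer } | ForEach-Object {
        Show-OfflineAutoruns -HivePath (Join-Path $_.FullName 'NTUSER.DAT') `
            -MountName 'OfflineUSER' -KeyPaths @(
                'Software\Microsoft\Windows\CurrentVersion\Run',
                'Software\Microsoft\Windows\CurrentVersion\RunOnce'
            )
    }
```

Anything listed under Winlogon other than the two defaults, or a Run value pointing at an unfamiliar executable, is what a HijackThis reader would flag; note the path and look the file up before deleting anything.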
 

BKLounger

Golden Member
Mar 29, 2006
1,098
0
0
Just noticed this thread popped back up. My solution was to update all the anti-virus/spyware tools on my machine and then just slave the other machine's drive to mine, and it worked fine. I was able to remove all viruses and spyware.
 