Malware infected Windows 8

My cousin has a recently purchased Windows 8 laptop. She's infected it with malware, pop-ups and "fix this now" type stuff.

Recently installed programs list below. On the 31st I remoted in and removed the offending stuff with Malwarebytes (you can see it's installed). She went away for a few days and you can see that when she came back it had re-infected itself.

Any ideas? Do I really need to factory reset it?

[Screenshot "infected" by Paul Jones on Flickr: the recently installed programs list]

Just ran Malwarebytes again and it was something like 200 "threats".
 
Tell them to stop all that one-handed surfing first off. Tell them to stop installing crap from dodgy websites which say things like "You need Media Player 12 to view this content, please click here to download" or "Click here to update Flash Player". These things are not what they say they are, and they bundle in further malware. Computers do NOT infect themselves. People do it.

Tell them that if they want to view dodgy content, at least find a website which won't infect them.

Run full scans of SUPERAntiSpyware, Malwarebytes and Spybot 2. Check browser shortcuts for added URLs, check browsers for hijacks and check the extensions. If still infected, try the ESET online scanner.

SAS will offer to remove dodgy programs for you, but it's also good to check Programs and Features as well.
 
I don't think she is viewing dodgy content. No doubt she has clicked a link at some point, as she has added "new" software that's got her into this mess, but from what I can tell she's been terrified of it since she last got infected! This is all the same stuff as last time, so I think Malwarebytes didn't remove everything.

Will try the others too.
 
Last time I saw one of these it was a pain to get rid of!

Have a go with Windows Defender Offline (http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline) - you'll need a spare flash drive or CD. Do a full scan and let it clean what it finds.

Do several MWB scans, rebooting after each.

If you know what should be running on the system, use Process Explorer to identify known malware (turn on the 'submit to VirusTotal' option) - the column on the right will let you know about potentially bad processes.

Finally, use Autoruns; again, turn on the 'submit to VirusTotal' option and see what that picks up.

The last infection of these I saw, there was a scheduled task that downloaded everything again 2 weeks after I first cleaned it. Sounds like something similar might have happened in your case?

Matt
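
The triage Matt describes (Process Explorer, Autoruns, and hunting for a scheduled task that re-downloads the malware), as an added PowerShell example. This is not code from any post in the thread; it walks the persistence locations a re-download usually hides in (scheduled tasks, Run/RunOnce keys, Startup folders), flags command lines that reference download-capable tools or URLs, and hashes the referenced executables so the SHA-256 can be checked on VirusTotal by hand, much as Autoruns does with its VirusTotal option. The regex pattern list and the CSV output path are my own choices, not an authoritative indicator set. Run it in an elevated PowerShell 3.0+ session on the affected machine (Windows 8 ships 3.0).

```powershell
# Added example, not from the thread. Triage of persistence locations that can
# re-download malware after a clean-up. Elevated PowerShell 3.0+ on the machine.
# $pattern is a starting point of my own, not a complete indicator list.
$pattern = 'powershell|bitsadmin|certutil|mshta|wscript|cscript|regsvr32|rundll32|' +
           'https?://|\.vbs\b|\.js\b|\\temp\\|\\appdata\\'

function Get-Sha256Hex ([string]$Path) {
    # Get-FileHash only arrived in PowerShell 4.0, so hash via .NET directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Dispose() }
}

function Resolve-ImagePath ([string]$Command) {
    # Best-effort extraction of the executable from a command line:
    # a quoted path, then the first token ending in a known extension, then the first token.
    if     ($Command -match '^\s*"([^"]+)"')                                  { $exe = $Matches[1] }
    elseif ($Command -match '^\s*(.+?\.(exe|com|bat|cmd|vbs|js|ps1))(\s|$)') { $exe = $Matches[1] }
    else   { $exe = ($Command -split '\s+')[0] }
    $exe = [System.Environment]::ExpandEnvironmentVariables($exe)
    if (Test-Path -LiteralPath $exe -PathType Leaf) { return (Resolve-Path -LiteralPath $exe).Path }
    $found = Get-Command $exe -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($found -and $found.Path) { return $found.Path }
    return $null
}

function New-Finding ([string]$Source, [string]$Command) {
    $path = Resolve-ImagePath $Command
    [pscustomobject]@{
        Source     = $Source
        Command    = $Command
        Suspicious = [bool]($Command -match $pattern)
        Image      = $path
        Sha256     = if ($path) { Get-Sha256Hex $path } else { $null }
    }
}

$findings = @()

# 1. Scheduled tasks: where the "download everything again in two weeks" job lives.
foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions carry no command line
        $cmd = ($action.Execute + ' ' + $action.Arguments).Trim()
        $findings += New-Finding "Task $($task.TaskPath)$($task.TaskName)" $cmd
    }
}

# 2. Run / RunOnce keys. HKCU is the hive of whoever runs this script; if you remoted in
#    under a different account, inspect the affected user's hive separately.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
        $findings += New-Finding "$key\$($prop.Name)" ([string]$prop.Value)
    }
}

# 3. Startup folders (all users, then the current user).
foreach ($folder in @([Environment]::GetFolderPath('CommonStartup'),
                      [Environment]::GetFolderPath('Startup'))) {
    Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += New-Finding "Startup $($_.FullName)" $_.FullName
    }
}

# Suspicious entries first. Look up the Sha256 column on VirusTotal before deleting anything.
$findings | Sort-Object -Property @{Expression='Suspicious'; Descending=$true}, Source |
    Format-Table Suspicious, Source, Sha256, Command -AutoSize -Wrap
$findings | Export-Csv -Path "$env:USERPROFILE\Desktop\persistence-triage.csv" -NoTypeInformation
```

Treat "Suspicious" as a prompt to look closer, not a verdict: legitimate updaters also live in scheduled tasks and call out to URLs, which is why the hash, not the pattern match, is what you check against VirusTotal. The script does not cover every autostart location Autoruns knows about (services, drivers, WMI subscriptions, browser helper objects), so it complements a full Autoruns pass rather than replacing it.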
 
If MBAM is showing that many threats, I'd suggest that you factory reset it and create a non-admin account for your idiot cousin to use, so that this doesn't happen again, and lock down the main admin account with a password so that it can't be accessed improperly.
 
Well I did Superantispyware, Malwarebytes and Spybot 2 remotely.
SASW found 4 things that I think were the key to the problem; the others all come back clear now.
You can see by the days on which the malware has installed again that it builds up over a couple of days, but it must be asking for elevated "yes" clicks, so I've told her to watch out for them too.

If it reinfects itself again I will get it back, try some of these extra steps, and if that fails then it's a factory reset!
I'd rather fix it if I can :)
 
Have you done this with System Restore turned off and the old shadow copies removed, then purged the malware?

No, just ran the software. Can't see how System Restore can reinfect the computer unless the PC does a system restore?

Either way, time and remote constraints meant that I could only do so much. If it goes down again then she will have to bring it over and I'll have a proper go at it, but fingers crossed that I've nailed it now :o
 
Depending on when the last backup ran for System Restore, the problems could simply be backed up onto it, which is why you typically disable it, scan/clear and then turn it back on. Personally I never use System Restore.
 
No, just ran the software. Can't see how System Restore can reinfect the computer unless the PC does a system restore?

The PC doesn't need to do a system restore to be reinfected, since the malware can do it all itself if the main body has been removed from the computer.
 
No, just ran the software. Can't see how System Restore can reinfect the computer unless the PC does a system restore?

Without switching off system restore, some files with elevated privileges can restore themselves without needing the UAC command point checked, as that's already been done when they were installed initially.

The gate is open.
Close the gate before you wipe, then wipe.
Else, over the course of a few restarts, it'll all install again, which is exactly the behaviour you got previously (when you couldn't see what an active System Restore might do).
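
The "close the gate, then wipe" sequence argued for in the last few posts, together with the non-admin account suggested earlier in the thread, as an added PowerShell example. This is not code from any poster; it scripts the order of operations (turn System Restore off, drop the existing shadow copies, scan, and only then turn restore back on and take a clean checkpoint) and finishes by creating a standard-user account for daily use. The drive letter and the account name are placeholders, and the scanner call uses the Windows Defender engine that ships with Windows 8 only because it is guaranteed to be present; substitute whichever scanner you trust. Run it from an elevated PowerShell 3.0+ prompt at the machine rather than over the remote session, since the scan may kill whatever that session depends on.

```powershell
# Added example, not from the thread. Elevated PowerShell 3.0+ at the machine.
$drive     = 'C:\'        # placeholder: the system drive
$dailyUser = 'cousin'     # placeholder: new day-to-day account with no admin rights

# What restore points exist right now: these are what the malware could come back from.
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize

# 1. Close the gate: no new restore points while cleaning.
Disable-ComputerRestore -Drive $drive

# 2. Throw away the existing shadow copies, which is where restore points are kept.
& vssadmin.exe delete shadows /all /quiet

# 3. Full scan (ScanType 2) with the built-in Defender engine. A non-zero exit code means
#    threats were found or the scan failed; reboot and repeat until a pass comes back clean.
$mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $mpcmd -Scan -ScanType 2
Write-Host "Scan exit code: $LASTEXITCODE"

# 4. Re-open the gate on a known-good system and record that state.
Enable-ComputerRestore -Drive $drive
Checkpoint-Computer -Description 'Post-cleanup baseline'

# 5. Standard (non-admin) account for daily use. net.exe is used because the
#    LocalAccounts cmdlets postdate Windows 8; '*' makes it prompt for the password
#    instead of leaving it in the command history. New accounts land in Users only.
& net.exe user $dailyUser * /add

# Confirm the new account is not an administrator, then set a password on the admin
# account she has been using so that elevation needs it.
& net.exe localgroup Administrators
```

Two things worth knowing before relying on this. Checkpoint-Computer will silently skip the checkpoint if a restore point was already created within the last 24 hours, which is Windows' default throttle, so check Get-ComputerRestorePoint afterwards. And the payoff of step 5 is the change in what an elevation prompt looks like: from a standard account, UAC asks for the administrator's password rather than offering a Yes button, so the "elevated yes clicks" mentioned earlier in the thread stop being a one-click decision.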
 
OK, well, I think I will remote in again today and see if things have changed, turn off System Restore while I'm at it and do another flush... then on again.

Thanks for the help people :)
 