I began working on a computer where the owner was complaining of "pop-ups" and not being able to browse the web.
The computer is a Gateway running Windows Vista. I logged in to the Administrator account and got to the desktop; before I could do anything else, about nine "Windows Security" pop-ups came up telling me to download various removal tools. Most of them were recommending I download Antivirus 2009. Then I noticed the owner must have already taken the advice, because Antivirus 2009 was running in the background asking to run a complete scan.
Antivirus 2009 is malware, or software designed to infiltrate and damage a computer. One of the best removal tools for Antivirus 2009 is Malwarebytes Anti-Malware. Upon searching for this software from the computer's web browser I discovered another problem: the go.yahoo.com / go.google.com virus. This virus prevents you from actually going to any website by redirecting you to an endless series of search websites.

I downloaded Malwarebytes on my laptop, transferred it to my flash drive and then plugged the flash drive into the computer. When I tried to run the mbam-setup.exe file it wouldn't run, which is another symptom of Antivirus 2009: it blocks the installation of things that can kill it. A simple workaround for this was to rename the .exe file, after which the install was allowed to happen.

After installing, I rebooted into safe mode (this is accomplished by hitting F5 or F8 during the boot process before the Vista splash screen comes up) and ran a Quick Scan, which completely cleaned Antivirus 2009 off the system. Upon reboot into normal mode I discovered that the go.google.com virus was still present, so I disconnected the ethernet connection, rebooted into safe mode again and ran a Complete Scan with Malwarebytes. This found 8 more infections, which it cleaned, and upon reboot I ran another Complete Scan in normal mode, which found 5 more infections that required a reboot to clean. When it came back up everything seemed to be working great.
I always run HijackThis on all systems I am working on just to make sure that no malicious Browser Helper Objects (BHOs) are left behind that will continue to allow malware / spyware to be installed. The HijackThis log looked pretty clean, but I removed a few toolbars and search assistants that only slow Internet Explorer down. After a final reboot the system was running smoothly with no further infections showing up in either Malwarebytes or Windows Defender. They were using an expired version of McAfee, so I uninstalled it and installed AVG Free Anti-Virus and updated it. A complete scan from it reported no infections / problems. All in all it took around 4 hours to remove all infections, but most of that was time spent performing the scans, which doesn't require direct intervention, so I was able to do other things while they ran.
There are also manual removal methods for the Antivirus 2009 software, which involve booting into safe mode, killing certain processes (av2009.exe, etc.) and then deleting registry keys and all files related to Antivirus 2009, but I find using software not only does the trick but also removes items you may not know were infecting the system.
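As an added example, not something from the original post, the script below carries out the manual steps just described (kill the process, strip the registry entries that restart it, delete its files) and also lists the Browser Helper Objects that HijackThis reports as O2 entries. The process name av2009.exe is the one the post gives; the Run/RunOnce and BHO registry locations are the standard Windows ones, and everything else (parameter names, the report-only default) is an assumption made for this example rather than a catalogue of known Antivirus 2009 artefacts. Run it from an elevated PowerShell prompt in safe mode, first without -Remove to see what it would touch.

```powershell
# Added example: manual rogue-AV cleanup and BHO review for a Windows machine.
# Not part of the original post. av2009 is the process name the post mentions;
# all other names here are assumptions for illustration.
param(
    [string[]]$ProcessNames = @('av2009'),   # as Get-Process expects: no .exe
    [switch]$Remove                           # default is report-only
)

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
# Note properties PowerShell attaches to every registry object; skip them below.
$psProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# 1. Find the running malware and record its image path *before* killing it:
#    the path is what ties the process to its autostart entries and files.
$images = @()
foreach ($name in $ProcessNames) {
    foreach ($p in Get-Process -Name $name -ErrorAction SilentlyContinue) {
        Write-Host ("Process {0} {1} -> {2}" -f $p.Id, $p.ProcessName, $p.Path)
        if ($p.Path) { $images += $p.Path }
        if ($Remove) { Stop-Process -Id $p.Id -Force }
    }
}

# 2. Autostart values whose command line references one of those images.
#    These are what bring the rogue AV back after a reboot.
foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($entry in $values.PSObject.Properties) {
        if ($psProps -contains $entry.Name) { continue }
        foreach ($img in $images) {
            if ("$($entry.Value)" -like "*$img*") {
                Write-Host ("Autostart {0}\{1} = {2}" -f $key, $entry.Name, $entry.Value)
                if ($Remove) { Remove-ItemProperty -Path $key -Name $entry.Name }
            }
        }
    }
}

# 3. Browser Helper Objects: each CLSID, the DLL it loads into Internet Explorer,
#    and the DLL's Authenticode status. Unsigned DLLs in user-writable folders
#    are the ones worth a second look; removal is left to the operator.
if (Test-Path $bhoKey) {
    foreach ($k in Get-ChildItem -Path $bhoKey) {
        $clsid  = $k.PSChildName
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path $inproc) {
            $raw = (Get-ItemProperty -Path $inproc).'(default)'
            $dll = [Environment]::ExpandEnvironmentVariables("$raw")
        }
        $status = 'no InprocServer32'
        if ($dll -and (Test-Path $dll)) {
            $status = (Get-AuthenticodeSignature -FilePath $dll).Status
        } elseif ($dll) {
            $status = 'file missing'
        }
        Write-Host ("BHO {0} -> {1} [{2}]" -f $clsid, $dll, $status)
    }
}

# 4. Only now delete the image files; with the process gone the file is no longer locked.
if ($Remove) {
    foreach ($img in ($images | Sort-Object -Unique)) {
        if (Test-Path $img) {
            Remove-Item -Path $img -Force
            Write-Host "Deleted $img"
        }
    }
}
```

The order matters: kill first, then autostarts, then files. Deleting the file while the process is alive fails because the image is mapped, and removing the Run value first gains nothing if the process is still running and can rewrite it. The script deliberately does not auto-delete BHOs, since a legitimate toolbar and a malicious one look identical in the registry; the signature status and DLL path are what you use to decide.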