I'm using AT&T and they have a package deal that they say will check out your
computer online and get rid of all virus and malware, etc., problems for so much
per month, but they want you to agree to a contract of a year at a time and
they're already charging me way more for the service I have than what I agreed
to, to begin with. That part's another issue, but I don't want to give them even
MORE... Can anyone suggest a good online service that will find that crap and
keep it off the computer at a reasonable price, but that's dependable? AT&T is
sending me emails saying it's infected now:
"AT&T has received information indicating that one or more devices using your
Internet connection may be infected with malicious software. Internet traffic
consistent with a malware infection was observed on Sep 15, 2014 at 9:34 PM EDT
from the IP address..."
Thanks for any help!
David

It's good to be skeptical of the ISP-offered packages.
I've read enough horror stories about ISP-offered malware
packages to steer well clear of them.
To start your cleaning, you can use the free one-shot MBAM scanner.
"Think you're infected? Fire up Malwarebytes Anti-Malware Free"
http://www.malwarebytes.org/antimalware/
That one runs while Windows is running. It can use heuristic
behavior (watching what malware does) to figure out malware is
present. The hard part of using that one is getting it to start,
as the malwares are skilled at defeating MBAM.
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-malware-tutorial
*******
There are also a few offline scanners. Windows is not running when they
do their work. The scanners come as a "boot CD" and so the scanner
has its own (clean) OS to use. The scanner cannot use heuristics:
as Windows is not running, no malware behaviors can be observed. The
scan is signature based.
The download here is listed as "~375MB" but the size increases
regularly due to the size of malware definitions. The definitions
when you download will be within a week of being up to date, so
if the CD attempts to download definitions at the start of the
run, it won't need a lot of files to bring it up to date. Three
months from now, the size of the download could be pretty big.
http://support.kaspersky.com/8092
*******
We'll assume MBAM quarantined the bad stuff.
That leaves nuisance-ware, which probably isn't the stuff making
a "bot" out of your machine right now. Your machine is probably
sending spam email, or participating in a botnet (doing denial
of service attacks when commanded to do so). If all of that
stuff was cleaned up, there is the milder "potentially unwanted programs"
or PUP to get rid of.
http://www.bleepingcomputer.com/download/adwcleaner/
http://www.bleepingcomputer.com/download/junkware-removal-tool/
Programs like MBAM were not intended to remove everything.
Programs which "claim to not be malware" are in a gray zone,
and antimalware companies don't touch them, for fear of
being sued by the lawyers of the companies making PUP programs.
That's why small developers, in countries far away, make programs
to clean your machine.
*******
Your machine could have a rootkit. A popular rootkit is TDSS.
http://support.kaspersky.com/viruses/disinfection/5350?qid=208280684
Kaspersky makes TDSSkiller.exe, a program maintained specifically
for the purpose of stopping variants of TDSS/Alureon.
I've also seen a page on another site, with specific removal
packages for some pretty nasty malware. So nasty in fact,
that the chances of "saving" the installation are slim indeed.
Many malwares have a "light touch" and the damage can be
repaired. But some just ruin the OS (over 200 files are modified)
and the chances of a specific tool fixing all of those successfully
is limited.
Even for a professional, such as the malware guy at the computer
store, at some point they just re-install as it's faster.
You can get "guided help" at bleepingcomputer.com and other sites
to help you remove stuff. But you can wait several days before
they see your posting, and they're normally swamped with work. But
they're also pretty good at figuring out what the machine has. Sometimes
your case is unique enough that several of their experts will be working
in the background, trying to defeat the new example.
*******
When I got something nasty a number of years ago, I used the
"trial version" of Kaspersky to remove it. It took several reboots
of the computer until Kaspersky "got in control" of the machine.
And if I were doing that today, there's a good chance the malware
simply wouldn't allow the software to install. And that's where
the offline scan method is better than nothing.
*******
In terms of free programs, there are three of them that begin with
the letter "A" that you might consider.
http://en.wikipedia.org/wiki/Comparison_of_antivirus_software
And there are sites that test the AV programs (commercial ones),
to see how effective they are. I would think a subscription to
a real AV program, a good one, would be cheaper than the ISP offer.
http://www.av-comparatives.org/
These would be for your "cleaned up" machine, for later.
Not all of the programs are equally adept at taking over
from a malware attack. Some of the weaker AVs are just
"gutless" when under attack, and can't stop anything.
I particularly remember a "free web scan" site that
just threw up error dialogs the whole time it was running.
*******
Steps:
1) Back up the computer. The link in the lower left corner of the page
linked below can be used. The purpose of making a backup is in case any of
your attempts to clean the machine prevent the computer from
booting. This software includes a boot CD, which allows "bare metal
restore", so no matter how ruined C: is, you can return things to
their current (infected) state. You would discard the backup image
once things are under control again. In this case, if my drive had
a C: partition and a data partition, I'd just make a copy of C: onto
the data partition. Macrium makes a single .mrimg file holding the
whole thing (whatever you ticked to be backed up). If you want to
image the whole disk, Macrium will likely ask for a second disk to
hold the output.
http://www.macrium.com/reflectfree.aspx
You would install Macrium on your "clean" computer, make the boot CD
(which cannot be infected), carry the boot CD to the infected machine,
and make your backup copy by booting the CD, not booting the hard drive.
The boot order of the machine should have the CD before the hard drive,
as set in the BIOS.
2a) Go crazy. Knock yourself out. Run some of the tools above. If a system
file is quarantined and the OS no longer boots, you can restore from
your backup.
or
2b) Seek guided help from bleepingcomputer.com or similar. Use
a second, uninfected computer, until your helper has finished
repairing the damage, one repair tool at a time. For safety, do not
connect the two computers to the same router or switch at the same
time, in case this is Sality. The infected machine will need to be
connected to the router long enough, to get AV definition updates.
You should also be careful moving data between machines with a USB key,
since some (U3) USB keys have fake CDROM drives in their configuration, and
an autorun can be used to infect the second computer. Microsoft thinks
it is OK to run software off any CDROM, which is a dumb-ass idea.
3a) Install your new suite of tools on the clean computer.
or
3b) If you're just not cleaning the stuff off, reinstall the OS from scratch.
You can "browse" the Macrium backup image to get at your data files. Make sure
your new AV scanner is installed, before you start browsing the Macrium
backup image. Same would go for keeping the "infected" disk drive separate,
using a new hard drive for your clean OS install, and then re-connecting the
infected disk later. Make sure your defenses are ready. You can start with
a "long scan" using your new AV, when the old disk is connected.
There are some really bad malwares out there. The worst for removal so far
is called "BadBIOS", for its ability to leap from machine to machine. A
malware researcher happened to get attacked by it. And it defeated virtually
all efforts to remove it. Even new computers brought into the building
end up infected. The guy has some idea how it works, but still doesn't
claim mastery of the thing. That's an example of what nation-states use
for malware, to attack others. That's not something normally deployed
against end-users like yourself. A copy of something like that is
sent as an email attachment to the "victim". A more focused delivery
method is used. They've even been known to use the "I left a USB stick
in your driveway" trick, and you'd be surprised how many people are
stupid enough to immediately plug that into their USB port.
Good luck,
Paul
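The AT&T notice quoted at the top only says that "one or more devices" behind the connection look infected, and Paul's reply notes the usual symptoms (spam sending, botnet DoS participation). The following is an added example, not code from either poster: a small Python triage script that reads outbound-connection lines from a home router's firewall log and points at which LAN host is behaving like a bot. The log format, the IP addresses and the thresholds are all constructed assumptions for the example; a real router's syslog format will differ, so the regex is the part to adapt.

```python
"""Triage outbound firewall log lines to find the LAN host behind an ISP
abuse notice.  Added example; the log format below is constructed and is
not any vendor's real format."""
import re
from collections import Counter, defaultdict

# Assumed (constructed) syslog-style line:
#   "Sep 15 21:31:00 router fw: OUT src=A.B.C.D dst=E.F.G.H proto=TCP dport=25"
LINE_RE = re.compile(
    r"OUT src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (src, dst, proto, dport) for an OUTBOUND line, or None for
    inbound / unparseable lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"], int(m["dport"])


def constructed_log():
    """Build a constructed sample: one quiet host (192.168.1.10) and one host
    (192.168.1.23) showing the spam-bot and DDoS-bot patterns from the thread."""
    lines = [
        "Sep 15 21:30:01 router fw: OUT src=192.168.1.10 dst=198.51.100.7 proto=TCP dport=443",
        "Sep 15 21:30:05 router fw: OUT src=192.168.1.10 dst=198.51.100.7 proto=TCP dport=443",
        "Sep 15 21:30:09 router fw: OUT src=192.168.1.10 dst=203.0.113.40 proto=TCP dport=80",
        # A normal mail client talks to one mail server; that is not suspicious.
        "Sep 15 21:30:12 router fw: OUT src=192.168.1.10 dst=203.0.113.41 proto=TCP dport=25",
        "Sep 15 21:30:13 router fw: IN src=198.51.100.7 dst=192.168.1.10 proto=TCP dport=51234",
    ]
    # Spam-bot pattern: direct SMTP to dozens of distinct mail servers in a minute.
    for i in range(40):
        lines.append(f"Sep 15 21:31:{i:02d} router fw: OUT src=192.168.1.23 "
                     f"dst=203.0.113.{i + 1} proto=TCP dport=25")
    # DDoS-participation pattern: a burst of packets to one target/port.
    for i in range(150):
        lines.append(f"Sep 15 21:33:{i % 60:02d} router fw: OUT src=192.168.1.23 "
                     f"dst=198.51.100.99 proto=UDP dport=53")
    return lines


def analyze(lines, smtp_fanout=20, flood=100):
    """Return {src_ip: [reasons]} for hosts whose outbound traffic looks bot-like.

    smtp_fanout: distinct port-25 destinations that a single home PC should
                 never reach (a mail client uses one or two servers).
    flood:       connections from one host to one (dst, port) pair within the
                 sampled window that indicate a flood rather than normal use.
    Thresholds are assumptions for the example; tune them to the window length."""
    smtp_dsts = defaultdict(set)   # src -> distinct SMTP destinations
    per_target = Counter()         # (src, dst, dport) -> connection count
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue               # inbound traffic is not what the ISP saw
        src, dst, _proto, dport = rec
        if dport == 25:
            smtp_dsts[src].add(dst)
        per_target[(src, dst, dport)] += 1

    findings = defaultdict(list)
    for src, dsts in smtp_dsts.items():
        if len(dsts) >= smtp_fanout:
            findings[src].append("smtp-fanout")
    for (src, dst, dport), n in per_target.items():
        if n >= flood:
            findings[src].append(f"flood:{dst}:{dport}")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in analyze(constructed_log()).items():
        print(f"{host}: {', '.join(reasons)}")
```

On the constructed sample only 192.168.1.23 is reported, with both the SMTP fan-out and the UDP flood reasons; the quiet host that sent a single message through its own mail server is not. Run against a real export, the output tells you which machine to pull off the network and clean (or rebuild), rather than treating every device behind the router as suspect.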