Solved

Trouble doing a remote virus cleanup

Posted on 2009-07-16
4
427 Views
Last Modified: 2013-11-22
I got online with a distant customer, with them saying they were getting "weird stuff" on one XP computer.  The first thing I saw was "Personal Antivirus" giving some "infected" messages.  They assure me they never installed that, and, guessing it might be bogus, I removed that from the startup in msconfig.

Next, I transferred the Spybot installation program from my computer to theirs, but after I installed it, it failed when it got to the point where it needs to be able to download updates, and thus made me cancel the install. So, I had them go into safe mode with networking so they could go through the full install, and it did finish. Then they rebooted into normal XP, but Spybot would not run. In Task Manager it would show that it was running (repeatedly, if they tried to run it more than once), but it never would "run" on the screen like normal.

So, then I transferred the install for Malwarebytes and tried to install that one, but it would never even run the install.

I'm wondering if this might be that virus from not too long ago that prevents the user from connecting with helpful sites (such as Norton, Trend Micro, etc.), because I did notice that their AVG free edition has a warning that "the connection failed" for the update manager component.  Yet they do have some internet connectivity, evidenced by the fact that I'm still able to access the computer remotely.  However, just now I tried to get on some generic sites (like google, etc.) and noticed that it will no longer connect to any site, and as it is trying to connect, it shows the word "Blocked" for a few moments in the upper left area of the screen.

Finally, I ran a full scan using their resident free AVG Antivirus, and it found these two problems in the \Temporary Internet Files\ area:
Trojan horse Rootkit-Agent.EA
Worm/Generic_r.GO

AVG is still running, but I'm assuming that AVG alone is not going to be able to completely "fix" my problems once it is finished.

So is there some good software I can use to solve their problems? Since their IE will no longer let me go to any page, I'm wondering if there is a product that I can download to my computer, then transfer the installation .exe to their computer, and expect it to run correctly (unlike Spybot or Malwarebytes).

Any suggestions on what I can do to help them from a distance will be appreciated!  TIA

Question by: sasllc

4 Comments
Accepted Solution by johnb6767 (LVL 66, earned 125 total points), ID: 24872673
Have them download and run ComboFix from BleepingComputer.com. Should be a good first step....
Assisted Solution by David-Howard (LVL 27, earned 125 total points), ID: 24874364
If you use Combofix, please read and forward the directions to the end user.
(The directions are located at the URL that John provided, Bleepingcomputer.com)
You should rename ComboFix PRIOR to its being downloaded onto the system, as some malware/viruses prevent it from running under its default name.
This may also be the problem with Malwarebytes and AVG.
Once ComboFix is renamed and downloaded, run it per the directions.
You may also want to check the hosts file. It may have been altered.
There is a script to fix faulty connections. The script reinstalls the Winsock, TCP/IP stack, and HOSTS file.
http://downloads.subratam.org/WinsockFix.zip
The file is small enough that the end user could download it to a thumb drive, or it could be sent via email. If you send it via email, please rename the .zip to something like .123, as some email programs will strip the attachment if they detect an extension such as .zip.


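As an added example (not code from anyone in this thread), here is a Python audit of a Windows hosts file in the spirit of the "check the hosts file" advice above: it flags security-vendor names that have been pointed anywhere at all (the usual way a rogue AV stops updates and tool downloads), flags other names redirected to a non-loopback address, reports addresses that several names share, and rebuilds the file with only the localhost line, which is what "reset the HOSTS file" amounts to. The vendor name list and the sample hosts file are constructed assumptions for the example.

```python
"""Audit a Windows HOSTS file for entries that sinkhole security-vendor sites.

Added example for this thread, not code from the original posters. The vendor
name list and the sample hosts file below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Substrings of domains a rogue AV typically blocks so the victim cannot fetch
# updates or removal tools. Assumed list for the example; extend as needed.
VENDOR_HINTS = (
    "avg", "symantec", "norton", "trendmicro", "kaspersky", "malwarebytes",
    "bleepingcomputer", "safer-networking", "superantispyware",
    "microsoft", "windowsupdate",
)

# Constructed sample of a tampered XP hosts file. A clean XP install has only
# the comment header and "127.0.0.1 localhost".
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.avg.com
127.0.0.1       update.avg.com   # vendor update host sinkholed to loopback
127.0.0.1       www.symantec.com
127.0.0.1       www.malwarebytes.org
127.0.0.1       www.bleepingcomputer.com
198.51.100.7    www.google.com
198.51.100.7    www.bing.com
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs. Strips comments and blank lines and expands
    lines that map several names to one address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line; Windows ignores it as well
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def audit_hosts(text):
    """Classify every mapping other than the stock localhost line.

    vendor_sinkholed : security-vendor names pointed anywhere (loopback or not)
    redirected       : other names pointed at a non-loopback address
    other            : unparsable addresses or stray loopback mappings
    shared_targets   : non-loopback IPs that more than one name resolves to
    """
    findings = {"vendor_sinkholed": [], "redirected": [], "other": []}
    targets = defaultdict(list)
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings["other"].append((ip, name))
            continue
        if any(hint in name for hint in VENDOR_HINTS):
            findings["vendor_sinkholed"].append((ip, name))
        elif not addr.is_loopback:
            findings["redirected"].append((ip, name))
        else:
            findings["other"].append((ip, name))
        if not addr.is_loopback:
            targets[ip].append(name)
    findings["shared_targets"] = {
        ip: names for ip, names in targets.items() if len(names) > 1
    }
    return findings


def rebuild_hosts(text):
    """Return the file with every mapping removed except lines that map only
    'localhost', keeping the comment header intact."""
    kept = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(raw)
            continue
        parts = stripped.split("#", 1)[0].split()
        names = [n.lower() for n in parts[1:]]
        if names and all(n == "localhost" for n in names):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # On the affected machine the real file is %SystemRoot%\system32\drivers\etc\hosts;
    # read it with open(...).read() and pass the text in place of SAMPLE_HOSTS.
    result = audit_hosts(SAMPLE_HOSTS)
    for kind, entries in result.items():
        print(kind, entries)
    print(rebuild_hosts(SAMPLE_HOSTS))
```

Two practical notes. The substring match on vendor names is deliberately coarse: on a consumer XP box any mapping besides `127.0.0.1 localhost` is suspect, so false positives cost nothing and the "other" bucket catches whatever the hint list misses. Malware that edits this file often marks it hidden and read-only so it cannot be overwritten; clear those attributes first (`attrib -r -h -s %SystemRoot%\system32\drivers\etc\hosts`) before writing the rebuilt content back, and remember that a hosts fix does nothing for a hijacked Winsock LSP, which is the other half of what the WinsockFix script resets.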
Assisted Solution by Tony Giangreco (LVL 25, earned 125 total points), ID: 24875098
Performing this process in safe mode may not be possible, but here is what I suggest. It has worked for me before:

Restart into safe mode and run your antivirus and spyware detection programs. I suggest running this series in three back-to-back cycles, rebooting once per cycle back into safe mode:
1. Malwarebytes
2. SuperAntiSpyware
3. Spybot
4. Download and install the trial version of Symantec Endpoint

After three complete cycles, reboot into normal mode. If the situation continues, go to Trend Micro and run the HouseCall online scan.
Assisted Solution by warturtle (LVL 16, earned 125 total points), ID: 24880894
ComboFix would be very effective against such a problem. Another alternative is this:

http://dnl-eu10.kaspersky-labs.com/devbuilds/RescueDisk/

Download the ISO file from the above link and burn it as an image on a CD. Then boot your PC from it and let it scan your PC completely for viruses. After this scan is done, then reboot your PC in normal mode and install MalwareBytes and then scan with that.

Hope it helps.