Solved

How to remove the "Internet Security" malware for Windows 8

Posted on 2013-05-16
8
498 Views
Last Modified: 2013-05-22
I have an Ultra Book (Toshiba) that is infected with the Internet Security malware.  The laptop will not start in safe mode.  It shuts down any program that's started in about half a second.  A predominantly green dialog appears when the notebook is finished booting claiming that files are infected with various malware and soliciting payment for the program.  A firewall alert appears on the side at times, saying that the book is loaded up with child porn, and offering to delete it for a price.  

I tried using Greatis Unhackme which fails to install, mbam chameleon which starts in a DOS
Window, then stops.  

This is a critical ultrabook for us as it is used be the Medical Director and I really need it working quickly.  Can anyone help>
0
Comment
Question by:jeb-sb
8 Comments
 
LVL 12

Expert Comment

by:duttcom
Comment Utility
You could try Malwarebytes ( http://www.malwarebytes.org/products/malwarebytes_free/ ) or Superantispyware - (http://www.superantispyware.com/). If you can, download it onto a USB stick on another computer or you can burn it to a CD to prevent the USB drive from picking up anything nasty

The other thing that is worth trying if you are unable to run your usual anti malware applications (or the ones suggested above) is to rename the applications before you run them. So if you do decide to try Malwarebytes, once you have unzipped/installed the software, find the EXE file and change its name. From memory, Malwarebytes installs as mbam.exe, so you should change it to something like mbamXYZ.exe before running it.

Often this sort of malware changes the registry to block the running of specific software, such as Malwarebytes, so you can't run them and get rid of the malware. Changing the name of the EXE file will bypass this and allow you to run the software properly.
0
 
LVL 10

Accepted Solution

by:
cpmcomputers earned 500 total points
Comment Utility
This should sort your problem

https://support.kaspersky.com/viruses/rescuedisk
0
 
LVL 12

Expert Comment

by:kadafitcd
Comment Utility
You should try running the various versions of rkill on it.  It kill the software from memory then you can run Combofix and MBAM to clean your system.

If the rkill doesn't work then you'll be forced to use a rescue disk like the one posted above.  Problem is it takes an extremely long time to clean with that rescue disk, that's why I suggested the above.
0
 
LVL 24

Expert Comment

by:aadih
Comment Utility
Quickly?:  Try system restore to an earlier date.
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 10

Expert Comment

by:cpmcomputers
Comment Utility
Since your post I am seeing others refering to a similar problem

There are files being renamed from xxxx.xxx to xxxx.xxx.html

Seems the virus encrypts the files and embeds a link in them so if you execute the file it just takes you to the site demanding paymant for an unencryption code

usually it is possible to get at a keycode hidden on the pc and use a decryption program to restore the files but this latest variant seems to delete the keycode.

I am not seeing any fix at all for this at present

If your symtoms look anything like this I would be tempted to backup the disc asap and then leave it completely switched off, certainly keep it off the internet, until a workable solution is found
0
 
LVL 10

Expert Comment

by:cpmcomputers
Comment Utility
This gives further insight

http://www.bleepingcomputer.com/forums/t/482584/met-police-virus-claims-to-have-encrypted-my-files-cannot-open-doc-jpg-etc/

Note:grinler is the guy would wrote rkill ( so I think we can accept he knows what he is talking about?)
0
 

Author Closing Comment

by:jeb-sb
Comment Utility
This was the only solution that helped.  The problem was complicated by the laptop using Windows 8.  It made gaining any control very difficult.  The Kaspersky solution that I used was Rescue Disk 10.  It allowed me to get to the file system and once I was there, I could control some applications by going directly to them.  using a command prompt invoked by a created icon started as Administrator, I was finally able to get the machine in safe mode  where the bug did not seem to work.  There I ran mbam chameleon and it scarfed it up.
0
 
LVL 10

Expert Comment

by:cpmcomputers
Comment Utility
Great job - would love to get my hands on the people who write this crap

Still no answer for the xxx.html issue if anyone is seeing snything ?
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now