Unable to remove malware from Win 7 computer

t38
Hi,
One of our computers which contains critical data, is displaying the attached, this appears to be malware, I've run ComboFix and MalwareBytes in Safe Mode (which both removed files/infections) but the problem remains.  I have limited access to the computer as this infection kills most programs as I try to run them.  However, there's nothing listed to uninstall in the Program list.  There is however a rogue process listed in Task Manager which I'm unable to kill.  Any suggestions please?
malware.bmp
Probably easier to remove the disk backup critical files to another drive and reinstall Windows 7 .

Commented:
Most malware, once on the system, are smart enough to evade the current installed antivirus/antimalware software, as it has the "upper hand" in that case.
The only way to defeat the "upper hand", is to have the malware NOT RUNNING. The only way? Use a boot CD (from Avast, AVG, or other reputable vendors). Obviously, you have to burn (or use USB) this CD/DVD on a CLEAN system (either your laptop, or some friend).
John, Business Consultant (Owner)

Commented:
rogue process listed in Task Manager which I'm unable to kill.

Get Process Explorer from Microsoft SysInternals, install it and run it.

Look down the left side under Explorer for strange (alphanumeric) processes.

Kill these, but do not restart. Run Malwarebytes again to remove malware and then (when done) restart and test.

If it is really bad, then reinstall Windows as suggested above.

Commented:
Don't run malwarebytes in safe mode unless you are explicitly told to do so, or if it won't run in normal mode. It (like most AV tools), needs to run in normal mode in order for it to find and be able to remove most infections.
Restart the PC in safe mode with networking - this should allow you to download and install the MalwareBytes free program.  Run the program, then go into Start - Run - msconfig and click on Diagnostic startup.
Then restart - in Programs and Features sort the programs by install date - the bad one should be apparent.

If you can't get into safe mode - you will have to remove the hard drive and hook it up to another working PC and scan the drive from the good PC.

If you are working remotely - try using TeamViewer - it allows you to reboot in Safe Mode w/ Networking.

You will most likely have to use Task Manager - File - Run new task - to get anywhere. Just use the remote host version of TeamViewer - not the full program.

Commented:
As I mentioned above, DON'T run malwarebytes in safe mode. Most malware must be active for MBAM to be able to reliably find it, and most malware isn't active when in safe-mode.

If you can't run malwarebytes in normal mode, use the chameleon version of malwarebytes. It won't get recognized by the malware as being malwarebytes, and therefore it will also install and run in normal mode:

https://www.malwarebytes.org/chameleon/
Just a thought: isn't this a case where it has run a script to make it start in some special kind of startup? Run msconfig and check the boot settings to make sure it isn't always starting in Safe Boot!

I've usually seen this with one of those Windows support calls where they log into your PC and change the settings.
If it keeps launching be sure to check:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

As well as the startup folder.  Sometimes these items will remain and you need to manually remove them.
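The Run/RunOnce keys and startup folders listed above, plus the Safe Boot check suggested a few posts earlier, can be reviewed in one read-only pass with the script below. It is an added example, not code from this thread; the "Suspicious" column is an assumed, coarse heuristic (entries launched from user-writable folders) meant to prioritise what to look at, not a verdict.

```powershell
# Added example (not from the thread): list autostart entries and the BCD
# safeboot flag on a Windows box. Read-only; run from an elevated prompt.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PS* metadata properties that Get-ItemProperty adds
    $names = $props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }
    foreach ($name in $names) {
        $cmd = [string]$props.$name
        # Assumed heuristic: binaries started from profile/temp paths deserve a look
        $suspicious = $cmd -match '\\(AppData|Temp|ProgramData|Users\\Public)\\'
        [PSCustomObject]@{
            Location = $key; Name = $name; Command = $cmd; Suspicious = $suspicious
        }
    }
}

# Startup folders for all users and for the current user
$startupDirs = @(
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('Startup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Location'; e = { $dir } }, Name, LastWriteTime
}

# Is the current boot entry forced into Safe Mode (msconfig's "Safe boot" box)?
$bcd = bcdedit /enum '{current}' 2>$null
if ($bcd -match '^\s*safeboot\s') {
    Write-Warning 'BCD has a safeboot setting: Windows will keep booting into Safe Mode.'
} else {
    Write-Output 'No safeboot flag on the current boot entry.'
}
```

Entries flagged Suspicious are candidates to compare against the process seen in Task Manager / Process Explorer before anything is removed.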
t38

Author

Commented:
Thanks for the advice - this is our Call Recording 'server' so I really don't want to have to rebuild it but will do so as a last resort - I'm running an AVG scan on it atm to see if that can give me back the 'upper hand' as Kimputer so appropriately phrased it...  Will revert once complete.
t38

Author

Commented:
Btw, I hadn't refreshed my browser so didn't see all the additional input, will go through each and revert asap - thanks again.
Commented:
Thank you all for your suggestions - AVG Free in Safe Mode w/ Networking removed the infected files.  I was then able to install and run MalwareBytes and HitmanPro, topped off by CCleaner, and finally updated and ran ESET NOD32.  All now working as normal.  Thanks again.
t38

Author

Commented:
Resolved the issue myself.  Thanks.