103


I'm troubleshooting a Windows 7 PC for a friend. A couple of days ago it started running 'slow'. It turns out 'slow' is about 15 minutes to the first glimpse of the desktop, and another 30 to show icons. It is possible to open Task Manager, and nothing seems awry, CPU usage at 1-5%, plenty of memory free.

The machine is clearly infested with malware though, in particular a program called 'Optimizer Pro' is demanding money to 'remove 5102 files slowing down my computer'. This seems highly suspicious.

My problem is though, that I can't access msconfig (I left it for a couple of hours after having hopefully typed it into the Start Menu and hit enter - nothing seems to have loaded), or anything at all basically. I can boot from a Linux Live CD, but can I actually do anything useful from there?

System Restore hasn't fixed it either, and Safe Mode exhibits the same behavior.

fredley

15 Answers

243

I recommend reinstalling Windows

If you try to salvage the existing install you'll end up spending hours or, likely, days working on it and have nothing to show for your efforts. And even if you were able to successfully run all malware removal tools I wouldn't trust that all malware actually had been removed because, by definition, the malware authors are always one step ahead of the malware removal authors. Once a machine is infected this badly it's likely loaded with all kinds of bad stuff.

So...

  1. Format hard drive
  2. Install Windows

And, as one of the commenters suggested, you should assume that all files and data from the old install are infected and should not be trusted.

Oliver Salzburg
HairOfTheDog
57

Various anti-virus vendors have bootable rescue/scan CDROMs available. Two free ones are:

Kaspersky Rescue Disk 10

Kaspersky Rescue Disk 10 is designed to scan and disinfect x86 and x64-compatible computers that have been infected.

The application should be used when the infection is so severe that it is impossible to disinfect the computer using anti-virus applications or malware removal utilities (such as Kaspersky Virus Removal Tool) running under the operating system.

AVG Rescue CD

Get your business back up and running rapidly in case of system crashes.

Removes infections, repairs files and recovers systems.

amiregelz
Brian
31

I'm going to hop in here and ask more about this first, and then post my assumptions about the computer. You said that it's using only 1-5% of the CPU, but it's still moving slowly? While I'm not saying that it isn't riddled with viruses or anything because it could very well be, I do want to point out that this is screaming faulty hardware to me. Next time you get the Task Manager open, go check out the resource monitor. Here is a simple guide to using the resource monitor.

http://www.pcworld.com/article/241677/how_to_use_resource_monitor.html

Open up Task Manager and go to the Performance tab. At the bottom is a button for the resource monitor. Once it's open, check out the Disk tab at the top and look and see how long requests are taking. Looking at my computer and the computer image found on that site, I'm going to guess that for a non-SSD drive, sub-100-millisecond response times seem to be what you are looking for. If the computer has more than 1 second response times for everything, your computer is going to be slow no matter HOW you boot it. Comment back on here and let us know if the disk response time is slow. If it is, you can try to run a check disk on the drive and wait forever for it to finish and see if that fixes the problem.

Remember that this may not be the problem, but if it is, then reinstalling Windows or running a virus scan won't fix the problem.

Bob
30

To add my ideas to the mix...

Try taking the offending hard drive out and plugging it in to an external caddy, then plug this in to a working PC. You can then check the disk, run anti-virus/malware checks, defrag, etc.

Also, salvage what you can of the files you need (taking care not to copy anything that could potentially infect another PC). Obviously, make sure that the host PC has got good protection before doing this.

If, after placing the hard drive back, it still runs poorly, then I'd consider reinstalling Windows. The time taken to try to solve any other issues will not be worth it.

Lee Taylor
12

If you can boot into safe mode I would do that.

  • Malwarebytes antimalware is an excellent free program as mentioned above and they have just released an Antirootkit program as well although in beta release

  • I am also a fan of DR Web Cureit Free Antivirus (on demand scanner)

  • Hiren's Boot CD is probably one of the most comprehensive boot malware CDs available

  • It could be the case that your computer is severely fragmented and may need defragmenting in which case I recommend Ultradefrag Free Edition

  • Ccleaner to clean out all the rubbish on your system

All the above won't cost you a penny either.

There is an excellent article written recently, on November 6th 2012, by Whitson Gordon for Lifehacker which I think would be beneficial to all, entitled "The Assumptions You Make About Your Slow PC (and Why They're Probably Wrong)". Hope you find it an interesting read!

Simon
11

Download and boot any Linux live distro to check if the machine is somehow handicapped (faulty RAM, bad hard drive, ...) or it's just a too-old Windows installation (maybe a virus attack). In case of a virus attack you can download the http://free.drweb.com/ bootable live CD with virus scanner to be sure that your PC is clean. The free Dr.Web scanner is updated several times per day so it is able to detect and cure even the newest malicious code.

andrej
8

The best tool I have used is Malwarebytes. I used it when I worked in IT a few years ago. Additionally, Kaspersky is good as is AVG (as suggested above), or a combination of all.

Another great option, that includes the live Malwarebytes image, is Hiren's BootCD (direct link to download).

nerdwaller
8

At the end of the day, I still think that @hair of the dog's answer is probably the 'best' solution.

On the other hand, leaving a problem as it is, is probably not the way to do things.

This is really a condensed version of some of the previous answers, with a few more observations.

In my experience hard drives are a big reason for computers to slow down. They're quirky devices with many failure and error modes. There are other reasons worth looking at too.

Booting into a generic Linux live CD is pretty useful in this case. There are two things you want to do when looking into possible drive problems. Firstly you want to ask the drive if it's OK - smartmontools (or its graphical front end, gsmartcontrol) is pretty good here. You want generally 'healthy' results. While you're at it, you may also want to run hdparm -Tt /dev/sdXx a few times to get a benchmark result of the disk speed. Run the same command on a healthy and similar enough disk to see if it's really slower.

I'd also suggest doing file level recovery at this point. A drive that was uncleanly mounted won't mount automatically in Linux - you will need to do a mount -f /dev/SDXx /mount/point to force it to mount. If the disk is obviously damaged according to smartmontools, use a recovery-centric dd variant to do a backup - GNU ddrescue is a good bet. This will create an image skipping bad sectors.

Assuming the disk is OK, it gets tricky. You could probably run an offline AV scan to try to clean it up, then pop it into another system in order to do some maintenance.

You can also mount the registry hive from another Windows system to edit startup entries manually (great time to do a virus check from a Windows system, and a defrag) or use the registry editor from the offline password changer disk, assuming you know what you're looking for.

If we're doing recovery/repair related activities using Windows tools - you might want to consider building a PE disk (BartPE if you don't mind an XP-based live disk), or using a separate, 'disposable' install for these tasks to reduce the risk of malware cross-contamination.

At this point you SHOULD have worked out if the disk is slow, whether it's malware, and if you think it's worth your time fixing it. You should have also gotten your data out. If it's malware, and the offline scans and regedits failed, you can run shred from the live CD to wipe the disk. If it's hardware failure, you can restore from that dd backup. If it's none of the above, things get interesting.

Journeyman Geek
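
To make the hdparm comparison in the answer above concrete, here is an added example (not part of the original answer) that parses several `hdparm -Tt` runs from a suspect disk and from a healthy reference disk and reports whether the suspect's median buffered read rate falls below an assumed threshold; the two sample outputs are constructed, not real measurements.

```python
import re
from statistics import median

# hdparm -Tt prints one 'cached reads' and one 'buffered disk reads' line per
# run; this pattern captures the kind of read and the MB/sec figure from each.
HDPARM_LINE = re.compile(
    r"Timing (?P<kind>cached reads|buffered disk reads):.*?=\s*"
    r"(?P<rate>[\d.]+)\s*MB/sec"
)

def parse_hdparm(output):
    """Return {'cached': [...], 'buffered': [...]} MB/sec values across runs."""
    rates = {"cached": [], "buffered": []}
    for m in HDPARM_LINE.finditer(output):
        key = "cached" if m.group("kind") == "cached reads" else "buffered"
        rates[key].append(float(m.group("rate")))
    return rates

def compare_disks(suspect_output, healthy_output, slow_ratio=0.5):
    """Compare median buffered (real disk) read rates; the 0.5 cut-off is an
    assumption: a disk reading at under half the speed of a similar healthy
    one is flagged as slow. Cached reads mostly measure RAM, so are ignored."""
    suspect = median(parse_hdparm(suspect_output)["buffered"])
    healthy = median(parse_hdparm(healthy_output)["buffered"])
    ratio = suspect / healthy
    return {"suspect_mb_s": suspect, "healthy_mb_s": healthy,
            "ratio": round(ratio, 2), "suspect_is_slow": ratio < slow_ratio}

# Constructed sample output: three runs per disk, as the answer suggests.
SUSPECT = """
/dev/sdb:
 Timing cached reads:   9822 MB in  2.00 seconds = 4915.45 MB/sec
 Timing buffered disk reads:  22 MB in  3.45 seconds =   6.38 MB/sec
 Timing cached reads:   9790 MB in  2.00 seconds = 4899.12 MB/sec
 Timing buffered disk reads:  18 MB in  3.12 seconds =   5.77 MB/sec
 Timing cached reads:   9801 MB in  2.00 seconds = 4904.80 MB/sec
 Timing buffered disk reads:  26 MB in  3.03 seconds =   8.58 MB/sec
"""
HEALTHY = """
/dev/sda:
 Timing cached reads:   9900 MB in  2.00 seconds = 4955.10 MB/sec
 Timing buffered disk reads: 312 MB in  3.01 seconds = 103.66 MB/sec
 Timing cached reads:   9850 MB in  2.00 seconds = 4930.02 MB/sec
 Timing buffered disk reads: 298 MB in  3.00 seconds =  99.33 MB/sec
 Timing cached reads:   9880 MB in  2.00 seconds = 4945.01 MB/sec
 Timing buffered disk reads: 305 MB in  3.02 seconds = 100.99 MB/sec
"""

if __name__ == "__main__":
    print(compare_disks(SUSPECT, HEALTHY))
```

In practice you would paste the real output of the repeated hdparm runs (from the live CD) into the two strings, or read them from files.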
5

Hiren is your friend.

http://www.hirensbootcd.org/download/

Download it, burn it, boot it from the slow computer.

There's a series of tools there, to check for errors including Hard Drive, CPU, Memory, etc.

Run a couple of those to see what you find.

It also has some security programs there to allow you to do an AV/Malware scan.

Highly recommended.

Luiz Angelo
2

Have you checked your hard drives? Maybe it has some bad sectors, causing a long delay whenever certain files are accessed. Try running chkdsk /r in Safe Mode (or use other disk repair tool).

Synetech
1

Reinstalling is recommended. However, if there is data on the device you cannot afford to lose, then you might want to try out Microsoft Defender Offline.

Basically it allows you to bypass the operating system and then you can perform a scan of the hard drive. Make sure to download a fresh copy so that you have recent antivirus definitions.

If the PC is still slow after that, you can try booting with a Linux CD/USB to copy your data and then reinstalling Windows. But make sure to scan the backup hard drive on another (protected) machine before copying it back to the old machine.

1

At least this malware slows down the PC in an environmentally friendly way and doesn't max the CPU!

The short answer to the original question is to reinstall as previously mentioned. These days though, malware authors know most people simply reinstall instead of attempting removal, so most only take countermeasures against automated tools and not a knowledgeable person at the terminal. So if a reinstall is not desirable and you don't mind wasting a couple of hours (or more), it is usually not too hard to remove most malware.

However you need to be familiar with the command prompt, and be able to distinguish malware from legitimate software. There is no substitute for experience here, but I've found the approach below to be effective.

Firstly prep the environment:

  1. From another clean PC, download a copy of the Sysinternals suite, and copy it to a USB stick (or to the PC's hard drive directly if possible).
  2. Rename two of the utilities, procexp.exe and autoruns.exe, to random file names (but make a note so you can recognise them!).
  3. Disconnect any network connections.
  4. Boot the computer in safe mode, get to the desktop. Safe mode is not essential, but it helps as there will be less running processes to wade through and malware should stand out more easily. Using a clean user profile can also help for the same reason, but this can obscure the infection from you as there are probably entries in the user's registry.
  5. Open up a command prompt as administrator and run taskkill /F /IM explorer.exe to kill explorer. This stops a fair amount of malware in its tracks, making removal easier. If you're prevented from running the command prompt, a renamed copy from another PC can be effective (sometimes you can get away with simply making a copy on the same machine).
  6. From the command prompt launch procexp and autoruns via the renamed executables. Note that it's possible malware could detect the hashes or other characteristics and prevent you from launching these tools, but hashing at least wouldn't be a reliable approach as they're updated fairly frequently. Usually any countermeasures against these tools look for the file name.

From here you can use autoruns and procexp to remove the malware, but it's as much art as science. Procexp shows you what's currently running, and autoruns shows you how it launched. Patterns to look for are:

  • Filenames that look randomly generated
  • Software running from temporary directories
  • Software running in the user's profile. With Vista and later versions, running software from the profile has become more common to avoid elevation prompts, but most legitimate software will still install to Program Files. Given that this one clearly has root access you're going to be hunting for it in system directories, but there could be a watcher in there and usually the infection originates from somewhere in the user profile (Downloads, temporary internet files).
  • Recently modified files in C:\Windows and System32
  • Names that are close to legitimate Windows binaries such as cmd.exe, services.exe (or the same filenames but in the wrong location). I have seen cnd.exe, service.exe, explore.exe in my time.
  • Rundll32.exe entries. Many are legitimate but inspect the processes to see which DLLs are loaded.

Removal tips:

  • It can be helpful to simply gather information before attempting to kill processes and delete entries - this gives you a more holistic overview, and taking multiple steps in quick succession is going to be more effective than doing things in isolation, as watcher processes can very quickly take you back to step 1.
  • For anything obvious use procexp's kill and delete function. If this fails, sometimes using echo > "c:\path\to\malware.exe" on the command prompt to blank its file, followed by kill and delete, can work.
  • Use autoruns to find where it's hooked in. I use this tool because it seems to be complete, short of a rootkit or modifying system executables there aren't many other ways for malware to launch, if any. To save yourself time use the "Hide Microsoft entries" option, which is disabled by default.
  • If you find a hook in autoruns that loads a DLL with every exe, your running processes (including your detection tools) are going to be keeping the malware alive. In this case you need to blank the offending DLL with echo as above, kill and relaunch all your software (should result in a DLL error every time you run a program), then reboot. But make sure you've removed any other hooks first.
  • There may be a watcher process which looks for modifications to the malware and restores it. If this is the case you may have to perform multiple actions simultaneously, and the only reliable way to do this is to use a batch script. But depending on the check interval it can be enough to perform the steps quickly in sequence.
  • If you can't find anything and it turns out to be a rootkit, finding and removing it becomes much harder - you need tools that bypass the higher level Windows APIs. This is probably a bit beyond the scope of what can be covered in a Super User answer, but using RootkitRevealer followed by a Linux boot CD to delete the actual files can be effective (remember to rename the exe).
  • If you need to reboot before you're confident of complete removal, cutting the power instead of doing an orderly reboot removes one more opportunity for reinfection. Just make sure you've backed up their data first.

Given that this particular malware demands money to fix your computer and slows it down, the DLL load approach is likely. It probably doesn't modify system files or install a rootkit, as this carries a greater risk of breaking the system entirely. So you should be able to remove it using the general approach above, but if you miss just one hook you're likely to be back to square one on next boot.

If this sounds like a lot of effort, it is. Reinstalling is usually easier, and you can never fully trust a computer again once it's had malware on it. But personally I find it kind of fun - it's you vs the malware writer, and you have the clear advantage of being the human at the console!

Alex Forbes
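
As an added illustration of the patterns listed in the answer above (not the answer's own tooling), the following Python script applies those heuristics to a constructed list of startup entries of the kind autoruns or procexp would show; the table of known binaries and their expected directories, the lookalike edit-distance threshold and the random-name rule are all assumptions made for the example.

```python
import re

# Binaries malware imitates (from the answer) and where each should live.
SYSTEM_DIR = r"c:\windows\system32"
KNOWN = {"cmd.exe": SYSTEM_DIR, "services.exe": SYSTEM_DIR,
         "svchost.exe": SYSTEM_DIR, "rundll32.exe": SYSTEM_DIR,
         "explorer.exe": r"c:\windows"}
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\")
PROFILE_MARKERS = ("c:\\users\\", "c:\\documents and settings\\")

def edit_distance(a, b):
    """Levenshtein distance, to spot cnd.exe / service.exe style lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_random(stem):
    """Assumed heuristic: 6+ characters with no vowels, or three or more digits."""
    digits = sum(c.isdigit() for c in stem)
    return len(stem) >= 6 and (not re.search(r"[aeiou]", stem) or digits >= 3)

def triage(entry):
    """Return the reasons an entry deserves a closer look (empty if none)."""
    path = entry["image"].lower()
    directory, _, name = path.rpartition("\\")  # Windows path, split by hand
    stem = name.rsplit(".", 1)[0]
    reasons = []
    if any(m in path for m in TEMP_MARKERS):
        reasons.append("runs from a temporary directory")
    elif path.startswith(PROFILE_MARKERS):
        reasons.append("runs from the user profile")
    if name in KNOWN and directory != KNOWN[name]:
        reasons.append(f"{name} outside its expected location {KNOWN[name]}")
    for legit in KNOWN:
        if name != legit and edit_distance(name, legit) <= 2:
            reasons.append(f"name resembles {legit}")
    if looks_random(stem):
        reasons.append("filename looks randomly generated")
    if name == "rundll32.exe" and entry.get("args"):
        reasons.append(f"rundll32 loads {entry['args']}; inspect that DLL")
    return reasons

def triage_all(entries):
    """Map each image path to its list of reasons."""
    return {e["image"]: triage(e) for e in entries}

# Constructed sample entries, roughly what autoruns or procexp would list.
ENTRIES = [
    {"image": r"C:\Windows\System32\services.exe", "args": ""},
    {"image": r"C:\Users\bob\AppData\Local\Temp\xk7q2p9z.exe", "args": ""},
    {"image": r"C:\Windows\cnd.exe", "args": ""},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "args": r"C:\Users\bob\AppData\Roaming\qwrtpsd.dll,Start"},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "args": ""},
]
```

Calling `triage_all(ENTRIES)` flags the Temp executable, cnd.exe and the rundll32 entry and leaves services.exe and firefox.exe alone; as the answer says, the output is a starting point for a human, not a verdict.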
0

You could have a look at Windows Defender Offline; it scans for malware and gives you the option to fix.

deveneyi
0

To simplify, you either have a problem with the hardware, a problem with the software, or both.

Figure out if your computer has boot from CD or boot from USB enabled, and the steps to boot from external media if it's disabled by default. A quick Google search often speeds this process along.

Use a live cd like the Ultimate Boot CD to check the RAM and hard drive for errors. Test the RAM with Memtest86+, and use your hard drive manufacturer's test suite, such as DLG for WD hard drives. This will rule out most problems with memory and hard drive issues. You could also check system temperatures if you wanted to rule out thermal issues.

Next, run a Linux live CD or boot a Linux distribution from USB. If this exhibits no problems and runs much faster than the installed system without any stability issues, it's boot and nuke time. Transfer any "can't lose" items from the hard drive to some sort of external media at this point. You'll want to scan these files for malware before you get them anywhere near a clean PC. It's preferable to scan these in some sort of live environment.

If you haven't already tried the restore partition, you could choose to perform a "destructive restore" from here, but I don't have a lot of faith in restore partitions, as they can be infected by malware just like the normal partitions. This is where being a Linux user is nice, because you don't have to sweat about license keys and install media.

If your mind is set with staying in Windows, here are your steps:

Locate a system restore disc or a legitimate version of the operating system that you wish to install. Verify that it is a "full" version, and is not an "upgrade" version that requires a previous version of the OS present in order to install. Make sure you have the license key and input it correctly. Be prepared to call the manufacturer if the restore doesn't work right, or Microsoft if the OS install goes wrong.

Take the previously mentioned "Ultimate Boot CD" and run Darik's Boot and Nuke. It will take a while to erase the drive. Since you plan on reinstalling, you can use one of the quicker format modes. A "quick erase" or "DoD short" should do the trick.

Install the operating system from scratch on the (now blank) hard drive.

If necessary, transfer the old files that have been scanned multiple times for viruses back to the fresh operating system install. Enjoy the process of installing software and system updates.

Curse yourself for not having a more recent backup or implementing a system image backup routine. Vow to be better at it, and hope that there won't be a next time. There probably WILL be a next time.

Zoot
-1

The proper solution is to nuke it and re-install Windows. If that simply isn't a solution, the only other proper solution is to use a live CD/USB Linux setup to run anti-virus software packages from outside your Windows installation.

I've looked through the given answers and am surprised to see that Trinity Rescue Kit has yet to be mentioned!

This software suite is my go-to solution when I'm trying to remove malware/viruses/rootkits from an infected computer. It has 3-4 different software solutions that will go out to the net and fetch their latest definitions before they start the scanning/cleaning process.

g19fanatic