An easy way to de-activate a malware

This morning I had the surprise to see my machine infected with a malware, Antimalware Doctor, a pseudo-antivirus that is itself a virus! Since I am running Windows 7 in non-admin mode and didn’t see any install window, I was not only surprised, but also disappointed by all the security promises that Microsoft did for the last years.

This malware was particularly boring since once logged in, it killed immediately any processus of any applications started! (task manager, others windows tools and any antivirus included!).

None of the multiple fixes found by googling worked for me. Hopefully I had the idea of an easy fix after an hour struggling. So the idea is:

  • Log as another user (admin or not)
  • Start menu > Type MSConfig in the cmd menu
  • Deactivate every service and application started at logging time
  • Restart the computer
  • Relog with the infected account
  • Now the malware is deactivated, it is time to search for every infected registry keys and files with a solid anti-virus, and remove everything (Malwarebytes’ Anti-Malware did the trick for me).

Note that searching for every infected registry keys and files from another account than the infected one didn’t work.

Hope this help!

This entry was posted in Uncategorized. Bookmark the permalink. Follow any comments here with the RSS feed for this post.
  • Anton

    This is why I boot my Windows 7 from vhd, and switch to a differencing disk before doing anything potentially dangerous. In reality it is entirely reasonable to always boot from the difference vhd and drop down to the base vhd only to install and update stuff. With some bcdedit magic the whole cycle can be automated down to “Reboot to install/update” and “Reboot after updating”, plus “Reboot and discard differences” to solve any malware etc. problems. Backing up the entire system also becomes a piece of cake — just boot into the PE system and copy the vhd file.

  • Adrian

    Now you should reverse engineer the exploit and get money from Google, unless it is already reported and fixed.

  • http://codebetter.com/members/Patrick-Smacchia/default.aspx Patrick Smacchia

    Interesting feedback Josh, I guess Chrome was also the entry point of the malware I had.

  • http://www.josheinstein.com Josh Einstein

    Indeed it sounds like UAC kept the mess confined to your user account which is all that it can promise. I recently had some malware creep onto my machine through a hole in Google Chrome. It was an infected image hosted on imageshack.us and I got to it while searching Google for Draqon Quest IX maps. I too was shocked that something could get onto my machine so silently since I was up to date on AV and UAC was on, etc. Once I tracked down the thing and cleaned it off, I went through my Chrome history and found the page that did it. Knowing it couldn’t do any more damage than it had already done I went back to the page and sure enough got the same virus.

  • Joshua Flanagan

    It sounds like the virus only impacted the single user, which is why admin rights were not needed to install it.
    Can you imagine how much worse the UAC nagging would be if it prompted you for every action, even ones that did not impact the rest of the system?

  • Adrian

    Safe Mode + Sysinternals Suite + any A/V

  • http://codebetter.com/members/Patrick-Smacchia/default.aspx Patrick Smacchia

    >Installing Windows 7 doesn’t take very long.

    ok, but reinstalling VS 2008/2010 + dozens of tools + setting all my preference takes at least a whole day (I generally do it twice a year)

  • http://nerdydeeds.wordpress.com/ Nathan

    I usually try to find the malware on the filesystem and (assuming NTFS here) change the security settings to deny Full Control to SYSTEM and remove all other permissions. If you only delete permissions, some malware apps can restore them while they are still in memory, so the deny setting is critical. After a reboot, the malware can’t execute at all and you can remove the permissions and delete the files.

  • http://rikkus.info Rik Hemsley

    I would advise that you don’t try to ‘recover’ from this by surgery: Instead, simply format and re-install. Installing Windows 7 doesn’t take very long.