I know, some people might consider MS Windows a virus in and of itself, but this is a bit different.
I am trying to recover an old PC (running XP SP2) for a friend so that she can retrieve all her files and settings, although at this point I’m in it more for the challenge. The machine was loaded with adware, spyware and quite a few viruses. I installed McAfee and got rid of quite a few, but there’s one that’s still a big problem.
It shows up in the process list as “Windows” (not windows.exe, just Windows). I assume it’s overwriting its original process name in the process table. It tends to start a few minutes after the machine is running, and runs as SYSTEM. If you kill it, it restarts immediately (so I assume there’s another process that’s running that monitors it). If you kill it a few times in a row, it goes away for a while, but comes back a little later.
The worst part is that if I let it run for more than a few seconds, it eats up all the physical memory and CPU (it’s so bad that moving the mouse pointer around the screen can take a minute). Because of the name, it’s pretty much impossible to search for, so I figured I’d try here…
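Added here as an illustration, not from any poster: the two things described above (an image name with no .exe that runs as SYSTEM, and a process that comes back under a new PID right after being killed) can be picked out mechanically from two `tasklist /V /FO CSV` snapshots taken a few seconds apart. The snapshots below are constructed in that shape, not real output from the infected machine.

```python
import csv
import io

# Constructed sample output in the shape of `tasklist /V /FO CSV` on Windows XP.
# Snapshot 2 is taken a few seconds after the "Windows" process was killed.
SNAPSHOT_1 = r'''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System","4","Console","0","236 K","Running","NT AUTHORITY\SYSTEM","0:00:12","N/A"
"explorer.exe","1532","Console","0","18,204 K","Running","PC\friend","0:00:03","N/A"
"Windows","2088","Console","0","412,880 K","Running","NT AUTHORITY\SYSTEM","0:02:41","N/A"
"svchost.exe","904","Console","0","4,120 K","Running","NT AUTHORITY\SYSTEM","0:00:01","N/A"
'''
SNAPSHOT_2 = r'''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System","4","Console","0","236 K","Running","NT AUTHORITY\SYSTEM","0:00:12","N/A"
"explorer.exe","1532","Console","0","18,310 K","Running","PC\friend","0:00:03","N/A"
"svchost.exe","904","Console","0","4,120 K","Running","NT AUTHORITY\SYSTEM","0:00:01","N/A"
"Windows","2916","Console","0","96,412 K","Running","NT AUTHORITY\SYSTEM","0:00:04","N/A"
'''

# Kernel pseudo-processes that tasklist always shows without an extension.
KNOWN_BARE_NAMES = {"System", "System Idle Process"}


def parse_tasklist(text):
    """Parse tasklist CSV output into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def suspicious_names(rows):
    """Image names that lack an executable extension and are not a known kernel
    pseudo-process. A real program always shows as something like name.exe."""
    return [r["Image Name"] for r in rows
            if r["Image Name"] not in KNOWN_BARE_NAMES
            and not r["Image Name"].lower().endswith((".exe", ".scr"))]


def system_owned(rows, name):
    """True if every instance of `name` runs under the SYSTEM account."""
    owners = {r["User Name"] for r in rows if r["Image Name"] == name}
    return bool(owners) and owners == {r"NT AUTHORITY\SYSTEM"}


def respawned(before, after, name):
    """True if `name` exists in both snapshots but with entirely new PIDs:
    the original was terminated and something relaunched it, which is the
    behaviour of a watchdog process rather than a program a user restarted."""
    pids_before = {r["PID"] for r in before if r["Image Name"] == name}
    pids_after = {r["PID"] for r in after if r["Image Name"] == name}
    return bool(pids_before) and bool(pids_after) and pids_before.isdisjoint(pids_after)
```

The same checks applied to real snapshots narrow the hunt to the companion process that relaunches it, which is the one the kill-and-watch loop never reaches.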
Interesting… I’ve not come across that one. For serious virus/malware infections, it’s often necessary to use a number of different AV programs in succession.
Another thing that might help is running Windows Update - as this also includes a malicious software removal tool.
Unfortunately, one of the spyware programs still installed has broken IE (constantly redirecting URLs), which in turn is preventing Windows Update from working (and also from updating Windows Defender with current signatures). I do have Firefox, so I’ll try some of the other anti-spyware packages…
Here’s a way to retrieve any of the data without having to boot up: go out and buy an IDE to USB adapter. They’re about $20. Disconnect and remove the problem drive from the case. Take it to a clean, working computer and connect it up to the USB port, with the host computer’s file scanning (for viruses) on full. The drive will now show up as an external storage device. Transfer any files your friend needs onto the clean hard drive. Back them up on a CD.
Then you can decide whether you’d still like to restore the infected drive, or just reformat it and start over. I’ve had to do this three times since last summer, but it works very well.
System Restore might help - if it’s switched on, and if you can restore back to a very early restore point.
But if it’s that broken, you probably should give up trying to fix it - get the data (documents and email folders, etc, but not programs) off it - onto a USB drive or some such, or temporarily install the HD from the machine in a different PC - then wipe and reinstall from scratch. It will be loads better.
FWIW I have been able to run Windows update from Firefox. I know it’s not supposed to work that way, but on my machine it does. Give it a shot.
You might also want to download and try Spyware Terminator, another free anti-spyware utility. It comes highly recommended from CNET. I find it catches some stuff that Spybot and Ad-Aware seem to miss.
I would advise you not to try to install any Windows updates until you have cleaned your computer of any spyware or viruses. Malware can interfere with the installation of Windows updates, resulting in new problems, or, worst case, an unbootable computer. Wait on the Windows updates until you have removed the spyware.
Try Avast and take the option of a boot-time scan. This will seek out malware that is inactive, as Windows isn’t running, and is therefore unable to activate another copy of itself as you delete one, nor replicate itself.
Sometimes they infect the Windows Restore files so running that just brings them back.
Give Firefox a try and go to the Malicious Software Removal Tool from Microsoft. Otherwise, try the external drive trick - that should work a treat. I just went to the link in Firefox, so it should work fine as it’s just a file download.
We do exactly this in our shop on a daily basis. That said, we do this on machines that have zero valuable data on them that we can reimage back to working condition in about 20 min if the infection should mess with the shop computer. Generally, if the machine you are using to run the scans has its AV apps up and running, you have only a minuscule chance of a problem.
I highly recommend the previous suggestion of SUPERAntiSpyware, it kicks 8 flavors of ass. Some others to look into if the standards fail: Trojan Hunter, AVG Anti-Spyware, and RogueRemover.