Any suggestions re removing a virus running in memory?

Ken90630

Golden Member
Mar 6, 2004
1,571
2
81
A friend has an IBM ThinkPad laptop running XP Home. It's infected with a virus that's running in system memory. The machine is agonizingly slow (big surprise). A regular virus scan with NOD32 detects the virus but can't clean or quarantine it 'cuz it's running in memory.

I've never run across a virus running in RAM before. Any suggestions re what I might run into trying to fix it? I ran HijackThis! and cleaned up about 10 problems (red "X"s), but NOD32 is still giving me the "virus running in system memory" indication. How do you get a virus out of RAM?

My plan is to remove the laptop's HD, hook it up to my PC as an external drive, then scan (& hopefully clean) the drive with my PC. But will that detect the virus since I won't be scanning the infected laptop's RAM? I figure it has to be on the HD and reloading itself at every bootup, 'cuz otherwise the virus would disappear from RAM when the laptop is powered off.

Any tips/suggestions before I attempt to slay this dragon? Am I looking at a possible boot sector virus, and if so, what are the implications of that?
 

MagnusTheBrewer

IN MEMORIAM
Jun 19, 2004
24,122
1,594
126
A virus may be running in RAM, but it doesn't live there. Otherwise, when you turned off the computer, it would disappear. Run HijackThis again. Scan online at TrendMicro.
 

mrblotto

Golden Member
Jul 7, 2007
1,639
117
106
If the virus is truly in 'RAM' then simply turning off the machine will clear it. However, there is a strong possibility that there is a file or files still on the HD responsible for the virus in the first place. Following are a couple of suggestions. I know there are many, many other ways to do this, but here are the couple that I myself would try first:

1. Download CCleaner and Malwarebytes from another machine. Also download the def updates for Malwarebytes as well:
http://data.mbamupdates.com/tools/mbam-rules.exe

2. Copy CCleaner, Malwarebytes, and the updated malwarebytes defs to a thumb drive

3. Start the 'infected' machine in Safe Mode. Install CCleaner, paying attention to uncheck all BUT the top boxes (keep 'create desktop shortcut' checked). You don't need any more junk starting up than you have to, lol.

4. Run CCleaner. You may want to check the 'clear out prefetch' box as well. Just scroll down till you find it. Mash the 'analyze' button. It may take a few mins, it may take 45 mins... it all depends on how much temp junk there is. After it's done analyzing, mash 'run cleaner', click 'yes/ok/proceed/whatever' on the generic warning box, then let it delete the stuff.

5. Don't reboot yet. Install Malwarebytes, making sure to uncheck both the 'run malwarebytes' and 'check for updates' boxes. Then install the updated defs. Mash 'quick scan', which... again... may or may not be quick... lol. After it's done scanning, see what it found, then, if you're comfortable with removing all that it found, mash 'remove selected'. It'll do just that. Then it will probably want to reboot.

6. Reboot the machine (normal mode). Again start Malwarebytes, but click on the 'update' tab and mash the 'check for updates' button. Let it download the update, then run another quick scan. Hopefully that does the trick.

If not, option 2 is like you said: slave the drive out and run a scan on it (wouldn't hurt to run Malwarebytes on it while it's slaved too, but as far as I can tell, you can't run a 'quick scan' with the freeware version, so be prepared to go do something else for a long time if you decide to scan it with Malwarebytes).

good luck!
 

bruceb

Diamond Member
Aug 20, 2004
8,874
111
106
I agree, you must do the scans in Safe Mode. Also do not use the antivirus currently installed. It will likely not find it. Disable it and run either Avira or Avast to see what it finds. And clear out all the Temporary Files for all users and also those under
C:\Windows\Temp and C:\Windows\Prefetch
Do you know the name of the virus? It may help us locate specific removal directions.
It must have created a file somewhere and a Registry Key that keeps loading it.
 

Devilpapaya

Member
Apr 11, 2010
146
0
0
If the virus is truly in 'RAM' then simply turning off the machine will clear it. However, there is a ...<clipped>


I agree with this, other than Malwarebytes isn't the end-all AV/AS program. It's good, but it won't always find everything.

Spybot is great at removing spyware and small threats that cause security holes.

Run your AV of choice (MSE and AVG are both free and can be run in Safe Mode).

Also, if you run Safe Mode with Networking, you can download the updates right away and save yourself some time.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Hunting down and removing malware is getting to be a real PITA, can happen to anyone nowadays, and favorable results are far from guaranteed.

You might consider biting the bullet and reformatting and reinstalling Windows and your applications and data one last time. Then get some good system imaging software and make ongoing backups of your system. Next time you get contaminated, just restore the latest image. That's MUCH faster than trying to remove most malware infections and the results ARE guaranteed.

There are also other precautions you can take:

Add Software Restriction Policies
Use non-Administrator accounts for everyday use
Run your web browser in an isolated window using things like Sandboxie
 

Ken90630

Golden Member
Mar 6, 2004
1,571
2
81
Thanks for the suggestions, everyone. After considering the options, I decided to just hook the infected drive to my PC, as an external drive, and scan it that way. Sure enough, it had a trojan and a rootkit on it (the latter of which probably wouldn't have been detected by a native scan). At that point, I just backed up his files and used the factory recovery option to reformat the HD and re-install the O.S. Took forever (you know how long it takes to do all the Microsoft Updates after a Win XP install), but at least the malware is gone.