windows 8.1 malware and safemode help please

jaedaliu

Platinum Member
Feb 25, 2005
My mostly computer illiterate mother got sucked in by Windows Advanced Security Center. (http://malwaretips.com/blogs/windows-advanced-security-center/) She used to call me every time windows firewall warned about outgoing connections, and they were always safe, so on her new computer, she figured she could just click OK every time it popped up.

So, I devised a plan:

1) have her download SuperAntiSpyware portable version to a flash drive

2) boot into safe mode and use part 1 to remove the malware.

my problems:
1) I'm across the country, and have to talk her through it on the phone. She's doing okay with my instructions. Her weak English isn't helping, as she slowly reads every word in every window from top to bottom, but that's what I get to deal with.

2) This malware is superbly designed. The window is splashed across her desktop and start menu so that it covers almost everything. And when a new window is opened, the malware screen covers things up. I've tried to use different methods to get to safe mode, but the system doesn't work. Sometimes her clicks generate a "click in an invalid area" chime, sometimes a "torrent detected, download anonymizer now" window pops up instead of the desired window.

I tried to troubleshoot with her for a couple hours yesterday, then gave up and had dinner and tried to regroup.

Anyone have any hints? It's a cheapy Gateway that's mostly used for youtube viewing.

My planned approach for tonight:
1) try to get the system to boot off the stored Windows installer partition that's typically invisible within windows. I don't know if this computer has it. She has never made the restore CDs. Using this method, I hope to get her to safe mode.

2) That's all I have for today so far. If it fails, I'll let it stew until tomorrow before I get her to use the NUCULAR option.

My nuclear option for tomorrow:
1) factory reset via bios/alt boot. This is not an ideal outcome, as I don't know if the pictures saved on the computer will be erased. (not a huge deal as there are backups, but I won't be able to restore them for her until I visit home later this year)

tl;dr

1) I need help getting into safe mode
 

jaedaliu

Platinum Member
Feb 25, 2005
Whoops. wrong forum. This should be in computer help.

Mods, please move.

Done. Moved from OSes to Comp Help
-ViRGE
 

PliotronX

Diamond Member
Oct 17, 1999
If she cannot get into advanced startup through the charms bar, your only option is to attempt a repair installation. Microsoft stupidly disabled the F8 to safe mode by default. To try the charms way... my greatest fear of this change in Windows 8 startup behavior comes to fruition on a regular basis when a machine cannot boot in order to set it to boot into safe mode for troubleshooting purposes. If she happens to have the 8 installation media, the charms link also has steps for advanced startup through there but I have not had good luck with it.
 

Fardringle

Diamond Member
Oct 23, 2000
I agree with PliotronX's assessment that Microsoft STUPIDLY disabled the F8 at boot. However, I have had some (but not 100%) success bypassing ransomware viruses using Win+I to get to the recovery options through the charms bar.
 

VirtualLarry

No Lifer
Aug 25, 2001
I agree with PliotronX's assessment that Microsoft STUPIDLY disabled the F8 at boot.

And this, my friends, is why I would never want to run Win8. How can MS gimp Safe Mode? It was put into NT for a reason. When the @#%$ hits the fan, is when you need Safe Mode.
 

PliotronX

Diamond Member
Oct 17, 1999
We tried 1,2,3, and 5 yesterday to no avail.

Will see if 4 will work when created from another computer.

Thanks for the help, guys. Will update after tonight's attempts.
Holy cow that is some bad luck, 8 is an IT nightmare.

Can she even open a command prompt to run this:

bcdedit /set {default} bootmenupolicy legacy

And then F8 into SM?
 

jaedaliu

Platinum Member
Feb 25, 2005
Holy cow that is some bad luck, 8 is an IT nightmare.

Can she even open a command prompt to run this:

bcdedit /set {default} bootmenupolicy legacy

And then F8 into SM?

When I tried to get her to open the command prompt, she got some type of "Warning: Torrent Detected, press okay to download some type of anonymizer" I don't really know, I got tired of waiting for her to read the pop up and she said there was actually nothing to click. The Malware somehow reconfigured the command prompt command. I had her try win+R and also some right click via the charm menu, and what sounded like the same warning window popped up instead.
 

Ketchup

Elite Member
Sep 1, 2002
Can you get her to an earlier restore point? It won't totally get rid of the virus, but it might allow Windows to run enough that she can do an adequate Malware scan.

I recommend running Superantispyware and MalwareBytes with that one. Had a computer infected with the same thing over the weekend. I don't think it had as much time to infect as what you are dealing with.

As a side note, while I sympathize with your situation, I find your post very interesting. Many people in past threads were bragging about how much more 'protection' 8 has over the former Windows OS's. People seemed to say that about every new Microsoft OS. Why? The people who create this crap just need time to work around the 'protection.' Nothing more.
 

sm625

Diamond Member
May 6, 2011


The only way to explain the stupidity of Microsoft would be if everyone on the board of directors owned 100000+ shares of Apple stock. It has always been a pain to get into safe mode. I have several machines here in my lab right now and they all fail to enter safe mode in different ways. Usually they just ignore the keypresses. Sometimes it's because a USB keyboard isn't detected during the boot phase, which is beyond retarded. Especially when they've now gotten rid of the PS2 port. But sometimes the malware will actually disable safe mode. What Windows has needed since 1995 is a very simple, easy way to simply get to the file system so you can find and delete the malware executable. 99% of the time it's simply an exe that, if it were renamed or deleted, everything would be fine. But they make it so ridiculously hard to get into the file system. Even if you have the disc with recovery console, it's still faster to pop out the HDD and stick it in another PC just because it takes so frickin long to load the recovery console. Bleh.
 

Underclocked

Platinum Member
Oct 9, 1999
Does she own a thumb drive (USB flash drive) and will it open an explorer window when inserted?
 

jaedaliu

Platinum Member
Feb 25, 2005
Does she own a thumb drive (USB flash drive) and will it open an explorer window when inserted?

She does have one, but I asked her not to insert it due to fear of infection. My plan was to wait until entering safe mode before inserting.
 

Virgorising

Diamond Member
Apr 9, 2013
In this event, I would employ Combofix.

But I would not recommend that to a novice, much less someone at your mom's level.

Might she have a friend or a neighbor who is more computer savvy than she?
maybe a savvy offspring of a neighbor?

Someone who could maybe download Combofix, burn it to a disk and run it on her system?

Not even sure if that would be possible in light of this terrible insect.

If not, it does appear a clean install would be necessary.
 

Virgorising

Diamond Member
Apr 9, 2013
Can you get her to an earlier restore point? It won't totally get rid of the virus, but it might allow Windows to run enough that she can do an adequate Malware scan.

I recommend running Superantispyware and MalwareBytes with that one. Had a computer infected with the same thing over the weekend. I don't think it had as much time to infect as what you are dealing with.

As a side note, while I sympathize with your situation, I find your post very interesting. Many people in past threads were bragging about how much more 'protection' 8 has over the former Windows OS's. People seemed to say that about every new Microsoft OS. Why? The people who create this crap just need time to work around the 'protection.' Nothing more.


Brilliant in every element. Sad truths.
 

mindless1

Diamond Member
Aug 11, 2001
These days I don't even try to work with the infected OS booting, instead pulling the drive and scanning from another system, one where autorun is NOT enabled. If you can't mount the registry you won't get rid of the garbage in it, but you'll usually at least get rid of the executable files, even if they aren't detected and you have to resort to a file creation date... hackers could change that date but apparently most don't seem to think that is as important as other countermeasures.
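The pull-the-drive approach described above, as an added PowerShell example that is not from this thread or any poster: run elevated on the clean machine with the infected disk attached as E: (an assumption), it lists recently created executables in user-writable folders and temporarily loads the offline SOFTWARE and NTUSER.DAT hives to show their Run/RunOnce entries. The hive mount-point names are placeholders.

```powershell
# Added example (not from the thread): offline triage of a drive pulled from an infected
# Windows 8.1 PC and attached to a clean machine with AutoPlay disabled. Run elevated.
# Assumptions: the infected volume is mounted as E:; hive mount names are placeholders.
param([string]$Root = 'E:\', [int]$Days = 7)
$since = (Get-Date).AddDays(-$Days)

# 1. Recently created executables in user-writable folders. Creation date is the
#    fallback the thread mentions when a scanner does not flag the dropped file.
$dropZones = 'Users\*\AppData\Local', 'Users\*\AppData\Roaming', 'ProgramData' |
    ForEach-Object { Join-Path $Root $_ }
Get-ChildItem -Path $dropZones -Recurse -File -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since } |
    Sort-Object CreationTime -Descending |
    Select-Object FullName, CreationTime, Length |
    Format-Table -AutoSize

# 2. Temporarily load the offline hives and list Run/RunOnce entries, so registry
#    persistence can be inspected without booting the infected OS.
$hives = @(@{ Name = 'SOFTWARE'; Path = Join-Path $Root 'Windows\System32\config\SOFTWARE'; Prefix = '' })
Get-ChildItem (Join-Path $Root 'Users') -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $hives += @{ Name = "NTUSER_$($_.Name)"; Path = Join-Path $_.FullName 'NTUSER.DAT'; Prefix = 'Software\' }
}
foreach ($h in $hives) {
    if (-not (Test-Path $h.Path)) { continue }
    $mount = "OfflineTriage_$($h.Name)"              # placeholder key name under HKLM
    & reg.exe load "HKLM\$mount" $h.Path | Out-Null
    if ($LASTEXITCODE -ne 0) { continue }
    try {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "HKLM:\$mount\$($h.Prefix)Microsoft\Windows\CurrentVersion\$sub"
            if (Test-Path $key) {
                Write-Host "[$($h.Name)] $sub"
                Get-ItemProperty $key | Select-Object * -ExcludeProperty PS* | Format-List
            }
        }
    } finally {
        [GC]::Collect()                                 # drop handles so the hive unloads cleanly
        & reg.exe unload "HKLM\$mount" | Out-Null
    }
}
```

The listing is read-only apart from the temporary hive load; anything suspicious it surfaces should be verified against a scanner before deleting or renaming, since the creation-date heuristic also catches legitimate updates.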
 

PliotronX

Diamond Member
Oct 17, 1999
The only way to explain the stupidity of Microsoft would be if everyone on the board of directors owned 100000+ shares of Apple stock. It has always been a pain to get into safe mode. I have several machines here in my lab right now and they all fail to enter safe mode in different ways. Usually they just ignore the keypresses. Sometimes it's because a USB keyboard isn't detected during the boot phase, which is beyond retarded. Especially when they've now gotten rid of the PS2 port. But sometimes the malware will actually disable safe mode. What Windows has needed since 1995 is a very simple, easy way to simply get to the file system so you can find and delete the malware executable. 99% of the time it's simply an exe that, if it were renamed or deleted, everything would be fine. But they make it so ridiculously hard to get into the file system. Even if you have the disc with recovery console, it's still faster to pop out the HDD and stick it in another PC just because it takes so frickin long to load the recovery console. Bleh.
Very true, those USB-to-SATA adapters are a must in any toolkit for this reason. However, try instructing from across the country an older person from a mostly foreign tongue how to remove a hard drive to run an MBAM scan :D Not to be snide but this is an effed up situation caused directly by one of the worst changes MS made in 8. True, malware can prevent F8 functionality but that is a rare occurrence.
 

Underclocked

Platinum Member
Oct 9, 1999
I would have her get RKill.com, JRT.exe, and Combofix put on that thumb drive using a clean computer at a friend's or the library, plug that stick in and run them in that order. Seems to me there isn't much to lose at this point.
 

Virgorising

Diamond Member
Apr 9, 2013
I would have her get RKill.com, JRT.exe, and Combofix put on that thumb drive using a clean computer at a friend's or the library, plug that stick in and run them in that order. Seems to me there isn't much to lose at this point.

I totally ditto this. And, as I posted somewhere, I would start with Combofix, I think. But it's not for novices. Again, might there be someone she knows who is more puter savvy than she?

Not much to lose is the foundational truth.:|
 

jaedaliu

Platinum Member
Feb 25, 2005
update:

Phone-based tech support failed. She wasn't able to get to BIOS or system recovery or anything like that. Either my instructions to her were too vague, or her key presses too slow, or something. She's taking it to my sys admin cousin that lives in the area for help.

It'll cost my mom a lunch and maybe a small red envelope. (standard Taiwanese gift of cash)