Virus / Malware preventing access to Anti-Virus (and other) sites

Started by Gypsy, January 23, 2018, 11:09:03 AM


Gypsy

Yesterday, I discovered that my desktop (a Dell XPS) had gotten a virus.

I was using AVG, with real time protection.  A scan did not reveal any threats.

The first indication was that my computer started repeatedly typing the letter 'e' in any open text box, or program where the cursor was blinking (like MS Word).  It would type it a few hundred times, and then I could get it to stop for a bit.

I thought it was the keyboard at first, but I replaced the keyboard, and it did not fix the problem.

Then, while looking for a solution, I found that I couldn't access certain sites, including any anti-virus site, or even Microsoft.com.  It would tell me that the site wasn't found.  I then tried using a USB drive to re-install my anti-virus, and that was blocked as well.

I was finally able to run SuperAntiSpyware from a USB drive, and that found 131 tracking cookies, which it deleted.  That seemed to fix the repeating 'e' problem, for whatever reason.  It did not fix the site blocking.

I tried to restore from a restore point, but it would not work.  I kept getting a message saying the restore did not complete because it could not access a file that was in use by an anti-virus program.

I tried to Restore Windows 10, saving my files.  That would not complete either.

When that failed, I tried going into Task Manager, and ending every process that I did not recognize.

That allowed me to get to the anti-virus sites.  I downloaded Avira and ran it.  It recognized no threats.  I ran Malwarebytes again.  No threats. 


I rebooted, and again, my access to these sites was blocked until I again used Task Manager to end every process I didn't recognize.  There's nothing in my Startup that I don't recognize at this point.

I then used RKill, and ran the scans again -- no threats.  When I rebooted, access was blocked again.

-------------------------------

I'm going to try to narrow down the processes next to find out exactly which one it is -- but I thought I'd ask and see if anyone had any experience with this type of virus and might point me to a fix.  I've tried searching based on the symptoms, but I'm not finding much of anything that's not pre Windows 10.

AmberStarfire

The tracking cookies shouldn't have any impact. It sounds like one of the processes is doing it.

I'd try Panda Cloud Cleaner. I think you can use it for free: https://www.pandasecurity.com/usa/support/card?id=1674

It can remove some viruses that traditional software can't if a program's being blocked.

I'd also have a look at the 'Uninstall a Program' list on Windows. You might find some things there have been installed that you don't need/want.

If you like I could give you a screenshot of my processes list so you know which ones probably ought to be there (or are optional but not virussy - hopefully)?


Vekseid

On a known-clean machine, download malwarebytes and its updates to a usb drive, along with FRST: https://support.malwarebytes.com/docs/DOC-1318

Boot into safe mode. Safe mode with Command Prompt isn't listed here, but it's what I use for 'emergency recoveries'. If it isn't available for you, use safe mode with networking.

Note that the command prompt only version keeps even certain accelerating drivers from being loaded, so your computer will be much, much slower. It's let me recover some machines in scenarios where nuke and pave wasn't feasible, though.

Anyway, run these programs while in safe mode.


Gypsy

After much frustration and cursing, I've made some progress.  Thanks for the suggestions!  :-)

Multiple anti-viruses, including those run with USB boots, found nothing.

I was never able to get the computer to start in Safe Mode.   (This was a Windows 8 machine originally, an all in one, and when we upgraded to Windows 10, it seemed to have triggered a flashing screen issue that is most prevalent before Windows 10 starts.  In the BIOS setup, it doesn't flash, but in all the 'options' for starting, and repair screens, it flashes on and off so that you're trying to read options a couple of letters at a time).  I could never find a '4' option in the restart, or a point where F4 did anything.

Once the scans found nothing, I sat down and started killing processes, manually, one at a time, and then tested by trying to go to the Avast website. 

The one that was blocking sites was identifying itself as Killer Network Service.   Stopping that process allowed me to reach the antivirus sites.

This was showing in my Windows Startup as a 'disabled' startup, but it was starting up anyway.

After checking out 'Killer Network' on another computer, and finding some info that some malware identifies as the program, I deleted the folder and the shortcuts identified and everything I could find that was related, and emptied my recycle bin.

After rebooting, at least so far, I'm not getting automatically blocked from the anti-virus sites. 

I found Killer Network Suite in my Control Panel/Programs and Features.  Trying to uninstall brought up an install screen with a prompt to disable antivirus software.  (It looked funky as hell rather than professionally done).

Using RegEdit to help, I tracked down every instance of Killer Network I could find in my computer -- files, temp files, and registration keys and deleted them all.

Now that that's done, I'll keep working on trying to get into Safe mode and then run scans again.

Mostly just mentioning it again in case anyone else has a similar problem, and finds 'Killer Network' on their computer.


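As an added example, not written by anyone in this thread: a PowerShell script a defender can run on Windows 10 to check the three things the thread turns on before stopping or deleting anything, namely whether the security-vendor sites resolve and answer on 443, whether the hosts file overrides them, and which publisher signed the executable behind a running service (such as the one Gypsy found). The domain list and the `*Killer*` display-name filter are constructed sample values; it assumes Windows PowerShell 5.1 run as Administrator.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1, run as Administrator.
# Constructed sample list of sites the original poster could not reach.
$Domains = @('www.microsoft.com', 'www.avast.com', 'www.malwarebytes.com')

# 1) Does each site resolve, and does TCP/443 connect? A DNS failure with a working
#    connection to a raw IP points at name resolution (hosts file, DNS settings, filter driver).
function Test-SiteReachability {
    param([string[]]$Names)
    foreach ($n in $Names) {
        $dns = Resolve-DnsName -Name $n -Type A -ErrorAction SilentlyContinue
        $tcp = Test-NetConnection -ComputerName $n -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $n; Resolves = [bool]$dns; Addresses = ($dns.IPAddress -join ','); Https = $tcp }
    }
}

# 2) Any non-comment hosts-file line that mentions one of the sites is an override worth reviewing.
function Get-HostsOverrides {
    param([string[]]$Names)
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts | Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() } |
        Where-Object { $line = $_; $Names | Where-Object { $line -match [regex]::Escape($_) } }
}

# 3) For running services matching a display-name filter, show the binary path, its
#    Authenticode status and signer, so an unfamiliar service can be identified before it is stopped.
function Get-ServiceSigners {
    param([string]$NameFilter = '*')
    Get-CimInstance Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.DisplayName -like $NameFilter } |
        ForEach-Object {
            # PathName may be quoted and may carry arguments; keep only the executable path.
            $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($_.PathName -split ' -| /')[0] }
            $sig = if ($exe -and (Test-Path $exe)) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
            [pscustomobject]@{
                Service   = $_.Name
                Display   = $_.DisplayName
                StartMode = $_.StartMode
                Path      = $exe
                Status    = if ($sig) { $sig.Status } else { 'FileMissing' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

Test-SiteReachability -Names $Domains | Format-Table -AutoSize
Get-HostsOverrides -Names $Domains
Get-ServiceSigners -NameFilter '*Killer*' | Format-Table -AutoSize
```

Run it once with the suspect service running and once after stopping it; if the reachability table changes but the hosts file is clean, the service itself (or a driver it loads) is what is interfering with name resolution.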

Regina Minx

With a virus this pernicious, I'm almost wondering if it's worth backing up your important documents and data and nuking and paving the hard drive.

NightLux

Quote from: Regina Minx on January 24, 2018, 01:28:35 PM
With a virus this pernicious, I'm almost wondering if it's worth backing up your important documents and data and nuking and paving the hard drive.

That was my exact thought.  Or, even better, take this as an opportunity to upgrade your hard drive to something bigger/SSD...

Gypsy

It's an all in one, and not all that wonderful when it comes to modifications or repairs, and it weighs a friggin' ton.   My hubby bought it, and then decided he didn't like it all that much,  so I kept it for a 'central location' sort of storage machine.  If I have to reinstall everything, I will probably just buy myself a cheap desktop without all the gaming bells and whistles for probably about what it would cost to put in a new hard drive and OS.

I think, however, that I've gotten all the bits and pieces of the virus off. 

Regina Minx

Wiping the hard drive and reinstalling the OS should be free, no?

Gypsy

Well, it would be if I had a restore disk.   :-)  But following up with Dell to find out if I can purchase one now is probably a worthwhile endeavor.



Cryptic

I'd seriously suggest that, though it can get quite expensive. I had to do that a few years ago and they charged me $60 US. Just wow, but at least it's in a safe place for those rare occasions that I really need to get it done.

Regina Minx

Quote from: GypsyRose on January 25, 2018, 08:17:25 AM
Well, it would be if I had a restore disk.   :-)  But following up with Dell to find out if I can purchase one now is probably a worthwhile endeavor.

Doesn't Windows have the recovery partition built into the hard drive? I know that Apple stopped issuing physical media for their OS starting in 2014, and I thought Microsoft had done the same thing since Windows 8.

Cryptic

Normally they do, but sometimes the virus can get into that area as well so she would have to do the same thing all over again when it started acting up again. Having the physical discs guarantees that there is no virus on it.

Regina Minx

Quote from: Cryptic on January 25, 2018, 08:53:46 AM
Normally they do, but sometimes the virus can get into that area as well so she would have to do the same thing all over again when it started acting up again. Having the physical discs guarantees that there is no virus on it.

Which is why Apple also has an Internet Recovery option, I suppose.

Gypsy

I tried the built-in restore -- both restoring the computer from an earlier restore point, and 'rebuilding Windows' from the pre-Windows boot screen, but neither one worked - they couldn't complete because files couldn't be accessed.

Of course, the outcome might be different now, if I have indeed gotten the virus squashed. 

Cryptic

Yea, but kinda hard to access when the virus doesn't let you.