TGS Complete Malware/Virus Removal



TheGreatSatan
04-23-2010, 06:33 PM
Complete Malware/Virus Removal Guide

For this and future removals ONLY USE A DISK! Put all of these programs on a CD from a clean system before you start. Flash drives can easily become compromised by the infected PC.

http://www.pcmodhouse.com/sitebuildercontent/sitebuilderpictures/av2009.jpg

Malware isn't detected by spyware programs or your anti-virus. It sneaks in and disables your Anti-Virus. It then creates a virus building center and pumps out viruses. Vundo (http://en.wikipedia.org/wiki/Vundo) is the most common of the fake alert (http://en.wikipedia.org/wiki/Rogue_software) viruses. It tells you that you have a virus and that their software is the cure, when actually they are the virus! Usually, it's just an effort to get you to buy their software. What you get is more of the same headaches and now they have your credit card number too!

http://www.pcmodhouse.com/sitebuildercontent/sitebuilderpictures/securitytool.jpg

Every day I deal with viruses head on and usually win. Worst case computers are usually easier to wipe and then reload Windows. I'm going to show you how to easily remove malware and viruses and the best part is it'll all be FREE! When you are a victim of Malware, take these steps to be rid of it once and for all.

1.

Do not use Anti-Spyware programs. Spybot, AdAware, and SuperAnti-Spyware are useless for malware removal. Even Anti-Virus programs won't help here. When you run your Anti-Virus program (if the Malware even lets you do so), you'll only be removing the viruses. It sounds like a good idea, but once you reboot, the Malware will detect the absence of the viruses and make more. The Malware MUST be dealt with first!

2.

First, let's use the system configuration utility to disable it and anything else we don't need running. Be sure to check inside the Startup and Services tabs. Even if you use an iPod, you do not need the software running during this removal. You may even have to boot into Safe Mode (continuously pressing F8 on boot up) to get MSConfig to open.

RUN, msconfig

http://www.pcmodhouse.com/sitebuildercontent/sitebuilderpictures/run.jpg

Disable anything that doesn't look like it belongs

http://www.pcmodhouse.com/sitebuildercontent/sitebuilderpictures/hijack.jpg

Sometimes the malware is just a blank entry or one with random letters and numbers. Uncheck it and anything else you don't actually need running.

Press OK and reboot.

3.

Install Malwarebytes (http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol), make sure it's updated, then run a quick scan. You may even have to run this program in safe mode on the first try because the Malware programs aren't stupid. They will try to stop you! If it doesn't let you install it, just drag the executable to the desktop and rename it anything: XYZ is just fine.

Some versions of these Fake Alerts are clever enough to delete the launching icon for Malwarebytes in your Program Files folder. Your desktop shortcut then becomes an orphan and totally useless.

http://www.pcmodhouse.com/sitebuildercontent/sitebuilderpictures/mbam.jpg

In this case, install Malwarebytes on any other computer. Then open its Program Files and copy the launcher that you're missing on the infected PC. Burn it to a CD, NOT A FLASH DRIVE!! Put the CD in the infected computer and drag the launcher into the Malwarebytes folder where it belongs.

If you had used a flash drive then the Malware would delete it again and infect the flash drive. Then you would try to recopy the link again and infect the other system too!

http://www.pcmodhouse.com/sitebuildercontent/sitebuilderpictures/mbam_folder.jpg

If the infection doesn't let you install Malwarebytes at all, then you need RKill (http://download.bleepingcomputer.com/grinler/rkill.com). This is a program that will stop all Malware programs from running. It will not delete the malware itself, just the active processes.

http://www.pcmodhouse.com/sitebuildercontent/sitebuilderpictures/rkill.jpg

Malwarebytes will take anywhere from 5 minutes to an hour to run; it just depends how many total files are on the system.

http://www.pcmodhouse.com/sitebuildercontent/sitebuilderpictures/infected.jpg

When Malwarebytes finishes scanning click Show Results.

On the next screen it will show all of the infections and automatically place a check mark next to each entry. Just click Remove Selected and it will do so.

You will probably be asked to reboot once this is done.

http://www.pcmodhouse.com/sitebuildercontent/sitebuilderpictures/malware.jpg

4.

After a fresh restart, hopefully all of the obvious Malware is gone. Now it's time to deal with the leftover viruses.

I've used dozens of Anti-Virus programs over the years and I've had the best of luck with Avira. The free version is actually just as effective as the paid one. Install and run Avira (http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?tag=mncol). It's preferred that you update it before running, but it's been known to find a lot with old definitions.

http://www.pcmodhouse.com/sitebuildercontent/sitebuilderpictures/avira9.jpg

5.

If you have a 64-bit system, skip to step 6.

On 32-bit OSs run ComboFix (www.combofix.org) to unscrew all the Windows problems left by the infection. On this screen (http://www.combofix.org/download.php), right click combofix.exe and choose Save Target As. If you just made the CD before the infection you'll be fine. ComboFix expires at least every month, so you always need to make sure that you have the latest copy.

If you don't, but at least have an active internet connection, it may update itself before starting. I've seen cases where it doesn't, too. ComboFix will delete all of your old restore points, so at the end you'll need to make a new one.

http://www.pcmodhouse.com/sitebuildercontent/sitebuilderpictures/combo.jpg

6.

Install Advanced System Care (http://download.cnet.com/Advanced-SystemCare-Free/3000-2086_4-10407614.html?tag=mncol) and run it to clean up all the remaining junk.

http://www.pcmodhouse.com/sitebuildercontent/sitebuilderpictures/asc.jpg

All you have to do is click the blue circle that says Care! The program will scan for and automatically fix:

Spyware
Registry
Privacy
Junk Files
System Optimization
Security Defense
Disk Defragmentation

It will also perform a security analysis that gives you a report of the running programs. You can use this information to kill rogue programs, similar to HijackThis. The problem is, if you are not sure what you are doing, you can easily damage Windows.

I would advise against using this feature unless you are an expert.

We just covered removal of Malware and Viruses. We used Malwarebytes (http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol), ComboFix (http://combofix.org/downloadlink.php), Avira (http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?tag=mncol), RKill (http://download.bleepingcomputer.com/grinler/rkill.com) and Advanced System Care (http://download.cnet.com/Advanced-SystemCare-Free/3000-2086_4-10407614.html?tag=mncol). All of these programs are FREE and are available at CNet (www.Download.com), with the exception of Combofix. There are plenty of bogus websites that claim they have ComboFix, but I only recommend that you get it from the link above.

Once you are done, it's the best time to create a new restore point.

If you've done all of the above and still have the same problems, I suggest you wipe your system and start over. If you can recover your files, burn them to CDs or DVDs. After you have a clean install with Malwarebytes and Anti-Virus software on the new system, scan each backup disk separately to ensure there is no Malware hiding on the disks.

knowledgegranted
04-23-2010, 11:00 PM
Thank you so much for this guide. Recently I have been brought to some random sites when clicking links off of Google. This no longer happens; I think it was probably malware designed to direct traffic somewhere so someone could make some money.

Thanks again!

diluzio91
04-24-2010, 01:52 PM
Nice guide, I work in the IT office. Another good tool to have in your arsenal is rkill.com files... they help with self replicating viruses. +rep

billygoat333
04-25-2010, 02:59 AM
good guide. :)

dr.walrus
04-25-2010, 08:02 PM
> Malware isn't detected by spyware programs or your anti-virus. It sneaks in and disables your Anti-Virus.

What definition of the term 'malware' are you using? Malware is any class of software that is deliberately harmful, including viruses, trojans, worms, spyware, keyloggers etc, and these can quite certainly be picked up by anti-virus software and by no means do they all disable anti-virus software...

TheGreatSatan
04-26-2010, 09:53 AM
Uh no, not usually. Nearly every case I've ever dealt with (We're talking hundreds), the malware comes in undetected by your Anti-virus. It then disables your AV's ability to remove it and then wreaks havoc. It usually fools Windows into thinking that it is legit and then even Windows recommends you use their software.

Sure, once in a great while AV does work. It'll remove the virus/malware, but never all of the malware in the system, because 99% of AVs are not designed to look/detect them.

Thanks for the reps everyone.

diluzio91
04-26-2010, 12:17 PM
I'll second TGS. When we have computers come into the shop with something like XP Antivirus 2010 or Vista Security, etc etc, the antivirus hasn't even blinked at it. We have Symantec, some AVG, and some McAfee, and all of them get hoodwinked by something that an end user wants to click on. I have seen some that actually show the antivirus's .exe file as being infected. lol... makes me laugh.

dr.walrus
04-26-2010, 03:17 PM
> 99% of AVs are not designed to look/detect them.

A virus is a form of malware. Anti-viruses are designed to detect viruses, surely?

diluzio91
04-26-2010, 04:09 PM
An anti-virus is normally made to stop viruses from infiltrating the system, and to catch viruses that are piggybacked onto another program, cookies, etc. But when malware is installed it is an actual program that performs the function that is virus-like, and many anti-viruses can't handle them or remove them once they are installed. So yes, they detect viruses, but they unfortunately can't detect end user ignorance (not being used in a condescending manner, just expressing lack of knowledge). Except McAfee, which knows that merely booting your computer is a threat to your security...

dr.walrus
04-26-2010, 04:24 PM
> when malware is installed it is an actual program that performs the function that is virus like.

Basically, no. You're using the term malware incorrectly.

Malware is a 'catch-all' term used to describe all forms of malicious software. A virus is malware. A trojan is malware. A worm is malware. The original post keeps drawing a distinction between 'malware' and 'viruses'. This isn't correct.

mDust
04-28-2010, 01:00 AM
> Basically, no. You're using the term malware incorrectly.
>
> Malware is a 'catch-all' term used to describe all forms of malicious software. A virus is malware, A trojan is malware. A worm is malware. The original post keeps drawing a distinction between 'malware' and 'viruses'. This isn't correct.

The OP was using the term 'malware' to refer to a type of executable that is malware. It's used broadly but not incorrectly. I'm sure people that read this will figure that out and it won't be a big deal.

I have no viruses or malware on either of my computers...wth are people clicking on to have 787 infected files? Geez! I had a roommate years ago that had an old computer with over 5000 infected files...I recommended he wear a bio-hazard suit when formatting that sucker.

dr.walrus
04-28-2010, 08:42 AM
> It's used broadly but not incorrectly.

No, it's used totally incorrectly. Viruses are described by the OP as independent of malware, and malware is used as a term to describe a specific type. The guide describes a pretty solid method of removing a particular type of rootkit infection (albeit a common problem being that this type of infection is the type that can't be dealt with using the standard technique of 'install/run *** anti-virus software').

Why not use a simpler method - remove the hard drive and put it as a slave in a secondary system. Run an antivirus with good detection rates on it (I favour Kaspersky, and bulk licenses cost almost nothing), because the concealment techniques the executables use won't work if you're not booting from the infected drive. Much quicker, albeit with a bigger chance of registry or system file degradation, but if the computer is rescuable you should just be able to repair the OS install. For best results, scan it using several different types of detection software.


> wth are people clicking on to have 787 infected files

In my experience, in order of probability
1) Young men who haven't discovered streaming porn sites
2) P2P file sharing, mainly illegal software
3) Those links that say 'ZOMG YR COMPUTER IS INFECTED' (I paraphrase)
4) Unfiltered spam emails

My antivirus scans every executable and every email, checks every hyperlink in my web browser and is set to automatically block and quarantine. Five Kaspersky licenses cost £10 off eBay, and it has the best rootkit detection rate (active and inactive) in the industry.

mDust
04-28-2010, 04:36 PM
> No, it's used totally incorrectly. Viruses are described by the OP as independent of malware, and malware is used as a term to describe a specific type.

He never defined either term. The only way I would have it changed is to refer to "viruses and 'other' malware". There is other malware that are not rootkits that antivirus programs don't find...so I'm not sure what the issue is here.


> In my experience, in order of probability
> 1) Young men who haven't discovered streaming porn sites
> 2) P2P file sharing, mainly illegal software
> 3) Those links that say 'ZOMG YR COMPUTER IS INFECTED' (I paraphrase)
> 4) Unfiltered spam emails

I guess that's why I don't get any viruses...I don't do any of those things.

I have noticed that even legit software nowadays tries to install browser toolbars, change your homepage, monitor your web activity, install additional unwanted programs which usually mess with Windows defaults, and random other shady things. It used to be you could just keep clicking 'next' through any installation process and not worry about a thing...now it's much wiser to read what's going on. What 'ware' is between malware and legit software?

dr.walrus
04-28-2010, 05:46 PM
I'm not going to argue this any more, but I'll leave this to speak for itself:

> Malware isn't detected by spyware programs or your anti-virus. It sneaks in and disables your Anti-Virus. It then creates a virus building center and pumps out viruses.

Drum Thumper
04-28-2010, 07:19 PM
> What 'ware' is between malware and legit software?

Bloatware. Ever seen a fresh install from a major vendor? All that **** that you don't need and is guaranteed to slow your system to a crawl. Take AOL for example: hijacks nearly everything related to TCP/IP, and is an utter bitch to remove.

I've got an article that I started back in January regarding different types of attacks (DDOS, scareware, fake AV suites, worms, trojans and the like) along with a condensed history of virii in the computer sense. Perhaps I will dust off what I have so far and finish it up.

Now, as far as this whole malware argument...I have to side with dr. walrus. From Wikipedia:

> Malware, short for malicious software, is software designed to infiltrate a computer system without the owner's informed consent.

And from the same article, two sentences later:

> The term "computer virus" is sometimes used as a catch-all phrase to include all types of malware, including true viruses.

I would also add to this that if you follow this (or any other guide on here), TBCS will not be held responsible for any damages caused.

dr.walrus
04-28-2010, 08:56 PM
> I've got an article that I started back in January regarding different types of attacks (DDOS, scareware, fake AV suites, worms, trojans and the like) along with a condensed history of virii in the computer sense. Perhaps I will dust off what I have so far and finish it up.

I could have done with that with my malware research project last year! Though I don't think my tutor would be mad keen on the reference (TheBestCaseScenario, 2010) ;)

Drum Thumper
04-28-2010, 11:23 PM
> I could have done with that with my malware research project last year! Though I don't think my tutor would be mad keen on the reference (TheBestCaseScenario, 2010) ;)

This paper would not have been peer edited, so your prof might have had a bit of an issue there. However, I was/am planning on putting all my references at the end, APA style.

dr.walrus
04-29-2010, 07:15 PM
> This paper would not have been peer edited, so your prof might have had a bit of an issue there. However, I was/am planning on putting all my references at the end, APA style.

Well, with this type of reference, peer review isn't an issue if the source is just reporting. You mean your work constitutes original research?

TheGreatSatan
04-30-2010, 06:15 PM
What a lively discussion!

TheGreatSatan
05-11-2010, 08:33 PM
In the pic above I used my biggest hit count with Malwarebytes, 787. I just worked on a computer that had 790!!