
Malware removal guide

PostPosted: May 29th, 2011, 11:20 am
by Klinc
For those who struggle to get pesky malware off their system, here is an easy guide to follow that removes most malware.

REMEMBER, IF IT'S A FILE INFECTOR LIKE VIRUT OR SALITY THEN THIS WILL NOT WORK. YOUR ONLY WAY WILL BE TO USE A BOOT DISK LIKE HIREN'S BOOT CD AND SCAN YOUR SYSTEM OFFLINE.
Here is how to make a USB boot disk with it

Or you can use the Dr. Web Live CD

Remember, Virut contains a bug in its code making any file it infects close to impossible to disinfect. A complete format and OS reinstall is advised with Virut.

Here is some info about this nasty polymorphic virus:
http://www.helpmyos.com/t879-virut-information
http://free.avg.com/us-en/66558

Follow these steps; do not skip any!!

Make sure you're in normal mode first. Go to Start -> msconfig (remember to right-click and Run as administrator), then make sure Normal startup is selected. If not, select it and boot into normal mode. If you can't boot into normal mode, then run in safe mode.

1. Enable Windows Firewall

Go to the cmd prompt (run as administrator) and enter the following commands one by one:

ipconfig /flushdns
netsh winsock reset
netsh winsock reset catalog
netsh interface ip reset
netsh firewall reset


Then reboot your computer.

If you have browser redirection problems, download GooredFix from one of the locations below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

Ensure all Firefox windows are closed.

XP users: run the tool by double-clicking it.

Windows 7/Vista users: right-click it and select Run As Administrator.

When prompted to run the scan, click Yes .

GooredFix will check for infections, and then a log will appear.

If you have multiple antivirus applications installed, remove one. Same with firewalls. Only have one AV solution and one firewall solution on your PC.

3. Cleaning
First go to Add/Remove Programs and look for entries like these:

MyWay or MyWay Search Assistant
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Viewpoint Toolbar
Viewpoint Toolbar (Remove Only)

Download the latest version of Java and save it to the desktop. Do not save anything under My Documents or in a temp folder.

Do not install it yet. You have to remove older versions of Java first. You can do it with one of the following two methods:

FIRST METHOD
Download JavaRa to your desktop and unzip it to its own folder.

Run JavaRa.exe (Vista users! Right-click on JavaRa.exe and click Run As Administrator), pick the language of your choice and click Select.
Then click Remove Older Versions.
Accept any prompts.

2ND METHOD
Go to Add/Remove Programs and uninstall all your older Java versions first. When everything is uninstalled, install the latest version.
Same with Adobe Flash. Use the Adobe Flash Uninstaller to uninstall it, then install the latest version of Adobe Flash.

Remove all the files from your antivirus quarantine and empty your Recycle Bin.

Download and Install CCleaner

Install it and run the cleaner once. When you're done, close it.

4. Disable disk emulation tools
Disable any disk emulation tools like Daemon Tools, PowerISO, etc. It's very important; do not skip this!
To do this, download Defogger.
Run it. Click on the Disable button, and when it asks to reboot, click Yes.
Download the following applications and save them to the desktop. Make sure your time and date are correct!

DO NOT RUN ANY OF THEM UNTIL INSTRUCTED

Just note: when you download and run RKill, certain anti-virus programs may state that the program is a security risk. This is because some of the tools used by RKill can be used for good or bad; though the programs themselves are perfectly harmless, most anti-virus programs just lump them into the bad category.

RKill.com Download Link
RKill.exe Download Link
RKill.scr Download Link
eXplorer.exe Download Link
iExplore.exe Download Link
WiNlOgOn.exe Download Link
uSeRiNiT.exe Download Link

Note: eXplorer.exe may trigger an alert from MBAM. It can be ignored and is safe.
The other filenames are RKill as well, just renamed in order to allow it to run past certain malware.

SUPERAntiSpyware
Malwarebytes
ComboFix (IMPORTANT: RENAME IT TO JeniP.com when saving it TO the desktop)
TDSSKiller
MGtools

Disable your security software. If you're using Windows Firewall, leave it enabled. For third-party firewalls, it's best to disable them as they can interfere with the cleaning.

If you've got Spybot Search and Destroy, make sure its TeaTimer is disabled. VERY IMPORTANT!!!!!

If you have AVG antivirus installed, download the AVG Uninstaller and uninstall it.

For Vista users, disable UAC:
1. Click Start, and then click Control Panel.
2. In Control Panel, click User Accounts.
3. In the User Accounts window, click User Accounts.
4. In the User Accounts tasks window, click Turn User Account Control on or off.
5. If UAC is currently configured in Admin Approval Mode, the User Account Control message appears. Click Continue.
6. Clear the Use User Account Control (UAC) to help protect your computer check box, and then click OK. If it is already unchecked, then you should also notice a red shield with an X in it located in your system tray. Ignore any messages about UAC being disabled.
7. Click Restart Now to apply the change right away. (Restart even if you did not make the above change; we need to be sure that a reboot has occurred since the first time that UAC was disabled.)

Do NOT continue until UAC has been disabled.

For Windows 7 users, disabling UAC:
1. Click Start, and then click Control Panel.
2. Click User Accounts and Family Safety.
3. In the User Accounts and Family Safety window, click Change User Account Control Settings.
4. Then move the slider all the way to the bottom to Never Notify.
5. Click OK and then Yes to the popup warning that you are turning off UAC.
6. If it is already at Never Notify, then you should also notice a red shield with an X in it located in your system tray. Ignore any messages about UAC being disabled.
7. Click Restart Now to apply the change right away. (Restart even if you did not make the above change; we need to be sure that a reboot has occurred since the first time that UAC was disabled.)

6. Scanning
Install and run the applications in the following order. If prompted to reboot, do so.

Rkill
When RKill is run it will display a console screen. That console screen will continue to run until RKill has finished. Once finished, the box will close and a log will be displayed showing all of the processes that were terminated by RKill while it was running. Depending on the malware that is installed on the computer, when you run RKill you may see a message from the malware stating that the program could not be run because it is a virus or is infected.

These warnings are just fake alerts by the malware that has hijacked your computer trying to protect itself.

Two methods that you can try to get past this and allow RKill to run are:
When you receive the warning message, leave the message on the screen and try running RKill again.
If that does not work, just keep launching RKill until it catches and stays up long enough to kill the malware.
Yes, both methods are not elegant, but they will work if you keep trying. Unfortunately, there is not much better I can do at this point for some malware that is very tenacious at killing all processes that run.

SuperantiSpyware
Double-click the icon on your desktop named SUPERAntiSpyware.exe. This will start the installation of SUPERAntiSpyware onto your computer.

When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings, and when the program has finished installing, click on the Finish button to get back to your Windows desktop.

SUPERAntiSpyware will now automatically start and you will see a message asking you to select the language you would like the program to use. Please select your language and then press the OK button to continue.

You will now be prompted to update the SUPERAntiSpyware definitions. Please press the Yes button to allow the program to download and install the latest updates so that it can properly detect and remove the latest malware.

Please click on the Preferences button to customize how SUPERAntiSpyware will scan your computer.
When the program's preferences screen opens, click on the Scanning Control tab and put a checkmark in the following options

Close browsers before scanning.
Scan for tracking cookies.

When done, the settings on the Scanning Control preferences screen should be similar to the image below.
Image
Now press the Close button to go back to the main screen.
You will now be at the main screen and should click on the Scan your Computer... button to begin the scanning process.
You will now be at the Scan page where you can choose the type of scan you would like to perform.
When the scan is finished a screen will appear showing the summary of what was detected.
You should click on the OK button to close the summary screen box and continue with the removal process.

MalwareBytes
Malwarebytes is designed to run best in Windows normal mode. If you can run it in normal mode, then you should. If you cannot run it in normal mode, run it in safe mode; however, once you have the system running better, you should scan again in normal mode.
If installation fails, simply rename the downloaded file (mbam-setup.exe) to a random name, and try running it again.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.

MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
Image
On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for infections.

MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan.

When it's finished click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so.

ComboFix (double-click on JeniP.com on your desktop)
ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.
Image

It will then back up the registry and ask if you want to install the Recovery Console. Press Yes.
Image
Once it's done, press Yes again and you should see the following sequence:
Image
Image
Image
Image
When ComboFix has finished, it will automatically close and change your clock back to its original format.

TDSSKiller
Extract and execute TDSSKiller.exe.
Press Start Scan.
If malicious software was found, then make sure Cure is selected. If there is no option to 'Cure', it's critical that you select Skip.
Click Continue -> Reboot now.

MGtools
Just double-click on mgtools.exe and let it run.

When you're done you need to enable UAC again.
Navigate into the \MGTools folder just created in the root of your Windows boot drive.

* Locate the EnableUAC.reg file, double-click on it and allow it to be added to the registry.
* This registry patch is used to enable the User Account Control feature.
* You should reboot after applying the registry patch so that it works properly.

When that is done, disable System Restore and enable it again.

For Windows 7

1. Click Start
2. Right click Computer > Properties > Choose Advanced System Settings option in left menu listing.
3. Click System Protection tab
4. Then highlight the drive for which you wish to turn off System Restore and click Configure
5. Then choose Turn off system protection
6. Click Apply > OK
Reboot

To re-enable follow steps 1 - 4 and then choose Restore system settings and previous versions of files > Apply and OK

For Vista

1. Click Start
2. Right click Computer > Properties > Choose Advanced System Settings option in left menu listing.
3. If UAC enabled you will get a UAC prompt at this click Continue
4. Click System Protection tab
5. Then untick any drive listed and in the popup window click Turn Off System Restore
6. Click Apply > OK
7. Reboot
To enable repeat the above steps

Run CCleaner once.

Remember to save all the applications you download somewhere else, as OTL is going to remove them and clean up the PC.

To clean up, download OTLcleaner.

Click on the Green Clean Up button

If you're still having issues, upload the mgtools.zip folder. It contains all the logs of the applications above.
To help avoid getting infected again, or for better PC security, follow these guidelines.

System Repair
To repair any damage done by malware, use Virus Effect Remover.
It is a repair tool that assists end-users to remove the effects of either a live virus or those left over by a virus (or trojan) in most Windows® operating systems: W98SE/WinXP/Win2K-All/Vista & Win7.
Repairs and fixes OS items such as: Task Manager, Regedit, MSConfig, Folder Options.
Image
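Added example (not part of the original post, and not code from any of the tools it lists): a PowerShell pre-flight script that checks the machine state the guide asks you to fix by hand before and after cleaning, namely how many AV and firewall products are registered with Security Center (the guide wants exactly one of each), which Java versions are still installed, whether UAC is on or off (the EnableLUA value that the MGtools EnableUAC.reg sets back to 1), and a System Restore off/on cycle. It assumes Windows Vista SP1 or 7, where the root\SecurityCenter2 WMI namespace exists; on XP the namespace is root\SecurityCenter. Run it from an elevated PowerShell prompt.

```powershell
# Added example: pre-flight state checks for the cleaning procedure above.
# Assumes Vista SP1 / Windows 7 (root\SecurityCenter2) and an elevated shell.

# Security Center registrations. The guide says: one AV and one firewall only.
function Get-RegisteredSecurityProducts {
    foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
        Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Type  = $class
                    Name  = $_.displayName
                    State = ('0x{0:X6}' -f $_.productState)   # vendor-encoded enabled/up-to-date bits
                }
            }
    }
}

# Old Java installs, read from the Uninstall keys in both 32- and 64-bit views.
function Get-InstalledJava {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Java' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

# UAC is the EnableLUA DWORD under the Policies\System key.
# The guide's EnableUAC.reg sets it to 1; a reboot is needed either way.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
function Get-UacState {
    $v = (Get-ItemProperty $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    switch ($v) { 1 { 'enabled' } 0 { 'disabled' } default { 'unknown' } }
}
function Enable-Uac {
    Set-ItemProperty $uacKey -Name EnableLUA -Value 1 -Type DWord
    Write-Warning 'UAC re-enabled in the registry; reboot for it to take effect.'
}

# The guide's "disable System Restore and enable it again" step, which discards
# restore points that may still hold infected copies of removed files.
function Reset-SystemRestore([string]$Drive = 'C:\') {
    Disable-ComputerRestore -Drive $Drive
    Enable-ComputerRestore  -Drive $Drive
    Get-ComputerRestorePoint   # should list nothing (or only new points) afterwards
}

Write-Host '== Security Center products =='
$products = Get-RegisteredSecurityProducts
$products | Format-Table -AutoSize
foreach ($t in 'AntiVirusProduct', 'FirewallProduct') {
    $n = @($products | Where-Object Type -eq $t).Count
    if ($n -gt 1) { Write-Warning "$n $t entries registered; the guide wants exactly one." }
}

Write-Host '== Installed Java =='
Get-InstalledJava | Format-Table -AutoSize

Write-Host "== UAC: $(Get-UacState) =="
```

Run it once before step 1 and again after the MGtools step: the second run should show a single AV and firewall, only the current Java, and UAC back to "enabled". Call Enable-Uac if EnableUAC.reg did not apply, and Reset-SystemRestore in place of the manual System Protection clicks; both need a reboot to take effect.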

RE: Malware removal guide

PostPosted: May 29th, 2011, 11:36 am
by shovenose
I unspammed them all. Now there are like 10. Decide which one you want to keep and delete the rest... :-) Sorry about the spam filter, but it has blocked a LOT of spam.

RE: Malware removal guide

PostPosted: May 29th, 2011, 11:45 am
by Klinc
It's alright, delete them; I finally got one through. Wasn't sure how many characters a post takes, but it all fitted.

Edit: no, I didn't get all the way through, lol.
The last part is missing; I'll post it now and you can just move it up.

RE: Malware removal guide

PostPosted: May 29th, 2011, 11:48 am
by shovenose
Is this the thread you want? I will delete all the other threads. OK?

RE: Malware removal guide

PostPosted: May 29th, 2011, 11:51 am
by Klinc
Never mind, you fixed it. Thx lol
Think it's my mistake; I noticed the one was separated by two lines, not 1. That's what probably triggered it.

RE: Malware removal guide

PostPosted: May 29th, 2011, 12:02 pm
by shovenose
Um, I didn't do anything yet. There are like 5 of these "malware removal guide" threads. Would you like me to remove the other ones? (I think you can do it too: just delete the posts in the threads and the thread will go away)...

Great guide BTW and thanks for posting it!

RE: Malware removal guide

PostPosted: May 29th, 2011, 12:08 pm
by Klinc
I deleted the duplicates. Thx. If you want to test it I can give you a trojan lol

RE: Malware removal guide

PostPosted: May 29th, 2011, 12:14 pm
by shovenose
No thanks. I'm fine :D

RE: Malware removal guide

PostPosted: May 29th, 2011, 12:38 pm
by Klinc
If you want to test your firewall and security, download Metasploit. Then use a virtual machine. Choose an exploit and a payload and see if you can penetrate your own security. It doesn't have malware that runs when you click on it, so it's perfectly safe. People use it for penetration testing. It's a great app.

RE: Malware removal guide

PostPosted: May 29th, 2011, 12:43 pm
by shovenose
I might try it on my netbook that I don't care about at some point...