Remove Fraudulent/Rogue Antivirus and all associated Malware in under an hour.


NoLeafClover
This is a quick removal and cleaning guide for some of the most annoying malware out there right now; symptoms include alerts claiming you are infected with a virus and instructing you to download antivirus software, popup windows from similar sites, and programs masquerading as the Windows Security Center or a Microsoft Antivirus/Antispyware product... I'm a malware removal specialist on the job, and have fixed over 100 PCs with such infections in the last quarter alone, so I figured I'd share my proven methods. I will probably touch this guide up later and add a few automated batch scripts I've made for this, add pictures, etc., once I find the time.

THIS GUIDE IS MEANT FOR ADVANCED USERS ONLY!
I offer no guarantee or warranty of any kind; perform any and all of these steps AT YOUR OWN RISK. Things may go wrong at any time if you don't know what you're doing, or even if you do, and I accept no responsibility for any damages to your system or loss of data. Back everything up beforehand if possible, and be prepared for the worst. If you do not consider yourself an advanced user, or are afraid of breaking something, do not follow this guide; only follow directed advice from a professional.

This guide is not endorsed by Tech-Forums.net.

This guide is only meant for serious infections, and Internet Explorer settings WILL BE LOST during the process.

I do not recommend following this guide if you are running Vista, but you may opt to use any of the methods or software listed here which are available and practical to you.

Actual time may vary up to 6 or more hours, depending on how much data you have on your drive and how long various scans take, but it shouldn't take more than an hour of actual manual work.

I've found that certain things are more likely to be broken in this process than others. The most susceptible are: HP Multifunction Drivers, and McAfee AntiVirus. You may need to reinstall these things if you have them, once finished. (although I don't recommend reinstalling McAfee -- just removing it and replacing it with something better would be preferred)

All disclaimers out of the way now, let's get started....

First things first, back up all of your data in any way that works for you. A full backup image with something like Norton Ghost or Acronis TrueImage is preferred if at all possible -- things CAN go wrong, especially if you don't know your way around the system.

Second, assemble your tools. Free tools used in this procedure, listed in a loose order of priority; you will want:
Combofix
AutoRuns
SmitFraudFix
HijackThis
MalwareBytes' Anti-Malware
SpyBot S&D
A² Free
A good antivirus, recommend Avira
VirusTotal Uploader
RegCleaner
AdAware
Dial-A-Fix

Optional tools, highly recommended if they are available to you:
A second computer that you can hook the infected drive up to in order to browse the files, or a bootable CD Windows environment such as BartPE. Linux-based bootable CDs are only recommended if you are intimately enough familiar with the Windows OS to not be reading this guide in the first place.

You will also want a second PC for the purpose of looking things up that you come across if you're not sure what they are.

Optional things that are nice to have, but may cost money:
XoftSpy
Kaspersky or NOD32 Antivirus

If you have a Windows Installation CD, it might be nice to have it handy, in case you need files from it.


PREPARATION:
MalwareBytes Anti-malware, the latest SpyBot SD, and AdAware will need to be installed on your infected machine to run them, before you begin. You should install them from safe mode if you can before attempting to use them.
AdAwareSE, if you have it, as well as AutoRuns, HijackThis, RegCleaner, and A² can be installed on another machine, then transferred over without any ill effects simply by copying the program file folder to a removable device such as a flash drive. SpyBot SD can also be made to work this way, if you have the patience and know-how to tweak it a bit.
The other tools you just want to download, and have on hand for when you're ready to use them.



OPTIONAL (PREFERRED) PREP:

For best results, boot into a separate (uninfected) installation of Windows, using either a bootable Windows CD, or another computer, with your infected drive attached (removed from the affected PC).

First off, delete all files in the following locations if they exist (Substitute WINNT for WINDOWS if running Windows NT/2k, or an upgrade version of XP. Substitute %username% with the account name for all user accounts):
DRIVELETTER:\Temp\
DRIVELETTER:\WINDOWS\Temp\
DRIVELETTER:\WINDOWS\Prefetch\
DRIVELETTER:\WINDOWS\System32\Temp\
DRIVELETTER:\Documents and Settings\%username%\Cookies\
DRIVELETTER:\Documents and Settings\%username%\Local Settings\Temp\
DRIVELETTER:\Documents and Settings\%username%\Local Settings\Temporary Internet Files\

Now use a good scanner, such as Avira (linked above), to scan for the infections from the uninfected system.

On the uninfected system, install the VirusTotal Uploader, if you are able; it will make things easier.

Now browse into the \WINDOWS\ directory of the infected drive. In the Tools menu of Windows Explorer, select Folder Options > View and make sure hidden and system files are shown, and that the extensions of known file types are not hidden. Click OK to save and close out the open dialogs.
Next, go into the View menu of Explorer. Select the Details view. Go back into View again, select Choose Details..., and make sure Date Modified, Date Created, and Company are checked. Click OK.

Sort the items in your WINDOWS folder by Date Created first, and look for any suspicious-looking entries, such as .exe or .dll files with shady-sounding or gibberish names, created recently or around the time the infection started. If they are unsigned (do not have a company name displayed) they should be considered suspect unless you know they're legit. Send the suspect files to VirusTotal using either the uploader, or by going to virustotal.com and uploading them manually. Delete any files that come up positive. You can use some of your own judgment here to save time; for example, if multiple suspicious files are found created at exactly the same time, and one checks out as infected on VirusTotal, it's generally safe to assume they're all infected and delete the lot of them.

If you haven't backed up your system at this point, it may be a good idea to save the infected files to a password-protected .zip or .rar archive before deleting them, in case you need to put them back.

Be on the lookout for a file named "brastk.exe" -- it's the executable responsible for the popup alerts in the latest series of infections telling you you're infected and prompting you to download more fraudulent software. Delete it.

Next, sort by date modified, and look for anything with the same modified date as the infected files. Specifically, "beep.sys" may be acting as a rootkit. If it is modified around or after the infection date, delete it.

Now repeat all of the above steps with the WINDOWS\System32 and WINDOWS\system32\drivers folders.

It's generally safe to ignore the other folders at this point, since any infections in them are usually cleaned out or rendered harmless in later steps.

Once finished, return your drive to the infected machine, and prepare to boot into safemode.

OPTIONAL (PREFERRED) PREP END



Now the Real Work begins... if you followed the optional prep steps, this should go a lot smoother, and with little or no complications. If not, don't worry, there's still a decent chance it'll clean up nicely.

Once you have all of your tools assembled, you will want to boot into safe mode.

Safe mode with command prompt is ideal, but if you're not familiar enough with DOS/Windows command-line to use it, regular safe mode or safe mode with networking is fine, too.

KEEP THE COMPUTER IN SAFEMODE UNLESS INSTRUCTED NOT TO FROM THIS POINT; booting into regular mode can cause any remaining infections to send you back to square 1 by reinfecting you.

First things first, go into the Program Files folder and delete any folders that are obviously a part of the infection (luckily, most infections here are blatantly obvious about what they are, in the folder name). Be on the lookout for fishy-sounding folders with a Date Created equal to the day you got infected; if you didn't install these intentionally, they're probably bad -- delete them.
If in safemode with command prompt, you can perform a deletion of a folder and save a log of files deleted using the following commands:
DEL /F /S /Q "FolderName" >>C:\log.txt
RD /S /Q "FolderName"

Delete your temp files now, if you didn't during the optional prep phase; instructions are above in that section if you need them.

Now run SmitFraudFix.exe (linked above). Once it has finished, it will start Windows Explorer if it's not running already, and display a log. Save the log if you want.
If you were working in command prompt, reboot at this point to get back into safemode with command prompt, otherwise continue...

Next up, run ComboFix.exe (linked above) and follow the prompts on your screen. Don't bother installing the Recovery Console unless you know how to use it.

Once ComboFix finishes, it may need to reboot your system, especially if not working from command prompt, or if you didn't do the optional prep steps. Allow it to reboot your PC into normal mode, as it requires, and SAVE THE LOG FILE IT GENERATES. Then reboot again into safe mode to continue.

Back in safe mode, open the log file and look for suspicious entries in the list of recently created files. These may or may not be a part of your infection, so make sure you know what they are before deleting them. Use Google here on another PC if you're not sure.

Now run AutoRuns. Look for unsigned items in the various lists, especially ones without descriptions. Be warned that many legit drivers are unsigned also, especially ones from ATI, so make sure you know what you're deleting. It is OK to delete any entries for which the file is Not Found. If the file is found, and clearly malicious, you will want to delete the file before you delete the entry.

Also feel free to uncheck entries for any Startup programs that you don't think you need running when Windows starts. This will help speed up your PC, but don't delete them if you're not sure. If you simply uncheck, you can re-check them again later if necessary.

LEAVE ALONE: Anything related to a legitimate antivirus program, anything related to a Lexmark or Brother printer, and most HP utilities and networking utilities.

Next, run HijackThis.

Delete anything that says "(no file)".

Under R0 and R1, just look for and delete Start or Search pages pointing to anything other than microsoft.com, google.com, or the homepage or search engine of your choice.

Under O2: BHOs, delete anything not relating to a legitimate antivirus program, or an extension or toolbar that you intentionally installed and want to keep.

Under O16: DPFs, delete anything and everything. You can leave the Windows Update and Microsoft Update controls if you want, but you can always just reinstall them fresh by going to the Windows Update website.

For information on dealing with the rest of the HijackThis log, see the sticky topic on this forum.


Now comes the time-consuming part: running scanners.
You should still be in safe mode, so use the scanners linked to at the beginning of this guide, and scan for remaining infections. Delete anything they find. Most can be installed from safe mode now if you haven't done so already, or worked out another way of transferring them onto the infected PC.

A², SpyBot and MalwareBytes' are all likely to find something you missed. AdAware SE is hit or miss, though the latest version may find some things.
You can also use RegCleaner to search for any software registry keys that had the courtesy of naming themselves honestly, such as "XP Antivirus 2009", etc... or use it to clean up after any trivial programs you know for sure you already uninstalled or removed.

Once you've finished scanning and removing the infections, reboot into regular mode and see the results. If everything went smoothly, you should be more or less spotless.
If you get a Data Execution Prevention error window on startup, try uninstalling and reinstalling any HP printer software and drivers.

Go to Start > Run and type "inetcpl.cpl" without the quotes.
If you have IE6, you will want to reset your homepage if necessary, then go into the Security tab and reset each zone to the default. Also set privacy settings and advanced settings to default.
If you have IE7, just go to the Advanced tab and click the big Reset button at the bottom, then set your homepage to something you want.

If having connection or Windows Update problems after this, try running Dial-A-Fix, checking everything but the date.

If you think you may still be infected, go here:
http://www.techist.com/forums/f51/hijackthis-tutorial-guide-165818/
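Below is an added example (not part of the original post) that automates the "sort by Date Created, check the Company column, send suspects to VirusTotal" triage described in the optional prep section. It assumes the infected drive is attached to a clean PC as $Drive (default E:, an assumption) and that $Since approximates when the infection started; it only reports and hashes files, it deletes nothing.

```powershell
# Added example: offline triage of the three folders the guide inspects
# (\WINDOWS, \WINDOWS\System32, \WINDOWS\System32\drivers) on a mounted drive.
param(
    [string]$Drive = 'E:',                       # assumption: mounted infected drive
    [datetime]$Since = (Get-Date).AddDays(-14),  # assumption: infection onset
    [string]$Report = "$env:USERPROFILE\Desktop\triage.csv"
)

$dirs = "$Drive\WINDOWS", "$Drive\WINDOWS\System32", "$Drive\WINDOWS\System32\drivers"
$exts = '.exe', '.dll', '.sys'

$findings = foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # Non-recursive on purpose: the guide looks at these three folders individually.
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $exts -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $recent = ($_.CreationTime -ge $Since) -or ($_.LastWriteTime -ge $Since)
            # beep.sys is named in the post as a rootkit host: flag it whenever it was
            # modified after onset, regardless of its signature status.
            $beep   = ($_.Name -ieq 'beep.sys') -and ($_.LastWriteTime -ge $Since)
            if ($recent -or $beep) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Created   = $_.CreationTime
                    Modified  = $_.LastWriteTime
                    SizeBytes = $_.Length
                    Signature = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
                    Signer    = $sig.SignerCertificate.Subject
                    Company   = $_.VersionInfo.CompanyName  # the "Company" column in Explorer
                    # SHA256 lets you look the file up on VirusTotal without uploading it
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    Suspect   = ($sig.Status -ne 'Valid') -or $beep
                }
            }
        }
}

$findings | Sort-Object Created | Export-Csv -LiteralPath $Report -NoTypeInformation
$findings | Where-Object Suspect | Format-Table Created, Signature, Company, Path -AutoSize
"{0} recent binaries, {1} flagged as suspect; full report: {2}" -f @($findings).Count,
    @($findings | Where-Object Suspect).Count, $Report
```

Most genuine Windows system files are catalog-signed rather than carrying an embedded signature, so when examined from another OS they will also show NotSigned; treat a flagged row as "check the hash on VirusTotal", exactly as the guide does with the Company column, not as a verdict.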
 
Looks like a great guide; recently I came across this... Anti-Malware Toolkit 1.03.125

It's a neat program to assist in malware cleanups. Also, maybe with some "forum love" it'll be updated a bit faster.

Thanks for the link, I'll certainly look into what it has to offer.

So far the most powerful tool I've found for this is ComboFix, since it can repair some malware after-effects that are very hard to diagnose or fix, and automatically fixes all restrictive policies.

For example, I had one XP machine that, after removing a SmitFraud infection, identified itself as Vista to the Windows Update website, which in turn refused to let you update, demanding you use the Vista Update application.... This cleared it right up, when even performing a repair installation and completely reinstalling IE didn't. It also clears up some rootkits, and many DNS or browser hijacks that don't appear in HijackThis or the network settings.
 
Hey guys, I recently downloaded something I shouldn't have, and my PC has been infected with this malware as well as a Trojan, which is my real worry at the moment. I have run several AVs and ASs, and found and quarantined Rogue.Component/Trace using SUPERAntiSpyware, which stopped the annoying Antivirus popup, but it has recently returned. Maybe someone here has had the same thing happen to them, and I am wondering if there is any possibility of removing this nasty trojan. The AVs and ASs seemed to neutralize the situation a little; my framerate was jumpy before, as if there was a process working in the background, which has now stopped, but there is still a blatant trace of it: A. the popups returned, and B. my DOWNLOAD/Stream speed has reduced RIDICULOUSLY compared to the computer right next to me, which downloads and streams fine (we run on the same router, but the other PC was not infected).

What are the chances I can get rid of this Trojan without having to format? (Which is looking to be the only option at the moment.)

Trojan.Win32.Monderb.xio
Trojan.Win32.Humor.jc

I have googled both, only to find similar trojans, but none with those exact names. The files seem to be lurking around in system32, creating what I think are fake system files, ssqNgApO.dll, ssq, ssqgwti.dll; I wanted to upload both to VirusTotal Uploader, but after searching the directory, I couldn't find either.

Maybe someone could shed some light on this for me?

Cheers,
Ori.
 