Virus Removal Instructions

  • RaTix
    Emperor

    Virus Removal Instructions

    Fake Alert/Conficker B++ is the biggest pain in the ass to remove if not caught quickly enough. It attaches to explorer.exe, winlogin.exe and svchost as well as a few other key Windows files, which makes it impossible to remove while the system is actually loaded and running (you can't delete or modify files that are in use).

    The FakeAlert (or MS/XP Antivirus) viruses that have been just as rampant help open the doors on your computer to allow the Conficker variants in. Fake Alert viruses are those like Antivirus 2009, Antivirus 360, Spy Guard, etc.: pretty much anything that pops up in the middle of your screen, starts an auto scan for viruses, tells you you're infected and tells you to buy their product. They are usually let in through browsers and certain websites they have embedded themselves on.

    If you notice any of those types of scans and XP Antivirus variants, you should REMOVE THEM AS SOON AS POSSIBLE!!!! The first thing to go after the virus appears is your browser connections. All pages, regardless of the browser you use (IE, FF, Safari, etc.), will return an "unable to display webpage" type message. After this it will attack your network connections and the configuration at the network adapter's TCP/IP and Winsock levels. After that, expect Conficker variants and some Blue Screens of Death, or a Windows logon loop where, after selecting your user profile, it kicks you back out to the same login screen.

    There are tools to help try and remove these pests. However, the people that make these viruses know which tools techs use to try and remove infections, and block them from running.

    Things you should have and things to look for.

    1. Everyone should have an antivirus program. I recommend AVG as it's the most resilient to these variants and less resource heavy than Norton and McAfee.
    However, these variants of both Conficker and Fake Alert will disable your AV first and foremost once on your computer. So if you use Norton, McAfee or AVG, and notice it's no longer protecting and can't be "fixed" with built-in measures, you more than likely have the virus.

    2. Use TWO different anti-spyware type programs. One is usually not enough to catch everything on your system, and they don't conflict with each other the way two antiVIRUS programs would. The two best programs to use are Spybot Search and Destroy and Malwarebytes.
    If you have the symptoms of Item 1 on this list, and when you click to open Spybot or Malwarebytes they don't open, you're more fucked than most, as the virus has been on long enough and manifested to the point of attacking system files. However, all is not lost and it can still be removed.

    3. FIREWALL!!! Even if you have only one computer I recommend having a router between the modem and the PC connection. Routers are essentially hardware firewalls that will block a lot of bullshit internet traffic and attacks on your system.
    Even with a router, I still suggest a software firewall as well. I use an out-of-date Sygate firewall, but it does the job well and has many professional options to set up rules and block/allow just about whatever you want. The Windows built-in firewall is just as good though.

    4. UPDATE UPDATE UPDATE!! If your XP system is still on Service Pack 2, update it ASAP to SP3. Then update again and again until no more priority updates are available.


    If you have all 4 of those steps fulfilled you should not have any problems with these viruses and variants.



    !!!!TRADE SECRETS ALERT!!!!
    OK so you have the symptoms listed above and want to clean your system. Here's how to fully remove viruses in XP or Vista.

    1. Reboot your computer in Safe Mode WITH NETWORKING.
    To do this, shut down your computer (not restart, shut it down). Then, immediately after you hit the power button to turn it on, repeatedly hit the F8 key at the top of your keyboard until you get to the Advanced Options Menu. Use your arrow keys to highlight Safe Mode with Networking and hit Enter. Hit Enter again on the next screen asking you to select an operating system.

    Some files will scroll on the screen; this is normal. Wait till the login screen appears and log in as ADMINISTRATOR.


    Prep Work
    Open My Computer and click on Tools -> Folder Options -> View tab -> look for "Hidden files and folders" and select the bubble for "Show hidden files and folders".
    Also, uncheck the next two items below, "Hide Known Extensions" and "Hide Protected Operating system files". We may need these files visible for some of the steps listed below.


    2. Troubleshoot Internet Connection
    Through safe mode you should be able to open IE and bring up web pages without a problem. This will allow you to download the needed files and programs to help clean everything out.

    *If you are still unable to reach a web page, the virus may have attacked the network connections themselves and this will need to be fixed before continuing.

    The best option is to go to your Start button -> right-click on My Computer -> click Properties.
    Then click the Hardware tab -> Device Manager -> click the + next to Network Adapters to expand the list.
    Now this is where you need to pay attention. If you're using wireless you may run into problems. I highly suggest you hardwire your PC connection directly to the router or modem.

    In Vista, well, let's face it, Vista SUCKS. It is notorious for its horribly unreliable wireless connections. If it's built in to, say, a laptop, you're in much better shape than with a USB wireless adapter.
    What we need to do is uninstall the network adapter, then reinstall it. With USB adapters this means you need to have the disk that came with the adapter to reinstall the drivers.
    If it is a built-in wireless or Ethernet connection, the drivers stay in Windows. So when you reboot the machine after uninstalling, it will automatically find the hardware and reinstall the proper drivers on its own.

    If using hardwired connection or Built In wireless, the steps are the same.

    - Anything in the network Adapters list that says Ethernet or NIC (usually Realtek or Nvidia) should be your LAN connection.
    - Wireless adapters will usually list with Wireless in the name.

    Right-click on the network adapter you're using and choose Uninstall.
    For Vista, make sure NOT to check the box to uninstall the drivers in the confirmation message.

    Any other network adapters that are listed, go ahead and uninstall as well. Some viruses actually create other network adapters to control your internet connection.

    Reboot the computer BACK INTO SAFE MODE WITH NETWORKING!! Once back in safe mode, Windows will detect the network adapter and reinstall the drivers for it. Once this is done you should be able to open up IE and reach any web page. Test by going to Google.com or msn.com.

    If unable to reach a web page, you may have to look into reinstalling TCP/IP protocol.


    3. Verify Web Page Access
    If you are able to reach a web page, go to the following links and download these programs.
    *Even if you DO NOT have a virus, I urge EVERYONE to download and keep these files in case you need them.

    Spybot Search and Destroy
    Main Site - http://www.safer-networking.org/en/download/index.html
    Download Link - http://www.spybotupdates.biz/files/spybotsd162.exe
    *You may want to download the definitions updates as well, as sometimes Spybot is unable to reach their servers during install because of some viruses.

    Malwarebytes
    Main Site - http://www.malwarebytes.org/index.php

    Meet The Smits
    The next two Smit programs are simple command line removal tools that can help remove a few nasty viruses. SmitRem is less useful, if at all. I use it mainly for diagnostic purposes, so I suggest you do too, and I'll explain why further down.
    SmitRem
    Main Site - http://noahdfear.geekstogo.com/
    Download Link - http://noahdfear.geekstogo.com/click...click.php?id=1
    SmitFraudFix
    Main Site - http://siri.geekstogo.com/SmitfraudFix.php
    Download Link - http://siri.urz.free.fr/Fix/SmitfraudFix.exe

    ComboFix
    Main Site - http://www.bleepingcomputer.com/comb...o-use-combofix
    Download Link - http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    HiJackThis
    Main Site - http://www.trendsecure.com/portal/en...ols/hijackthis
    Download Link - http://www.trendsecure.com/portal/en...HiJackThis.exe

    CCleaner
    Main Site - http://www.ccleaner.com/
    Download Link - http://download.piriform.com/ccsetup218.exe


    4. Let the Cleaning Begin!!
    First run SmitRem. Opening the EXE will extract files to a folder. Go to the SmitRem folder and run the RunThis.bat file.
    I run this tool mainly to see what errors, if any, occur. If you receive an error that registry editing has been disabled by the administrator, you will need to follow these steps.

    - Close SmitRem by hitting the X in the top right corner.

    - Go to Start -> Run ->
    Type "REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f" (no quotes)
    -> Click OK.

    This will restore registry editing. Rerun SmitRem. Once done you can cancel the Windows cleanup that opens (that's what CCleaner is for later on).

    *Note: if you do receive the registry disabled error, the virus is pretty well infested on your computer and this will be a long, painful process to remove. However, it is still possible to clean it.


    5. Run SmitFraudFix.
    Another diagnostic trick is to see what errors SmitFraudFix gives when run. However, the removal tools built into this Smit tool are actually useful in removing many viruses, including Fake Alert, unlike SmitRem.

    If you get an error and the program crashes, you need to run the program first on another computer. This will extract the EXE files to a folder. That folder itself must be transferred to the infected computer.

    Once transferred over, open the folder and click on SmitFraudFix.exe. The program should now run.

    Choose option 4 to update to the latest version. Once done it will take you back to the main menu; you then want to choose option 2 to start the scanning process. Once done, type Y and hit Enter to start the registry cleaning. Again, you can close the Windows cleanup window that appears.


    6. Now it's time to run HiJackThis.
    Again there are some errors to be aware of and diagnostic tricks.
    If you go to run HiJackThis and it does not appear, you have the virus that is disabling most of the tech tools we will use. Here's how to try and get around it and see how bad the virus is.

    First open the Task Manager -> go to the Processes tab -> find the HiJackThis.exe process -> right-click -> End Process

    Rename the HijackThis.exe file to Fizz.bat and try to run again. 9 out of 10 times this will allow the program to run.

    **You may also run ComboFix, renaming the file to k.bat or whatever if it doesn't run. This should help clear up problems with programs not running. However, if you are remoting into someone else's computer to fix it, skip this step for now as it may disconnect you. If you are physically in front of the computer, I highly recommend this step at this time.

    Now HJT is a bit tricky and may seem overwhelming to use. It basically lists all the programs and stuff that are running on your computer. You want to run a system scan WITH LOG.

    Once done, copy the entire log and paste it at HijackThis.de. This website will analyze the log and show you what the site and its users have listed as possible viruses.
    Go through the list and check off any nasty or unknown items. Be careful and ignore any IP entries if you are using DSL. You want to look for what I call "qwyjibos". Simpsons fans will know this word. Basically you want to look for files that are named with random letters, like weufhweou.dll or qwyjibo.dll. These are almost 99.9999% of the time viruses. When in doubt, do a Google search for the file name. If no results turn up, or the first 10 sites are about malware removal, then you know it's bad.

    When done, click the Fix Selected button. If asked to reboot, do not do so at this time.


    7. Install Spybot and Malwarebytes.
    This is where you may run into many of the problems.

    We will install Spybot, but are not going to run a scan just yet. Basically we want to see if we can install and launch it, or if it's getting blocked like HJT might have been.
    If you cannot install it, and nothing shows up when you run the setup file, try the same steps as with HJT. Rename it to z.bat and try to run again.

    ** When renaming files, do not use any letters that were in the original file name. So for Spybot you DO NOT want to use s, d, y, etc. as the file name or anywhere in it.

    Do the same for Malwarebytes: try to install, and rename the installer file if it doesn't run.

    After both programs are installed, try to launch them. If they DO NOT open, we still have some renaming to do.

    Go to My Computer -> Program Files and look for the folders for "Spybot" and "Malwarebytes".

    Go into the Spybot folder and rename SpybotSD.exe to z.exe. Go back one folder and rename the Spybot folder itself to just Z. Go back into the Z folder and try to run z.exe. The program should open now (at least 9 out of 10 times).

    Follow the same steps for Malwarebytes, using different letters; X works well too.

    If the programs still do not run, we have one last-ditch effort. Rename ComboFix to k.bat and try to run it. Use the guide at the link above to see how to use ComboFix. It's a command line tool like the Smits, but on steroids. If this program can run, it will solve most of the problems of programs not running.


    8. Running Spybot and Malwarebytes scans.
    After both are installed and able to launch, make sure both are fully updated with latest definitions.

    Run Quick scan with Malwarebytes, then scan with Spybot.

    Spybot - After scan click on "Fix Selected Problems" at the top.
    Malwarebytes - After scan click on Show Results -> Remove Selected

    Choose NOT to restart if either program asks until both scans are completed. Even then, still choose to NOT RESTART.

    After both scans complete, go to Start -> Run -> Type "MSCONFIG" -> Hit OK.

    In the MSCONFIG app, make sure Normal Startup is selected on the main general page.
    Apply -> Close and Choose to Restart.


    9. Finishing
    Once in normal mode, all the registry entries that Malwarebytes and Spybot may have set up to remove files on restart will be executed. Spybot may run another scan before the desktop appears, so be patient if the screen hangs.

    **Allow 10-15 minutes if needed. After that, if nothing comes up, there are some other problems that still exist.
    In which case press CTRL+SHIFT+ESC to bring up Task Manager. Click on File -> New (Run Task) -> type Explorer -> hit OK.

    The desktop should load up. Run a FULL Malwarebytes scan and Spybot once more.

    If the desktop loads up without any problems, you may still want to run a FULL Malwarebytes scan as well as HJT to remove any leftover remnants of the viruses.

    Make sure to run Windows Update till no more priority updates are available.

    Make sure the Windows Firewall or any firewall is enabled.

    Repair Norton/McAfee with the built-in FIX option. They should now be able to correct themselves.
    If no AV is installed, go download AVG (just Google "AVG" and you'll find it) and install it.

    That's it, the computer should now be fully cleaned out of viruses and spyware. If not, seek professional help, as the problem may be more complex than I'm willing to go into here: a repair install of XP, or a parallel install; worst case, a full format may be done, but it's not always needed.

    ** I find formatting a hard drive to be a failure of a technician to fix a computer. Formatting is a defeat, not a solution.


    All in all, this process can take anywhere from 2 to 16 hours of work, depending on what errors and problems you run into, as well as your knowledge and skill level.
    Last edited by RaTix; 02-06-2010, 02:40 AM.
    "POWER!!! UNLIMITED POOWWWEEEER!!!!!!"

    "Tell me what you regard as your greatest strength, so I will know how best to undermine you; tell me of your greatest fear, so I will know which I must force you to face; tell me what you cherish most, so I will know what to take from you; and tell me what you crave, so that I might deny you."
    - Darth Plagueis

    "Peace is a lie, there is only passion. Through passion, I gain strength. Through strength, I gain power. Through power, I gain victory. Through victory, my chains are broken. The Force shall free me."
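The "qwyjibo" check from step 6 of the post above, written out as code. This is an added example and is not part of RaTix's post or of HiJackThis itself: a Python script that reads a HijackThis-style log, pulls the file path out of each O-line, and flags names whose adjacent letter pairs rarely occur in real Windows file names, plus anything launched from a user-writable folder such as Temp. Everything in it is constructed for illustration: the sample log lines are made up to look like HJT output (the CLSID and paths are invented), KNOWN_GOOD_STEMS is a small hand-picked sample rather than an authoritative allow-list, and the 0.5 coverage threshold is an assumption. O17 lines name no file and are skipped, which lines up with the post's advice to ignore IP entries. It is a triage aid, not a replacement for the Google search the post recommends: a short name such as av2009 yields too few letter pairs to score and is handed back for a manual check.

```python
"""Triage a HijackThis-style log for "qwyjibo" names (random-letter files)
and for autostart entries that run from user-writable folders.

Constructed example: SAMPLE_LOG is made up to look like HijackThis output,
and KNOWN_GOOD_STEMS is a small hand-picked sample of legitimate XP-era
binary names, not an authoritative allow-list.
"""
import re

# Constructed sample in HijackThis's O-line format (not a real capture).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0A1B2C3D-0000-0000-0000-000000000000} - C:\WINDOWS\system32\weufhweou.dll
O4 - HKLM\..\Run: [Antivirus 2009] C:\Program Files\Antivirus 2009\av2009.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [services] C:\Documents and Settings\Owner\Local Settings\Temp\services.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 192.168.1.1
O20 - Winlogon Notify: qwyjibo - C:\WINDOWS\system32\qwyjibo.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Legitimate XP-era file names the bigram model learns from (assumed sample).
KNOWN_GOOD_STEMS = [
    "explorer", "svchost", "winlogon", "lsass", "services", "spoolsv",
    "ctfmon", "rundll", "wuauclt", "taskmgr", "notepad", "iexplore",
    "firefox", "outlook", "msmsgs", "csrss", "smss", "userinit", "hkcmd",
    "igfxtray", "realsched", "jusched", "qttask", "acrotray", "avgwdsvc",
    "mbam", "spybotsd", "hijackthis", "combofix", "ccleaner", "nvcpl",
    "soundman", "winampa", "msnmsgr", "googletoolbar", "shdocvw",
]

# Folders an ordinary user (and therefore a drive-by install) can write to.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\",
                 "\\documents and settings\\", "\\recycler\\")

# A drive-letter path ending in an executable or library extension.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|sys|scr|cpl|bat))(?![A-Za-z])",
                     re.IGNORECASE)

MIN_LETTERS = 5           # shorter names give too few letter pairs to judge
COVERAGE_THRESHOLD = 0.5  # below this, the name looks like random letters


def bigrams(letters):
    return [letters[i:i + 2] for i in range(len(letters) - 1)]


GOOD_BIGRAMS = {bg for stem in KNOWN_GOOD_STEMS for bg in bigrams(stem)}


def letters_only(name):
    return re.sub(r"[^a-z]", "", name.lower())


def bigram_coverage(letters):
    """Fraction of the name's adjacent letter pairs that also occur in known
    good names. Real names reuse common pairs; random strings mostly do not."""
    pairs = bigrams(letters)
    if not pairs:
        return 0.0
    return sum(bg in GOOD_BIGRAMS for bg in pairs) / len(pairs)


def judge(path):
    """Return the reasons (possibly none) to treat this file with suspicion."""
    reasons = []
    filename = path.rsplit("\\", 1)[-1]
    letters = letters_only(filename.rsplit(".", 1)[0])
    if len(letters) < MIN_LETTERS:
        reasons.append("name too short to score; check it by hand")
    else:
        coverage = bigram_coverage(letters)
        if coverage < COVERAGE_THRESHOLD:
            reasons.append("random-looking name (bigram coverage %.2f)" % coverage)
    if any(marker in path.lower() for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable folder")
    return reasons


def triage(log_text):
    """Map each suspicious file path in the log to its list of reasons."""
    findings = {}
    for line in log_text.splitlines():
        match = PATH_RE.search(line)
        if not match:          # O17 NameServer/IP lines etc. name no file
            continue
        path = match.group(1)
        reasons = judge(path)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for reason in reasons:
            print("    -", reason)
```

Run it as a script to print the findings for the sample, or call triage() on a log you pasted in. The name check looks only at the file name, so a legitimate name in the wrong place (the services.exe under Temp above) is caught only by the folder rule; that is why both checks are applied to every entry.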
  • #2
    BOSS
    Imperial Advisor
    • Jun 2005
    • 5834

    Fake Antivirus

    So I've gotten that fake anti-virus warning that wants you to buy a fake product and I've followed the method posted here to get rid of it:


    I didn't click the false link that tells you to turn your security on (because that activated the problem last time), but these fake warnings are showing up in safe mode where I'm trying to get rid of it. The real problem is I can't run Malwarebytes to get rid of this thing like last time. Any suggestions?
    "You either die a hero or live long enough to see yourself become the villain."

    • #3
      raquel55x
      Civilian
      • Mar 2011
      • 21
      • none

      Just wondering if you've tried uninstalling it?
      A winner is a person that fights to the end not the person that gives up half way through the game ...


      • #4
        MajinTony
        Honorary DSA
        • Aug 2005
        • 3153

        less internet porno:p

        "Beefcake the Mighty, clotted with spew. His sword falls, skulls burst in two. The eyes burst from sockets, he is not through. Thousands of warriors he does this to. Piling the corpses of those that he slew. Untill it was hard to tell if the pile grew!"-GWAR


        • #5
          RaTix
          Emperor

          Try here

          Virus Removal Instructions - Dark Side Alliance: http://www.darksidealliance.com/showthread.php?t=32445

          Those instructions I wrote specifically for this type of virus.

          • #6
            raquel55x
            Civilian
            • Mar 2011
            • 21
            • none

            Well, I feel dumb right now lol

            • #7
              BOSS
              Imperial Advisor
              • Jun 2005
              • 5834

              @Tony: HA...if that was the case it would make sense at least lol.

              @Ratix: All is well now. If something happens again I know where to look. Thanks again.

              • #8
                FunkyFaulc
                Civilian
                • Mar 2009
                • 711

                Originally posted by BOSS
                So I've gotten that fake anti-virus warning that wants you to buy a fake product and I've followed the method posted here to get rid of it:


                I didn't click the false link that tells you to turn your security on (because that activated the problem last time), but these fake warnings are showing up in safe mode where I'm trying to get rid of it. The real problem is I can't run Malwarebytes to get rid of this thing like last time. Any suggestions?
                It can be a real pain in the butt to get rid of. As you now know, they don't go away with a normal uninstall. If for some reason Ratix's instructions don't clear it, all I can do is offer my own experience. I had to clear my in-laws' computer of one of these. I ended up getting the free CNet.com download for AVG antivirus and it was able to finally get rid of it... or at least all the pop-ups that still didn't go away after the uninstall.


                "Are you questioning my Bad-Assness? Have you seen my guns?"


                • #9
                  Hogezz
                  Honorary DSA
                  • Jan 2009
                  • 1543

                  Here's a bit of info on this subject...

                  search.slashdot.org/story/11/05/07/229200/Poisoned-Google-Image-Searches-Becoming-a-Problem
                  Last edited by Hogezz; 05-08-2011, 06:23 AM.