
Fight Off That Infection A Guide On Malware Removal

Introduction

It's happened to the best of us. It's late. You're not exactly sure what you're doing. You make one errant click, and BAM! You got yourself an infection. Today's infections can be quite scary at first glance, and if left to sit on a machine can cause a lot of havoc. But fear not, for today's infections are easily handled in almost all cases. In the days of old, however, a virus infection normally led to a blank hard drive (not at the choice of the user, mind you), or even damaged components.

Today's malware operates under a different directive: it wants your information. Today's infections are more about subtly taking information, rather than causing wide-spread damage. Before we get into the nitty-gritty on removing these infections, we need to clarify some terms that will appear multiple times in this post.

Please keep in mind, GH0 has already made a far more in-depth post as to the description of each form of infection. The definitions here are for completeness' and brevity's sake.


Malware - An all-encompassing term for any form of infection (coming from malicious software) be it a virus, a worm, spyware, etc. This is often, and incorrectly, thought of as a separate form of infection.
Rootkit - Rootkits are nasty little pieces of malware that serve one ultimate goal: stealth. A rootkit may be in place to hide either its actions, or the actions of another piece of malware that it accompanies.
Virus - A virus is the most commonly used word to describe an infection. In reality, viruses are in fact a subform of malware. Their main goal however is replication. As with a real-life organic virus, the piece of code will try to replicate as much of itself as it can - especially when it can transfer itself to another host.
Trojan Horses - Like viruses, Trojans seek replication. However, Trojans need to be wrapped into another program in order to operate. They are not standalone software. Like the associated history implies, Trojans are typically used to open up a computer for further attacks.
Worms - Worms, like viruses, seek replication. Worms however are completely self-sufficient, and need absolutely no interaction from the user to operate. Worms typically are used to direct a computer to be part of a Botnet (explained later) rather than doing any direct damage to the host itself.
Botnet - Botnets are, as the name implies, a network of 'bots', or compromised computers that an attacker can use in tandem to exploit or attack another target. Botnets are usually formed via the use of worms. However, some groups willingly become part of a Botnet. One classic example is 4Chan, with their use of a LOIC botnet to launch DDOS attacks against targets.
Spyware - Spyware is an infection that, above all else, does not actually harm the infected machine. Spyware's main goal is to collect personal information (credit card numbers, PINs, SSNs, etc...) from a host, send it back to the author and remain undetected the entire time.

Scareware or Rogue Antivirus - This is quickly becoming the number one type of infection out there. These are small (~2-7MB) executable files that are meant to look and act like legit antivirus software. They will lock you out of Task Manager, and in some instances any program or utility at all while in normal mode for Windows. They will then say you have some huge amount of infections and that it will clean your computer for X amount of money.

This goes without saying, but: DO NOT INTERACT WITH THESE POP-UPS IN ANY WAY!!!

Typically, you have to go outside Windows to remove these infections unless you want to remove them manually. While dozens are out there, here are some of the more prevalent ones I see at work:
Alpha Antivirus
Security Tool
System Tool
Windows Tool
Windows XP Antivirus/AntiSpyware
Windows Vista Antivirus/AntiSpyware
Windows 7 Antivirus/AntiSpyware
Windows Antivirus 2008/2009/2010/2011/etc...

Here is an example of what one of these looks like:

[Screenshot of a rogue antivirus window]

As you can see, it would look legit to a normal user. Also note, the reason these infections get past normal AV solutions so easily, is that they actually do operate exactly like legit software. As such, a new definition must be made for every individual variant of the malware.


Procedure

Contrary to popular belief, almost any infection can be 100% eliminated from any machine if caught in time. The one exception to this is rootkits. Rootkits tie themselves into the kernel in such a way that manual removal is not possible by end-users. Several tools exist, however even they are not fool-proof. Most of the time, the tools are successful; but when they aren't, it is apparent and a reinstall is usually in order.

That being said, I would like to note that in the last 2 years I have only ever had 1 single system that I could not successfully clean and had to resort to reinstalling Windows. This was because the system was infected with not only a rootkit, but over 10,000 other infections. Had the customer brought the machine to me earlier, I may have been successful. Seeing as I do on the order of 4-10 virus removals weekly, I think my track record speaks for itself.


Back on topic, removing infections is nothing more than using a methodical approach to circumventing the effects of the infection. The easiest way to do this, is to not let the infection activate at all. That is, don't boot into Windows normally.

Step One: Secured2k Boot CD

The Secured2k Boot CD is a wonderful bootable environment that allows you to make use of the NOD32 ESET Online Scanner. The CD boots to a Windows 7 environment, with a host of useful utilities built in. The NOD32 ESET Online Scanner will automatically update itself and scan the host system for any infections. In my experience, ESET is the best at removing rogue antivirus software.

You can either download the Secured2k Boot CD creation tool here or download the one I use for a host of systems here.

The helpful thing here is that Secured2k loads itself completely into RAM - meaning once you're up and running, you can remove the CD and use it elsewhere if need be. Also note that since you are booting to another environment, the infections on your Windows installation can never become active - so connecting to the Internet is no risk at all.

Please note: while Secured2k does include a McAfee scanner I do not recommend using that scanner, nor any of McAfee's sub-par software.

Step Two: BitDefender or Kaspersky Rescue CD

The NOD32 ESET Scanner included in Secured2k Boot CD is very powerful, but it is always best to have additional layers of virus removal. As such, I highly recommend using either of these free tools put out by their respective companies. Both of these boot to Linux environments to run their scanners, and as such it is still safe to have the machines connected to the Internet while inside these environments.

BitDefender's Rescue CD can be found here. The rescue CD will automatically launch the updater and scanner once it finishes booting. Effectively, you can boot the CD and walk away for an hour or so with this.

Kaspersky's Rescue CD can be found here. This one you will have to manually tell to update, and it takes about 5 minutes to fully update. Before you begin scanning, make sure to choose 'Prompt at completion' as the scanning option. This way, the scanner will run completely and ask you what you want to do with any found infections at the end, rather than stopping every time it finds one.

Both of these tools are extremely powerful, however I have had more luck with Kaspersky than BitDefender with some of the more nasty infections.

If you find that either of these tools help you in a tremendous way, I strongly encourage you to support the publishers and buy their antivirus software!

Step Three: Boot to Windows

After you have run either two, or all three, of the above scanners outside Windows, it's time to see how Windows is doing. Boot normally, and see if the main infection is still there. Here are some of the possibilities you may run into:

You boot normally into Windows

Great! Skip ahead to Step Four.

You boot to a 0x7B BSOD

Often, infections will force a divide-by-zero function which causes Windows to crash (to avoid imploding the universe). This is not as bad as most people make it out to be, and there are several ways to fix it.

Windows XP:
Boot to an installer disc, and hit 'R' for the recovery console once it finishes loading. Once inside the RC, choose your Windows installation and type the following commands:

fixboot
Select 'Yes' to any prompt.
fixmbr
Select 'Yes' to any prompt.
chkdsk /r

What this does is replace your master boot record with a clean copy, and then run a 5-stage check against your hard drive for errors, repairing any it finds. This is often the only solution needed to be able to boot into Windows normal mode again after getting a 0x7B BSOD.

Windows Vista or 7:

Hit F8 during boot, and choose 'Repair Your Computer' from the options. Let Windows run through its process. This may take upwards of an hour. Before rebooting, choose 'Advanced' from the options given to you to get to the System Repair utilities. Open the Command Prompt window, and enter the following commands:

c:
chkdsk /r

This again, will run a 5-stage check against your hard drive for errors, and repair them.

After the above finishes, try booting into normal mode again. If you can, skip down to Step Four, if not - read on.

You Get a 0x7B BSOD When Trying Normal Mode But Can Get Into Safe Mode

Again, something common when a machine is infected. Boot into Safe Mode, then run a program called ComboFix.

ComboFix is available here. It is a freeware program that is very powerful. It is often, and incorrectly, thought that ComboFix does not run correctly in Safe Mode. This is a fallacy - ComboFix runs perfectly in either Normal Mode or Safe Mode. Connect the host machine to the Internet only long enough to download any updates for ComboFix. It is true that most malware does not operate in Safe Mode so you should be fine connecting the host machine to the Internet, but it is always better to err on the side of caution.


Do NOT download ComboFix from anywhere other than the linked address, or the two sources contained within that post. There are a plethora of websites online that pose as ComboFix sources, that give you an infected source.


Cannot Get Into Safe Mode Either

This is a rare step to be taken, however its cause is simple. Often, infections will tie themselves in with a specific system file so that if they are removed, they take the host with them.

This system file is atapi.sys. If you have access to ANY other machine running the same major version of Windows (meaning XP, Vista or 7 - you do not have to match Home, Home Premium, Pro, etc. You do have to match x86 vs. x64 where applicable) you can simply copy the atapi.sys file from that computer, and place it in the appropriate directory on the infected machine. I recommend using a Linux Live CD and a USB flash drive to facilitate the transfer. In the very few times I have had to do this, it has not failed me once.

The atapi.sys file can be found under:
C:\Windows\System32\Drivers

Step Four: ComboFix

If you ran this in Step Three, skip ahead. If you didn't - then read along.

ComboFix is available here. It is a freeware program that is very powerful. It is often, and incorrectly, thought that ComboFix does not run correctly in Safe Mode. This is a fallacy - ComboFix runs perfectly in either Normal Mode or Safe Mode. Connect the host machine to the Internet only long enough to download any updates for ComboFix. It is true that most malware does not operate in Safe Mode so you should be fine connecting the host machine to the Internet, but it is always better to err on the side of caution.


Do NOT download ComboFix from anywhere other than the linked address, or the two sources contained within that post. There are a plethora of websites online that pose as ComboFix sources, that give you an infected source.


Step Five: In-Windows Cleanup Scans

In my experience, after running ComboFix and the Out-of-Windows scanners, most machines are completely clean - barring a few adware cookies. However, we want to be 100% sure that the machine is back to perfect health.

First, run MalwareBytes on the machine. You can run this in Safe Mode or Normal Mode, there is no difference. You can either connect the machine briefly to the Internet to download updates, or download the updates on a known good machine and transfer them over via a USB flash drive. The latter is safer, obviously.


Second, run either SUPER AntiSpyware or Spybot Search and Destroy. Or both, your choice. One is usually sufficient. These programs specialize in removing spyware better than most others. Often, you'll see hundreds of infections but these are simply cookies. They aren't inherently dangerous per se, but they should be removed regardless.

Step Six: Final Scan: Resident or Otherwise

The final scan you should run should either be the resident scanner you already use, or if you have grown less confident in it, one of the ones below. If you happen to use McAfee, Norton, Webroot or Viper anti-virus, I highly recommend ending your subscription and changing over to one of these providers:

AVG - AVG is a big player in the free anti-virus sector. AVG also has a paid version which gives you 24/7 tech support - or just the warm fuzzy feeling knowing you're keeping the programmers in business should you feel like they deserve the cash. The engines in the paid and free version are identical.

Avira - Avira is another one that has both free and paid-for suites. Again, Avira is very powerful. The one drawback is that Avira is usually more reliant on the user for instructions than other programs.

BitDefender - If you ran this outside Windows, you'll want to run a different one for your final scan. However, they are worth a mention here if you are looking for a replacement AV solution.

ESET - Same as above.

Kaspersky - Again, same as BitDefender and ESET.

MSE - Free antivirus from Microsoft for any valid copy of Windows. Very powerful, and very lightweight on system resources.


Choose one of the above, and scan your system. More than likely, nothing will be found - yay!

Step Seven: Kill the Zombie Infections!

Often, an end-user will remove an infection, only to have it come back shortly thereafter. The reason is this:
Malware likes to hide in your system restore information.

It does this so that it can re-infect your computer at seemingly any time. There is a way to combat this though, and it is very easy: delete the system restore information.

For Windows XP:

Open Start->Control Panel->System->System Restore

Turn off System Restore, click Apply, then reboot your system. After it comes back up, you may safely re-enable system restore.

For Windows Vista or 7:

Open Start->Control Panel->System->System Protection

Now click on the Local Disk field and click Configure then select Turn off system protection and Apply. Reboot your system. After it comes back up, you may safely turn system protection back on.


That's it! Very easy, and no more going through pointless re-installs.


Wait! I'm Still Seeing Scareware/Rogue Antivirus!

Not to worry. While ESET/BitDefender/Kaspersky are all great at removing these outside Windows, new variants are released almost daily - and sometimes the updates for the scanners don't come out fast enough. Luckily, this is easily resolved.

Manual removal time!

Manually removing an infection like this is not hard at all, only tedious. You see, all scareware/rogue antivirus installs in well-known locations. I say 'well-known' because the file paths are predictable.

For Windows XP:

ALL rogue antivirus infections will install under the Application Data folder in the infected User Profile. That is:
C:\Documents and Settings\\Application Data

This is a hidden folder, so make sure you have Show Hidden Folders checked in Folder Options.

From there, it will be in either the Local, LocalLow or Roaming folders. From there it will be a folder with a seemingly random string of characters. This is where the tedious part comes in, as some programs make the same kind of folder. The key difference is that the legit folders with random strings for names are very long (e.g. {35733029-9859-49C7-8475-1E78E2AAE413}); all rogue antivirus ones are relatively short.
In addition, inside the folder will be an executable with the same name as the folder. This executable IS the infection. Normally they are around ~5MB. Delete the folder, then empty the Recycle Bin.


For Windows Vista or 7:

Almost all of these infections will install to the AppData folder inside the infected User Profile. That is:
C:\Users\\AppData

This is a hidden folder, so make sure you have Show Hidden Folders checked in Folder Options.

From there, it will be in either the Local, LocalLow or Roaming folders. From there it will be a folder with a seemingly random string of characters. This is where the tedious part comes in, as some programs make the same kind of folder. The key difference is that the legit folders with random strings for names are very long (e.g. {35733029-9859-49C7-8475-1E78E2AAE413}); all rogue antivirus ones are relatively short.
In addition, inside the folder will be an executable with the same name as the folder. This executable IS the infection. Normally they are around ~5MB. Delete the folder, then empty the Recycle Bin.


The other place it can hide is the ProgramData folder on the root of your OS drive, that is:
C:\ProgramData


Again, this is usually a hidden folder. From there it will be the folder name with a random string of characters, with the same-named executable inside. Delete it.

Note: You may have to change ownership/permissions on certain files/folders to delete them. If, for any reason, you are unable to do so, I recommend booting to a Linux Live CD and deleting the file from that environment.

Luckily, these rogue antivirus programs do not duplicate any files outside of the system restore information. So, once you delete the executable - the infection is taken care of.
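To make the folder hunt above less tedious, here is a small Python triage script (an added example, not from the guide) that applies the same heuristic: a short, random-looking folder name under Local/LocalLow/Roaming holding a same-named executable in the ~2-7MB range, while skipping long GUID-style names. The 12-character name cutoff and the constructed sample tree are assumptions; the script only lists candidates for you to review, it deletes nothing.

```python
"""Flag AppData folders matching the rogue-antivirus pattern from the guide.
Hypothetical helper; thresholds below are assumptions, not values it states."""
import os
import re
import tempfile

PROFILE_SUBDIRS = ("Local", "LocalLow", "Roaming")          # named in the guide
GUID_RE = re.compile(r"^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]+$")
MAX_SHORT_NAME = 12                                          # assumption: "relatively short"
SIZE_BAND = (2 * 1024 * 1024, 7 * 1024 * 1024)               # ~2-7MB per the guide


def looks_suspicious(folder):
    """Return the same-named .exe path if `folder` fits the pattern, else None."""
    name = os.path.basename(folder)
    if GUID_RE.match(name) or len(name) > MAX_SHORT_NAME:
        return None                      # long GUID-style names are the legit case
    if not RANDOM_NAME_RE.match(name):
        return None
    exe = os.path.join(folder, name + ".exe")
    if not os.path.isfile(exe):
        return None                      # the folder and executable share a name
    size = os.path.getsize(exe)
    return exe if SIZE_BAND[0] <= size <= SIZE_BAND[1] else None


def scan_appdata(appdata_root):
    """Look one level below Local/LocalLow/Roaming and collect candidate executables."""
    hits = []
    for sub in PROFILE_SUBDIRS:
        base = os.path.join(appdata_root, sub)
        if not os.path.isdir(base):
            continue
        for entry in sorted(os.listdir(base)):
            path = os.path.join(base, entry)
            if os.path.isdir(path):
                exe = looks_suspicious(path)
                if exe:
                    hits.append(exe)
    return hits


def build_sample_tree():
    """Constructed sample AppData tree: one legit GUID folder, one rogue-style folder."""
    root = tempfile.mkdtemp()
    guid = "{35733029-9859-49C7-8475-1E78E2AAE413}"
    legit = os.path.join(root, "Local", guid)
    rogue = os.path.join(root, "Roaming", "kjh3d9s")           # constructed short name
    os.makedirs(legit)
    os.makedirs(rogue)
    with open(os.path.join(legit, guid + ".exe"), "wb") as f:
        f.write(b"\0" * (3 * 1024 * 1024))                    # in band, but GUID name
    with open(os.path.join(rogue, "kjh3d9s.exe"), "wb") as f:
        f.write(b"\0" * (5 * 1024 * 1024))                    # ~5MB like the guide says
    return root


def demo():
    """Scan the constructed tree; only the rogue-style folder should be reported."""
    return scan_appdata(build_sample_tree())


if __name__ == "__main__":
    for hit in demo():
        print("candidate for manual review:", hit)
```

On a real machine, point scan_appdata at the infected profile's AppData folder (and, for the ProgramData case, adapt the base list) and review each candidate before deleting anything.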


Rootkits

Rootkits deserve special attention. As I said earlier, you can only remove rootkits with special programs - and if those fail, you'll want to re-install.

ComboFix is also a rootkit remover in and of itself, however sometimes it cannot completely remove a rootkit. In that rare instance, I recommend the following to be run:

GMER - GMER is in fact powerful, but it is also confusing. I would only recommend it if you either: 1) Are fairly experienced or 2) Have a full backup of your data and you don't care if you mess it up.

TDSS Killer - TDSS Killer is put out by Kaspersky, and as the name suggests its sole purpose is to detect and remove the TDSS (or Alureon) rootkit (pain in the arse it is). It will first scan to see if you are infected with it, and then, if you are, attempt to remove it. If unsuccessful, I recommend a re-install. In my experience, it has never failed.

Comments (1)

Very thorough and useful info! Thanks!