
Cleaning a bad infestation of malware, viruses, trojans, rootkits, etc.

Muck

Enjoy Every Sandwich
Since I seem to be on a security kick lately I thought I might as well post some detailed directions I put together for a friend on another board who's having severe issues with all the little nasties...

(Feel free to comment, ask questions or add to the guide)



1. Update your anti-spyware & antivirus programs to the newest versions available.

2. Run Disk Cleanup (If you have a third party app like CCleaner, Clean Up!, ATF Cleaner or Advanced Windows Care run that instead).

3. Download HijackThis from Trend Micro.

- Run a scan and save the logfile (be sure to change the name from "hijackthis.log" to something you will remember, like "hijackthisbefore.log").

4. Open "Add/Remove Programs" and check to see if there is anything weird that needs to be uninstalled (unknown toolbars, search utilities, etc.).

5. Turn off the real time monitoring of all your security programs (any antispyware, antivirus, firewalls)

6. Download & run McAfee Stinger.

7. Download & run the newest version of Microsoft's Malicious Software Removal Tool

8. Go to ESET NOD32, F-Secure, BitDefender or Trend Micro and run an online scan (these all use ActiveX, so you must use IE).

9. Reboot the computer and start up in safe mode.

10. Do a full scan with your primary anti-spyware program. Once the scan is complete & repairs made make sure the program is completely closed. If there is an icon in the system tray that means it is still running. Right click on the icon and select “exit” (or “close”, “shutdown” etc).

- Repeat with your secondary anti-spyware program.

- Finally do a full scan with your anti-virus program.

11. Reboot normally

12. Again turn off real-time monitoring and completely close any of your anti-spyware/antivirus programs that load at startup.

13. Run your anti-spyware scanners & anti-virus again as you did while in safe mode.

14. Run HijackThis a final time and again give the log file a unique name to distinguish it (i.e. "hijackthisafter.log").

15. If you are still having problems you can copy & paste your HijackThis logfiles into the analyzer at I Am Not A Geek which will help you find files that may be causing problems. Google anything listed as bad to find specific methods of removing the problem files. (Be careful as the analyzer does give false positives at times.)

- You can also paste the logs at the Castle Cops, Hijack This Logs forum. Start a new thread with a title describing the problem you are having and then paste your logfiles into the main body of the post. The members of the forum will be happy to help you figure out what the problem is through your log file.
 
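Steps 3 and 14 leave you with two HijackThis logs and no tool to compare them, so here is an added example (my own script, not part of HijackThis or of Muck's guide) that diffs a "before" and "after" log. The two logs embedded in it are constructed samples in the HijackThis line layout (the "Running processes:" block followed by Rnn/Fnn/Nnn/Onn entries); the file names hijackthisbefore.log / hijackthisafter.log are the ones from the guide. The part worth watching is "added_entries": an autorun entry that shows up only in the after log usually means the cleanup removed one copy and the infection re-created itself under another name, so you are not done.

```python
"""Diff a "before" and "after" HijackThis log (steps 3 and 14 of the guide).

Added example, not part of HijackThis or of the original post. The two logs
below are constructed samples that follow the HijackThis line layout.
"""
import re

# Constructed sample: log saved before cleanup.
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:03 PM, on 3/4/2010
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\user\Local Settings\Application Data\av.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [av] C:\Documents and Settings\user\Local Settings\Application Data\av.exe
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
"""

# Constructed sample: log saved after the safe-mode and normal-mode scans.
# The av.exe entry is gone, but a new randomly named one has appeared.
AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:17 PM, on 3/4/2010
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\user\Local Settings\Application Data\qwvxz\qwvxz.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sysupdate] C:\Documents and Settings\user\Local Settings\Application Data\qwvxz\qwvxz.exe
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
"""

# Every HijackThis finding is "<section> - <description>", e.g. "O4 - HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


def parse_hjt(text):
    """Return (processes, entries) from a HijackThis log.

    processes: set of paths listed under "Running processes:"
    entries:   set of (section, description) for every Rnn/Fnn/Nnn/Onn line
    """
    processes, entries = set(), set()
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if not line:                      # a blank line ends the process block
            in_procs = False
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            processes.add(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.add((m.group(1), m.group(2)))
    return processes, entries


def diff_logs(before, after):
    """Set differences between the two logs, sorted so output is stable."""
    procs_b, ents_b = parse_hjt(before)
    procs_a, ents_a = parse_hjt(after)
    return {
        "removed_entries": sorted(ents_b - ents_a),
        "added_entries": sorted(ents_a - ents_b),      # new after cleanup: look at these first
        "removed_processes": sorted(procs_b - procs_a),
        "added_processes": sorted(procs_a - procs_b),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # real use: python hjtdiff.py hijackthisbefore.log hijackthisafter.log
        with open(sys.argv[1], errors="replace") as fb, open(sys.argv[2], errors="replace") as fa:
            report = diff_logs(fb.read(), fa.read())
    else:                    # no arguments: run on the constructed samples above
        report = diff_logs(BEFORE_LOG, AFTER_LOG)
    for key, items in report.items():
        print(f"{key} ({len(items)}):")
        for item in items:
            print("   ", " - ".join(item) if isinstance(item, tuple) else item)
```

Run it with the two log paths as arguments; with no arguments it diffs the built-in samples and shows the [av] entry removed and the [sysupdate] entry added, which is exactly the pattern that means "scan again".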
step 16. format C:/
step 17. install linux

Great doc, Muck. Most internet providers have free security software that they update daily or weekly. Once you get things cleaned up, do yourself a favor and at the very least use those. If you do have an infection of sorts, be patient; it's possible you may have to repeat these steps over and over to get rid of it.
 
Can't resist....
YouTube - Mac Spoof: Security: http://www.youtube.com/watch?v=gFAJDbV9Vfs


Now back to the topic at hand. Does anybody have a good solution for when no .exe's can run (even in safe mode)? On top of that, I 'fixed' one recently that had implemented the built-in security policies to prevent explorer.exe from ever running (ran a boot-time scan; the virus took some system files with it. Had to re-format their box).
 
leroyjenkins;1171155; said:
I assumed from the thread name, that I would only need some penicillin to get rid of that stuff.......:)
When it comes to your data accept no substitutes ...



Cipro ....
 
Hodge;1171131; said:
Now back to the topic at hand. Does anybody have a good solution for when no .exe's can run (even in safe mode)? On top of that, I 'fixed' one recently that had implemented the built-in security policies to prevent explorer.exe from ever running (ran a boot-time scan; the virus took some system files with it. Had to re-format their box).

---Check to see if run32.dll is missing or corrupted.

---Try the system file checker:

C:\> sfc /scannow

...it will check all the system files to see if they need replacing (you'll need an XP CD).

---If you just want to try and run an antivirus scan, then boot off of a live CD.
Knoppix and the like will work fine, or you can use BartPE to build an XP live CD.

There is also the Ultimate Boot CD for Windows, which already has just about every tool imaginable slipstreamed in (you'll need a valid COA for the UBCD4Win).

Finally there's Windows XP Ultimate Edition which will let you build a full XP install disk (with a shitload of software preloaded). Again it was built using BartPE and requires a valid COA.

There is also the older DOS based Ultimate Boot CD which is the spiritual predecessor to the UBCD4Win.

FWIW BartPE, UBCD4Win & XPUltEd have been among the most important & useful tools available to me from a support standpoint.
 
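Following on from the live-CD suggestion above, an added example of my own (not from the post, and not from Knoppix, BartPE or UBCD) for the other thing a live CD buys you besides an AV scan: a timeline. With the infected disk mounted read-only under Linux, for instance at /mnt/win after `mount -o ro /dev/sda1 /mnt/win` on Knoppix (device and mount point are assumptions; use whatever the live CD shows you), this walks the volume and lists executable-type files modified in the last N days, newest first. Malware that can stop every .exe from launching still has to have been written to disk recently, and it cannot hide from a walk done from another OS. Run with no arguments it builds a small constructed directory tree in a temp folder instead, so you can try it anywhere.

```python
"""List recently modified executable-type files on an offline Windows volume.

Added example, not from the post or from Knoppix/BartPE/UBCD. Assumes the
infected disk is mounted read-only (e.g. at /mnt/win); the mount point is an
assumption passed on the command line. With no arguments it runs on a
constructed sample tree built in a temporary directory.
"""
import os
import sys
import tempfile
import time
from datetime import datetime

EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".bat", ".cmd"}


def recent_executables(root, days, now=None):
    """(mtime, path) for executable-type files under root modified within the
    last `days` days, newest first. Unreadable entries are skipped so a
    damaged volume does not abort the walk."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in EXEC_EXT:
                continue
            path = os.path.join(dirpath, fname)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue
            if mtime >= cutoff:
                hits.append((mtime, path))
    hits.sort(reverse=True)
    return hits


def demo(days=7):
    """Build a constructed mini-volume and return the basenames flagged."""
    now = time.time()
    sample = {  # relative path -> mtime (constructed, not real files)
        "WINDOWS/system32/kernel32.dll": now - 400 * 86400,        # untouched OS file
        "WINDOWS/Temp/setup.tmp.exe": now - 2 * 86400,             # dropped two days ago
        "Documents and Settings/user/Local Settings/Application Data/rkqhwvt/rkqhwvt.exe": now - 3600,
        "Documents and Settings/user/My Documents/notes.txt": now - 60,  # recent but not executable
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, mtime in sample.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"MZ")            # placeholder bytes, not a real PE
            os.utime(full, (mtime, mtime))
        return [os.path.basename(p) for _, p in recent_executables(root, days, now)]


if __name__ == "__main__":
    if len(sys.argv) >= 2:          # e.g. python recent.py /mnt/win 7
        root = sys.argv[1]
        days = int(sys.argv[2]) if len(sys.argv) > 2 else 7
        for mtime, path in recent_executables(root, days):
            print(datetime.fromtimestamp(mtime).strftime("%Y-%m-%d %H:%M:%S"), path)
    else:
        print("sample run:", demo())
```

Anything the walk turns up under Documents and Settings or a Temp directory with a recent timestamp is what you copy off (read-only mount, so it cannot run) and feed to the scanner or to the HijackThis log forums.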
Heads up to everyone in BP land. My computer was just attacked by a virus/malware. It disguises itself as a microsoft security program scanning for viruses. Here's the info from my subscription security scan:

Name: XP Internet Security 2010

Type: Rogue Security Software

Location: Key "hkey_current_user\software\c...

File "c:\documents and settings\...

I'll edit with more details. I've run a scan with my normal security suite (CA), and it seems to be quarantined, but any suggestions would be appreciated.

EDIT: The site I was on when it happened was wwtdd.com (What Would Tyler Durden Do?)

EDIT2: So, I was just going thru my web routine, sites visited: BP, O-zone, 11W, ohd.com, Buckeye Battle Cry, personal email, library account, Yahoo sports; no problems. Then I went to wwtdd.com, and was scrolling down the front page when my browser (Firefox, just updated within the last few days) shut down, and 2 "virus scan" windows appeared. I'm not sure if it's identical to MS security, since I don't use it, but it's obviously intended to imitate MS or XP; it even had the multi-colored shield icon in the toolbar.

I immediately assumed it was bullshit since I don't run any MS security, plus I had just run a routine virus scan within 48 hours, and this "MS" scan said it found 20 in just a few seconds. I close the windows (which prompt more windows with "your computer is at risk" and "update your subscription" or the like), close them, and the tray icon stays put. I right click on the icon (maybe not the smartest thing), and the "virus scan" windows pop back up. I close them again, and try to start Malwarebytes from the start menu, but it doesn't seem to respond. The "virus scan" windows pop up again. Close, and open my security suite from the toolbar, run a quick scan, quarantine, and restart.

The thing was able to do some kind of shit while it was running. When I opened the start menu after the reboot, the primary web browser had been changed back to IE. Haven't checked much else, but I'm gonna run another scan, just to be safe.
 
generaladm;1684780; said:
Heads up to everyone in BP land. My computer was just attacked by a virus/malware. It disguises itself as a microsoft security program scanning for viruses. Here's the info from my subscription security scan:

Name: XP Internet Security 2010

Type: Rogue Security Software

Location: Key "hkey_current_user\software\c...

File "c:\documents and settings\...

I'll edit with more details. I've run a scan with my normal security suite (CA), and it seems to be quarantined, but any suggestions would be appreciated.

EDIT: The site I was on when it happened was wwtdd.com (What Would Tyler Durden Do?)

I've dealt with this virus a few times already. (I'm assuming this is the same one that puts a blue and white shield in your task bar.)

Another thing to look for, to make sure you remove all files, is in your local user settings: there will be a folder named with random letters or numbers or a combination of both. It gives itself a hidden attribute, so you need to show hidden files and folders to find it.

Also look for this registry key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Antivirus 7"
 
scarletandgrey;1684790; said:
I've dealt with this virus a few times already. (I'm assuming this is the same one that puts a blue and white shield in your task bar.)

Another thing to look for, to make sure you remove all files, is in your local user settings: there will be a folder named with random letters or numbers or a combination of both. It gives itself a hidden attribute, so you need to show hidden files and folders to find it.

Also look for this registry key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Antivirus 7"

Thanks a ton. I deleted anything in my user settings that I didn't recognize, and was modded around the time of the attack. Did a full computer search for the registry key, and no results.
 
generaladm;1684817; said:
Thanks a ton. I deleted anything in my user settings that I didn't recognize, and was modded around the time of the attack. Did a full computer search for the registry key, and no results.

You might want to take another look for that registry key; it might be a little different, since the virus has changed the name of the antivirus it's trying to disguise itself as. It might end in something like antivirus 10 or something like that. DO NOT DELETE something, though, if you're not sure about it. You might be paying for it big time later with computer instability. Also try Malwarebytes.
 
scarletandgrey;1684843; said:
You might want to take another look for that registry key; it might be a little different, since the virus has changed the name of the antivirus it's trying to disguise itself as. It might end in something like antivirus 10 or something like that. DO NOT DELETE something, though, if you're not sure about it. You might be paying for it big time later with computer instability. Also try Malwarebytes.

I did a Malwarebytes full scan, and it did come up with these:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) ->

Quarantined and rebooted. Thanks again. Don't worry, I wasn't going thru my settings files and deleting random shit. I found three that had gibberish names, with the same creation date, and modded at the time of the attack. Since you've seen this before, are there any things I should check for settings changes? Any idea what the malware was intended to do?
 
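The exchange above boils down to two checks: a Run key entry with a random or profile-path name (scarletandgrey's "Antivirus 7" key and the hidden gibberish folder), and the three Security Center *DisableNotify values Malwarebytes flagged. Here is an added example of mine (not from Malwarebytes, HijackThis or either poster) that turns both into something repeatable. On Windows it reads the real HKLM/HKCU Run keys and the Security Center key through Python's winreg module; anywhere else it runs against the constructed sample entries embedded in the file. The random-name heuristic is deliberately narrow (no vowels at all, or letters and digits interleaved), so it will miss a name like "Antivirus 7"; that is why the second test, "does it launch from under Documents and Settings or a Temp folder", is there as well. It only reports; per the warning above, nothing gets deleted.

```python
"""Triage of Run-key entries and Security Center notification flags.

Added example, not from Malwarebytes, HijackThis or the posters. Live
collection uses winreg and therefore only runs on Windows; the sample
entries below are constructed.
"""
import re
import sys

VOWELS = set("aeiou")
PROFILE_DIRS = ("\\documents and settings\\", "\\users\\", "\\application data\\",
                "\\local settings\\", "\\temp\\")
DISABLE_NOTIFY = ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")

# Constructed samples in the shape collect_live() returns: (hive, value name, command).
SAMPLE_RUN = [
    ("HKLM", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("HKCU", "Antivirus 7", r"C:\Documents and Settings\user\Local Settings\Application Data\av.exe"),
    ("HKCU", "rkqhwvt", r"C:\Documents and Settings\user\Local Settings\Application Data\rkqhwvt\rkqhwvt.exe"),
]
SAMPLE_SC = {"AntiVirusDisableNotify": 1, "FirewallDisableNotify": 1, "UpdatesDisableNotify": 0}


def looks_random(name):
    """Narrow heuristic for machine-generated names ('rkqhwvt', 'x7f2k9'):
    alphanumeric, at least 6 chars, and either vowel-free or with letters and
    digits interleaved at least three times. Ordinary names with a normal
    vowel rhythm (ctfmon, svchost, system32) pass, which is intended."""
    stem = re.sub(r"\.[a-z0-9]{1,4}$", "", name.lower())   # drop a short extension
    if len(stem) < 6 or not stem.isalnum():
        return False
    if not any(c in VOWELS for c in stem):
        return True
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.isdigit() != b.isdigit())
    return switches >= 3


def classify_run_entry(name, command):
    """Reasons an autorun entry deserves a look; an empty list means nothing odd."""
    reasons = []
    cmd = command.lower()
    if any(d in cmd for d in PROFILE_DIRS):
        reasons.append("runs from a user-profile or temp directory")
    parts = [name] + re.split(r"[\\/]", cmd.strip('"'))   # value name plus each path component
    if any(looks_random(p) for p in parts):
        reasons.append("random-looking name")
    return reasons


def check_security_center(values):
    """Names of the *DisableNotify values set to 1 (warnings suppressed)."""
    return [n for n in DISABLE_NOTIFY if values.get(n) == 1]


def triage(run_entries, sc_values):
    flagged = []
    for hive, name, command in run_entries:
        reasons = classify_run_entry(name, command)
        if reasons:
            flagged.append((hive, name, command, reasons))
    return {"suspicious_run": flagged, "notify_disabled": check_security_center(sc_values)}


def collect_live():
    """Read the real keys (Windows only). Missing keys/values are simply skipped."""
    import winreg
    runs = []
    for hive, hname in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"), (winreg.HKEY_CURRENT_USER, "HKCU")):
        try:
            with winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
                i = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, i)
                    except OSError:          # no more values
                        break
                    runs.append((hname, name, str(value)))
                    i += 1
        except OSError:
            pass
    sc = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Security Center") as key:
            for n in DISABLE_NOTIFY:
                try:
                    sc[n] = winreg.QueryValueEx(key, n)[0]
                except OSError:
                    pass
    except OSError:
        pass
    return runs, sc


if __name__ == "__main__":
    runs, sc = collect_live() if sys.platform == "win32" else (SAMPLE_RUN, SAMPLE_SC)
    result = triage(runs, sc)
    for hive, name, command, reasons in result["suspicious_run"]:
        print(f"[{hive}] {name} -> {command}\n      {'; '.join(reasons)}")
    for n in result["notify_disabled"]:
        print(f"Security Center: {n} = 1 (notifications suppressed)")
```

On the sample data it flags "Antivirus 7" (profile path only) and "rkqhwvt" (profile path and random name), leaves ctfmon.exe alone, and reports the two notification flags set to 1. Treat the output as a list of things to research, as scarletandgrey says, not a delete list.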