VideoHelp Forum
  1. Had an XP computer that got the bogus antivirus malware. Tried to run Malwarebytes, but the virus would not allow me to run ANY exe, Task Manager or the Sysinternals task manager. Then booted into Safe Mode and was able to run Malwarebytes and eliminated the virus.
    My question is this: suppose, even in Safe Mode, I wouldn't be able to run Malwarebytes. Then what would be the next (fairly simple) way to get rid of the virus? I've heard about some methods, but I'm not sure how to go about them.
    One is to run Malwarebytes in Linux (using Windows emulation software). Another is using some kind of free Windows CD that boots into Windows from the CD and then trying to run Malwarebytes.
    Please comment on the above methods and any other methods.
  2. Member
    Do a disc image backup, like Acronis True Image, of the drive your OS is on. Clean out garbage/temp files first, do a complete system scan with AV/spyware software, do a defrag, then do the disc image. Easy restore in a few minutes if things get hosed up again.
  3. Member
    Originally Posted by CSULB71
    Do a disc image backup, like Acronis True Image, of the drive your OS is on. Clean out garbage/temp files first, do a complete system scan with AV/spyware software, do a defrag, then do the disc image. Easy restore in a few minutes if things get hosed up again.
    I've been doing that with Win XP for over 10 years. Still working from my original install. The only additional comment I would make to CSULB would be to use Acronis to clone 2 separate C: disks, 1 if you need it and another just in case. The amount of time it takes to do the clone is about 1/2 hour. The time it takes to stick the new disk in... about 2 min.

    Tony
  4. I got rid of a couple by opening msconfig and identifying the "suspicious" processes starting with Windows. I think I had to do that from safe mode. If in doubt, Google them from another PC.
    Once I worked out which ones I wanted to remove, I used Eraser to do so, because I think even in safe mode they were locked and I couldn't just delete them. You can tell Eraser to erase files on the next reboot if it can't erase them immediately, which seems to do the trick.

    I agree with the making an image of your setup idea. I've been doing it for years too. Only in my case I have two hard drives, and each has a small partition for just Windows and programs. Well the first drive has both, the second drive just has a clean installation of Windows. I've got the Norton Ghost exe on both drives. If I need to make an image, I just reboot, choose the second drive as the boot drive, then when Windows loads I run Norton and image the Windows and programs partition from the first drive onto the second drive. Much faster than messing about with burning images to discs. Likewise I restore images the same way. Once it's done I copy the image from the second drive to the second partition on the first drive, so if a drive dies I've got a backup copy.
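
The .exe blocking in the opening post and the startup-entry hunt in the post above both come down to a handful of registry locations that fake-antivirus malware rewrites: the exefile shell\open\command association (the reason no .exe would start), the Winlogon Shell and Userinit values, Image File Execution Options "Debugger" entries (used to redirect taskmgr.exe and similar to the malware), and the Run/RunOnce keys. What follows is an added example, not code from this thread or from any of the tools named in it: a Python script that reads a regedit-format export (assumed to have already been decoded from UTF-16 to plain text) and flags those locations. The sample export and every file name in it, the expected Userinit path for a default XP install on C:, and the "Temp/Application Data" heuristic are constructed assumptions.

```python
import re

# Constructed sample in regedit "Windows Registry Editor Version 5.00" export format.
# Every path and file name here is made up for the example; nothing came from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\User\\Local Settings\\Application Data\\ave.exe\" /START \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\WINDOWS\\Temp\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="C:\\Documents and Settings\\User\\Local Settings\\Temp\\abcd.exe"
'''

EXEFILE_KEY = r'HKEY_CLASSES_ROOT\exefile\shell\open\command'
WINLOGON_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Assumed defaults for an XP install on C:; a WINNT or D: install needs these adjusted.
EXEFILE_DEFAULT = '"%1" %*'
USERINIT_OK = re.compile(r'c:\\windows\\system32\\userinit\.exe,?', re.I)
# Heuristic (assumption): autoruns launched from temp or per-user data directories deserve a look.
SUSPECT_DIR = re.compile(r'\\(Temp|Application Data|AppData)\\', re.I)
RUN_KEY = re.compile(r'\\CurrentVersion\\Run(Once)?$', re.I)

VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<data>.*)$')


def _unescape(s):
    # .reg exports write a backslash as \\ and a double quote as \"
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; the key's default value is stored under ''."""
    hives = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            hives.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue  # hex: continuation lines and anything unparsed are skipped
        name = '' if m.group('name') is None else _unescape(m.group('name'))
        data = m.group('data')
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])  # REG_SZ; dword:/hex: values are kept as raw text
        hives[key][name] = data
    return hives


def audit_autostarts(hives):
    """Return (category, location, data) triples for the locations fake AV commonly rewrites."""
    findings = []
    cmd = hives.get(EXEFILE_KEY, {}).get('')
    if cmd is not None and cmd.strip() != EXEFILE_DEFAULT:
        findings.append(('exefile-hijack', EXEFILE_KEY, cmd))
    winlogon = hives.get(WINLOGON_KEY, {})
    shell = winlogon.get('Shell')
    if shell is not None and shell.strip().lower() != 'explorer.exe':
        findings.append(('winlogon-shell', WINLOGON_KEY + r'\Shell', shell))
    userinit = winlogon.get('Userinit')
    if userinit is not None and not USERINIT_OK.fullmatch(userinit.strip()):
        findings.append(('winlogon-userinit', WINLOGON_KEY + r'\Userinit', userinit))
    for key, values in hives.items():
        if '\\Image File Execution Options\\' in key and 'Debugger' in values:
            findings.append(('ifeo-debugger', key, values['Debugger']))
        if RUN_KEY.search(key):
            for name, data in values.items():
                if SUSPECT_DIR.search(data):
                    findings.append(('autorun-from-temp-or-profile', key + '\\' + name, data))
    return findings


if __name__ == '__main__':
    for category, where, data in audit_autostarts(parse_reg_export(SAMPLE_REG)):
        print(f'{category:28} {where}\n{"":28} -> {data}')
```

The export would be taken from Safe Mode or from another boot environment, since on the live infected desktop the hijacked exefile association stops regedit and reg.exe from starting too, and the script then runs on a clean machine. Treat hits as leads to check by hand rather than a verdict: legitimate software occasionally registers an IFEO debugger or runs from Application Data, and the exefile command is the one entry where any deviation from "%1" %* is almost certainly the cause of the "can't run any exe" symptom.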
  5. classfour
    Malwarebytes now has a folder named "Chameleon". This stores an executable that will install Malwarebytes on an infected machine - to include downloading definition updates and performing an immediate scan.
    ;/ l ,[____], Its a Jeep thing,
    l---L---o||||||o- you wouldn't understand.
    (.)_) (.)_)-----)_) "Only In A Jeep"
  6. Member
    I've used this method a few times:
    Reboot and load windows in safe mode with networking.

    Login with your admin account

    Download and run Rkill.
    http://www.bleepingcomputer.com/download/rkill/

    Download and run TDSSKiller
    http://support.kaspersky.com/faq/?qid=208283363

    Download and run temp file cleaner
    http://www.bleepingcomputer.com/download/tfc/

    Download, install, update and run a full scan with Malwarebytes
    http://www.malwarebytes.org/

    That should kill 9/10 infections

    hope you get sorted.
    Last edited by wrathofbod; 4th Aug 2012 at 13:04.
  7. aedipuss
    there's a program that is specifically designed just to remove these critters.

    http://freeofvirus.blogspot.com/2009/05/remove-fake-antivirus-10.html
    --
    "a lot of people are better dead" - prisoner KSC2-303
  8. classfour
    aedipuss - will try - Thanks!

    I've battled several of these things this year - averaging three machines a month, most are creeping in past the browser.
  9. Which browser?

    Mind you I think 99.9999% of the time they creep in past the user. One of the teenagers in the house has had his PC infected with that sort of thing at least three times in the last year. Yet I don't run antimalware, I don't run antivirus software and I don't run a software firewall (I'm behind a router) and I travel to all sorts of corners of the internet without getting infected.
  10. ranchhand
    I think Freebird (correct me if I am wrong) has created an Ubuntu virtual distro that has AVG and Malwarebytes on it, and it even updates the indexes before running on the targeted hard drive. I have used it a couple of times, and it works pretty well. The only bump I encountered is that it required a direct cable internet connection; it will not access the internet and update with a wireless NIC (unless it's just my setup).
    Link: http://ubuntuantivirusrescuecd.appspot.com/
    Last edited by ranchhand; 4th Aug 2012 at 22:05.
  11. lordsmurf
    I'd try the f-secure boot disc.
    If that fails, run Combofix from bleepingcomputer.com (and ONLY from BC, nowhere else).

    Malwarebytes is useless for this problem. Or at least it has been in the past.
    Want my help? Ask here! (not via PM!)
    FAQs: Best Blank DiscsBest TBCsBest VCRs for captureRestore VHS
  12. I always find it interesting how many people provide non-answers to questions. In this case, comments relating to backup solutions are non-answers. Backups are great, but that is not related to the question I asked. Thanks for the 2 answers that I'm going to look into, esp. the one from "ranchhand" about running Malwarebytes from Linux. Several years ago, someone (maybe the same person) provided a Linux iso with Malwarebytes/AVG, but I couldn't get it to work. I will try this new "improved" version and see what I can do. In theory, this should be a near 1-click solution that I might be able to handle.
    I'm still looking for a good source of viruses/malware to infect a machine, so I can practice getting rid of the viruses.
  13. Banned
    Originally Posted by jimdagys
    I'm still looking for a good source of viruses/malware to infect a machine, so I can practice getting rid of the viruses.
    This isn't the best idea I've ever heard, but then again based on your posts you've proven that neither common sense nor lack of knowledge need to be an impediment in doing whatever you feel like, so go for it!
  14. Banned
    Originally Posted by jman98
    Originally Posted by jimdagys
    I'm still looking for a good source of viruses/malware to infect a machine, so I can practice getting rid of the viruses.
    This isn't the best idea I've ever heard, but then again based on your posts you've proven that neither common sense nor lack of knowledge need to be an impediment in doing whatever you feel like, so go for it!
    Amazing. The O.P. might try loading a rootkit like TDSS into the system and see what happens.

    I see where someone earlier says they kill the running process and delete its files. That does nothing for the registry entries or the copies that a lot of malware keeps in your restore points, the Java cache, and the re-installers they load as hidden files in your user settings (and copies of their code in your registry too, BTW). Most of the worst malware running in RAM doesn't show up in your Process list. It's known as file cloaking. Windows doesn't know it's there, and neither do you. But...to each his own.
    Last edited by sanlyn; 23rd Mar 2014 at 06:08.
  15. Member
    Originally Posted by jimdagys
    I always find it interesting now many people provide non-answers to questions.
    My suggestion may have been a "non-answer" to your specific problems, but once you've fixed things, a back-up disc image of your OS drive partition (best kept on a separate partition/hard drive from the OS) is the best and quickest thing you can do to get back to normal after you get infected again.
  16. That doesn't work if that backup image has the virus also. Which just happened to a lady in our office.
  17. I have nothing to fix. I just wanted info in case I need to fix somebody else's computer. By the way, I used the suggestion above from "ranchhand" using a Linux cd that runs Avast and Malwarebytes. See: http://ubuntuantivirusrescuecd.appspot.com/
    The website includes a video of what to do. A person with limited computer ability can follow the steps.
    From Linux, I ran Avast and Malwarebytes, each for about 20 minutes before aborting due to my time constraints. The scanning (displays in real time what is being scanned) hadn't even reached the Windows folder yet when I aborted. (Still was scanning Documents and Settings.) At that rate, it probably would have taken several hours to finish scanning the operating system drive.
    I'd like to hear from anybody that has done the above scanning to completion and the results ( including the time to finish scanning).
    The above website also has a reference to where you can get free benign viruses (http://www.spycar.org) to infect your computer.
    Last edited by jimdagys; 15th Aug 2012 at 21:06.
  18. ranchhand
    I'd like to hear from anybody that has done the above scanning to completion
    Yes, two different times the Avast scanner found trojans and weakened the infection enough so that at least I could boot into Windows again and I finished the cleaning from there. Incidentally, when Avast finds something it recommends the "vault"; delete the virus instead. Remember that there is no vault in the virtual environment to put the virus into. Yes, it takes a long time, but let it run and go do something else. The only tricky thing was when the Avast scan finished and the Malwarebytes started; it updated the indexes fine, and then wanted to install the newer version of the MB engine. The first time I said Yes and it exited out. The second attempt I said No and the scan proceeded normally. Nothing is guaranteed of course. I tried it on a kernel level rootkit once and it "saw" something but could not nuke it. I used the Reatogo distro to run Old Timer's, and it logged an alternate data stream as confirmation but could not remove it either. I had to end up reinstalling Windows on that one. To be reasonable, a kernel level rootkit is probably not fixable in most cases.
  19. Banned
    Originally Posted by ranchhand
    I tried it on a kernel level rootkit once and it "saw" something but could not nuke it. I used Reatogo distro to run Old Timers, and it logged an alternate data stream as confirmation but could not remove it either. I had to end up reinstalling Windows on that one. To be reasonable, a kernel level rootkit is probably not fixable in most cases.
    Rootkits install as a hidden partition or as a corrupted boot partition. Can't be removed from outside the system. If you can get Windows started, run Kaspersky's TDSSKiller and/or ComboFix. Removing a rootkit from outside Windows will likely make the machine unbootable, since the rootkit controls bootup. The two apps mentioned will restore the boot sector and the Windows Control Set in the registry.

    Most people don't seem to get the fact that serious malware isn't just one or two "files" but can consist of dozens or even hundreds of registry entries that take control of the OS.
    Last edited by sanlyn; 23rd Mar 2014 at 06:08.
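
The post above describes rootkits that control bootup from a corrupted boot sector or a hidden partition, and tools that "restore the boot sector". The MBR layout makes that concrete: the first 446 bytes of sector 0 hold the bootstrap code, bytes 446..509 hold the four 16-byte partition entries, and bytes 510..511 hold the 0x55AA signature. What follows is an added example, not code from this thread or from TDSSKiller or ComboFix: Python that parses a 512-byte MBR, compares the bootstrap code against a known-good hash (for instance taken from a disk image made while the machine was clean, which is where the imaging advice earlier in the thread pays off), reports layout anomalies including unpartitioned space after the last partition (the only place a "hidden partition" could sit without showing in the table), and shows a repair that rewrites only the code area while leaving the partition table untouched. The byte patterns, partition geometry, disk sizes and the 2048-sector gap threshold are constructed assumptions, not data from a real disk.

```python
import hashlib
import struct

SECTOR = 512
TABLE_OFFSET = 446          # partition table starts here; bytes 0..445 are bootstrap code
ENTRY_SIZE = 16
SIGNATURE = b'\x55\xaa'     # bytes 510..511
ENTRY_FMT = '<B3xB3xII'     # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
TAIL_GAP_THRESHOLD = 2048   # sectors (1 MiB); an assumed cut-off for "worth a look", not a standard


def build_mbr(boot_code, entries):
    """Assemble a 512-byte MBR from bootstrap code and up to 4 (status, type, lba_start, count) tuples."""
    if len(boot_code) > TABLE_OFFSET or len(entries) > 4:
        raise ValueError('boot code must fit in 446 bytes and there are at most 4 entries')
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(entries):
        # CHS fields are left zeroed; the LBA fields are what matters here.
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + i * ENTRY_SIZE, status, ptype, lba, count)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the non-empty partition entries; 'end' is exclusive (start + count)."""
    if len(mbr) != SECTOR:
        raise ValueError('MBR must be exactly 512 bytes')
    if mbr[510:512] != SIGNATURE:
        raise ValueError('missing 0x55AA boot signature')
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype == 0 and count == 0:
            continue  # empty slot
        parts.append({'slot': i, 'status': status, 'type': ptype, 'start': lba, 'end': lba + count})
    return parts


def audit_mbr(mbr, disk_sectors, known_good_code_sha256=None):
    """Return a list of human-readable findings; an empty list means nothing stood out."""
    findings = []
    if known_good_code_sha256 is not None:
        if hashlib.sha256(mbr[:TABLE_OFFSET]).hexdigest() != known_good_code_sha256:
            findings.append('bootstrap code differs from the known-good copy')
    parts = parse_mbr(mbr)
    active = [p for p in parts if p['status'] == 0x80]
    if len(active) != 1:
        findings.append(f'{len(active)} active partitions (expected exactly 1)')
    for p in parts:
        if p['status'] not in (0x00, 0x80):
            findings.append(f'slot {p["slot"]}: invalid status byte 0x{p["status"]:02x}')
        if p['end'] > disk_sectors:
            findings.append(f'slot {p["slot"]}: partition runs past the end of the disk')
    ordered = sorted(parts, key=lambda p: p['start'])
    for a, b in zip(ordered, ordered[1:]):
        if b['start'] < a['end']:
            findings.append(f'slots {a["slot"]} and {b["slot"]} overlap')
    if ordered:
        tail = disk_sectors - ordered[-1]['end']
        if tail > TAIL_GAP_THRESHOLD:
            findings.append(f'{tail} unpartitioned sectors after the last partition (check for hidden storage)')
    return findings


def replace_boot_code(mbr, clean_code):
    """Overwrite only the bootstrap area; partition table and signature are carried over unchanged."""
    if len(clean_code) > TABLE_OFFSET:
        raise ValueError('clean boot code must fit in 446 bytes')
    return clean_code.ljust(TABLE_OFFSET, b'\x00') + mbr[TABLE_OFFSET:]


# Constructed scenario: placeholder byte patterns, not real boot code and not a real infection.
CLEAN_CODE = b'\xfa\x33\xc0' + b'\x90' * 40
HOOKED_CODE = b'\xeb\x3c\x90' + b'\x41' * 40
CLEAN_CODE_SHA256 = hashlib.sha256(CLEAN_CODE.ljust(TABLE_OFFSET, b'\x00')).hexdigest()
PARTITIONS = [(0x80, 0x07, 63, 102_400 - 63)]   # one active NTFS partition ending at sector 102400
CLEAN_DISK_SECTORS = 102_400                    # partition fills the disk
INFECTED_DISK_SECTORS = 102_400 + 4_096         # same table, but 4096 sectors of unclaimed space follow it

if __name__ == '__main__':
    clean = build_mbr(CLEAN_CODE, PARTITIONS)
    infected = build_mbr(HOOKED_CODE, PARTITIONS)
    print('clean   :', audit_mbr(clean, CLEAN_DISK_SECTORS, CLEAN_CODE_SHA256))
    print('infected:', audit_mbr(infected, INFECTED_DISK_SECTORS, CLEAN_CODE_SHA256))
    repaired = replace_boot_code(infected, CLEAN_CODE)
    print('repaired:', audit_mbr(repaired, INFECTED_DISK_SECTORS, CLEAN_CODE_SHA256))
```

To run the check on a real disk you would read the first 512 bytes of the raw device (\\.\PhysicalDrive0 on Windows, /dev/sda from a Linux rescue CD) and pass the disk's sector count; the audit only reads. Two caveats follow directly from the thread: a rootkit that hooks disk access inside a running Windows can hand a clean-looking sector 0 to anything that asks, so the read is only trustworthy from outside the infected OS; and the repair leaves the unpartitioned stash in place and, as sanlyn warns, a rewritten boot sector can leave the machine unbootable if the code you write back is not what that disk and OS expect, which is why the known-good copy should come from the same machine's own image.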
  20. Thanks for the info. If one browses "bleepingcomputer", TDSSKiller and/or ComboFix seem to be the prescribed medicine in the majority of virus problems. But you have to wait usually several days to be guided through when posting a virus problem on the bleepingcomputer website. Then, they never tell you the exact cause of the problem.
    However, I didn't know that things could be made worse by trying to fix the computer from outside Windows.
    Originally Posted by sanlyn
    Removing a rootkit from outside Windows will likely make the machine unbootable, since the rootkit controls bootup.
  21. Banned
    That's because a rootkit overtakes control entries in the registry. As I said, a rootkit isn't just a few "files"; what you might find as an infected file is only one aspect of trojans and rootkits. They usually have hidden files and cloaked processes running in the background. If you run Malwarebytes and look at its list of bad guys found, the list includes numerous registry values. Sometimes those registry entries are even a complete copy of the bad guy's code loader. More sophisticated anti-malware like MBAM or Combofix will restore certain areas of the OS to the proper values (such as repairing the Winsock layer, which often happens).

    One advantage to running scans outside the OS environment, of course, is intercepting and removing some of the bad guys' runtime scripts, etc., which can often get you back into Windows for further cleanup. I've done this many times, either in Linux or via bootable disc or even removing the hard drive and scanning with another PC. Simple adware and/or lots of those phony virus alerts can often be cleaned up outside the system. But if it was something like TDSS that overtakes bootup and/or registry entries like your Control Sets and internet access, it's the registry that needs cleaning as well. I think MBAM does a neat job of repairing stuff, but it can't detect rootkit cores.

    I haven't waited around for BleepingComputer to read a post, I just run combofix from Safe Mode. Slow as hell, but it loads executables that operate outside Windows, and often requires reboot so it can look over the system before Windows starts. Most rootkit killers, if they find the bad guy, will restore the boot sector. They get the restoral info from other files on the PC and from the registry.

    Combofix and TDSSKiller are last-resort measures. I wouldn't run them unless there's no other way to get the bad guys.
    Last edited by sanlyn; 23rd Mar 2014 at 06:09.
  22. lordsmurf
    Originally Posted by sanlyn
    restore points, the Java cache, and the re-installers they load
    There's several more niche tools for this:
    - Temp File Cleaner
    - JavaRa
    - Kaspersky TDSSKiller

    To date, the F-secure boot disc has been very effective at removing the most serious malware. What little remains tends to be weak, and can be zapped with MalwareBytes and similar non-niche tools. I clean up computers for friends and family at least twice per year.

    I'm migrating one to Linux next month. I've not yet decided on which GUI or distribution is best. (Suggestions?) I'm leaning towards Mint. Linux isn't virus/malware-free, but it's less of a target (desktop only -- not server), and it'll be harder to infect.
    Last edited by lordsmurf; 21st Aug 2012 at 01:52.
  23. Banned
    Haven't come across JavaRa, lordsmurf, thanks for mentioning. I'll add that one to ye olde toolbox.
    Last edited by sanlyn; 23rd Mar 2014 at 06:09.
  24. The above Linux cd from "ranchhand" is a near one-click operation, great for people with limited computer ability. I am curious, the F-secure disk that you mentioned, after it boots up (and what does it boot into?), what kind of options, methods, etc are used for virus removal? Is it easy to use?
  25. F secure disk looks like an interesting tool, but it might be too geeky for me. I was reading a pdf file on usage of the f- secure disk, and it says that it will rename viruses in the boot sector. Presumably, although it doesn't say this, renamed files will be rendered harmless. At this point, I thought to myself, what if it renames a file by mistake, rendering the computer inoperative? Sure enough, later I read:
    One of our customers had problems with a system file that was renamed by our virus scanner, but the detection was actually a false positive.
    And to deal with that problem required ability to use the "command line". What I like about Malwarebytes, is that you can (with one click) undo any changes made to the computer.
  26. Originally Posted by jimdagys
    Thanks for the info. If one browses "bleepingcomputer", TDSSKiller and/or ComboFix seem to be the prescribed medicine in the majority of virus problems. But you have to wait usually several days to be guided through when posting a virus problem on the bleepingcomputer website. Then, they never tell you the exact cause of the problem.
    However, didn't know that things could be made worse by trying to fix the computer from outside Windows.
    Removing a rootkit from outside Windows will likely make the machine unbootable, since the rootkit controls bootup.
    ComboFix usage, Questions, Help? - Look here http://www.bleepingcomputer.com/forums/topic273628.html
    ComboFix is an Anti-Malware tool used by advanced malware technicians
    specifically trained in its use.

    Please DO NOT USE COMBOFIX on your own without supervision!!!

    We ask that you obey the warnings about using this tool. Why? The warnings are given for a reason and one of them is to inform our members about the consequences that may occur when using ComboFix in an unsupervised environment. Yes, ComboFix is an excellent but powerful tool. I liken it to Acetaminophen (Tylenol). Used correctly, the drug will help with your aches and pains. Used incorrectly, it can destroy your liver and eventually kill you. The same scenario applies to ComboFix. Used in untrained hands this tool can disable your computer and in some cases can make it unbootable. Further, trained helpers prefer to see preliminary scans from other tools like DDS and GMER before asking anyone to run Combofix because they provide comprehensive logs with specific details about files, folders and registry keys which may have been modified by malware infection. Analysis of those logs allows checking for the presence of rootkits, planning a strategy for effective disinfection and a determination of whether using ComboFix is necessary.
    You can use it. I see posts all the time on BC about no boot after Combofix. That is why they have that warning I quoted above.

    BC does not suggest anyone use it except in their Malware logs forum under supervision.

    Your choice.

    TB
    If I'd known I was going to live this long, I'd have taken better care of myself.
  27. Banned
    Originally Posted by lordsmurf

    I'm migrating one to Linux next month. I've not yet decided on which GUI or distribution is best. (Suggestions?) I'm leaning towards Mint. Linux isn't virus/malware-free, but it's less of a target (desktop only -- not server), and it'll be harder to infect.
    We used Ubuntu at work a few years ago as our distribution because we had a lot of Windows users to give PCs to with weak Linux skills. At least at the time Ubuntu seemed to have the best driver support for home users and the kind of PCs we were putting together to give out. I thought it was pretty user friendly and our users came to grips with it quickly and with few problems.

    I'm a Linux/Unix command line guy and I can't admit to much GUI experience on the platform. We disable the GUI stuff on our internal builds now as we don't need it. I guess if I had to use a GUI I'd probably use KDE or something based on that.
  28. Banned
    Originally Posted by TBoneit
    You can use it. I see posts all the time on BC about no boot after Combofix. That is why they have that warning I quoted above.

    BC does not suggest anyone use it except in their Malware logs forum under supervision.

    Your choice.

    TB
    I'm sorry, TB, but your "forum supervision" is a joke. I have never -- I repeat NEVER -- in all the years I've followed thousands of posts on your forums, not ever ever ever seen any "special instructions" for running Combofix except to click the damn icon and run the thing. There are instructions for follow-up or cleanup if something goes wrong (and you'd better be an assembler programmer to do it). Meanwhile I've yet to find a single instance in which the dozens of prep steps you have people go through before running Combofix have ever produced results, and the poor saps who've been hanging online for a week or two weeks running one useless tool after another end up running Combofix anyway.

    Look at it this way: A rootkit hits your machine. Here's your choices: (a) back up anything you want saved, even if from an external box for your hard drive, then run something like combofix to get rid of the bad guy and restore operations. If it screws up, you have to reinstall. Or there's the other choice: (b) back up anything you want saved, even if from an external box for your hard drive, then reinstall. Or there's the third choice: (c) back up anything you want saved, even if from an external box for your hard drive, then buy a new computer.

    Get it?
    Last edited by sanlyn; 23rd Mar 2014 at 06:09.
  29. My point was that jimdagys seems to think you just run it whenever you suspect a virus. My point was that it can trash a computer.

    I actually killed an infected but booting computer with a Microsoft tool. The one I'm thinking of you create a boot CD and run it from there, "Windows Defender Offline". It killed the virus alright. Unbootable = no more virus. I use Combofix myself, when nothing else works. Once all else fails and a reload is in the future, no loss if it trashes Windows.

    I just felt that Joe Newbie needs to be warned against thinking it to be a magic bullet with no risks. On my own computers, If I suspect a virus since something just got flaky, I zero the beginning and end of the drive and reload. I use a SSD boot drive and data is on a 1 or 2 TB 7200 drive except for the laptops in which case it is on one or two 64Gb flash drives or an External hard drive. My last reload on a I3 w/4Gb and 120Gb SSD I had reloaded Win7 and drivers, restored my files and A/V and was downloading security updates an hour later.

    TB
  30. Banned
    I agree. Combofix and relatives are a last resort. Not for casual adware removal. I'd use it only if I couldn't clean the worst of rootkit infections by other means. As I say, by the time you reach that point the system is trash anyway. It's either backup and take a deep breath, or backup and reinstall.
    Last edited by sanlyn; 23rd Mar 2014 at 06:09.