Anyone out there up to a virus removal challenge?

By SadPandaBear ·
I need help BIGTIME. I have come across the nastiest virus or combo of viruses that I have come across. I am trying to avoid the "fix-all" of doing a wipe and starting from scratch.
Vcleaner and antivirus softwares will download but when run, ever so briefly a command box pops up and goes away, and nothing happens.
System restore: when trying to run it I get the "System Restore turned off by group policy" crap. Deleting the Policy Key through REGEDIT had no effect.
Comp is running Vista ultimate. Greatly appreciate anyone willing to help me straighten this out


12 total posts (Page 1 of 2)

All Answers


You're not giving us much to go on, but have you tried

by Darryl~ Moderator In reply to Anyone out there up to a ...

the ole standbys?

Malwarebytes - http://www.malwarebytes.org/
Spybot S & D - http://www.safer-networking.org/index2.html

I also like doing a "boot time" scan with Avast antivirus - http://www.avast.com/eng/download-avast-home.html

Give some of that a try....

Also....download Ccleaner & run it 3 or 4 times on the registry cleaner option - http://www.ccleaner.com/

Get back to us


Recommendation Results

by SadPandaBear In reply to Anyone out there up to a ...

For the software from malwarebytes.org, ccleaner.com and Spybot, they would all download, but when run it seems like they failed to initiate, as the black command line box flicker (as mentioned in the original post) also happened to these.
Avast downloaded and actually began the installation process, however upon completion of the download the setup does, an error occurs. Tried again, same result.
I also was able to download Kaspersky, and it began the installation process as well. After the extraction, and as it actually started to complete the install itself, blue screen of death, causing no more display (black screen) yet not causing a shutdown, as all hardware was still powered up.
Sorry for the time it took to respond, I was awaiting an email notice for a response which did not happen. Thx for the tips, please let me know if you have any more or if you need any info from me about the computer/what it is doing to help out.


Are you running them in safe mode?

by jimmy-jam In reply to Reccomendation Results

When things are really ugly, a lot of the time you must run in safe mode or it just won't work.


Safe Mode

by SadPandaBear In reply to Are you running them in s ...

Tried a few earlier, went back and tried the rest. The ones that were failing to initiate in normal mode once again failed to initiate, however it did give reports as to why (temp file required to initiate could not be made in safe mode).
Avast still hung up at the same point in safe mode.
Now for good news, Kaspersky was able to install under safe mode, up to the point of validation. Rebooted to normal mode, validated the copy, currently it is updating the database and will run a scan as soon as that is complete. I'll get back to y'all with results once the scan is complete.
Thx again
-SlightlyLessSadPandaBear


A couple of tips

by Jacky Howe In reply to Anyone out there up to a ...

Follow the steps below with the System started and restarted in Safe Mode with Networking. Running in Safe Mode loads a minimal set of drivers for the Operating System. You can use these options to start Windows so that you can modify the registry or load or remove drivers. If you can access the Internet use it to download the files.

If you can't access the internet to update MBAM try the instructions below to clear a path to the internet to be able to run MBAM. You can also download the updates for MBAM and run them from the USB.

From another System download and install Spybot, update it and copy the installed folders to a USB Stick. Copy MBAM and the Update as well.

With the new strains of Virus that have been created you may find it necessary to rename the executable files so that they will work. Rename mbam-setup.exe and then navigate to the install folder and rename mbam.exe. Do not change the file extension from .exe. Do the same with Spybot.

Removing malware from System Restore points:

When you're infected with any trojans, spyware or malware, they could have been saved in System Restore and can re-infect you. It's best to remove them.

XP
Press the WinKey + r type sysdm.cpl and press Enter.
Select the System Restore tab and check "Turn off System Restore".


Vista
Press the WinKey + r type sysdm.cpl and press Enter
Select the System Protection tab. Untick the box next to Local Disk C: and any other drives and click on Turn System Restore off.


After scanning the system and removing the offending malware, re-enable System Restore by repeating the steps, this time removing the check from "Turn off System Restore".

Once you have restarted the Infected System in Safe Mode, navigate to the USB stick and run Spybot.

Download Spybot - Search & Destroy and install it. Update it. http://www.safer-networking.org/en/download/index.html

Download Malwarebytes Anti-Malware, install it and update it.

Malwarebytes: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick Scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.

If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
mbam-rules: http://malwarebytes.gt500.org/mbam-rules.exe

I would keep scanning with it until it is clean by closing out and rebooting and running it again.

Run this Rootkit Revealer, GMER:
Gmer: http://www.gmer.net/index.php

FAQ: http://www.gmer.net/faq.php

Tip! If you want to write protect the USB drive/stick while you are working on an infected System.
In the recent release of Windows XP Service Pack 2 (SP2), a new feature was added by Microsoft to allow the write protection of USB block storage devices. This entails a simple Registry modification that requires no hardware devices to write protect thumb drives.

If the USB drive has no small switch for write protection you can turn it on through the Registry via Command Line.

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /v WriteProtect /t REG_DWORD /d 1 /f

and one to turn it off but a System restart is required. Place a Batch file on the USB to turn it off.

reg delete HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /f


If TaskManager has been disabled this will enable TaskManager to allow access to the Registry.

Command line removal or create Batch files.

Click Start Run and type cmd and then press Enter.

Execute the following commands in the command line in order to activate the registry editor and Task Manager:

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /f

You could also check these registry entries and change the values from 1 to 0 if they are disabled.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"

If you are still having problems try this.

Download Combofix and rename the executable Combofix.exe to cfix.exe before running it.

http://www.combofix.org/

http://www.combofix.org/download.php

Fixmbr - Repair Master Boot Record and remove Viral activity

Site
http://www.ambience.sk/fdisk-master-boot-record-windows-linux-lilo-fixmbr.php

Download
http://www.ambience.sk/experiments/MbrFix.exe


Download MbrFix to C:\

Press Winkey + r and type in cmd and press Enter.

Now type cd\ and press Enter.

Now type MbrFix /drive 0 savembr Backup_MBR_0.bin and press Enter.

Now type MbrFix /drive 0 fixmbr /yes and press Enter.

Now type exit and press Enter.

Restart the System for it to take effect.


When all is clear you may need to tidy up the Registry.

Registry:

Download and install CCleaner to tidy up your Registry. Backup the Registry as you go along, rescan again and again saving as you go until there are no errors left.

Cleaner: Windows

When you first open Ccleaner you will have an option to Analyze or Run Cleaner, after checking the left Pane and making your choices. Delete all Temp Files. If you scroll down you will see a greyed out box that has Advanced next to it. Left click on it and keep pressing OK to all of the responses. I normally Untick Windows Log Files and Memory Dumps as they may come in handy.

You don't have to install all of the add ons or shortcuts just the one to the Desktop.

http://www.ccleaner.com/download
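The post above lists several registry values that malware commonly sets to hobble the operator (Task Manager and Regedit disabled, Security Center overrides, the USB WriteProtect flag) and gives individual reg commands to undo each one. The following PowerShell script is an added example, not part of the thread or of any of the tools it mentions: it audits every one of those values in one pass and reports what it finds, and only changes anything when you pass -Fix, in which case it applies the same deletions and resets the post describes. It additionally checks the DisableSR value under the Windows NT\SystemRestore policy key, which is where the "Turn off System Restore" group policy lives and which matches the symptom the OP reported. Run it from an elevated PowerShell prompt, ideally in Safe Mode as the post recommends.

```powershell
# Added example (not from the thread): read-only audit of the registry values this
# thread's instructions tell you to delete or reset, with an optional -Fix switch that
# applies the same changes. Run from an elevated PowerShell prompt.
[CmdletBinding()]
param([switch]$Fix)

# Each entry: registry path, value name, the value an infection typically sets (Bad),
# how the thread says to undo it (delete the value or set it to 0), and why it matters.
$checks = @(
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DisableTaskMgr';       Bad=1; Action='Delete';  Why='Task Manager disabled by policy' },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DisableRegistryTools'; Bad=1; Action='Delete';  Why='Regedit disabled by policy' },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center';                         Name='FirewallOverride';     Bad=1; Action='SetZero'; Why='Security Center firewall warnings suppressed' },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center';                         Name='AntiVirusOverride';    Bad=1; Action='SetZero'; Why='Security Center AV warnings suppressed' },
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';       Name='DisableSR';            Bad=1; Action='Delete';  Why='System Restore turned off by policy (the OP''s symptom)' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies';     Name='WriteProtect';         Bad=1; Action='Delete';  Why='USB write protection still on (undo after the cleanup)' }
)

foreach ($c in $checks) {
    $value = $null
    if (Test-Path $c.Path) {
        # Get-ItemProperty returns $null for a missing value when errors are silenced
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    }

    if ($null -eq $value) {
        Write-Host ("OK     {0}\{1} not present" -f $c.Path, $c.Name)
        continue
    }
    if ($value -ne $c.Bad) {
        Write-Host ("OK     {0}\{1} = {2}" -f $c.Path, $c.Name, $value)
        continue
    }

    # The value is set the way an infection would leave it: report it, and fix only on request
    Write-Warning ("FOUND  {0}\{1} = {2}  ({3})" -f $c.Path, $c.Name, $value, $c.Why)
    if ($Fix) {
        switch ($c.Action) {
            'Delete'  { Remove-ItemProperty -Path $c.Path -Name $c.Name -Force }
            'SetZero' { Set-ItemProperty -Path $c.Path -Name $c.Name -Value 0 -Type DWord }
        }
        Write-Host ("FIXED  {0}\{1}" -f $c.Path, $c.Name)
    }
}
```

Run it once without -Fix to see what the infection has changed; that list is worth keeping with your notes, because a value that reappears after a reboot and a -Fix run tells you something is still active and re-applying the policy, which is exactly the case where the post's Safe Mode, rootkit scan and MBR steps come next. For WriteProtect the script removes only the value rather than the whole StorageDevicePolicies key as the post's batch file does; both approaches need a restart to take effect.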


Geez Jacky......

by Darryl~ Moderator In reply to A couple of tips

That's pretty much what we've already said....you just went into a whole bunch more detail.

Sometimes people won't read that many instructions


LOL

by Jacky Howe In reply to Geez Jacky......

more fool them, then. The OP did ask if anyone was up to a challenge. I just supplied a few workarounds. Probably won't need them all but they are there if needed. Turning off System restore and renaming the .exe's to get them to work can come in handy. Looks like the OP already had problems installing and running the AV.


I wasn't picking on you....

by Darryl~ Moderator In reply to LOL

it was just like....Gee wiz.....that's one h3ll of a lot of info.

Yeah, I always turn off restore points when working on a virus problem....why bother scanning them also....once it's clean...turn them back on. :)

I have a BART cd I boot to & scan the HDD that way on the really bad systems...that works well but is very slow.


You're cool

by Jacky Howe In reply to I wasn't picking on you.. ...

Last week I wasn't giving out enough information. I took it that the OP was a Tech. That's what the profile said, and I thought that a Tech, would already know how to clear CMOS. lol

Slow is an understatement; boringly slow is how I see it.

I loathe Spammers and Malware/Virus/Spyware writers. If only they could put their knowledge to good use, I'm sure that we would all benefit.
I try to keep up with Michael Kassner's Blogs as he is right up to date with what is happening and occasionally I will chime in, if I think that someone can benefit from my input.

I used to use Bart's CD but I discovered PE2. It's available from the AIK (Automated Installation Kit). It can easily be modified to run applications. I occasionally use it along with a USB drive that has my DOS based removal tools.

Sometimes if I can't access the System, I will slave the drive to another System and then scan the drive. I redo the scans when the drive is back in the original System. To be sure, to be sure.

I found that the best way, but it's not always possible, is to try and clean the infected System by going into Safe Mode. That way the scanners can disinfect the registry as well as system files. A lot of AV scanners can't access System Restore points, so it's best to turn it off.

SadPandaBear hasn't been back, so the problems may have been solved. Let's hope so anyway.


On the path to recovery

by SadPandaBear In reply to Anyone out there up to a ...

Kaspersky did its job while I passed out on the couch and took a nap. Now just to repair the damage that was done; the comp should be back to normal operation by the end of the evening. Thx for y'all's help. If I have any more issues tonight I will surely let y'all know.
