Question


How to remove Malware

By Defragme ·
I'm a beginner and I love it, but I'm getting frusterated with not being able to clean the machine of some malware. My machine is fine, but I keep running into family, which I'm working on now, that download the malware "your computer is infected" Windows has detected spyware infection! click this message to install the last update of windows security software... and then I think the "Warning! your're in Danger" Wallpaper get's going. I've googled it, and found some folders in Documents and Settings, found some registry keys that I've deleted, but it's still there. What am I missing? Any help would be greatly appeciated.

This conversation is currently closed to new comments.

9 total posts (Page 1 of 1)  

All Answers


It's quicker and easier

by Jacky Howe In reply to How to remove Malware

these days to use a few tools to cleanup infections.

To remove the malware, you must first disable System Restore, then scan the system with up-to-date antivirus software - allowing it to clean, delete, or quarantine any viruses found. After the system has been disinfected, you may then re-enable System Restore.

Download Spybot - Search & Destroy and install it. Update it. http://www.safer-networking.org/en/download/index.html

Download Malwarebytes Anti-Malware, install it and update it.

Malwarebytes: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick Scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.


With the new strains of Virus that have been created you may find it necessary to rename the executable files so that they will work. Rename mbam-setup.exe and then navigate to the install folder and rename mbam.exe. Do not change the file's extension from .exe. Do the same with Spybot.


If you are still having problems try this.

Download Combofix and rename the executable Combofix.exe to cfix.exe before running it.

http://www.combofix.org/


http://www.combofix.org/download.php

When all is clear you may need to tidy up the Registry.

Registry:

Download and install CCleaner to tidy up your Registry. Back up the Registry as you go along, rescan again and again saving as you go until there are no errors left.

Cleaner: Windows

When you first open Ccleaner you will have an option to Analyze or Run Cleaner, after checking the left Pane and making your choices. Delete all Temp Files. If you scroll down you will see a greyed out box that has Advanced next to it. Left click on it and keep pressing OK to all of the responses. I normally Untick Windows Log Files and Memory Dumps as they may come in handy.

You don't have to install all of the add ons or shortcuts just the one to the Desktop.

http://www.ccleaner.com/download


It won't let me install anything

by Defragme In reply to It's quicker and easier

I have a symantec disk and it won't install, I can't run anything.


Maybe

by Jacky Howe In reply to It won't let me install a ...

You could remove the Drive and add the Drive as a Slave to another System or a USB enclosure and then run MalwareBytes.

Follow the steps below with the System started in Safe Mode with Networking. Keep tapping the Function Key F8 as the System starts up.

Click Start, Run type msconfig and press Enter.

Now if you have the Configuration Utility open.
Configure selective startup options
In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.
Click to clear the Process SYSTEM.INI File check box.
Click to clear the Process WIN.INI File check box.
Click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.
Click the Services tab.
Click to select the Hide All Microsoft Services check box.
Click Disable All, and then click OK.
When you are prompted, save the settings and restart the System.

Then see if you can install the tools.

When you have it sorted out re-run the Configuration Utility and in the System Configuration Utility dialog box, click the General tab, and then click Normal Startup.

Edit: are there any error messages displayed at all


Thank You

by Defragme In reply to Maybe

Sorry, I had to cut out last night and give up, too many adult beverages and thought it would be best to start fresh in the AM. The selective start up allowed me to install malwarebytes and spybot search and destroy. I ran them both with system restore off and then again on normal start up. I am getting two error messages RUNDLL error loading C:\windows\sys32\wotupogo.dll the specific module could not be found and onestep210.exe has encountered a problem and needs to close. I'm also having a hard time trying to get rid of the red shield with white x saying your computer might be at risk, click this balloon to fix this problem, Trend Micro might be out of date. Once again, thanks for your help, I love this site and being new I'm learning a ton from pros like yourself.
It looks like trend micro is real antivirus software, again it's not my system but this trend micro has been expired since 1/2009 so I'm getting rid of it.


That's OK as we are in different time zones anyway

by Jacky Howe In reply to Thank You

onestep210.exe has been identified as Adware

wotupogo.dll is related to Vundo (Virtumondo)

Run Ccleaner and if that doesn't remove the references use msconfig to track them down.


To check the Registry location for the offending file you can use Msconfig
Click Start and type msconfig and press Enter.
For the first item, expand the "Location" column to see where it is loading from in the registry.
Click on Start, Run, type "regedt32" and click OK.
Browse to the key listed in the "Location" column for Msconfig.
Delete the key on the right hand side only, that specifically matches that startup item. See example below.

Note the "Command" folder in Msconfig. Browse to this folder, and delete the .exe file itself. See example below.
EXAMPLE:
In this example, the Startup Tab of Msconfig indicates that:
pop.exe loads from Command "C:\WINDOWS\pop.exe" and Location
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

In this case, we go to the registry editor and find that Run key on the left window. On the right hand Window pane you'll see each item in that Run key, specifically "pop.exe" in this case. Delete the entry for "pop.exe".
Browse to the C:\WINDOWS folder, and manually delete the pop.exe file that resides there if it is still there.
Repeat these steps for each item.


I have been using Avast which is free for home use on my five networked Systems for months now without any problems, no impact on performance either. You only have to register it and then re-register again annually.

Avast-Free-Home-Antivirus: http://www.avast.com/eng/avast-free-home-antivirus-antispyware.html

When you install your new Antivirus it will remove the red shield with white x message that windows displays.
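The Msconfig-and-regedit walk-through above is a manual check of the Run keys. The following PowerShell script is an added example, not code from the thread or from any of the tools it mentions: it lists the same Run/RunOnce entries the Msconfig Startup tab reads, works out which file each command actually loads (for rundll32 commands that is the DLL named in the first argument, the pattern behind the "RUNDLL error loading ... module could not be found" message), and flags entries whose target no longer exists. It only reports; nothing is deleted. The sample command lines in the comments are constructed for illustration.

```powershell
# Added example (not from the thread): audit Run/RunOnce startup entries and flag
# the ones whose target file is missing. Read-only; review flagged entries by hand
# before removing them with regedit as described in the post above.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-StartupTarget {
    # Return the file a startup command really loads.
    # Constructed inputs for illustration:
    #   'rundll32.exe "C:\WINDOWS\system32\wotupogo.dll",a'  -> C:\WINDOWS\system32\wotupogo.dll
    #   '"C:\Program Files\Example\onestep210.exe" /silent'  -> C:\Program Files\Example\onestep210.exe
    #   'C:\WINDOWS\pop.exe'                                  -> C:\WINDOWS\pop.exe
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())

    # rundll32 <dll>,<entrypoint>: the DLL is the interesting file, not rundll32.exe itself
    if ($cmd -match '^(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+"?([^",]+)') {
        return $Matches[1].Trim()
    }
    # Quoted executable path, possibly followed by arguments
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path: stop at the first executable extension so spaces in the path survive
    if ($cmd -match '^(.+?\.(?:exe|com|bat|cmd|scr))(?:\s|$)') { return $Matches[1] }
    # Fallback: first whitespace-separated token
    return ($cmd -split '\s+')[0]
}

function Test-StartupTarget {
    # A bare file name (no directory) is resolved through the system search path;
    # System32 is the usual hit, so check it explicitly as a fallback.
    param([string]$Target)
    if (Test-Path -LiteralPath $Target -PathType Leaf) { return $true }
    if (-not [IO.Path]::IsPathRooted($Target)) {
        $sys32 = Join-Path $env:windir "System32\$Target"
        return (Test-Path -LiteralPath $sys32 -PathType Leaf)
    }
    return $false
}

function Get-StartupEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            if ($name -eq '') { continue }          # skip the (Default) value
            $cmd    = [string]$item.GetValue($name)
            $target = Get-StartupTarget $cmd
            [pscustomobject]@{
                Location = $key                    # same as Msconfig's "Location" column
                Name     = $name                   # the value to delete in regedit if it is junk
                Command  = $cmd                    # same as Msconfig's "Command" column
                Target   = $target
                Exists   = Test-StartupTarget $target
            }
        }
    }
}

# Missing targets sort first; these are the dangling references that produce
# "module could not be found" errors at logon.
Get-StartupEntries | Sort-Object Exists, Location | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable. On 64-bit Windows the Wow6432Node copies of the HKLM Run keys hold 32-bit entries as well; add them to `$runKeys` if you want those covered. An entry whose target exists is not necessarily clean (the thread's onestep210.exe was present and still adware), so treat the list as a starting point for the regedit steps, not as a verdict.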


I used the msconfig (start up tab) for location?

by Defragme In reply to That's OK as we are in di ...

I found them in there and then went into the registry and deleted them, couldn't find them in C:\Windows, but I've been searching files and folders and deleting for a couple of days now. Avast is running and so far found additional items that all the other popular favorites missed, thanks for that, I think I'm really going to like Avast. A non related question if I may. I just started with an organization as a help desk tech, weird story, I was selling real-estate and got slow with the market in the crapper, they asked if I wanted work installing software on their end users machines for their new Xerox machines and Voip system, I did and they asked me to stay full time. I really like working with computers and thought at 45 yrs old to try a career change. It's only me and the Boss in our IT department and the Boss won't show me anything regarding the servers, windows 2003, exchange, Novell or anything solving day to day problems. I google and go to you guys. My question is, What path should I take to try and be as good as you guys, I know it takes years of experience but so far I took the CompTIA A+ course and am getting ready for the test, it definitely helped but by no means taught me the registry key functions, next I'm planning on taking a Networking course, but then what? I think I would really like to program, but want to know everything on the way.

I really appreciate your time and any advice you could offer me.


Regarding the servers....

Until the boss knows you are OK and up to the task, then, and only then will he/she show you the servers. Do not try and be the big shot here, buy books and mags about computing and networks. Test out some bits at home so you feel comfortable with the tasks. If you have the money then subscribe to some Linux magazines. Have a look in your home town library for any more info plus here of course.
Hope all goes well.


My 2 bobs worth

by Jacky Howe In reply to I used the msconfig (star ...

The references to the registry would have been trying to start non-existent programs. Hence the error messages.

Unfortunately there are no real shortcuts but if you have a passion to learn it will be a lot easier. The A+ will give you a good base to start from and Networking will be to your advantage. My father-in-law taught me how to take them apart and put them back together. The first few years I fixed anything and everything that I could get my hands on for the experience. What started out as a hobby for me eventually took over. I got a break at a local high school where I was thrown in the deep end.

I didn't know anything about networking so I had to learn real fast. In a way I was lucky as in those days it was BNC cabling so long as someone didn't pinch the terminators or disconnect the cable it was OK.

I set up an NT4 file server and a Windows 98 workstation at home to test with. I used .INF files at logon to load restrictions on the 98 PC's Registry. I know that 98 is passthrough security but I had it pretty tight. I tried to replicate the school's file server as best I could. Creating users and mapping drives with logon scripts is easy when you know how. It was a learning experience for me.

There is a lot of information available on Technet: http://technet.microsoft.com/en-au/default.aspx
and for scripts I use Guy Thomas: http://www.computerperformance.co.uk/vbscript/index.htm

Registry troubleshooting steps for advanced users: http://support.microsoft.com/kb/822705
You can Google registry tips and get a good response.

As you can see I'm basically self taught and I don't have any paperwork but I know a little bit about a lot of different areas and if I'm unsure of something I will Google it. I read a lot and I have a few reference books that I use occasionally. It all comes down to experience and I have found that hands on for me is invaluable. You can get trial versions of Server Operating Systems to help you get up to speed.

As for programming I have no experience and someone else may chip in with some information for you. I have so far been able to get by with a bit of knowledge in DOS creating batch files and basic VBScript. I started at the age of 33, twenty years ago and it seems like yesterday as the time has gone so fast.

Sorry about rattling on but I never could put words to paper properly. Good luck in your future endeavors.

Rob
