Virus Fighting Toolkit

Last Modified: Jul 5, 2015 @ 07:04:30 PM

Deezil’s Malware Fighting Toolkit Redux

You were probably sent here from my profile on MetaFilter where this used to live. That’s great. There’s a lot of MetaFilter language in here (MeMail being the most used word), so either ignore it if you aren’t from there, or replace MeMail with the word e-mail.

Note: This is a living document. Don’t like how something is? Have a suggestion? MeMail Me. I’m more than willing to consider edits.

PLEASE GO GET CRYPTOPREVENT FROM HERE AND MAKE SURE IT IS IN PLACE ON YOUR SYSTEM. CRYPTOLOCKER IS SOME BAD STUFF, YOU DON’T WANT IT AND I CAN’T FIX IT

So, you’re infected. It happens to the best of us, man. Including myself. There’s no shame here. So let’s sit down, calmly go through your treatment options, and get you patched up.

All things equal, this is more of a throw-it-at-the-dartboard-and-see-what-sticks approach. If you can get the name of the program that keeps popping up, you can MeMail me with it, and I’ll look through the Bleeping Computer archives for your particular brand of nasty and guide you more specifically. Else, go forth.

To download all this, you’re gonna need a computer that you know isn’t infected. Some of these malware/virus programs can redirect what you think is a good link on a trusted webpage and turn it into a link that downloads more crap to your computer. They usually only rewrite links for known download pages. If you need me to host these somewhere for you because you can’t get to a clean machine, let me know.

If the FBI or CIA or any sort of government entity has your computer hostage and want a MoneyPak, STOP. LOOK AT THE VERY BOTTOM OF THIS POST.

The tools you are going to need are the following:

Download all these, and burn them to a CD (because flash drives can become infected too, but use one if you have to) and follow along.
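Since the whole point of using a clean machine is that a rewritten link can hand you a tampered installer, it is worth checking what you downloaded before burning it. The script below is an added example, not something from the original guide or from any of the tool vendors: on the clean machine it computes the SHA-256 of each downloaded file so you can compare it against the hash the vendor publishes on their download page, and it reports whether the file carries a valid Authenticode signature. The path and the expected hash in the usage line are placeholders; the function names are my own.

```powershell
# Added example, not part of the original guide. Run on the CLEAN machine
# before burning the tools to CD. Uses .NET directly instead of the newer
# Get-FileHash cmdlet so it also works on PowerShell 2.0 (Windows XP/7 era).

function Get-Sha256Hex {
    param([Parameter(Mandatory=$true)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead((Resolve-Path $Path).Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-DownloadedTool {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        # SHA-256 as published on the vendor's download page. The value passed
        # in the usage line below is a placeholder, not a real hash.
        [string]$ExpectedSha256
    )
    if (-not (Test-Path $Path)) { Write-Warning "Missing: $Path"; return $false }

    $ok = $true
    if ($ExpectedSha256) {
        $actual = Get-Sha256Hex $Path
        # String comparison in PowerShell is case-insensitive, so upper/lower
        # case hex from the vendor page both match.
        if ($actual -ne $ExpectedSha256) {
            Write-Warning "$Path : SHA-256 mismatch (got $actual)"
            $ok = $false
        }
    }

    # Most vendors sign their installers. A missing or broken Authenticode
    # signature on a file that should be signed is a red flag that the download
    # was swapped. Not every tool author signs, so this is a warning, not a
    # hard failure; the published hash is the authoritative check.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') {
        Write-Host "$Path : signed by $($sig.SignerCertificate.Subject)"
    } else {
        Write-Warning "$Path : signature status is $($sig.Status)"
    }
    return $ok
}

# Usage: replace the path and the hash with your real download and the
# vendor's published value (placeholder shown).
Test-DownloadedTool -Path 'D:\tools\downloaded-installer.exe' `
                    -ExpectedSha256 'PLACEHOLDER_SHA256_FROM_VENDOR_PAGE'
```

If a vendor does not publish a hash, the signature check is still useful: a valid signature from the company you expect is a reasonable sign the file arrived intact, while an installer that is unsigned when the vendor's own copy is signed should be re-downloaded from the vendor's site rather than burned to the CD.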

Do you know how to boot into Safe Mode? For Windows XP and 7, you tap the F8 key about twice a second as your computer is rebooting. You should get a list of startup options, the first one being Safe Mode. If you miss hitting it, you’ll get the Windows logo that tells you Windows is starting up like normal. Reboot and try again. For Windows 8, look at option 2 on this page.
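If your timing on F8 keeps missing, there is a way to tell Windows 7/8 to enter Safe Mode on the next boot from inside Windows. The script below is an added example and not part of the original guide; it uses the built-in bcdedit tool to set the safeboot flags on the current boot entry. It covers all three variants this guide uses (plain Safe Mode, Safe Mode with Networking, and Safe Mode with Command Prompt for the MoneyPak section at the bottom), and a Normal mode that clears the flags again. The function name is mine; bcdedit and its options are real. It needs an Administrator PowerShell window.

```powershell
# Added example, not from the original guide. Sets the Safe Mode flags in the
# boot configuration so the next reboot lands in Safe Mode without racing the
# F8 key. Requires an elevated (Run as Administrator) PowerShell on Windows 7
# or 8 (bcdedit.exe). Run it again with -Mode Normal when the cleaning is done,
# otherwise the machine keeps booting into Safe Mode.

function Set-NextBootSafeMode {
    param(
        [ValidateSet('Minimal', 'Networking', 'CommandPrompt', 'Normal')]
        [string]$Mode = 'Minimal'
    )
    # {current} is the boot entry Windows started from. The braces must be
    # quoted in PowerShell, or it tries to parse them as a script block.
    $entry = '{current}'
    switch ($Mode) {
        'Minimal' {        # plain Safe Mode (first part of the guide)
            bcdedit /set $entry safeboot minimal
            bcdedit /deletevalue $entry safebootalternateshell 2>$null
        }
        'Networking' {     # Safe Mode with Networking (TDSSKiller onward)
            bcdedit /set $entry safeboot network
            bcdedit /deletevalue $entry safebootalternateshell 2>$null
        }
        'CommandPrompt' {  # Safe Mode with Command Prompt (MoneyPak section)
            bcdedit /set $entry safeboot minimal
            bcdedit /set $entry safebootalternateshell yes
        }
        'Normal' {         # clear both flags so the machine boots normally again
            bcdedit /deletevalue $entry safeboot 2>$null
            bcdedit /deletevalue $entry safebootalternateshell 2>$null
        }
    }
    # Print the resulting entry so you can confirm the flags before rebooting.
    bcdedit /enum $entry
}

# Usage: pick the mode the current step calls for, then reboot.
Set-NextBootSafeMode -Mode Networking
# Restart-Computer
```

The `2>$null` on the deletevalue lines only hides the "element not found" error bcdedit prints when the flag was never set. On Windows 8 there is also a menu-driven route that does not touch the boot configuration at all: `shutdown /r /o /t 0` reboots straight into the Advanced startup screen, where Safe Mode is under Troubleshoot > Advanced options > Startup Settings.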

First, reboot into Safe Mode (NOT with Networking), and run rkill. Rkill will seemingly not do much, since all that program does is stop viruses/spyware that are trying to run.

Second, if all the files on your desktop and start menu have disappeared, run Unhide. This will take a long time to run (an hour or possibly more). There’s nothing you can do to speed it up, so just let it finish.

Next, run ComboFix, saying YES if it asks to install the Recovery Console (and don’t be alarmed if it doesn’t ask). Now, let ComboFix run, and just step away from the computer (usually over 30 minutes). No need to wait on it or do anything until you see a Notepad window with a funky-looking log on your screen. Feel free to e-mail me (on profile) that log and ask me to look it over, and I’ll see what we’ve got.

After ComboFix is all done, it is time to move on to some more fun tools.

From here on out, any reboots you do need to be into Safe Mode With Networking.

Run TDSSKiller. If it finds anything threatening or suspicious, remove it. It’s a quick run (less than 10 minutes). When running TDSSKiller, hit Change Parameters, and check all boxes. When it asks you to reboot, do that, and then run the TDSSKiller program again, checking all check boxes again.

After that’s done, run RootKit Remover, taking care of anything it finds as well.

Then, run MBAR, just to double check TDSSKiller and RootKit Remover.

Install MalwareBytes. Even if you have installed MalwareBytes before, install it again, don’t just update what was there and go on. The program updates frequently, and since you’ve already taken the time to download it above, just go ahead and get to installing. Once the install is finished, there will be two check marks for Update and Launch. Make sure both are checked, and hit Finish. Wait for the MalwareBytes window to come up (decline the free Pro trial, but if you are interested in Pro after researching, contact me and I’ll show you a good *legal* deal), and do a Full Scan. Again, this is another sit and wait, so sit, and wait (usually just a bit over an hour). Drink some tea. Relax.

That’s done? Remove everything it finds. Anything that can have a check mark needs a check mark, then press Remove Selected. Reboot if it asks.

Run Emsisoft Emergency Scanner. Remove everything it finds, and reboot if needed.

Now, run Microsoft Safety Scanner, Hitman Pro, and Stinger in about any order. Remove anything any of these three find.

Lastly, if you’re using Chrome, run the Chrome Software Removal Tool from above. Even if you aren’t running Chrome, but you have a new web browser that just looks like a gigantic piece of malware, get SRT anyway, because it may be an install of Chromium (the free-as-in-speech cousin that’s the basis for Chrome) that’s been bastardized.

You’re done with cleaning things up at this point, but let’s talk quickly about how you got into this in the first place.

Let’s talk about your anti-virus solution. Did it come with the computer, either named McAfee, Norton, or Trend, and you never paid for it? It’s woefully out of date, and really, if any of those products were worth paying for, I would tell you to do it. They’re not. I suggest Microsoft Security Essentials for use on your computer because it is fast, free, and updates regularly. Uninstall McAfee/Norton first. Instead of trying to do the uninstall from Add/Remove Programs, get the removal tool from either McAfee or Norton and run that program. Once it is done, install MSE, and run a full scan to make sure it doesn’t pick up anything either. For more alternatives, you could also try Avira (it may bug you to upgrade, but it’s a good product in free mode) or Panda Cloud Anti-virus (recommended to me by flabdablet), and I will add to this list as other users suggest things to me. Just be prepared to ask them questions, not me 😉

If you are running Windows 8: MSE now comes bundled with Windows, and is now part of the Windows Defender package. You are good to go with using just that. Microsoft actually bundled something useful with Windows this time.

In order to also protect from spyware infections on a more proactive basis, consider paying for the full version of MalwareBytes. It is an excellent program, and the paid version monitors the system constantly for spyware. If not, at least run a scan with it every week: start it up overnight, head to bed, and look at the results in the morning.

If you like what you see here, a MeMail of encouragement works, and I want to thank those that have called me out in the good way over in MetaTalk. Y’all rock. If you’re anywhere near Louisville, Kentucky, drop in and buy me a beer. I have taken PayPal before, but that’s your call. I do this as a free service because I want computers to be useful and work well.

If you have questions, never be afraid to ask. I’ll answer most anything over MeMail, and if we need, I can assist over TeamViewer.

Also, make sure to take a look at samsara’s profile for some more tips and tricks on how to secure your home machine.

OKAY HERE’S WHERE I TELL YOU ABOUT THE FBI / CIA / GOVERNMENT MONEYPAK CLEANING INSTRUCTIONS

First, start by downloading just the Emsisoft Emergency Kit (from another machine of course) and unzip the zip file it comes in.

On the machine you are downloading from, run the start.exe program from the folder where things unzipped, and click on Emergency Kit Scanner. Wait patiently for the program to run, and it will ask to update. Say Yes. Let it update.

Once it updates, close out of all the Emsisoft windows, and then take that folder that unzipped, and either burn it to a CD, or move it to a flash drive.

Take the CD/flash drive to your infected machine.

Turn the machine off, then plug the thumb drive in, and turn the machine back on, going to Safe Mode with Command Prompt. (See the profile for how to get into Safe Mode; just don’t pick regular Safe Mode or Safe Mode with Networking.)

Once it comes up to a command prompt window (it’ll be a black background with white text and a flashing cursor in it), type explorer and press Enter. This should bring up the normal Windows Start menu and desktop. Go to Start > Computer > your flash drive or CD, and run that start program again, also clicking on the Emergency Kit Scanner button.

There should be a Scan Now button on the middle right. Click that, choose Deep Scan, and then click Scan.

Sit back and watch the fireworks.

Clean everything it finds at the end. Do not be surprised if this scan takes two hours.

After that, boot back up normally. As long as the screen locking program goes away, run through the rest of the profile. If not, let me know.