• Tools for safely removing rogue anti-malware

    #467489


    PERIMETER SCAN

    Tools for safely removing rogue anti-malware

    By Ryan Russell

    The last several rounds of malware I’ve had to fight were all of a type — bogus security applications.

    In this article, I’ll share my favorite techniques for removing those fake “You’re infected!” warnings that pop up on your PC.


    The full text of this column is posted at WindowsSecrets.com/2010/03/18/07 (paid content, opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

    • #1213907

      I have found that you can install Spybot Search and Destroy on a thumb drive and update it on a clean computer and then run it on the contaminated computer from the thumb drive. Using this while a computer is running in safe mode usually works to remove enough of the rogue anti-virus software that other programs like Malwarebytes can then be installed and run normally.

      • #1213917

        I have found that you can install Spybot Search and Destroy on a thumb drive and update it on a clean computer and then run it on the contaminated computer from the thumb drive. Using this while a computer is running in safe mode usually works to remove enough of the rogue anti-virus software that other programs like Malwarebytes can then be installed and run normally.

        Don’t forget to scan your flash drive after using it on an infected machine. 🙂

        Super Antispyware is also a great product, but it uses the Microsoft Installer, which is unavailable in safe mode without jumping thru hoops. Super Antispyware also has a portable version that can easily be run from a flash drive while in safe mode. However, depending on the malware present, you may be unable to launch the executable file. If this is the case, change the *.exe extension to *.com. Make sure that “don’t display hidden files” is unchecked or you can’t change the file extension.

        My technique for eliminating rogue:

        1. Use the outstanding free product from Microsoft, formerly Sysinternals, called Autoruns to try and identify and disable rogue processes. Once identified, the application will show you the location of the offending executables, dll’s, etc.

        2. Then use Windows Explorer to search for the rogue security product previously identified and delete the executable. Most rogue will have a folder with a random name, such as “12345678.” Also, some variants will have an executable with a name such as “av.exe.” Most rogue stores itself in the user directories. To fully search these directories, you must however uncheck “hide hidden folders.” Go thru EVERY user, and EVERY user folder to look for anything suspicious. If unsure whether a file or directory is legit, rename the file temporarily for diagnostic purposes. Download and run ATF cleaner to remove all temp files which may contain rogue. You may need to rename the *.exe file to *.com in order to run the program.

        3. Download AVZ Antiviral Toolkit. Depending on the severity of the infection and damage that may have been done to Windows, you may need to rename the *.exe file to *.com in order to run the program. Update the product, then do a full scan with removals.

        4. Scan with Super Antispyware to remove any remnant dll’s and to remove registry entries.

        5. Reboot, then scan with MalwareBytes Antimalware to catch whatever was not eliminated by SAS.

        6. Reboot again. Launch AVZ again and perform a restore of Windows functionality, ie. networking repair, file association repairs, etc.

        7. Install a GOOD anti-malware solution, such as NOD32, Kaspersky, Microsoft Security Essentials. If you already have a solution, make sure it’s updated and finish with a scan just to make sure.

        Some rogue is so insidious that it installs Trojans and Rootkits that can actually infect critical Windows files, which can be removed by antivirus products, leaving the Windows system unbootable. This will require file replacement from the applicable service pack.

        If this sounds like too much work, format and reinstall Windows and your apps. This will definitely give you back a clean system. :-/
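        As an added illustration of steps 1 and 2 above (this is not code from the post, from Autoruns, or from any of the tools named): a small Python script that reads an Autoruns CSV export and applies the heuristics the post describes by hand, flagging autorun entries whose image runs from a user profile or temp directory, sits in a random-looking folder such as “12345678”, or carries a generic name such as “av.exe”. The column names (“Entry”, “Publisher”, “Image Path”) are an assumption about the export format, and the sample rows are constructed; match them to the header line of your own export.

```python
import csv
import io
import re
from typing import Dict, List

# Constructed sample in the shape of an Autoruns CSV export. The column names
# are an assumption about the export format: check them against the header
# line of your own export and rename if they differ.
SAMPLE_CSV = r"""Entry Location,Entry,Description,Publisher,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SynTPEnh,Synaptics TouchPad Enhancements,Synaptics Incorporated,c:\program files\synaptics\syntp\syntpenh.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,12345678,,,c:\documents and settings\alice\local settings\application data\12345678\12345678.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,av,,,c:\documents and settings\alice\local settings\temp\av.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ctfmon,CTF Loader,Microsoft Corporation,c:\windows\system32\ctfmon.exe
"""

# Paths under a per-user profile (XP "Documents and Settings" or Vista+ "Users").
USER_PROFILE_RE = re.compile(r"\\(documents and settings|users)\\[^\\]+\\", re.I)
# Any temp directory component in the path.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.I)
# Executable names the thread calls out as typical for rogue security products.
GENERIC_NAMES = {"av.exe"}


def looks_random(name: str) -> bool:
    """Digits-only folder names such as '12345678', or long letter/digit mixes."""
    if re.fullmatch(r"\d{6,}", name):
        return True
    return len(name) >= 8 and name.isalnum() and sum(c.isdigit() for c in name) >= 3


def triage_entry(row: Dict[str, str]) -> List[str]:
    """Return the reasons an autorun entry deserves a closer look (empty if none)."""
    path = (row.get("Image Path") or "").strip().strip('"').lower()
    if not path or path.startswith("file not found"):
        return []
    parts = path.split("\\")
    basename = parts[-1]
    parent = parts[-2] if len(parts) > 1 else ""

    findings: List[str] = []
    if USER_PROFILE_RE.search(path):
        findings.append("runs from a user profile directory")
    if TEMP_DIR_RE.search(path):
        findings.append("runs from a temp directory")
    if looks_random(parent):
        findings.append(f"random-looking folder name '{parent}'")
    if basename in GENERIC_NAMES:
        findings.append(f"generic security-product name '{basename}'")
    # A missing publisher is only worth noting alongside a location or name finding,
    # since plenty of legitimate entries also lack one.
    if findings and not (row.get("Publisher") or "").strip():
        findings.append("no publisher recorded")
    return findings


def triage(csv_text: str) -> Dict[str, List[str]]:
    """Map each suspicious entry name to its findings; clean entries are omitted."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Entry"]: f for row in reader if (f := triage_entry(row))}


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_CSV).items():
        print(entry)
        for reason in reasons:
            print("   -", reason)
```

        The script only shortlists entries; the decision stays with you, and the post’s advice to rename a doubtful file rather than delete it still applies. If your export is saved as Unicode text, open it with the matching encoding before passing its contents to `triage()`.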

    • #1213933

      A method I have used successfully every time removing a virus or malware from acquaintances’ computers is to remove the infected hard drive and install it in a USB enclosure. I then attach it to my computer which has an up to date anti-virus program (e.g., McAfee, but any good one will do). I then run a full scan on the attached infected drive. Similar to running the infected drive in Safe Mode, but with the malware totally unable to protect itself, the virus scanner is able to remove the malware without interference.

      I have found that it helps to run the scan more than once, because sometimes it finds additional infections the second time around (I’m not sure why). And, of course, you can run several different anti-virus and/or anti-malware programs in case all problems are not detected by the first one.

    • #1213979

      I’ve found the VIPRE Rescue Program at http://live.sunbeltsoftware.com/ to be effective for cleaning heavily infected computers. They update the program regularly with new definitions, so each time you run it, you should download the latest build. They give clear instruction for running in Windows from a USB drive and also from the command line in safe mode. This is what they say at the link:

      The VIPRE Rescue Program is a command-line utility that will scan and clean an infected computer that is so infected that programs cannot be easily run.

      The VIPRE Rescue Program is packaged into a self-extracting executable file (.exe) that prompts the user for an “unpack” or installation location, then starts the scanner and performs a deep scan. The user can start the program either by opening it via windows or from the command line.

      Virus definitions are included, and the program is self-running once executed. The initial scan, and all subsequent scans, include Rootkit Detection. Four command line options are available: perform a deep scan, perform a quick scan, log the events, and disable the rootkit scan.

      Detections are consistent with the full VIPRE, and the VIPRE Rescue Program is designed to disinfect a system so infected that a user cannot install VIPRE.

    • #1213995

      I have not been able to get the Windows Live OneCare scanner to run on my Win 7 64 bit machine. I found a website that indicated that program does not run on 64 bit machines. Any suggestions?

      • #1214270

        I have not been able to get the Windows Live OneCare scanner to run on my Win 7 64 bit machine. I found a website that indicated that program does not run on 64 bit machines. Any suggestions?

        Hi Ron, and welcome to the Lounge!

        See bobprimak’s post here (post 3) for insight on this and an alternative suggestion.

    • #1214068

      For myself, I use Vipre from Sunbelt Software as well as AdAware, and Spybot S & D to clean up infected PCs. I’ve had several friends bring infected laptops over for me to clean and I’ve always been able to get rid of the problems with these programs.

    • #1214129

      Just wanted to add a few steps I’ve been using with GREAT success.
      I don’t remember which exact forum on bleepingcomputer.com I found this but this is the basic method I follow:

      1. As your computer starts up, right after the BIOS screen (the mfr’s screen) but before any Windows screens, start pressing the F8 key. Select ‘Safe Mode with Networking’.
      2. Run RKILL.EXE (see below for where to download).
      3. Start Malware Bytes then update it. It does absolutely no good if you don’t update it.
         (also if MAB has been damaged you may have to uninstall it and then reinstall it)
         Obviously if you don’t have MAB download it, install it and update it!
      4. Run a complete scan.
      5. Do what it says.
      6. I do this whole procedure one more time after a regular reboot to let MBAM do its thing.

      You can find RKILL
      Rkill.exe http://download.blee…inler/rkill.exe
      Rkill.com http://download.blee…inler/rkill.com
      Rkill.scr http://download.blee…inler/rkill.scr
      Rkill.pif http://download.blee…inler/rkill.pif

      Typically after I do the above procedure I “reset” the browser(s) and run through some checks to make sure everything looks okay.
      If Windows looks okay and appears to be clean but acts quirky at all I do a no-format, non-destructive reinstall of XP.
      (an old Information Week article by our esteemed Fred Langa – http://www.informati…_requestid=3713)

      Dan

    • #1214139

      One other thing… I will oftentimes run this particular temp file cleaner: “Temp File Cleaner v 3.0.4” from http://software.addpcs.com/, it’s handy because it will delete all temp files, restore files, e-v-e-r-y-thing. Only complaint I have is that it uses Java. One thing that is especially helpful for sysadmins is that it deletes the temp files for ALL users.

      Sometimes I will run it after RKILL but before MBAM in my above procedure to speed up the scan times (and delete possible infected files ahead of time).
      Don’t make the mistake of Googling for temp file cleaner – that’s a disaster looking for a place to happen!

      Sorry for the extra post.

      Dan
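      The temp sweep that both ATF Cleaner (step 2 of the procedure above) and the all-users Temp File Cleaner here perform deletes blindly. As an added Python example that is not from the thread or from either tool: walk every profile’s Temp folder and report the files that are actually executables, identified by their “MZ” header rather than by extension (my addition, since a dropped file need not carry .exe), so you can see and preserve what would be removed before running the cleaner. The profile layout constants and the constructed sample tree are assumptions.

```python
import tempfile
from pathlib import Path
from typing import Dict, List

# Per-profile temp locations swept by the cleaners in the thread.
# Assumption: XP layout first, Vista-and-later layout second.
TEMP_SUBDIRS = (
    Path("Local Settings") / "Temp",      # Windows XP
    Path("AppData") / "Local" / "Temp",   # Windows Vista and later
)


def is_pe_file(path: Path) -> bool:
    """True if the file begins with the 'MZ' DOS header, whatever its extension."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def sweep_user_temps(profiles_root: Path) -> Dict[str, List[str]]:
    """For every profile under profiles_root, list temp files that are executables."""
    report: Dict[str, List[str]] = {}
    for profile in sorted(p for p in profiles_root.iterdir() if p.is_dir()):
        hits: List[str] = []
        for sub in TEMP_SUBDIRS:
            temp_dir = profile / sub
            if not temp_dir.is_dir():
                continue
            for item in temp_dir.rglob("*"):
                if item.is_file() and is_pe_file(item):
                    hits.append(item.relative_to(profile).as_posix())
        report[profile.name] = sorted(hits)
    return report


def build_constructed_profiles(root: Path) -> None:
    """Constructed sample: two XP-style profiles; one Temp holds an executable renamed to .tmp."""
    alice_temp = root / "alice" / "Local Settings" / "Temp"
    bob_temp = root / "bob" / "Local Settings" / "Temp"
    alice_temp.mkdir(parents=True)
    bob_temp.mkdir(parents=True)
    (alice_temp / "av.tmp").write_bytes(b"MZ" + b"\x00" * 62)   # PE header behind a .tmp name
    (alice_temp / "setup.log").write_bytes(b"plain text log\n")
    (bob_temp / "cache.dat").write_bytes(b"\x00\x01\x02")


def demo() -> Dict[str, List[str]]:
    """Run the sweep against the constructed tree in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_profiles(root)
        return sweep_user_temps(root)


if __name__ == "__main__":
    for user, files in demo().items():
        print(f"{user}: {files or 'no executables in temp'}")
```

      On a real machine, point `sweep_user_temps()` at the profiles root (for XP, C:\Documents and Settings) from an account that can read every profile, which is the same “hide hidden folders” and permissions hurdle the earlier procedure mentions.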

    • #1214245

      All good suggestions. But I am curious about Woody Leonhard’s assertion that “most PC users” have encountered fake popup alerts.

      I use nothing more than Avast and Comodo Firewall, and I NEVER get fake alerts or detectable infections. Is it just me?

      (BTW, Comodo Firewall is now in Version 4, and this version does limited “sandboxing” of unknown applications, among other improvements. )

      (Windows XP Pro, SP3, Firefox 3.6, NoScript, and Limited User Account with Folder Permissions denied for all accounts.)

      (This “Permissions denied” means that my Local Security Policy blocks any user from seeing the contents of, or writing to, the folders of any other user — even the Administrator cannot override this from within Windows. Also known (under Properties>>Sharing Tab) as “Make this Folder Private”, applied to the entire tree for each user and (separately) the Administrator. Windows XP Professional allows this setup, but XP Home may not.)

      Am I just lucky, or am I onto something here?

      -- rc primak
