
 Virus Removal With Microsoft Tools

 

If you can boot/download files on the infected computer, install and update the following three free trial virus removal programs:

 

Kaspersky

 

Superantispyware

 

Malwarebytes

 

If the above fails, boot your PC from CD-ROM; this prevents the virus from being loaded.

Try booting from the operating system disk shipped with your computer. See Boot from CD or DVD. Otherwise, if you have an old Windows XP CD-ROM, create a free UBCD4Win boot disk. It contains a large number of virus-fighting tools. In particular, run AvPersonal and Spybot; their icons can be found on the UBCD4Win taskbar. IMDisk, an alternative to UBCD4Win, permits remote access to an infected computer. Be sure to download all current updates before running, and always perform a full scan. Once these anti-virus tools have uncovered and quarantined your virus, open a DOS window and run:

 

sfc /scannow

 

If errors are encountered, open the file %windir%\Logs\CBS\CBS.log. The error messages contain text similar to this:

 

Package_30_for_KB936330~31bf3856ad364e35~x86~~6.0.1.18000.936330-187_neutral_GDR

 

You can then visit the Microsoft Update Catalog, search for the Knowledge Base number KB936330, and download the update containing the DLL or EXE.
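As an added example (not code from the original page), here is a small parser that pulls the package identity and KB number out of CBS.log error lines like the one above, so you know which KB to search for in the Update Catalog. The sample lines are constructed, and the error markers it keys on are an assumption; adjust them to what your log actually says.

```python
import re

# Constructed sample in the style of CBS.log entries (not a real log). The
# package identity form Package_<n>_for_KB<kb>~<token>~<arch>~<lang>~<version>
# is the one shown above.
SAMPLE_CBS_LOG = """\
2009-06-01 10:12:05, Info CSI 00000013 [SR] Cannot repair member file [l:24{12}]"shell32.dll" of Package_30_for_KB936330~31bf3856ad364e35~x86~~6.0.1.18000.936330-187_neutral_GDR
2009-06-01 10:12:06, Info CSI 00000014 [SR] Repaired file [l:22{11}]"ntdll.dll" of Package_1_for_KB938371~31bf3856ad364e35~x86~~6.0.1.18000.938371-1_neutral_GDR
2009-06-01 10:12:07, Info CSI 00000015 [SR] Cannot repair member file [l:20{10}]"user32.dll" of Package_30_for_KB936330~31bf3856ad364e35~x86~~6.0.1.18000.936330-187_neutral_GDR
2009-06-01 10:12:08, Info CSI 00000016 [SR] Verify complete
"""

PACKAGE_RE = re.compile(
    r"Package_(?P<pkg>\d+)_for_KB(?P<kb>\d+)"
    r"~(?P<token>[0-9a-fA-F]{16})"      # public key token
    r"~(?P<arch>[A-Za-z0-9]+)"          # x86 / amd64
    r"~(?P<lang>[A-Za-z\-]*)"           # empty for language-neutral
    r"~(?P<version>\d+(?:\.\d+){3})"    # four-part package version
)
FILE_RE = re.compile(r'\]"(?P<file>[^"]+)"')
# Assumed markers for lines worth acting on; adjust to what your log says.
ERROR_MARKERS = ("cannot repair", "hash mismatch", "corrupt")


def parse_cbs_errors(text):
    """Return one record per error line that names a package identity."""
    records = []
    for line in text.splitlines():
        if not any(m in line.lower() for m in ERROR_MARKERS):
            continue
        pkg = PACKAGE_RE.search(line)
        if not pkg:
            continue
        rec = pkg.groupdict()
        rec["kb"] = "KB" + rec["kb"]
        f = FILE_RE.search(line)
        rec["file"] = f.group("file") if f else None
        records.append(rec)
    return records


def kb_numbers(records):
    """Unique KB numbers, in first-seen order, to search in the Update Catalog."""
    return list(dict.fromkeys(r["kb"] for r in records))


if __name__ == "__main__":
    recs = parse_cbs_errors(SAMPLE_CBS_LOG)
    for r in recs:
        print(f'{r["file"]:<12} {r["kb"]} {r["arch"]} {r["version"]}')
    print("search the Microsoft Update Catalog for:", ", ".join(kb_numbers(recs)))
```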

 

If the above steps fail, continue on with steps below:

 

Windows PE is free and can be downloaded with the Windows AIK. PE doesn't run all Windows programs; however, it does run a few free products that are likely to uncover your virus: the Microsoft® Windows® Malicious Software Removal Tool, McAfee Avert Stinger, and Defender.

 

 

Sigcheck.exe, a file verification utility, returns different results when run under PE than under the native operating system. SigCheck.exe references files in the directory C:\Windows\System32\catroot2 to discover corrupted files; however, when run under PE it uses PE's catroot directory, resulting in misleading results. Be sure to point the -c command line argument to the matching catroot2 folder.

 

SATA drivers can be loaded once PE boots: execute drvload x:\drivername.inf

 

The Microsoft Windows Malicious Software Removal Tool is packaged in a file resembling windows-kb890830-v3.3.exe. When you boot your infected workstation from your PE CD-ROM, the system drive will point to the CD-ROM drive instead of C:\. This has the undesirable effect of causing windows-kb890830-v3.3.exe to extract to your CD-ROM drive. To prevent this, append the extract option, windows-kb890830-v3.3.exe /x, and extract to your C: drive. The extracted executable is called mrt.exe; run mrt.exe from the command line.

 

If after running these products you still have a virus, see the section "How to remove these infections manually" of this manual's 9-step process.

 

 

Even after removing the virus with the Windows Malicious Software Removal Tool, some registry keys may have been overwritten by the virus; use the steps below to correct them:

 

If the Windows Malicious Software Removal Tool discovers viruses but you still can't run programs and receive messages like "Control Panel rundll32.exe application not found", run the 9th utility (EXE File Association Fix) on this web page: http://www.dougknox.com/xp/file_assoc.htm. It resets the registry keys to allow program execution.

 

If your system logs you off immediately when you try to log on ("Loading your personal settings" followed right away by "Logging off"), follow these steps: http://www.pcreview.co.uk/forums/thread-424416.php

 

Re-register system DLLs

 

Corrupted DLLs and EXEs can be repaired by extracting them from the computer's operating system disk, from service packs, or from a computer running the same operating system. Individual Microsoft files can be downloaded here. Security updates are available as ISO-9660 DVD5 image files from the Microsoft Download Center.

 

Finally, security updates can be downloaded from the Microsoft Update Catalog. The Microsoft Update Catalog provides a searchable catalog of content made available through Windows Update and Microsoft Update, including security updates, drivers and service packs. By searching using the security bulletin number (such as "MS07-036"), you can add all of the applicable updates to your basket (including different languages for an update) and download them to the folder of your choosing. For more information about the Microsoft Update Catalog, see the Microsoft Update Catalog FAQ.

 

Certificate verification

 

Visit Microsoft's Malware Protection Center for a detailed list of viruses and recovery procedures.

 

You may have to perform this procedure multiple times; some malware can re-install itself.

 

Disconnect your computer from the network, or run TCPView and close any suspicious connections. This will prevent the virus from installing more malware as you're fixing it.

 

Download and install Process Explorer, or download the full suite of Microsoft's Sysinternals tools here.

Here's what to look for with Process Explorer. Suspicious processes:
  • Have no icon
  • Have no description or company name
  • Are unsigned Microsoft images
  • Live in the Windows directory
  • Are packed
  • Include strange URLs in their strings
  • Have open TCP/IP endpoints
  • Host suspicious DLLs or services
  • Check for DLLs hosted by rundll32 -> look for purple color
  • Menu->View->Show lower pane->check
  • Menu->View->Lower pane view->DLLs->check
  • Check DLLs hosted by svchost.exe or EXEs running as Windows services
  • Check the drivers loaded by the System process.
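An added example, not part of the original page, that turns the checklist above into a scoring pass over process records of the kind Process Explorer displays (path, company, verified signer, packed flag, strings, TCP endpoints). The records, point weights and threshold are constructed assumptions; the point is that one indicator alone (a TCP endpoint, living under C:\Windows) is weak, while a Microsoft-branded, unsigned, packed image with URLs in its strings stacks up.

```python
import re

# Constructed process records in the shape Process Explorer shows per process;
# nothing here comes from a real system, and all names, paths and addresses are made up.
SAMPLE_PROCESSES = [
    {"name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe",
     "company": "Microsoft Corporation", "description": "Host Process for Windows Services",
     "has_icon": True, "verified_signer": "Microsoft Windows", "packed": False,
     "strings": ["Host Process for Windows Services"], "tcp_endpoints": ["0.0.0.0:135"]},
    {"name": "firefox.exe", "path": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "company": "Mozilla Corporation", "description": "Firefox", "has_icon": True,
     "verified_signer": "Mozilla Corporation", "packed": False,
     "strings": ["Firefox"], "tcp_endpoints": ["192.0.2.10:443"]},
    {"name": "updsvc.exe", "path": r"C:\Windows\updsvc.exe",
     "company": "Microsoft Corporation", "description": "", "has_icon": False,
     "verified_signer": None, "packed": True,
     "strings": ["UPX0", "http://example-bad.invalid/cmd.php"],
     "tcp_endpoints": ["203.0.113.5:8080"]},
]

URL_RE = re.compile(r"https?://|www\.|\.(?:com|net|org|biz|info)\b", re.I)


def score_process(p):
    """Apply the page's Process Explorer checks to one record; return (score, reasons)."""
    in_windows_dir = p["path"].lower().startswith("c:\\windows\\")
    claims_microsoft = "microsoft" in p["company"].lower()
    rules = [  # (condition, assumed weight, reason shown to the analyst)
        (not p["has_icon"], 1, "no icon"),
        (not p["description"] or not p["company"], 1, "no description or company name"),
        (not p["verified_signer"], 1, "unsigned image"),
        (not p["verified_signer"] and claims_microsoft, 2, "claims Microsoft but not verified"),
        (in_windows_dir, 1, "lives in the Windows directory"),
        (p["packed"], 2, "packed image (purple in Process Explorer)"),
        (any(URL_RE.search(s) for s in p["strings"]), 2, "URL-like strings"),
        (bool(p["tcp_endpoints"]), 1, "open TCP/IP endpoints"),
    ]
    hits = [(pts, why) for cond, pts, why in rules if cond]
    return sum(pts for pts, _ in hits), [why for _, why in hits]


def triage(procs, threshold=3):
    """Processes at or above the threshold, most suspicious first, as (name, score, reasons)."""
    scored = [(p["name"], *score_process(p)) for p in procs]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])


if __name__ == "__main__":
    for name, score, reasons in triage(SAMPLE_PROCESSES):
        print(f"{name}: {score} -> {', '.join(reasons)}")
```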

 

Lists of required startup programs (CastleCops, BleepingComputer).

 

If your malware opens popups, drag them onto Process Explorer to determine their host process.

If you're not sure whether a process is malware, select it and use Menu->Process->Search Online.

Menu->Options->Difference highlight duration->set to 9

Menu->Options->Configure highlighting
  • Take note of the color for packed images (usually purple); viruses tend to pack themselves to prevent anti-virus from looking up URLs and the like.
  • Take note of new objects, usually light green. They may indicate a virus starting and stopping as you're working.
  • Orange processes are job processes, and are not useful for debugging viruses.

Menu->Options->Verify signatures->checked

  • Procexp will verify every process and DLL for a valid signature. Check for any marked as a Microsoft product without a valid signature.
  • The verification process requires network access to check whether the certificate has been revoked. If you disabled your network, you will need to reconnect.

Menu->View->Select columns->Verified signer->check

 

 

If the virus displays a popup, you can drag the popup over Process Explorer and it will highlight the owning process.

 

If you see a process that is suspicious, Menu->Process->Search Online

  • Some viruses change their names; when you run Search Online you won't get any data back for them.

 

Malware sometimes hides in DLLs hosted by rundll32. You must check these: the rundll32 process will show up as a Microsoft process and will be digitally signed by Microsoft, but the DLL it's hosting is malware. If you hover your mouse over the rundll32 process, it will display the DLL it's hosting along with the company name and signer. Viruses will not usually have any info for this. If you double click on it and look at the Image tab, it will show as not verified.

 

Services can run in their own process or run under svchost.exe. Those services are hosted as DLLs, not processes. Malware uses svchost to blend in with the other services on the system.

 

Double click on any process and open the Strings tab. You can check the image for suspicious strings. Purple images, which are packed, will not have any identifiable strings on disk; however, if you look all the way at the bottom, there's an "In memory" radio button. Search the strings for http, www and .com to find malware URLs.

 

DLL view is also a feature to help find malware hiding in a DLL. Select a process and press the View DLLs button. Any packed DLLs will show up in purple.

 

The System process in procexp hosts all the system drivers. If you select System and look at the DLL list, it will show you all the loaded drivers. Apply the same checks as above: check that the description field has data and, if it claims to be from Microsoft, check that it's digitally signed.

 

 

What to do with Malware processes

 

Don't terminate them; they will restart. Instead, suspend them. Note that this might cause a system hang for svchost processes. The process or DLL will turn gray.

 

Record the full path to each malicious EXE and DLL.

 

When all the processes are suspended, then kill them.

 

As you're suspending and killing processes, look for any new startup, shown in bright green. Viruses usually install nanny processes to restart themselves.

 

Use Autoruns to clean up any startups. It has a better interface than HijackThis.

Go to Options and check Verify Signatures and Hide Signed Microsoft Entries. After you've turned off all the malware entries, do a refresh to check whether anything has come back. Some malware watches the registry keys and puts itself back. If you can't figure out how it's getting put back, use Procmon to trace which process is restoring it.

 

Run Autoruns after a normal boot, and then after a safe boot. Save the log entries from each. Then use Autoruns to compare the results.

 

You should delete all the malware EXEs and DLLs.

 

 

 

 

 

Rootkits are spyware that hide themselves. They can even infect user-mode processes. They hide files, TCP/IP connections, drivers; anything can be hidden from view of all the utilities you ran above.

 

RootKit forum: www.rootkit.com

 

 

Microsoft advanced debugging tools

 

To remove rootkits, use more than one tool:

 

System virginity tester 

 

GMER

 

Dark Spy anti-rootkit 

 

FSecure Blacklight

 

 

 

After you've run all the above tools, always run sigcheck:

sigcheck -e -u -s c:\

  • Be especially alert about any files in the c:\windows directory
  • Investigate all unsigned images
  • Delete any files you can't verify. It doesn't matter what extension is on the file; viruses sometimes use .bmp or any other extension, but inside the file there's an EXE header and Windows will execute it. So if sigcheck shows you a file with a weird extension, like .txt, it may very well be a virus and should be deleted.
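The last bullet is about an executable hiding under a non-executable extension. As an added example (not the page's or Sysinternals' code), the Python below walks a directory tree and flags files whose contents begin with an MZ/PE header even though their extension is not an image extension; it is a content check to run alongside sigcheck, not a replacement for its signature verification. The sample tree it builds, including the stub PE header, is constructed.

```python
import os
import struct
import tempfile

# Extensions Windows treats as executable images (assumed list); anything else
# that carries a PE header is what the bullet above warns about.
IMAGE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}


def is_pe_image(path):
    """True if the file starts with an MZ stub whose e_lfanew points at a PE signature."""
    try:
        with open(path, "rb") as f:
            dos = f.read(0x40)
            if len(dos) < 0x40 or dos[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def find_disguised_images(root):
    """Paths under root that are PE images but do not carry an image extension."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext not in IMAGE_EXTENSIONS and is_pe_image(path):
                hits.append(path)
    return sorted(hits)


def fake_pe_bytes():
    """Constructed minimal MZ/PE header (not a runnable program) for the demo."""
    hdr = bytearray(b"MZ" + b"\0" * 0x7E)        # 0x80-byte DOS stub
    struct.pack_into("<I", hdr, 0x3C, 0x80)      # e_lfanew -> offset 0x80
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20   # PE signature + empty COFF header


def build_sample_tree():
    """Constructed sample tree: a real text file, a PE hidden as .bmp, and a normal .exe."""
    root = tempfile.mkdtemp(prefix="sigcheck_demo_")
    os.makedirs(os.path.join(root, "Windows"))
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"plain text, nothing to see\n")
    with open(os.path.join(root, "Windows", "wallpaper.bmp"), "wb") as f:
        f.write(fake_pe_bytes())
    with open(os.path.join(root, "Windows", "tool.exe"), "wb") as f:
        f.write(fake_pe_bytes())
    return root
```

Run it with find_disguised_images(build_sample_tree()), or point find_disguised_images at a mounted system drive; only the .bmp in the sample tree is reported.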

 

If you can't delete a file, because it's in use, try renaming it.

If you can't rename it, use Movefile to schedule it for removal on the next boot.

 

ex: movefile malware.exe ""

 

If it still won't clean up, pull the drive and move to another pc to delete.

 

For hard-to-delete registry keys, run regdelnull

 

regdelnull -s hklm\software

 

It searches the registry for embedded nulls, replaces them with an asterisk and lets you delete them.

 

For more info, watch Advanced Malware Cleaning by Mark Russinovich
 
 

 

 

DISCLAIMER: It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. PcCare.com will not be held responsible if changes you make cause a system failure.
