What are the steps to efficiently scan & remove viruses & spyware?


MMAUY
01-28-2008, 06:57 PM
How do you do this and what are the steps?
I am trying to learn as much as I can.

Are there any common viruses/spyware, that most infected computers get?

What do you do when an infection disguised as an antivirus/anti-spyware program keeps popping up and cannot be uninstalled? I've tried Spyware Doctor, CCleaner, HijackThis, AVG and Ad-Aware, but it just does not go away. I'm ready to re-format.

gunslinger
01-28-2008, 07:34 PM
I had this problem a while back with a customer's PC. I tried everything you tried and still got the pop-up at the lower right telling me that the computer was infected and I needed to install their "special software". This is what I did to get rid of it:

First run Spybot S&D in Safe Mode. After that's done:
Be careful here.
Open regedit (Start > Run > regedit, press Enter).
Expand the branches until you are at this location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdservice
Highlight cmdservice, right-click and choose Delete in the context menu.

If you have trouble deleting a key, click once on the key name to highlight it and right-click > Permissions.
Then make sure you are Administrator and give yourself Full Control of that key: place a check next to Allow Full Control (if it's not there already).
You might need to click Advanced and place a check next to [x] Inherit from parent the permissions that apply to child objects.
Click Apply, then OK until you're back at the suspect service key; right-click and delete the key. Close the Registry Editor when done.

Do the same for this key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

This fixed it for me.
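As an added example (not part of gunslinger's post or of any tool named in the thread), here are the same steps in PowerShell. It walks every ControlSet00N key, so the CurrentControlSet and ControlSet001 copies the post deletes by hand are both covered without deleting twice (CurrentControlSet is only a link to one of the numbered sets); it prints the service's ImagePath before each delete so a mistyped name cannot take out a legitimate service; and only if the delete is denied does it grant BUILTIN\Administrators Full Control on the key and retry, which is the Permissions dialog step above. The service name cmdservice comes from the post; the Stop-Service call and the ImagePath pre-check are assumptions added here, and it assumes an elevated session on the patient machine, ideally in Safe Mode as the post does.

```powershell
#Requires -RunAsAdministrator
# Added example, not the original poster's code. Deletes a rogue service's
# registry key from every control set, granting Administrators Full Control
# first when the key refuses to go. "cmdservice" is the service named in the
# thread; the Stop-Service step and the ImagePath pre-check are assumptions.
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
param([string]$ServiceName = 'cmdservice')

function Grant-RegKeyFullControl {
    # Rewrite the key's DACL so BUILTIN\Administrators has Full Control on the
    # key and everything under it (the regedit Permissions > Full Control step).
    # Opening with ChangePermissions succeeds when Administrators owns the key,
    # because an owner always has WRITE_DAC even if the DACL says otherwise.
    param([string]$SubKey)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        $SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::ChangePermissions)
    try {
        $acl  = $key.GetAccessControl()
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            'BUILTIN\Administrators', 'FullControl', 'ContainerInherit', 'None', 'Allow')
        $acl.SetAccessRule($rule)
        $key.SetAccessControl($acl)
    } finally {
        $key.Close()
    }
}

# Make sure nothing is still executing the service binary (a no-op in Safe Mode,
# where non-essential services never started in the first place).
Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue

# CurrentControlSet is a link to one of the ControlSet00N keys, so walking the
# numbered sets covers it (and LastKnownGood) without deleting the same key twice.
$controlSets = Get-ChildItem 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }

foreach ($cs in $controlSets) {
    $subKey = "SYSTEM\$($cs.PSChildName)\Services\$ServiceName"
    $path   = "HKLM:\$subKey"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # Show what the service actually launches before removing it.
    $image = (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).ImagePath
    Write-Host "$path -> ImagePath: $image"
    if (-not $PSCmdlet.ShouldProcess($path, 'Delete service key')) { continue }

    try {
        Remove-Item -LiteralPath $path -Recurse -Force -ErrorAction Stop
    } catch {
        # Typically "Requested registry access is not allowed": fix the DACL and retry.
        Write-Warning "Could not delete $path ($($_.Exception.Message)); granting Full Control and retrying"
        Grant-RegKeyFullControl -SubKey $subKey
        Remove-Item -LiteralPath $path -Recurse -Force -ErrorAction Stop
    }
    Write-Host "Deleted $path"
}
```

Run it as `.\Remove-RogueService.ps1 -ServiceName cmdservice -WhatIf` first to see which control sets hold the key, then without -WhatIf; ConfirmImpact is High, so each delete asks for confirmation unless you pass -Confirm:$false. If the ChangePermissions open itself is denied, the key is owned by someone other than Administrators and you would have to take ownership first (regedit's Advanced > Owner tab, which needs SeTakeOwnershipPrivilege); if a subkey still resists after the parent's DACL is fixed, it carries its own protected DACL and needs the same treatment. A reboot is needed before the service is really gone, because the Service Control Manager keeps its own in-memory copy of the service list.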

nonchalant
01-29-2008, 11:28 AM
For the viruses I'd run Kaspersky. They have a free trial version on their website. For the spyware I'd run Advanced Windows Care and Windows Defender (both free).

If all that fails I'd format and be done with it. Some of this crap is just impossible to remove, and it's getting worse.

Or you could try www.aec.cz (http://www.aec.cz)

Laptop Repair
06-19-2009, 06:22 AM
For viruses, get any of the good antivirus software, and for spyware get Spyware Doctor; the software will do the rest of the work... so enjoy :)

SuperStuff
08-13-2009, 08:32 PM
I use an old version of AVG's Anti-Rootkit to remove a virus like this. They no longer upgrade the Anti-Rootkit software because it is part of the paid versions of AVG. A combination of virus removal tools is needed in one's arsenal to remove them.

greggh
08-14-2009, 03:30 PM
You can get 99% of them by hand with no scanners. Scanners should not be used as a crutch. They should be used at the end to finish the job, scanning for all the random junk that doesn't matter and getting rid of it.

NYJimbo
08-14-2009, 03:41 PM
I use an old version of AVG's Anti-Rootkit to remove a virus like this. They no longer upgrade the Anti-Rootkit software because it is part of the paid versions of AVG. A combination of virus removal tools is needed in one's arsenal to remove them.

You use an outdated and no longer updated anti-rootkit program to remove new rootkits? :confused:

sys-eng
08-14-2009, 11:12 PM
For viruses, get any of the good antivirus software, and for spyware get Spyware Doctor; the software will do the rest of the work... so enjoy :)


Finally!! Now I know how those "techs" advertise that they remove viruses and all sorts of infections for $40 or less. :rolleyes:

Cambridge PC Support
12-31-2009, 06:52 PM
Strip unnecessary startup items with CCleaner
Remove temp files to speed up the scan process
Malwarebytes Anti-Malware
then Spybot S&D
then online Trend HouseCall

Catch
01-02-2010, 08:16 PM
Since I'm trying to differentiate myself from the big box stores, I rarely wipe and reinstall (unless the person has practically nothing on their computer).

My clients usually are having problems because they not only click on the wrong things, they (1) have no antivirus or let it expire or (2) are having problems because they're running too many AV/malware programs. As part of the cleanup process, I usually have to uninstall a few programs.

I make sure that hidden files are viewable, then almost always run CCleaner, Malwarebytes, and HijackThis. (I usually forget to do this, but I've read that it's good to enable all programs in startup/msconfig.)

Then, depending on what it is, I try fixes specific to the problem (googled):

Two good sites for such fixes are Bleeping Computer and MajorGeeks.

For example, I got the following from Bleeping Computer on how to remove Windows Police Pro, and it's worked very well for me:

[unable to post URL!]

Sometimes removal tools, such as ComboFix (which I understand is no longer available), are the only things that do the trick, not to mention fix damage to Windows/connectivity problems. (FYI: ComboFix can be dangerous if you're in a hurry . . . )

I finish with an online scan (usually either Bitdefender or Symantec) in safe mode to be sure I got everything, and then toggle system restore to wipe out old restore points that might harbor bugs.

Then, before I give the computer back, I make sure they have some kind of protection, even if it's only AVG Free.

This probably isn't as efficient a system as the other answers, but I rarely get a call back to fix the same problems.

iisjman07
01-02-2010, 09:45 PM
Phase 1:
I run a quick scan of the system32 directory with Dr.Web to cure any infected drivers (bastard rootkits) (ETA 5-10 mins)
Use tools on the avast! BART CD to:
-Scan for viruses using avast! (ETA XX mins (depends on amount of files, etc.))
-Remove temp files (ETA 1 min)
-Remove infected registry autostarts/drivers/services/etc. (ETA 1 min)

Phase 2:
Next I do manual removal from the host operating system, which involves:
-Suspending/killing/removing infected processes with Process Explorer (ETA 1 min)
-Running a couple of passes of HijackThis on the machine, removing anything bad (ETA 2 mins)

Phase 3:
Now I run a spyware scanner:
-Quick scan with Malwarebytes, or SUPERAntiSpyware if MBAM won't load (ETA 10 mins)

Phase 4:
Restart and make any finishing touches (change IE home page, reset wallpaper, flush system restore, remove registry restrictions, etc) (ETA 5 mins)

I don't always do it in this order; sometimes I skip unnecessary bits.


What do you do when an infection disguised as an antivirus/anti-spyware program keeps popping up and cannot be uninstalled? I've tried Spyware Doctor, CCleaner, HijackThis, AVG and Ad-Aware, but it just does not go away. I'm ready to re-format.

These infections are all based on pretty much the same thing; they're mostly variants. Therefore it is difficult for the antivirus vendors to keep up, so it's a good idea to brush up on manual removal. Good programs to use are Process Explorer (by Sysinternals), Autoruns (by Sysinternals) and HijackThis (by Trend Micro); however, you'll need to learn how to use them effectively.

layoric
01-02-2010, 10:42 PM
I generally remove the offending drive from their system, hook it to my scanning system, then throw many scanners at it. This eliminates MANY problems due to their system, and is much quicker and more efficient.

Layoric

joemessman
01-04-2010, 07:55 PM
If you remove the drive, hook it to another PC and scan, you still have to hook it back to the original PC to remove the remaining malware when booted into Windows. Some malware has to be running to be removed.

iisjman07
01-04-2010, 08:45 PM
If you remove the drive, hook it to another PC and scan, you still have to hook it back to the original PC to remove the remaining malware when booted into Windows. Some malware has to be running to be removed.

True, but usually (if done well) the leftover infections will not actually pose much (if any) threat: things like redundant registry keys pointing to files that don't exist, or services that can no longer start without their files. This is usually fixed with a quick scan of the registry.
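As an added example, not from either of the two posts above, here is a small PowerShell audit in the spirit of Autoruns that covers both the manual-removal advice (Process Explorer, Autoruns, HijackThis) and the orphaned-key remark just made: it reads the common Run/RunOnce keys and every service and driver ImagePath under CurrentControlSet, works out which executable each entry launches, and reports entries whose file no longer exists (the leftover keys after an offline scan) or whose file carries no valid Authenticode signature. The set of autostart locations, the path-parsing rules and the signature check are assumptions made here; the list is not a complete catalogue of the places malware can persist, and it assumes PowerShell 3 or later on the patient machine.

```powershell
# Added example, not code from the thread. An Autoruns-style pass over common
# autostart locations: flags entries pointing at missing files (orphans) and
# entries whose binary has no valid Authenticode signature. The locations and
# parsing rules below are assumptions, not an exhaustive persistence list.

function Resolve-ImageFile {
    # Pull the executable out of a Run value or service ImagePath. Handles quoted
    # paths, %ENV% references, the \SystemRoot\ and \??\ prefixes drivers use, and
    # the bare "system32\drivers\foo.sys" form, which is relative to %SystemRoot%.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $s = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($s.StartsWith('"')) {
        $end = $s.IndexOf('"', 1)
        $exe = if ($end -gt 1) { $s.Substring(1, $end - 1) } else { $s.Trim('"') }
    } else {
        # Unquoted: the image ends at the first .exe/.sys/.dll token; otherwise at
        # the first space ("svchost -k netsvcs" style entries).
        $m = [regex]::Match($s, '^(.+?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { ($s -split '\s+')[0] }
    }
    $exe = $exe -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $env:SystemRoot $exe }
    return $exe
}

function Get-AutostartFindings {
    $locations = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $entries = @(foreach ($loc in $locations) {
        if (-not (Test-Path $loc)) { continue }
        $props = Get-ItemProperty -Path $loc
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
            [pscustomobject]@{ Source = $loc; Name = $p.Name; Command = [string]$p.Value }
        }
    })
    # Services and drivers: every key with an ImagePath, in the live control set.
    $entries += @(Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ip = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
            if ($ip) { [pscustomobject]@{ Source = 'Services'; Name = $_.PSChildName; Command = $ip } }
        })

    foreach ($e in $entries) {
        $file = Resolve-ImageFile $e.Command
        if (-not $file) { continue }
        if (-not (Test-Path -LiteralPath $file)) {
            $status = 'ORPHANED'                    # autostart points at a file that is gone
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $file
            $status = if ($sig.Status -eq 'Valid') { 'signed' } else { "UNSIGNED ($($sig.Status))" }
        }
        [pscustomobject]@{ Status = $status; Source = $e.Source; Name = $e.Name; File = $file }
    }
}

# Everything that is not cleanly signed is the manual review queue.
Get-AutostartFindings | Where-Object { $_.Status -ne 'signed' } | Sort-Object Status | Format-Table -AutoSize
```

Run it on the patient machine rather than against a slaved drive, since HKCU and the resolved paths refer to the live system. Two caveats a practitioner should keep in mind: a service hosted in svchost.exe loads its real code from the Parameters\ServiceDll value, which this pass does not follow, so a signed svchost.exe line can still hide an unsigned DLL; and on the XP-era machines this thread discusses, many legitimate third-party drivers were unsigned, so "UNSIGNED" marks what to look at (path, vendor, file dates, what Process Explorer shows it doing), not what to delete.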

Catch
01-05-2010, 12:13 AM
Layoric: I never thought to slave drives routinely to scan for viruses. I only do that on my worst cases (and learned the hard way that you have to delete any files in quarantine before you remove the drive).

What do you scan with? (Since you said "many" what are the top 5 or so?)

iisjman07: Sounds lean and mean. I'm going to try your way on an infected computer I'm getting tomorrow.

You said: "Good programs to use are Process Explorer (by Sysinternals), Autoruns (by Sysinternals) and HijackThis (by Trend Micro); however, you'll need to learn how to use them effectively."

Autoruns is amazing. Very familiar with HJT. Any tips/websites to help me learn to use Process Explorer effectively? Found this video:

microsoft.com/emea/spotlight/sessionh.aspx?videoid=359

Catch
01-05-2010, 01:14 AM
avast BART is $300.00? Holy <expletive deleted>.

onetech4all
01-13-2010, 07:52 PM
First of all, have a backup of the hard drive.
Secondly, hook it up externally to your tech laptop or desktop if you are at your garage/shop/home, and scan it with 2-3 antiviruses and some spyware/malware removal tool (e.g. Malwarebytes, etc.).
I found in several cases that this last step eradicates about 70% of the "crapware" on the computer, maybe more.

Hook the hard drive back up to the computer it came from and do some more scanning for "crapware" on it.

It's not an easy process; it is time-consuming and expensive.

In really bad cases, forget the whole removal; back up the stuff you need and wipe it clean. Before you put your stuff back on it, install an antivirus first.

lgtechcomputers
01-16-2010, 03:12 AM
I generally remove the offending drive from their system, hook it to my scanning system, then throw many scanners at it. This eliminates MANY problems due to their system, and is much quicker and more efficient.

Layoric

This is a great way to deal with stubborn infections or systems that are very unstable.

I usually boot into Safe Mode and run Malwarebytes Anti-Malware. However, other difficult infections might take several passes.

I cannot post URLs yet, but do a search on Elite Killer and look for John's Malware Guide. I have read it several times and sometimes come back to consult it. I think it is a great resource.

Cambridge PC Support
01-16-2010, 01:29 PM
I generally remove the offending drive from their system, hook it to my scanning system, then throw many scanners at it. This eliminates MANY problems due to their system, and is much quicker and more efficient.

Layoric

Me too, if it's a really slow PC :)

Cambridge PC Support
01-16-2010, 01:31 PM
Phase 1:
I run a quick scan of the system32 directory with Dr.Web to cure any infected drivers (bastard rootkits)

Anyone else use this? Any good?

NickCat11
01-16-2010, 06:27 PM
Anyone else use this? Any good?

Yes, it's a must to have in your toolkit.

trapped
01-17-2010, 02:57 AM
I started out slaving and doing scans, but I found that it took too long and too often they wouldn't find the rootkit. All I do now is boot off a UBCD4WIN CD and remove everything manually. Reboot and then run an MBAM scan. This will fix 95% of the current rogue antivirus viruses in under 30 minutes.

ZenMike
01-17-2010, 03:09 PM
I usually boot into Safe Mode and run Malwarebytes Anti-Malware.

I heard an interview with the Malwarebytes guy a while ago, and he said it's intended to run, and runs best, *not* in Safe Mode. He said it takes advantage of (relies on) some of the same technologies as the malware to do the cleanup.

I understand the concerns; I'm just passing along what he said. I want to say it was on the Mike Tech Podcast, but I'm not 100% sure.

daeemann
02-18-2010, 08:49 AM
I usually don't slave the drive to run the antivirus software. Usually it takes longer. You run the antivirus while the drive is slaved, but so many viruses are left once you boot the computer back up. I've tested it before: you run the exact same antivirus program you ran when you had the hard drive slaved, and all of a sudden it starts finding so many viruses. It makes slaving the drive almost pointless.

The only time I slave the drive is in the worst case scenario, where windows won't even boot up.

Usually I run SUPERAntiSpyware doing a full scan, then Malwarebytes at quick scan, then HijackThis; based on the log file I might use SmitFraudFix or ComboFix. Then I check msconfig and use Autoruns, CCleaner to remove temp files, then disable and re-enable System Restore, then I use CCleaner again to remove unnecessary registry entries, but I keep backing up the registry first.

karatechops4u
02-18-2010, 04:37 PM
The Elite Killer guide is excellent. I've been looking for an in-depth guide just like it. Thanks to wayliff for the suggestion!

sandvtech
02-18-2010, 04:56 PM
Hello to all. I was reading the posts here, trying to learn more about how people were handling removing malware and viruses so I can get better at it, and wanted to add to the discussion.

I usually start by booting to see how bad the computer is. If the desktop is showing, I try to install Malwarebytes and do a manual update. If it installs, I go ahead and install SUPERAntiSpyware and manually update it. If it doesn't install, I run rkill and try again. I check to see if the customer has antivirus on the PC and, if not, I install an extra copy of NOD32 I have. I enable all folders to be seen. I install CCleaner and clean all temp files, run a scan with Malwarebytes and SUPERAntiSpyware, and reboot.

When the PC comes back up, I make sure I have the latest updates on everything and run a scan with Dr.Web. I usually run scans with Malwarebytes and SUPERAntiSpyware until they find no traces of malware. Then I usually run a scan with the HouseCall online scanner. I don't deal much with HJT or Autoruns because I don't know how to use them, but if anybody has any suggestions on how to learn them, it would be nice to learn. I then uninstall my tools and antivirus and install at least a free copy if they don't buy a copy from me, clean the registry using CCleaner, and run a chkdsk. I am now starting to add ThreatFire to my list of installations.

If the desktop does not show, I try rkill, and if that doesn't work, I boot to Safe Mode and try it from there, and just start with Malwarebytes; when the PC reboots I can usually get to my regular starting point.

For those computers that are locked up or too bogged down, I usually remove the drive, hook it to my laptop and run a set of scans, then reinstall the drive, or I use a boot disk; that usually gets me to where I can do what needs to be done.

This has all seemed to work really well for me, but recently I had one PC that was showing clean with everything I scanned it with, and someone looked at an HJT log and said I was still infected.

I'm looking to learn, so if anyone has better ways please let me know.

lgtechcomputers
02-20-2010, 12:19 AM
I heard an interview with the Malwarebytes guy a while ago, and he said it's intended to run, and runs best, *not* in Safe Mode. He said it takes advantage of (relies on) some of the same technologies as the malware to do the cleanup.

I understand the concerns; I'm just passing along what he said. I want to say it was on the Mike Tech Podcast, but I'm not 100% sure.

Thanks for the info! I'll keep it in mind.
I have been successful doing it like that, but maybe I could have done better.

lgtechcomputers
02-20-2010, 12:30 AM
The Elite Killer guide is excellent. I've been looking for an in-depth guide just like it. Thanks to wayliff for the suggestion!

Yes, it is awesome. I come back to refresh from time to time.

kagman
02-20-2010, 12:45 AM
What bothers me is that some techs are only taking a few minutes to find and get rid of viruses, etc. This is a time-consuming process. One must remove the files we think are the problem, but that's only part of the battle. It seems that a majority of us are on the right track: scan, scan and scan. Don't rely on just one program. You need to use several programs that have worked for you in the past. Hey, this can take hours and hours, but in the end it's about doing a job you can be proud of. Then there is the joy of seeing the computer work and giving it back to its user. :)


--Jose--

Housecalls
02-20-2010, 01:35 AM
For the viruses I'd run Kaspersky. They have a free trial version on their website. For the spyware I'd run Advanced Windows Care and Windows Defender (both free).

If all that fails I'd format and be done with it. Some of this crap is just impossible to remove, and it's getting worse.

Or you could try www.aec.cz (http://www.aec.cz)

I'd avoid IObit's Advanced Windows Care at all costs. Use Malwarebytes' Anti-Malware .... it's from them that IObit steals their database anyway.

Then, once MBAM does its work, let SUPERAntiSpyware get its back.

Back in the old days, Spybot & Ad-Aware were the team to deal with. Nowadays, it's MBAM & SAS.

ideal-pc
03-15-2010, 12:48 AM
I use a combination depending on the infection; one of the most common these days seems to be the pesky fake antivirus stuff. If I can get into Safe Mode I use ComboFix & roguekill first, then mop up with a rescue CD such as F-Secure Rescue (yes, it's slow but very good!)

Once the system is up & running again, clean up & delete the renamed infected files & run a scan with Malwarebytes or SUPERAntiSpyware just to be on the safe side. Not had a re-infection yet with this process, well, not through a fault of my own anyway! Customers who don't update antivirus or insist on free ones, oh yeah! :D