Great video I pretty much do the same but I use security taskmgr and unlocker to remove the files and then of course autoruns to remove the auto start entries from the registry.

In your video you forgot a few things, usually AV2009 will create a x:\program files\av2009(or something like that) directory that should be removed. And I would put more weight into running a quick virus scan(like malwarebytes) after manual removal to get rid of any nasty registry entries or orphaned virus files that would be almost impossible to clear with any reasonable amount of time. The last thing you want to customers calling you back saying their antivirus is still popping up with virus found messages, even though there isn’t any active viruses the scanner will still flag a virus even if its not completely all their.

New Jersey Computer Repair, Your right. It usually does leave something in Program Files. When I got this from my client it did. For this example, I located it on the desktop so I could easily infect it and kept it for example use. But your right, any other time Id need to go into Program Files.

I enjoyed the podcast. I’m glad to see someone else get rid of a virus every now and again. Thanks!

The first couple times I dealt with this infection I would use process explorer to suspend the process because it would keep popping up again…I didn’t realize that there were scheduled tasks setup to relaunch the virus. After I suspended it I would then use unlocker to delete files on reboot

The “keyfinder” is reported as a virus – but it is NOT a virus.

Nice podcast. You explained it really well. This will definitely save time when removing small viruses as you do not have to install an antivirus.

Thanks for the podcast! I was trying to explain a friend how to do exactly that, but doing this over skype, not being able to actually point her in the right direction proved to be HARD. Hopefully she’ll manage now, with your help!

Bryce,

Very nice video. I tend to follow about the exact same steps. I just wanted to leave a comment for anyone fighting any of the various Scareware apps such as Antivirus 2009, Spyguard 2008, MS Antispyware 2009, or Antivirus 360. All of the programs stem from the trojan Virtumonde which is a rootkit.

My wifes laptop was recently (friday) infected with MS Antispyware 2009. After doing just about exactly what Bryce did, I still some funny activity such as Malwarebytes not running and firefox randomly closing. I ran ComboFix which detected the dll files from the rootkit. ComboFix at this point wants to reboot in order to delete the malicious DLL’s.

After a reboot and ComboFix trashing the DLL’s I was able to run Malwarebytes and finishing cleaning the laptop.

I hope this helps someone in the future.

Bryce, I have just found this site and I have to say, it is refreshing to find someone on the same knowledge level. I would enjoy chatting with you further if you could e-mail me sometime. caleyDOTw AT gmail DOT COM

Great work on the video and the website, I have learned from areas on this site and in return wish to share some knowledge of mine in this area. You are missing a lot of info on techniques that modern malware might incorporate; perhaps too much to include in the video. I just wanted to point out a few things if you and your readers will bend your ear.

Wow, I’ve not known anyone but myself to check the file modified dates in \windows and system32. But two things: 1. Also check system32\drivers, you can flush out some malware that installs itself as a driver here a lot easier than peering into the registry or via a 3rd party util. 2. Some malware, while having a file with the most recent date, will create copies of itself with random date/time stamps or those matching other windows core files. It can be time consuming but you can cross reference each malware file you find via the time/date stamp method by then sorting by size and checking file size down to the byte.

Also, many times malware can modify a core windows file (e.g. userinit.exe) or replace it entirely with it’s own code. SFC may be of some help, other times you’ll find yourself comparing file versions (I’ve never seen malware spoof company info in the file though I would expect to anyday.

Of course the previously mentioned program files is a given.

But then there’s the registry. Even autoruns.exe won’t find the Windows value in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems which can sometimes contain some malware spoof like basesrv64.dll or some other such nonsense, many times putting a 32 or 64 on the end of an otherwise legitimate file name as seen in other areas.

Additionally there is one easy way to constantly reinfect. The default value of HKCR\exefile\shell\open\command is “%1″ %* normally, (%1 runs the file, %* passes any parameters you pass to the exe) can be replace by say “%1″ “C:\windows\system32\killer.exe” %* or anything like that. This way, each time you (or windows) starts a new EXE, the killer app is launched. This can also happen with .COM, .CMD, .BAT, and .REG files for importing which normally contain regedit.exe %1 as a value… among other keys. You can prepare a registry file to merge containing default entries for these keys, but again if either the exefile or regfile key is infected you are SOL unless you load the registry from another machine, a linux boot cd, or winpe based boot cd (which is how I prefer to work if time allows, so that I don’t have anything hidden from normal tools via rootkit.) Also worthy of note is that reglite from resplendence has an amazing ability to see things rootkits and other restricted keys unlike any other 3rd party registry editor. Regdelnull is a good util to use in a batch file and……

Well there’s just so much to cover with the registry….

Bryce… are you 100% sure you don’t have to restart the computer after turning off system restore in order for the computer to delete the past “snapshots” of the computer? that’s what I do, turn system restore off, then reboot, then after the reboot turn it back on.

And great video podcast!! enjoy your site very much!