Infection Removal and Prevention Guide

Discussion in 'Computer Tutorials & FAQs' started by Rydian, Jun 25, 2011.

    Rydian Resident Furvert™

    Infection Removal Guide

    This guide will cover basic infection removal.
    • If you have an infection you'd like to remove...
      • Please follow the Setup and then Removal posts.
        If that doesn't fix it, look at Advanced Removal.

    • If you want to learn how to stop future infections...
      • Check out the Infection Prevention Guide lower in this post.

    1. Intro/T.O.C.
    2. Setup
    3. Removal
    4. Advanced Removal


    Setup

    Removal

    Advanced Removal

    Infection Prevention Guide

    This guide will show you how to prevent infections in the first place.



    1. Intro/T.O.C.
    2. Program List
    3. Future Prevention
    4. F.A.Q.

    Program List

    Future Prevention

    F.A.Q.
    Last edited by Rydian, Feb 9, 2013



    Hakoda New Member

    Nice update to the previous guide. Very simplistic and should help a lot more users.

    I personally wouldn't have thought Microsoft's Malicious Software Removal Tool was actually any good. Nevertheless, I've never actually tried it.

    I also find it hard to believe that others thought the previous guide was complicated to follow. I found it simple and direct in any case.

    Thanks Rydian. Bookmarked.

    Berthenk Epitome of Awesomeness

    Last rkill link is dead.

    Rydian Resident Furvert™

    Hakoda: The issue was people would see the sheer size of it and get scared off before they even tried it (or worse, lie and say they did it when they didn't).

    Berthenk: Thanks, replaced that one and added two of the renamed ones they recently did.

    Sora de Eclaune The Famicom-Eyed Beast of the West

    This is a real interesting guide here. My friends will need this.


    Off topic, but the title of this topic reminds me of this Not Always Right post....

    tlyee61 le dancing Tyranitar~

    HELP!! I downloaded Format Factory and it gave me a virus! Now my homepage redirects to the Ask.com search engine. I tried all of the steps except for 5 and am going to try it soon. It isn't fixed yet!!

    Rydian Resident Furvert™

    That's not a virus, it's just some crapware. Check the addons for your browser and remove any Ask ones.

    And pay attention to installers in the future.
    http://www.youtube.com/watch?v=tBMuxGZQb5M

    Nimbus sudo /usr/bin make-me-a-coffee --nosugar --cream=1

    I wondered about this.

    Granted I am a Linux user, and haven't run into any Viruses since I started using it ages ago, but I had an idea pertaining to Windows users. Sort of an if-all-else-fails solution.

    Should a section be added pertaining to the use of live anti-virus/spyware/malware CDs? I think it would be a great addition to this guide. I use these sorts of things all the time when family and some of my friends have viruses that just won't die, and more often than not a live CD does the trick.

    Granted, they rarely are able to do anything other than Delete or Ignore an infected object, but some can attempt to heal them. They often run on top of a Linux environment, meaning the virus can't do much of anything to avoid detection and whatnot.

    It's really up to whoever maintains this thread. I personally don't have the time to write up a guide on using live CDs for this purpose, but I really believe it would be a good addition.

    Rydian Resident Furvert™

    The previous guide had info on that, but that has multiple drawbacks, and checking how Avast's boot-time scan works now, it's better. If a machine is infected to the point that it will no longer boot, then different measures are better.

    Infinite Zero Almost!

    It fixed the laptop!!!! yayy

    Arch Feline New Member

    I followed the steps up to running Malwarebytes. 2 Registry Keys for Microsoft Active Update are marked as infected and a file for RECYCLER. I am concerned about what happens to Microsoft Active Update if I remove the keys and I am thinking that I could enter the correct string if someone could tell me what it is. Does RECYCLER have anything to do with the Recycle Bin? Is RECYCLER anything that I need?

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612} (Trojan.Agent) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612} (Trojan.Agent) -> No action taken.

    c:\RECYCLER\s-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Trojan.Agent) -> No action taken.


    I went to the Microsoft page http://msdn.microsof...y/ms815104.aspx which I quote below. It looks as though I just delete those entries in the registry, do the below, and Active Setup can take off from there. Is this right? But what is the content zone?



    Active Setup

    User Configuration\Administrative Templates\Windows Components\Internet Explorer\Administrator Approved Controls\Internet Explorer
    Description

    Designates the Active Setup ActiveX control as administrator approved.
    This control enables a form of setup in which a small number of files are initially downloaded from the Web to start the Setup process. Active Setup is designed to recover the setup process if a connection is interrupted.
    If you enable this policy, this control can be run in security zones in which you specify that administrator-approved controls can be run.
    If you disable this policy or do not configure it, this control will not be designated as administrator approved.
    To specify how administrator-approved controls are handled for each security zone, carry out the following steps:
    1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and then click Security.
    2. Double-click Security Zones and Content Ratings, click Import the Current Security Zones Settings, and then click Modify Settings.
    3. Select the content zone in which you want to manage ActiveX controls, and then click Custom Level.
    4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved.

    Rydian Resident Furvert™

    Sorry about the delay, have been busy IRL.

    It looks like Active Setup was only used for IE 4-6, so if it exists on more modern machines then it looks like it was an attempt by older infections to get in. In any case, it can be removed by Malwarebytes; you shouldn't need to do anything else.

    Recycler is a hidden folder that contains the contents of the recycle bin. It looks like something that tried to hitch a ride on a flash drive was removed, so feel free to clear it out. But then turn on the viewing of hidden and system files in Windows and look at any flash drives you have to see if there are any .INI files in the root (especially autorun.ini) that you weren't previously aware of. If there are, tell us.
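An added example for the flash-drive check above; this is not code from the thread, and the sample file is constructed. The file Windows actually honours in a drive root is autorun.inf, an INI-style file whose [autorun] section can launch a program through open=, shellexecute= or shell\<verb>\command= directives. USB worms of that era hid the payload in a RECYCLER folder on the stick and dressed the entry up with the standard folder icon and the text "Open folder to view files", so the AutoPlay prompt looked like the normal one. The parser below pulls the directives out of a copy of the file and reports which ones would run something and which ones are there to mislead the user. Since Windows 7, and since the 2011 update for earlier versions, AutoRun no longer fires for USB drives, so on a patched machine the file is evidence that the drive has been touched by an infection rather than a live trigger.

```python
# Constructed autorun.inf of the sort a USB worm drops in a drive root (example data).
SAMPLE_AUTORUN = r"""
[AutoRun]
; worms pad the file with junk lines and odd casing to trip up naive signature matching
open=RECYCLER\S-1-5-21-1234567890-1234567890-1234567890-1000\setup.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\Command=RECYCLER\S-1-5-21-1234567890-1234567890-1234567890-1000\setup.exe
shell\explore\Command=RECYCLER\S-1-5-21-1234567890-1234567890-1234567890-1000\setup.exe
shell=open
"""

# Extensions Windows will execute directly when named in a launch directive.
EXEC_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
             ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")


def parse_autorun(text):
    """Return {directive: value} from the [autorun] section (keys lower-cased).

    Hand-rolled rather than configparser because real samples contain junk
    lines, duplicate keys and odd casing that the strict parser rejects while
    Windows itself shrugs them off.
    """
    directives = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    return directives


def is_launch_directive(key):
    """open=, shellexecute= and shell\\<verb>\\command= all cause code to run."""
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command"))


def audit_autorun(text):
    """Return (directive, note) pairs for everything that would run code or mislead the user."""
    d = parse_autorun(text)
    findings = []
    for key, value in d.items():
        if not is_launch_directive(key):
            continue
        target = value.split()[0].strip('"') if value else ""
        note = "launches " + value
        if target.lower().endswith(EXEC_EXTS):
            note += " [executable]"
        if "recycler" in target.lower() or "$recycle.bin" in target.lower():
            note += " [payload hidden in a recycle-bin folder]"
        findings.append((key, note))
    action = d.get("action", "")
    if "folder" in action.lower():
        findings.append(("action", f"mimics the built-in 'Open folder to view files' prompt: {action!r}"))
    icon = d.get("icon", "")
    if "shell32.dll" in icon.lower():
        findings.append(("icon", f"borrows a system icon so the entry looks like a normal drive: {icon}"))
    return findings


if __name__ == "__main__":
    for key, note in audit_autorun(SAMPLE_AUTORUN):
        print(f"{key:<22} {note}")
```

Run it against a copy of the file taken from the stick (with hidden and system files shown, as the post says); a clean autorun.inf from a vendor-shipped drive normally carries only icon= and label= and produces no launch findings.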

    Bortz No film in this camera (Global Moderator)

    I have a MacBook Pro. I usually don't have any problems, but I was just wondering if you had tips or advice for us?

    impizkit Lazy Lurker

    Apple doesn't have infection problems, yet.

    Rydian Resident Furvert™

    Actually, Apple's had infection problems for a while. They just don't want you to know about it. Hell, there was even a trojan in a torrent for iWork 09, so they've had viruses and such going around for a while now. You know those fake AV programs Windows is so famous for getting? Macs have them too now. Ever seen the Pwn2Own hacking contest that's part of CanSecWest? Well, in 2008 the Mac was hacked in 2 minutes.

    The people who don't do anything because they believe there's nothing for macs are often the people walking around as part of a botnet.

    Keep your OS updated, keep your browsers updated, keep your browser plugins (flash and java especially) updated, keep media things like quicktime updated, and use an AV/protection program that has an active guard (not a one-scan type system).

    EDIT: Typo.

    Bortz No film in this camera (Global Moderator)

    Thanks Rayd. I actually have a pretty powerful low-profile anti-virus program installed by my college. I must say, it's nice even if it is a bit overboard.

    sprogurt New Member

    A few more things to add, even before rkill if you can:
    1. Run CCleaner (http://www.piriform.com/ccleaner); many times I've had to run scans which removed quite a few viruses from temporary files.
    2. Keep Java updated (unless you need it on a certain version for a certain reason).
    3. Scan with multiple anti-viruses (not at the same time, obviously). (http://www.av-comparatives.org/ is always a good place to check how various anti-viruses perform.)
    Personal favorites of mine have to be:
    I'd strongly recommend against AVG, McAfee and Norton products and would uninstall them using their uninstallers, which can be found:

    Hatchetball New Member

    Combofix should be noted far before any of these other programs :/
    It does the job of all of them better, faster, more brutally, and more easily. It literally does everything for you.
    All you have to do is save it to the desktop, boot in safe mode, and run Combofix.exe.
    (You might have to click Yes 2-3 times... but really, if anything is wrong with your computer, there won't be when it's finished.)
    Plus, when it is done you will know, as it displays a very detailed txt file with every single thing it just did. Deletions, findings, registry errors, everything.
    No need to run your AV at all. (Massive time saver.)
    I've been using it for a while now to fix computers and it has not failed me one time - and has saved me thousands of hours as a computer tech.

    Norton, AVG, Avira, Avast, Kaspersky, F-Secure, Bitdefender, and McAfee are horrible. Even Panda Cloud is better than all of them combined. Comodo should be the only recommendation on here :/
    Rkill barely works.
    Deleting Hosts is beyond not-needed and should not even be considered during troubleshooting.

    Hijack This

    Rydian Resident Furvert™

    2008 called, they want their malware-removal instructions back.

    You have no idea what combofix actually does, do you? It only does a few certain things, and while it does those few things well it's outdated and looks to be replaced with RogueKiller in the future since it fixes a few more things (checking it out a bit myself now before putting it in any guides).

    Assuming that your exe associations aren't removed (which I see almost daily now) and that you don't have an infection actually running that's aware of combofix and will refuse to let it start (again, quite common), and tons of other things. Modern malware strains specifically target removal tools and set themselves as resident and refuse to let new things run (outside of critical system tools), which is why multiple things are needed.

    Combofix is not considered an infection remover anymore (mainly due to being outdated). It's specifically used AFTER removal, in order to correct settings and such that malware changes.

    Since combofix has stopped getting updated, however, it no longer accurately targets the bulk of what's done by new infections (thus all the instructions here on fixing things yourself). In its place Malwarebytes has done a reasonable job of resetting things, but it looks like RogueKiller is going to be the new combofix.

    As does any AV or malware-removing program worth its salt...

    Assuming the problem IS malware and not a virus. Yes most problems people have nowadays are not due to viruses (rather malware that people mistake for viruses), but viruses are still an issue, and an AV is also often a preventative measure. In addition, AVs are often silently disabled by malware, so they should be run afterwards to get anything they may have missed during the period they were disabled.

    I've been doing this shit for years, and while in the past combofix was great, it barely does anything against NEW malware, because it intends to fix changes that aren't the issue now, and does nothing for new changes (because they weren't an issue back then).

    If you're judging how well an anti-virus removes malware, yeah. Just like antibiotics won't kill the common cold. Malware removal is a tricky business due to how quickly it changes (I've seen entirely new tactics pop up and become the norm in a span of two months), which is why the tools used to remove it change and evolve... and using outdated tools isn't very good unless you're dealing with older malware (which is still rather common, don't get me wrong).

    That depends on what you think it actually does (as you've shown you're not really familiar with what tools actually do what). It has a single specific purpose, and it does it well.

    Just last week I ran across a computer with a HOSTS file that had been modified for malicious purposes. It used to be way more common and use of it for redirection IS fading out, but it's still there. It is not a required file, and things that use it will recreate it afterwards if needed. If a person literally requires the file, then they'd know.

    Mainly as a diagnostic step. Relying on it for the actual removal isn't wise... however it's a good all-around cleanup tool.

    Dude honestly, it's like you're going into a discussion about future space fuels saying things like "Hey guys you should really look into this 'gasoline' stuff!"

    It WAS in the OLD guide, but it's dead now.
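The HOSTS-file point in the post above is easy to check for yourself. What follows is an added example, not code from the thread or from any of the tools it names. It parses a hosts file the way the resolver does (text after # is a comment, the first field is an IP address, every further field is a hostname) and flags the two patterns malware uses: redirecting a well-known name to a non-local address, and blackholing security-vendor or update domains at 127.0.0.1 or 0.0.0.0 so the victim cannot fetch a remover. The sample file is constructed, and the list of protected domains is an assumption to tune for your own environment. On Windows the live file is C:\Windows\System32\drivers\etc\hosts, and a stock Windows 7 copy contains only comment lines.

```python
import ipaddress

# Constructed sample of a tampered Windows HOSTS file (example data, not from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1       localhost
198.51.100.23   www.google.com        # search hijack: real site replaced by attacker's server
198.51.100.23   update.microsoft.com windowsupdate.microsoft.com
127.0.0.1       www.malwarebytes.org  # blackholed so the victim cannot download the remover
127.0.0.1       avast.com
0.0.0.0         ad.doubleclick.net    # blackholed ad host: common in legitimate hosts-based ad blocking
this is not a valid line
"""

# Domains whose blackholing is a strong infection signal. Assumed list; extend for your environment.
PROTECTED_DOMAINS = (
    "microsoft.com", "windowsupdate.com", "malwarebytes.org", "avast.com",
    "avira.com", "kaspersky.com", "symantec.com", "mcafee.com", "bleepingcomputer.com",
)
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for each active mapping.

    Mirrors the resolver: text after '#' is a comment, the first field must be an
    IP address, every following field is a hostname. Lines that do not parse are
    skipped, exactly as the resolver skips them.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield lineno, ip, name.lower()


def is_protected(name):
    """True if name is one of the protected domains or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in PROTECTED_DOMAINS)


def audit_hosts(text):
    """Return a list of findings; an empty list means nothing beyond localhost is mapped."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES and (ip.is_loopback or ip.is_unspecified):
            continue  # the only mappings a stock hosts file legitimately carries
        if ip.is_loopback or ip.is_unspecified:
            kind = "blackhole"  # the name can no longer be reached at all
            severity = "high" if is_protected(name) else "info"
        else:
            kind = "redirect"   # the name silently resolves to someone else's server
            severity = "high"
        findings.append({"line": lineno, "host": name, "ip": str(ip),
                         "kind": kind, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>2} {f['severity']:<4} {f['kind']:<9} {f['host']} -> {f['ip']}")
```

Redirects are always reported as high: there is no legitimate reason for a user's machine to send google.com or a Microsoft update host to some other address. Blackholes are only high when they hit a protected domain, because hosts-based ad blocking uses exactly the same mechanism on purpose.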

    Hatchetball New Member

    They update it all the time o.o
    Either way, you're hilarious and I enjoyed your brutality. +1 Rydian :D
