Flying Penguin's DIY Spyware Removal

Discussions of applications and operating systems and any problems, tips or suggestions. Win XP, 9x/2k, Linux, NT, photo editing, Virus/Spyware help
EvilHorace
Life Member
Posts: 6611
Joined: Wed Nov 22, 2000 7:14 am
Location: Greenfield, WI

Post by EvilHorace »

I'm having problems on my now oldest laptop again. It had one of those rogue fake anti-virus things on it a couple months ago but yesterday another bad one showed up.
I couldn't do much of anything but did get it to do a system restore which then stopped its nasty behavior (and got rid of the icon in the systray) yet I know the PC's not yet 100% clean.
I was unable to run Malwarebytes which in itself tells me there's a problem so to do that (according to their website info), I renamed the exe file to winlogon which fools the rogue BS and then allows it to scan. It says to do a quickscan which found several things but the BS stuff was still fighting, not allowing a reboot on its own and wanting to change startup files (many) so I manually shut it off to reboot. Malwarebytes still wouldn't start w/o renaming so I'm now doing a full scan. This is the latest free version btw, worth buying the full version, better?

So, doing a search on how to remove the rogue "antivir solution pro" program (which was somehow installed, or at least had an icon in the systray, never let it activate however), besides Malwarebytes, there are other free programs that claim to get rid of this nasty bugger.

Should I try ComboFix next or do the whole procedure listed at FP's spyware removal page? (looks rather time consuming but if that's what I have to do......)
FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

Detections are no better with the paid version, so no there's no reason to buy it. All the paid version does is add on-demand malware protection (background scanning), but at the cost of a hefty performance hit.

Actually from what you are describing I would HIGHLY recommend running ComboFix. It's the only thing that can take out some of the newer organized crime rootkits.

Download it here: http://www.bleepingcomputer.com/downloa ... s/combofix

If possible, try to run it from "Safe Mode with Networking" (networking is required because Combofix will need to download a few things from the Internet). If you can't get into Safe Mode then run it from regular mode, but either way you need Internet access.

If Combofix won't run (as soon as you run it, it should immediately beep and a gray window should pop up with some info about making sure you downloaded ComboFix from a safe location) then rename it ComboFixTEMP.exe or ComboFix.com and try it again.

Allow it to update if necessary and allow it to install the Microsoft plugin it will require. Once it starts doing its scan, walk away. This could easily take an hour on an older PC.

If it "detects rootkit activity" and requires a reboot before starting the scan I would highly recommend you run ComboFix a 2nd time after it finishes and make sure that the 2nd time ComboFix does not give you the same warning. There's a new rootkit out that just puts itself back after ComboFix finishes. I ran into that one the other day and there's just no way of removing it right now.

After ComboFix does its thing, run MalwareBytes just to clean up the crap left over. I would do the Full scan to make sure you get any malware installers that might be left behind.

If ComboFix doesn't clean it out then don't waste any more time. Backup your data, DBAN the drive to make sure there's no boot sector trojan (single pass is sufficient), and do a fresh install of the OS.

Hope this helps...
---
“The Government of Spain will not applaud those who set the world on fire just because they show up with a bucket.” - Prime Minister of Spain, Pedro Sánchez

EvilHorace
Life Member
Posts: 6611
Joined: Wed Nov 22, 2000 7:14 am
Location: Greenfield, WI

Post by EvilHorace »

Combofix ran all night yet nothing happened after it installed some MS add-on. I then shut it down, seeing all sorts of bogus program names (pop-ups) wanting to run at startup and they never stop popping up either until you kill the machine. I'm trying Malwarebytes again in safe mode (does at least do that) but it's not looking good. When it does boot into XP normally, it's painfully slow in getting there. Maybe a repair install? I hate the idea of completely redoing it (fresh install).
FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

Lost cause if Combofix can't fix it. A repair install won't help since it will keep all your registry settings, including the hooks to the rootkit.

You could try running Trojan Remover and Hitman Pro which both have some rootkit detection abilities. They will also fix DNS spoofing and TCP/IP stack interception which is likely also going on and may be preventing Combofix from working.

My gut feeling, though, is that it's a lost cause.

If you do ultimately perform a fresh install, do yourself a BIG favor and image the drive using Acronis, Drive Snapshot, etc. If something like this happens again, you can restore the image instead of performing a full install.
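One concrete way to check for the DNS spoofing / redirect symptom FlyingPenguin mentions here (and that EvilHorace later reports when searches for combofix and Malwarebytes bounced to unrelated sites): an added Python script, not from this thread or from any of the tools named in it, that parses the Windows hosts file for entries that sinkhole or redirect security-vendor hostnames. The vendor domain list and the sample hosts file are constructed assumptions for the demo.

```python
import ipaddress
import os

# Security-vendor sites the rogue AV kept the PC away from in this thread.
# Assumed list for the demo; extend it with the vendors you care about.
WATCH_DOMAINS = ("malwarebytes.org", "bleepingcomputer.com", "superantispyware.com")

# Location of the hosts file on Windows XP and later.
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample: line 3 redirects Malwarebytes to an attacker-chosen
# address (192.0.2.10 is a documentation range), line 4 sinkholes Bleeping Computer.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.   (constructed sample file)
127.0.0.1       localhost
192.0.2.10      www.malwarebytes.org malwarebytes.org
127.0.0.1       www.bleepingcomputer.com
"""


def _entry_kind(addr):
    """'block' for a loopback/unspecified sinkhole, 'redirect' for anything else."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "redirect"
    return "block" if ip.is_loopback or ip.is_unspecified else "redirect"


def find_hijacks(hosts_text, watch_domains=WATCH_DOMAINS):
    """Return (hostname, address, kind, line_no) for every hosts entry naming a
    watched vendor domain or one of its subdomains. A clean hosts file never
    mentions these sites, so any match is worth a look."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip comments, tokenize
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        for name in names:
            host = name.lower().rstrip(".")
            if any(host == d or host.endswith("." + d) for d in watch_domains):
                hits.append((host, addr, _entry_kind(addr), line_no))
    return hits


def check_system_hosts(path=HOSTS_PATH):
    """Scan the live hosts file; returns [] when it is absent (e.g. on Linux)."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as f:
        return find_hijacks(f.read())


if __name__ == "__main__":
    for host, addr, kind, line_no in find_hijacks(SAMPLE_HOSTS) + check_system_hosts():
        print(f"line {line_no}: {host} -> {addr} ({kind})")
```

A clean hosts file does not rule the redirect out: the same effect can come from altered DNS server settings or a Winsock LSP hook, which is the "TCP/IP stack interception" FlyingPenguin refers to.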
EvilHorace
Life Member
Posts: 6611
Joined: Wed Nov 22, 2000 7:14 am
Location: Greenfield, WI

Post by EvilHorace »

I've run the programs above, each finds and removes stuff but Windows desktop programs including network drivers load painfully slow and I get a couple RUNDLL errors. This morning I thought I was close, everything loaded up, went online, no probs going anywhere but then I ran Superantispyware, found and removed more stuff and now it just seems to hang loading the programs that run in the tray, including network drivers.
It does load safemode with networking so I can easily copy the files I want to keep but I just hate the thought of redoing the OS once I find that PC's system disc (haven't seen it in ages but it's here somewhere.)
normalicy
Posts: 9514
Joined: Sat Nov 25, 2000 4:04 am
Location: St. Louis, MO USA

Post by normalicy »

I've found that running Combofix at the end of it all can do wonders. It's like Malwarebytes gets rid of some stuff that stops it from working properly.
EvilHorace
Life Member
Posts: 6611
Joined: Wed Nov 22, 2000 7:14 am
Location: Greenfield, WI

Post by EvilHorace »

Finally was able to run Combofix last night and it finished in a reasonable amount of time too, giving me a page of results. I wanted to print it but the printer's now offline (not loaded) on that machine. Before that, tried iTunes and had no sound.
So, today it's not loading network drivers and I'm running Malwarebytes (full scan) again.

After it rebooted earlier, no RUNDLL errors so maybe there's hope? One of those programs listed above (with a 30 day free trial) does a quick scan when the PC boots and for the first time didn't report any trojans (was finding some every time before) so that's looking better.

Initially, that PC wouldn't even browse to a site that said "combofix" via google w/o redirecting to other sites totally not related so whoever created that sneaky s*** seemingly thought of that too. Same with Malwarebytes.

Update: ran Malwarebytes this morning, found NOTHING for the first time yet it's now booting up painfully slow.
normalicy
Posts: 9514
Joined: Sat Nov 25, 2000 4:04 am
Location: St. Louis, MO USA

Post by normalicy »

Sneaky doesn't even describe it. They know exactly what you're gonna do to get rid of their stuff & then they update it.

If it's that bad off, you may as well ditch the install though. Or at least start preparing to. I don't know I'd be able to trust it to ever be completely clean at this point.
FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida
Contact:

Post by FlyingPenguin »

Evil, make sure the painful slowness isn't due to some other issue. Check the System Event log.

You may have some weak or bad sectors on the hard drive. Try Spinrite level 2 if you own it or let windows do a sector scan.

It is really sounding like you should do a clean install. There's no way of ever being sure if you've totally removed whatever rootkit was in there.
EvilHorace
Life Member
Posts: 6611
Joined: Wed Nov 22, 2000 7:14 am
Location: Greenfield, WI

Post by EvilHorace »

I checked the device manager and there are many yellow !'s in front of network adaptors and sound too (the thing no longer goes online, not in safe mode with networking either) so apparently the process of removing all that damaged those drivers.
Short of not networking or sound, the PC behaves normally. Any hope or clean install time?

One of those programs I used (maybe Combofix) created a recovery console option when booting and apparently it's used to repair. I get a C:\Windows prompt (like a DOS prompt) but I don't know how to use it or IF that might help. Any ideas, experience?
FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

You can try re-installing your drivers, but you'll just never be sure if the PC is totally clean. I wouldn't do any online banking on it.
EvilHorace
Life Member
Posts: 6611
Joined: Wed Nov 22, 2000 7:14 am
Location: Greenfield, WI

Post by EvilHorace »

The network driver issues after virus removal are apparently common:

http://www.google.com/search?q=after+vi ... en___US323

But as for not ever being sure the PC's clean, you're then saying that after all this that if ever infected, basically it's never going to be right w/o doing an OS re-install job.

I'm sure the machine would simply run better, like new once I did (or do) all that but the only times I've ever needed to re-install an OS was after changing hardware (like a motherboard) and it didn't go well, requiring an OS re-install (been many years now). It then seems like these days, once you get something, you're screwed keeping the OS as-is (trying to fix it).
GuardianAsher
Golden Member
Posts: 1102
Joined: Mon Aug 01, 2005 12:30 am
Location: Lubbock, TX

Post by GuardianAsher »

I've been told it's overkill (and I admit it probably is).

Personally, I do a fresh Windows install about every six months or so. OS degradation is a real problem for me. I experiment with a lot of software, and I install/uninstall a lot of games on a regular basis. After about six months or so, my computer begins to noticeably slow down, so I just wipe and restore a fresh install image, do Windows Updates, re-image, and go on with my life. There's nothing like a fresh installation of Windows. 10-15 boot up time? Why thank you, I think I will partake in that.

Of course, this is all made much easier by a few different things. First off, I keep all of my personal folders (desktop, my docs, favorites, etc) on a second hard drive. When I reinstall Windows, I just point it to the other folders and it's as if nothing ever changed. And of course I keep backups of everything on my home server, and triplicate backups of the most important stuff on my external. 5TB of storage!

But I digress, I'm getting off topic. One of the things I meant to say was, yes, with as advanced as malware has become, you can never be 100% sure that your system has been completely cleaned after an infection, especially with rootkits. And this also falls under the OS degradation topic as well. Even after you've cleaned up the malware, there's still going to be traces, riddled all over your hard drive and registry. It's just impossible to get every single little trace.

And as for the expensive part, think of it this way. Would you rather spend the time and minimal amount of money now to wipe and reinstall to make sure your system is clean, or would you rather spend the large amount of time and probably larger amount of money trying to get your money back after it's been stolen from you because that last rootkit on your system stole your credit card number?

Now I'm not saying that there isn't some software you can't reliably remove. Security Tool comes to mind. It's a single EXE and a couple of autorun files that hide in your Application Data folder. If you can get access to that, you can nuke it without even using any type of anti-malware software. I'm not saying it's not a good idea to scan afterwards, since the Security Tool is probably not the only thing there, but it can be removed. I'm mostly referring to the nasty rootkits that are out there. When we come across a rootkit in the store, we usually just suggest we do a reinstall on the computer, just to be sure. We charge the same price, and the customer is usually happy.
FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

Evil: The problem is that as screwed up as that system was, I don't think you can ever be 100% certain it's clean.