9:12 AM November 25, 2016

My Procedures For Getting Rid Of Any Malware

I originally wrote this when the most dominant malware around were those fake anti-virus programs. They block your system and try to bully you into paying for a scanner to remove the so-called virus they find. In reality, the fake anti-virus is probably the only virus on your system.

Then came the scareware messages claiming to be from a law enforcement agency, locking your system with the message that you have something illegal on it. Pay up or go to jail.

Now, in my case at least, the main problems seem to be PUPs or Potentially Unwanted Programs like toolbars and web browser hijackers.

Most people get these by installing programs without paying attention to the install screens and unchecking the options for additional software. Another way is when people get their browser hijacked (usually by the previously mentioned method) and get taken to a new search page that displays ads claiming that there are problems with the computer, or promising to speed up the system or the Internet. Another culprit I suspect is those "You Got To See What This Celebrity Is Doing With That One!" type videos on Facebook.

I have to adapt my procedures according to the situations. Here are my latest.

First I use CCleaner www.piriform.com/ccleaner , not just to clean up temp files but to go to the Tools menu and then the Startup options. There I disable any startup items, browser extensions and Scheduled Tasks that I think are not needed. Only experience and/or a good search engine can tell you what to keep or not. Mainly get rid of toolbars, their updaters, optimization programs, any program promising to speed up your system or to prevent future problems, and registry cleaners.

Then I would download, install, update, and run the following:

  • Malwarebytes - www.malwarebytes.com
  • AdwCleaner https://toolslib.net/downloads/finish/1/
  • tdsskiller- www.bleepingcomputer.com/download/tdsskiller/
  • SuperAntiSpyware - http://www.superantispyware.com/index.html

    And if I suspect a serious infection or rootkit then combofix.

  • ComboFix - www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please note: ComboFix will not work on Windows 8.1 or Windows 2000, and most likely not on Windows 10.

    If you can't run the scans in normal Windows, try Safe Mode

    Safe mode is a version of Windows with a bare minimum of resources loaded to help you fix Windows.

    The three main ones to be concerned with here are:

  • Safe Mode - no Internet or network support
  • Safe Mode with Networking - Safe Mode with internet and networking support
  • Safe Mode with Command Prompt - no network, no internet, no graphical interface, although you can just type explorer.exe at the command prompt to get the task bar and start menu to appear.

    I always go for Safe Mode with Networking. It gives you Internet access in Safe Mode, which comes in handy for updating anti-virus and anti-malware programs.

    To start up in Safe mode if your computer originally came with XP, 7 or Vista: Restart your computer and keep pressing the F8 key on your keyboard. It's a bit tricky but when done right you will be taken to a screen that gives you the Windows Advanced Options Menu.

    If you have a Windows 8 or 10 computer: Restart your PC. When you get to the sign-in screen, hold the Shift key down while you select Power button. Click on Restart. Then select Troubleshoot > Advanced options > Startup Settings > Restart. After your PC restarts, you'll see a list of options. Select 4 or F4 to start your PC in Safe Mode. Or if you'll need to use the Internet, select 5 or F5 for Safe Mode with Networking.

    We can all thank Microsoft for making such a simple procedure a lot more complex.

    With Windows XP you will be presented with the option to run System Restore. Your choice. When presented with the login screen choose your account. An info box will eventually pop up giving you the option to continue using Safe Mode or use System Restore. Click Yes to continue in Safe Mode. Clicking No will start the System Restore wizard, which will allow you to reset your computer to an earlier point, hopefully before the infection.
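    The F8 and Shift+Restart routes above are the ones the post uses. As an added example (this editor's code, not the author's), here is the same Safe Mode with Networking boot set from an elevated PowerShell prompt with bcdedit, which is handy on Windows 8/10 where F8 no longer works. The function names are my own; bcdedit, its safeboot value and the {current} identifier are standard Windows. Run Set-NextBootSafeMode, restart, do your scans, then run Clear-SafeModeBoot before the final restart, otherwise Windows keeps booting into Safe Mode.

```powershell
# Added example, not part of the original post. Requires an elevated prompt.

function Assert-Elevated {
    # bcdedit refuses to change the boot configuration unless we are an administrator.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'bcdedit needs an elevated (Run as administrator) prompt.'
    }
}

function Set-NextBootSafeMode {
    # 'network' = Safe Mode with Networking (the post's usual choice), 'minimal' = plain Safe Mode.
    param([ValidateSet('minimal', 'network')][string]$Mode = 'network')
    Assert-Elevated
    # {current} is the boot entry Windows is running from right now; quoted so PowerShell
    # does not treat the braces as a script block.
    bcdedit /set '{current}' safeboot $Mode | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
    Write-Host "Next boot will be Safe Mode ($Mode). Restart when ready."
}

function Clear-SafeModeBoot {
    # Remove the flag again, or every later boot is a Safe Mode boot.
    Assert-Elevated
    bcdedit /deletevalue '{current}' safeboot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
    Write-Host 'Safe Mode flag removed; the next boot is a normal one.'
}

function Get-SafeModeBootSetting {
    # Read-only check of whether the flag is currently set, so you do not forget to clear it.
    $line = bcdedit /enum '{current}' | Select-String -Pattern '^safeboot\s+(\S+)'
    if ($line) { return $line.Matches[0].Groups[1].Value }
    return 'not set'
}

# Typical use during a clean-up:
#   Set-NextBootSafeMode -Mode network ; Restart-Computer
#   ... run the scanners ...
#   Clear-SafeModeBoot ; Restart-Computer
Get-SafeModeBootSetting
```

    Get-SafeModeBootSetting reads the boot entry rather than the registry, so it reports exactly what the next boot will do.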

    First let's reset the browsers, even the ones you don't use. You might need a cleared-out browser to download the previously mentioned scanners.

  • Chrome: Go to the Settings menu; it either looks like 3 dots stacked on top of each other or 3 lines, in the top right hand corner. Settings > scroll to the bottom and click Show advanced settings in blue letters > then scroll to the bottom again and click on the Reset settings button. In the small box that opens click on Reset. And you're done.

  • Firefox: Type about:support in the web address or URL bar > then click on the Refresh Firefox... button in the top right hand corner, then Refresh Firefox in the little box that opens after.

  • Internet Explorer: Control Panel > Internet Options > Advanced tab > Reset button > check Delete personal settings > then Reset. A little box will open that shows you the progress it's making. When finished just click on the Close button; it becomes active when the reset is done. It will then ask you to restart IE, or in some cases you might have to restart your computer. When you start IE again you'll get a recommended settings box. I usually just check Use recommended security and compatibility settings.

  • Opera: After all these years, a complete rewrite starting with version 15, currently up to 41.0, and still no reset option. If they have it, it is so well hidden that even I can't find it.

    Need some pictures to guide you? Try: www.howtogeek.com/171924/how-to-reset-your-web-browser-to-its-default-settings/

    I used to recommend deleting all temporary files first using a program called CCleaner - http://www.piriform.com/ccleaner , because I didn't like wasting the time it takes for a scanner to check hundreds or even thousands of garbage files. But there is a virus called SMART HDD that hides all the files on your hard drive and then tries to convince you that your drive is damaged. It copies all the shortcuts from the Start Menu into the %Temp%\smtmp folder, and those copies are needed to restore the Start menu icons. So now I don't delete the temp files until everything is cleared out.

    If you can't or don't want to download any third party cleaner, try cleanmgr. Just type it and hit Enter in the search or Run bar. It opens Windows' own Disk Cleanup utility. It should work with most versions of Windows.

    Then on to the scanning.

    First download and run Malwarebytes. One of the first things I do is click on the SETTINGS button across the top and then, down the left hand side menu, click on Detection and Protection. Then make sure Scan for rootkits is checked. Then click on DASHBOARD across the top and click the blue Update >> option in the Database Version segment. Let it update. Then click on the big blue Scan Now button.

    Let it finish. This scan can take up to 30 minutes or longer. When it's finished it will show you the Threat Scan Results. At this point I like to mark everything for deletion, so make sure everything is checked. If you have a lot of items listed but they are not all checked, just put a check by the word Threat; this automatically checks everything on the list. Then click on the large Remove Selected button.

    It should automatically start deleting everything after that. You'll be taken to a screen that shows 0 threats quarantined, but that number will eventually climb to match the actual number of threats found. Afterwards you may get a message to restart your computer; let it do so if prompted.

    I like picture guides too: http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-malware-tutorial

    Next, AdwCleaner.

    This scanner, which I run next and which is now owned by Malwarebytes, is pretty straightforward. Just open it and click on the Scan button. It's a lot quicker than Malwarebytes. When it's finished scanning just click on the Clean button. This one always requests a restart after scanning. Make it so. Accept any prompts.

    Then, tdsskiller

    Update if you can, accept the end user license agreement, then click on the Start scan button. It's quick and will give you the option to delete anything it finds. A restart may be requested.

    Then finally SUPERAntiSpyware

    When you get to their site, click on the link to the Portable Version. Don't let the Portable name fool you. Usually portable software refers to software designed to install on something like a flash drive. With this version, you download the installer, copy it to a flash drive, copy it to the infected system and run it from there. It's supposed to contain all the latest updates so you don't have to worry about updating it on a computer with no Internet access.

    First click down in the lower right hand corner where it says Click here to check for updates. Then toward the top left, click on Scan This Computer. At this point, you can do a Quick Scan or Complete Scan. Again, delete anything it finds.

    If SafeMode Doesn't Work - Use Boot CD/DVDs

    Normally I would go into Safe Mode and remove it from there. But lately it seems to be a trend for these viral programs to be able to start up even in Safe Mode; it was only a matter of time.

    The only way around it is to use a Boot CD/DVD. My experience with these in the past has been hit-or-miss. Most anti-virus boot CD/DVDs are based on one anti-virus program or another. In the past I used to use UBCD4Windows. The problems now: it hasn't been updated in a while, it's based on Windows XP, and you need a copy of Windows XP because you have to compile the CD yourself from it.

    If you still want to fool around with it: http://ubcd4win.org/

    A few other anti-virus boot CDs:

  • AVG Rescue CD Bootable AVG Antivirus CD / USB http://www.avg.com/us-en/download.prd-arl
  • Avira Antivir Rescue Disk www.avira.com/en/download/product/avira-antivir-rescue-system
  • Dr.Web LiveDisk http://www.freedrweb.com/livedisk
  • BitDefender Rescue CD http://download.bitdefender.com/rescue_cd/latest/
  • Kaspersky Rescue Disk 10 https://support.kaspersky.com/viruses/rescuedisk#downloads
  • Here's a more extensive updated list, as of Nov 2016: https://www.lifewire.com/free-bootable-antivirus-tools-2625785

    Then comes the tricky part: booting from the CD/DVD.

    These links give you some idea how to boot from a CD/DVD/USB drive. Unfortunately, Microsoft has complicated this issue as well by developing Secure Boot. You'll need to do some research and see how to disable it in the BIOS / UEFI of your computer. Otherwise you will not be able to boot from an external device.

    Here are some links to give you some idea what to look for.

  • http://www.tenorshare.com/guide/how-to-boot-from-cd-usb.html

  • https://askleo.com/how_do_i_boot_from_cddvdusb_in_windows_8/

  • https://lifehacker.com/5991848/how-to-boot-from-a-cd-or-usb-drive-on-any-pc

  • www.hiren.info/pages/bios-boot-cdrom

  • http://xphelpandsupport.mvps.org/how_do_i_enable_cdrom_support_i.htm

  • www.windowsreinstall.com/articles/bios/

    Most computers will give you an option like Hit F2 or F12 for boot menu. Different computers will have different setup keys. It's usually on the first screen that displays the computer logo when you first turn it on. On my Acer Win7 desktop, I have to use the Delete key to go into the BIOS and F12 for the boot menu.

    If you're lucky, your computer may already be set up to boot from your CD/DVD drive. :-)

    So, download the rescue CD/DVD/USB image of your choice and burn the image. ISO images need to be burned properly. Try using this simple program to do so: ImgBurn - www.imgburn.com/

    Boot from the image in question and just follow through from there. The first thing you want to do is try to update it. Even if you can't update it, try to run a scan anyway. It might not clean your system up completely, but it might break the virus enough to get control of the system to do further scans.

    For the more technically inclined.

    Sometimes an extra step or two are needed to clean out a system. In these cases, here are a few suggestions.

    Try to isolate the name of the infection and do some research online to try and get the right information to remove it. Sometimes there are scanners designed to remove only a specific infection.

    You can manually check for suspicious files and processes using Autoruns - http://technet.microsoft.com/en-us/sysinternals/bb963902 and HijackThis - http://filehippo.com/download_hijackthis/

    I recommend Autoruns first.

    Using these requires a bit of knowledge and understanding. They don't automatically delete anything but show you just about everything that is running on your computer, giving you the option to manually delete anything you don't want running.
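    To give an idea of what Autoruns (and the CCleaner Startup tool mentioned at the top) is looking at, here is an added example of my own, not from the post or from Sysinternals: a read-only PowerShell triage of the common autostart locations. It lists Run/RunOnce keys, the Startup folders and enabled scheduled tasks, and flags entries whose program is missing or lives under a user-writable temp or AppData folder, which are the ones worth researching before you remove anything. The key paths are the standard Windows ones; the "suspicious folder" heuristic and the function names are my own assumptions. Nothing is deleted.

```powershell
# Added example, not part of the original post. Read-only; run as the logged-on user
# (an elevated prompt sees HKLM tasks and keys more completely).

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristic (my assumption): a startup program living in one of these is unusual on a home PC
# and deserves a look. Legitimate software usually installs under Program Files.
$suspiciousRoots = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA, $env:PUBLIC)

function Get-CommandPath([string]$command) {
    # Pull the program path out of a command line such as  "C:\x\y.exe" /arg  or  C:\x\y.exe /arg
    if ($command -match '^\s*"([^"]+)"') { return $matches[1] }
    if ($command -match '^\s*(\S+\.exe)') { return $matches[1] }
    return $command.Trim()
}

function Test-Suspicious([string]$path) {
    # Returns a short reason when the entry looks worth researching, otherwise $null.
    $expanded = [Environment]::ExpandEnvironmentVariables($path)
    if (-not (Test-Path -LiteralPath $expanded)) { return 'missing file' }
    foreach ($root in $suspiciousRoots) {
        if ($root -and $expanded.StartsWith($root, 'OrdinalIgnoreCase')) { return "under $root" }
    }
    return $null
}

$findings = @()

# 1. Run / RunOnce registry keys: each value name is an entry, its data is the command line.
$findings += @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $exe = Get-CommandPath $p.Value
        [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value; Flag = (Test-Suspicious $exe) }
    }
})

# 2. Startup folders: any shortcut here runs at logon, so resolve where it points.
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
$shell = New-Object -ComObject WScript.Shell
$findings += @(foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $target; Flag = (Test-Suspicious $target) }
    }
})

# 3. Enabled scheduled tasks that run a program (Get-ScheduledTask exists on Windows 8 / 2012 and later).
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $findings += @(Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        foreach ($a in $_.Actions) {
            if ($a.Execute) {
                $exe = Get-CommandPath $a.Execute
                [pscustomobject]@{ Location = "Task $($_.TaskPath)"; Name = $_.TaskName; Command = $a.Execute; Flag = (Test-Suspicious $exe) }
            }
        }
    })
}

# Flagged entries first, everything else below for manual review.
$findings | Sort-Object { $null -eq $_.Flag } | Format-Table -AutoSize -Wrap
```

    A flag is a prompt to research the entry, not proof of anything: some legitimate updaters do run from AppData, which is exactly why the post says only experience and a good search engine can tell you what to keep.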

    If all else fails you can try a System Restore. It's a last resort to me, but I managed to fix one laptop by using it. If you do get back to a non-infected point, you may still want to run a few scans just to be sure.

    Fix .EXE Association

    Another trend that I've noticed, other than the starting up in Safe Mode thing, is that these malware programs change the .exe association.

    When you double click on a file like a picture, it may have a .jpg extension, indicating it's in the JPG picture format. The .jpg extension tells the computer to open up your default picture viewer.

    Newer malware changes your default program associations so that every program you try to open initiates the startup of the malware program. So if you manage to successfully delete the malware program, then none of your programs will start up, because when you try to open one, it asks you to associate or choose a program to open it with.

    So now you have to fix the .EXE file association.

    I have the fixes for XP, Vista, and Windows 7. I have them burned on a CD so I can just copy them over to the computer in question and merge them into the registry of the infected system.

    Just copy and paste the following into Notepad and call it fix_exe.reg. The name is not important; changing the .txt extension to .reg is.

    Open up Notepad, copy and paste the following info into it. Then click on Save As and make sure to change the file type option to All Files. Type the file name and put .reg at the end of it. Then copy the file to the infected system and double click on it. It will ask you to confirm. Make it so.


    Windows XP - copy and paste between the lines


    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\.exe]
    @="exefile"
    "Content Type"="application/x-msdownload"

    [HKEY_CLASSES_ROOT\.exe\PersistentHandler]
    @="{098f2470-bae0-11cd-b579-08002b30bfeb}"

    [HKEY_CLASSES_ROOT\exefile]
    @="Application"
    "EditFlags"=hex:38,07,00,00
    "TileInfo"="prop:FileDescription;Company;FileVersion"
    "InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

    [HKEY_CLASSES_ROOT\exefile\DefaultIcon]
    @="%1"

    [HKEY_CLASSES_ROOT\exefile\shell]

    [HKEY_CLASSES_ROOT\exefile\shell\open]
    "EditFlags"=hex:00,00,00,00

    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    @="\"%1\" %*"

    [HKEY_CLASSES_ROOT\exefile\shell\runas]

    [HKEY_CLASSES_ROOT\exefile\shell\runas\command]
    @="\"%1\" %*"

    [HKEY_CLASSES_ROOT\exefile\shellex]

    [HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
    @="{86C86720-42A0-1069-A2E8-08002B30309D}"

    [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

    [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
    @="{09A63660-16F9-11d0-B1DF-004F56001CA7}"

    [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
    @="{86F19A00-42A0-1069-A2E9-08002B30309D}"

    [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
    @="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"


    Windows Vista - copy and paste between the lines


    Windows Registry Editor Version 5.00

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice]


    Windows 7 - copy and paste between the lines


    Windows Registry Editor Version 5.00

    [-HKEY_CLASSES_ROOT\.exe]

    [HKEY_CLASSES_ROOT\.exe]
    @="exefile"
    "Content Type"="application/x-msdownload"

    [HKEY_CLASSES_ROOT\.exe\PersistentHandler]
    @="{098f2470-bae0-11cd-b579-08002b30bfeb}"

    [HKEY_CLASSES_ROOT\exefile]
    @="Application"
    "EditFlags"=hex:38,07,00,00
    "FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
    00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
    32,00,5c,00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
    00,2c,00,2d,00,31,00,30,00,31,00,35,00,36,00,00,00

    [HKEY_CLASSES_ROOT\exefile\DefaultIcon]
    @="%1"

    [HKEY_CLASSES_ROOT\exefile\shell]

    [HKEY_CLASSES_ROOT\exefile\shell\open]
    "EditFlags"=hex:00,00,00,00

    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    @="\"%1\" %*"
    "IsolatedCommand"="\"%1\" %*"

    [HKEY_CLASSES_ROOT\exefile\shell\runas]
    "HasLUAShield"=""

    [HKEY_CLASSES_ROOT\exefile\shell\runas\command]
    @="\"%1\" %*"
    "IsolatedCommand"="\"%1\" %*"

    [HKEY_CLASSES_ROOT\exefile\shell\runasuser]
    @="@shell32.dll,-50944"
    "Extended"=""
    "SuppressionPolicyEx"="{F211AA05-D4DF-4370-A2A0-9F19C09756A7}"

    [HKEY_CLASSES_ROOT\exefile\shell\runasuser\command]
    "DelegateExecute"="{ea72d00e-4960-42fa-ba92-7792a7944c1d}"

    [HKEY_CLASSES_ROOT\exefile\shellex]

    [HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers]
    @="Compatibility"

    [HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers\Compatibility]
    @="{1d27f844-3a1f-4410-85ac-14651078412d}"

    [HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
    @="{86C86720-42A0-1069-A2E8-08002B30309D}"

    [-HKEY_CLASSES_ROOT\SystemFileAssociations\.exe]

    [HKEY_CLASSES_ROOT\SystemFileAssociations\.exe]
    "FullDetails"="prop:System.PropGroup.Description;System.FileDescription;System.ItemTypeText;System.FileVersion;System.Software.ProductName;System.Software.ProductVersion;System.Copyright;*System.Category;*System.Comment;System.Size;System.DateModified;System.Language;*System.Trademarks;*System.OriginalFileName"
    "InfoTip"="prop:System.FileDescription;System.Company;System.FileVersion;System.DateCreated;System.Size"
    "TileInfo"="prop:System.FileDescription;System.Company;System.FileVersion;System.DateCreated;System.Size"

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithList]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids]
    "exefile"=hex(0):

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
    @="exefile"
    "Content Type"="application/x-msdownload"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\PersistentHandler]
    @="{098f2470-bae0-11cd-b579-08002b30bfeb}"


    Windows 8 or 10


    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\exefile]
    @="Application"
    "EditFlags"=hex:38,07,00,00
    "FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
    00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
    32,00,5c,00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
    00,2c,00,2d,00,31,00,30,00,31,00,35,00,36,00,00,00

    [HKEY_CLASSES_ROOT\exefile\DefaultIcon]
    @="%1"

    [HKEY_CLASSES_ROOT\exefile\shell]

    [HKEY_CLASSES_ROOT\exefile\shell\open]
    "EditFlags"=hex:00,00,00,00

    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    @="\"%1\" %*"
    "IsolatedCommand"="\"%1\" %*"

    [HKEY_CLASSES_ROOT\exefile\shell\runas]
    "HasLUAShield"=""

    [HKEY_CLASSES_ROOT\exefile\shell\runas\command]
    @="\"%1\" %*"
    "IsolatedCommand"="\"%1\" %*"

    [HKEY_CLASSES_ROOT\exefile\shell\runasuser]
    @="@shell32.dll,-50944"
    "Extended"=""
    "SuppressionPolicyEx"="{F211AA05-D4DF-4370-A2A0-9F19C09756A7}"

    [HKEY_CLASSES_ROOT\exefile\shell\runasuser\command]
    "DelegateExecute"="{ea72d00e-4960-42fa-ba92-7792a7944c1d}"

    [HKEY_CLASSES_ROOT\exefile\shellex]

    [HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers]
    @="Compatibility"

    [HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers\Compatibility]
    @="{1d27f844-3a1f-4410-85ac-14651078412d}"

    [HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
    @="{86C86720-42A0-1069-A2E8-08002B30309D}"

    [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

    [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
    @="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

    [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}]
    @=""

    [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}]
    @=""


    Some extra links:

    http://forum.thewindowsclub.com/windows-tips-tutorials-articles/33985-fix-exe-files-won-t-open-windows-7-a.html

    www.thewindowsclub.com/fix-unable-to-open-exe-lnk-files-windows-7
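    Before merging one of the .reg files above, and again afterwards, it helps to know whether the association is actually hijacked. This is an added example of my own (not the author's and not from the linked articles): a read-only PowerShell check that reads the values the fixes restore and compares them with the Windows defaults shown in the .reg files. The expected values come straight from those files; the function names are my own. Nothing here writes to the registry.

```powershell
# Added example, not part of the original post. Read-only.

function Get-RegDefault([string]$path) {
    # Returns the (Default) value of a registry key, or $null if the key or value is absent.
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    try { return (Get-ItemProperty -LiteralPath $path -Name '(default)' -ErrorAction Stop).'(default)' }
    catch { return $null }
}

function Test-ExeAssociation {
    # Expected values are the defaults in the fix_exe.reg files: .exe maps to the exefile class,
    # and exefile's open/runas commands are  "%1" %*  (run the file itself with its arguments).
    $expectedCommand = '"%1" %*'
    $checks = @(
        @{ What = 'HKCR\.exe (Default)';              Path = 'Registry::HKEY_CLASSES_ROOT\.exe';                        Expected = 'exefile' }
        @{ What = 'HKCR\exefile\shell\open\command';  Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command';  Expected = $expectedCommand }
        @{ What = 'HKCR\exefile\shell\runas\command'; Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\runas\command'; Expected = $expectedCommand }
    )
    $results = @(foreach ($c in $checks) {
        $actual = Get-RegDefault $c.Path
        [pscustomobject]@{
            Check    = $c.What
            Expected = $c.Expected
            Actual   = $actual
            OK       = ($actual -eq $c.Expected)
        }
    })

    # The per-user override the Vista fix deletes: if this key exists, its Progid wins over HKCR.
    $userChoice = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice'
    $present = Test-Path -LiteralPath $userChoice
    $actualChoice = '<absent>'
    if ($present) { $actualChoice = (Get-ItemProperty -LiteralPath $userChoice).Progid }
    $results += [pscustomobject]@{
        Check    = 'HKCU FileExts\.exe\UserChoice (should not exist)'
        Expected = '<absent>'
        Actual   = $actualChoice
        OK       = (-not $present)
    }
    return $results
}

$report = Test-ExeAssociation
$report | Format-Table -AutoSize -Wrap
if ($report | Where-Object { -not $_.OK }) {
    Write-Warning 'The .exe association differs from the Windows default. Merge the fix_exe.reg for your Windows version and run this check again.'
}
```

    A hijacked system typically shows a command pointing at some file under a temp or AppData folder instead of "%1" %*; after the merge every row should read OK = True.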

    Delete All Restore Points

    Finally delete all the old restore points but only after you are convinced the system is clean. Click on Start button > Control Panel >System > Advanced System settings > System Protection tab > Configure... > Delete > OK

    This will delete all old points that still may be infected and you can use the Create... button to create a new clean restore point.

    Some Ransomware Related Links That May help You

    Just a note: To date I have not had to deal with a case of Ransomware.

    Ransomware seems to be on the rise. It infects your system, then encrypts your files (like scrambling your files and putting a very strong password on them), and then tries to blackmail you into paying them to unlock your system for you. Getting rid of the virus should be easy enough; getting your files back is another story. Breaking encryption, even for pros, could take days, months or even years. It's, unfortunately, not like in the movies with a few key clicks in a few seconds.

    Most Important Thing To Do: DON'T EVER PAY. If you do, then it only encourages them to do it more. This is where it's important to have backups of your important files. It's usually recommended to format or reset your computer, restore your files from backup and move on. If you don't have backups, I have a list of a few resources that may help you, but otherwise treat your system like your hard drive crashed and you lost everything, and move on.

    www.nomoreransom.org/

    www.makeuseof.com/tag/will-petya-ransomware-crack-bring-back-files

    www.bleepingcomputer.com/news/security/teslacrypt-shuts-down-and-releases-master-decryption-key

    www.bleepingcomputer.com/news/security/petya-ransomwares-encryption-defeated-and-password-generator-released

    www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom

    https://davescomputertips.com/free-ransomware-decrypter-tools/?utm_source=wysija&utm_medium=email&utm_campaign=Weekly+Recap+Newsletter

    https://nakedsecurity.sophos.com/2016/04/26/ransomware-in-your-inbox-the-rise-of-malicious-javascript-attachments/?utm_source=Naked+Security+-+Sophos+List&utm_campaign=998d20d88b-naked%252Bsecurity&utm_medium=email&utm_term=0_31623bb782-998d20d88b-418523889

    A program that may help you recover some files: www.shadowexplorer.com

    Your best bet is to try not to get infected in the first place. Don't open attachments from unknown emails. I've gotten a few emails with attachments claiming to be invoices, bills, undelivered parcels, etc. Even on Facebook, be careful what links you click on.

    This link is for the download of a PDF file with some useful info. If the link doesn't work, go to the nakedsecurity.sophos.com link above and scroll to around the middle of the page. https://www.sophos.com/en-us/medialibrary/Gated%20Assets/white%20papers/sophosransomwareprotectionwpna.pdf?la=en

    Programs to try and block ransomware. Having an updated anti-virus will help some too.

    This one is free - www.mcafee.com/us/downloads/free-tools/interceptor.aspx

    This one you have to pay for - https://www.winpatrol.com/winantiransom/