The Official Malware/Antivirus Thread - Need help or general advice? Read this first!

[Bearcat]

This thread provides information on malware removal, links to malware removal tools, and recommendations & links to anti-virus software. The intention of this thread is to provide quick and accurate support for malware-related issues and questions.

Many people here are willing to provide assistance if you're having computer problems, and this thread is not meant to discourage people from asking for help.... but, please read the information provided first, or else there's a good chance you'll be sent here, here, or here . We aren't Geek Squad, so while we won't grossly overcharge you for information and advice, we also aren't responsible for anything you do to your computer.

Also, feel free to make suggestions on the content of this post, and I'll try to keep it up to date.

Research

A lot of information can be found at this EliteKiller link, including...

• Links to recommended malware scanning & removal tools, including the Rogue Removal Kit (which includes combofix), malwarebytes (aka MBAM), and Hitman Pro.
• A link to HiJackThis, which creates a log of registry entries, running services, etc; that can be posted here for additional support.
• Reviews, recommendations, and links to antivirus software, on-demand scanners, and online scanners.
• Information on firewalls and unsecured networks, as well as malware/virus prevention.

Malware Removal

If you think your computer is infected, the EliteKiller link provides a thorough solution. Simply put...

Quote:

Originally Posted by mikeyis4dcats.

Step 1 go here http://www.elitekiller.com/malware.htm and read up

Step 2 download the Rogue Removal Kit http://www.elitekiller.com/files/rogueremoval.zip

Step 3 unzip the Kit, read the instruction file and run the tools in the order given.

Step 4 Thank me in about 3 hours for fixing your shit.

The Rogue Removal Kit is is a zipped file that includes malwarebytes, CCleaner (a registry cleaner that will also delete temporary files), Combofix, Hitman Pro, and HiJackThis (HiJackThis is optional, see below). The instructions guide you through running these tools in Safe Mode With Networking; then running malwarebytes and an online scanner in Normal Mode.

Some people don't recommend running Combofix unless you're fairly certain you need to use it, but I've never heard of people having major problems with it. Here's a list of symptoms to Vundo infections, which may help determine if you need to run Combofix. You can also look here to see instructions with screenshots on how to use Combofix.

Taken from the readme in the Rogue Removal Kit:

Quality Online Virus Scanners: (all scanners offer detection and removal)

F-Secure
NOD32
Bitdefender

Quality Free Anti-Virus Software:

Panda Cloud
Microsoft Security Essentials
Antivir
Avast!
AVG


My two cents on downloading anti-malware software...

• Download it from another computer if possible, or from Safe Mode With Networking on the infected machine.
• Verify you are downloading from a legit source and are not being redirected to a site where you'll end up downloading more malware. If you click on any links above, verify the link in the bottom left before clicking on it, then after clicking the link verify that's where you were taken in the address bar.
• The elitekiller article mentions downloading the software to a USB drive. Do not download the software to a USB drive on the infected machine if you're not in Safe Mode, or else you risk infecting the USB drive and other computers you connect the drive to in the future.

Other Helpful Tips & Tools

Rkill will kill processes that may be preventing scanners from completely removing malware.

To get into Safe Mode With Networking, press F8 every couple of seconds while the computer is starting (before the Windows splash screen). If you see the Windows splash screen, you will need to try again. The safe thing to do is log into Windows, restart, and try pressing F8 several times before seeing the Windows splash screen. Alternatively, my advice that falls into the category of “what I'd do if it was my own computer, but wouldn't tell someone to do it if I worked in tech support” would be, if you didn't get into Safe Mode the first time and you're at the Windows splash screen, hold down the power button until the computer turns off. When you start the computer again, it should automatically ask you if you want to go into Safe Mode With Networking.

If you get a Blue Screen of Death after selecting Safe Mode With Networking, read the following posts on how to fix it:
http://blog.didierstevens.com/2006/06/22/save-safeboot/
http://blog.didierstevens.com/2006/0...ring-safeboot/
http://blog.didierstevens.com/2007/0...th-a-reg-file/


Still infected, or just want to make sure everything is okay?

HiJackThis is a tool that will create a log file that can be analyzed by geeks to see what is running on your computer. Install and run HiJackThis (preferably in Safe Mode With Networking), and select 'Do a system scan and save a log file'. You can then copy/paste the output to this thread, and with any luck, someone will stop by and let you know what you can delete. You can then checkmark the items in HiJackThis and click 'Fixed checked'.

If you don't get a quick response here or would rather do it yourself, you can also go to http://hijackthis.de/, which is an online analyzer for your HiJackThis log. Simply copy and paste the log into the text box and click the Analyze button. During my testing of the site, I found it wasn't perfect, especially when a proxy was setup (the visitor rating would be 'extremely nasty', but the site itself would say it was safe)... but, it's at least a good tool that can significantly shorten the time it takes to analyze the log, and it gives you an idea of which entries you can delete or at least Google/post here for further research.

You can also look at the responses to HiJackThis posts in this thread to get an idea of what is safe and what should be removed.


Windows Performance

A good starting point to knowing what processes and services are running on your computer is a HiJackThis log. There's also a lot of information that's only a Google search away.

To manage the process that start when Windows starts, use msconfig (Start button -> Run... -> msconfig -> Startup tab). This is a good resource on startup processes, and it includes a large database of startup processes with information on whether they're required to run Windows or if it's okay to uncheck them. You basically want processes that are in c:\Windows checked, and you can generally uncheck processes in c:\program files (but there are exceptions, like your antivirus), but do some research (Google, the provided links, this thread) if you're not sure. Adobe, Apple (including qttask, Boujour, AppleUpdater, etc), and any messenger program (unless you have it sign you in at startup) are always the first ones to get unchecked on my computer.

Services can be a little tougher to manage, because it's usually a much longer list, and it's not as simple as flipping them on or off. This is a great resource for managing Windows services (Start button -> Run... -> services.msc). Simply choose your version of Windows and then click on the Service Configuration link. It presents the default setup, a safe setup (what most people can use without any consequences), a tweaked setup for faster startup, and a bare bones setup for the super geek. There's also a Tweaks page for stuff like Adding/Removing programs and System Restore.

[Dayze]

Quote:

Originally Posted by chasedude

I had a laptop that was running really hot and fans at full blast. I installed process explorer on it to view my cpu usage and found my lexmark printer software was using 50% of my cpu when doing nothing. I assumed that that program had a memory leak and needed dumping. After the uninstall it now runs cool and quiet. I still blow the air through the exhaust port on my cpu occasionally too with the compressor. Alot of dust can collect on the cooling fan in laptops too.

cool; I'm running an HP wireless printer that never gets used.

if one were to turn off a printer from a process standpoint, would they be able to print if need be? so like, turn it off since 99% of time we never use it, but if we did need to - still be able to print?

[DaFace]

Quote:

Originally Posted by chasedude

So Avast has lost the ability to access the net now?

Yup. But that's it. Everything else is peachy. I can manually update it by downloading the file from Avast, and that works fine. Scans come up clean. I can't use the web shield (since that works as a proxy that sends all HTTP communications through Avast), but that and updating are really the only issues.

[Fish]

Quote:

Originally Posted by DaFace

On a random Avast side note, any of you ever had it lose its ability to access the internet? I got a little minor gremlin a week or so ago. I removed it immediately, and it really didn't do anything, but somewhere in the removal process something got screwy. Avast won't update, and if I turn the web shield on, all my browsers are blocked.

I've done a full uninstall/reinstall, all of the typical scanners come up clean, everything seems fine, etc. Hosts file is fine. Hijack this doesn't seem to have anything out of the ordinary. Everything works fine except that one program. I almost don't even care (it's just my media center pc), but it's got me stumped.

Hmmm.. That's weird.. never heard of such a thing.

You might try Avast's uninstaller app... http://www.avast.com/uninstall-utility

Usually when they release their own uninstall app, it's because the Windows one isn't sufficient in some cases. I'd uninstall through windows, then run the Avast uninstall and let it clean up anything the Windows uninstaller might have missed. Then reinstall newest version. You might try and uninstall/reinstall with another admin account too. Determine if it might be a user setting specific to your account.

[DaFace]

Quote:

Originally Posted by KC Fish

Hmmm.. That's weird.. never heard of such a thing.

You might try Avast's uninstaller app... http://www.avast.com/uninstall-utility

Usually when they release their own uninstall app, it's because the Windows one isn't sufficient in some cases. I'd uninstall through windows, then run the Avast uninstall and let it clean up anything the Windows uninstaller might have missed. Then reinstall newest version. You might try and uninstall/reinstall with another admin account too. Determine if it might be a user setting specific to your account.

Yeah, I tried that. Haven't done it from safe mode, which I've seen suggested on other forums. I'll try it from a different account as well, just to say I did.

It's kind of a weird issue. It doesn't really matter that much, but it's certainly perplexing.

[chasedude]

Quote:

Originally Posted by Dayze

cool; I'm running an HP wireless printer that never gets used.

if one were to turn off a printer from a process standpoint, would they be able to print if need be? so like, turn it off since 99% of time we never use it, but if we did need to - still be able to print?

Print spooling is about the only process windows uses to handle print jobs and it only starts when you send a job through the queue. Most of the problems created today are the additional software loaded with most home deskjets.

The services I had problems with from my lexmark software wouldn't let me close the process. My only solution was to uninstall it.

I miss the old days when all you had to do was install a driver and done. Too much unnecessary software bogging down the system only creates problems in the end.

[Fish]

Google Image Poisoning and FakeAV attacks

FYI on Google Image Poisoning.... which is the general cause for the FakeAV popups that so many people have issues with.

These FakeAV programs are rather tricky, in that they're not easily classified, and they never work the same. Therefore, your various AV/Spyware/Malware scanners might not think that it's malicious behavior at the time of infection.

The FakeAV attacks seem to come in 3 flavors of increasing complexity:

1) "The Nag". Terminate the process and delete the file. Doesn't care that you run other programs.

2) "The Pain in the Ass". Doesn't let you run any exe because it latches into the .exe file registry keys. We have an inf that reverts the registry change, then we terminate and delete the exe.

3) "The Real Pain in the Ass". Does the same as number two, but has the additional side effect of fudging permissions all over the system. It screws them up so bad that you can't run any of your applications anymore. When computers get these, we usually just reimage them. But they can be salvaged if it's worth a bit of work to you.

If you've experienced these, here's why you got it, and here's how to prevent it in the future.

Full article: http://isc.sans.edu/diary/More+on+Go...oisoning/10822

Another very In-depth article with additional info: http://blog.unmaskparasites.com/2011...earch-results/

Quote:

For last couple of weeks we received quite a bit of reports of images on Google leading to (usually) FakeAV web sites.
Google is doing a relatively good job removing (or at least marking) links leading to malware in normal searches, however, Google’s image search seem to be plagued with malicious links. So how do they do this?

The attackers compromise a number of legitimate web sites. I have noticed that they usually attack Wordpress installations, but any widely spread software that has known vulnerabilities can be exploited.
.
.
.
.
.
Now, when a user searches for something through the Google image search function, thumbnails of pictures are displayed. Depending on the automatically generated content in step 3), number of links to the web page and other parameters known to Google, the attacker’s page will be shown at a certain position in the results web page. The exploit happens when a user clicks on the thumbnail.
Google now shows a special page that shows the thumbnail in the center of the page, links to the original image (no matter where it is located) on the right and the original web site (the one that contained the image) in the background. This is where the “vulnerability” is.

The user’s browser will automatically send a request to the bad page which runs the attacker’s script (the one set in step 1). This script checks that the request’s referrer field and if it contains Google (meaning this was a click on the results page in Google), the script displays a small JavaScript script.

This causes the browser to be redirected to another site that is serving FakeAV.

As we can see, the whole story behind this is relatively simple (for the attackers). There is a number of things to do here to protect against this attack, depending if we are looking at servers or clients. For a standard user, the best protection (besides not clicking on images) is to install a Mozilla Firefox addon such as NoScript. Google could step up a bit as well, especially since this has been going on for more than a month already and there are numerous complaints on Google’s forums about this. Since there are so many poisoned images they could maybe modify the screen that displays the results so it does not include the iframe – that will help in first step only, since if the user lands on the malicious web page there is nothing Google can do really.

Here's the link to NoScript. The thing about NoScript though, is that it can be overkill in many situations, and requires you to fine tune it or add exceptions to make some of your normal websites function properly. This normally just consists of navigating to your trusted websites and telling NoScript to allow an exception for that site. But for some people, I imagine it could be confusing. If you have any questions about it, post em in here....

[Stanley Nickels]

We're having a whale of a time dealing with less-computer-literate folks installing Mac Defender or Mac Protector. Making things worse, those trojans pop-up gay porn, of all things, then present the user with a virus warning. The worst part about this is trying to explain to someone how the program got there; their admin password HAD to be entered, but they draw no correlation between the installing of an anti-virus and the subsequent porn/virus "infection". Ugh.

[Fish]

Quote:

Originally Posted by Stanley Nickels

We're having a whale of a time dealing with less-computer-literate folks installing Mac Defender or Mac Protector. Making things worse, those trojans pop-up gay porn, of all things, then present the user with a virus warning. The worst part about this is trying to explain to someone how the program got there; their admin password HAD to be entered, but they draw no correlation between the installing of an anti-virus and the subsequent porn/virus "infection". Ugh.

Seriously?

First off.... never ever ever give complete idiot users admin rights. That's just asking for headaches.

You could install ClamXAV on the machines. It's free, and effective. It's very easy to use, just tell it what to actively monitor. You can configure it to monitor the User folders, the normal startup and launch folders, etc. if you don't want it to scan the entire drive.

[Stanley Nickels]

Right now we're simply removing the program, and reassuring them their computer is in no danger (while politely implying that they were the idiots that did this). Removal is easy: Activity Monitor- Force Quit; Remove from Applications; Remove from Login Items; Safari-Preferences-uncheck Open "Safe" Files.

[rocknrolla]

Thank you, This thread freaking saved me soooo much time.

[Mr. Plow]

One of my employees downloaded the "Clean This" virus. What I thought was going to be difficult to get rid of turned out to be fairly easy.

Got into Safe Mode. Ran MBAM. Found 6 Trojans. Deleted them. Rebooted and back in business.

Just now rerunning MBAM in Normal Mode. Then I'm going to run MS Security Essentials.

[KurtCobain]

My computer wont turn on. it goes to the hp invent page then the moniter says innput out of range and the computer doesnt seem to be doing anything but the fans are runing. help please?
Posted via Mobile Device

[Fish]

Quote:

Originally Posted by KurtCobain

My computer wont turn on. it goes to the hp invent page then the moniter says innput out of range and the computer doesnt seem to be doing anything but the fans are runing. help please?
Posted via Mobile Device

Usually that means the video card is set to a resolution that the monitor can't support.

Reboot it. Right after the hp invent page, keep tapping F8. This will bring up a DOS menu. Select Safe Mode.

If it boots, go to Device Manager. Uninstall your video card, and reboot the computer. Then reinstall good video card drivers.

[KurtCobain]

Quote:

Originally Posted by KC Fish

Usually that means the video card is set to a resolution that the monitor can't support.

Reboot it. Right after the hp invent page, keep tapping F8. This will bring up a DOS menu. Select Safe Mode.

If it boots, go to Device Manager. Uninstall your video card, and reboot the computer. Then reinstall good vIideo card drivers.

f8 is doin no good. it only lets me get into setup (f10) from the invent page nothing else works. thanks tons btw
Posted via Mobile Device

[Fish]

Quote:

Originally Posted by KurtCobain

f8 is doin no good. it only lets me get into setup (f10) from the invent page nothing else works. thanks tons btw
Posted via Mobile Device

Did you keep tapping the F8 key? You might have to start clicking it before the Invent screen goes away. Sometimes the timing is hard if you've never done it before.