In this video podcast I'll show you my process for removing a virus without using an antivirus scanner. I make use of Process Explorer, HijackThis and Autoruns, and give you some tips on spotting viruses. The purpose of this video is for experienced technicians to see someone else's process and for beginners to learn how it's done.
Great video. I pretty much do the same, but I use Security Task Manager and Unlocker to remove the files, and then of course Autoruns to remove the autostart entries from the registry.
In your video you forgot a few things: usually AV2009 will create an x:\program files\av2009 (or something like that) directory that should be removed. And I would put more weight into running a quick virus scan (like Malwarebytes) after manual removal to get rid of any nasty registry entries or orphaned virus files that would be almost impossible to clear in any reasonable amount of time. The last thing you want is customers calling you back saying their antivirus is still popping up with "virus found" messages; even though there aren't any active viruses, the scanner will still flag a virus even if it's not completely all there.
I had that problem with Antivirus 2009 where it kept popping up. I didn't know that it could schedule itself. I learned something new today… Thx!
New Jersey Computer Repair, you're right. It usually does leave something in Program Files. When I got this from my client it did. For this example, I located it on the desktop so I could easily infect it, and kept it for example use. But you're right, any other time I'd need to go into Program Files.
Thank you Bryce, I enjoyed the demonstration. I’ve used Process Explorer and Autoruns for a while now and always found them useful.
Have a great new year!
I enjoyed the podcast. I’m glad to see someone else get rid of a virus every now and again. Thanks!
It’s interesting to see how other people have essentially come to use the same techniques based on their own experimentation and experiences.
One thing I've never gotten into, though, was Process Explorer, so I might have to give that a look-see.
The first couple of times I dealt with this infection I would use Process Explorer to suspend the process because it would keep popping up again… I didn't realize that there were scheduled tasks set up to relaunch the virus. After I suspended it I would then use Unlocker to delete the files on reboot.
Personally I always scan in safe mode so it cleans out everything without having to worry about resident memory or access denied issues.
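The comments above keep coming back to the same point: the rogue antivirus is relaunched by an autostart entry or a scheduled task, so killing the process alone does nothing. The script below is an added example (not code from the podcast or from any commenter) that lists the Run/RunOnce registry values and every scheduled task's command line, and marks any whose executable is not under the Windows or Program Files directories. It assumes a Windows box with `schtasks.exe` and PowerShell 2.0 or later, run from an elevated prompt; the directory whitelist is an assumption, not a rule, so a `[CHECK]` mark means "look at this", not "this is malware".

```powershell
# Added example: audit the two relaunch paths the thread discusses,
# registry Run keys and scheduled tasks. Not from the original post.

$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed "normal" roots for an autostart executable. Anything outside these
# (including a bare name like rundll32.exe with no directory) gets flagged.
$trustedRoots = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) |
  Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

function Test-Suspicious([string]$command) {
  if (-not $command) { return $false }
  # Extract the executable from  "C:\dir\app.exe" /arg  or  C:\dir\app.exe /arg
  $exe = if ($command -match '^\s*"([^"]+)"') { $Matches[1] }
         else { ($command.Trim() -split '\s+')[0] }
  $exe = [Environment]::ExpandEnvironmentVariables($exe).ToLowerInvariant()
  foreach ($root in $trustedRoots) {
    if ($exe.StartsWith($root)) { return $false }
  }
  return $true
}

Write-Host '== Registry Run / RunOnce values =='
foreach ($key in $runKeys) {
  if (-not (Test-Path -Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
    $flag = if (Test-Suspicious $p.Value) { '[CHECK]' } else { '   ok  ' }
    '{0} {1}\{2} = {3}' -f $flag, $key, $p.Name, $p.Value
  }
}

Write-Host '== Scheduled tasks =='
# Verbose CSV output carries the command line in the "Task To Run" column.
# Older schtasks versions repeat the header row, so drop those rows too.
schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
  Where-Object {
    $_.TaskName -ne 'TaskName' -and
    $_.'Task To Run' -and $_.'Task To Run' -ne 'N/A'
  } |
  ForEach-Object {
    $flag = if (Test-Suspicious $_.'Task To Run') { '[CHECK]' } else { '   ok  ' }
    '{0} {1} -> {2}' -f $flag, $_.TaskName, $_.'Task To Run'
  }
```

Run it before and after the manual removal: a task that survives the cleanup, or a Run value that reappears after a reboot, tells you the relaunch mechanism is still in place.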
Majestic
Very cool stuff. I enjoyed how detailed it was. Pet peeve is when folks don’t include enough info when they make videos or write articles etc…, but this was well done!
Thanks Bryce!!!
The “keyfinder” is reported as a virus – but it is NOT a virus.
Nice podcast. You explained it really well. This will definitely save time when removing small viruses as you do not have to install an antivirus.
Manual removal is the way to go. For me it seems to go faster if you just nip it in the butt yourself.
Thanks for the podcast! I was trying to explain to a friend how to do exactly that, but doing this over Skype, not being able to actually point her in the right direction, proved to be HARD. Hopefully she'll manage now, with your help! :)
Hi! I love this site. Thanks so much for all your information. I find it so helpful. I have a tech support business in Calgary, Alberta, Canada and do a lot of spyware and virus removal. I've been using Malwarebytes, SDFix and ComboFix, which are quite effective. I like AVG but find it doesn't do too well with some of the worst spyware. It's better in tandem with some of the more potent anti-spyware.
Anyway, this video really helps me put it all together and take anti-malware to a higher level.
Thanks again!
Bryce,
Very nice video. I tend to follow about the exact same steps. I just wanted to leave a comment for anyone fighting any of the various scareware apps such as Antivirus 2009, Spyguard 2008, MS Antispyware 2009, or Antivirus 360. All of these programs stem from the trojan Virtumonde, which is a rootkit.
My wife's laptop was recently (Friday) infected with MS Antispyware 2009. After doing just about exactly what Bryce did, I still saw some funny activity, such as Malwarebytes not running and Firefox randomly closing. I ran ComboFix, which detected the DLL files from the rootkit. ComboFix at this point wants to reboot in order to delete the malicious DLLs.
After a reboot and ComboFix trashing the DLLs, I was able to run Malwarebytes and finish cleaning the laptop.
I hope this helps someone in the future.
Bryce, I have just found this site and I have to say, it is refreshing to find someone on the same knowledge level. I would enjoy chatting with you further if you could e-mail me sometime. caleyDOTw AT gmail DOT COM
Excellent podcast Bryce. Keep up the good work. I think these podcasts are a fantastic addition to the site. Well done.
Great work on the video and the website. I have learned from areas on this site and in return wish to share some knowledge of mine in this area. You are missing a lot of info on techniques that modern malware might incorporate; perhaps too much to include in the video. I just wanted to point out a few things if you and your readers will lend me your ear.
Wow, I've not known anyone but myself to check the file modified dates in \windows and system32. But two things: 1. Also check system32\drivers; you can flush out some malware that installs itself as a driver here a lot easier than by peering into the registry or via a 3rd party util. 2. Some malware, while having a file with the most recent date, will create copies of itself with random date/time stamps or stamps matching other Windows core files. It can be time consuming, but you can cross-reference each malware file you find via the time/date stamp method by then sorting by size and checking file size down to the byte.
Also, many times malware can modify a core Windows file (e.g. userinit.exe) or replace it entirely with its own code. SFC may be of some help; other times you'll find yourself comparing file versions. (I've never seen malware spoof company info in the file, though I would expect to any day.)
Of course the previously mentioned Program Files is a given.
But then there's the registry. Even autoruns.exe won't find the Windows value in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems, which can sometimes contain some malware spoof like basesrv64.dll or some other such nonsense, many times putting a 32 or 64 on the end of an otherwise legitimate file name, as seen in other areas.
Additionally, there is one easy way to constantly reinfect. The default value of HKCR\exefile\shell\open\command is normally "%1" %* (%1 runs the file, %* passes any parameters you pass to the exe); it can be replaced by, say, "%1" "C:\windows\system32\killer.exe" %* or anything like that. This way, each time you (or Windows) start a new EXE, the killer app is launched. This can also happen with .COM, .CMD, .BAT, and .REG files (for importing, which normally contain regedit.exe %1 as a value), among other keys. You can prepare a registry file to merge containing default entries for these keys, but again, if either the exefile or regfile key is infected you are SOL unless you load the registry from another machine, a Linux boot CD, or a WinPE-based boot CD (which is how I prefer to work if time allows, so that I don't have anything hidden from normal tools via a rootkit). Also worthy of note is that Reglite from Resplendence has an amazing ability to see things rootkits and other restricted keys hide, unlike any other 3rd party registry editor. Regdelnull is a good util to use in a batch file and……
Well, there's just so much to cover with the registry….
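The three checks in the comment above (recent and same-size files under \Windows, System32 and System32\drivers; the shell\open\command values for executable and .reg file types; and the ServerDll entries in the Session Manager SubSystems "Windows" value) can be scripted. The following is an added example, not the commenter's or Bryce's code. The "expected" command strings and the list of known CSRSS server DLLs (basesrv, winsrv, sxssrv) are assumptions taken from clean XP/Vista/7 installs and may differ slightly on other versions, so treat a mismatch as something to look at rather than proof of infection. Run it elevated; PowerShell 2.0 or later.

```powershell
# Added example: file-date/size audit, shell\open\command hijack check, and
# SubSystems ServerDll check. Not from the original post.

# 1. Files written recently in the directories the comment names.
$dirs = "$env:SystemRoot", "$env:SystemRoot\System32", "$env:SystemRoot\System32\drivers"
$windowDays = 7   # assumption: adjust to when the infection happened

$recent = foreach ($d in $dirs) {
  Get-ChildItem -Path $d -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt (Get-Date).AddDays(-$windowDays) }
}
Write-Host "== Files written in the last $windowDays days =="
$recent | Sort-Object LastWriteTime -Descending |
  Format-Table LastWriteTime, Length, FullName -AutoSize

# A copy with a forged timestamp still has the same byte count as the original,
# so list every other file whose size exactly matches a recent file.
$sizes = @($recent | ForEach-Object { $_.Length } | Select-Object -Unique)
$recentPaths = @($recent | ForEach-Object { $_.FullName })
Write-Host '== Other files with exactly the same size as a recent file =='
foreach ($d in $dirs) {
  Get-ChildItem -Path $d -ErrorAction SilentlyContinue |
    Where-Object {
      -not $_.PSIsContainer -and $sizes -contains $_.Length -and $recentPaths -notcontains $_.FullName
    } |
    Format-Table LastWriteTime, Length, FullName -AutoSize
}

# 2. shell\open\command hijacks. Patterns are assumed clean-install defaults.
$expected = @{
  'exefile' = '^"%1" %\*$'
  'comfile' = '^"%1" %\*$'
  'batfile' = '^"%1" %\*$'
  'cmdfile' = '^"%1" %\*$'
  'regfile' = '^regedit\.exe "?%1"?$'
}
Write-Host '== shell\open\command default values =='
foreach ($type in $expected.Keys) {
  $key = "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command"
  $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
  $flag = if ($val -match $expected[$type]) { '    ok     ' } else { '[HIJACKED?]' }
  '{0} {1}: {2}' -f $flag, $type, $val
}

# 3. Session Manager SubSystems "Windows" value: every ServerDll= entry that is
# not one of the known CSRSS server DLLs (e.g. a planted basesrv64.dll) is flagged.
$known = 'basesrv', 'winsrv', 'sxssrv'   # assumption: known-good set
$sub = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
Write-Host '== SubSystems\Windows ServerDll entries =='
# Entries look like ServerDll=basesrv,1 or ServerDll=winsrv:UserServerDllInitialization,3
foreach ($m in [regex]::Matches($sub.Windows, 'ServerDll=([^,:\s]+)')) {
  $dll  = $m.Groups[1].Value
  $name = (($dll -split '[\\/]')[-1] -replace '\.dll$', '').ToLowerInvariant()
  $flag = if ($known -contains $name) { '   ok  ' } else { '[CHECK]' }
  '{0} {1}' -f $flag, $dll
}
```

If the exefile value is hijacked, remember that running any .exe, including this script's host if launched via a shortcut to powershell.exe, goes through that value first; the comment's advice to fix it from a boot CD or by loading the hive on another machine applies.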
continued…
Also, a great trick to remove files loaded by winlogon.exe (from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify) is to terminate winlogon.exe, because sometimes you can't remove the file handles it holds to the malware. Unfortunately, terminating winlogon.exe will crash your system with a blue screen. So first terminate smss.exe, THEN terminate winlogon.exe, and problem solved. Better terminate explorer.exe too for its handles to other potential malware, and you might as well use a 3rd party file manager.
You can get around all file/directory/registry permissions by using a WinPE-based boot CD, but if you don't want to go that route, you can try my own completely free no-ad/no-nag app GetSystem.exe from FoolishIT.com, which launches an application under SYSTEM rights. It can also launch explorer.exe as a shell. SYSTEM rights are essentially better than administrator rights, ignoring permissions for one thing… Note my website is probably down right now; I just revamped it, moved it, etc. etc., but try back later.
As for the person commenting on using safe mode, in my experience that's only good for stopping network activity. Some malware will implant itself as a service, of course, but sometimes it will also start in safe mode (yes, services can start in safe mode; for a list of which ones do, check HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal, and HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network for Safe Mode with Networking). These are pointers to the service names back in HKLM\SYSTEM\CurrentControlSet\Services.
That’s about all I have time for at the moment. Just some things to think about. Keep up the great work!
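The comment above names two places worth reading directly: the SafeBoot\Minimal and SafeBoot\Network lists (which point back to HKLM\SYSTEM\CurrentControlSet\Services and decide what still starts in Safe Mode) and the Winlogon\Notify packages. The script below is an added example, not the commenter's code, that resolves each SafeBoot entry to its service's ImagePath, marks images that are missing or live outside \Windows, and lists the Notify DLLs. It assumes PowerShell 3.0+ run elevated; Winlogon\Notify only exists on XP/2003, so that section simply prints nothing on later versions. The "outside \Windows is suspicious" rule is an assumption for triage, not a verdict.

```powershell
# Added example: what Windows will still start in Safe Mode, plus Winlogon
# Notify packages. Not from the original post.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Turn an ImagePath / DLLName value into an absolute file path. Handles
# "C:\quoted path\x.exe" args, %SystemRoot%\..., \??\C:\..., \SystemRoot\...,
# SystemRoot-relative (system32\drivers\x.sys) and bare names (crypt32.dll).
function Get-ImageFile([string]$value) {
  if (-not $value) { return $null }
  $p = if ($value -match '^\s*"([^"]+)"') { $Matches[1] } else { ($value.Trim() -split '\s+')[0] }
  $p = [Environment]::ExpandEnvironmentVariables($p)
  $p = $p -replace '^\\\?\?\\', ''
  $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
  if ($p -notmatch '\\') { $p = Join-Path "$env:SystemRoot\System32" $p }
  elseif ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
  return $p
}

function Get-SafeBootEntries([string]$listKey) {
  foreach ($entry in Get-ChildItem -Path $listKey -ErrorAction SilentlyContinue) {
    $name = $entry.PSChildName
    # GUID-named subkeys are device setup classes, not services; skip them.
    if ($name -match '^\{[0-9A-Fa-f-]+\}$') { continue }
    $kind = (Get-ItemProperty -Path $entry.PSPath).'(default)'   # "Service" or "Driver"
    $svc  = Get-ItemProperty -Path "$servicesKey\$name" -ErrorAction SilentlyContinue
    $image = if ($svc) { $svc.ImagePath } else { $null }
    $file  = Get-ImageFile $image
    $exists = [bool]($file -and (Test-Path -LiteralPath $file))
    $inWin  = [bool]($file -and $file.ToLowerInvariant().StartsWith($env:SystemRoot.ToLowerInvariant()))
    $flag = if (-not $svc) { '[NO SVC KEY]' }
            elseif (-not $exists) { '[MISSING]   ' }
            elseif (-not $inWin) { '[OUTSIDE]   ' }
            else { '     ok     ' }
    [pscustomobject]@{
      Flag  = $flag
      List  = Split-Path -Path $listKey -Leaf
      Entry = $name
      Kind  = $kind
      Image = if ($image) { $image } else { '<none>' }
    }
  }
}

$rows = @()
$rows += Get-SafeBootEntries 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
$rows += Get-SafeBootEntries 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
Write-Host '== SafeBoot entries resolved against Services =='
$rows | Sort-Object Flag, List, Entry | Format-Table -AutoSize

Write-Host '== Winlogon\Notify packages (XP/2003 only) =='
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
foreach ($pkg in Get-ChildItem -Path $notifyKey -ErrorAction SilentlyContinue) {
  $dll  = (Get-ItemProperty -Path $pkg.PSPath).DLLName
  $file = Get-ImageFile $dll
  $flag = if ($file -and (Test-Path -LiteralPath $file)) { '   ok    ' } else { '[MISSING]' }
  '{0} {1} -> {2}' -f $flag, $pkg.PSChildName, $dll
}
```

An entry in SafeBoot\Minimal whose ImagePath points at a file under Program Files or a user profile is exactly the case the comment describes: the service will load in Safe Mode too, so scanning there buys nothing against it. A Notify package whose DLL is missing is usually leftover from a removal and just needs the subkey deleted.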
Bryce… are you 100% sure you don't have to restart the computer after turning off System Restore in order for the computer to delete the past "snapshots" of the computer? That's what I do: turn System Restore off, then reboot, then after the reboot turn it back on.
And great video podcast!! enjoy your site very much!