
How To Manually Remove Malware

landbeforetimelover
Well, I thought I'd give an in-depth tutorial on how to deal with pesky malware.  Malware is basically everything malicious, including Viruses, Spyware, Adware, Worms, Trojan Horses, and Hijackers.  There's a little secret to removing these things pretty easily.  Now this won't work on the SUPER DUPER bad ones, but this will remove about 95% of all malware.  I just had a client come in with "SuperNodAntiVirus" or something like that.  The thing was a real b****.  But this method was able to get it off.  I was surprised actually.  Anyway, on with the tutorial.

1.  Back up your system.  You can really screw something up if you do the wrong thing here, so make sure you perform an entire system backup before doing this!

2.  Download AutoRuns.  AutoRuns is a more advanced version of MSConfig.  It's very useful when stopping malware from booting with the computer.  After downloading, put it on the desktop of the infected computer.

3.  Boot into Safe-Mode.  In Safe-Mode, most malware won't load enough to be able to stop your attempts to remove them.  You can boot into Safe-Mode by hitting the F8 key before the Windows boot screen (where it says "Windows XP" or another OS).

4.  Open the AutoRuns folder and start Autoruns.exe.  Once the program is started, check the following under the Options menu:

     *Include empty locations
     *Verify Code Signatures
     *Hide Signed Microsoft Entries

Press the F5 key to refresh the lists

5.  Now comes the hard part.  Now you have to figure out where the little sucker(s) are hiding.  Look under the Logon and Services tabs first.  It'll usually be under there.  But make sure to look elsewhere too.  Delete anything that looks suspicious.  You can only delete startup PROGRAMS.  You can't delete registry entries that easily.  But before you delete these suspicious things, WRITE DOWN THE DIRECTORY where they're at so you can manually delete them later!  Now I'm sure you're wondering how you know what to delete.  Look in the directory that it's in.  Is it under the "Program Files" directory?  If so, it's probably a legitimate program.  Also look at whether the program is verified.  Beware that many Intel programs are NOT verified.  I wouldn't delete anything that says it's Intel.

6.  Now it's time to delete the sucker(s).  Reboot your computer normally.  The malware should appear gone.  If it's not, repeat steps 3-5 and remove more suspicious stuff.  If it does appear to be gone, navigate to the directory/directories that you wrote down and manually delete the files.  Once this is done, the malware should be GONE!

This is a general report from the AutoRuns program on my master laptop.  It doesn't have a lot on it, so it's a perfect example.  Don't worry if this looks confusing.  It's a lot more user friendly in the regular mode of the program:

Code:
"HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms"   ""   ""   ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup"   ""   ""   ""
"HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup"   ""   ""   ""
"HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon"   ""   ""   ""
"HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon"   ""   ""   ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"   ""   ""   ""
"HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown"   ""   ""   ""
"HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff"   ""   ""   ""
"HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logoff"   ""   ""   ""
"HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"   ""   ""   ""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"   ""   ""   ""
"HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown"   ""   ""   ""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown"   ""   ""   ""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell"   ""   ""   ""
"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"   ""   ""   ""
"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell"   ""   ""   ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"   ""   ""   ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman"   ""   ""   ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce"   ""   ""   ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx"   ""   ""   ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run"   ""   ""   ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"   ""   ""   ""
+ "AVG9_TRAY"   "AVG Tray Monitor"   "(Verified) AVG Technologies"   "c:\program files\avg\avg9\avgtray.exe"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx"   ""   ""   ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"   ""   ""   ""
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"   ""   ""   ""
"C:\Users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"   ""   ""   ""
"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load"   ""   ""   ""
"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run"   ""   ""   ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"   ""   ""   ""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"   ""   ""   ""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"   ""   ""   ""
+ "Google Update"   "Google Installer"   "(Verified) Google Inc"   "c:\users\appdata\local\google\update\googleupdate.exe"
+ "RocketDock"   ""   ""   "c:\program files\rocketdock\rocketdock.exe"
+ "WordWeb"   "WordWeb Thesaurus/Dictionary"   "(Verified) WordWeb Software"   "c:\program files\wordweb\wweb32.exe"
"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"   ""   ""   ""
"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce"   ""   ""   ""
"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx"   ""   ""   ""
"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run"   ""   ""   ""
"HKCU\SOFTWARE\Classes\Protocols\Filter"   ""   ""   ""
"HKLM\SOFTWARE\Classes\Protocols\Filter"   ""   ""   ""
"HKCU\SOFTWARE\Classes\Protocols\Handler"   ""   ""   ""
"HKLM\SOFTWARE\Classes\Protocols\Handler"   ""   ""   ""
+ "linkscanner"   "Safe Search pluggable protocol"   "(Verified) AVG Technologies"   "c:\program files\avg\avg9\avgpp.dll"
"HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components"   ""   ""   ""
"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"   ""   ""   ""
"HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components"   ""   ""   ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"   ""   ""   ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"   ""   ""   ""
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"   ""   ""   ""
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"   ""   ""   ""
"HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers"   ""   ""   ""
"HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers"   ""   ""   ""
+ "AVG9 Shell Extension"   "AVG Shell Extension"   "(Verified) AVG Technologies"   "c:\program files\avg\avg9\avgse.dll"
+ "WinRAR"   ""   ""   "c:\program files\winrar\rarext.dll"
"HKCU\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers"   ""   ""   ""
"HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers"   ""   ""   ""
"HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers"   ""   ""   ""
"HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers"   ""   ""   ""
+ "WinRAR"   ""   ""   "c:\program files\winrar\rarext.dll"
"HKCU\Software\Classes\Directory\Shellex\DragDropHandlers"   ""   ""   ""
"HKLM\Software\Classes\Directory\Shellex\DragDropHandlers"   ""   ""   ""
+ "WinRAR"   ""   ""   "c:\program files\winrar\rarext.dll"
"HKCU\Software\Classes\Directory\Shellex\PropertySheetHandlers"   ""   ""   ""
"HKLM\Software\Classes\Directory\Shellex\PropertySheetHandlers"   ""   ""   ""
"HKCU\Software\Classes\Directory\Shellex\CopyHookHandlers"   ""   ""   ""
"HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers"   ""   ""   ""
"HKCU\Software\Classes\Folder\Shellex\ColumnHandlers"   ""   ""   ""
"HKLM\Software\Classes\Folder\Shellex\ColumnHandlers"   ""   ""   ""
"HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers"   ""   ""   ""
"HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers"   ""   ""   ""
+ "AVG9 Shell Extension"   "AVG Shell Extension"   "(Verified) AVG Technologies"   "c:\program files\avg\avg9\avgse.dll"
+ "WinRAR"   ""   ""   "c:\program files\winrar\rarext.dll"
"HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers"   ""   ""   ""
"HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers"   ""   ""   ""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers"   ""   ""   ""
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers"   ""   ""   ""
"HKCU\Software\Microsoft\Ctf\LangBarAddin"   ""   ""   ""
"HKLM\Software\Microsoft\Ctf\LangBarAddin"   ""   ""   ""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved"   ""   ""   ""
"HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved"   ""   ""   ""
+ "AVG Shell Extension"   "AVG Shell Extension"   "(Verified) AVG Technologies"   "c:\program files\avg\avg9\avgse.dll"
+ "WinRAR shell extension"   ""   ""   "c:\program files\winrar\rarext.dll"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"   ""   ""   ""
+ "AVG Safe Search"   "Safe Search for Internet Explorer"   "(Verified) AVG Technologies"   "c:\program files\avg\avg9\avgssie.dll"
"HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks"   ""   ""   ""
"HKLM\Software\Microsoft\Internet Explorer\Toolbar"   ""   ""   ""
"HKCU\Software\Microsoft\Internet Explorer\Explorer Bars"   ""   ""   ""
"HKLM\Software\Microsoft\Internet Explorer\Explorer Bars"   ""   ""   ""
"HKCU\Software\Microsoft\Internet Explorer\Extensions"   ""   ""   ""
"HKLM\Software\Microsoft\Internet Explorer\Extensions"   ""   ""   ""
"Task Scheduler"   ""   ""   ""
+ "\GoogleUpdateTaskUserS-1-5-21-1865384281-1464315999-2808358729-1000Core"   "Google Installer"   "(Verified) Google Inc"   "c:\users\appdata\local\google\update\googleupdate.exe"
+ "\GoogleUpdateTaskUserS-1-5-21-1865384281-1464315999-2808358729-1000UA"   "Google Installer"   "(Verified) Google Inc"   "c:\users\appdata\local\google\update\googleupdate.exe"
+ "\Microsoft\Windows\Media Center\MediaCenterRecoveryTask"   ""   ""   ""
+ "\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask"   ""   ""   ""
+ "\Microsoft\Windows\Media Center\PvrScheduleTask"   ""   ""   ""
+ "\Microsoft\Windows\Media Center\SqlLiteRecoveryTask"   ""   ""   ""
X "\Microsoft\Windows\User Profile Service\HiveUploadTask"   ""   ""   ""
+ "\Microsoft\Windows\Windows Media Sharing\UpdateLibrary"   ""   ""   ""
"HKLM\System\CurrentControlSet\Services"   ""   ""   ""
+ "avg9emc"   "AVG E-Mail Scanner"   "(Verified) AVG Technologies"   "c:\program files\avg\avg9\avgemc.exe"
+ "avg9wd"   "AVG Watchdog Service"   "(Verified) AVG Technologies"   "c:\program files\avg\avg9\avgwdsvc.exe"
+ "Cepstral License Server"   "Concurrency License Server for Cepstral Voices"   "(Not verified) Cepstral, LLC"   "c:\program files\cepstral\bin\cepstrallicsrv.exe"
"HKLM\System\CurrentControlSet\Services"   ""   ""   ""
+ "AvgLdx86"   "AVG AVI Loader Driver"   "(Verified) AVG Technologies"   "c:\windows\system32\drivers\avgldx86.sys"
+ "AvgMfx86"   "AVG Resident Shield Minifilter Driver"   "(Verified) AVG Technologies"   "c:\windows\system32\drivers\avgmfx86.sys"
+ "AvgTdiX"   "AVG Network connection watcher"   "(Verified) AVG Technologies"   "c:\windows\system32\drivers\avgtdix.sys"
"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Drivers32"   ""   ""   ""
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32"   ""   ""   ""
"HKCU\Software\Classes\Filter"   ""   ""   ""
"HKLM\Software\Classes\Filter"   ""   ""   ""
"HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance"   ""   ""   ""
+ "QTSrc"   ""   ""   "c:\windows\system32\aveqt.dll"
+ "RealAudio Decoder"   ""   ""   "c:\windows\system32\averm.dll"
+ "RealMedia Source"   ""   ""   "c:\windows\system32\averm.dll"
+ "RealMedia Splitter"   ""   ""   "c:\windows\system32\averm.dll"
+ "RealVideo Decoder"   ""   ""   "c:\windows\system32\averm.dll"
"HKLM\Software\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance"   ""   ""   ""
"HKLM\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance"   ""   ""   ""
"HKLM\Software\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance"   ""   ""   ""
"HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute"   ""   ""   ""
"HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute"   ""   ""   ""
"HKLM\System\CurrentControlSet\Control\Session Manager\Execute"   ""   ""   ""
"HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand"   ""   ""   ""
"HKLM\System\CurrentControlSet\Control\ServiceControlManagerExtension"   ""   ""   ""
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"   ""   ""   ""
"HKLM\Software\Microsoft\Command Processor\Autorun"   ""   ""   ""
"HKCU\Software\Microsoft\Command Processor\Autorun"   ""   ""   ""
"HKCU\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)"   ""   ""   ""
"HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)"   ""   ""   ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls"   ""   ""   ""
+ "avgrsstx.dll"   "AVG Resident Shield Starter"   "(Verified) AVG Technologies"   "c:\windows\system32\avgrsstx.dll"
"HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls"   ""   ""   ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System"   ""   ""   ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost"   ""   ""   ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers"   ""   ""   ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters"   ""   ""   ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers"   ""   ""   ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"   ""   ""   ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL"   ""   ""   ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman"   ""   ""   ""
"HKCU\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe"   ""   ""   ""
"HKCU\Control Panel\Desktop\Scrnsave.exe"   ""   ""   ""
"HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath"   ""   ""   ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SaveDumpStart"   ""   ""   ""
"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries"   ""   ""   ""
"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries"   ""   ""   ""
"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors"   ""   ""   ""
"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders"   ""   ""   ""
"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages"   ""   ""   ""
"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages"   ""   ""   ""
"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages"   ""   ""   ""
"HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order"   ""   ""   ""
"C:\Users\AppData\Local\Microsoft\Windows Sidebar\Settings.ini"   ""   ""   ""

Notice that the only program that's not verified is Cepstral?  That's because it's a company that's not very well-known, so they're not verified by Microsoft.  They create speech synthesis programs.  Just look at the programs that aren't verified carefully and you'll soon find the culprit (There's no culprit on my laptop at the moment).

Well, I hope this helps some of you.  Please make sure you know what you're deleting before you delete it though.  Unfortunately, CastleCops is down so I can't point you to any resources at the moment.  I'm still trying to find a new directory of common startup programs so I won't delete anything I need. :(

EDIT:
I should mention that this method will NOT work on a computer infected with Rootkits.  To remove Rootkits, try this FREE software:

http://www.antirootkit.com/software/Panda-...otkit-Tucan.htm

If you try this method and you really can't get the sucker off of there, try scanning for Rootkits.
« Last Edit: January 22, 2021, 05:01:01 AM by landbeforetimelover »
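The triage in step 5 of the post above (look at the signer column, look at where the image lives, write down the path before you delete the entry) can be done over a saved Autoruns listing instead of by eye. The script below is an added example; it is not code from the post and not part of Sysinternals Autoruns. It assumes the four-column quoted text format shown in the post (name, description, signer, image path, with "+" marking an enabled entry and "X" a disabled one), a system drive of C:, and the 32-bit "Program Files" layout of that era; the sample listing inside it is constructed from lines in the post's own output. Two caveats a practitioner would add: the signer column only means something if "Verify Code Signatures" was switched on before the listing was saved, and a "(Verified)" signature tells you who signed the file, not that the file is harmless, so this ranks entries for a human to look at rather than deciding anything.

```python
"""Rank the entries of a saved Autoruns listing by the post's rules of thumb.

Added example, not code from the original post or from Autoruns itself.
Rules applied, in the post's own terms:
  - enabled entries that are "(Verified)" are treated as legitimate and skipped
  - anything else is a candidate; an unverified entry under "Program Files" is
    "low" priority, one under the Windows tree "medium", anywhere else "high"
  - the image path is kept with every candidate, since that is the directory
    the post says to write down before the startup entry is removed
"""
import re
from dataclasses import dataclass
from typing import Optional

# One line of the listing: optional "+ " (enabled) or "X " (disabled) marker,
# then four double-quoted fields (name, description, signer, image path)
# separated by runs of spaces. Location headers have the same shape with the
# last three fields empty and no marker.
LINE_RE = re.compile(
    r'^(?:(?P<state>[+X]) )?'
    r'"(?P<name>[^"]*)"\s+"(?P<desc>[^"]*)"\s+"(?P<signer>[^"]*)"\s+"(?P<path>[^"]*)"$'
)

# Assumed directory layout (C: system drive, 32-bit Program Files).
PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
WINDOWS_DIR = "c:\\windows\\"
PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Entry:
    location: str      # registry key, folder or "Task Scheduler" header it sits under
    name: str
    description: str
    signer: str        # "(Verified) X", "(Not verified) X", or "" when unsigned
    path: str          # image path; may be empty for some scheduled tasks
    enabled: bool      # "+" in the listing; "X" means the entry is disabled

    @property
    def verified(self) -> bool:
        return self.signer.startswith("(Verified)")


def parse_autoruns(text: str) -> list:
    """Parse the saved listing into Entry objects, tracking the current location."""
    entries = []
    location = ""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                       # blank or non-data line
        f = m.groupdict()
        if f["state"] is None:             # header naming the autostart location
            location = f["name"]
            continue
        entries.append(Entry(location, f["name"], f["desc"], f["signer"],
                             f["path"], f["state"] == "+"))
    return entries


def priority(entry: Entry) -> Optional[str]:
    """None means 'leave it alone'; otherwise how closely the post says to look."""
    if not entry.enabled or entry.verified:
        return None
    p = entry.path.lower()
    if p.startswith(PROGRAM_DIRS):
        return "low"                       # unverified, but under Program Files
    if p.startswith(WINDOWS_DIR):
        return "medium"                    # unverified and sitting in the Windows tree
    return "high"                          # unverified and somewhere else entirely


def triage(entries: list) -> list:
    """Return (entry, priority) pairs for every candidate, highest priority first."""
    flagged = []
    for e in entries:
        pr = priority(e)
        if pr is not None:
            flagged.append((e, pr))
    return sorted(flagged, key=lambda ep: PRIORITY_RANK[ep[1]])   # stable: listing order within a rank


def report(entries: list) -> str:
    """One line per candidate: priority, name, path to write down, and its location."""
    return "\n".join(
        f"[{pr:6}] {e.name!r:32} {e.path or '(no image path)'}  <- {e.location}"
        for e, pr in triage(entries)
    )


# Constructed sample in the listing format, assembled from lines of the post's
# own output (including a disabled scheduled task that has no image path).
SAMPLE = r'''
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"   ""   ""   ""
+ "AVG9_TRAY"   "AVG Tray Monitor"   "(Verified) AVG Technologies"   "c:\program files\avg\avg9\avgtray.exe"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"   ""   ""   ""
+ "Google Update"   "Google Installer"   "(Verified) Google Inc"   "c:\users\appdata\local\google\update\googleupdate.exe"
+ "RocketDock"   ""   ""   "c:\program files\rocketdock\rocketdock.exe"
"Task Scheduler"   ""   ""   ""
X "\Microsoft\Windows\User Profile Service\HiveUploadTask"   ""   ""   ""
"HKLM\System\CurrentControlSet\Services"   ""   ""   ""
+ "Cepstral License Server"   "Concurrency License Server for Cepstral Voices"   "(Not verified) Cepstral, LLC"   "c:\program files\cepstral\bin\cepstrallicsrv.exe"
"HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance"   ""   ""   ""
+ "QTSrc"   ""   ""   "c:\windows\system32\aveqt.dll"
'''

if __name__ == "__main__":
    print(report(parse_autoruns(SAMPLE)))
```

Run against the sample, the two AVG and Google entries drop out because they are verified, the disabled HiveUploadTask is ignored, and the three remaining entries come back as QTSrc (unsigned DLL under system32, "medium"), then RocketDock and the Cepstral license server ("low", unverified but under Program Files). To use it on a real machine, save the Autoruns listing as text with "Verify Code Signatures" enabled and feed that file to parse_autoruns instead of SAMPLE.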