
Welcome to PcCare.com

Free Virus Removal


Work through the steps below in order until each of the virus removal programs has run and the infection has been removed from your computer.


Step 1:
Download Kaspersky Rescue Disk 10 and create a bootable rescue CD/DVD or USB drive from it. If your computer is too badly infected to download anything, use a friend's computer. Kaspersky supplies a file named kav_rescue_10.iso; it must be written to a CD/DVD or USB drive as a disc image. Follow the creation instructions closely: copying the .iso file onto a disc as an ordinary file and pressing Write will not produce a bootable disc (see Bootable CD/DVD creation). Boot the infected computer from the rescue media (see Boot from CD/DVD), download the latest virus definitions (not necessary if you have just created the disc) and run its antivirus utility.

Step 2:
Check your system's Security event log: Start -> right-click Computer -> Manage -> Event Viewer -> Windows Logs -> Security. Filter for Audit Failure entries with Event ID 5038 and the message "Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error." Each such event names the affected file, for example \Device\HarddiskVolume2\Windows\System32\drivers\NisDrvWFP.sys (note that this is the NT device path, not a drive letter). If any are found, keep a list of them; they will be repaired or renamed in the next steps.



Step 3:
Boot from the operating system disc shipped with your computer (see Boot from CD or DVD) and open a command prompt from the recovery options.
Run Microsoft's System File Checker in offline mode: sfc /scannow /OFFBOOTDIR=c:\ /OFFWINDIR=c:\windows
When booted from installation media the installed Windows volume is not always C:; check with dir and adjust both paths if necessary.

SFC normally repairs any damaged files it finds. If it reports files it could not repair, open the log at %windir%\Logs\CBS\CBS.log (from the recovery command prompt that is the offline system's c:\windows\Logs\CBS\CBS.log, not the X: drive) and look at the lines tagged [SR]. Entries for Windows components and updates contain package names similar to Package_30_for_KB936330~31bf3856ad364e35~x86~~6.0.1.18000.936330-187_neutral_GDR; the KB number in the name (here KB936330) identifies the update that shipped the file.


Step 4:
For any file that could not be repaired, download or locate a replacement. Not all damaged files can be replaced with Microsoft utilities: third-party software installed on your system must be removed and re-installed. Some of the files listed in this step and the one above may be the virus itself. To disable such a file, rename it while still booted from the CD/DVD. If the rename prevents your system from starting normally, boot from the CD/DVD again and rename the file back to its original name.

Sources for replacement Windows files:

Your system's operating system DVD, provided at purchase time.

The latest and previous service packs: Service Pack Center.

The Microsoft Update Catalog: type in the knowledge base number found in the step above (e.g. KB936330) and download the update containing the corrupt DLL or EXE.


Sigcheck run with the -i option also displays the catalog a file was signed through (and its signing chain), which tells you which package to look for; -h adds the file hashes: sigcheck -h -i ntdll.dll
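Steps 2 to 4 leave you with two lists to cross-check by hand: the files the Security log flagged and the files SFC could or could not repair. The following script, an added example written for this page and not a Microsoft or PcCare tool, does that cross-check: it pulls the \Device\HarddiskVolumeN paths out of event text saved from Event Viewer, parses the [SR] lines of CBS.log, collects the KB numbers for the Update Catalog search, and says what Step 4 calls for per flagged file. Both inputs are constructed samples embedded in the script, and the line layouts they imitate are an assumption about what the real tools write; on a real system read the saved event text and c:\windows\Logs\CBS\CBS.log with load_text() and pass their contents to build_worklist().

```python
"""Cross-check Step 2 (Security log 5038 events) against Steps 3 and 4 (SFC's CBS.log).

Added example for this page, not a Microsoft or PcCare tool. The two inputs below are
constructed samples shaped like (a) event text saved from Event Viewer and (b) the
"[SR]" lines System File Checker writes to CBS.log; that layout is an assumption about
the real files. On a real machine, read them from disk with load_text().
"""
import re

# Constructed sample: two Audit Failure events (Event ID 5038) saved as text.
SAMPLE_EVENT_EXPORT = r"""
Audit Failure 5038 Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Windows\System32\drivers\NisDrvWFP.sys
Audit Failure 5038 Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Program Files\Example Vendor\vendorsvc.dll
"""

# Constructed sample of CBS.log. Only the lines tagged [SR] come from SFC; the CBS line
# shows the package naming scheme the KB number for the Update Catalog is taken from.
SAMPLE_CBS_LOG = r"""
2012-03-01 10:02:11, Info                  CSI    00000107 [SR] Verifying 100 (0x0000000000000064) components
2012-03-01 10:02:19, Info                  CSI    0000010a [SR] Cannot repair member file [l:26{13}]"NisDrvWFP.sys" of Microsoft-Windows-Example-Driver, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2012-03-01 10:02:20, Info                  CSI    0000010b [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"oleaut32.dll" from store
2012-03-01 10:02:20, Info                  CSI    0000010c [SR] Repaired file \??\C:\Windows\System32\[l:24{12}]"oleaut32.dll" by copying from backup
2012-03-01 10:02:24, Info                  CSI    0000010e [SR] Cannot repair member file [l:18{9}]"ntdll.dll" of Microsoft-Windows-Example-Core, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2012-03-01 10:02:30, Info                  CBS    Appl: detectUpdate [Package_30_for_KB936330~31bf3856ad364e35~x86~~6.0.1.18000.936330-187_neutral_GDR]
2012-03-01 10:02:31, Info                  CSI    00000110 [SR] Verify complete
"""

# NT device path as written in the 5038 event; spaces are allowed, quotes/parentheses end it.
FLAGGED_PATH = re.compile(r"""\\Device\\HarddiskVolume\d+\\[^\t\r\n"')]+""")
# [SR] Cannot repair member file [l:26{13}]"name" of Component, ... in the store, reason
CANNOT_REPAIR = re.compile(r'\[SR\] Cannot repair member file \[l:\d+\{\d+\}\]"([^"]+)" of ([^,]+),.*?in the store, (.*)$')
REPAIRED = re.compile(r'\[SR\] Repaired file .*?"([^"]+)"')
KB_PACKAGE = re.compile(r'Package_\d+_for_KB(\d+)~')

ACTIONS = {
    "REPAIRED": "repaired by SFC; confirm no new 5038 events appear after reboot",
    "REPLACE": "SFC could not repair it; replace from the OS DVD, a service pack or the Update Catalog, or rename it",
    "THIRD_PARTY": "not in SFC's results; reinstall the third-party product, or rename the file if it is suspected malware",
}


def load_text(path):
    """Read a log or export from disk: Event Viewer text saves are UTF-16 with a BOM, CBS.log is not."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def extract_flagged_paths(event_text):
    """Return the device paths named in the 5038 events, deduplicated, in order of appearance."""
    paths = []
    for path in FLAGGED_PATH.findall(event_text):
        path = path.rstrip(". ")
        if path not in paths:
            paths.append(path)
    return paths


def parse_sfc_results(cbs_text):
    """Split SFC's [SR] lines into files it could not repair, files it repaired, and KB numbers seen."""
    unrepaired, repaired, kbs = {}, [], set()
    for line in cbs_text.splitlines():
        m = CANNOT_REPAIR.search(line)
        if m:
            unrepaired[m.group(1)] = (m.group(2).strip(), m.group(3).strip())  # component, reason
            continue
        m = REPAIRED.search(line)
        if m:
            repaired.append(m.group(1))
            continue
        m = KB_PACKAGE.search(line)
        if m:
            kbs.add("KB" + m.group(1))
    return {"unrepaired": unrepaired, "repaired": repaired, "kb_packages": sorted(kbs)}


def build_worklist(event_text, cbs_text):
    """One (path, action code) row per file flagged in the event log; codes are keys of ACTIONS."""
    sfc = parse_sfc_results(cbs_text)
    repaired = {name.lower() for name in sfc["repaired"]}
    unrepaired = {name.lower() for name in sfc["unrepaired"]}
    rows = []
    for path in extract_flagged_paths(event_text):
        name = path.rsplit("\\", 1)[-1].lower()   # the event gives a device path; SFC logs bare names
        if name in repaired:
            code = "REPAIRED"
        elif name in unrepaired:
            code = "REPLACE"
        else:
            code = "THIRD_PARTY"
        rows.append((path, code))
    return rows


if __name__ == "__main__":
    result = parse_sfc_results(SAMPLE_CBS_LOG)
    print("KB numbers to search in the Update Catalog:", ", ".join(result["kb_packages"]))
    for path, code in build_worklist(SAMPLE_EVENT_EXPORT, SAMPLE_CBS_LOG):
        print(path, "->", ACTIONS[code])
```

The match between the two lists is on the bare file name, because the event names a device path while SFC logs only the member file name; a file that appears in neither SFC list is, by elimination, not one SFC protects and belongs to the third-party branch of Step 4.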

Step 5:
If you can restart the infected computer and download files on it, install and update the following free (or free-trial) virus removal programs:

Malwarebytes: open the Update tab and press the "Check for updates" button before scanning.

Superantispyware: when prompted whether to always check for updates, answer yes.


Step 6:
If you are unable to run or download any programs, restart your PC in Safe Mode with Networking, then download and run the anti-virus programs above.


Step 7:
If "Safe Mode with Networking" fails, download the anti-virus products above on a different computer, one that is not infected. Just download; do not run the installers there. Copy the software to a flash drive or CD, insert it into the infected computer and restart the PC in Safe Mode, this time without networking. Install and run the anti-virus programs from the flash drive or CD. Malwarebytes may report some errors; however, the program should complete successfully.



If you are unable to locate your operating system CD and you have an old Windows XP CD, create a free UBCD4Win boot disc. It contains a large number of virus-fighting tools and uncovers most malware. In particular, run AVPersonal and Spybot; their icons are on the UBCD4Win task bar. ImDisk, a virtual disk driver, is an alternative to UBCD4Win for getting at an infected computer's disk. Be sure to download all current updates before running the scanners and always perform a full scan. Once these anti-virus tools have uncovered and quarantined your virus, open a DOS window and run.

Last: If the above steps have cleaned your computer and your current anti-virus licence has expired, install Microsoft Security Essentials. It is free.



If you are unable to boot, or the above steps failed to remove the virus, repair the master boot record (MBR) and boot sector: Boot record repair and Vista boot sector repair.

Repairing registry permissions

If the above steps fail, continue with the steps below:

Windows PE is free and can be downloaded as part of the Windows AIK (Windows PE). PE does not run every Windows program, but it does run a few free tools that are likely to uncover your virus, including the Microsoft® Windows® Malicious Software Removal Tool.

Sigcheck.exe, a file verification utility, returns different results under PE than under the native operating system. Sigcheck verifies catalog-signed files through the catalog store in C:\Windows\System32\catroot2; when run under PE it consults PE's own catroot directory instead, so files that are correctly signed on the installed system are reported as unverified. Be sure to point the switch that takes a catalog (given as -c here; current Sigcheck releases name a catalog file with -f, so check the usage text of the version you have) at the installed system's matching catroot2 folder.

SATA drivers can be loaded once PE has booted: drvload x:\drivername.inf (substitute the path to the driver's .inf file).

The Microsoft Windows Malicious Software Removal Tool is packaged in a file with a name resembling windows-kb890830-v3.3.exe. When you boot the infected workstation from your PE CD, the system drive points at the CD drive rather than C:, which has the undesirable effect of making windows-kb890830-v3.3.exe try to extract itself onto the CD. To prevent this, append the extract option, windows-kb890830-v3.3.exe /x, and extract to your C: drive. The extracted executable is called mrt.exe; run mrt.exe from the command line.

 

If you still have a virus after running these products, see the section "How to remove these infections manually" of this manual 9 step process.

 

 

Even after the Windows Malicious Software Removal Tool has removed the virus, some registry keys may have been overwritten by it; use the steps below to correct them:

 

If the Malicious Software Removal Tool finds viruses but you still cannot run programs, and you receive messages like "Control Panel rundll32.exe application not found", run the 9th utility (EXE File Association Fix) on this web page: http://www.dougknox.com/xp/file_assoc.htm. It resets the registry keys that allow program execution.

 

If your system logs you off immediately when you try to log on ("Loading your personal settings" followed right away by "Logging off"), follow these steps: http://www.pcreview.co.uk/forums/thread-424416.php

To replace a corrupt dll or exe, see Downloading computer Drivers.  

Certificate verification

 

Visit Microsoft's Malware protection center for detailed list of viruses and recovery procedures.

 

You may have to perform this procedure multiple times; some malware re-installs itself.

 

Disconnect your computer from the network, or run TCPView and close any suspicious connections. This prevents the virus from downloading more malware while you are fixing it.

 

Download and install Process Explorer, or download the full suite of Microsoft's Sysinternals tools here.

Here's what to look for with Process Explorer. Suspicious processes typically:
  • Have no icon
  • Have no description or company name
  • Claim to be Microsoft images but are unsigned
  • Live in the Windows directory
  • Are packed
  • Include strange URLs in their strings
  • Have open TCP/IP endpoints
  • Host suspicious DLLs or services

Where to look:
  • DLLs hosted by rundll32 -> look for the purple colour
  • Menu -> View -> Show Lower Pane -> checked
  • Menu -> View -> Lower Pane View -> DLLs -> checked
  • DLLs hosted by svchost.exe, and EXEs running as Windows services
  • Drivers loaded in the System process

 

List of required startup programs ( BleepingComputer ).

 

If the malware opens popups, drag the popup onto Process Explorer to identify its host process.

If you are not sure whether a process is malware, select it and choose Menu -> Process -> Search Online.
 
Menu -> Options -> Difference Highlight Duration -> set to 9 seconds (the maximum), so that processes that start and exit quickly stay highlighted long enough to be noticed.

Menu -> Options -> Configure Highlighting
  • Take note of the colour for packed images (usually purple): viruses tend to pack themselves to prevent anti-virus tools from reading their strings, URLs and the like.
  • Take note of the colour for new objects (usually light green): a flash of green may indicate a virus starting and stopping while you work.
  • Orange processes are job processes and are not useful for debugging viruses.

Menu -> Options -> Verify Image Signatures -> checked

  • Procexp will then verify the signature of every process image and DLL. Check for anything marked as a Microsoft product without a valid signature.
  • Verification may need network access to check whether the certificate has been revoked; if you disconnected your network, you will need to reconnect for this step (and disconnect again afterwards).

Menu -> View -> Select Columns -> Verified Signer -> checked

 

 


 

When Search Online returns nothing at all for a suspicious process, treat that as a signal in itself:

  • Some viruses use random or changing file names, so an online search for the name finds no data.

 

Malware sometimes hides in DLLs hosted by rundll32. You must check these: the rundll32 process itself shows up as a Microsoft process, digitally signed by Microsoft, but the DLL it is hosting is the malware. If you hover the mouse over a rundll32 entry, Process Explorer displays the hosted DLL with its company name and signer; malware will usually have no such information. If you double-click the entry and look at the Image tab, it will show as not verified.

 

Services can run in their own process or inside svchost.exe; services of the second kind are hosted as DLLs, not as processes of their own. Malware uses svchost to blend in with the other services on the system.

 

Double-click any process and open the Strings tab to check the image for suspicious strings. Packed (purple) images have no identifiable strings on disk; in that case select the Memory radio button at the bottom of the tab, which shows the strings of the unpacked image in memory. Search for http, www and .com to find malware URLs.

 

DLL view also helps find malware hiding in a DLL. Select a process and press the View DLLs button; any packed DLLs show up in purple.

 

The System process in Procexp hosts all the kernel drivers. If you select System and look at its DLL list, it shows every loaded driver. Apply the same checks as above: check that the description field has data and, if it claims to be from Microsoft, check that it is digitally signed.

 

 

What to do with Malware processes

 

Don't terminate them: they will restart. Instead, suspend them; the suspended process or DLL turns grey. Note that suspending a shared svchost.exe instance may hang the system, because legitimate services live in the same process.

 

Record the full path to each malicious exe and dll

 

When all the processes are suspended, then kill them.

 

As you are suspending and killing processes, watch for any new startups (bright green). Viruses usually install nanny processes to restart themselves.

 

Use Autoruns to clean up any startup entries. It has a better interface than HijackThis.

Go to Options and turn on Verify Code Signatures and Hide Microsoft Entries. After you have turned off all the malware entries, refresh to check whether anything has come back: some malware watches the registry keys and puts itself back. If you can't figure out how it is being restored, use Procmon to trace which process is writing the key.

 

Run Autoruns after a normal boot and again after a safe boot, save the entries from each run, and use Autoruns' compare function to see what differs between the two.

 

You should delete all the malware exe and dll's.


Rootkits are malware components that hide their own presence, either in the kernel or by hooking user-mode processes. They can hide files, TCP/IP connections, drivers, anything at all, from every utility you ran above.

 

RootKit forum: www.rootkit.com

 

 

Microsoft advanced debugging tools

 

To remove rootkits, use more than one tool, since each detects a different set of hiding techniques:

 

System virginity tester 

 

GMER

 

Dark Spy anti-rootkit 

 

FSecure Blacklight

 

 

 

After you've run all the above tools, always run sigcheck over the whole system drive:

sigcheck -e -u -s c:\

(-e scans executable images by their header regardless of extension, -u reports only unsigned or unverifiable files, -s recurses into subdirectories.)

  • Be especially alert to any files in the c:\windows directory.
  • Investigate all unsigned images.
  • Delete any file you cannot verify. The extension does not matter: viruses sometimes use .bmp or any other extension, yet inside the file there is an executable header, and Windows will still run it when it is launched by full path or loaded as a DLL. So if sigcheck lists a file with a strange extension such as .txt, it may very well be a virus and should be deleted.
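The "weird extension" rule above is exactly what sigcheck's -e switch implements: it judges a file by its header, not its name. The script below, an added example for this page and not sigcheck or any PcCare tool, shows that check on its own so the reader can see what such a hit is: it reads the MZ stub, follows e_lfanew to the PE signature, and reports PE images whose extension is not one Windows uses for code. It does not verify signatures. The directory it scans is constructed by make_sample_tree(); on a real system point find_disguised_executables() at c:\ or c:\windows. The extension list is an assumption, not a definitive one.

```python
"""Find files that carry an executable (MZ/PE) header under a non-executable extension.

Added example for this page; it is not sigcheck and checks no signatures. It reproduces
the idea behind 'sigcheck -e' (judge a file by its header, not its name). The sample
tree is constructed by make_sample_tree(); point find_disguised_executables() at c:\\
or c:\\windows on a real system.
"""
import os
import struct
import tempfile

# Extensions Windows normally uses for PE images (assumption: a practical, not exhaustive, list).
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv", ".mui", ".efi"}


def is_pe_image(path):
    """True if the file starts with 'MZ' and e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    try:
        with open(path, "rb") as f:
            dos_header = f.read(64)
            if len(dos_header) < 64 or dos_header[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", dos_header, 0x3C)[0]
            if e_lfanew < 64 or e_lfanew > 0x10000:   # reject nonsensical offsets
                return False
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:      # locked or unreadable file; in real use list these separately
        return False


def find_disguised_executables(root):
    """Walk root and return PE images whose extension is not one Windows uses for code."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() not in PE_EXTENSIONS and is_pe_image(path):
                hits.append(path)
    return sorted(hits)


def _minimal_pe():
    """Smallest byte string that passes is_pe_image(): MZ stub, e_lfanew = 0x40, PE signature."""
    data = bytearray(0x44)
    data[0:2] = b"MZ"
    struct.pack_into("<I", data, 0x3C, 0x40)
    data[0x40:0x44] = b"PE\0\0"
    return bytes(data)


def make_sample_tree():
    """Constructed sample: disguised PEs in two places, a real text file, a real bitmap, a normal .exe."""
    root = tempfile.mkdtemp(prefix="pccare_mz_demo_")
    os.mkdir(os.path.join(root, "temp"))
    files = {
        "photo.bmp": _minimal_pe(),                          # PE pretending to be a bitmap -> reported
        os.path.join("temp", "notes.txt"): _minimal_pe(),    # PE pretending to be text -> reported
        "readme.txt": b"just some text\r\n",                 # real text -> ignored
        "logo.bmp": b"BM" + bytes(62),                       # real bitmap header -> ignored
        "setup.exe": _minimal_pe(),                          # PE under a normal extension -> not reported
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root


def demo_hits():
    """Scan the constructed tree and return the base names of the files it reports."""
    return sorted(os.path.basename(p) for p in find_disguised_executables(make_sample_tree()))


if __name__ == "__main__":
    for path in find_disguised_executables(make_sample_tree()):
        print("PE image with a non-executable extension:", path)
```

A hit from this check is a candidate, not a verdict: sigcheck's signature verification (and the Process Explorer checks above) decide whether the oddly named image is legitimate.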

 

If you can't delete a file because it is in use, try renaming it.

If you can't rename it either, use MoveFile (Sysinternals) to schedule its removal on the next boot by giving an empty destination:

ex: movefile malware.exe ""

 

If it still won't clean up, pull the drive, attach it to another PC and delete the file from there.

 

For hard-to-delete registry keys, run RegDelNull:

regdelnull -s hklm\software

It searches the registry for key names containing embedded nulls, which the standard registry tools cannot open or delete, displays each null as an asterisk, and lets you delete the keys.

 

For more info, watch Advanced Malware Cleaning by Mark Russinovich
For manual detection and cleaning: Spyware Filehunter  
DISCLAIMER: It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. PcCare.com will not be held responsible if changes you make cause a system failure.

Please review our Terms of Service and Privacy statement before initiating service or using this site. Microsoft® and the Office logo are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. PcCare Site Map. About Us

PcCare.com is owned and operated by TechnoChill Inc.