I Do not Understand

Hi Guys,

Recently I cleaned a PC with the scareware "MS Removal Tool" here's what occured + my Questions?

Boot to safe mode try SAS portable, it removed 2 disable task mgrs., upon reboot "MS Removal Tool" still present.

Okay! so we have something, not quite removable by SAS.

Next Emsisoft (updated) rescue, with deep scan, which removed several trojans. Upon reboot Ms Removal Tool still present.

Next Hitmanpro finds adware & reboot MS Removal Tool still active..

Try "Stream Armor" no help
HJT - I see nothing strange

F-secure finds "gen.variant.kazy & rootkit tdss.ar, but won't remove. Waste of my time.

Dr Web - waste of time.

TOTAL WASTE OF TIME - Boot disc like Avira rescue cd, or Bitdefender bootable CD. Scan & fail to remove.

Finally in SafeMode, ClamWin, MBAM, SAS, HitMan, & ??. I reboot & it's gone!
__________

Is there a more efficient way to remove malware, than the above? How about "combo-fix", should that be my first choice (XP, Vista, & 7), or other suggestions. Or is this welcome to the security world, cleanup??

Rico

 

Nice read here: http://www.bleepingcomputer.com/virus-removal/remove-ms-removal-tool

Gerard

 

nice one

 

I've read that prior to posting here: I'm curious as to the pecking order, or power, to remove malware is:

AV rescue discs - Avira rescue CD etc. Seem to find a few things, then reboot & you still have the same problem.

HitManPro - Has never cured an active infection, for me

MBAM & SAS - better than most

HJT - Long time analyze scan, del bad gus still infected

Stream Armor - research the list, del `useful
_________________

So what's useful for cleanup ?
_________________

I've got to figure if "MS Removal Tool" survives the above, then it's a hidden process, that allows 'MS removal Tool" to survive the reboot.
_________________

Sophos - only finds not recommended for deletion, hidden process.
_________________

My FAV's so far are (GO TO) are MBAM , SAS & eset.c o m/onlinescan
_________________

What can I add to this arsenal? I forgot to mention DR Web is useless, & Emsisoft Emergency Deep Scan disappoint.

Thanks
Rico

 

Did you remove or rename using those Boot CDs? Which one found the scareware in Safe Mode?

 

Depends on experience but you need to stop the process then remove the rouge, but for the norm I'd recommend most people get into safe mode and follow the bleeping computer guide.

Looks like F-Secure found the rouge through a generic detection. Some rouges, fraud tools also drop tdss, the last fake defrag I came across was dropping a tdl mod so that could of happened here also.

Glad your sorted

 

Why in safe mode

Also: MBAM would have protected you if it was running in real time. But if already infected MBAM is the only tool you need to get rid of it using it as posted here:
http://forums.malwarebytes.org/index.php?showtopic=81102

Gerard

 

1st time booting the machine, tried "R-kill" <not allowed to run>, likewise SAS portable. So off to safe mode.

In safe mode Emsisoft <updated> found "exploit.html.cve-2010!Ik & trojan.suspectcrc!Ik

<reboot> still infected with MS Removal Tool -

<reboot> to S.M - Fsecure's AS finds gen.variant.kazy & rootkit tdss.ar But does not offer removal. I guess you need to buy the product for removal.

<<Forgot R-kill would work in SM, was necessary for the above attempts above in SM>>

I then saw Task MGR. a process chtzxg.exe tried killing it it kept re-appearing, after googleing it. I used MBAM's File ASSasin. Before the reboot to remove chtzxg.exe ran

clamwin 0 found
hitman 0 "
MBAM & SAS 0 found

I also found webroot, which was loading, a file & was not the AV/AS in use, used webroot removal tool.
_____

Reboot & no sign of MS Removal. File associations gone, documents & settings + my documents - were hidden files. The reg merge to restore file association failed, or worked only for the current windows session. I then used file Hippo updater & found MANY programs to update, which gave the user his programs back.
_____

What disappoints is: Emsisoft emergency rescue 'Deep Scan' SAS portable, plus AV's linux rescue CDs, & HJT. Wy bother with these if you reboot & they fail to remove the scareware?

_____

What would you do: <scenario> Boot to windows task mgr you can' get loaded, before the rogue. All including portables won't run from flash drive.

What tools etc do you go for??
_____

Prior to returning the box I also ran several rootkit scanners blacklite & s russian one (not KAV) can't think of its name. Plus several online AV's & one last Panda cloud full scan. All clean

 

@ Rico

That "russian one" would be RkU = RootKitUnhooker, yes ? If so it's good

What about ?

It wouldn't do any harm to try aswMBR - http://public.avast.com/~gmerek/aswMBR.htm

Also - List of Anti-Rootkits - http://www.kernelmode.info/forum/viewtopic.php?f=11&t=10&sid=f5b93965b530e4095d2ab55c31212e60

You could remove the drive & hook it up to another comp & scan from there.

 

Safe mode is 'diagnostic' mode, looking for problems is easier because only core components are loaded.

 

Hi All,

Clone Ranger - nett <russian for no> it was VBA, they have an AV rescue disk, and a separate "Rootkit" scanner.

I'll check out your links. Thanks!

Any other crime fightin programs I should consider?

Rico

Have you seenThis

 

Well, for a start, most AV's fail to remove or even detect rogues. So running rescue discs is pointless.
As for Rkill, how many times did you run it ? I believe, you may need to run it up to 20 times ( in some severe cases ) before it works.
HJT is no longer used on malware removal forums, other programs like OTL are used instead.
Personally i would not waste any time on trying to remove malware myself.
There are many forums who have people who do this for fun, they are seriously good. Properly trained.
Its much easier to just restore a pc to a previous image Or reinstall windows using recovery discs etc
The most important thing for me is prevention and backing up data

 

Hi Mick,

Explains my frustration with rescue discs. Kind of sad AV's cant protect against Rogues, like there the most popular, bad software going.

Did not know that! Thanks I'll give it a try.

Why am always last to be told!

The infections I see are from our club (3000+ members) who don't know a monitor from a keyboard. I enjoy removing malware, it's like a puzzle for me.

How about 'COMBOFIX' is this still relevant or passe?

Any particular malware forums you particularly like?

Any other crime fightin software of interest?

Thanks
Rico

 

Combofix is one of the most used tools used to remove malware, along with OTL and many others.
While OTL requires a trained person to tell you what to remove,and will so easily, combofix will itself remove malware, and also cure/replace infected system files. Under supervision it can easily remove malicious system files (rootkits )
Combofix is a brilliant tool, that should be used only by trained people

As for forums, i recommend

http://www.geekstogo.com/forum/topic/2852-malware-and-spyware-cleaning-guide/
A clear guide, from registering, running OTL, etc

http://www.bleepingcomputer.com/forums/index.php?app=core&module=global&section=register

 

Thanks Mick
Rico