Rogue Antivirus Removal Help

Discussion in 'malware problems & news' started by TheKid7, Jan 25, 2010.

Thread Status:
Not open for further replies.
  1. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    Situation: Someone I know has asked me to check and try to cleanup their Dell (Windows XP Home) Laptop PC. The symptoms that they described match a Rogue Antivirus (A 'You have an infected system' type window kept popping up and finally the person clicked install to stop the window from popping up.).

    My plan:

    1. Image the Hard Drive to DVD(s) so that the family pictures are not lost (The family pictures are described as the only important data on the hard drive.).

    2. Boot with the Kaspersky Rescue CD, update the malware definitions, scan & remove malware. If the hardware is not compatible with the Kaspersky Rescue CD, I will use the AVIRA Rescue CD instead. I want to clean from a bootable anti-malware CD so that I can remove (or at least cripple) any "stubborn" malware before trying to clean from Windows.

    3. Install MBAM, update, scan and clean.

    4. Install SuperAntiSpyware Free, update, scan and clean.

    5. If the Malware blocks the installation of MBAM or SAS, I will boot to Safe Mode and use DrWeb CureIt to scan and remove Malware.

    Please comment on the above methodology and recommend improvements.

    The PC's owner is not sure if they still have the Dell Restore CD. There may be the Dell Hidden partition that I can restore from. I will not get the PC in my possession until this evening.

    I have almost no experience in cleaning an infected PC. I know that the best way is to just format and re-install, but the PC's owner wants me to try to clean it up first. I need the experience anyway.

    Thanks in Advance.
     
  2. mannagills

    mannagills Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    37
    Location:
    Michigan
  3. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    UBCD4WIN has all those antivirus removal tools and more on it. Plus it has file recovery applications.

    Apart from it being a bit of a pain in the a$$ to build, the CD is ideal for these situations.
     
  4. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Oh and be careful with Combofix. Use at last resort, if all else fails.
     
  5. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    SuperAntiSpyware Free has a bunch of Windows repair ('reset to Windows default') options under the preferences tab. Are these the same type of repairs that ComboFix would do?
     
  6. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Those SAS tools are good for restoring functionality after an infection. A lot of those rogues will disable Task Manager/Control Panel and other things you would use to terminate the bad guy.

    Combofix is very successful against viruses/rogue elements. But it autocleans - what it deems to be a problem. It won't give you the option "Do you wish to remove so and so file?" So you run a chance of it by mistake stripping out something that could cripple the system. Quite a lot of the other specific tools for removal are the same. It's safer to use the conventional AV scanners first.

    Is there anything specifically now not working?
     
  7. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
  8. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I deviated from my plan last night.

    I first scanned (no cleanup) with the AVIRA Rescue CD (Scanning from memory with Linux as the OS). It seemed weird that it only reported four (4) Trojans, 3 in Documents and Settings\…..\Temp(?) and 1 in the DSL Service Provider’s program folder.

    I made an attempt to install Kaspersky’s AVP Tool. The installation locked up (probably malware blocking it).

    I then scanned (Safe Mode) with DrWeb Cureit. Cureit appeared to have Quarantined files in Norton’s Quarantine and found one “possible” Trojan which I chose to Quarantine. The oddest thing appeared to have happened during the scan: It looked like something may have caused the scanner to skip the Windows Folder. I can’t say for sure but that is what I think happened.

    A disk error was reported during the DrWeb Cureit scan and upon restart chkdsk was initiated and numerous file errors were repaired. Upon reboot the malware was still entrenched and the PC was even slower.

    Next: I booted with Puppy Linux, mounted the C: drive and created three directories under C: (‘User 1’s Stuff’, ‘User 2’s Stuff’ & ‘PupBurn Temp’). I then went to User 1’s MyDocuments folder, chose “select all” and copied to the “User 1’s Stuff” directory. I repeated the same for User 2. Then I opened the program PupBurn, selected the PupBurn Temp directory for a burn buffer, inserted a blank DVD+R, selected the two User Stuff directories for burning, chose finalized DVD and then clicked on “Burn”. All MyDocuments files were successfully backed up to DVD.

    I scanned this DVD (containing MyDocuments) on another PC with a-squared free (maximum heuristics), Microsoft Security Essentials and SuperAntiSpyware Free with no reports of malware.

    Tonight: It’s time for Dell’s “Ctrl-F11” (After a few more attempts (for training) at malware cleanup).
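The backup step of the plan in the opening post (image/copy the family pictures before any cleanup) and the Puppy Linux copy described in this post, as an added example that is not code from the thread: a shell script for a live-Linux session that copies each XP user's "My Documents" from the mounted Windows volume into per-user directories, writes a SHA-256 manifest, and verifies the copy against it, so the DVD can be checked on another PC before the Ctrl-F11 restore wipes the source. The mount point, the destination path and the skipped built-in profiles are assumptions; the sample volume is constructed inline (not real data) so the script runs offline.

```shell
#!/bin/bash
# Added example (not from the thread): back up each XP user's "My Documents"
# from a live-Linux session, with a SHA-256 manifest for later verification.
# Assumption: the suspect Windows volume is mounted read-only at the first
# argument (e.g. mount -o ro /dev/sda1 /mnt/win), so nothing on it is executed
# or modified during the copy.

set -u

# Copy "Documents and Settings/<user>/My Documents" for every real profile under
# the mount point into "<dest>/<user>'s Stuff". Prints the number of users copied.
backup_user_docs() {
    local mnt="$1" dest="$2" users_copied=0
    local profiles="$mnt/Documents and Settings"
    [ -d "$profiles" ] || { echo "no profile directory under $mnt" >&2; return 1; }
    mkdir -p "$dest"
    for profile in "$profiles"/*/; do
        local user; user=$(basename "$profile")
        # Built-in profiles (assumed list) hold no family pictures; skip them.
        case "$user" in
            "All Users"|"Default User"|LocalService|NetworkService) continue ;;
        esac
        [ -d "$profile/My Documents" ] || continue
        mkdir -p "$dest/$user's Stuff"
        cp -a "$profile/My Documents/." "$dest/$user's Stuff/"   # -a keeps timestamps
        users_copied=$((users_copied + 1))
    done
    echo "$users_copied"
}

# Write a sorted SHA-256 manifest of every file in the backup (excluding the
# manifest itself). Prints the number of files listed.
write_manifest() {
    local dest="$1" manifest="$1/SHA256SUMS"
    (cd "$dest" && find . -type f ! -name SHA256SUMS -print0 | sort -z | xargs -0 sha256sum) > "$manifest"
    wc -l < "$manifest" | tr -d ' '
}

# Check the backup against its manifest; succeeds only if every file matches.
# Run this on the burned DVD from another machine before wiping the laptop.
verify_manifest() {
    (cd "$1" && sha256sum -c SHA256SUMS > /dev/null)
}

# Constructed sample tree standing in for the mounted XP volume (not real data).
make_sample_volume() {
    local root="$1"
    mkdir -p "$root/Documents and Settings/User 1/My Documents/My Pictures" \
             "$root/Documents and Settings/User 2/My Documents" \
             "$root/Documents and Settings/All Users/My Documents" \
             "$root/WINDOWS/system32"
    printf 'jpeg-bytes-placeholder\n' > "$root/Documents and Settings/User 1/My Documents/My Pictures/holiday.jpg"
    printf 'a letter\n' > "$root/Documents and Settings/User 2/My Documents/letter.doc"
    printf 'shared\n' > "$root/Documents and Settings/All Users/My Documents/shared.txt"
}

# Stand-alone run: build the sample volume, back it up, write and check the manifest.
run_demo() {
    local work; work=$(mktemp -d)
    make_sample_volume "$work/vol"
    local n files
    n=$(backup_user_docs "$work/vol" "$work/backup")
    files=$(write_manifest "$work/backup")
    verify_manifest "$work/backup" && echo "backed up $n users, $files files verified"
    rm -rf "$work"
}

run_demo
```

With a real volume, replace the sample directory with the read-only mount point and point the destination at the PupBurn burn buffer; burning the `SHA256SUMS` file alongside the copied folders is what makes the later check on another PC meaningful, since a scan of the DVD only shows what the scanners recognise, while the manifest shows whether every file arrived intact.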
     
  9. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    Here's what I have done since the last Post:

    1. Performed a full scan and clean with the Kaspersky Rescue CD. It cleaned several Trojans. It looked like the Trojan was new because on Kaspersky's website it showed a date of January 23, 2010 for the Trojan being added to their malware definitions.

    2. Performed a full scan with SAS (SuperAntiSpyware) portable version. I saw a lot of registry entries but I wasn’t sure if it was from malware or from the previous failed attempt of installing the Kaspersky AVP tool. Since SAS has a custom scan option, I left the registry entries (for later possible cleanup) and only cleaned the “peanuts” stuff (cookies).

    3. I booted to Windows which was still slow but all of the fake virus alerts/messages were absent.

    4. I installed MBAM (Malwarebytes AntiMalware) and did a quick scan without updates. It detected and removed some registry entries which were related to the support of fake virus alerts/messages.

    5. I did a “sfc /scannow” from the command line to try to get rid of an error message (missing system file) that occurred after each boot. This error message “may” not have been related to the malware. The system file check did not get rid of the error message.

    6. This morning I did the Ctrl-F11 and restored, did a “partial PCDecrapify”, installed SP3 and installed all Critical Windows Updates. The PC is significantly faster now. I will do some “touch-up” work tonight (i.e., install MBAM, SAS, Sandboxie, Antivirus, etc.).
     