Wednesday, October 26, 2011

Remove Hard Drive Password

Warning: The following method for unlocking hard drives will delete all stored data.
I am not responsible for any lost data; do not follow this procedure unless you want to delete all data from the hard drive.

Note: there are more advanced methods of unlocking HDDs that claim to preserve stored data.

1) Boot into the Ultimate Boot CD (UBCD)
Download at:
http://www.ultimatebootcd.com/

2) UBCD->HDD->Diagnosis->MHDD 4.6 (or whatever the latest version on the UBCD is)

3) Run the following commands:
FASTERASE
(you will be asked to enter a password, pick whatever you want)
(FASTERASE will take a long time to run, it is erasing all data on your HDD)
(after FASTERASE finishes you will see that the HDD is no longer BUSY)
DISPWD
(choose to enter the user password then type the password you just chose)

Congrats, your HDD should now be unlocked.

For information on HDDs check out:
http://hddguru.com/

MBR Rootkit Detection

Additional Background on the MBR:
http://en.wikipedia.org/wiki/Master_boot_record

Detecting Master Boot Record (MBR) rootkits can be difficult. Often an infection will intercept calls to read the MBR and return the pre-infection MBR rather than the one actually on disk.

There are many tools which can be run within Windows that claim to detect MBR rootkits, but I have seen false negatives more than once in practice and prefer to do the following:

Boot into a Ubuntu Live CD or Parted Magic (really anything with a half-decent terminal should work)

Open the Terminal:

sudo dd if=/dev/sda of=mbr.bin bs=512 count=1
file mbr.bin >>mbr.txt

Now if you open mbr.txt you have a description of the MBR as it actually sits on disk, and you don't need to worry that the infection handed you a fake MBR, because the infected Windows system (and with it the rootkit's read hooks) is not running.

Example of infected MBR:

x86 boot sector; partition 1: ID=0x7, active, starthead 32, startsector 2048, 204800 sectors; partition 2: ID=0x7, starthead 223, startsector 206848, 312371200 sectors, code offset 0xc0, OEM-ID "      м", Bytes/sector 190, sectors/cluster 124, reserved sectors 191, FATs 6, root entries 185, sectors 64514 (volumes <=32 MB) , Media descriptor 0xf3, sectors/FAT 20644, heads 6, hidden sectors 1203331323, sectors 103464193 (volumes > 32 MB) , physical drive 0xd2, reserved 0x4e, dos < 4.0 BootSector (0x0)

This particular computer was infected with the TDL4 rootkit.
The way that this MBR differs from a clean one can be seen here:
physical drive 0xd2, reserved 0x4e

Usually in this area the MBR would have:
 physical drive 0x7e

For this example the clean MBR looked like this:

 x86 boot sector; partition 1: ID=0x7, active, starthead 32, startsector 2048, 204800 sectors; partition 2: ID=0x7, starthead 223, startsector 206848, 312373248 sectors, code offset 0xc0, OEM-ID "      м", Bytes/sector 190, sectors/cluster 124, reserved sectors 191, FATs 6, root entries 185, sectors 64514 (volumes <=32 MB) , Media descriptor 0xf3, sectors/FAT 20644, heads 6, hidden sectors 309755, sectors 2147991229 (volumes > 32 MB) , physical drive 0x7e, dos < 4.0 BootSector (0x0)


Please note that the above example may not be representative of the MBR on any given machine, clean or infected. If you are unsure whether an MBR is infected, my suggestion is to save mbr.bin as a backup and then run fixmbr from the Windows Recovery Console and see if there are any differences (if you have multiple operating systems installed, fixmbr may leave you able to boot only Windows until you restore the MBR to its previous state).
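The `file` output above is `file` interpreting the first 512 bytes as a FAT boot sector, so fields like "Bytes/sector 190" are really just bytes of boot code read through the wrong template; what actually matters is that the boot-code bytes and, in this case, partition 2's sector count differ between the two dumps. Below is an added example, not code from the original post, that parses a raw mbr.bin as dd produced it and diffs it against a saved known-good copy, so the comparison is byte-exact rather than read off `file`'s labels. The two sample images are constructed inline: their partition entries use the geometry shown in the post's output, and the boot code is a filler byte patched at offsets 0x24 and 0x25 (the bytes `file` reports as "physical drive"/"reserved") to mimic the difference seen above. Run it with two file names (`python mbrdiff.py good.bin mbr.bin`) to compare real dumps.

```python
"""Parse and diff two raw 512-byte MBR images, e.g. mbr.bin dumped with dd."""
import hashlib
import struct
import sys

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: bootstrap code, the region a bootkit rewrites
PART_TABLE_OFF = 446     # bytes 446..509: four 16-byte partition entries
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(data):
    """Return the boot-code hash, the non-empty partition entries and the signature check."""
    if len(data) != MBR_SIZE:
        raise ValueError("MBR image must be %d bytes, got %d" % (MBR_SIZE, len(data)))
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, CHS start head, CHS start sector/cylinder, type, (3 CHS-end bytes skipped),
        # LBA start, sector count; all little-endian
        status, start_head, _chs, ptype, lba_start, sectors = struct.unpack_from(
            "<BBHB3xII", data, off)
        if ptype == 0:  # empty slot
            continue
        entries.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                        "start_head": start_head, "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": entries,
            "signature_ok": data[510:512] == SIGNATURE}


def compare_mbr(baseline, candidate):
    """Diff a known-good MBR image against a freshly dumped one."""
    a, b = parse_mbr(baseline), parse_mbr(candidate)
    first_diff = next((i for i in range(BOOT_CODE_LEN) if baseline[i] != candidate[i]), None)
    changed = []
    for pa, pb in zip(a["partitions"], b["partitions"]):
        delta = {k: (pa[k], pb[k]) for k in pa if pa[k] != pb[k]}
        if delta:
            changed.append((pa["index"], delta))
    return {"boot_code_changed": a["boot_code_sha256"] != b["boot_code_sha256"],
            "boot_code_first_diff": first_diff,            # offset of first differing byte
            "partition_count_changed": len(a["partitions"]) != len(b["partitions"]),
            "changed_partitions": changed,
            "signature_ok": a["signature_ok"] and b["signature_ok"]}


def build_sample_mbr(fill, partitions, patches=()):
    """Construct a synthetic MBR: filler boot code (optionally patched), partitions, 0x55AA."""
    boot = bytearray([fill]) * BOOT_CODE_LEN
    for off, val in patches:
        boot[off] = val
    table = b"".join(struct.pack("<BBHB3xII", st, head, 0, pt, lba, n)
                     for st, head, pt, lba, n in partitions)
    table += b"\x00" * (PART_ENTRY_LEN * (4 - len(partitions)))
    return bytes(boot) + table + SIGNATURE


# Constructed samples: (status, start head, type, LBA start, sectors) taken from the
# post's two `file` outputs; only partition 2's sector count differs between them.
CLEAN_PARTS = [(0x80, 32, 0x07, 2048, 204800), (0x00, 223, 0x07, 206848, 312373248)]
SUSPECT_PARTS = [(0x80, 32, 0x07, 2048, 204800), (0x00, 223, 0x07, 206848, 312371200)]
CLEAN_MBR = build_sample_mbr(0x7e, CLEAN_PARTS)
# Boot code altered at 0x24/0x25, the bytes `file` labels "physical drive"/"reserved".
SUSPECT_MBR = build_sample_mbr(0x7e, SUSPECT_PARTS, patches=((0x24, 0xd2), (0x25, 0x4e)))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as good, open(sys.argv[2], "rb") as dumped:
            report = compare_mbr(good.read(), dumped.read())
    else:
        report = compare_mbr(CLEAN_MBR, SUSPECT_MBR)
    for key, value in report.items():
        print("%s: %s" % (key, value))
```

The boot-code hash is the check worth keeping in a notes file next to mbr.bin: a clean machine's first 446 bytes do not change between boots, so any change there after the partition table is confirmed intact is a reason to look closer, regardless of what `file` prints.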

Sunday, July 3, 2011

Safe and Reliable Data Backup Solution

To backup data using this procedure you will need the following:
1) External storage media to transfer files to (e.g. an external hard drive)
2) Parted Magic Boot CD
(download from: http://partedmagic.com/doku.php?id=downloads )
3) Parted Magic Backup Script
(download from: http://www.mediafire.com/?a6a5ppd507qnca9 )

Procedure:
1) Burn a Parted Magic Boot CD using a program like Active ISO
(http://download.cnet.com/Active-ISO-Burner/3000-2646_4-10602452.html )
2) Boot your computer from the Parted Magic Boot CD (you may need to go into BIOS and change preferred boot order)
3) Download the Backup Script and then extract it to the Desktop (location is arbitrary but the Desktop will be used in this tutorial)
4) Open up the Terminal and type the following to start the script:
cd Desktop
./Backupscript-partedmagic.sh

The script should now start and provide you with instructions for backing up your data.

Troubleshooting:
Issue:
The terminal says permission is denied to open the script.
Solution:
In the terminal type:
chmod a=wxr Backupscript-partedmagic.sh

Issue:
The terminal says the file was not found.
Solution:
Make sure you are in the correct directory where the script is located
You can change directories in the terminal with the "cd" command

Issue:
The script cannot mount my hard drive.
Solution:
Given that your operating system is not working, there is likely an issue with the filesystem on your partition. The best way to recover data from it is to use a program called PhotoRec (also found on Parted Magic). If PhotoRec doesn't help you (I will post a tutorial on it soon), you may need a professional data recovery service. Feel free to message me if you aren't sure.

Notes on the script:
-This script will help you back up files from any computer that can boot off Parted Magic to external media.
-It works off a preset blacklist: it will copy all files on your computer except those on my blacklist (which includes things such as Windows or Program Files).
-This script will work best on a computer that is plugged into the internet via an ethernet cable (wireless will work as well but you have to configure it manually).
-The network transfer option in the script requires you to type a command to mount a network share.
Example:
mount.cifs //markbackup.somedomain.com/backup /media/mtpt -o user=mark,pass=pass
(that isn't a real backup server; note that the -o options must be a single comma-separated list with no spaces)
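The script itself is not reproduced here, but the blacklist approach the notes describe (copy everything except a fixed set of top-level system folders to a mounted external drive) is simple to show. The following is an added Python example, not the post's script: it walks a mounted partition, prunes the blacklisted top-level entries, copies the rest preserving relative paths, and then re-hashes source and destination to verify the copies. The blacklist entries beyond "Windows" and "Program Files", the sample file layout and the mount-point names are constructed for the example.

```python
"""Copy user data off a mounted partition to external media, skipping a blacklist,
then verify the copies by hash."""
import hashlib
import os
import shutil
import tempfile

# Constructed blacklist of top-level names to skip. The post names "Windows" and
# "Program Files" as examples of its own list; the remaining entries are assumptions.
BLACKLIST = {"Windows", "Program Files", "Program Files (x86)", "ProgramData",
             "$Recycle.Bin", "System Volume Information", "pagefile.sys", "hiberfil.sys"}


def is_blacklisted(rel_path, blacklist=BLACKLIST):
    """True if the first path component (relative to the mount point) is blacklisted."""
    return rel_path.replace(os.sep, "/").split("/", 1)[0] in blacklist


def backup_tree(src_root, dst_root, blacklist=BLACKLIST):
    """Copy every regular file under src_root to the same relative path under dst_root,
    except blacklisted top-level entries. Returns (copied, skipped) as sorted lists."""
    copied, skipped = [], []
    for dirpath, dirnames, filenames in os.walk(src_root):
        rel_dir = os.path.relpath(dirpath, src_root)
        if rel_dir == ".":
            rel_dir = ""
            # Prune at the root so os.walk never descends into Windows, Program Files, ...
            skipped.extend(d for d in dirnames if d in blacklist)
            dirnames[:] = [d for d in dirnames if d not in blacklist]
        for name in filenames:
            rel = os.path.join(rel_dir, name)
            if is_blacklisted(rel, blacklist):  # catches blacklisted files such as pagefile.sys
                skipped.append(rel)
                continue
            dst = os.path.join(dst_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(os.path.join(dirpath, name), dst)  # copy2 keeps timestamps
            copied.append(rel)
    return sorted(copied), sorted(skipped)


def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_backup(src_root, dst_root, copied):
    """Re-hash source and destination; return the relative paths whose copies differ."""
    return [rel for rel in copied
            if _sha256(os.path.join(src_root, rel)) != _sha256(os.path.join(dst_root, rel))]


def make_demo_tree(root):
    """Constructed sample layout resembling a Windows partition mounted under Parted Magic."""
    files = {"Users/mark/Documents/notes.txt": "thesis draft",
             "Users/mark/Pictures/cat.jpg": "not really a jpeg",
             "Windows/System32/cmd.exe": "system file, not worth backing up",
             "Program Files/App/app.exe": "installed program",
             "pagefile.sys": "swap"}
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)


def run_demo():
    """Build the sample tree in a temp dir, back it up and verify it.
    Returns (copied, skipped, mismatches)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "sda2")      # e.g. /media/sda2 on Parted Magic (assumed)
        dst = os.path.join(tmp, "external")  # the external drive's mount point (assumed)
        make_demo_tree(src)
        copied, skipped = backup_tree(src, dst)
        return copied, skipped, verify_backup(src, dst, copied)


if __name__ == "__main__":
    copied, skipped, mismatches = run_demo()
    print("copied:", copied)
    print("skipped:", skipped)
    print("hash mismatches:", mismatches)
```

On a real recovery you would call backup_tree with the partition's mount point and the external drive's mount point; the hash pass at the end is the "reliable" half of the job, since a copy that silently truncated on a failing disk is worse than one you know is incomplete.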

Thursday, June 30, 2011

How to: Clone a VM for VirtualBox

The following is the command for cloning a .vdi virtual hard disk in VirtualBox.

Mac OS/Linux:
Open the terminal
Type:

VBoxManage clonehd source.vdi target.vdi

Example:
Suppose you have a virtual machine with a virtual hard disk called "virtualhdd.vdi".
"virtualhdd.vdi" is located in /Users.
You will make a clone of this disk called "clone.vdi" in /Users.
You will type:
VBoxManage clonehd /Users/virtualhdd.vdi /Users/clone.vdi

Alternatively you could do:
cd /Users
VBoxManage clonehd virtualhdd.vdi clone.vdi

On Windows the command is the same, but you must first change directory in cmd to the folder that contains VBoxManage.

How to Fix: .exe files won't open on my computer

Hello,

Exe files not opening properly is an issue that commonly occurs after malware removal.

The cause of this problem is usually an issue in the Windows Registry.
The first thing you need to do is get into regedit; you can usually still open it by running it as administrator.
Once regedit is open navigate to:
HKEY_CLASSES_ROOT\exefile\shell\open\command
The (Default) value should be "%1" %* (including the quotation marks around %1).


Alternatively, the simple .reg script below should correct the default value. To create it, right-click on the desktop, go to New, then click Text Document. Open the text document and copy in the following (the material between the quote lines):
"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

"
Then save the file as fix.reg.
Open the file and when it asks you whether you want to merge the registry click Yes.

This should fix most issues with opening exe files. If this does not help you, verify that your registry value is "%1" %* (including the quotation marks around %1) and/or send me a message. If you attempted this fix too early, you may need to go back and remove the malware from the computer first.

Mark

ABP + NoScript = Safer Browsing

Web browsing is the primary vector for malware infection.

By making your web browsing experience safer you can significantly reduce your overall risk of infection

One way you can do this is by using the Ad Block Plus and NoScript add-ons for Mozilla Firefox:

NoScript essentially works by blocking all scripts except those from whitelisted domains (ones you give the ok to)
-It will by default only allow scripts to run on very few websites and it is up to you to decide which ones you think are safe
->Admittedly this gets annoying especially when you first start but if you want an extra layer of protection it is worth it

Ad Block Plus works by creating a blacklist of advertisements on the web
-The danger with advertisements is that some vendors do not regulate content well and sometimes serve so called "malvertisements" which will attempt to infect your computer.  If you simply block advertisements then your risk of getting a malvertisement will go down.
->I have seen computers that have been infected by malvertisements served from a variety of ad networks on a range of websites. I believe there was actually a malvertisement on the New York Times main website a while back.
->The drawback of Ad Block Plus is that it might block advertisements that you are interested in viewing.  You can disable it on pages of your choice

So when looking at the two together:
-NoScript will minimize your risk significantly and only run scripts on websites of your choice
-Ad Block Plus serves as something of an extra layer of protection for websites you choose to run scripts on.  If such a website is in a position where it will infect you it is probably due to a malvertisement, so Ad Block Plus would likely protect you in those cases.

**Note**
Running ABP and NoScript together is not guaranteed to make your computer impervious to browsing attacks.  Common sense is still your best tool and should not be neglected.

Wednesday, June 29, 2011

Trick for speeding up virus removal

Premise: Deleting files is faster than scanning them (especially multiple times)

You can speed up virus removal by running a program such as CCleaner before running any scanners. CCleaner removes a large number of useless and potentially infected files.  By decreasing the total number of files that your cleaning programs have to go through you will decrease the length of scans. The more scans that you plan to run the more time you will save if you choose this approach.

Make sure to check the recycle bin before running it; some people leave surprisingly important stuff in there.

Mark

Wednesday, February 9, 2011

Malware Removal Guide (Vista/Windows7)

Hello,

This is a basic guide for removing malware from an infected computer.

Goal:
To restore the computer back to its previous working condition or better.

Rationale:
When malware infects a computer it can do two main things to your files:
1) Delete or modify files
2) Create files

Most of the guides you will read on the internet will tell you to remove malware using some sort of program that scans for and deletes malicious files.  I would argue that a scanner-only approach is incomplete because it does next to nothing to restore deleted or modified files to their condition prior to infection.  Running scanners alone usually works fine but system restore

Step 1:  System Restore

It is fairly common advice to hear that you should delete your system restore points before cleaning a machine.  This is usually a mistake.
System restore, when run from the recovery console, is one of the fastest, most effective, and lowest risk ways to start removing malware from a computer. (This is for Vista/7 only; if you have Windows XP move to step 2.)
Note: System Restore WILL ABSOLUTELY NOT alter any of your personal files.
Note: System Restore will however revert/uninstall any programs that were installed after the restore point date.

How to run system restore from the recovery console:
1) Make sure your computer has been turned off
2) Hit the power button on your computer and immediately after start lightly tapping F8 (2-3 times a second) on your keyboard.  You should see a black screen with a list of options.  If your computer starts up normally (you have to do this fast enough that you do not see the Windows logo) it means you did not press the button soon enough.
3) Use your arrow keys to navigate to the 'Repair Your Computer' tab.  Press enter
4) Your computer will now start booting into the Recovery Console (this will look fairly similar to a normal Windows startup).
5) Once your computer has booted into the recovery console you will see a prompt asking you to select 'keyboard input method' and you just need to hit 'Next'.
6) If you are prompted to log onto a user account please do so (choose your own). 
7) A window will appear called 'System Recovery Options'.
8) Now click once on 'System Restore' (note that it can take awhile for the system restore window to open).
9) After 'System Restore' opens click 'Next' and select a restore point before the malware infection and click 'Finish'
Note: Basically you want the most recent restore point before the infection because system restore will run faster, but you can choose any point you want.
Note: If your computer has no restore points, or if none of your restore attempts (I wouldn't bother trying more than 3) are successful (you know it is successful if you see a prompt saying system restore has finished that asks you to restart your computer), then just move on to step 2.
10) After the system restore has run, start your computer up, log into your user account and see if it looks like the virus is still there. You should see a message that the computer has had system restore run.

Note:  After system restore your computer may appear to be malware free.  If this is the case for you, it is still very important to continue to go through the steps in this guide.  System restore does not always completely remove a virus.  The goal of running system restore is to damage the virus and revert and restore your computer's system files.

Step 2:  Combofix

1) Download Combofix from the following link:
http://www.bleepingcomputer.com/download/combofix/
2) Disable your antivirus program's real-time protection (don't worry you can turn it back on soon!)
3) Run Combofix (it will do everything itself basically)
Note: Combofix may want to restart your computer to remove some of the malware so make sure you have closed all other programs that you opened.  Please take messages from Combofix seriously.
Note: After you have completed this guide please remove Combofix by running 'Combofix /uninstall' from the windows 'Run' box (you hit the Windows Key and R at the same time to make it show up)

Step 3:  Malwarebytes Anti-Malware (MBAM)

1) Download MBAM from the following link:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
2) Install MBAM
3) Update virus definitions (under the update tab)
4) Run a full scan (make sure that it scans your hdd)
5) Remove any infected items

Step 4: Kaspersky Virus Removal Tool (KVRT)

1) Download KVRT from the following link:
http://www.kaspersky.com/antivirus-removal-tool?form=1
2) Install KVRT
3) Make sure you check all boxes under the list of options for KVRT to scan
4) Run a scan and remove infected items
5) Hit 'exit' after the scan to uninstall KVRT


Step 5:  Running your antivirus program

You should install or reinstall (if necessary) antivirus software that you plan to use to keep your computer clean.
Here are a few free antivirus options:

1) Microsoft Security Essentials (http://www.microsoft.com/security_essentials/)
2) Avast  (http://download.cnet.com/Avast-Free-Antivirus/3000-2239_4-10019223.html)
3) Avira  (http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html)

After you have the antivirus program of your choice installed on your computer and updated run a full scan of your computer.

Your computer will most likely be free of malware at this point.  However if you would like to run additional scans here are some options:

Microsoft Security Essentials
Spybot Search and Destroy
Kaspersky Rescue Disk (http://support.kaspersky.com/viruses/rescuedisk?level=2)


Step 6:  Preventing future infections


Here are some notes/advice that I recommend you follow:
-only have 1 antivirus program installed on your computer with a real-time scanner (you can keep Malwarebytes Anti-Malware because it is designed to work with other anti-virus programs)
-make sure your antivirus program is up to date and running
-make sure you are using an up to date browser (preferably Mozilla Firefox or Google Chrome)
-make sure you have done all of your Windows Updates
-make sure you have the latest version of Adobe Flash (https://www.adobe.com/software/flash/about/)
-make sure you have the latest version of Java installed (https://www.java.com/en/download/installed.jsp)
-make sure your Adobe Reader is up to date
-if you are unsure if a website is safe: Check it with WebOfTrust (https://www.mywot.com/)


****Additional Safety Precautions****
1) Make an image backup of your computer before you start the malware removal process
Use Ghost4Linux from PartedMagic Live CD from the Ultimate Boot CD (http://www.ultimatebootcd.com/)
2) Create a system restore point before running each virus scan
3) Review the results of malware scans before you delete infected items

****Note****
Due to the huge variance in malware, this guide may not be the best way to treat your computer, so please use at your own discretion.
For example, many viruses will try to disable system restore and/or safe mode so you cannot use them.

If you have any questions please comment, send me a message and/or visit malware removal forums such as:
http://www.spywareinfoforum.com/
http://www.bleepingcomputer.com/


Thanks,

Mark