virus removals

Cris Ortega

May 29, 2013, 4:05:00 PM
to after-hours-c...@googlegroups.com
Hello all.

Recently I've had clients as well as family back home dealing with Ransomware, like the FBI virus for example.
Sometimes these are so bad that they don't even let me log in to Safe Mode, as has been the case for me, especially on Windows Vista computers.

I'd like to know what methods you use and bounce ideas off the group so I can learn of a more efficient way to remove any of these kinds of extremely annoying viruses.

Here is the process that I usually go with. Any insights would be appreciated.

I currently use Malwarebytes.org and run a full scan of a computer to fully remove all infections. On average, a scan takes me 90 to 120 minutes.
Malwarebytes rarely misses any infections, but in the case that it does, I run Hitman Pro, the free version, which scans only the most commonly infected directories. This has worked for me 100% of the time.
[I should note that if a computer is so badly infected that I cannot even get into Windows Safe Mode, I take the HDD out, connect it to my own laptop with an external SATA/IDE USB dongle and run Malwarebytes against it.]

Once the computer is stable, I install either avast! or AVG Free [the latest versions available]. I then instruct the client how to use their computers more safely by avoiding bad websites, and being cautious about downloading files and email extensions from both known and unknown contacts.

Thank you for reading.

Cris Ortega

"You miss 100% of the shots you don't take"
-Wayne Gretzky

Connor Becker

May 30, 2013, 9:58:22 AM
to after-hours-c...@googlegroups.com
I don't have much experience with MalwareBytes, but so far I haven't seen many other antivirus programs detect it consistently. I usually manually look through common places that viruses like to hide (the user's AppData folder tree, X:\ProgramData, for example), but the last time I battled an FBI variant, I couldn't find it anywhere. But I thought up a trick that might work (for me at least, on Windows 7+).
 
Assuming there's another administrator account or you can get into safe mode, you can exploit the fact that (at least in my experience) the FBI virus affects only the user account that contracted it. First, if there's no other administrator account and the administrator password is unknown (as is the case on many home computers), go into safe mode, make another administrator user account, and make sure fast user switching is enabled. Then reboot into normal mode, log into the affected account and press Control-Alt-Delete. On Windows 7 at least this brings up a list of options, one of which is to switch users; click it and log into the administrator account you made earlier (or an existing one if available). Run the Windows Process Explorer. When you're in that, go to the File menu and select "Show Details for All Processes" (the entry with the shield); this will cause it to reopen as an administrator-level process, showing all processes and their child processes, even those of the other FBI-afflicted user account. You should be able to look through that list for anything sketchy, especially rundll.exe instances. Hovering over an entry in the list will reveal the command that was issued to run it, as well as the full path and filename of the program.
 
This should give you the location of the running virus; take note of that, kill the process, and go delete its files.  In my last battle (don't know if it's generally the case) it had a .reg file with it, revealing that it had altered the registry.  Using the information in the file, as well as searching the registry for the filename of the virus, I fixed or deleted the entries that it had modified or added, namely it had replaced explorer.exe as the user's shell (also check for startup entries).  Doing all of this should clean up the virus *and* its effects, which is important as well.
 
This method should work for other ransomware viruses as well, and on any Windows version on which you can get to fast user switching without whatever the ransomware is blocking. For example, in Windows XP Home Edition, the default action on Control-Alt-Delete is to bring up the Task Manager, which the FBI virus swiftly hides from view, so this method wouldn't work without changing that default action as well (can't think off the top of my head how to do that, but I'm sure it can be done and then switched back when finished). If there's not an unaffected account, this method also requires safe mode, which, as you mentioned, is sometimes somehow locked, making this method ineffective in those situations.
 
You're right though, making sure they have an updated antivirus isn't enough; you have to make sure that they understand that some programs can creep past their antivirus and infect their system anyway, and that it can be caused by their browsing habits, whether they knowingly or unknowingly go to sites that spread the virus.

tvons...@afterhourscr.com

Jun 1, 2013, 10:31:58 PM
to after-hours-c...@googlegroups.com
Hello Cris,

Although I am no longer an AHCR employee, I ran into this "FBI virus" several times during the 4-6 months I prided myself on being an AHCR Technician. What I did was go to c:\appdata\roamingprofiles\..... and that is usually where the virus installed itself. I would delete all the files (can't remember what they were called), but you can usually tell by the install date what should be removed! Delete those files... run CCleaner... then run Malwarebytes... if MBAM comes up clean you should be good!

My very first AHCR service call was for this very problem!... and I NEVER got a call back on it... so my fix must have worked... just sayin'... good luck... good vibes... and say "hello" to J.P. for me!!!!

tvons...@afterhourscr.com

Jun 1, 2013, 10:49:12 PM
to after-hours-c...@googlegroups.com
I should also note that indeed you do need to boot into 'safe mode' and, if you can't, try a couple more times... it has worked for me! And also, if you CAN'T boot into 'safe mode', it is time to re-format the HDD! Which means you should take the drive out, bravely plug it into your laptop, back up all their important files, and re-install the OS!!!!

Good luck to ya!

Todd Von Schulze | Network Administrator
Brighton District Library | 100 Library Drive | Brighton, MI 48116

jga...@afterhourscr.com

Dec 11, 2014, 1:21:34 PM
to after-hours-c...@googlegroups.com
Run ERD Commander and use the standalone System Sweeper. You will need to download the newest definitions for Microsoft Essentials, I believe. You are supposed to be able to ping the server for new definitions from inside the program, but it doesn't work... at least not the times I've used it. Simply stick it on a flash drive and select it from there. If, after you've scanned, it has removed it and you've rebooted, there are still issues, you can try Malwarebytes, but I've found the one-two combination punch of Microsoft System Sweeper and Kaspersky Rescue Disk to do the trick.

Kevin Cody

Dec 12, 2014, 9:46:25 AM
to after-hours-c...@googlegroups.com
Greetings:

Most ransomware I have encountered tends to be removable by Malwarebytes, run/installed from a USB thumb drive. In the case of severely blocked systems, booting from Hirens Boot CD (CD or thumb drive) will allow you to safely back up the data to an external drive. I highly recommend the Hirens disk as a vital tool for computer techs.

Cordially,

Kevin L. Cody

Ryan Telfer

Dec 14, 2014, 7:37:47 PM
to after-hours-c...@googlegroups.com
Occasionally, you will run into a variant that runs even in Safe Mode, or that has affected all of the profiles, or the user only had one profile. One method I have used to deal with that situation: I always carry a thumb drive with Ubuntu installed on it, so I can boot the computer from the live CD, mount the Windows drive and hunt down the file. As was previously stated, it usually hides itself in the AppData\Roaming folder, and then it's just the small challenge of figuring out which file in there seems like it doesn't belong. It usually has either a random name, or it steals its name from something else in a way that makes it stick out like a sore thumb, like flash.exe etc. Once it's cleaned, I usually recommend the customer create a second profile and migrate if they only have one, just so there is an alternative to use in the future.

astap...@afterhourscr.com

Feb 27, 2015, 4:26:53 PM
to after-hours-c...@googlegroups.com
Viruses like the notorious Ransomware / Homeland Security / ICE varieties will affect the boot sector. You need to boot up with something like Kaspersky Rescue Disk that will allow you to run a scan during the boot process. Always works for me.

dwi...@afterhourscr.com

Mar 4, 2015, 1:14:38 PM
to after-hours-c...@googlegroups.com
For ransomware such as the FBI virus, I've been using HitmanPro for several years. It has a bootable version called "kickstart" which has been invaluable in removing any malware that loads before the OS.

BADDM0f0213

Mar 26, 2015, 8:00:11 PM
to after-hours-c...@googlegroups.com
Do not download fake Adobe players or any media player that pops up on a website...

Go into safe mode if possible, run Malwarebytes or rkill, reboot and test to see if the ransomware is still holding your PC hostage; if so, you may have to repeat the malware and antivirus cleaning. Run a registry cleaner after the malware and antivirus cleaning, then see if the ransomware is gone. Worst case scenario is to reformat and reinstall the operating system...

There is another way to fix devices as well as PCs, if there is a restore point created; and devices need a factory reset...
I have solved this many times over the last year or two...

hope this helps..

Roger Hopkins

Jun 17, 2015, 4:14:10 PM
to after-hours-c...@googlegroups.com
Usually when I hit a bad malware infection like this I don't even try to boot into Safe Mode. At that point you usually can't be sure whether the virus is hiding in the background or not, and it's better to be safe than sorry! I will boot up using either Mini-Windows XP on Hiren's Boot CD or UBCD4Win (a similar XP boot cd). There are also Windows 8 PE boot cds floating around now that you can use. Once I have the computer booted into what I am 100% sure is a clean environment, I will usually manually look around the hard drive for it. I look in all the usual places viruses like to hide, which varies by OS and architecture, but in general:

C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Startup
C:\ProgramData\Microsoft\Windows\Start Menu
Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Registry on 64-Bit Systems: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Task Scheduler

If the computer boots into Windows fine, you can check all these places and more really quickly by running Autoruns for Windows, free from Microsoft TechNet. This will show you everything that automatically loads in one big list, along with other dll files, codecs, etc.

If the malware has attached itself to the browser, usually HitMan Pro will take care of it.

After I'm done I'll usually do a virus scan with MalwareBytes or some other tool, but by that time usually I've already removed the virus and it's just for verification's sake.
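Connor's post earlier in the thread describes reading the .reg file dropped beside the sample to see what it changed (the user's shell swapped out for the malware, plus startup entries), and Roger's list names the Run/RunOnce keys to check. The script below is an added example, not code from anyone in this thread: it parses a .reg export and flags a Winlogon Shell or Userinit hijack, Run/RunOnce entries that point into user-writable directories, and the Policies\System values that disable Task Manager or regedit. The sample export is constructed, with a made-up victim path; the expected defaults for Shell and Userinit are the stock Windows values, and the list of user-writable path markers is an assumption tuned to the locations named in this thread.

```python
import re
from dataclasses import dataclass

# Constructed .reg export standing in for the file found beside the sample; not a real capture.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\victim\\AppData\\Roaming\\msconfig.dat"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Flash Player"="C:\\Users\\victim\\AppData\\Local\\Temp\\flash.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00,3c,28,00,00,00,00,00,00,00,00,00,00,\
  01,00,00,00,13,00,00,00
'''

KEY_RE = re.compile(r'^\[-?(.+)\]$')                          # [-key] means "delete this key"
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # "name"=... or @=... (default value)

@dataclass
class Finding:
    key: str
    name: str
    value: object
    reason: str

def _join_continuations(text):
    """Hex values wrap onto several lines with a trailing backslash; glue them back together."""
    out, buf = [], ''
    for line in text.splitlines():
        s = line.strip()
        if s.endswith('\\') and not s.startswith('['):
            buf += s[:-1]
            continue
        out.append(buf + s)
        buf = ''
    if buf:
        out.append(buf)
    return out

def _decode(raw):
    """Turn the textual value into str / int / bytes; unknown forms stay as raw text."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])      # strings escape \\ and \" with a backslash
    low = raw.lower()
    if low.startswith('dword:'):
        return int(raw[6:], 16)
    if low.startswith('hex'):                           # hex: or hex(N): comma-separated bytes
        return bytes.fromhex(''.join(p for p in raw.split(':', 1)[1].split(',') if p))
    return raw

def parse_reg(text):
    """Return (key, value_name, decoded_value) for every value in a .reg export."""
    entries, key = [], None
    for line in _join_continuations(text):
        if not line or line.startswith(('Windows Registry Editor', 'REGEDIT4', ';')):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else '(Default)'
            entries.append((key, name, _decode(m.group(3))))
    return entries

WINLOGON = r'\software\microsoft\windows nt\currentversion\winlogon'
EXPECTED_WINLOGON = {'shell': 'explorer.exe',                       # stock Windows defaults
                     'userinit': r'c:\windows\system32\userinit.exe,'}
RUN_SUFFIXES = (r'\currentversion\run', r'\currentversion\runonce')  # also matches Wow6432Node
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\programdata\\', '\\users\\public\\')  # assumption
POLICY_FLAGS = {'disabletaskmgr', 'disableregistrytools'}

def triage(entries):
    """Flag the persistence and lock-out changes a screen-locker typically makes."""
    findings = []
    for key, name, value in entries:
        k, n = key.lower(), name.lower()
        v = value.strip().lower() if isinstance(value, str) else value
        if k.endswith(WINLOGON) and n in EXPECTED_WINLOGON:
            if v != EXPECTED_WINLOGON[n]:
                findings.append(Finding(key, name, value,
                                        f'{name} hijacked (expected {EXPECTED_WINLOGON[n]})'))
        elif k.endswith(RUN_SUFFIXES) and isinstance(value, str):
            if any(marker in v for marker in USER_WRITABLE):
                findings.append(Finding(key, name, value, 'autostart from a user-writable directory'))
        elif k.endswith(r'\policies\system') and n in POLICY_FLAGS and value == 1:
            findings.append(Finding(key, name, value, f'{name} set: user locked out of a recovery tool'))
    return findings

if __name__ == '__main__':
    for f in triage(parse_reg(SAMPLE_REG)):
        print(f'{f.reason}\n    {f.key}\n    {f.name} = {f.value!r}')
```

Exports written by regedit are UTF-16 with a byte-order mark, so read a real file with `open(path, encoding='utf-16')` before handing the text to `parse_reg`. The Run-key rule deliberately stays quiet about entries under Program Files; those still deserve a look, but the ones launching from AppData or Temp are what this thread keeps finding.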

dbr...@afterhourscr.com

Jul 23, 2015, 1:00:40 PM
to After Hours Computer Repair, cor...@afterhourscr.com
I have been using Malwarebytes and Hitman Pro; only in very few instances will they not detect a virus.

Usually I will manually look for it. The exception being rootkits, which hide very well.

When it comes to rootkits I have been using TDSSKiller by Kaspersky which is free to use. As a last resort, I will wipe the drive and reinstall an OS for a very stubborn virus.

Dora Bright

Randy Lee

Oct 1, 2015, 8:38:18 PM
to After Hours Computer Repair
C:\users\username\appdata\local\temp on Windows 7 is where a lot more recent viruses like to hide.

Basically, the user will have symptoms, you'll run Malwarebytes, and it'll tell you it's removed some virus, x, and you should be all set. You restart the computer and it's back. In the user's temp folder (or another user's), if you sort the items inside the temp folder by "type" and find anything labeled as an application (.exe extension), it's probably remnants of the virus.
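Ryan's and Randy's posts describe hunting the dropped file from a live CD or a mounted drive: look under AppData\Roaming and AppData\Local\Temp, sort by type, and pick out the executable with a random name or a borrowed one like flash.exe. This added example (mine, not code from anyone in the thread) does that walk over the root of a mounted Windows volume, such as /mnt/win on the Ubuntu stick, and decides by the MZ header rather than the file extension, so a PE renamed to .dat is still caught; hits are listed newest first, since a fresh infection is usually the newest executable in those folders. The directory tree it scans is a constructed fixture built in a temporary directory, and the "random-looking name" heuristic is a rough assumption, not a reliable classifier.

```python
import os
import tempfile
import time
from dataclasses import dataclass

PE_MAGIC = b'MZ'                                   # DOS header that starts every PE image
PE_EXTENSIONS = {'.exe', '.dll', '.scr', '.com'}
SCRIPT_EXTENSIONS = {'.bat', '.cmd', '.vbs', '.js', '.jse', '.wsf', '.pif'}
STARTUP_MARKER = 'start menu/programs/startup'     # per-user or all-users Startup folder

@dataclass
class Finding:
    path: str       # relative to the volume root, lower-cased, forward slashes
    reason: str
    mtime: float
    size: int

def _watched(parts):
    """Only the locations the thread names: ProgramData, each user's
    AppData\\Roaming tree and AppData\\Local\\Temp."""
    if parts[0] == 'programdata':
        return True
    if len(parts) > 4 and parts[0] == 'users' and parts[2] == 'appdata':
        if parts[3] == 'roaming':
            return True
        if parts[3] == 'local' and parts[4] == 'temp':
            return True
    return False

def _looks_random(stem):
    """Assumed heuristic: 8+ chars with several digits, or letters but no vowels."""
    letters = [c for c in stem if c.isalpha()]
    digits = sum(c.isdigit() for c in stem)
    vowels = sum(c in 'aeiou' for c in letters)
    return bool(len(stem) >= 8 and (digits >= 3 or (letters and vowels == 0)))

def scan_mounted_drive(root):
    """Walk a mounted Windows volume and report executables in the watched paths, newest first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, '/').lower()
            parts = rel.split('/')
            if not _watched(parts):
                continue
            stem, ext = os.path.splitext(parts[-1])
            with open(full, 'rb') as fh:
                head = fh.read(2)
            reasons = []
            if head == PE_MAGIC:
                # Trust the header, not the name: a PE renamed to .dat is the classic hide.
                label = ext or 'no extension'
                reasons.append('PE image' if ext in PE_EXTENSIONS else f'PE image disguised as {label}')
            elif ext in SCRIPT_EXTENSIONS:
                reasons.append(f'script/launcher extension {ext}')
            if STARTUP_MARKER in rel:
                reasons.append('in a Startup folder')
            if reasons and _looks_random(stem):
                reasons.append('random-looking name')
            if reasons:
                st = os.stat(full)
                findings.append(Finding(rel, '; '.join(reasons), st.st_mtime, st.st_size))
    findings.sort(key=lambda f: f.mtime, reverse=True)
    return findings

def build_sample_tree(root):
    """Constructed fixture, not files from a real infection. Each later entry is an hour older."""
    files = {
        'Users/victim/AppData/Roaming/x7k2p9qz.dat': PE_MAGIC + b'\x90' * 62,      # PE under a data extension
        'Users/victim/AppData/Local/Temp/flash.exe': PE_MAGIC + b'\x90' * 62,      # borrowed product name
        'Users/victim/AppData/Local/Temp/report.txt': b'plain text, ignored',
        'Users/victim/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.lnk': b'L\x00\x00\x00',
        'ProgramData/Adobe/settings.ini': b'[cfg]',
    }
    now = time.time()
    for i, (rel, data) in enumerate(files.items()):
        full = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'wb') as fh:
            fh.write(data)
        os.utime(full, (now - i * 3600, now - i * 3600))

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_mounted_drive(tmp)

if __name__ == '__main__':
    for f in demo():
        print(f'{time.strftime("%Y-%m-%d %H:%M", time.localtime(f.mtime))}  {f.size:>8}  {f.path}\n    {f.reason}')
```

Against a real mount, call `scan_mounted_drive('/mnt/win')` and the report reads the same way; from Mini-Windows XP or a WinPE disc the volume root is simply the drive letter. The Startup-folder rule fires on anything there, including .lnk shortcuts, because a shortcut's target is where the payload actually lives.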

Stacy French199

Jun 21, 2016, 10:29:20 PM
to After Hours Computer Repair
Boot up with a live CD, whether it is Linux or Win 7, 8 or 10, and run scans from the live CD. Try Gandalfs or similar. This method can get rid of most unwanted items.

Dennis Costea

Jul 23, 2016, 1:00:37 PM
to After Hours Computer Repair
Realistically, speaking from a "security perspective", the idea of removing ransomware sounds like a "bear trap" of a subject, because how can anyone truly know it has been removed completely? This should be the biggest concern!

I admire the use of alternative boot discs and browsing around to manually remove suspicious files; however, if the ultimate goal is "doing things right", then a complete re-image of the infected system should really be considered! Granted, removing an instance of ransomware, winning the client's temporary confidence and being invited back for repeat business later is fine, but hoping NOT to be called back for the same version of ransomware in two weeks is a risk.

To use the word "ultimate" again may sound a bit repetitive, but here it goes! The ultimate goal is ridding the customer of the issue with total confidence and advising them on steps to ensure important files are not ever "lost" or compromised (held "ransom") again. Things like keeping important files on external USB media AND not connecting it to the computer when "less safe" websites are being visited or downloads made, or the computer is used for purely recreational purposes, such as playing a DVD movie "borrowed" from a neighbor that MAY NOT only be a DVD movie...

It would be to After Hours Computer Repair's advantage to be remembered as the, 'Yea, I had ransomware once and after following the AHCR Technician's recommendations, it is no longer a concern for me.' service!  Consider the repeat customer's call for new business on another issue better than a repeat instance of the same issue (if possible).
