Rules of the road
THIS IS NOT FOR INFECTION HELP! PLEASE MAKE YOUR OWN THREAD!
THIS IS MEANT FOR BEGINNERS BE NICE!
Information and Scope
About
Hello! This thread was created by request and with support from a few members of the forums.
I am NOT affiliated with, sponsored by, representing, or paid by any security firm or corporation. I do not officially represent any entity while posting under my USN.
I have worked for several tech companies, and previously I worked for a mid-level enterprise as a domain administrator for around 2000 endpoints across 13 offices.
My personal take on virus removal is that it should be free for those most in need, and I very much intend to write this guide in accordance with my belief that someone is tearing their hair out and just wants their computer to work again. The tools I will link and provide are free, and I and others in the industry have used them to completely disinfect machines.
HOWEVER, I also firmly believe that if a product worked for you, you should pay for it to support the developers and the science and skill that went into the program. The world of security software is a mean place with brilliant minds. However, from what I have seen, "Free" outweighs "Paid" in most people's minds when dealing with antivirus/malware tools.
If you like something you should buy it, so that the father of 3 can help pay his bills and has the drive to keep making whatever product saved your ass better. That's it, pure and simple.
Now that you know a bit about me we can move on to some other stuff.
Scope
The scope of this guide will be limited to the end-user environment. This guide DOES NOT cover enterprise-level environments; however, it MAY brush on higher-level best practices and mitigation techniques.
I intend to cover how to properly remove a virus, malware, root/boot kits and junkware from a compromised PC in a basic, friendly, low-impact manner that is easily understood by the average user. This guide will cover normal operating systems in normal environments. Each example will be explained under the assumption that you know nothing about security or intrusive programs and have only the most basic software knowledge and user skill.
This approach is meant to cater to the masses and is not in any way meant to demean or imply that a user needs to be handled in this manner.
I will add that this guide is not a place for arguments and I will only accept constructive criticism. Even the most skilled PC builders, programmers, network engineers and users may not know a lot about security and best practice. That is TOTALLY FINE! That is NOTHING YOU NEED TO BE ASHAMED OF!!!!! Please understand that you may be able to take away something from this guide. I am not here to bump heads with SecOps or other operations managers, who I am sure exist on this forum.
This guide is meant for the average user. I may omit expanded details or parts of security practice on purpose because the "watered down" explanation is easier to digest. There are always naysayers, and if you have a specific question you can PM me. Not including something usually has a purpose and doesn't necessarily mean I don't know the material.
I will say some things in this guide that some of you will NOT agree with. I am fine with that. I may even make someone upset. I do NOT mean to do this. Please understand my history in my "About" section. I have handled a lot of machines and different technologies. The information provided herein is a reflection of best practice, facts, personal experience and industry-accepted techniques. Multiple resources will be provided to back up certain information.
Getting Started
Let's start with the most controversial point that IT staff in organizations and businesses have with what this guide is about: time, money and effort.
A virus removal is not as commonplace as you may think in the professional industry. It is more a pain in the ass for Walmart than it is for you, the end user. In most cases, if you are speaking with a real IT pro, the answer to the question "Can you fix my computer?" is usually just format it and reinstall the OS. This is because:
A: It is far more cost effective, if you are paying someone, to have them simply wipe it and remove all doubt.
B: It is the ONLY sure-fire way to remove whatever infected your system in most cases.
C: Virus removals can do more harm than good.
D: It is far less time consuming in most cases.
Virus removals for the end user are usually simpler than you think. However, understand that in the security industry this is very much a fight-fire-with-fire method. Security software is a mean beast. The process can VERY MUCH leave your system in a worse or unusable state. As you can see from this guide, it is also very involved if done properly.
Attempting to remove an infection of any type without the right tools can result in not effectively removing the infection and compromising the security of the OS MORE because of the settings and files that need to be manipulated to properly disinfect it.
That's some pretty scary stuff, but now we can shed some light on some good news. If you are reading this, chances are you are not nearly as infected as you think you might be. The software might be bothersome and annoying, even hard to close or impossible to delete. However, most users will not run into serious infections.
I am 100% certain anyone reading this (except from an academic standpoint) is probably frustrated out of their mind with the problem they are currently facing. HOWEVER, with that said, most everyday infections are very common and easily remediated without the risk of damaging the core OS or user data. Even better news: if you can read this guide from the infected machine in question, you are better off than most.
Regardless of infection type or severity level there is hope of a clean system, and I will cover how to properly avoid it later. Your reasons for choosing the route of disinfection are your own. I will not judge those that do not take the easier path of reinstallation; I am also fully aware an OSR is not always the easiest solution depending on circumstance. You should also make sure not to let anyone else judge you on it. Disinfection is very much a skill and I will try to help you manage it by yourself.
Let's move on.
Definitions
Let's start with definitions! Not AV definitions, silly: what are we talking about when we say bootkit, add-on, malware? Do they even sell a security encyclopedia? This section is going to break down the difference between them all and hopefully teach you the fundamentals of infection. For better or for worse, knowing is half the battle, and if you really want to save your PC then knowing what you need to do is one of the biggest parts of the battle.
Shooting a fly with a tank damages more than the fly, and we should always understand that in most cases the cure can be worse than the disease. So let's make sure we apply band-aids before we use penicillin.
Malware:
- Malware, like the article suggests, is a blanket term for many types of infectious programs. When you say "I have malware" you aren't exactly wrong regardless of what program is causing the issue; however, you aren't really helping yourself or the person trying to help you get rid of it.
I will break down some of the more common groups below to help you help yourself narrow down the type of problem you have. There are also multiple sub-groups to the primaries listed below but a general knowledge will suffice in most circumstances so I will not be getting into them in this guide.
Junkware:
- Junkware, as of late, has been the term most used to supersede the old terminology "adware". This kind of infection is usually what causes popups in browsers and on your desktop, usually by way of installing itself along with legitimate packages you download from legitimate sites, like Java or Adobe Reader. This is the most common type of "infection" a user complains about. Java, for example, has "bundled" toolbars etc. for years, and download.com by CNET is notorious for spreading bundled installers. I get a lot of my junkware samples from them.
Virus:
- A virus is a term that is usually used for what is actually pretty rare these days among end users. The definition of virus has carried a lot of different meanings in the past and has changed significantly over the years as security researchers and programmers started to need different "groups" for malicious software to gauge intent and infection rate, among other things. Today, when dealing with a "virus", most people in the know assume the virus is of malicious intent and actively destroys or manipulates user data in a negative way, such as Trojans, ransomware or keyloggers. There are some very nasty viruses that are difficult to contain, isolate and remove because they are polymorphic in nature, i.e. they change.
Boot/Root Kit(s):
- A rootkit is a special type of incredibly powerful infection. Rootkits are incredibly hard to deal with because they have the ability to cloak themselves completely or mask themselves as legitimate system processes, making detecting one difficult. Rootkits are infections that circumvent the security protocols of the machine and various security software.
Rootkits are used as a foot in the door for other kinds of infections ranging from malware to virus infections and almost any other kind of conceivable infection. True to its name the root kit usually gives complete privileged access of your computer to the attacker, be it remote control of the program or the machine and hardware itself.
On the same branch is the Bootkit. The bootkit like the rootkit has the ability to grant the attacker complete administrative access while remaining hidden and undetectable by most normal means.
The primary difference with bootkits is that they infect the machine on a very deep level on the hard drive, usually interrupting the boot process itself, hence the name. Bootkits are capable of defeating even the most robust antivirus software and built-in security because bootkits themselves are usually loaded before most of the OS files during the boot process, before you even get to the desktop.
Bootkits and their connected files can be the most destructive to remove and the hardest to find given their nature.
Software and Background
In this section we will briefly go over the software being used and why we chose this software as opposed to other options. This is more of an academic type of post that will clarify the more important "WHY" when it comes to removal. It is important to understand that in order to effectively remove, or have the best chance to remove, a virus you must have the proper tools. The software listed below is based on several key points, those mostly being:
- Free
- Easy to use
- Minimal user interaction
- Update friendly
A Porsche is fast and will get you to work sooner than an 18-wheeler, but if you're hauling tractors to work the 18-wheeler is better suited. This is no different in the security world: applications are, for the most part, built for a specific purpose, and because of the nature of heuristic code engines some software will do better than others even in the same area of interest.
Software List
- Threat Restraint
- Rkill
- TDSS
- bootkitremover
- MBAR
- Roguekiller
- EEK
- MBAM
- Sophos VRT
- HitmanPro
- ADWCleaner
- JRT
- Powerliks
- Combofix
- TWEAK
- REVOuninstaller
- Ccleaner
Examples
Above is the list of software this guide will cover and what you will be using to disinfect the machine in question. We will go more into why we separate them into groups in the next section. Here I will explain the weaknesses and strengths of the software types and programs so you can understand why there are so many.
A common question is why we don't have a single one-size-fits-all solution, paid or otherwise, that can handle all of, well... all of this. The answer is simple.
You can't.
Every virus removal tool is different in some way. Some are able to detect things others cannot. Above are the groups of different software. For example, EEK is a broad-spectrum scanner. However, EEK cannot detect rootkits as well as programs specifically designed to remove rootkits, like TDSS. Likewise, programs like TDSS are completely incapable of detecting malware; they simply aren't programmed for it.
Software in the same category also behaves differently. Hitman is very good at detecting browser issues and cookies. However Sophos isn't so great at browser infections but is better at scanning core system folders.
The AV world is full of these kinds of checks and balances which makes proper removal more of a skill than a click of a few buttons. Nothing is 100% and you must rely on the differences the tools have to increase your chances of success.
- Running scans in order
Running scans in the correct order might be something you are unfamiliar with. I will try to break down the basic concept as to why this is important to you. For the most part it boils down to permissions, be it NTFS permissions or actual privilege. Digging deeper, you should ALWAYS attack an infection in this order:
- Threat restraint
- Root/Boot Kits
- Virus Scans
- Mal/Junkware scans
- Repair
However sometimes more things have been touched and damaged and for these we use repair software last to correct the remaining issues after a full removal.
Identification and Resources
Define
One of the most difficult parts of a virus infection is trying to figure out what you are dealing with. This can be impossible to know for certain, but there are a few tell-tale signs that can tell you how soon you need to deal with the problem. Below I have outlined some very basic markers.
Boot/Rootkit:
- Machine is running very slow with no sign of infection
- Machine starts VERY slowly
- Machine Blue screens for almost no reason
- Machine BSODS or locks up during virus scans
- Machine runs slowly and has programs running during startup
- Machine won't let you open task manager
- Machine won't let you open AV software
- Machine will play audio when there shouldn't be
- Machine has pop ups at the desktop
- Browsers homepage has changed or changes
- Browser locks you out when opening new tabs
- Machine has a lot of programs open during startup that won't close
- Machine shows a lot of software that ask you to pay for it
- Machine displays pop ups telling you you have a virus
- Machine asks you to call a tech support number
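The markers above are things you notice by using the machine. The script below is an added example, not part of the original guide or its attached script, that pulls the checkable ones into one read-only report: whether Task Manager has been blocked by policy, what runs at startup, recent blue screens, the Internet Explorer start page, and which antivirus products are registered. Registry paths and the event provider name are the standard Windows ones; everything else is assumed to run as-is in an elevated PowerShell window on Windows 7 or later.

```powershell
# Added triage helper (not part of the original guide). Read-only: it changes
# nothing on the machine. Run it from an elevated PowerShell window so the
# System event log and the security centre namespace are readable.

function Get-InfectionSigns {
    $report = [ordered]@{}

    # Sign: "won't let you open task manager". Malware commonly sets the
    # DisableTaskMgr policy value; 1 means Task Manager is blocked.
    $polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    $report['TaskManagerDisabled'] = [bool]($pol -and $pol.DisableTaskMgr -eq 1)

    # Sign: "a lot of programs running during startup". Win32_StartupCommand
    # lists Run keys and Startup folder entries for all users.
    $report['StartupEntries'] = Get-CimInstance -ClassName Win32_StartupCommand |
        Select-Object Name, Command, Location, User

    # Sign: "blue screens for almost no reason". Event 1001 from the
    # SystemErrorReporting provider is written after every bugcheck.
    $report['RecentBugchecks'] = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
        Id           = 1001
        StartTime    = (Get-Date).AddDays(-14)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message

    # Sign: "browser homepage has changed". Internet Explorer keeps its start
    # page in the registry; other browsers keep it in profile files (not covered here).
    $ieMain = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' `
        -ErrorAction SilentlyContinue
    $report['IEStartPage'] = $ieMain.'Start Page'

    # Sign: "AV software won't open". Security Center lists registered AV
    # products; productState is a bit field, so this shows what is registered,
    # not whether it is healthy.
    $report['RegisteredAntivirus'] = Get-CimInstance -Namespace 'root/SecurityCenter2' `
        -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        Select-Object displayName, productState

    return $report
}

# Print each section of the report so it can be pasted into a help thread.
$signs = Get-InfectionSigns
$signs.GetEnumerator() | ForEach-Object {
    "`n=== $($_.Key) ==="
    $_.Value | Format-Table -AutoSize | Out-String
}
```

Nothing here removes anything; the point is to have the facts in front of you before choosing which group of tools to start with. A long StartupEntries list pointing at odd folders under the user profile, together with TaskManagerDisabled being True, matches the "programs running during startup" and "won't let you open task manager" markers above.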
Examples
Below are some really common scams and malware making their way around.
- MypcBackup
- Driver installer/download programs
- Fake Antivirus software
- Speed up tune up and cleanup software
- Mindspark toolbars and software
- Slimware utilities software
- Phone call scams telling you your unit is infected
- Email scams with PDF invoices saying you have a package at USPS, UPS, FedEX waiting for you
Ransomware
Ransomware deserves its own section. Here are the common signs.
Any message or program that tells you your files have been locked or encrypted is ransomware.
Address it
IMMEDIATELY unplug your system from the internet and shut it down.
Take it to a professional. This is not a simple procedure or technique. You SHOULD NOT attempt to handle this infection on your own. I SERIOUSLY beg you to take your machine to a local shop to be worked on. It may be possible (although very SLIM) for them to decrypt your data using one of the tools that have been released for the crackable versions.
I am deliberately skipping over risk assessment and disinfection. You NEED to take this to a professional. If you have no important data or pictures on the machine format it immediately. It's already over.
Sources
If you are still unsure if you are infected or have an issue you can always take it to a local shop for diagnosis. However there are a few trustworthy online resources you can use to see what you have.
Should I Remove It?
Should I Remove It is a reputation-based system where users submit their "votes" on a piece of software. Based on the reaction (Positive/Neutral/Bad) you can decide if it is something you should keep.
Herdprotect
Herdprotect is a cloud based virus scanner that uses multiple company definitions and engines to determine if you are infected. They also have a pretty handy knowledge base. Simply search for your program or file and see what it comes back with.
Virustotal
VirusTotal is a Google-sponsored AV front end. You can search for programs, check shady website URLs or upload a file you aren't sure about. Like Herdprotect, it uses multiple AV engines to come to a conclusion.
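Before uploading a file to one of these services, it is worth checking whether somebody already has: a lookup by hash tells you what the scanners think without sending a file that may contain your own documents or data. The function below is an added example (not from the original guide) that computes the SHA-256 of a file, reads its Authenticode signature status as a first hint, and builds the VirusTotal lookup URL for that hash. The URL pattern is an assumption about VirusTotal's web interface; the file path in the usage line is a made-up placeholder.

```powershell
# Added example (not from the original guide): identify a suspicious file by
# hash so it can be looked up on VirusTotal without uploading it.

function Get-SuspectFileReport {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $item = Get-Item -LiteralPath $Path
    # SHA-256 is what the scanning services key on; MD5/SHA-1 collide too easily.
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()

    # Authenticode status is a quick first filter: "Valid" means a chain Windows
    # trusts signed the file; "NotSigned" is common for junkware droppers but also
    # for plenty of legitimate tools, so it is a hint, not a verdict.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        File           = $item.FullName
        SizeBytes      = $item.Length
        LastWrite      = $item.LastWriteTime
        SHA256         = $sha256
        SignatureState = $sig.Status
        Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        # Assumed VirusTotal web lookup pattern: the GUI page for a file by SHA-256.
        VirusTotalUrl  = "https://www.virustotal.com/gui/file/$sha256"
    }
}

# Usage (placeholder path): point it at the file you are unsure about, then open
# VirusTotalUrl in a browser. If the hash is unknown there, nobody has seen that
# exact file yet, which for a "system optimizer" you never installed is itself telling.
Get-SuspectFileReport -Path 'C:\Users\Public\Downloads\setup_helper.exe' | Format-List
```

The same hash can be pasted into Herdprotect's search as well, so one hash serves both lookups.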
Getting Prepared
Before we get started we need to get you ready to run some of the tools I have prepared for you. The below instructions mostly pertain to Windows 7 and 8. By default Windows 10 already comes with the programs you need installed for all of my tools to work.
You will Need
.NET 4.5 and 4.6
We need the .NET Frameworks installed because PowerShell is built on them. PowerShell is what we will be using to download the tools you need.
It is best to do them in order so here are the links.
.net 4.5
Download Microsoft .NET Framework 4.5.2 (Web Installer) for Windows Vista SP2, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2008 SP2 Windows Server 2008 R2 SP1, Windows Server 2012 and Windows Server 2012 R2 from Official Microsoft Download Center
.net 4.6
Download Microsoft .NET Framework 4.6.1 (Web Installer) for Windows 7 SP1, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2 SP1, Windows Server 2012 and Windows Server 2012 R2 from Official Microsoft Download Center
Now that we have .NET all caught up, we need to make sure that we install the latest version of PowerShell. We will need at least 5.0 to make sure the script works correctly. PowerShell is part of the Windows Management Framework and, like .NET, should be installed in order.
Management Framework 4.0
https://www.microsoft.com/en-us/download/details.aspx?id=40855
Management Framework 5.0
Download Windows Management Framework 5.0 (Superseded by WMF 5.1 RTM version: http://aka.ms/wmf5download) from Official Microsoft Download Center
If you think you might have what you need already, we can double check. Search for PowerShell on your computer and open it. Once opened, put in the following command.
Code:
$PSVersionTable
If you have the right version (5.0) it will look like this.
The version number MUST start with 5.
Next we need to allow execution of scripts from other machines. To do this search for powershell right click on it and start as administrator.
Then type the following and hit enter.
Code:
Set-ExecutionPolicy RemoteSigned
Powershell will then warn you and ask you how you would like to continue.
Press "A" without quotes and hit enter to allow execution of scripts.
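The three checks above (.NET version, PowerShell 5, execution policy) can be done in one go. The script below is an added example, not the guide's attached script, that reports each prerequisite as OK or MISSING and, if scripts are still blocked, enables RemoteSigned for the current window only. The .NET thresholds are the Release values Microsoft documents for 4.5.2 (379893) and 4.6.1 (394254) under the NDP\v4\Full registry key; the labels and layout are my own.

```powershell
# Added prerequisite check (not the original guide's attached script).
# Run it in a PowerShell window started with "Run as administrator".

function Test-RemovalPrerequisites {
    $results = [ordered]@{}

    # 1. PowerShell major version must be 5 (this is what $PSVersionTable shows).
    $psMajor = $PSVersionTable.PSVersion.Major
    $results['PowerShell 5.x'] = ($psMajor -ge 5)

    # 2. .NET Framework 4.x build, read from the documented Release value.
    $ndpKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $ndpKey -ErrorAction SilentlyContinue).Release
    $results['.NET 4.5.2 or newer'] = ($release -ge 379893)
    $results['.NET 4.6.1 or newer'] = ($release -ge 394254)

    # 3. Execution policy. RemoteSigned lets local scripts run and requires a
    # valid signature only on scripts that carry the "downloaded from the
    # internet" mark, which is why the guide asks for it rather than Unrestricted.
    $policy = (Get-ExecutionPolicy).ToString()
    $results['Execution policy allows local scripts'] =
        (@('RemoteSigned', 'Unrestricted', 'Bypass') -contains $policy)

    # 4. Elevation: the download script needs to write outside the user profile.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $results['Running as administrator'] =
        $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    return $results
}

$checks = Test-RemovalPrerequisites
$checks.GetEnumerator() | ForEach-Object {
    $state = if ($_.Value) { 'OK     ' } else { 'MISSING' }
    "[$state] $($_.Key)"
}

if (-not $checks['Execution policy allows local scripts']) {
    # Process scope applies to this window only and resets when it closes, so the
    # machine-wide policy stays as it was once the cleanup is done.
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
    'Execution policy set to RemoteSigned for this session.'
}
```

If the .NET lines come back MISSING, install the frameworks from the links above first; the PowerShell check will keep failing until the matching Management Framework is in place.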
You are now ready to unzip the script attached to this post.
All of the tools downloaded require, as of the time of this posting, about 610MB.
IF A TOOL FAILS TO DOWNLOAD IT MAY NEED TO BE UPDATED PLEASE REPORT IT!!
After you have unzipped the script, right click on it and select "Run with PowerShell" to start downloading the tools.
It will go through some prompts and checks. Just follow the directions in the script. Once complete it should look a little something like this.
You are now ready for the next step.