|
Hello Netizens of TeamLiquid,
Introduction:
Since being temp-banned from TL for two days, I was thinking of making something productive that would help people out. Since the only skill I currently have is technical support, trying to manually remove malicious files, why not make a guide on how to do it, amirite? So here we will discuss how to manually check for malware using Folder Options and other tools from the internet.
Having a hard time with your computer? Is it not working or functioning like it should? Getting a lot of pop-up windows from gambling, porn and similar websites? Is the slowdown driving you crazy and making you say "FFFFFFUUUUU……."?
Then no need to worry folks, I'm here to provide step-by-step instructions on how you can check your computer for malware, aka viruses, spyware and the other stuff that makes your computer go shamalaydingdong!
First part: File Arrangement
To manually check each folder for malicious files we first need to arrange them in order. So the first thing to do is open any folder in Windows.
Here is how to do it:
Go to Tools > Folder Options > View tab.
On the View tab, set the following in the list:
• Select: Show hidden files and folders
• Uncheck: Hide extensions for known file types
• Uncheck: Hide protected operating system files (just say Yes when the warning comes up)
• Uncheck: Use simple file sharing
Note on Simple File Sharing: turning it off adds a Security tab to a file's Properties (and Sharing/Security tabs for folders). We need this to remove the viruses manually. Also note that some files are so fucking persistent that they're really frustrating to remove; we will discuss that later.
So there you go, very simple right? The malware hiding in system32 will now show itself naked and desperate to be raped Jae Dong Style. But be wary: in my tech support days, some malware we call rootkits was as hard as "going man to man sex" to remove or even to make show itself. (We will also discuss how to remove rootkits in a different section later.)
This part is about arranging things so that it's very simple to remove all the malware in your system32, Windows or %temp% folders, or any other folder that might be infected by the crazy-ass malware.
Open system32, Windows or whichever folder the malware is hiding in. (Viruses can hide virtually anywhere on your computer, which is a bitch to handle at times.) Click on Views (circled in the screenshot) and click on "Details".
Details: this shows the date a file was last modified (you can add a Date Created column via View > Choose Details). Meaning, if a virus hit your computer on August 1, 2009, then there will be a file created/modified on August 1, 2009, and that file will be the malware itself. Treat the date as a lead rather than proof, though: malware can set its own timestamps to blend in with the system files around it.
Next, right-click > Arrange Icons By > Modified. Then do it again and click on "Show in Groups".
Here is what your system32 or Windows folder will look like:
Isn't it great that you have arranged the files for easy disposal? Check it out, and you'll find all the files created today, last week and last month arranged by category. This is vital for removing all those nasty whiny malware files made by assholes somewhere in their basement.
Part 2: What does a Malicious Software/File aka Malware look like?
You're going balling and chicks dig how awesomely arranged the files on your computer are. I mean, you must be one of those people with psychotic tendencies, since you've become an e-clean freak. Kidding aside, if you don't know what malware looks like, let me help you with that.
Identifying a Malicious File.
1) It doesn't have a Version or a Manufacturer. Yes sir, when you check a certain file (.exe, .dll or other extensions usually used by malware) and it has neither, there is a big possibility that it's a MOFO! But if you're not quite sure whether you really want to remove it, ask Google for help. (Now it sounds like noob advice, but the point is that we are going to ask each website for help.) So for example, say you found a file in your system32 called "CanNoWhoopass.dll"; notice the amount of maliciousity in its name. Now, if you search Google for it and get "No matches found" or "No documents found containing CanNoWhoopass.dll", then you can happily remove it. The other case is when there are thousands of search results and you basically don't know whom to listen to, since one website says it's a mofo while another tells you "it's perfectly safe". Well, if a reputable site (like the ones below) says it belongs to a legitimate program, then don't remove it! It's plausible the file is being used by a legit program, so if you remove it there's a big chance of fail.
Recommended websites that will tell you if it's legit or not:
• Prevx
• BleepingComputer
• ProcessLibrary
• And a whole lot more
Note: sorry I'm not more specific about the websites, but just read up on how to use them and you'll be fine.
2) The easiest way to check for malware when there are multiples, let's say hundreds or a thousand of them:
Check out this screenshot:
As you can see, when you highlight a certain file it should come up with a version and manufacturer. But right now, we can all say this motherfucker has got to go since: 1) it doesn't have a manufacturer, 2) it has an ambiguous name and 3) it looks like the virus that got me on the date I was getting a lot of pop-ups from IE.
Usually they will stay and hatch in system32, but there is lots of malware that sticks itself in other areas of your computer.
Check the following directories for double-checking, or use Autoruns (from Microsoft Sysinternals) to detect the .exe or .dll files the virus is using:
• %temp% (type it in the Run command)
• System32
• Windows
• Windows\Temp
• Program Files
• Documents and Settings\All Users\Application Data
Note: again, if I missed any folders the malware can hide in, please provide them. Then again, malware can also make its own folders, so watch out. They really are nasty creatures that lurk anywhere on your computer.
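As an added example (not part of the original post), the PowerShell script below does the Part 1 and Part 2 triage from the command line: it lists the files in a folder that were modified in the last N days, groups them the way Explorer's "Show in Groups" does, shows the Company/Description/Version that the Properties dialog shows, and adds one check the guide doesn't cover: the Authenticode signature status. Version strings are trivially faked by malware, while a valid Microsoft signature is not, so the signature column is the stronger evidence. The default path (System32) and the 30-day window are my assumptions; run it from an elevated prompt.

```powershell
# Added example, not from the original post. Lists recently modified files in a
# folder the way the guide arranges Explorer (Details view, grouped by Modified)
# and flags executables with missing version info or no valid Authenticode signature.
param(
    [string]$Path = (Join-Path $env:SystemRoot 'System32'),  # assumption: default folder
    [int]$Days = 30                                           # assumption: look-back window
)

$now    = Get-Date
$cutoff = $now.AddDays(-$Days)

# Extensions the guide focuses on; other recent files are listed but not flagged.
$exeLike = @('.exe', '.dll', '.sys', '.com', '.scr', '.ocx', '.cpl', '.drv')

# -Force includes hidden and system files, same as "Show hidden files" in Folder Options.
$rows = Get-ChildItem -Path $Path -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $cutoff } |
    ForEach-Object {
        $file = $_
        $vi   = $file.VersionInfo
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName -ErrorAction SilentlyContinue

        # Same buckets Explorer shows with "Show in Groups" on the Modified column.
        $ageDays = ($now - $file.LastWriteTime).TotalDays
        if ($ageDays -lt 1) { $group = 'Today' }
        elseif ($ageDays -lt 7) { $group = 'Last week' }
        else { $group = 'Last month' }

        $isExe    = $exeLike -contains $file.Extension.ToLower()
        $noInfo   = [string]::IsNullOrEmpty($vi.CompanyName) -or [string]::IsNullOrEmpty($vi.FileVersion)
        $unsigned = ($sig -eq $null) -or ($sig.Status -ne 'Valid')
        if ($sig) { $sigText = $sig.Status.ToString() } else { $sigText = 'n/a' }

        # CHECK = executable with no version info or no valid signature. It is a
        # worklist, not a verdict: plenty of legitimate third-party files are unsigned.
        if ($isExe -and ($noInfo -or $unsigned)) { $flag = 'CHECK' } else { $flag = '' }

        New-Object PSObject -Property @{
            Group       = $group
            Modified    = $file.LastWriteTime
            Created     = $file.CreationTime
            Name        = $file.Name
            Company     = $vi.CompanyName
            Description = $vi.FileDescription
            Version     = $vi.FileVersion
            Signature   = $sigText
            Flag        = $flag
        }
    }

# Sorting by Modified descending also orders the groups: Today, Last week, Last month.
$rows | Sort-Object Modified -Descending |
    Format-Table -GroupBy Group -AutoSize Modified, Name, Company, Description, Version, Signature, Flag
```

Read the CHECK rows the same way the guide reads the Properties dialog: an unsigned file with no company name that appeared on the day the pop-ups started is worth looking up on the sites listed above before you delete it, and a file that carries a valid signature from the vendor you expect can usually be crossed off the list.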
Part 3: Removing the Malwares in your computer:
Now that you know how to find them on your computer, I suggest you take some time to meditate, because this is the worst and most tedious job of all the parts. It's like the battle between good and evil, one versus a thousand; it's frustrating at times, but if you've done the 2nd part correctly and know where the little mofos are coming from, it will be very easy and smooth.
First of all, you have to stop the malware's services and startup entries from running, and the simplest way to do that is to boot into Safe Mode. In Safe Mode only a minimal set of Windows services and drivers loads, so third-party services and autorun entries (which is how most malware starts) do not run. This is usually the best time to remove the malware from your computer. Of course, this tutorial is not about removing them by scanning with an anti-virus program, but with your own skills and wit. (I know for a fact that anti-virus programs sometimes fail big time at removing all the malware on a computer.)
So here we go:
You found a malicious file in system32, and when you try deleting it in Safe Mode it just shows you "Access Denied". So it's using resources on the computer, which is also why it's so darn slow. Then you have an epiphany: what if no one can run these damn files? Try it via the following:
Right-click the file > Properties > Security tab:
Click Advanced, untick "Inherit from parent the permission entries… blah blah blah…", choose Remove, then OK and OK again.
After doing that you'll see there are no more accounts with access to the file. Restart the computer in Safe Mode again and try deleting the file. If that doesn't work the first time, try this:
Right-click the file > Properties > Security tab again, and click the Add button. Type Administrator (or whichever account you are using), click Add, then OK and OK again. After that, tick Full Control for Administrator, then try deleting the persistent a-hole; that should work.
Unfortunately, you really have to do this over and over until you have removed all the malicious files on your computer. After that, you can say bye-bye to those bitches and be a happy StarCraft player once again.
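Added example (not part of the original post): the same "Access Denied" fix as above, but from an elevated prompt, for when the Properties > Security route isn't available (Home editions without the Security tab, or Safe Mode with Command Prompt). It uses the built-in takeown.exe and icacls.exe (Vista and later; on XP the cacls.exe equivalent is noted in the comments) to take ownership and grant Administrators full control, tries the delete, and if the file is still locked it queues the delete for the next boot through the PendingFileRenameOperations value, which the Session Manager processes before any service or autorun entry has a chance to open the file. The file path is an assumption; pass the one you identified.

```powershell
# Added example, not from the original post.
# Usage: .\Remove-LockedFile.ps1 -Target 'C:\WINDOWS\system32\CanNoWhoopass.dll'
# (the path is an assumption; use the file you identified). Run from an elevated prompt.
param(
    [Parameter(Mandatory = $true)][string]$Target
)

if (-not (Test-Path -LiteralPath $Target)) { throw "Not found: $Target" }

# 1. Take ownership and grant Administrators full control. *S-1-5-32-544 is the
#    Administrators group SID, so this also works on non-English Windows.
#    XP has neither tool; use: cacls.exe "<file>" /E /G Administrators:F
& takeown.exe /F $Target | Out-Null
& icacls.exe $Target /grant '*S-1-5-32-544:F' | Out-Null

# 2. Plain delete first; this is what the guide's Security-tab procedure ends in.
Remove-Item -LiteralPath $Target -Force -ErrorAction SilentlyContinue
if (-not (Test-Path -LiteralPath $Target)) {
    Write-Host "Deleted: $Target"
    return
}

# 3. Still held open (or protected by a driver): queue the delete for the next boot.
#    PendingFileRenameOperations is a REG_MULTI_SZ of (source, destination) pairs in
#    NT path form; an empty destination means "delete". Session Manager applies it
#    early in boot, before services and autorun entries start.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$name   = 'PendingFileRenameOperations'
$ntPath = '\??\' + (Resolve-Path -LiteralPath $Target).ProviderPath

$existing = @()
$prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($prop) { $existing = @($prop.$name) }   # keep anything Windows already queued

$pending = [string[]]($existing + @($ntPath, ''))
Set-ItemProperty -Path $key -Name $name -Value $pending -Type MultiString
Write-Host "Still locked; scheduled for deletion at next reboot: $Target"
```

After the reboot, check that the file is really gone and that nothing recreated it: a rootkit or a second dropper that's still running will simply put it back, which is the case where the GMER step in "The tools of the trade" has to come first.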
The tools of the trade:
The Nuke:
ComboFix: why the hell am I calling this the nuke? Because you use it at your own discretion. Man, there were times when, after using its awesome tigerness, the computer worked like a newborn baby; then again, this thing can also drive you crazy, since it damages the system when the update is fucked. (The tool carries a database of malicious files that need to be removed; some people update with the wrong file and voilà, FUC: Fucked Up Computer.) So please, only go and blow them away with this if you're pretty sure about it.
There are also variants like noob-killer (I think that's the name), SDFix and others with the same malware-removal process, but this is the big momma of them all.
Note: ComboFix is better used in Safe Mode ^_^
The Scanner:
Autoruns: this Sysinternals tool lists everything that is configured to start automatically on your computer (Run keys, services, drivers, scheduled tasks, browser helper objects and so on), which is exactly where malware plants itself to survive a reboot. The great thing about it is that it actually looks at each file and shows you the manufacturer and version. So, if you see a little fucker with no version or manufacturer information, go ahead and make its day.
The Observer/Science Vessel
GMER: this application is used to detect rootkits hidden on your computer. It's usually used when you are sure all the malware on the computer has been removed but it still runs like it's being anally tortured or something. So if I were you, I'd run this first, before going through the process of manual checking and removal.
Btw, some malware can detect the presence of these godly weapons, so if you can't run them, rename them to something else with a different extension, like .com rather than .exe, aight?
Also, if you ever find a hidden rootkit on your computer (sometimes ComboFix finds them, sometimes not so much luck; then GMER is the tool to use), just right-click the entry shown in red and click Disable service. That should work awesomely!
Note: if you have other tools you've used for removing malware, please post them in this thread and I will gladly put them in the OP.
This should be my first ever official contribution to the website; if I ever learn new computer skills I'll try to provide more guides, or anything else that will entertain you people.
Footnote: please give me feedback if I made a mistake here or there, or if you want to add some more steps that would be beneficial to this thread.
Also, if you have malware on your machine, ask R1CH, not me (because I know deep in my heart my knowledge is nothing more than a speck in his universe).
GG’s everyone!
Edit: just found out this is my 666th post! Edit2: sorry if there are a lot of grammatical errors; if you can't understand some parts, let me know so I can change them. Thank you!
Update:
Provided by DeerDance
1. Rule: DON'T USE IE, go for Opera or Firefox.
2. Use some goddamn antivirus; try Avira or Avast, both are free (Avast doesn't have that damn pop-up that Avira has).
3. Never ever ever run any exe that comes from an unknown source, for example a codec you get when you browse some porn, or some anticheat for some crappy Russian CS server.
4. Always be ready to reinstall and always have a backup of important stuff.
Provided by citi.zen 
One suggestion is to simply go to View > Choose Details > tick "Company" and "Description" to go through the sys32 list faster.
|
I can now download porn with no stress about infecting my computer, thank you.
|
Goddamn! That was great; can you ban him for 4 days now and see if he can come up with something even more awesome?
|
On September 09 2009 12:46 nttea wrote: Goddamn! that was great, can you ban him for 4 days now and see if he can come up with something even more awesome?
Lol, that's funny, but damn man, where were you last year when I had a virus so bad I had to reset to factory settings!!! Thanks for the guide, really useful info. I might do one like this; anything people really want?
|
Potentially very useful. Everyone give this forum goer a pat on the back, we need more like him around!
|
Nice writeup, way to work in the right direction.
|
I would like to know if R1CH approves of this first.
But it does seem really down pat, nice work.
|
This approach is like trying to kill an Ultralisk with Probes. Though it may take a long time, it will eventually work. You just need a lot of Probes.
edit: P.S. all silliness aside, nice job with the guide, this is actually quite useful!
|
Thanks a lot! Gonna check this out soon.
|
This should help everyone's porn adventures be safe and insured.
|
Before I try this, jw, does this apply to Vista as well?
|
Seriously, ban him for another two days please!! :D:D
|
BEST FUCKING GUIDE EVER
The malwares which are hidden in system32 will show itself naked and desperate to be raped Jae Dong Style. But be wary, in my days of tech supporting some malwares we call rootkits are as hard as “going man to man sex”
|
With the downloading porn part, I do have some known websites that will not infect your computer with viruses, but you have to PM me.
Btw, if you ever feel there is a virus on your computer, always check system32 because they like staying there.
Yes, also applicable to Vista.
|
Wow, it's a nice guide and I learned some new stuff, but going that way is absofucking ridiculous...
1. Rule: DON'T USE IE, go for Opera or Firefox.
2. Use some goddamn antivirus; try Avira or Avast, both are free (Avast doesn't have that damn pop-up that Avira has).
3. Never ever ever run any exe that comes from an unknown source, for example a codec you get when you browse some porn, or some anticheat for some crappy Russian CS server.
4. Always be ready to reinstall and always have a backup of important stuff.
That's all; eventually, if you visit lots and lots and lots of porn and some warez sites, or other naughty sites, you will get some malware anyway, but reinstalling XP once a year is fine for me...
|
Thanks DeerDance! Added to the OP.
|
One suggestion is to simply go to View > Choose Details > tick "Company" and "Description" to go through the sys32 list faster.
|
Sorry to bump this, but I appear to have the Vista Antivirus 2010 virus. My system slowed right down and was bombarded with virus warnings and demands that I download and buy the software to clean up the thousands of viruses I apparently have. I was intelligent enough to recognise that the warnings were the virus, but failed at solving it. My basic technique was to bring up Task Manager, go to Processes, open the containing folder, end the process tree and then delete av.exe, which was the file that was causing it all. Doing that did stop the virus, but it also fucked my computer up. Every time I tried to run anything it asked me what program I wanted to open it with, despite the fact that I was attempting to run .exe files. I have thus been forced to restore the virus and seek more knowledgeable assistance.
My problem now is that it's probable that whoever wrote the virus is aware that cocky, computer-illiterate people like myself will be competent enough to recognise the virus when they see it but incapable of removing it themselves. They will therefore google it, download the first thing they find and run it, in their arrogant assumption of their own victory over such an obvious virus. I'd rather not do this because I don't know what I'm doing and don't know who or what to trust.
And that of course brings me to TL, where there's an expert on everything and someone will have dealt with this problem before. I followed the steps here up to the Safe Mode step, which my computer refused to boot into (hit F8, nothing happened, tried again, nothing happened). The problem has been dealt with in the short term. All the files I think are virus ones have lost all run permissions and the virus itself has been end-processed. So in theory it's still there but dormant, with no way of turning itself back on. But the fact that I can't delete it because it's in use suggests otherwise.
I've scanned the virus files several times with both Sophos and AVG (uni makes me have Sophos and the comp came with AVG), but Sophos gets an error on them and AVG thinks they're clean.
|
@KwarK
LOL, the guy that wrote this bogus "AntiVirus" does update his damn malware....
Try going into "Safe Mode with Networking", then download GMER first. Try running that to remove the rootkits first, then go on to remove the malware by updating your antivirus.
(Disclaimer: it's been a very, very long time since I've handled a malware case, around 5 months ago, so I'm not that good / really rusty at troubleshooting.)
I hope R1CH backs me up on this
If anything, check whether your antivirus package comes with free tech support; they'd probably remote-control your computer to remove this piece of shit.
EDIT: just chatted with one of my fellas who's still working at the AV company, and he told me their free online scanner does wonders at the moment:
CLICK ME <--- Run this on your computer and let's see what happens!
GoodLuck!
|
I don't know any more about anti-malware than the next guy, but I did see a guide on how to remove this malware: http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010.
In case the virus blocks you from visiting BleepingComputer, I copy-pasted the guide below:
Automated Removal Instructions for XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010 using Malwarebytes' Anti-Malware:
1. For the first part of this removal guide you will need to use a different computer than the infected one. This is also a tricky rogue to remove, so please follow the instructions carefully. If you are concerned about whether or not you can do this, do not be, as I have made these instructions easy to follow for people of any computer expertise.
2. From another computer, please download Malwarebytes' Anti-Malware, or MBAM, and the reg files from the following locations and save them to external media such as an external hard drive or a USB flash drive. We will then use the external drive or flash drive to transfer these files to your infected computer. If you do not own a USB flash drive, you can get one from any local or online computer store for a small price. An example of a good and cheap one can be found at Newegg. The files that you should download onto this device are:
Malwarebytes' Anti-Malware Download Link - Everyone should download this
FixExe.reg - Everyone should download this
3. Once you have downloaded all the necessary files to a removable device, you need to plug it into your infected computer so it can access them.
4. On the infected computer make sure XP Internet Security 2010, Antivirus Vista 2010, or Win 7 Antispyware 2010 is running. If it is not, you can launch it by running any program on your computer as that will trigger the rogue program to run. Once running, do not close it during the entire length of this guide.
5. Now open the drive that corresponds to the removable media that you copied the programs from step 2 onto. Once open, double-click on the FixExe.reg file. When Windows prompts whether or not you want to allow the data to be added to your computer, click on the Yes button.
6. Now you should be able to run the mbam-setup.exe file that you saved on your removable media in step 2. Double-click on this file to install MalwareBytes' on to your computer. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If you already have MalwareBytes' installed, simply launch it now and continue to step 8.
7. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
MalwareBytes Anti-Malware Screen
8. On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010 related files.
9. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
MalwareBytes Anti-Malware Scanning Screen
10. When the scan is finished a message box will appear as shown in the image below.
MalwareBytes Anti-Malware Scan Finished Screen
You should click on the OK button to close the message box and continue with the XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010 removal process.
11. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
12. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
MalwareBytes Scan Results
You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
13. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
14. You can now exit the MBAM program.
Your computer should now be free of the XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010 programs. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.
If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:
|
Good luck, let me know if you have issues. MalwareBytes is your best friend and I prefer Avira to AVG (it's free too) due to their interface.
|
Nice guide; I remember one of my college profs teaching the same thing. He said it's more useful than the subject he's teaching, but he also removed some things in the registry related to the virus; I forgot why, sorry...
Uhm, also, some viruses disable Task Manager and Folder Options; you may want to add how to enable them again using regedit or other ways. Sorry, I'm too lazy to do it while inside school.
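As an added example (not from any post in this thread; the FixExe.reg linked above is not reproduced on the page and may differ from this), here is a registry file that undoes the two things the rogue antiviruses discussed here do: the hijacked .exe association that made KwarK's machine ask which program to open .exe files with, and the policy values that disable Task Manager and Folder Options. The values are the stock Windows defaults. Save it as fix.reg and double-click it; .reg files open with regedit.exe through their own association, which is why this still works when .exe files won't launch.

```reg
Windows Registry Editor Version 5.00

; Restore the default .exe association so double-clicked programs run again
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile]
@="Application"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

; Remove per-user overrides that rogues often plant to hijack .exe (harmless if absent)
[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\exefile]

; Re-enable Task Manager and Folder Options if the malware disabled them
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000000
```

Importing this only repairs the shell; it does not remove the rogue, which will re-hijack the association the next time it runs. Do it right before the scan (as the BleepingComputer steps above do), or from Safe Mode.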
|
Fake antivirus software is something known as smitfraud. It is actually very annoying to get rid of with Malwarebytes and other antispyware software. You may want to download SmitfraudFix, available at http://siri.geekstogo.com/SmitfraudFix.php . It is what we use (along with GMER) to fix these problems at work.
|
Uh, one more bump. 
I just got hit yesterday. Basically the same thing as KwarK, but for Vista. I spent most of yesterday and today trying some of the steps found here: http://www.teamliquid.net/forum/viewmessage.php?topic_id=67148.
But I couldn't get anything running; every time I tried to load a webpage in IE for an online scan it wouldn't let me and just redirected me to the malware's fake website. This happened with programs too: my antivirus and other programs would not load, saying "program".exe could not be executed because it was infected, and the malware would then shut it down. Couldn't even get Task Manager up. Basically I had non-stop pop-ups and things telling me to register for the fake antivirus thing and that someone was attacking/hacking me.
I just did a System Restore to three days earlier and it seems to be working fine now. Simple question: am I safe, or is the virus still here, just not visible? All I could manage to do was a System Restore. Doing a full computer scan now, but it's going to take a while to finish. Any help is appreciated.
|
I just did a System Restore to three days earlier and it seems to be working fine now. Simple question: am I safe, or is the virus still here, just not visible? All I could manage to do was a System Restore. Doing a full computer scan now, but it's going to take a while to finish. Any help is appreciated.
If you reformatted, you're good. Not sure exactly what you mean; I don't do computers too well.
I got the Vista Antivirus thing as well. I decided not to fuss about it and just reformatted to Windows 7 (from Vista). It created a Windows.old folder with all my old things; is the virus still there? Or did it not take the files which had the virus in them? I just looked, there's a system32 folder in there, but I didn't want to poke around. Should I pull my files off, then delete it? Or am I safe to keep it?
|