Many of you here seem to be relying on your anti-virus program to remove viruses, and then you're coming to me dismayed about why it doesn't work. From now on, no one will be able to ask me to remove viruses. Do it yourself.
That said, here's how to do it yourself.
A few crucial points before we begin.
1. All anti-virus programs are garbage, and they often fail to remove the entire infection. Do not trust your anti-virus.
2. You will need tools: Process Explorer (http://download.sysinternals.com/Files/ProcessExplorer.zip), Autoruns (http://download.sysinternals.com/Files/Autoruns.zip), cacls (which is already present on your computer), and GMER (http://www.gmer.net/gmer.zip).
3. Download those tools before you begin.
4. Google is your friend. If you see an unfamiliar file and don't know what to do with it, if you see a symptom and don't know how to fix it, if you don't know what these tools do... catching a pattern? If you don't know, look it up.
Now then, notes about what each tool does in turn.
Process Explorer displays a list of everything that is running on your computer right now. Process Explorer is your friend. To get the maximum functionality out of Process Explorer, use the menu: go to View, Lower Pane View, DLLs, and if it's not already checked, Show Lower Pane. You will need this view to find anything but the most basic viruses.
Autoruns creates a list of everything that starts up on your computer when you boot up. To get maximum functionality from Autoruns, use the menu: Options, Hide Microsoft and Windows Entries, and Verify Code Signatures. You will need these settings to find any viruses at all.
cacls is already on your computer. To use cacls, open a command prompt (XP: select Run... from the Start menu, type cmd, then type cacls; Vista: type cmd into your search box, right-click the result and choose Run as administrator so that cacls is allowed to change files in system32, then type cacls). cacls maintains access control lists; file permissions, if you will. The idea behind cacls is to deny access rights to virus files, so that no part of your computer can read the virus files.
cacls takes the following form:
cacls filename /p guest:n
This replaces the permissions on the file named filename with a single "no access" entry, so no account on the computer can read, load or run it. I'll elaborate on this further down.
GMER detects rootkits, that is, files that are hidden from Windows Explorer and the other tools. It doesn't delete them or handle them in any way, it merely lists them. With the list, you can then use cacls or just a plain old delete, if the computer allows it.
On to detection sequences. I'm going to use a very simple example: a virus called "Antivirus 360". If you have a computer you don't mind infecting, preferably not a critical computer that has everything you need, you can follow along with the removal steps below. As for getting the virus yourself, offensivecomputing.net has it. The directions for a test sample of the virus can be found within. You'll need to create an account, register and all that jazz, and electronically sign an agreement knowing you're going to download a virus and that you understand the risk and harm in doing so.
Antivirus 360, however, is a very weak virus with no risk or harm. The goal of Antivirus 360 is to scare you into handing over your credit card number, by presenting you with very long lists of viruses that don't actually exist.
I'll be removing this virus on my recently infected Eee with the version I got from offensivecomputing.net. Note that these instructions are for any virus, not just this one.
The first step is to open up Process Explorer and to locate any dangerous files. In this case, the file is A360, spawned by explorer.exe. It's kind of obvious: the fake security shield, obvious filename, and the path (C:\Program Files\A360\A360.exe). Kill this process by right-clicking on A360.exe and selecting "Kill". All traces of the virus appear to be gone, but we've just scratched the surface.
With the virus out of active memory (as in, "not running right now"), we can go ahead and delete it. Open up a Windows Explorer window, navigate to C:\Program Files\A360\, and delete A360.exe. That wasn't so hard, was it?
Now, A360.exe will keep coming back. There are a couple more files to be on the lookout for. Back to Process Explorer, I found that under explorer.exe, there were two DLL files that don't belong: mDrGbhEX.dll and QfggRXdS.dll.
The rules for finding virus DLL files are fairly simple: if you can't pronounce it, if it doesn't have a description or an author, if it shows up in purple (Process Explorer colours packed images purple), or if it uses weird caps like the two examples above, it is a virus.
Removing these two DLLs is a fairly simple process. Run cmd (it's listed up top in the cacls section), and use the following to get to the windows\system32 folder:
You'll usually start out somewhere like C:\Documents and Settings\MiriaRose>. Use these commands to move about in the structure:
cd.. - Go one folder up. (One folder up is the difference between C:\Documents and Settings\MiriaRose\ and C:\Documents and Settings\.)
cd foldername - Go into the folder with that foldername. (From C:\>, typing cd windows will take you to C:\Windows\. Typing cd windows\system32 will take you to C:\Windows\system32.)
Once you're in the windows\system32 folder, the two virus files can be found within, mDrGbhEX.dll and QfggRXdS.dll. However, if we try:
del mDrGbhEX.dll
it fails, because of "Access is denied", or "The specified module is in use". Either error message can be fixed with the use of cacls. As you've seen above, cacls can be used to deny rights to files. If I were to:
cacls mDrGbhEX.dll /p guest:n
cacls QfggRXdS.dll /p guest:n
the computer would prompt me to check that I really wanted to; I type Y, and then it says "processed file: mDrGbhEX.dll." Doing that for both files, they're now unreadable and therefore useless. However, they're still loaded in memory. The best way to kick them out of the computer is to reboot.
One reboot later, Windows comes up with two error messages: "Error: cannot access mDrGbhEX.dll." and "Error: cannot access QfggRXdS.dll." This is normal, and encouraged: the startup entries that used to load the DLLs are still there, but they can no longer read the files. The virus is gone, but there's one more thing to do, and that is to kill these error messages.
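As an added example that is not part of the original post, here is a batch file that does the cacls-then-reboot-then-delete sequence above for any number of DLL names, and checks its own work at each step. The file name neuter.cmd, the [info]/[ok]/[fail] labels, and the autorunsc flags are my assumptions (autorunsc.exe is the command-line version shipped inside the Autoruns.zip linked above; tasklist /m is the XP Pro/Vista command that lists which processes have a module loaded).

```batch
@echo off
rem Constructed example (not from the original post): apply the cacls lock-out
rem described above to one or more DLLs, then delete them after the reboot.
rem   Before reboot:  neuter.cmd lock   mDrGbhEX.dll QfggRXdS.dll
rem   After reboot:   neuter.cmd delete mDrGbhEX.dll QfggRXdS.dll
rem Run from an administrator prompt on Vista; names are resolved in system32.
setlocal
set MODE=%~1
if "%MODE%"=="" goto usage
shift
if "%~1"=="" goto usage
set NAMES=
cd /d "%SystemRoot%\system32"

:loop
if "%~1"=="" goto done
if not exist "%~1" (
    echo [skip] %~1 not found in %CD%
    goto next
)
if defined NAMES (set NAMES=%NAMES% %~1) else (set NAMES=%~1)
if /i "%MODE%"=="lock" (
    rem Show who has the DLL loaded: this is why "del" fails with "in use".
    echo [info] processes that currently have %~1 loaded:
    tasklist /m "%~1"
    echo [info] ACL before:
    cacls "%~1"
    rem /p replaces the whole ACL with one entry, guest:n (no access), so nothing
    rem can read or load the file; "echo y" answers the "Are you sure" prompt.
    echo y| cacls "%~1" /p guest:n
    echo [info] ACL after:
    cacls "%~1"
)
if /i "%MODE%"=="delete" (
    del /f "%~1"
    if exist "%~1" (
        echo [fail] %~1 is still present, so it is probably still loaded; reboot and retry
    ) else (
        echo [ok]   %~1 deleted
    )
)
:next
shift
goto loop

:done
if /i "%MODE%"=="lock" echo Reboot now, then run "%~nx0 delete" with the same names.
if /i "%MODE%"=="delete" (
    rem Startup entries that still point at the deleted DLLs cause the
    rem "cannot access" errors at logon. The autorunsc flags (-a * all entries,
    rem -c CSV, -v verify signatures) are assumed; check "autorunsc -h" if they differ.
    echo [info] remaining autostart entries that mention these names:
    autorunsc -accepteula -a * -c -v | findstr /i /l "%NAMES%"
    if errorlevel 1 echo [ok]   none found
)
endlocal
goto :eof

:usage
echo usage: %~nx0 lock^|delete file1.dll [file2.dll ...]
endlocal
```

The lock step prints the ACL before and after the change so you can see that the file now carries nothing but a "no access" entry; the delete step re-checks that the file is really gone, and any autorunsc line it prints afterwards is an entry you still need to uncheck in Autoruns.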
Open Windows Explorer, and find the windows\system32 folder. Delete mDrGbhEX.dll and QfggRXdS.dll. They are gone now.
Open Autoruns, and let it scan. Check the whole list over for entries whose names are mDrGbhEX.dll and QfggRXdS.dll. Uncheck those lines and close Autoruns. When something is unchecked in Autoruns, that something won't start up anymore. (If you're careful, very careful, Autoruns is a fine way to make your computer boot faster.)
Now there is absolutely no trace of Antivirus 360 on the computer. For harder viruses, you'll have to use your brain, and the tools and methods I've demonstrated here. Enjoy!