Featured Tool – Anti-Malware Toolkit

I came across a great tool today for malware removal – the Anti-Malware Toolkit is a program that contains a collection of applications available to download to help a user clean their computer and keep it in excellent running condition.  Many of the tools it downloads I already use to clean up malware infestations – now they're available in one easy-to-use utility.  Find out more or give it a try at http://wiki.lunarsoft.net/wiki/Anti-Malware_Toolkit

Removing WinAntivirus Pro Malware

Yesterday I was presented with another opportunity to remove malware from a client computer – it was infected with a number of items, however WinAntivirus Pro was the trickiest of the bunch.  Currently my malware removal steps are typically as follows:

Boot into Safe Mode and run SmitFraudFix.exe
If prompted, reboot into normal mode and log in as the SAME user you ran it as above (usually the local admin)

Boot into Safe Mode and run SDFix.exe
Reboot into normal mode and log in as the SAME user

Download and run RogueRemover Free Edition from Malwarebytes (this is the key to removing some of the trickier items as of late)

Run Trend Micro HouseCall – I do this even if the machine has a local antivirus or an AV of choice – usually I end up running this and following it up with a Sophos Antivirus install once the system is mostly clean.

*Most malware these days changes security policy to lock users out of things such as running regedit, changing IE settings, or getting into key areas of the system.

In this case the malware locked me out of IE Options – I was able to launch Internet Explorer in Safe Mode from Start, Programs, Accessories, System Tools and disable any suspicious add-ons.  Then open IE in normal mode and go to Tools, Internet Options, Advanced, and perform the Reset option – this resets the entire IE setup to factory default settings – I recommend this with any malware infection.  This solved my lockdown issues, but more often it's a registry setting that prevents you from accessing something.
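The registry settings behind most of these lockouts are ordinary Windows policy values that the malware flips on (regedit and Task Manager under Policies\System, Folder Options and Run under Policies\Explorer, Internet Options under the Internet Explorer policy keys). The script below is an added example, not part of the original post or of any of the tools mentioned: it audits those values and, with -Fix, deletes the ones it finds. The key and value names are the standard Windows policy locations; which of them a given infection sets is an assumption, so read the report before fixing. PowerShell is not blocked by DisableRegistryTools (that value is enforced by regedit.exe itself), which is what makes this useful when regedit won't open.

```powershell
# Added example (not from the original post): audit the policy values rogue-AV
# malware commonly sets to lock a user out of regedit, Task Manager, Folder
# Options and Internet Options. Run with -Fix to delete the values it finds.
# Key/value names are the standard Windows policy values; the assumption that a
# given infection set them is yours to confirm from the report.
param([switch]$Fix)

# Any non-zero DWORD means "restricted"; a missing value means the default (unrestricted).
$checks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Effect = 'regedit blocked' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Effect = 'Task Manager blocked' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Effect = 'regedit blocked (machine-wide)' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Effect = 'Folder Options hidden (keeps hidden files hidden)' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun';                Effect = 'Start > Run removed' },
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions';  Name = 'NoBrowserOptions';     Effect = 'Tools > Internet Options blocked' },
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'; Name = 'Advanced';             Effect = 'Internet Options > Advanced tab blocked' },
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'; Name = 'HomePage';             Effect = 'home page locked' }
)

$findings = @()
foreach ($c in $checks) {
    if (-not (Test-Path $c.Key)) { continue }
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { continue }
    $value = $item.($c.Name)
    if ($value -ne 0) {
        $findings += New-Object PSObject -Property @{
            Key = $c.Key; Name = $c.Name; Value = $value; Effect = $c.Effect
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No lockdown policy values found.'
} else {
    $findings | Format-Table Key, Name, Value, Effect -AutoSize
    if ($Fix) {
        foreach ($f in $findings) {
            # Deleting the value restores the default (unrestricted) behaviour. If a
            # domain Group Policy legitimately sets it, GPO refresh will put it back.
            Remove-ItemProperty -Path $f.Key -Name $f.Name
            Write-Host "Removed $($f.Key)\$($f.Name)"
        }
        Write-Host 'Log off and back on (or restart explorer.exe) for Explorer and IE to pick up the change.'
    }
}
```

Run it first without -Fix and compare the hits against what the user actually can't open; on a domain-joined machine a NoRun or HomePage value may be a legitimate Group Policy rather than malware, and clearing it only lasts until the next policy refresh.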

Often I will also run WinsockFix, as this resets the TCP/IP stack and removes anything that might be hooked into the network stack (this may be redundant, as some of the above tools do some of this as well – I'd rather overdo it).

Once things seem clean I will often do a system file check by going to Start, Run and typing "SFC /scannow" – you will need your XP CD handy, and it should be at the same service pack level as the installed system or SFC will keep asking for it – this checks your core system files to ensure they have not been modified or corrupted.

Finally I download Dial-a-fix and run the complete range of utilities, with the exception of flushing the software cache.  This fixes Windows Installer and Windows Update as well as several other aspects of the Windows system.

At one point in the process I reran RogueRemover and it kept finding a C:\WAP6 folder on my hard disk – I went and looked manually and found there was actually a hidden folder.  In my case the malware had actually removed administrator rights from the folder, so I was unable to retake ownership, change permissions or modify the folder either by traditional means or using CACLS from the command line.

As a last-ditch effort to get permissions back on the folder, I reset NTFS permissions on the entire drive (be careful with this, as it will overwrite any custom permissions you have set up).

To do this go to Start, Run, and type "cmd".
In the command window type "CD C:\WINDOWS\SECURITY\TEMPLATES" (if Windows is installed elsewhere, use CD %WINDIR%\SECURITY\TEMPLATES).
Verify that "Setup Security.inf" exists in the folder.
Type the following on one line – the quotes around the template name are required because of the space, and the /DB file name is arbitrary (secedit creates a new database with that name in the current folder):
SECEDIT /CONFIGURE /CFG "SETUP SECURITY.INF" /DB WAISAW.SDB /VERBOSE
This reapplies the install-time default security template (file and registry ACLs, service settings and account policies), which is why it undoes the malware's changes but also any custom permissions.  Wait for the process to complete, check %WINDIR%\SECURITY\LOGS\SCESRV.LOG for errors, and reboot your system.

You should now be able to rerun RogueRemover and complete the cleanup of the malware folder.
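Before reaching for the drive-wide secedit reset, it helps to know exactly which hidden folders have had their permissions tampered with, since a hidden folder at the drive root that Administrators cannot read is the symptom described above.  The following check is an added example, not from the original post or from any of the tools it mentions: it lists hidden folders in a drive's root and flags any whose ACL cannot be read, carries an explicit Deny for BUILTIN\Administrators, or has no Allow entry for Administrators at all (the C:\WAP6 case).  The list of known-good hidden root folders is an assumption and may need adjusting for your build.

```powershell
# Added example (not from the original post): find hidden folders in a drive root
# whose NTFS permissions lock out the local Administrators group. The known-good
# names below are an assumption (standard XP/NTFS system folders); extend as needed.
param([string]$Drive = 'C:\')

$knownGood = @('System Volume Information', 'RECYCLER', 'MSOCache')
$admins    = 'BUILTIN\Administrators'

# -Force includes Hidden and System items that a plain dir would skip.
$hiddenFolders = Get-ChildItem -Path $Drive -Force | Where-Object {
    $_.PSIsContainer -and
    (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
    ($knownGood -notcontains $_.Name)
}

$report = @()
foreach ($folder in $hiddenFolders) {
    $owner  = ''
    $status = 'ok'
    try {
        # -ErrorAction Stop turns the access error into a catchable exception.
        $acl   = Get-Acl -Path $folder.FullName -ErrorAction Stop
        $owner = $acl.Owner
        $rules = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $admins }
        $denied  = [bool]($rules | Where-Object { $_.AccessControlType -eq 'Deny' })
        $allowed = [bool]($rules | Where-Object { $_.AccessControlType -eq 'Allow' })
        if ($denied) {
            $status = 'SUSPICIOUS: explicit Deny for Administrators'
        } elseif (-not $allowed) {
            $status = 'SUSPICIOUS: no Allow entry for Administrators'
        }
    } catch {
        # Reading an ACL needs READ_CONTROL; malware that strips every ACE removes that too,
        # which is the state where cacls also fails and the secedit reset is needed.
        $status = 'SUSPICIOUS: ACL unreadable (' + $_.Exception.Message + ')'
    }
    $report += New-Object PSObject -Property @{
        Folder = $folder.FullName; Owner = $owner; Status = $status
    }
}

if ($report.Count -eq 0) {
    Write-Host "No unexpected hidden folders in $Drive"
} else {
    $report | Format-Table Folder, Owner, Status -AutoSize
}
```

Anything flagged here is what to hand to RogueRemover or delete manually once permissions are back; a folder with an unreadable ACL is the one case where the secedit reset above (or a boot from other media) is the only way forward, since both Explorer and cacls need READ_CONTROL just to see the existing entries.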

These steps are by no means a comprehensive cleanup but are meant to give ideas.  In general I recommend that a system have all software reloaded (a wipe and reinstall from known-good media) after a malware infection – with the sophistication of malware these days we can never be sure it is completely gone, and even when a user thinks their system is fine there may be code hidden away capturing bank information or credit card data.

Malware Removal Tool – SmitFraudFix Updated

The malware removal tool SmitFraudFix has been updated to v2.334.  This tool, for Windows XP and Windows 2000, has saved more than a few computers for clients, friends, and relatives recently.  Grab the Updated Download Here