The Randem Group - Your Installation Specialist

Procedures For Removing Tough Infections


The first thing to know is that if your computer has one infection that you know about, it probably has five or more that you do not know about. There are many places to start when removing infections from a computer, so I will describe the most likely starting points depending on what the computer is actually doing. The first step is always to determine what is currently happening. For this article we will take on one of the toughest infections I have seen, which should make things interesting…


The most frustrating infections to remove are the ones that take hold of the computer to the point that you cannot log on at all. You have absolutely no control of the machine. Some of these also infect "Safe Mode" so that you cannot do anything there either; talk about tough! Let us start with how to regain control of the computer so that this type of infestation can be removed. Since you cannot get into the operating system, this is almost impossible the conventional way, so here is the unconventional way.

First, remove the hard drive from the infected computer and place it in a USB external drive enclosure so that you can attach it to another (clean) computer, view the drive contents and make changes to it. Before you plug it in, turn off AutoPlay on the clean computer and open the drive from Windows Explorer rather than from any AutoPlay prompt: Windows XP will honour an autorun.inf sitting on an attached USB drive, and that is exactly how many of these infections spread. If you do not have a USB enclosure, boot the infected computer from a Bart PE CD instead and use a USB flash drive to copy the tools described below onto the infected drive.

Next, delete all the restore points, which live in the folder named "System Volume Information" in the root of the drive. The folder is locked down to the SYSTEM account, so on the clean computer you will normally have to take ownership of it first (Properties->Security->Advanced->Owner; on XP you may need to turn off Simple File Sharing in Folder Options before the Security tab appears). Infected files that have been copied into a restore point would otherwise come straight back the first time System Restore is used.

To regain access to the operating system once the drive goes back into the computer it came from, we need a few tools ready. One such tool is a batch file that I created that repeatedly re-enables Task Manager. This gives you the ability to get into Task Manager and kill the suspect processes that have taken over the computer. The download for this fix can be found here: Task Manager Enable.


What we will do with this batch file is insert it into the startup items so that the OS runs it automatically when the computer restarts. The paths below are for Windows XP and earlier; Vista and Windows 7 keep the all-users Startup folder under ProgramData\Microsoft\Windows\Start Menu\Programs\Startup and protect it with tighter permissions, so the same trick does not carry over unchanged. The instructions are as follows:


  1. Open the infected drive (in the USB enclosure, or the USB flash drive if you are working from Bart PE) in Windows Explorer.
  2. Make a folder on the infected drive for the files to be copied into (e.g. Task Manager).
  3. Extract the downloaded Task Manager files into this folder.
  4. Open the folder where you extracted the files and create a shortcut to the batch file TaskmgrFix.bat (right-click on TaskmgrFix.bat, then select Create Shortcut).
  5. Still on the infected drive, open Documents and Settings->All Users->Start Menu->Programs->Startup. (In some cases you will need to do this for the main user's Startup folder as well.)
  6. Copy the TaskmgrFix.bat shortcut to this folder.

What we have done here is arrange for this batch file to run continually whenever the computer starts into a user profile. You need to copy the shortcut to the Startup folder of the profile that gets logged on when the infected computer restarts; copying it to every profile's Startup folder is a safe way to be sure. When the computer restarts, the batch file runs in a loop, repeatedly resetting the registry value that hides Task Manager, so that you can open it (Ctrl+Shift+Esc) even while the infection keeps turning it back off. Once you are in Task Manager, start ending suspect processes until you have some control over the computer. I also use this same procedure with a program called SmitFraud, which is a rootkit remover. After gaining some control, you may need to use Task Manager's File->New Task to start Explorer to get the desktop you are used to seeing. Then go to Start->Control Panel->System, open the System Restore tab and turn off System Restore; this discards any remaining restore points and helps keep the infection from reactivating itself.
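As an added example (this is not the author's TaskmgrFix.bat, whose contents are not shown on this page), the following batch file does the job the text describes: it loops forever, clearing the policy values that malware sets to hide Task Manager and the Registry Editor, in both the user and machine hives. The registry paths are the standard Windows policy locations; the one-second loop interval and the choice to also clear DisableRegistryTools are my assumptions.

```batch
@echo off
rem Added example, not the article's TaskmgrFix.bat.
rem Malware sets DisableTaskMgr=1 (hides Task Manager) and often DisableRegistryTools=1
rem (hides regedit) under the Policies\System key. Setting them back to 0 in a loop means
rem the infection can keep flipping them, but you still get a window to open Task Manager.
set "POL=Software\Microsoft\Windows\CurrentVersion\Policies\System"

:loop
reg add "HKCU\%POL%" /v DisableTaskMgr       /t REG_DWORD /d 0 /f >nul 2>&1
reg add "HKLM\%POL%" /v DisableTaskMgr       /t REG_DWORD /d 0 /f >nul 2>&1
reg add "HKCU\%POL%" /v DisableRegistryTools /t REG_DWORD /d 0 /f >nul 2>&1
reg add "HKLM\%POL%" /v DisableRegistryTools /t REG_DWORD /d 0 /f >nul 2>&1

rem Windows XP has no sleep/timeout command; two pings of localhost wait about one second
rem (assumed interval, short enough to beat most re-disabling loops).
ping -n 2 127.0.0.1 >nul
goto loop
```

Leave the window it opens alone (closing it stops the loop), press Ctrl+Shift+Esc to bring up Task Manager, and end the suspect processes from there. Once the machine is under control, remove the Startup shortcut so the loop does not keep running on every logon.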


After completing these tasks you should have a foothold on the computer and can put the drive back and boot the infected computer itself. There is one more thing to do when it comes up, and this is very important!!! If you do not reset Internet Explorer to its installed defaults you may only be kidding yourself about the removal, and the infection may simply reappear (Ref: IE Attacks). Resetting IE disables all add-ons and deletes all settings. I would suggest not using IE for anything other than getting Windows Updates and accessing sites that will not run correctly in other browsers (bad sites, shame on you!!!). I like to use Mozilla's Firefox browser; it is more secure (even more so with the AdBlock and NoScript add-ons) and these types of infection do not attach themselves to it very well (Ref: IE vs. FireFox). To further secure IE on corporate computers, restrict it to windowsupdate.com and the few ftp and https sites that are really needed, which takes IE out of the picture for future infections. Note that the Windows hosts file cannot do this on its own: it only redirects the names you list, so it works as a block list for known bad sites, not as an allow list. The allow list is done through IE's proxy settings instead (a proxy address that does not exist, with the permitted sites in the exceptions list). Also go to Scheduled Tasks in Control Panel and delete any unknown or suspicious tasks; you might need to end some processes in Task Manager to keep infected files at bay while you clean up.
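An added example (not from the original page) of the IE allow list just described, written as a batch file to run in the profile being locked down. It sets IE to use a proxy on a closed local port, so every connection fails, and lists the hosts allowed to bypass the proxy. The proxy address and the Windows Update host names are assumptions; adjust the exceptions to the sites the machine really needs.

```batch
@echo off
rem Added example, not the article's own procedure.
rem Why not the hosts file: it can only map names you list to an address (a block list),
rem it cannot say "everything except these". IE's proxy settings can: a dead proxy plus
rem a bypass list gives an allow list. Applies to IE and other WinINET users in this
rem profile only; a user (or malware) with rights to HKCU can undo it.
set "IS=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

rem Assumed dead proxy: nothing listens on 127.0.0.1 port 1, so proxied requests fail.
reg add "%IS%" /v ProxyEnable /t REG_DWORD /d 1 /f
reg add "%IS%" /v ProxyServer /t REG_SZ /d "127.0.0.1:1" /f

rem Bypass list = the allow list. Entries are separated by semicolons; <local> keeps
rem intranet names working. Host names below are assumptions for XP-era Windows Update;
rem add the ftp/https sites you actually need to this list.
reg add "%IS%" /v ProxyOverride /t REG_SZ /d "windowsupdate.com;*.windowsupdate.com;*.windowsupdate.microsoft.com;*.update.microsoft.com;<local>" /f

echo Internet Explorer restricted to the proxy bypass list. Restart IE for it to take effect.
```

Check it from Tools->Internet Options->Connections->LAN settings: the proxy should show 127.0.0.1:1 and the Advanced button should list the exceptions. If Windows Update stops working, a needed host is missing from ProxyOverride; add it there rather than turning the proxy off.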


Now you should be able to install other removal and cleaner tools such as CCleaner, Malwarebytes, SUPERAntiSpyware and AVG. Once they are installed, update them and run them all at the same time (or at least Malwarebytes and SUPERAntiSpyware; AVG's resident scanner will kick in when needed) to remove any other infections and threats. Running the on-demand scanners together is fine; just never keep more than one resident antivirus installed, since two real-time scanners fighting over the same files is a problem of its own. After you have regained control of the computer, remove the shortcuts that were added to the Startup folders, and disable any suspicious programs from starting up; CCleaner or MSConfig will do this (I find CCleaner much cleaner to use). Also update the OS through Windows Update, using the Custom selection to install the additional and optional software as well (Ref: Common Mistakes and Misconceptions). After removing this type of infection all the others should be a piece of cake… and remember to clean up the Startup folders!
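As a final added example (not part of the original page), a batch file that lists the autostart locations these infections use on a booted Windows XP machine, so you can compare what CCleaner or MSConfig shows against the registry and file system directly. It also prints the Winlogon Shell and Userinit values, which are what sits behind "Explorer does not start" and "cannot log on" symptoms, and the Task Manager policy values from the earlier step. Run it on the infected computer once it boots; against an externally mounted drive the registry parts would need the offline hive loaded with `reg load`, which this script does not do. The expected defaults quoted in the comments are for Windows XP.

```batch
@echo off
rem Added example, not from the article: enumerate XP autostart points for manual review.
setlocal

echo === Run / RunOnce keys (per machine and per user) ===
for %%H in (HKLM HKCU) do (
  for %%K in (Run RunOnce) do (
    echo [%%H\Software\Microsoft\Windows\CurrentVersion\%%K]
    reg query "%%H\Software\Microsoft\Windows\CurrentVersion\%%K" 2>nul
  )
)
echo.

rem XP defaults: Shell = Explorer.exe
rem              Userinit = C:\WINDOWS\system32\userinit.exe,   (trailing comma is normal)
rem Anything extra appended here runs at every logon, before or instead of the desktop.
echo === Winlogon Shell / Userinit (compare with the XP defaults in the script comments) ===
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell 2>nul
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit 2>nul
echo.

echo === Startup folders (all users, then the current profile) ===
dir /b "%ALLUSERSPROFILE%\Start Menu\Programs\Startup" 2>nul
dir /b "%USERPROFILE%\Start Menu\Programs\Startup" 2>nul
echo.

echo === Scheduled tasks ===
schtasks /query 2>nul
echo.

rem Should be 0 or "unable to find" once the machine is clean.
echo === Task Manager / regedit policy values ===
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr 2>nul
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools 2>nul

endlocal
```

Redirect the output to a file (`autostart.cmd > autostart.txt`) and read it on the clean computer; anything in Run/RunOnce or the Startup folders that you did not install, and any extra executable appended to Shell or Userinit, is what MSConfig and CCleaner should be used to remove before the final reboot.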

 

Verified and Tested
By Ralph James
Randem Systems, Inc
Feb 5, 2010
Updated March 29, 2010

ALL SUPPORT IS VIA THE SUPPORT BOARD.
http://www.randem.com/cgi-bin/discus/discus.cgi