AVG Forums » Other topics » Virus Removal, Tools for Removing » How To Clean An Infected Computer?
April 1, 2009 13:49 How To Clean An Infected Computer? #403
umelec
Administrator
Join Date: 30.3.2009
Posts: 61
How To Clean An Infected Computer....
by Randy D. Stafford

1) First you will want to download the respective version of AVG and install it.

For Windows XP, Vista & 7 (32 & 64 bit)

• AVG 2012 Free Edition / Paid Products

For Windows 2000 or newer

• AVG 9/8.5 Free Edition / Paid Products

After you install them, you MUST update AVG so you will have the latest virus database (in case of Internet connectivity issues, follow this article). If you don't update AVG and you are infected with the latest parasites, you will not be able to effectively detect and clean them from your computer, so remember to update, update, update. The same applies to your operating system – released updates address security holes in the system which could allow the malware to come back. Some of the updates even remove specific infections from system files. You can visit the Windows Update website to check for the available updates for your system.

Now that you have downloaded, installed and updated AVG, the operating system (and other utilities, if installed), print this so you can refer to it later and disconnect your computer from the Internet. This is an important step and will remove one way that malware may use to re-infect your computer.


2) Turn off System Restore

Refer to following article: How To Remove An Infection From The System Volume Information Folder


3) Carefully Look at Windows Add/Remove programs for suspicious programs

• Many of the spyware threats actually install into your system just like a regular program. Many may appear to be utilities that you may think are helpful but in reality aren't. Look for add-on toolbars; while toolbars like those provided by Google, MSN, Yahoo and others are great utilities, there are many more that aren't, and if in doubt, check whether the ones you have are parasitic. Another common exploit is the Search helpers, WinTools, Gator products, IE Helper, Comet Cursor and many others, just to name a very few. Peer-to-Peer (P2P) programs are another common source for these, and even the ones that don't come with spyware themselves are a high security risk that may lead to your system being infected or to spreading infections like these. Remove all suspicious programs; if you accidentally remove the wrong item, you may always re-install it later.


4) Run Disk Clean-Up

• This actually comes with Windows and has been installed by default since Windows 98. You can find it by clicking the Start Button and then going to Programs / Accessories / System Tools / Disk Clean-up. I recommend selecting all of its options except the ones for Office Setup Files and Compress Old Files if you have them. While you may select those if you wish, they aren't as important. This will clean up all of the temporary files so your testing will go faster, and may also delete any spyware that may be hiding there if the spyware isn't already running. To clear systems that have System Restore you will need to select the second tab and click the button for clearing this.


5) Run AVG

Refer to following article: How To Run A Full Computer Scan


These procedures should have cleaned most cases of infection that you will find. Yes, I said MOST, because there are some infections that are very hard to detect and remove. Generally, if you have one of these, you will need the assistance of an expert to help you get rid of it.

When you believe you are finished, remember to turn System Restore back on if you had turned it off.




Windows Tip

Windows itself, by default, hides certain files, system folders or file extensions from the user to make it easier to navigate. If you have to find an infected file, or just one you are looking for, this can cause you to not find it. If you wish to change this to show all of the files on your computer, follow this article: How To Display Hidden Files And Folders.


How to find an embedded infection

AVG detects infections in archives as well. Since AVG can't determine if you created the archive or if it was a parasite that created it, it leaves these alone so you may have a chance to recover uninfected files from the archive, and then you simply delete the archive when done. Infections that are inside of an archive aren't a direct threat to your system unless the file gets extracted to allow it to run. AVG Technologies have chosen this method because it is safer for your data that the archive may contain.

For someone that is new to looking for these embedded infections, it can be a little confusing with the way that AVG will list the file, because it also must include the archive file name that contains it in the full path/filename. The following is an example that I made up to highlight the info so you will know which filename to look for, so you may either extract files and/or delete the correct file. I will color code these for you, but AVG will not.

AVG will give you a name like...

C:\Windows\Temp\InfectedArchive.cab:\InfectedFile.exe

The location of the file is in C:\Windows\Temp
The archive that contains the infection is InfectedArchive.cab
And the actual infected file inside of the archive is InfectedFile.exe

Note the :\ that separates the archive from the file it contains.
After you have recovered any files inside of the archive that you may want to keep (other than the infected one, that is), just simply delete the whole archive. In this example the file to delete would be InfectedArchive.cab

It looks harder than it really is; just remember the file you want to look for is named just before the last :\.

Most of the time, you won't have any files to recover inside of the archives. The only time this isn't true is if it is an archive that you had created yourself. If you didn't create it, just delete it and move on.


Rootkits

One of the utilities which can be used for analysis is GMER. I'm not going to get into the use of GMER here since that is covered below a bit and in more detail on the GMER website. You can download GMER from http://www.gmer.net ... please read what info they have on their site for a better understanding of how to use the utility, as well as looking at the examples they have provided. Even more information about rootkits can be found on the RootKit Revealer webpage that Microsoft has at http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

Gmer - !!!! IT IS A TOOL FOR ANALYSIS - REMEMBER THAT NOT EVERY FOUND ITEM IS INFECTION !!!! Like any tool, if used improperly it can also do damage so be very careful with it. - More information in other post below.
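One way to pull the three parts out of an AVG archive detection string like the one in the post above, as an added Python example that is not from the original post. It strips the drive prefix first (its "C:\" is the only ":\" that is not an archive separator) and also handles nested archives, where the on-disk file to delete is the outermost one.

```python
from dataclasses import dataclass
from typing import List

SEP = ":\\"  # AVG's archive separator; a drive prefix like "C:\" contains the same two characters


@dataclass
class ArchiveHit:
    directory: str     # folder holding the on-disk archive
    archive: str       # the file you delete once wanted content is recovered
    nested: List[str]  # inner archives, outermost first (empty when not nested)
    infected: str      # member flagged inside the innermost archive

    def path_to_delete(self) -> str:
        return self.directory + "\\" + self.archive


def parse_avg_path(detection: str) -> ArchiveHit:
    """Split 'C:\\dir\\outer.cab:\\inner.zip:\\bad.exe' into its parts.

    The drive prefix is removed before splitting so that its ":\\" is not
    mistaken for an archive separator; every remaining ":\\" is one.
    """
    if len(detection) < 3 or detection[1:3] != SEP:
        raise ValueError("expected a drive-letter path: %r" % detection)
    drive, rest = detection[:3], detection[3:]
    parts = rest.split(SEP)
    if len(parts) < 2:
        raise ValueError("no archive separator in %r" % detection)
    outer, *inner, infected = parts
    directory, _, archive = (drive + outer).rpartition("\\")
    return ArchiveHit(directory, archive, inner, infected)


if __name__ == "__main__":
    hit = parse_avg_path(r"C:\Windows\Temp\InfectedArchive.cab:\InfectedFile.exe")
    print("delete:", hit.path_to_delete(), "| infected member:", hit.infected)
```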
July 31, 2009 07:54 Gmer Utility #9455
ondraploteny
Administrator
Join Date: 27.3.2009
Posts: 6996
Remember to be careful - Use These Steps At Your Own Risk.
- Download the Gmer utility from this website:
http://www.gmer.net/

- Extract it and then rename the GMER.EXE file to another name (if an archive was downloaded)
- Run GMER

( by renaming GMER.EXE to another filename, a malware rootkit can't hide as easily from it )

If you are asked for output of Gmer full scan, use "Scan" button and follow the last part of this post.

If the first quick scan has found a rootkit service:
Example:
Service system32\drivers\gxvxcvpbvtumncstfvticowxrierpmyrdhrpp.sys (*** hidden *** ) gxvxcserv.sys <-- ROOTKIT !!!

- Then choose the ">>>" tab and then the "Services" tab
- Find the service(s) labeled in red, right-click on them and then choose disable/delete
- restart computer and run Gmer again

If the first quick scan found nothing, please use the "Scan" button to start a full scan.

If the following lines are shown in the scan results:
.text ntoskrnl.exe!IofCallDriver
.text ntoskrnl.exe!IofCompleteRequest

- stop the test, then right-click on them and choose "Restore code"
- close and re-run Gmer again

If there is some similar line(s) shown (with the ROOTKIT mark) in the scan result:
File
C:\Windows\System32\drivers\gxvxcttwqpxcctxtbiqqbgilpidyndmyxtmhr.sys 46592 bytes executable <-- ROOTKIT !!!

- choose the ">>>" tab and then select the "Files" tab
- in the file manager find and then highlight the file(s), then click the "Delete" button (you should probably back up the file(s) first by using the "Copy" button, just to be on the safe side)
- restart computer and run Gmer again

If some rootkit service is detected again and again after following the above steps, or it is not possible to delete it from within Gmer (the Delete option is grayed-out), please follow these steps:
- open Registry Editor (menu Start -> Run -> enter "regedit" and confirm OK)
- find this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

- find the mentioned rootkit service name in the list, right-click on it and choose "Permissions"
- click on "Add" button, in the form enter "Everyone" and click "Check Names"
- confirm the changes by clicking OK, OK...
- now it should be possible to right-click on mentioned service and choose "Delete"
- restart computer and run Gmer again

If the rootkit is still not removed or you have some other suspicions, please provide us with the Gmer scan output:
- after the testing is finished, click the "Save" button
August 1, 2009 11:04 Windows Registry Corruption #9713
ondraploteny
Administrator
Join Date: 27.3.2009
Posts: 6996
Windows has an area in the registry that is normally used to help debug program issues but also has other uses. Sometimes malware will add a registry entry to this Windows registry key so that when you try to run AVG or another protection software, the malware or other program is actually run instead. In these cases, the registry entries that may have been made must be manually removed so that AVG can work properly.

Please open the Windows Registry Editor
- open menu Start -> Run -> enter "regedit" and confirm OK

When the Registry Editor is open, find this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

* sub-keys for 64bit processes can be located at:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options


Right click on the main key name and select Export to make a backup before you make any changes.

Check that none of the sub-keys have names like any of AVG's processes or files (all AVG processes):

avgam.exe
avgcfga.exe (64bit)
avgcfgex.exe (32bit)
avgcmgr.exe
avgcsrva.exe (64bit)
avgcsrvx.exe (32bit)
avgdiag.exe
avgdiagea.exe (64bit)
avgdiagex.exe (32bit)
avgdumpa.exe (64bit)
avgdumpx.exe (32bit)
avgemc.exe
avgemca.exe (64bit)
avgemcx.exe (32bit)
avgfrw.exe
avgfws.exe
avgfws8.exe
avgfwwiz.exe
avgidsagent.exe
avgidsmonitor.exe
avgiproxy.exe
avgmfapx.exe
avgnsa.exe (64bit)
avgnsx.exe (32bit)
avgrsa.exe (64bit)
avgrsx.exe (32bit)
avgscana.exe (64bit)
avgscanx.exe (32bit)
avgsrmaa.exe (64bit)
avgsrmax.exe (32bit)
avgstrma.exe (64bit)
avgstrmx.exe (32bit)
avgsysta.exe (64bit)
avgsystx.exe (32bit)
AVGToolbarInstall.exe
avgtray.exe
avgui.exe
avgupd.exe
avgwdsvc.exe
fixcfg.exe


Other applications which should not be present under usual circumstances:
explorer.exe

If you find any lines that include those in them, remove that line from the registry. Do not remove other lines for other programs unless you know for certain that they should not exist.
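To check the exported backup of the Image File Execution Options key for the hijack described above without clicking through every sub-key in regedit, here is an added Python example that is not from the post. It parses a regedit .reg export; the SAMPLE_EXPORT and the Debugger path in it are constructed for illustration, and WATCHED holds only a subset of the process names listed above (extend it with the full list).

```python
import re

# The two keys the post tells you to inspect.
IFEO_ROOTS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
)
# Subset of the names listed in the post; extend it with the full list.
WATCHED = {"avgui.exe", "avgtray.exe", "avgrsx.exe", "avgrsa.exe", "avgwdsvc.exe", "explorer.exe"}

# Constructed regedit export for illustration; the Debugger path is a placeholder.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe]
"Debugger"="C:\\placeholder\\malware.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"""


def _watched_subkey(key):
    """Lower-cased first sub-key name under either IFEO root, else None."""
    for root in IFEO_ROOTS:
        if key.lower().startswith(root.lower() + "\\"):
            return key[len(root) + 1:].split("\\")[0].lower()
    return None


def find_ifeo_hijacks(reg_export):
    """Map each watched program that has an IFEO sub-key to its Debugger value
    (None if the sub-key sets none); the post says to remove either case."""
    found, current = {}, None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = _watched_subkey(line[1:-1])
            if current in WATCHED:
                found.setdefault(current, None)
            continue
        m = re.match(r'"Debugger"="(.*)"$', line)
        if m and current in WATCHED:
            found[current] = m.group(1).replace("\\\\", "\\")  # .reg doubles backslashes
    return found
```

Run it against the file produced by the Export step above; every name it returns is a sub-key to remove, and a non-None value is the program that was being started in AVG's place.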
April 29, 2010 06:26 AVG Rescue CD #85117
jirka82
Administrator
Join Date: 19.6.2009
Posts: 3892
You can use the AVG Rescue CD for removal of serious infections. AVG Rescue CD allows you to find rootkits effectively, replace protected files and so on. Please check this post for more information.