July 31st, 2008 — Anti-Malware HowTo, Uncategorized
I got lazy and paid for it. Let me explain.
A friend brought me his Windows XP workstation loaded with malware. Since he didn’t want to buy any antivirus, I removed the malware in Safe Mode with SuperAntiSpyware and MalwareBytes. Once the first round of scans and removals was complete I rebooted. Bam! BSOD! Windows XP was looking for a DLL, no name of course, just a DLL.
Anyway in the end I had to reinstall Windows XP, very embarrassing to say the least.
So, I’ve created a checklist to use before I remove any malware in the future.
Follow the steps below before you remove any malware:
Back up important personal files – These files are usually located in C:\Documents and Settings\ (for Windows XP) and C:\Users\ (for Windows Vista). You may back them up to CD/DVD or to an external hard drive.
Enable System Restore – System Restore can return your critical Windows system files to a previous point in time (when your PC was working).
Enabling system restore for Windows XP
- Right Click My Computer
- Click Properties
- Click the System Restore Tab
- Choose the hard drives that you would like system restore to monitor
Enabling system restore for Windows Vista
- Right Click Computer
- Click System Protection
- Under Available Disks make sure your system disk is checked. This will most likely be C:\
Create A Restore Point.
Creating a Restore Point for Windows XP
- Click Start
- All Programs
- Accessories
- System Tools
- System Restore
- Select Create a restore point and then click Next
- Give the restore point a description
- Click Create
- It should say the restore point was created
- Click Close
Creating a Restore Point for Windows Vista
- Right Click Computer
- Click System Protection
- Click the Create Button
- Give your restore point a description
Back up your registry – Even though System Restore backs up your registry, it’s still a good idea to back it up manually. Follow the steps below to back up your registry.
- Click Start (or for Vista click the windows globe at the bottom left)
- All Programs
- Accessories
- Command Prompt
- Type regedit and press Enter
- Once the Registry Editor opens, click Computer
- Click File and then Click Export
- Choose a place to store the registry backup and give it a name
- Wait a few moments for the backup to complete.
Locate your Windows system disc – Just in case your system files get infected with a worm, you’ll want to have your Windows system disc handy. You can verify the integrity of your system files by running a simple command in the command prompt. To open the command prompt:
- Click Start (or for Vista click the windows globe at the bottom left)
- All Programs
- Accessories
- Command Prompt
- Insert your windows system disc
- Type sfc /scannow and press Enter
- Let the System File Checker complete.
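The whole checklist as one script, added here as an example and not part of the original post. It assumes an elevated PowerShell 2.0 or later session; xcopy, reg export and sfc behave the same on XP and Vista, and the two System Restore steps use the SystemRestore WMI class those versions expose instead of the System Properties dialog. The D:\PreRemovalBackup path is a placeholder for the external drive.

```powershell
# Pre-removal checklist as one script (added example, not from the original post).
# Run from an elevated PowerShell 2.0+ prompt. The backup root is a placeholder:
# point it at the external drive you would otherwise copy the files to by hand.
param(
    [string] $BackupRoot  = 'D:\PreRemovalBackup',
    [string] $SystemDrive = 'C:\'
)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
$target = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null

# 1. Personal files. The profile root differs between XP and Vista; copy whichever exists.
#    /E all sub-folders, /H hidden and system files, /C keep going when a file is locked
#    (ntuser.dat of the logged-on user always is), /I treat the destination as a folder.
$profileRoots = @('C:\Documents and Settings', 'C:\Users') | Where-Object { Test-Path -LiteralPath $_ }
foreach ($root in $profileRoots) {
    & xcopy.exe $root (Join-Path $target 'Profiles') /E /H /C /I /Y /Q
}

# 2. Enable System Restore on the system drive, then 3. create a restore point.
#    The SystemRestore WMI class is what the System Properties dialog drives.
$sr = [wmiclass] '\\.\root\default:SystemRestore'
$null = $sr.Enable($SystemDrive, $true)            # $true = wait until it is enabled
# 0 = APPLICATION_INSTALL restore point type, 100 = BEGIN_SYSTEM_CHANGE event type
$rp = $sr.CreateRestorePoint("Before malware removal $stamp", 0, 100)
if ($rp.ReturnValue -ne 0) { Write-Warning "CreateRestorePoint failed, return value $($rp.ReturnValue)" }

# 4. Registry backup. Exporting the Computer node in Regedit is the same as exporting the
#    hives one by one; access-denied messages for the SAM/SECURITY keys are expected.
foreach ($hive in @('HKLM', 'HKCU')) {
    & reg.exe export $hive (Join-Path $target "$hive.reg")
}

# 5. Verify protected system files. On XP keep the install CD in the drive; sfc asks for it.
& sfc.exe /scannow

Write-Host "Backups written to $target"
```

Keep the restore point and the .reg files on the external drive as well as on the PC: if the removal ends in the same BSOD the post describes, the copies on the infected disk are only reachable from a boot CD.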
June 10th, 2008 — Anti-Malware HowTo, Anti-Malware Tools, Malware Tips, My Tools
So, what is Vundo and how do you get infected with it?
Vundo is a pernicious adware Trojan that is usually installed on a Windows PC (Windows 2000, Windows XP or Windows Vista) through an outdated Java Runtime Environment. Vundo, also known as Virtumonde or Virtumondo, creates DLLs with random-letter names in C:\windows\system32 (tyeyavv.dll, for example) that inject themselves into the winlogon.exe and explorer.exe processes. Because Vundo injects itself into winlogon.exe, removal can be very hard: winlogon.exe is in use almost every second.
The biggest problem with Vundo is not necessarily the removal process but the detection process, since Vundo’s creators make hundreds of variants a day in an effort to evade detection (which, unfortunately, seems to be working).
What does Vundo do anyway?
Vundo displays unblockable popup and popunder ads even when users are not actively browsing the internet. Vundo has also been known to display fake system alerts that try to scare a user into buying a fake antivirus application. Vundo is essentially a platform for delivering scams to your PC on a massive, non-stop scale.
How to remove Vundo using free software - My Vundo Removal Kit.
Removing Vundo for free can be a little tough, since there are so many Vundo variants and every free program has a different detection database and heuristics algorithm.
When I encounter Vundo and a client does not want to pay for any software I “break out” my free Vundo removal kit. This kit is currently comprised of:
- MalwareBytes Anti-Malware (malwarebytes.org)
- SuperAntiSpyware (superantispyware.com)
- VundoFix (from atribune.org)
- UnDLL (from eset.com)
To start the Vundo removal process:
- Backup any personal data to CD, DVD or flash drive.
- Download and install MalwareBytes Anti-Malware.
- Load MalwareBytes Anti-Malware and click the update tab and then click update to receive the latest updates.
- Download and install SuperAntiSpyware.
- Load SuperAntiSpyware. SuperAntiSpyware will ask you if you want to check for new rules and definitions. Choose yes.
- Close SuperAntiSpyware.
- Download VundoFix.
- Download UnDLL.
- Reboot your PC in Safe Mode.
- While in safe mode load MalwareBytes Anti-Malware and perform a full scan.
- When the scan is complete click show results.
- Remove any checked items.
- Reboot if MalwareBytes asks you to.
- Enter Safemode again.
- Load SuperAntiSpyware.
- Click Preferences and click the scanning control tab.
- Check on “Terminate memory threats before quarantining”.
- Close preferences and click the “Scan your computer ” button.
- Select “Perform Complete scan” and click next
- Let the scan complete and remove anything it finds.
- Next, we’ll finish up the Vundo detection and removal process by using VundoFix
- Open VundoFix and click the “Scan for Vundo” button.
- If any Vundo infections still remain click the “Fix Vundo” button.
- At this point Vundo has most likely been neutralized.
- Reboot your pc.
- You should be Vundo Free now.
- Download and install the latest copy of the Java Runtime Environment and keep it updated.
- Do yourself a favor and Purchase Spyware Doctor with AntiVirus
(one license protects 3 PC’s). It’s the only antivirus that I’ve tested this year to successfully detect and remove almost every variant of Vundo with very little effort.
If you think any Vundo Trojans have been missed in c:\windows or c:\windows\system32, you can submit those files to virustotal.com for analysis. If the file you submit comes back as a possible infection, you may forcibly remove it using UnDLL. If you’re still getting popup ads, you may want to run a HiJackThis scan and email me the log file, or just install Spyware Doctor with AntiVirus.
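Because Vundo's DLLs are only dangerous once they are loaded into winlogon.exe or explorer.exe, one quick way to find leftovers is to look at what those two processes actually have mapped instead of scanning the whole disk. The script below is an added example, not part of the original post or any of the tools it lists: it reports every System32 DLL loaded into the named processes that was written to disk within the last $RecentDays days, with its signature status and SHA-256 so the file can be looked up on virustotal.com. The process names and the 30-day window are assumptions you can change; run it from an elevated PowerShell 2.0 or later prompt, because the modules of winlogon.exe are only visible to an administrator.

```powershell
# Added example (not from the original post): list recently written System32 DLLs that
# explorer.exe and winlogon.exe currently have loaded. Elevated PowerShell 2.0+ required.
param(
    [string[]] $ProcessNames = @('explorer', 'winlogon'),
    [int]      $RecentDays   = 30
)

$system32 = Join-Path $env:SystemRoot 'System32'
$cutoff   = (Get-Date).AddDays(-$RecentDays)
$sha256   = [System.Security.Cryptography.SHA256]::Create()

function Get-Sha256Hex([string] $Path) {
    # SHA-256 of the file, for a VirusTotal lookup before anything is deleted.
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha256.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

$findings = @()
foreach ($name in $ProcessNames) {
    foreach ($proc in @(Get-Process -Name $name -ErrorAction SilentlyContinue)) {
        try   { $modules = @($proc.Modules) }
        catch { Write-Warning "Cannot list modules of $($proc.ProcessName) (pid $($proc.Id)); run elevated"; continue }
        foreach ($m in $modules) {
            if (-not $m.FileName) { continue }
            $file = Get-Item -LiteralPath $m.FileName -ErrorAction SilentlyContinue
            if (-not $file) { continue }
            # Only System32 DLLs matter for this family, and a freshly written one is the
            # strongest single indicator because the legitimate contents rarely change.
            if ($file.Extension -ne '.dll' -or $file.FullName -notlike "$system32\*") { continue }
            if ($file.LastWriteTime -le $cutoff) { continue }
            $sig = Get-AuthenticodeSignature -FilePath $file.FullName
            $findings += New-Object PSObject -Property @{
                Process   = "$($proc.ProcessName) ($($proc.Id))"
                Module    = $file.Name
                Modified  = $file.LastWriteTime
                Signature = $sig.Status
                SHA256    = Get-Sha256Hex $file.FullName
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No recently written System32 DLLs loaded in $($ProcessNames -join ', ')"
}
$findings | Sort-Object Modified -Descending |
    Format-Table Process, Module, Modified, Signature, SHA256 -AutoSize
```

Two things to keep in mind when reading the output: Microsoft's own System32 DLLs are catalog-signed rather than signed individually, and the PowerShell of the XP/Vista era reports them as NotSigned, so treat the Signature column as supporting evidence and let the Modified date plus the VirusTotal result decide; and a Windows Update run rewrites legitimate DLLs too, so expect a handful of harmless hits right after patching.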
May 28th, 2008 — Rogue Anti-Malware
SpyShredder is Rogue Anti-Malware (fake software). SpyShredder has 2 purposes.
- Make you buy it for 9.95
- Steal your Identity
SpyShredder starts scanning at login and displays numerous fake results. When the scanning is complete, SpyShredder will ask you to register it in order to clean the infections. Don’t ever register this program. Registering this program is another way of saying “pay for this program with a credit card so that we can steal your identity”.
You can remove SpyShredder with Spyware Doctor or MalwareBytes

May 15th, 2008 — Rogue Anti-Malware
Wow! My client from last night has had his PC for 3 days and he already has a rogue anti-privacy application installed. AdvancedCleaner is scareware.
AdvancedCleaner loads rather quickly at bootup and immediately starts displaying fake scan results that basically say…”Hey, I’ve been lookin at some porn!”.
My client’s wife was rather perturbed after seeing this application pop up while she was sitting with her daughter. I explained to her that the application displays fake scan results (Adult Content Found) and would need to be removed with real anti-malware software. MalwareBytes toasted AdvancedCleaner with ease.

May 14th, 2008 — Anti-Malware HowTo
Last night I had a client with a rather large malware infection on his PC. The client previously stated that if I could fix the issue in 1.5 hours or less he would hire me. Of course, I said I could!
90% of the malware was easily removed with MalwareBytes Anti-Malware, and then I loaded Avira AntiVirus version 8 (AVG once again failed to install…man…AVG needs a new installer).
Avira AntiVirus found what MalwareBytes did not…a nasty little bug called TR/Trash.gen. I think Trash.gen was some sort of Vundo infection. It was located in system32 and had a file name of the form xxxxxxxx.dll. This Trojan was locked…very locked, and could not be removed with any AV/AM scanner.
When I encounter Trojans that are as protected as this one I have 3 options that will allow me to manually remove locked malware. I will create some quick YouTube vids to show you how to use each of these tools tonight.
- FileAssassin tool inside of MalwareBytes Anti-Malware
- Pocket KillBox
- UBCD4Win
Choice 1 and 2 work about 90% of the time, and choice 3 has worked 100% of the time. I used UBCD4win on last night’s call to get rid of TR/Trash.gen.
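What the first two tools do for a locked file is ask Windows to finish the job at the next boot: MoveFileEx with the MOVEFILE_DELAY_UNTIL_REBOOT flag records the request under the PendingFileRenameOperations value, and the session manager carries it out before any user-mode process, and therefore before the malware, starts. The script below is an added example, not the code of FileAssassin, KillBox or the original post, and it first copies the file aside so it can still be submitted for analysis. The C:\Quarantine path is a placeholder; it needs an elevated PowerShell 2.0 or later prompt because the pending-rename list lives under HKLM.

```powershell
# Added example (not from the original post): copy a locked file aside, then schedule
# its deletion at the next boot through MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT).
param(
    [Parameter(Mandatory = $true)] [string] $Path,
    [string] $QuarantineDir = 'C:\Quarantine'      # placeholder, pick your own location
)

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
$pendingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Copy-ToQuarantine([string] $File, [string] $Dir) {
    # A DLL that is loaded can still be read, only not deleted. Keep a copy with a
    # non-executable extension so it cannot be double-clicked by accident later.
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $name = [System.IO.Path]::GetFileName($File)
    $dest = Join-Path $Dir ("{0}.{1}.quarantined" -f $name, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    Copy-Item -LiteralPath $File -Destination $dest -Force
    $dest
}

function Register-DeleteOnReboot([string] $File) {
    $full = [System.IO.Path]::GetFullPath($File)
    if (-not (Test-Path -LiteralPath $full -PathType Leaf)) { throw "Not a file: $full" }
    # A null destination means "delete"; the flag defers the operation until boot.
    $ok = [Win32.Native]::MoveFileEx($full, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed with Win32 error $err"
    }
    $full
}

function Get-PendingFileRenames {
    # Entries come in pairs: "\??\source" followed by "" (delete) or "\??\destination" (rename).
    (Get-ItemProperty -Path $pendingKey -ErrorAction SilentlyContinue).PendingFileRenameOperations
}

$copy = Copy-ToQuarantine $Path $QuarantineDir
Write-Host "Copied to $copy"
$scheduled = Register-DeleteOnReboot $Path
Write-Host "Scheduled for deletion at next boot: $scheduled"
Write-Host "Current PendingFileRenameOperations:"
Get-PendingFileRenames
```

Deleting the file only removes the payload, not the registry entries that load it (a Vundo DLL is typically wired in through a winlogon notification or browser helper object key), so re-run the anti-malware scans after the reboot to clean those up, and expect the malware's other components to try to recreate the file if they are still running.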
Locked / protected malware represents one of the biggest threats and challenges to the anti-malware community (both for anti-malware producers and users).
If you have any other tools to remove locked files please shoot me a comment on this post.
May 6th, 2008 — Anti-Malware News
MalwareBytes Anti-Malware has been upgraded to version 1.12. MalwareBytes is my number one anti-malware tool…still!

May 1st, 2008 — Rogue Anti-Malware
AntiVirProtect is a new rogue that is being actively distributed on Google Groups (that’s where we got it from on our VM). Please do not confuse it with AntiVir, which is a legitimate antivirus from Avira.
AntiVirProtect is loaded from a Zlob Trojan and cannot be easily removed. Like all fake anti-malware AntiVirProtect displays false scan results. To remove these results they want you to purchase the program with a credit card. Don’t. Purchasing this program effectively says “steal my identity please”.
To remove AntiVirProtect you can use MalwareBytes Anti-Malware or SmitFraudFix.

April 21st, 2008 — Rogue Anti-Malware
Well, it’s not your typical rogue anti-malware, but it was pretty effective in making my client’s wife pretty PO’d at her husband. Why? Privacy Watcher displays fake alerts or reports saying that you have visited a lot of porn (or adult sites, as they call it). As always, in order to remove this false evidence of porn browsing you need to register Privacy Watcher.
Don’t. Privacy Watcher is a fake anti-malware application (aka – rogue antimalware). You can easily remove it with these free applications:
SmitFraudFix
MalwareBytes Anti-Malware or MalwareBytes Rogue Remover.

April 18th, 2008 — Malware Tips
Malware hides in only a few spots (typically). The folders below should be manually scanned with an anti-virus (Kaspersky or Windows OneCare) and an anti-malware application (MalwareBytes’ Anti-Malware) on a daily basis.
In Windows XP:
C:\Documents and Settings\
C:\Windows
In Windows Vista:
C:\Users
C:\Windows
Most of the very malicious malware resides in C:\windows\system32
As an IT consultant I need to move from appointment to appointment. Scanning the folders above with manual scans allows me to clean up the infections quickly instead of waiting to scan the entire PC. Once the manual scans are complete and the malware from those folders has been neutralized, I set their on-access scanners to clean and then quarantine anything left (if there is anything left…there usually isn’t).
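A quick triage pass over the folders listed above, added here as an example and not part of the original post: it lists the executable files in the profile root and C:\Windows (System32 is inside it, so it is covered by the same walk) that changed in the last few days, so those are the ones to scan and look at first. The seven-day window and the extension list are assumptions; run it from an elevated PowerShell 2.0 or later prompt so the protected folders can be read.

```powershell
# Added example (not from the original post): list recently written executables in the
# folders where malware usually lands, System32 hits first. Elevated PowerShell 2.0+.
param([int] $Days = 7)

$cutoff  = (Get-Date).AddDays(-$Days)
$exts    = @('.exe', '.dll', '.sys', '.scr', '.ocx', '.com', '.pif')
# Windows\System32 is not listed separately because the walk of $env:SystemRoot includes it.
$folders = @('C:\Documents and Settings', 'C:\Users', $env:SystemRoot) |
           Where-Object { Test-Path -LiteralPath $_ }

function Get-RecentExecutables([string] $Folder) {
    Get-ChildItem -LiteralPath $Folder -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       $exts -contains $_.Extension.ToLower() -and
                       $_.LastWriteTime -gt $cutoff } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $publisher = ''
            if ($sig.SignerCertificate) { $publisher = $sig.SignerCertificate.Subject }
            New-Object PSObject -Property @{
                Path      = $_.FullName
                Modified  = $_.LastWriteTime
                SizeKB    = [math]::Round($_.Length / 1KB)
                Signature = $sig.Status
                Publisher = $publisher
            }
        }
}

$results = @($folders | ForEach-Object { Get-RecentExecutables $_ })
Write-Host "$($results.Count) executable files changed in the last $Days days"
# Anything under System32 goes to the top, then newest first, which is where the worst lives.
$results |
    Sort-Object @{ Expression = { [int]($_.Path -notlike '*\System32\*') } },
                @{ Expression = 'Modified'; Descending = $true } |
    Format-Table Modified, Signature, SizeKB, Path -AutoSize
```

Expect legitimate entries right after Windows Update or a program install; the point is to get a short list that the on-demand scanners can be pointed at before the full-disk scan runs, and to have the paths ready for a VirusTotal lookup of anything that does not belong.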
March 11th, 2008 — Anti-Malware Reviews
I had a client yesterday that said he was heavily infected and wanted to know if I could remove the infections in 2 hours or under. Of course, I told him yes.
Upon starting his PC (Windows XP) his explorer was crashing and restarting (which is very indicative of Vundo).
I installed MalwareBytes Anti-Malware 1.08 and performed an update. After the update was complete I rebooted in Safe Mode and proceeded to do 2 quick scans.
The first scan found 71 instances of malware, most of them hard-to-remove Vundo infections. MalwareBytes Anti-Malware removed 90% of the infections right away; the other 10% had to be removed after a reboot.
My client’s PC was cleaned in 1 hour and 5 minutes….truly an amazing piece of anti-malware.