Malware detected, Kaspersky can't delete, Tips on removal
Don Pelotas
post 19.09.2006 18:32
Post #1

Global Moderator
Group: Global moderators
Posts: 25600
Joined: 7.04.2005

1. First, take a look at where the malware is located. If it is in System Restore (System Volume Information), then disable System Restore and do a scan; everything there is deleted when you do this (disabling SR):

IMPORTANT NOTES:
You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed.
Turning off System Restore will clear out all previous restore points.

To turn off Windows XP System Restore:

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK. You can of course enable system restore again if you wish.


1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore"
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK, reboot and do the scan which should be clean now.

If you use ME:

1. Click Start, Settings, and then click Control Panel.
2. Double-click the System icon. The System Properties dialog box appears.

NOTE: If the System icon is not visible, click "View all Control Panel options" to display it.

3. Click the Performance tab, and then click File System.
4. Click the Troubleshooting tab, and then check Disable System Restore.
5. Click OK. Click Yes, when you are prompted to restart Windows.

Once you have cleaned the virus or other problem from the computer, you can of course enable System Restore again if you wish.
--------------------------------------------------------------------------------

If the malware is not located in system restore, then boot into safemode and do a scan from there:

Windows 98/Me
Restart the computer.
Just after the POST diagnostics and memory count, start pressing the F8 key
On the Startup Menu, choose Safe Mode

Windows 2000
If the computer is running, shut down Windows, and then turn off the power
Wait 30 seconds, and then turn the computer on.
When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key. The Windows 2000 Advanced Options Menu appears.
Ensure that the Safe mode option is selected. In most cases, it is the first item in the list and is selected by default.
Press Enter. The computer then begins to start in Safe mode.
When you are finished with all troubleshooting, close all programs and restart the computer as you normally would.

Windows XP

If Windows XP is the only operating system installed on your computer, boot into Safe Mode with these instructions.
If the computer is running, shut down Windows, and then turn off the power
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
When you are finished with all troubleshooting, close all programs and restart the computer as you normally would.

Sometimes disabling system restore before the scan in safemode is needed.

2. If you have trouble accessing Kaspersky.com or other well-known security sites.

Then you could try to download ZonedOut & Hoster from funkytoad.com; both are free & don't need to be installed. You can use Hoster to restore the original Microsoft hosts file via its GUI; ZonedOut you can use to check the restricted & trusted zones for entries put there by malware and remove them.

Another tip when cleaning a PC is to use the free CCleaner to clean the temporary internet files; this is often where trojan downloaders are installed, and you can save time & effectively delete anything here simply by using this cleaner. You can download it here (all builds, both with & without toolbar).

If you open the hosts file in Notepad (C:\WINDOWS\system32\drivers\etc\HOSTS), it will look like below if you have not added anything yourself:

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost

3. If safe mode deletion fails.
Should safe mode deletion of the malware fail, or if you are fighting a really hard to destroy malware (e.g. a rootkit), then an offline scan is recommended. For this purpose the 6 line of Kaspersky products has the ability to create a so-called rescue disk to perform a scan. The rescue disk will boot your PC into an isolated environment; in this environment the files from your local Windows installation aren't loaded at startup, so the malware is inactive.

Here you can find a simple guide on how to create a rescue disk using Kaspersky Anti-Virus, BartPE and a Windows XP CD with integrated Service Pack 2.

After the rescue disk is created, reboot your system and access the system BIOS. This can be achieved by pressing a key right after the system powers up. The key is usually Delete or F1, depending on your vendor. (See the mainboard manual for details.)

Once you enter the system BIOS, go to a section called Boot sequence (again, this section is specific to your hardware) and there set the CD-ROM as the first boot device. Confirm your settings (usually the key for that is F10) and put your rescue disc into the CD/DVD drive.

The BartPE interface should now load and you can start Kaspersky Anti-Virus. The interface is similar to the one of the installed Kaspersky product.
Since performing a full system scan can take a very long time if you have a lot of archives, you should enable limiting of the scan by file size (skip if object is larger than); a value like 20 MB should be enough to detect malware that might be active.

Once the scan is complete reboot your pc and remove the Disk.

4. To use the Windows XP Recovery Console:

The Windows XP Recovery Console allows you to:

Use, copy, rename, or replace operating system files and folders.
Enable or disable service or device startup when you next start your computer.
Repair the file system boot sector or the Master Boot Record (MBR).
Create and format partitions on drives.
Here's how to use the Recovery Console:

Insert the Windows XP CD into your CD-ROM drive, and then restart your computer.
On the menu that appears, click Install Windows XP.
Press R to repair the selected Windows installation.
When you use the Recovery Console, you will be prompted to enter the Administrator account password. If you enter an incorrect password three times, the Recovery Console will close. If the database that contains user account information for your computer is missing or damaged, you will not be able to use the Recovery Console.

After you enter your password and the Recovery Console starts, type exit to restart the computer. The Recovery Console has some other limitations. For details, see Microsoft Knowledge Base article 314058: Description of the Windows XP Recovery Console.

This post has been edited by Don Pelotas: 22.12.2007 00:10
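As an added example that is not part of the original post: a small Python audit of the hosts file described above. It parses the file, reports every mapping that is not the stock 127.0.0.1 localhost line, distinguishing entries that block a site (pointing it at loopback) from entries that redirect it to another address, and produces a cleaned copy with only the default mapping and comments kept. The sample file and its malware-style entries are constructed for the example.

```python
"""Audit a Windows HOSTS file for entries that were not in the stock file."""
import ipaddress

# The stock XP file maps only localhost; anything else is user- or malware-added.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}

# Constructed sample (not from a real machine): stock header plus two typical
# malware additions, one blocking a vendor site and one redirecting a host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
127.0.0.1 www.kaspersky.com            # vendor site now unreachable
10.0.0.99 windowsupdate.microsoft.com  # updates sent to a non-local host
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs; blank lines and '#' comments are ignored."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop trailing comment, tokenise
        if len(parts) < 2:                    # blank line, or IP with no names
            continue
        entries.extend((parts[0], name.lower()) for name in parts[1:])
    return entries

def audit_hosts(text, defaults=DEFAULT_ENTRIES):
    """Return (ip, hostname, reason) for every mapping not in the stock file."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in defaults:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "malformed address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append((ip, name, "blocked (points to localhost)"))
        else:
            findings.append((ip, name, "redirected to non-local address"))
    return findings

def clean_hosts(text, defaults=DEFAULT_ENTRIES):
    """Return the file with non-default mappings removed and comments kept."""
    kept = [raw for raw in text.splitlines()
            if all(m in defaults for m in parse_hosts(raw))]
    return "\n".join(kept) + "\n"
```

Run audit_hosts on the contents of C:\WINDOWS\system32\drivers\etc\HOSTS before deciding whether Hoster's restore is needed; any finding that names a security vendor or update site is the symptom described in point 2.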
p2u
post 16.06.2007 11:59
Post #2

Guest
Group: Gold beta testers
Posts: 7775
Joined: 7.12.2005
From: Ring 0

Ever had the problem that you couldn't open any file types like .exe, .txt, etc. after your anti-virus program deleted some nasties from your system? You can download a BAT file (zipped) that will restore all of the "default" associations that XP ships with. The BAT file can be downloaded HERE.

You can also fix separate file association problems by downloading the files indicated.

Batch File Association Fix (Restore the default associations for BAT files)
CAB File Association Fix (Restore the default associations for CAB files)
CHM File Association Fix (Restore the default associations for CHM files)
COM File Association Fix (Restore the default associations for COM files)
CPL File Association Fix (Restore the default associations for CPL files)
Directory Extension Fix (Restores defaults to HKCR\Directory)
Drive Association Fix (Restores default settings for hard drives)
EML File Association Fix (Restores defaults for EML files)
EXE File Association Fix (Restore default association for EXE files)
Folder Association Fix (Restore default associations for File Folders)
GIF File Association Fix (Restore default associations for GIF Files)
HLP File Association Fix (Restore default associations for HLP files)
HTA File Association Fix (Restore default associations for HTA Files)
HTM/HTML Associations (Restore the default associations for htm/html files)
ICO File Association Fix (Restore the default association for ico files)
INF File Association Fix (Restore the default association for INF files)
Internet Explorer Desktop Icon Fix (Restore the default behavior for the Desktop IE icon)
JPE/JPG/JPEG Association Fix (Restore the default associations for jpe/jpg/jpeg files)
LNK (Shortcut) File Association Fix (Restores Default Shortcut Behavior)
MPG/MPEG File Association Fix (Restores default associations for MPG/MPEG files)
MSC File Association Fix (Restore default associations for MSC files)
MSI File Association Fix (Restore default associations for MSI files)
MSP File Association Fix (Restore default associations for MSP files)
REG File Association Fix (Restore default associations for REG files)
SCF File Association Fix (Restore default associations for SCF files)
SCR File Association Fix (Restore default associations for SCR files)
TXT File Association Fix (Restore default associations for TXT files)
TIF/TIFF File Association Fix (Restores default associations for TIF/TIFF files)
URL File Association Fix (Restores default associations for URL - Internet shortcuts)
VBS File Association Fix (Restores default associations for VBS files)
ZIP Folder Association Fix (Restores default associations for ZIP Folders - REG File)

Source: Doug Knox at dougknox.com.

WinSockFix will offer a last resort if your Internet connection is corrupted due to removed or invalid registry entries. It can often cure the problem of lost connections after the removal of Adware components or improper uninstall of firewall applications or other tools that modify the XP network and Winsock settings. If you encounter connection problems after removing network related software, Adware or after registry clean-up; and all other ways fail, then this might be your solution.
It can create a registry backup of your current settings, so it is fairly safe to use.
The Winsockfix Utility will:
* Detect your current Operating System
* Release the IP address, taking you "Offline"
* Reset the TCP stack using Netsh.exe (Windows XP only)
* Delete the current Registry TCP and Winsock Values
* Import new "Working" Registry Values
* Backup any Current "Hosts" file
* Replace the "Hosts" file with a default one
* Reboot the Computer

Of course you will have to set all your network parameters again as if you'd just installed XP.

P.S.: I suggest that the moderators of the German, Spanish and Italian forums copy this post and make it a stick-up. This has already been posted on the Russian forum, since we have been seeing more and more of this lately.

Paul

This post has been edited by p2u: 16.06.2007 12:03