
Thread: Got a virus, don't know what to do.

  1. DuDDy
    #1

    Got a virus, don't know what to do.

    OK, so I got this nasty little virus called Cryp_Tap-2.

    Has anyone ever encountered this nasty bitch?

    My last option as of now is reformatting.

  2. Rooster050
    #2

    Re: Got a virus, don't know what to do.


    Hey DuDDy..... Looks like you're fucked, buddy.

    description
    http://www.geekstogo.com/forum/Cryp-Tap-2-t191886.html


  3. DuDDy
    #3

    Re: Got a virus, don't know what to do.

    Gee, thanks Rooster, but reformatting got rid of it.... Now I have to install all my games and shit again.... Fuck.

  4. DJ Ms. White
    #4

    Re: Got a virus, don't know what to do.

    Try Nod32, but other than that either watch the torrents you've been downloading, go to a higher quality porn site, or both.
    enf-Jesus its been like 12 minutes and you're already worried about stats?! :-P
    Bigdog-
    Sweet home Alabama you are an idiot.

  5. DuDDy
    #5

    Re: Got a virus, don't know what to do.

    lol, believe it or not, I got it while downloading a skin for CSS from fpsbanana.com.

    Last time I use that site.

  6. jason_jinx
    #6

    Re: Got a virus, don't know what to do.

    save the pics and vids
    reformat

  7. Agent
    #7

    Re: Got a virus, don't know what to do.

    Quote Originally Posted by DuDDy
    lol believe it or not, i got it while dl a skin for CSS from fpsbanana.com

    last time i use that site.
    Well holy m'fing shit.

    I use fpsbanana almost weekly.

    And here I thought you caught it downloading animal pr0n.

    R.I.P E7 SFC Mark Alan Jacobson
    (4/12/62 - 12/24/97)
    Quote Originally Posted by digital View Post
    All this time I thought Agent was black.
    http://agentjacobson.deviantart.com/

  8. DeusInnomen
    #8

    Re: Got a virus, don't know what to do.

    heh. Man, I LOVE wrestling with viruses, they're fun to obliterate. No, really, I'm serious. If you want to learn how to handle this kind of stuff, then read on. However, be forewarned that IF YOU DO NOT KNOW WHAT YOU ARE DOING, THEN DO NOT DO ANYTHING BELOW. Get a professional or more experienced individual to do this, or stick to reformatting. You can easily neuter your Windows install if you slip up!

    Having said that, you are all thusly warned and class is now in session. Sit down, and listen carefully.

    If ya already reformatted then this is all moot, but generally speaking most viruses can be stopped with a combination of HijackThis, ProcessExplorer, RootkitRevealer and a healthy dose of both patience and beer. Here's a breakdown of what the apps do, for the uninitiated:

    HijackThis: Be careful with this one, it gives you the power to identify and destroy ANYTHING that differs from the base install of your OS, for better or worse. In other words, run a System Scan and look at what's listed. If you have no idea what the fuck you're looking at, don't touch it. Most of the things that show up are obvious, but others are less obvious. There's a handy "Info on selected item" button that explains stuff, as well as what happens when you select that item and pick "Fix checked", but I strongly reiterate: don't touch what you don't understand. You could blow away legit services and apps. Here's an example of the output, taken from a random website, so you can see what it shows you and just how detailed it is:
    Code:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myownstartpage.net/?cm=74...ibadirect.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [TOSHIBA Picture Enhancement Utility] C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe
    O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O4 - S-1-5-18 Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE (User 'SYSTEM')
    O4 - .DEFAULT Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE (User 'Default user')
    O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O4 - Global Startup: eBoostr Control Panel.lnk = C:\Program Files\eBoostr\eBoostrCP.exe
    O4 - Global Startup: Hawking Wireless Utility.lnk = C:\Program Files\Hawking\HWU8DD\HWU8DD.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
    O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - file:///F:/win/setup/iaieplay.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1162128039313
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6633CBE8-3890-4A45-A7F5-A53E4D14EE89}: NameServer = 85.255.113.94,85.255.112.234
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7A5EEB9A-372E-44F5-BD72-E95D9A3CEB8B}: NameServer = 85.255.113.94,85.255.112.234
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BD974369-5C11-4A7C-A9D7-E853A0F9065F}: NameServer = 85.255.113.94,85.255.112.234
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C992CCC9-CD86-4E93-8133-12909ED81C7F}: NameServer = 85.255.113.94,85.255.112.234
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C99B63DA-608F-4C72-9A7B-F8C55593A860}: NameServer = 85.255.113.94,85.255.112.234
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E68F8BBB-0660-4576-97A2-7AD88A6AF441}: NameServer = 85.255.113.94,85.255.112.234
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.234
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.234
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.234
    O22 - SharedTaskScheduler: djuka - {ee9f7cf5-cd49-4cd8-8ba6-1514e7a5c22c} - (no file)
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: eBoostr Service (EBOOSTRSVC) - Unknown owner - C:\Program Files\eBoostr\EBstrSvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

    ProcessExplorer: This is a standard tool for me that I pretty much run almost all the time. It's like the Task Manager on steroids and augmented with space-age cybernetics to be a process and handle hunting/killing machine. In short, you can know anything and everything about every single process running on your system. You can do simple things like kill processes (faster than the Task Manager can, sometimes) and see the full path of every running process... and more advanced things like searching by filename to see what processes are using what DLLs, handles and resources. Knowledge is power, friends.

    RootkitRevealer: This is a basic tool that reveals anything hidden from the Windows API, which is how rootkits function. You may see a few "legit" entries in here, most commonly the stupid SafeDisc shit.

    For both of the last two tools, their webpages have extensive information on their usage. Read them too.

    As for the task of hunting viruses, malware and other annoying bullshit, first you'll need to investigate the running processes and see if there's any executables not accounted for. This is best done after a clean boot, close any and every single application you can to clean up the output so you can scan faster.

    Simple Executable-Based Viruses/Malware
    It's less likely nowadays that you'll see viruses/malware running as an executable, but if your problem child is found this way, your cleanup will be much faster. Generally speaking, you just need to blow away the process(es), find how it's being launched (generally speaking, from the Registry in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, but this is what HijackThis is for: it tells you this info) and kill its methods of being relaunched. Problem solved.

    IExplore Injection Viruses/Malware
    The next most common method is the virii that are DLLs which get injected into Internet Explorer through various methods. Virtually all of these kinds of viruses nowadays exist in multiple copies and are self-replicating: as soon as it detects one of its DLLs being deleted, it INSTANTLY creates another one in the same folder. This happens when the virus has multiple DLLs and all are injected at the same time.

    Fighting these guys requires three steps: first, close any and all IExplore.exe processes; second, find the injection points and delete them; then lastly, you need to delete every single DLL involved. Missing even a single one can lead to an immediate reinfection when you next run Internet Explorer. Before you do anything else, you need to identify the virus's filename(s). With most of these kinds of viruses, they tend to have 4-6 random letter names (e.g. asdog.dll) and are in the System32 folder. If you know for a fact your infection was recent, load up Windows Explorer, go to the System32 folder, set the view to Detail, then sort by Date Modified descending to put the most recent files at the top of the list. You should see the DLLs, and any data files they created, at the top. Write down the DLLs' filenames and keep this window handy. Next, close out IE completely, then fire up ProcessExplorer. Go to the Find menu and select "Find Handle or DLL", then type in, one at a time, the names of the DLLs you identified as the virus and make sure NOTHING comes back in the search results. This means absolutely no processes are touching the files anymore, and this is what you want because you can now delete them. Go ahead and delete the files now, including any data files they made, then start HijackThis and do a System Scan. Look for any references to the DLL. You'll probably see them in the "O2 - BHO" section (Browser Helper Object), but you might see them in other places too, such as "O20 - Winlogon Notify". Check anything referencing the DLLs, then select "Fix Checked" to purge the entries. Next, open up the Registry Editor, go to the very base node of the registry, then search for the DLL names, one by one. Even though HijackThis often does a good job of eliminating these references, you may find a few leftover CLSID entries. If you find ANY references to the DLL, then browse up a few levels and look for a GUID, which looks like this: {00000010-0000-0010-8000-00AA006D2EA4}. You'll then want to search for this GUID instead, deleting the keys and subkeys that are named after the GUID. Once the GUID is eliminated, continue searching for the DLL name until it no longer exists. Do the same for any other DLLs or EXEs. This will effectively fully uninstall the virus.

    Reboot your PC, open up Windows Explorer and go back to System32 and make sure no new files appeared after reboot. They probably won't, but if they do you missed files, clean those up and repeat until nothing new appears after a reboot. At that point, launch IE and pay attention to the System32 folder still. If nothing reappears, you're clean!

    However, if, when you searched in ProcessExplorer, you found references to the DLL in question, then you'll need to kill those individual threads to release the handle. Scroll to the file in question and double-click it. Go to the Threads tab, then start stepping through each of the threads, double-clicking them one by one and reading the stack list. The first part of each line is the file it's loaded from; for example, "mscorwrks.dll!CoInitializeCor+0x6117" indicates that the file mscorwrks.dll is in use here. If you see any stacks that list the DLL you're trying to find, select it, then press Kill to blow away the thread. Repeat this for anything referencing the DLL, then search again until the DLL no longer comes up in the searches.

    Explorer Injection Viruses/Malware
    These function similarly to the IE ones, but are almost always far, far more robust and much harder to kill. In most cases, these kinds of viruses have taken me as long as four non-stop hours of hacking and fighting to outsmart and eliminate them, so fighting these is definitely not for the weak of heart or impatient. Again, these work via injection into Explorer, but because Explorer is baseline to everything in Windows, you have a much harder fight ahead of you. When fighting these pains in the ass, make sure to close out every last process that isn't the core of the OS or mandatory to operate the PC. This will make your hunt slightly easier. Next, using the same technique as in the last section, identify the virus's filename(s). These are usually in System32, too, but also check your root and temporary folders and look for any unexpected folders in "C:\Program Files" and "C:\Program Files\Common Files" that might be related. You'll definitely need to know exactly who your enemy is to pull this off.

    Next, you're going to go on a hunt to kill every single handle open against the EXE(s) and DLL(s), as per the last paragraph of the previous section. It's not so simple as blowing away Explorer, cause you need it handy to do your work and it'll likely relaunch itself in some situations anyways. Provided this goes smoothly and you eliminate the references, you'll want to then use HijackThis to kill every reference in there. Next, do the same search in the Registry Editor for the DLL/EXE name(s), but be much more careful and aware of what you're deleting, as now you're likely to touch things directly affecting Explorer itself and you can cause serious, irreparable damage to your installation if you mess up here. When searching for the GUID, be sure to only delete folders that match the GUID, and only delete subkeys that reference the GUID. After this, you should be able to safely delete the virus's files. Reboot and see if they're still being loaded. If not, you win!

    If you get access denied errors while trying to kill certain threads within Explorer, though, it's gonna be harder to defeat. Typically, at this point the virus is not only doing its intended purpose, but it's also monitoring the registry and file system, watching for any changes to the things which affect its ability to be loaded. If you try deleting the CLSID entry for the virus while it's running, for example, it'll simply recreate the entry before you've browsed away from the folder! This is one of the cases where killing Explorer's process will be helpful: it should release the handle in question, so you can proceed with the rest of the cleansing. To delete the files at this point, do this from the command line instead of Windows Explorer, so as to prevent the virus from relaunching itself.

    I think the worst virus I had to deal with recently was so deeply rooted in the file system that I was unable to delete the son of a bitch until I blew away the RPC service, thus forcing the reboot countdown and killing all processes so I could go delete the virus file finally. THAT was entertaining, talk about racing the clock. :P

    ---

    This should cover most of the scenarios y'all see with viruses and malware. If you have any questions, ask away.
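    Added example (not part of DeusInnomen's post and not code from the HijackThis project): a small Python triage script for a saved HijackThis log in the format quoted above. It parses the R/O lines, then flags the things a reviewer would look at first: O17 NameServer values that are not on a resolver allow-list (the quoted log's 85.255.x.x entries are exactly this case), O9/O22 entries whose target file is missing, O4 Run entries under the Policies key or without a full path, and R0/R1 start or search pages pointing somewhere other than the vendor defaults. SAMPLE_LOG is an abridged copy of lines from the log above; KNOWN_RESOLVERS and KNOWN_IE_HOSTS are assumed allow-lists you would fill in for your own machine. A flag means "verify this entry", not "this is malware": the bare-name Toshiba entries in the log above are legitimate and still get flagged.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Abridged lines from the HijackThis log quoted in the post (sample input only).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myownstartpage.net/?cm=74...ibadirect.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.234
O22 - SharedTaskScheduler: djuka - {ee9f7cf5-cd49-4cd8-8ba6-1514e7a5c22c} - (no file)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# Assumed allow-lists: the DNS resolvers this machine is supposed to use
# (e.g. the home router) and the hosts the OEM/Microsoft set as IE defaults.
KNOWN_RESOLVERS = {"192.168.1.1"}
KNOWN_IE_HOSTS = {"go.microsoft.com", "www.toshiba.com"}

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# A fully qualified path to an .exe/.dll, optionally quoted.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll))"?', re.IGNORECASE)


def parse_log(text):
    """Split a HijackThis log into (section code, body) pairs, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(text):
    """Return (code, reason, detail) tuples for entries that deserve a manual look."""
    findings = []
    for code, body in parse_log(text):
        if code in ("R0", "R1"):
            # "...,Start Page = http://..." ; the value may be empty (Local Page lines)
            url = body.split(" = ", 1)[1].strip() if " = " in body else ""
            host = urlsplit(url).hostname if url else None
            if host and host not in KNOWN_IE_HOSTS:
                findings.append((code, "start/search page not a vendor default", host))
        elif code == "O17":
            # NameServer lists are comma- or space-separated depending on the key
            raw = body.split("NameServer =", 1)[1] if "NameServer =" in body else ""
            for server in re.split(r"[ ,]+", raw.strip()):
                try:
                    ip_address(server)
                except ValueError:
                    continue
                if server not in KNOWN_RESOLVERS:
                    findings.append((code, "unexpected DNS server", server))
        elif code == "O4":
            if r"Policies\Explorer\Run" in body:
                findings.append((code, "Run entry under Policies key (rare for legitimate software)", body))
            else:
                target = body.split("] ", 1)[1] if "] " in body else body
                if not PATH_RE.search(target):
                    findings.append((code, "Run entry without a full path; confirm which file actually runs", body))
        elif "(file missing)" in body or "(no file)" in body:
            findings.append((code, "entry points to a missing file (orphaned or hidden target)", body))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code:4} {reason}: {detail}")
```

    Run it against your own saved log by reading the file into `triage()` instead of SAMPLE_LOG. The O17 check is the one worth keeping even after a reformat: a NameServer you did not configure means every lookup on the box was being answered by someone else's resolver.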

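    A second added example, also not from the post: Python that walks the two investigative steps the "IExplore Injection" and "Explorer Injection" sections above describe for an injected DLL. It lists a System32 folder newest first and keeps the 4-6 letter .dll names, then searches a Registry Editor export (the .reg text you get from File > Export in regedit) for any key whose path or values mention those names, pulls the GUID out of each hit, and collects every key named after that GUID as the set to review. It only reports and deletes nothing, so it can be run against an export before touching the live registry. The folder contents, the .reg text and the asdog.dll name are constructed sample data; the GUID is the format example from the post.

```python
import os
import re
import tempfile
import time

# The naming pattern the post describes: 4-6 letters, .dll extension.
SHORT_NAME_RE = re.compile(r"^[a-z]{4,6}\.dll$", re.IGNORECASE)
GUID_RE = re.compile(
    r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
)

# Constructed .reg export: a CLSID registered as a BHO whose InprocServer32
# points at the suspect DLL, plus an unrelated Run key that must NOT be touched.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000010-0000-0010-8000-00AA006D2EA4}]
@="Sample BHO"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000010-0000-0010-8000-00AA006D2EA4}\InprocServer32]
@="C:\\WINDOWS\\system32\\asdog.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000010-0000-0010-8000-00AA006D2EA4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""


def build_sample_system32():
    """Constructed stand-in for System32: long-named system DLLs plus two fresh
    short-named files, with mtimes set so the fresh ones sort to the top."""
    folder = tempfile.mkdtemp(prefix="sys32_")
    now = time.time()
    ages = {"kernel32.dll": 86400 * 400, "shdocvw.dll": 86400 * 300,
            "asdog.dll": 60, "qwert.dll": 120, "asdog.dat": 30}
    for name, age in ages.items():
        path = os.path.join(folder, name)
        with open(path, "wb") as fh:
            fh.write(b"\0")
        os.utime(path, (now - age, now - age))
    return folder


def recent_short_dlls(folder, newest=20):
    """Sort by Date Modified descending (as the post does in Explorer) and keep
    the short-named .dll files among the `newest` entries."""
    entries = [(e.name, e.stat().st_mtime) for e in os.scandir(folder) if e.is_file()]
    entries.sort(key=lambda t: t[1], reverse=True)
    return [name for name, _ in entries[:newest] if SHORT_NAME_RE.match(name)]


def parse_reg_export(text):
    """Parse .reg text into {key path: [value lines]}, preserving key order."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = []
        elif current is not None and line:
            keys[current].append(line)
    return keys


def find_references(keys, dll_names):
    """Keys whose path or values mention any of the DLL names (case-insensitive)."""
    targets = [d.lower() for d in dll_names]
    hits = []
    for path, values in keys.items():
        blob = (path + "\n" + "\n".join(values)).lower()
        if any(t in blob for t in targets):
            hits.append(path)
    return hits


def keys_named_after(keys, guids):
    """Every key whose path contains one of the GUIDs: the set the post says to review."""
    return [p for p in keys if any(g in p.upper() for g in guids)]


def plan_cleanup(reg_text, dll_names):
    keys = parse_reg_export(reg_text)
    refs = find_references(keys, dll_names)
    guids = {g.upper() for p in refs for g in GUID_RE.findall(p)}
    related = keys_named_after(keys, guids)
    return {"references": refs, "guids": sorted(guids),
            "review": sorted(set(refs) | set(related))}


if __name__ == "__main__":
    suspects = recent_short_dlls(build_sample_system32())
    print("short-named recent DLLs:", suspects)
    for key, paths in plan_cleanup(SAMPLE_REG, suspects).items():
        print(key)
        for p in paths:
            print("   ", p)
```

    The `review` list is what you would walk through in regedit one key at a time; the script deliberately stops short of deleting because, as the post warns for the Explorer case, keys under the same GUID can belong to components Explorer itself needs.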
  9. WileECyte
    #9

    Re: Got a virus, don't know what to do.

    I use the option in ProcessExplorer to replace task manager with Process Explorer.

    I'd wager it was a drive-by infection/injection as you suggested. Easy way to prevent that is to not use Internet Exploder. Sure, it can happen with Firefox or other browsers, but there are more unpatched vulnerabilities on IE than any other browser.

  10. DJ Ms. White
    #10

    Re: Got a virus, don't know what to do.

    Maybe someone should submit a certain post as an article...
    enf-Jesus its been like 12 minutes and you're already worried about stats?! :-P
    Bigdog-
    Sweet home Alabama you are an idiot.
