Thursday, January 8, 2009

So Am I Infected Or Aren't I Infected?!

There I was, staring at a large window taking up most of the screen. The window was titled, "Spyware Guard 2009" and it was scanning the workstation for viruses, Trojans, rootkits, and malware. A results window showed a growing list of Windows system files that were infected. A handy progress bar at the bottom of the window crept up to the 32% completion mark...

WHAT A BOGUS LOAD OF MISLEADING RUBBISH!

Seriously folks, how do people fall for this stuff? It took me a full hour to disinfect the machine of this "Spyware Guard" nonsense.

A NOTE: Geek Squad and hokey computer stores charge way too much to disinfect machines and oftentimes leave infection remnants behind that lead to easier infections down the road. The worst of the worst "Computer Geeks" scare people into believing that the only true way to clean their uncleanable machine is to format/reinstall, which puts more money in their pockets.

DON'T BE A VICTIM!!

Here are the steps I took to clean the machine. Most of these are the best results from trial & error that I found while disinfecting other workstations from the likes of this and the ever-revised "Antivirus 2008 - XP - 2009" infections.

  1. Use a thumb drive to transfer onto the machine's C:\ drive a program called "COMBOFIX.EXE" from www.bleepingcomputer.com/combofix/how-to-use-combofix
  2. Rename the file to d.exe or similar. Don't bother trying to run the program - the infected machine's resources are being hogged and some of these nasties are smart enough to block the program from running at all
  3. Run "msconfig" - START > Run > msconfig and hit ENTER
  4. Click on the "Startup" tab and search for any entries for Spyware Guard or the like and untick its box to keep it from running at startup (this won't actually stop it from running. It gives you a slim window to do step 6 below - remember you ARE INFECTED!)
  5. Reboot the machine
  6. As SOON as you are able click on START > RUN and type as fast as you can C:\d.exe (or whatever you renamed COMBOFIX.EXE)
  7. If you are quick (and lucky) Combofix will start and after a long, long wait it will ask for permission to reboot because rootkits have been found
  8. Let Combofix reboot your machine and wait a long, very long time as files are deleted
  9. Once Combofix is completed you can move to step 10. If your desktop isn't showing you can reboot your machine or you can hit CTRL+ALT+DEL and open Task Manager. Click on FILE > New Task and type C:\Windows\explorer.exe to run
  10. YOU ARE STILL INFECTED - I repeat YOU ARE STILL INFECTED - Continue on
  11. Get on the Web and Google for MALWAREBYTES over at malwarebytes.org
  12. Download mbam.exe from the site. Install it and allow it to update and run
  13. Choose to do a thorough search and allow it to remove the rest of the nastiness
  14. Delete your renamed Combofix.exe from the machine

Your machine is now clean...
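As a follow-up check, here is an added example (not part of the original post) that lists the autostart locations msconfig's "Startup" tab is built from and flags any entry matching the rogue-AV names mentioned above. The name patterns are my assumptions; the script only reports and removes nothing.

```powershell
# Added example, not from the original post: enumerate Run/RunOnce registry keys
# and the Startup folders, then flag entries matching rogue-AV name patterns.
# Patterns are assumed for this page; real infections also use random names,
# so review every unfamiliar entry, not just the flagged ones.
$suspectPatterns = @('Spyware\s*Guard', 'Antivirus\s*200[89]', 'Antivirus\s*XP')

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-Suspect([string]$text) {
    foreach ($p in $suspectPatterns) {
        if ($text -match $p) { return $true }
    }
    return $false
}

$all = @()       # every autostart entry found
$flagged = @()   # entries matching a suspect pattern

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSDrive/etc. metadata; skip those
        if ($prop.Name -like 'PS*') { continue }
        $entry = "$key : $($prop.Name) => $($prop.Value)"
        $all += $entry
        if (Test-Suspect $entry) { $flagged += $entry }
    }
}

# Per-user and all-users Startup folders also launch programs at logon
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    if (-not (Test-Path $dir)) { continue }
    foreach ($item in Get-ChildItem -Path $dir | Where-Object { -not $_.PSIsContainer }) {
        $entry = "$dir : $($item.Name)"
        $all += $entry
        if (Test-Suspect $entry) { $flagged += $entry }
    }
}

"Autostart entries found: $($all.Count)"
$all | ForEach-Object { "  $_" }
"Entries matching rogue-AV patterns: $($flagged.Count)"
$flagged | ForEach-Object { "  !! $_" }
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; a clean machine should list only software you recognise and zero flagged entries.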


Deion "Mule" Christopher
