<

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x

Tip and Tricks to Get Malware Removal Tools to Work - 2012

Published on
11,209 Points
4,809 Views
4 Endorsements
Last Modified:
Approved
Malware seems to be getting smarter and smarter. If you are having trouble being able to launch your malware removal tools such as (and recommended): MalwareBytes, HiJackThis, ComboFix, etc. you can try some of the workarounds listed below.

1. Malware is blocking your specific application's name.


Since many of the common tools have fixed names - they may be blocked by the malware. Try renaming the applications executable name from (MalwareBytes example) 'mbam.exe' to 'virus.com'
Occasionally this will work and you can launch your executable as a malicious .com file type. Be sure to set it back when you are done

2. Malware is blocking all applications.


It is more common for malware to block all applications (and tell you that you are infected - while it itself is the infection). Try this: log off the current user. Now, log back in and press 'Ctrl'+'Alt'+'Del' repeatedly until you get the task manager. If you get it in time the malware will load after you have brought the task manager up. If you are familiar with the names that are non-malicious you should be able to easily identify the malware. Usually named with random numbers and letters from 8 – 14 characters long (fjh2efhn9.exe) You can end the process and search for the file – then delete it. While the primary infection may be gone I strongly recommend you download and run a tool like MalwareBytes to clean up the remnant files and registry entries.
You may be successful in bringing up the task manager, but as soon as the malware loads it may terminate the task manager. If that occurs I recommend pulling the hard drive out and cleaning up the infection with the hard drive attached in an external enclosure on another machine.

3. Malware has broken the .exe file type


If when you go to launch an executable file you receive the dialog box ‘open file type with’ that means the malware has removed or changed the registry entry the tells Windows how to open executable files. The following is a registry fix that will correct that. Please note that changing entries in the registry is dangerous and can potentially corrupt your Windows install (although I have never had a problem with this entry)

Open notepad and type, or copy and paste the following:
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"
[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"
[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"
[HKEY_CLASSES_ROOT\exefile\shell]
[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\runas]
[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shellex]
[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

Open in new window


Save the file as ‘Exe-fix.reg’ and run the file. This will restore the executable files to working condition.

4. Current variants of malware may hide all of the files on your computer.


There is an easy command you can run to unhide these files. Open the command prompt: ‘Start’ > ‘Run’ > ‘CMD’ and hit ‘enter.  Now type in the following command: ‘attrib –h C:*.* /s /d’
This will unhide all files and folders on your C:\ drive. Repeat if necessary on other drive letters. Type attrib /? If you would like to see other options. The ‘*.*’ indicates all files as it is ‘wildcard file name . wildcard file type’.
We have found that the malware that hides the files on the computer also moves the ‘Start Menu’ items. The Start Menu items are typically moved to the user’s local temp folder. You can reach this by typing ‘%temp%’ in the title bar (where you usually see C:\Users\User Name\). Most often the files are in a folder  beginning with the letters ‘S’ or ‘SE’. Search those few folders and you should be able to find and restore them.

Conclusion

Malware is constantly evolving and finding new ways to block people from being able to remove them. I am positive I will be adding to this in the future or writing more articles with new tips and tricks regarding the future variants of malware. I am always open to input as to what others have found works as well! If you have any input, commnets, or suggestions, please leave them in the comment section below!
4
Comment
Author:MPCP-Brian
5 Comments
LVL 10

Author Comment

by:MPCP-Brian
Forgot to mention one of the most basic strategies!
Try logging in as a different user. Some infections affect one user, others all.
0
LVL 38

Expert Comment

by:younghv
1. I am curious to know why anyone would recommend (or use) any of these various manual methods when there are several automated tools available to block the malware processes and allow the various tools/scanners to function.

Have you ever tried using:
RKill: http://www.bleepingcomputer.com/download/anti-virus/rkill
RogueKiller: http://www.geekstogo.com/forum/files/file/413-roguekiller/ 
or
TheKiller: http://maliprog.geekstogo.com/explorer.exe

Suggesting manual methods (which are very prone to mis-typing) would not seem to be in the best interest of most people trying to solve malware problems.

The tools I've listed have been tested and vetted by many thousands of users and (IMO) are a far better method to use.

2. Manually creating a .reg script carries even more possibility of error (as you mention), so why not simply link to the various tools - again - vetted and proven through long use? This is only one of many examples: FixNCR.reg (http://download.bleepingcomputer.com/reg/FixNCR.reg)

3. You recommend pulling the hard drive and scanning it from another computer ("Slave Scan"), but there are two very serious considerations before attempting that:
a. Windows File Protection service is NOT running, so you could end up deleting a critical system file that will not be automatically replaced by the OS. This action could cause a BSOD when you replace the hard drive and attempt to re-boot.
b. Since the OS is not running while you do this, the rogue processes aren't either. Since the scanner cannot see the (random) file names that would be generating the rogue processes during a normal boot, it will not be able to take the proper action.
0
LVL 47

Expert Comment

by:rpggamergirl
I concur to younghv's well stated comment.
There are a few tools out there that do this, they are pre-cleanup tools like FixNCR.reg, RogueKiller, TheKiller, RKill etc., similar tools but some does more than others as in the case of Thekiller and RogueKiller.

All you need is TheKiller as the pre-cleanup tool. All the things you mentioned including hidden files, and those smtmp folders(moved startmenu shortcuts) in the temp folders, no need for searching and restoring files etc., plus a lot more is covered with this tool.

Besides slaving(which is not a good option as younghv had stated) maybe you should also mention what to do with infections like bagle which will not allow any attempt of renaming any security scanners or files.

And there are also those ZeroAccess rootkits which also stop security scanners from running and it isn't a case of broken .exes.
0
LVL 10

Author Comment

by:MPCP-Brian
Younghv and rpggamergirl,
   I appreciate your comments do believe they have vailidity. There are situations in which a manual approach can still be beneficial. One example is working remotely - assuming the tools you mentioned are not loaded previously. It can occasionally be easier to manually work through it than it is to find a way to get the tools mentioned loaded.

If you are reading this article and you are not confident in your knowledge it is best to stick to the executables and pre-build scanners mentioned. If you feel comfortable or you are like me(a low level IT tech) and you can repair any damage you may inadvertently cause feel free to get your hands dirty.
0
LVL 10

Expert Comment

by:Arman Khodabande
Yeah using automated apps are useful ...
But reading such kinds of articles adds to the knowledge of basic users and provides better understanding of what these utilities do...
I myself like to do the thing manually  although it may be a longer and harder way...  :D
Manual Malware fighting is my favorite...
(And I have a great respect for younghv and rpggamergirl, the leaders of this topic areas)

Anyway this is a good article
Thanks
0

Featured Post

Exploring SharePoint 2016

Explore SharePoint 2016, the web-based, collaborative platform that integrates with Microsoft Office to provide intranets, secure document management, and collaboration so you can develop your online and offline capabilities.

Join & Write a Comment

If you, like me, have a dislike for using Online Subscription anti-spam services, then this video series is for you. I have an inherent dislike of leaving decisions such as what is and what isn't spamming to other people or services for me and insis…
This is Part-2 of Learning to use the Power of Mailwasher Pro so if you haven't watched Part-1 yet, I urge you to do so before watching this video. Click this link to watch Part-1 (https://www.experts-exchange.com/videos/56638/Learn-to-use-the-POWER…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month