Remove infected locked files and more

I am fighting with a friend from work’s personal computer and have removed a lot of viruses, malware, etc. off of it so far. Something is still a little fucked with it, but I made some good progress. I’ve learned of a few handy little freeware programs in the process and I thought I’d share.

First off is Advanced Process Manipulation, a lightweight program that acts as a more advanced version of Task Manager. You can see all the running processes and also which DLLs each one has loaded (and is therefore keeping locked). You can end the whole process or just unload individual DLLs from it. Pretty handy for finding out which files a process is tying up.

Next we have the Locked Files Wizard, another small program that is incredibly handy. It lets you pick protected Windows files and rename, delete, move, or replace them. The only really useful thing to do with it (and the best way not to fuck up your copy of Windows) is to replace corrupt/infected system files with a copy of good files off another computer. I thought she had some infected system files, namely comctl32.dll, so I replaced the file with this program.
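To show the two checks the tools above are used for (which processes are holding a DLL, and whether that DLL actually differs from a known-good copy before you go replacing it), here is an added PowerShell example. It is not from the original post or from either tool; it assumes you run it as Administrator on a reasonably modern PowerShell (Get-FileHash needs 4.0 or later, so it would not run on the XP box in the post), and the reference directory D:\clean\system32 is a placeholder for wherever you copied the good files from another computer.

```powershell
# Added example: triage a suspect/locked DLL before replacing it.
# Usage: .\Check-LockedDll.ps1 -DllName comctl32.dll -KnownGoodDir D:\clean\system32
# Assumptions: run as Administrator; $KnownGoodDir holds files from the SAME Windows build
# (a hash from a different service pack will not match and tells you nothing).
param(
    [Parameter(Mandatory = $true)] [string] $DllName,
    [string] $KnownGoodDir = 'D:\clean\system32'   # placeholder, point at your reference copy
)

# 1. Which processes have the DLL loaded? These are the ones "tying up" the file; they
#    (or the module inside them) have to go before the file can be renamed or replaced.
$holders = foreach ($p in Get-Process) {
    try {
        foreach ($m in $p.Modules) {
            if ($m.ModuleName -ieq $DllName) {
                [pscustomobject]@{ PID = $p.Id; Process = $p.ProcessName; Path = $m.FileName }
            }
        }
    } catch {
        # 32/64-bit mismatch or a protected process: module list is not readable, skip it
    }
}
Write-Host "Processes holding ${DllName}:"
$holders | Format-Table -AutoSize

# 2. Does the copy on disk differ from the known-good one? Compare SHA-256 hashes and the
#    Authenticode status so you only replace a file that is actually wrong.
#    Caveat: many OS DLLs are signed via a catalog rather than an embedded signature, so on
#    older builds the cmdlet may say NotSigned for a perfectly good file; treat the hash
#    match against the reference copy as the primary evidence.
$paths = $holders | Select-Object -ExpandProperty Path -Unique
foreach ($path in $paths) {
    $live    = Get-FileHash -Algorithm SHA256 -Path $path
    $sig     = Get-AuthenticodeSignature -FilePath $path
    $ref     = Join-Path $KnownGoodDir (Split-Path $path -Leaf)
    $refHash = if (Test-Path $ref) { (Get-FileHash -Algorithm SHA256 -Path $ref).Hash } else { '<no reference copy>' }
    [pscustomobject]@{
        Path      = $path
        Signature = $sig.Status                    # 'Valid' for an embedded Microsoft signature
        Signer    = $sig.SignerCertificate.Subject
        LiveHash  = $live.Hash
        RefHash   = $refHash
        Match     = ($live.Hash -eq $refHash)      # $true means the file is fine, leave it alone
    } | Format-List
}

# 3. Bonus: list modules inside explorer.exe that carry no valid signature. An unexpected
#    entry here is the kind of injected DLL a process viewer would show you.
Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
    $_.Modules | ForEach-Object {
        $s = Get-AuthenticodeSignature -FilePath $_.FileName
        if ($s.Status -ne 'Valid') {
            [pscustomobject]@{ Module = $_.FileName; Status = $s.Status }
        }
    }
} | Format-Table -AutoSize
```

The point of step 2 is that a hash mismatch (or a missing reference copy) is what justifies pulling out the Locked Files Wizard; a match means the file was never the problem and the real culprit is a module somewhere in step 1 or step 3.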

I discovered a couple of free anti-virus programs that made AVG look like crap (admittedly not difficult). Avira seems to have positive reviews, so I tried that out and it was not bad. ClamWin Portable was also quite handy. It installs and updates into a single folder, so it is easily copied to a flash drive and can be run from there on another computer. Of course, Spybot is always a great help too.

There is a nice little guide here that gives methods for removing protected files and links to many more utilities like the ones above. So, if what I’ve listed above doesn’t work for you, check it out.

If you have any more suggestions for nice freeware utilities/software, or helpful suggestions for when “just rebuild it” isn’t the best option, feel free to comment and add your thoughts.

-Dave out


4 thoughts on “Remove infected locked files and more”

  1. Saving an infected computer is quite an accomplishment. I’ve never heard of someone being able to do it before. Did the surgery take? Or was his computer reinfected?

    Also CCleaner is good.

  2. This was for a friend that is not a computer person, nor is her husband or 6 year old daughter. I don’t think “use linux” would help them. Considering I don’t even use it. =P

    Actually, I did manage to recover the PC. I used many different programs to narrow down and destroy the harder to catch malware. I was quite annoyed that Kaspersky’s “rescue disk” did not seem to work well with Bart PE (the program it was designed to work with).

    The RAM disk was limited by the software to 96 MB, and that was not enough to properly load Kaspersky. The software would load and run, but the definition files were not all there. It’s funny too, because it would find the two last infections but was unable to label them nor remove them.

    I ended up giving up on the rescue disk when I thought of something I should have done from the start. I put the HDD in another computer and scanned it (as a D: drive) with the Kaspersky that was installed on that Windows box. It found the two last infections and killed them. But that also broke explorer.exe in the process. 😦

    The malware had made it so explorer.exe thought it needed a component of comctl32.dll that was created by the infection (and no longer existed). So it would not run. I could get into Windows somewhat and run a command prompt though.

    I decided to try installing SP3 on the PC, I figured that would rebuild and replace the bad system files, and it did. After that the PC would boot, everything seemed to run properly and Avira guard ran properly again as did the updater (the malware was not allowing the active “guard” service to run before and the updates would fail too). It is pretty standard for malware to interfere with AV software. Kaspersky wouldn’t even install on that PC while it was infected.

    I can’t say for certain that the PC is 100% perfect now, but considering with all the programs I used I removed a total of 200+ trojans, key loggers, malware, tracking cookies, etc, etc, and it is running properly again, I’d say that’s pretty good.

    Of course, a total rebuild of the PC would have been best. But she did not have a recovery disc nor an OEM copy of Windows XP. I did D/L a torrent of an .iso of Windows XP Home, that was going to be my last resort (using the serial key from the sticker on her PC), but by the end of things the PC started to work well again, so I left it.

    I left Avira antivirus on there for her. And told her to not worry about buying one for now. I can’t honestly say that I love its interface, but I’ve read good things about its detection rate (as far as free AV software goes). And considering that she had absolutely no AV software on that box, it should be about 1000X better than that.
