How to clean an Infected Computer using “SCRAPE”

1) If you have been using avast!, this is most likely NOT a virus infection but a spyware infection. The best antivirus programs in the world stop approximately 95% of viruses and 70% of spyware. We relied on Microsoft Windows Defender for years, but that program has become worthless and all it does is slow your machine down; we actually remove Defender from all of our systems. We have found that some users will be re-infected until properly protected. The best protection that money can buy is avast! Pro and Malwarebytes Pro combined. Over 95% of systems protected this way do not come back.

2) You no longer have to browse recklessly to get infected; any website can be compromised. Infected personal computers are a major source of revenue for organized crime. Do NOT bank from an infected machine: the malware harvests your browser cache and saved credentials and logs every keystroke, so any password typed on it must be treated as compromised.

3) I work with the folks at Bleeping Computer. They are usually at the top of the heap with removal procedures. I always research the infection that is found, and if I get a hit at Bleeping Computer, I always go there first. Lawrence Abrams is a genius. He wrote "rkill", which is usually a critical step in the infection removal process.

4) You will not be able to remove an infection while it is memory resident. Active malware defends itself: it watches for its files being deleted from the hard disk and rewrites them, and it terminates the security tools you launch. Hence "rkill", which kills the known malicious processes first, and the avast! boot-time scan, which runs before the malware can load.

5) Removal will require a combination of steps and programs to be effective (rkill, Malwarebytes, SAS, ComboFix, etc.). J.R.'s "Scrape" document is a rough guideline for when you do not know exactly which infection you are dealing with; modify the process after you have investigated and researched your infection. Most rogueware infections have many hooks, keep phoning home to download additional code, and morph right in front of your eyes. Therefore we carry the tools for the initial steps, like rkill and ComboFix, on write-protected USB flash drives: the network cable can be unplugged before anything runs, which stops the malware from phoning home, and the write protection stops it from tampering with the tools.


SCRAPE (use at your own risk, depending upon infection, some systems never work again!)

1) Disable System Restore (this discards every restore point, which is intended, since they can hold infected copies of the files you are removing) and the page file (independently verify that pagefile.sys is gone; Windows only releases it at the next reboot)

2) Disable system hibernation (independently verify that hiberfil.sys is gone)

3) Run the avast! boot-time scan (Thorough) or boot from the avast! Rescue / BART CD

The scan may flag the page file or the hibernation file; it is fine simply to delete these. Such hits are normally false positives caused by remnants of virus/spyware definition (DAT) files from programs such as Windows Defender that were paged or hibernated to disk.

4) Run rkill.exe

If the infection blocks .exe files from running, download one of the alternative builds from the source:

-Rkill.exe

-Rkill.com

-Rkill.scr

-eXplorer.exe

-iExplore.exe

# all are the same program renamed to bypass executable file restrictions

5) Run ComboFix.exe (XP, Vista and Seven, 32-bit only). Look at the files created on the infection day; many times this is the only way to find the remaining pieces.

6) Run ATF Cleaner (Empty All)

7) Run CCleaner (Cleaner Only)

8) Run Malwarebytes (Full Scan)

9) Run SuperAntiSpyware (use the portable version, as Malwarebytes Pro and SuperAntiSpyware have been known to conflict with each other, much the same as multiple antivirus programs do!)

10) Run HijackThis (it sees things nothing else here does, but it only lists the hooks it finds; research each entry before fixing it)

11) Run CCleaner if needed for booting with registry errors (Registry only; repeat until clean)

12) Re-enable System Restore and the page file (and hibernation, if the user relies on it)

13) You may need to run the System File Checker. For XP, open cmd and run sfc /purgecache, then sfc /scannow; you may need to provide the Windows installation media. For Vista and 7, open cmd as administrator and run sfc /scannow; it does not need the install DVD. Some technicians will do a repair install at this point, if needed, instead of running the System File Checker.
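The scriptable parts of SCRAPE (steps 1, 2 and 12, plus the step 5 triage of files created on the infection day) as an added PowerShell example. This is not part of J.R.'s document or of any of the tools it names; it assumes an elevated PowerShell 2.0 or later prompt on Vista or 7 (XP needs the equivalent Control Panel settings), a system drive of C:, and that the technician supplies the infection date. The function names are my own.

```powershell
# Added example (not part of the SCRAPE document): helpers for the scriptable
# SCRAPE steps. Run from an elevated PowerShell 2.0+ prompt on Vista/7.
# Assumed: the system drive is C: and the technician knows the infection date.

$SystemDrive = $env:SystemDrive          # usually "C:"

function Disable-PageFileAndHibernation {
    # Step 1: disable System Restore. This deletes every restore point, which
    # is intended: restore points can hold infected copies of removed files.
    Disable-ComputerRestore -Drive "$SystemDrive\"

    # Step 1: turn off the page file. Windows manages it automatically by
    # default, so switch that off first, then delete every explicit entry.
    $cs = Get-WmiObject -Class Win32_ComputerSystem -EnableAllPrivileges
    if ($cs.AutomaticManagedPagefile) {
        $cs.AutomaticManagedPagefile = $false
        $null = $cs.Put()
    }
    Get-WmiObject -Class Win32_PageFileSetting | ForEach-Object { $_.Delete() }

    # Step 2: hibernation off. powercfg removes hiberfil.sys straight away.
    powercfg /hibernate off
}

function Test-ScrapeFilesGone {
    # Independent verification for steps 1 and 2. pagefile.sys is only
    # released at the next boot, so run this AFTER rebooting; both entries
    # must be False before the boot-time scan.
    $results = @{}
    foreach ($name in 'pagefile.sys', 'hiberfil.sys') {
        $results[$name] = Test-Path (Join-Path "$SystemDrive\" $name)
    }
    return $results
}

function Get-FilesCreatedOn {
    # Step 5 triage: every file whose creation time falls on the infection
    # day. -Force includes hidden and system files, where droppers hide.
    param(
        [Parameter(Mandatory=$true)][DateTime]$InfectionDate,
        [string]$Root = "$SystemDrive\"
    )
    $start = $InfectionDate.Date
    $end   = $start.AddDays(1)
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       $_.CreationTime -ge $start -and
                       $_.CreationTime -lt $end } |
        Sort-Object CreationTime |
        Select-Object CreationTime, Length, FullName
}

function Enable-PageFileAndHibernation {
    # Step 12: hand the page file back to Windows, restore hibernation and
    # System Restore, then reboot so pagefile.sys is recreated.
    $cs = Get-WmiObject -Class Win32_ComputerSystem -EnableAllPrivileges
    $cs.AutomaticManagedPagefile = $true
    $null = $cs.Put()
    powercfg /hibernate on
    Enable-ComputerRestore -Drive "$SystemDrive\"
}

# Usage, first session (then reboot before the boot-time scan):
#   Disable-PageFileAndHibernation
# After the reboot, confirm both files are gone:
#   Test-ScrapeFilesGone
# Step 5 triage, e.g. for an infection first noticed on 3 March 2013:
#   Get-FilesCreatedOn -InfectionDate '2013-03-03' | Format-Table -AutoSize
# Step 12, once the scans are clean:
#   Enable-PageFileAndHibernation
```

The triage listing is deliberately wide: it will include legitimate files (Windows Update, browser caches) created that day, and a creation time can be forged, so use it to find candidates for research rather than as a deletion list. Disable-ComputerRestore and Enable-ComputerRestore exist only on client editions of Windows.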


Sincerely,

J.R.  Guthrie

President

Advantage Micro Corporation

520-290-0595

JR@Advantage77.com

“avast! is the best antivirus bar none! We haven’t had a virus spread through an avast! protected network in 8 years!”

3 comments for “How to clean an Infected Computer using “SCRAPE”

  1. J.R. Guthrie
    March 15, 2013 at 4:38 PM

    This is not an exact science, and these steps are usually modified after the infection type is determined and researched.

    If you don't change what you're doing, then the results are always the same!

  2. music lessons
    February 23, 2012 at 2:04 PM

    My spouse and I were very happy Jordan managed to complete his inquiry from the precious recommendations he grabbed while using the web site. It's not at all simplistic just to choose to be giving away techniques other folks might have been trying to sell. We really keep in mind we have got the writer to give thanks to because of that. The entire explanations you have made, the simple web site navigation, the friendships you can give support to foster: it is mostly wonderful, and it is aiding our son in addition to the family believe that the topic is interesting, and that is exceedingly pressing. Many thanks for all!

  3. Football
    February 19, 2012 at 8:48 AM

    Excellent items from you, man. I've taken note of your stuff previously and you are just too great. I actually like what you've acquired here, really like what you are saying and the way in which you are saying it. You make it enjoyable and you continue to care to keep it sensible. I can't wait to learn far more from you. This is actually a tremendous website.
