1) If you have been using avast!, this is most likely NOT a virus infection, but a spyware infection! The best antivirus programs in the world stop approximately 95% of viruses, and 70% of spyware. We have been relying on Microsoft Windows Defender for years now, but that program has become worthless, and all it does is slow your machine down. We actually remove Defender from all of our systems. We have found that some users will be re-infected until properly protected. The best protection that money can buy is avast! Pro and Malwarebytes Pro combined. Over 95% of systems, protected this way, do not come back.
2) You no longer have to browse maliciously to get infected. Every website can be compromised. The number 1 monetary fund for every organized crime syndicate and terrorist organization in the world is infections on our computers. Do NOT bank with an infected machine. They are downloading your browser cache and keylogging everything you do. Any password can now be compromised.
3) I work with the folks at Bleeping Computer. They are usually at the top of the heap with removal procedures. I always research the infection that is found, and if I get a hit at Bleeping Computer, I always go there first. Lawrence Abrams is a genius. He wrote “rkill”, which is usually a critical step in the infection removal process.
4) You will not be able to remove an infection that is memory resident. They have a self-defense mode that enables them to stay even when the code is deleted from the hard disk. Hence “rkill” and the avast! boot-time scan!
5) Removal will require a combination of events / programs to be effective (rkill, Malwarebytes, SAS, ComboFix, etc.) J.R.’s infection “Scrape” document is a rough guideline when you do not know exactly what infection you are dealing with. This process can be modified after investigation and research into your infection. Most Rogueware infections have many hooks, and continue to phone home and download additional code and consistently morph right in front of your eyes. Therefore, we use “write protected” USB flash drives for the initial steps, like rkill and ComboFix, so the network cable can be removed to prevent phoning home.
SCRAPE (use at your own risk, depending upon infection, some systems never work again!)
1) Disable system restore and page file (independently verify pagefile.sys is gone)
2) Disable system hibernation (independently verify hiberfil.sys is gone)
3) Run avast! Boot-time Scan (Thorough) or avast! Rescue / BART CD
Possible false positives can occur in the page file and hibernation file, and it is OK just to delete these. These false positives are normally due to remnants of virus / spyware definitions (DAT files) from programs such as Windows Defender, etc.
If the executable file type is blocked, download one of the other available executable types from the source (all are the same program renamed to bypass executable file restrictions).
5) Run ComboFix.exe (XP, Vista and 7 32-bit only) (look at files created on the infection day! Many times this is the only way to find those pieces)
6) Run ATF Cleaner (Empty All)
7) Run CCleaner (Cleaner Only)
8) Run Malwarebytes (Full Scan)
9) Run SuperAntiSpyware (use the portable version, as Malwarebytes Pro and SuperAntiSpyware have been known to conflict with each other, much the same as multiple antivirus programs do!)
10) Run HijackThis (sees things nothing else here does)
11) Run CCleaner if needed for booting with registry errors (Registry Only, repeat until clean)
12) Re-enable system restore and page file
13) May need to run the System File Checker. For XP, open cmd (sfc /purgecache, sfc /scannow); you may need to provide the Windows installation media. For Vista and 7, open cmd as admin (sfc /scannow); this does not need the install DVD. Some technicians will do a repair install at this point, if needed, and not run the System File Checker.
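The two “independently verify” checks in steps 1 and 2, plus the “files created on the infection day” triage from step 5, can be done from one script. This is an added example, not part of the original Scrape document; it assumes Windows PowerShell 5.1 run as administrator, and the folder list and the $InfectionDate placeholder are assumptions the technician adjusts.

```powershell
# Added example: pre-scrape verification and infection-day file triage.
# Assumes Windows PowerShell 5.1, run as administrator, network cable already pulled.
param(
    [datetime]$InfectionDate = (Get-Date).Date,   # placeholder: the day the infection appeared
    [string]$SystemDrive = $env:SystemDrive
)

# Step 1 check: the page file must be unconfigured AND physically gone before the boot-time scan.
$pageFileSettings = Get-CimInstance -ClassName Win32_PageFileSetting -ErrorAction SilentlyContinue
$pageFileOnDisk   = [System.IO.File]::Exists("$SystemDrive\pagefile.sys")   # works on hidden/system files
if ($pageFileSettings -or $pageFileOnDisk) {
    Write-Warning "Page file still configured or $SystemDrive\pagefile.sys still present: disable it and reboot."
} else {
    Write-Host "OK: no page file configured and pagefile.sys is gone."
}

# Step 2 check: hibernation must be off and hiberfil.sys deleted.
$powerKey         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
$hibernateEnabled = (Get-ItemProperty -Path $powerKey -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled
$hiberOnDisk      = [System.IO.File]::Exists("$SystemDrive\hiberfil.sys")
if ($hibernateEnabled -eq 1 -or $hiberOnDisk) {
    Write-Warning "Hibernation still enabled or hiberfil.sys present: run 'powercfg /hibernate off' and reboot."
} else {
    Write-Host "OK: hibernation disabled and hiberfil.sys is gone."
}

# Step 5 aid: list files created on the infection day in the locations rogueware commonly drops into.
# The folder list is an assumption; widen it as the investigation dictates. Creation times can be
# faked by malware, so an empty list does not prove a clean machine.
$dayStart = $InfectionDate.Date
$dayEnd   = $dayStart.AddDays(1)
$lookIn   = @("$SystemDrive\Windows", "$SystemDrive\Windows\System32", $env:ProgramData,
              $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP)
$suspects = foreach ($dir in $lookIn) {
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $dayStart -and $_.CreationTime -lt $dayEnd }
}
$suspects | Sort-Object CreationTime | Select-Object CreationTime, Length, FullName | Format-Table -AutoSize

# Keep a copy of the list for the case notes (written to the technician's desktop).
$suspects | Select-Object CreationTime, Length, FullName |
    Export-Csv -LiteralPath "$env:USERPROFILE\Desktop\infection-day-files.csv" -NoTypeInformation
```

Run it from the write-protected USB drive with `-InfectionDate` set to the day the machine was reported infected; the CSV is what you compare against ComboFix's log.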
Advantage Micro Corporation