Recently I had a laptop to clean up that had been infected with “Anti-malware Doctor”. Normally I would just recommend rebuilding the machine, i.e. formatting the drive and reinstalling Windows. The problem with this approach was that the user had several photos, documents and files that they had not backed up and did not want to lose.

The Problem

This software completely takes over the machine: nothing could be done under the user account, the CPU was constantly pegged at 100% usage, and it would not allow any executables to run.


Below are the steps that I took to clean the machine.

At first I logged into another user account. On a CD I had a little utility, rkill.com, which identifies and kills running malicious processes. After a good while, once it was able to run, it managed to kill the following:

C:\windows\system32\regedit.exe
C:\windows\system32\rundll32.exe
C:\windows\Temp\_ex_08.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe

After these had been killed it allowed the PC to run as normal.
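The same kind of triage rkill did above, as an added example: this is not rkill's code and is not from the original post. It flags processes whose image runs from a temp folder (the rkill list had one in C:\windows\Temp) and processes holding a large share of the CPU (the machine was pegged at 100%). It assumes PowerShell 3.0 or later, run as administrator; the 50% threshold and the two-second sample are my choices.

```powershell
# Added example, not rkill's code or anything from the original post: triage running
# processes, flagging images that run from a temp folder and processes eating the CPU.
# Assumes PowerShell 3.0 or later, run as administrator.

# Temp folders worth suspecting; Get-Item expands 8.3 short names such as C:\DOCUME~1\...
$tempDirs = @($env:TEMP, "$env:windir\Temp", "$env:LOCALAPPDATA\Temp") |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    ForEach-Object { (Get-Item -LiteralPath $_).FullName.TrimEnd('\').ToLower() } |
    Sort-Object -Unique

# CPU seconds consumed so far; 0 for processes we are not allowed to read (System, Idle, protected)
function Get-CpuSeconds($proc) {
    try { return [double]$proc.TotalProcessorTime.TotalSeconds } catch { return 0.0 }
}

# Sample CPU time twice so we see current load, not the total since the process started
$sampleSeconds = 2
$before = @{}
foreach ($p in Get-Process) { $before[$p.Id] = Get-CpuSeconds $p }
Start-Sleep -Seconds $sampleSeconds

$rows = foreach ($p in Get-Process) {
    $now   = Get-CpuSeconds $p
    $start = if ($before.ContainsKey($p.Id)) { $before[$p.Id] } else { $now }
    # Fraction of one core used during the sample, scaled to a percentage of the whole machine
    $cpuPct = ($now - $start) / $sampleSeconds * 100 / [Environment]::ProcessorCount
    $path = if ($p.Path) { $p.Path.ToLower() } else { '' }   # Path is empty for protected/system processes
    $fromTemp = [bool]($tempDirs | Where-Object { $path.StartsWith($_ + '\') })
    [PSCustomObject]@{
        Id       = $p.Id
        Name     = $p.Name
        CpuPct   = [math]::Round($cpuPct, 1)
        FromTemp = $fromTemp
        Path     = $p.Path
    }
}

# Anything running out of Temp, or holding a large share of the CPU, is what to look at first
$rows | Where-Object { $_.FromTemp -or $_.CpuPct -ge 50 } |
    Sort-Object CpuPct -Descending |
    Format-Table -AutoSize

# Once a process is confirmed as malicious, this is the equivalent of what rkill did above:
# Stop-Process -Id <pid> -Force
```

The listing is deliberately separate from the kill step: regedit.exe and rundll32.exe are legitimate Windows binaries that the infection was abusing, so the path and CPU figures tell you which instances to stop, not that the binaries themselves are bad.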

Cleanup

I then quickly installed Malwarebytes Anti-Malware, updated it with all the latest definition files and immediately ran a Quick Scan.

Once this had completed it had found well over 80 items installed that should not have been there. It cleaned these off and recommended a reboot; after the reboot had completed I ran a full scan of the system, which found around a dozen further items that were also removed.

After the software had cleaned all the malware off the system, I decided to clean out the temp directory. Before you do this, ensure that you have the setting enabled to Show Hidden Files and Folders.

To do this, open My Computer, click on the Tools menu and select Folder Options (Windows XP). Click on the View tab and you will see the option under Advanced settings. Once you have selected the radio button for Show hidden files and folders, click OK to leave the options window.

Then delete everything (Shift-Delete, so it does not go to the Recycle Bin) from C:\Documents and Settings\Username\Local Settings\Temp. I say this because there were a lot of dubious-looking files in there, for example a lot of files relating to the _ex_08.exe mentioned above.
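An added example of auditing the Temp folder before emptying it, covering the hidden-files point above without going through Folder Options; this is not from the original post. It lists every file including hidden ones, marks executables and hashes them so they can be looked up, and leaves the actual deletion as a commented-out line. It assumes PowerShell 4 or later (Get-FileHash) and uses the Windows XP profile path from the post, falling back to $env:TEMP on newer Windows.

```powershell
# Added example (not from the original post): audit a user's Temp folder before
# deleting it, listing hidden files and executables that a Quick Scan may have
# left behind. Assumes PowerShell 4+ (for Get-FileHash); the path below is the
# Windows XP profile layout used in the post, with $env:TEMP as a fallback.
param(
    [string]$TempPath = "C:\Documents and Settings\Username\Local Settings\Temp"
)

if (-not (Test-Path -LiteralPath $TempPath)) {
    $TempPath = $env:TEMP   # Vista and later: C:\Users\<name>\AppData\Local\Temp
}

# -Force includes hidden and system files, which is why the post turns on "show hidden files"
$files = Get-ChildItem -LiteralPath $TempPath -Recurse -Force -File -ErrorAction SilentlyContinue

$report = foreach ($f in $files) {
    $isExe    = $f.Extension -match '^\.(exe|dll|scr|com|bat|cmd|vbs)$'
    $isHidden = $f.Attributes.HasFlag([IO.FileAttributes]::Hidden)
    [PSCustomObject]@{
        Path       = $f.FullName
        SizeKB     = [math]::Round($f.Length / 1KB, 1)
        Created    = $f.CreationTime
        Hidden     = $isHidden
        Executable = $isExe
        # Hash executables so they can be checked against a vendor database before deletion
        SHA256     = if ($isExe) { (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash } else { $null }
    }
}

# Executables and hidden files first, newest first: that is where leftovers like _ex_08.exe show up
$report | Sort-Object -Property @{Expression='Executable'; Descending=$true},
                               @{Expression='Hidden';     Descending=$true},
                               @{Expression='Created';    Descending=$true} |
    Format-Table -AutoSize

# Only after reviewing the list, the equivalent of Shift-Delete on the folder contents (no Recycle Bin):
# Remove-Item -LiteralPath "$TempPath\*" -Recurse -Force
```

Keeping the hashes from this listing is worthwhile even if you go on to delete everything, since they are the only record of what was on the machine once the folder is emptied.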

They had purchased Kaspersky Anti-Virus and wanted it installed. I installed it for them and as soon as it started it found a rootkit, which it removed. It then rebooted and started another full scan, found a few more small items, and cleared all of these last items out.

After this, as a precaution, I rebooted the PC and completed a full malware and antivirus scan once more, just to ensure that nothing was left. I made sure that automatic updates were running, so that whenever the machine starts it will always get the latest updates and stay protected. I am always a bit shocked when users disable the automatic updates of antivirus software.

The final task was to install the latest Windows updates, but I found that I could not connect to any web pages: the machine had somehow been set up to use a proxy server. Once I un-ticked that box all was well again.

To check the settings, go to Tools -> Internet Options -> Connections tab -> LAN Settings and un-tick the box for Use a proxy server. This had to be done for all the users.
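The proxy check above is a per-user setting, which is why it had to be repeated for every account. As an added example, not from the original post, the script below reads the same setting from the registry for every user hive that is currently loaded and flags any account where the box is ticked. It assumes PowerShell 3.0 or later, run as administrator; the registry key and the ProxyEnable, ProxyServer and AutoConfigURL values are the ones Internet Options writes.

```powershell
# Added example (not from the original post): check the "Use a proxy server" setting
# for every user profile whose hive is loaded, the same box the post un-ticks in
# Internet Options -> Connections -> LAN Settings. Run in an elevated PowerShell.
$relKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# HKEY_USERS holds one subkey per loaded profile (by SID), plus .DEFAULT and *_Classes keys
$hives = Get-ChildItem -Path Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }

$results = foreach ($h in $hives) {
    $keyPath = "Registry::HKEY_USERS\$($h.PSChildName)\$relKey"
    $props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue

    # Resolve the SID to an account name where possible, otherwise keep the SID
    try {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($h.PSChildName)
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = $h.PSChildName
    }

    [PSCustomObject]@{
        User        = $name
        KeyPath     = $keyPath
        ProxyEnable = [int]($props.ProxyEnable)   # 1 = "Use a proxy server" ticked
        ProxyServer = $props.ProxyServer
        AutoConfig  = $props.AutoConfigURL        # a PAC URL is another way to redirect traffic
    }
}

$results | Format-Table User, ProxyEnable, ProxyServer, AutoConfig -AutoSize

# Flag what the infected laptop showed: proxy switched on for the account
$suspect = $results | Where-Object { $_.ProxyEnable -eq 1 -or $_.AutoConfig }
if ($suspect) {
    Write-Warning "Proxy settings are enabled for: $($suspect.User -join ', ')"
    # To clear an account, which is what un-ticking the box does:
    # Set-ItemProperty -Path $suspect[0].KeyPath -Name ProxyEnable -Value 0
    # Remove-ItemProperty -Path $suspect[0].KeyPath -Name ProxyServer -ErrorAction SilentlyContinue
}
```

Only hives that are loaded appear under HKEY_USERS, so accounts that have never logged in since boot are not covered; either log in as each user, as the post did, or load that profile's NTUSER.DAT with `reg load` before running the check.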

After all the Windows updates were installed everything was well, and the laptop was delivered back to them with a copy of all their pictures burned to DVD.

Recommendations

I did make some recommendations: that they leave automatic updates on, and that they purchase an external drive so they can back up the PC at regular intervals if they do not want to lose any data from the machine. One option is the Hitachi portable drive I reviewed recently; you can read that review here.

The software and utilities I used can be uploaded upon request.