Attempting to clean a virus/malware infected PC

[jerzdawg]

Windows 7 SP1 - fully updated (with the exception of 2 optional updates that fail)

 

Virus/Malware was the typical hijack screen that says you broke copyright or watched underage xxx content, pay X dollars etc. 

 

Everything has been cleaned using Spybot, CC Cleaner, Security essentials etc.  Everything is clean, no errors or anything.  Error message when attempting to start the Security Center Services in control panel.  I looked up the error message and it seems like I need WMI service to run that service.  When I attempt to start WMI, I get an error message.  Turns out the entire folder is gone (c:\windows\system32\wbem\repository)

 

Attempted to run Windows WMI fix (it fails), attempted a fun manual scripts I found online and everyone of them fails (I think thats because they are expecting DLL or MAP files to be in this directory to fix).

 

Is there anyway to "install" the WMI service from scratch, I am close to just reinstalling but trying to get this person to back up their files will waste too much of my time.

[+Warwagon MVC]

Maybe try the eset service repair tool

 

http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe

 

I would rescan that system with

 

Malwarebytes

tdsskiller

Himan pro..

 

I've heard spybot isn't very good any more and I wouldn't trust any MSE scan results.

[Dot Matrix]

My rule of thumb for malware: Nuke it from orbit. Since you appear in control of the HDD, I'd just nuke it and start over (after backing up your data, if need be).

 

EDIT: Heck, you might even just be able to repair it with install media.

[sc302 Veteran]

Here is my shotgun approach
Tdsskiller
Combofix
Hitman pro
Malwarebytes
Eset online scanner
Mse

[bassfisher6522]

Is Hitman Pro free? 

[sc302 Veteran]

for enough time to run a scan and repair.  It is free for 30 days.

[StrikedOut]

Found this,

1) Start the computer and press F8 on boot up and select Safe Mode.

2) In the start menu type "cmd" (without quotes) and on the top search result, right click the program icon and choose Run as administrator

3) Type "net stop winmgmt" (without quotes) and press Enter to make certain the WindowsManagementInstrumentation (WMI) service is not running.

4) Open a Windows Explorer and locate the path to C:\ windows\system32\WBEM\ folder and rename the Repository folder to something else like RepositoryOLD (right click and choose 'Rename Folder').

5) Reboot and restart as normal.

6) In the start menu type "cmd" (without quotes) and on the top search result, right click the icon and choose Run as administrator

7) Type "net stop winmgmt" (without quotes) and press enter to stop the WMI service.

8) Type "winmgmt /resetRepository" (without quotes) and restart the computer.

from here, http://social.technet.microsoft.com/Forums/en-US/11d6d64e-543b-40cd-a0f6-ba97c3806fbb/wmi-corrupt-how-to-reinstallrepair?forum=itprovistasetup

Worth a try.

[Riggers]

If all else fails try the manual rebuild shown at the very bottom of this technet page (under the red writing)

 

http://blogs.technet.com/b/askperf/archive/2009/04/13/wmi-rebuilding-the-wmi-repository.aspx

[sc302 Veteran]

You could always bring the computer to me...

[techbeck]

For malware that is so entrenched in Windows, would be the best bet to backup, wipe, and start over.  Chances of you getting every little piece of infected files off your system is low.

[CougarDan]

KillZA (FoolishIT) for WMI/Firewall regfixes (program is designed to remove older version of ZeroAccess but the fixes are still valid)

Tweaking (Tweaking.com)  for WMI purge and creation.

 

 

The programs you mentioned are junk for the most part when it comes to removing viruses.  I'd recommend:

 

aswMBR

Roguekiller

Hitman Pro (avoid activating unless necessary, use for detection and manual removal.  Save the activation for when nothing else works)

[jerzdawg]

Found this,

1) Start the computer and press F8 on boot up and select Safe Mode.

2) In the start menu type "cmd" (without quotes) and on the top search result, right click the program icon and choose Run as administrator

3) Type "net stop winmgmt" (without quotes) and press Enter to make certain the WindowsManagementInstrumentation (WMI) service is not running.

4) Open a Windows Explorer and locate the path to C:\ windows\system32\WBEM\ folder and rename the Repository folder to something else like RepositoryOLD (right click and choose 'Rename Folder').

5) Reboot and restart as normal.

6) In the start menu type "cmd" (without quotes) and on the top search result, right click the icon and choose Run as administrator

7) Type "net stop winmgmt" (without quotes) and press enter to stop the WMI service.

8) Type "winmgmt /resetRepository" (without quotes) and restart the computer.

from here, http://social.technet.microsoft.com/Forums/en-US/11d6d64e-543b-40cd-a0f6-ba97c3806fbb/wmi-corrupt-how-to-reinstallrepair?forum=itprovistasetup

Worth a try.

Thanks all.. Ill try this tonight when I get home.  I'm mostly convinced all traces are gone, now I am more focused on getting WMI installed and running again, yes its easy to just reinstall, but then you dont learn anything.

[StrikedOut]

yes its easy to just reinstall, but then you dont learn anything.

One of, if not my most preferred way to learn.

[Praetor]

i always first to a system restore before the system got infected; it's fast then to run several anti-malware solutions. If that fails then combofix solves it (with other anti-malware solutions); if it's too infected then a backup and full restore fixes for good, but that takes allot of time.