How To Successfully Remove Rombertik Malware

Posted by Dexter Nelson: Friday, May 8, 2015 (11:01 PM)

Hey everybody, I wanted to make a quick post about the dreaded Rombertik Malware that everyone is talking about.


For those that don't know what it is, it's malware that was first discovered by Cisco that basically destroys a computer's hard drive and master boot record if it is detected.


How it does this is pretty unique, and I won't go into the specifics here, however you can get all the details from SC Magazine's post here >>.


This post is to share how I was successfully able to remove it on both a Windows 7 and a Windows 8 computer, and share the results.


So, when I first heard about it, I was concerned like anyone else, but being a programmer, engineer and PC repair guy, it behooved me to learn how to safely remove it, so what I did was intentionally infect two backup computers and got to work.


I have plenty of hard drives lying around and the good news is that I only ruined one of them on my first go-round - the other two were successful.

NOTE: The software I used is listed below for download. Get them before you start following the steps. I also highly recommend that you print out this article or view it on a separate computer.


Software List:

1. CCleaner
2. Malwarebytes Anti-Malware
3. Advanced SystemCare
4. Windows Defender (See the links in Step 1)


Ready?

Here is my process.


1. I first downloaded a repair disc iso from Microsoft.

For Windows 7, you can do it here >>.
For Windows 8, you can do it here >>.


2. I used an iso burner to create a disk for both.


The one I use is called IMGBurn. It's free to use, pretty lightweight and you can download it here >>.


Now, before I walk through the process, it's important for you to understand why I failed the first time.


One of the tricks that Rombertik uses is to load itself into memory so that when you boot, even if it's safe mode/safe boot, it will load itself. If you know how to defeat that trick, removing it becomes a lot easier.


Now here's the catch...


YOU HAVE TO DO ALL OF THIS BEFORE YOU SCAN!


Rombertik will only do its thing if, during one of its automatic checks, it detects that it has been detected, so it is very important that you do the preparations before you do a full scan.


With your repair disk handy, here is the first step.


3. Change your boot option to boot from your ROM drive or Flash Drive.


You want to do this so that you can repair your master boot record just in case. Some manufacturers will customize boot options, so if you're on Windows 7 or earlier, you may have to check with your manufacturer on how to boot to your BIOS Setup Utility.


In Windows 8/8.1 you'll find that Tom's Hardware has a good guide on how to do it. Click here to read that article.


This next step is also important!!!


4. Create a bootable Windows Defender offline DVD or Flash Drive. Most effective anti-malware programs will scan for and delete known malware. Rombertik is no exception.


You can download the 32 bit or 64 bit version here >>.


So now you should have a bootable repair disk, as well as a bootable Windows Defender disk.


5. While your computer is still on, disable all startup items and scheduled tasks. This will make your next boot minimal or a safe boot. Read the next step BEFORE YOU SHUT DOWN YOUR COMPUTER.


6. BEFORE YOU TURN YOUR COMPUTER BACK ON! You'll need to wipe your memory and paging file, then do a cold boot.


Earlier I mentioned that the reason I failed the first time is because Rombertik loaded into memory, so a warm boot (essentially just a regular reboot) didn't remove that information and the virus did its damage.


Wiping the memory and paging file on shutdown, then doing a cold boot fixed that problem, and don't worry, your disabled items should remain disabled - this isn't a factory reset.


Let me explain this so that you understand.


On Windows, the Paging File (Virtual Memory Paging File) is used like a scratch pad to store information when physical memory is used up. So let's say a program is using up too much memory (RAM): Windows will move the least used information into the page file to free up your RAM.


Disabling your Page File can lead to system problems, however, it's not worse than the alternative (your hard drive and master boot record being destroyed), so we're going to disable it and delete the pagefile.sys file and re-enable it after Rombertik is gone.


*** This requires that you access your Local Security Policy - Read this tutorial to learn how to do that.
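The Local Security Policy setting behind this step is "Shutdown: Clear virtual memory pagefile", which is stored as a single registry value. As an added example (not from the original post), the PowerShell below reads and sets that value for step 6 and reverts it for step 15; it needs Windows PowerShell 3 or later and an elevated (Run as administrator) prompt, and the function names are my own.

```powershell
# Added example, not part of the original post: inspect and set the
# "Shutdown: Clear virtual memory pagefile" policy (step 6) and revert it (step 15).
# Run from an elevated PowerShell prompt.

$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-PageFileClearAtShutdown {
    # Returns $true when Windows will overwrite pagefile.sys during shutdown.
    $v = Get-ItemProperty -Path $MemMgmt -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.ClearPageFileAtShutdown -eq 1)
}

function Set-PageFileClearAtShutdown {
    param([Parameter(Mandatory)][bool]$Enabled)
    # DWORD 1 = clear at shutdown (what the Local Security Policy editor writes), 0 = default.
    Set-ItemProperty -Path $MemMgmt -Name ClearPageFileAtShutdown -Value ([int]$Enabled) -Type DWord
}

function Show-PageFileConfig {
    # Read-only view: is the page file size managed by Windows, and which file(s) are in use.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        AutomaticManagedPagefile = $cs.AutomaticManagedPagefile
        PageFilesInUse           = (Get-CimInstance -ClassName Win32_PageFileUsage | ForEach-Object { $_.Name }) -join ', '
    }
}

# Step 6: turn the policy on, then confirm it before shutting down.
Show-PageFileConfig
Set-PageFileClearAtShutdown -Enabled $true
Get-PageFileClearAtShutdown    # should now report True

# Step 15, once Rombertik is gone: put the default back.
# Set-PageFileClearAtShutdown -Enabled $false
```

Expect the shutdown in the next step to take noticeably longer than usual while the page file is overwritten; that is the policy doing its job, not a hang.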


RAM is automatically cleared at shutdown, so all that's left to do is a cold boot.


But first...


Place your bootable Windows Defender DVD into your drive!


Once you've done that, shut down your computer so that your page file is wiped. Don't reboot... shut it down.


After it's shut down, we're going to do a cold boot.

Remove all of your power sources. If you're on a laptop, this includes your battery.


Hold in the power button for 30 to 60 seconds.


THIS IS IMPORTANT - leave your computer off for 2 minutes.


Let me explain.


Most computers today use DDR3 memory - why's that important?


It's important because each cell in your physical memory retains a small charge, and that charge is what keeps data stored in your memory.


You want this data to not be there when you power back up your computer. With your computer powered off though, that charge leaks out and whatever data is stored will be gone.


Depending on your computer's age, this can take up to 45 seconds to a minute.


A cold reset will drain any remaining power left over from your shut down, and without any power sources attached, the memory in your computer won't stay charged, and any data is lost.


You'll have a completely fresh and cold boot with no previous data stored - including anything stored by Rombertik.


7. Plug back in your computer or laptop and boot to your Windows Defender DVD.


Even without a page file you should be able to boot safely from a disk and run it. Both the computers I tested on only had 4 gigs of RAM - DO A FULL SCAN!


Depending on the size of your hard drive, this can take a few hours but it's well worth it.


8. After your scan completes and you remove anything that was found (don't quarantine as Rombertik has a defense against that too), swap out your Windows Defender DVD for the repair disk.


9. Boot to the repair disk and go into safe mode/safe boot.


10. In safe mode you will want to do a clean up and malware scan.


The tools I use for this are CCleaner and Malwarebytes Anti-Malware.


CCleaner has a tool that will show you all startup items, including scheduled tasks, as well as doing a very good job of cleaning up your registry and hard drive.


As unlikely as it is if you followed the steps above, you want to check to make sure nothing has made its way back into your startup, including scheduled tasks.


Make sure they are removed and then do a clean up run.


Then do a full scan with Malwarebytes Anti-Malware.
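Steps 5 and 10 both come down to knowing exactly what is set to run at boot. As an added example (not from the original post, and not a replacement for the CCleaner view the author uses), the PowerShell below inventories the Run/RunOnce keys, the startup folders and the scheduled tasks and saves the list to a CSV, so you can take one snapshot before step 5 and another in step 10 and compare them. It needs Windows PowerShell 3 or later; it is read-only and removes nothing, and the function name and output path are my own choices.

```powershell
# Added example, not part of the original post: read-only inventory of the
# autostart locations reviewed in steps 5 and 10. Requires Windows PowerShell 3+.

function Get-AutostartInventory {
    $items = New-Object System.Collections.Generic.List[object]

    # Run / RunOnce keys for the machine and for the current user
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSParentPath, ...)
            $items.Add([pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value })
        }
    }

    # Startup folders plus whatever else Windows itself reports as a startup command.
    # Run-key entries show up here too, so some lines appear twice; that is expected.
    foreach ($s in Get-CimInstance -ClassName Win32_StartupCommand) {
        $items.Add([pscustomobject]@{ Source = $s.Location; Name = $s.Name; Command = $s.Command })
    }

    # Scheduled tasks: schtasks.exe works on Windows 7 and 8 alike
    # (Get-ScheduledTask only exists from PowerShell 4 onward).
    $tasks = schtasks /query /fo CSV /v | ConvertFrom-Csv
    foreach ($t in $tasks) {
        if ($t.TaskName -eq 'TaskName') { continue }   # /v repeats the header row per task folder
        $items.Add([pscustomobject]@{ Source = 'Scheduled task'; Name = $t.TaskName; Command = $t.'Task To Run' })
    }
    return $items
}

$inventory = Get-AutostartInventory
$inventory | Sort-Object Source, Name | Format-Table -AutoSize
# Keep a copy: name it "before" ahead of step 5 and "after" in step 10, then diff the two.
$inventory | Export-Csv -Path "$env:USERPROFILE\Desktop\autostart-before.csv" -NoTypeInformation
```

When you compare the two CSVs, anything in the "after" file that you did not put there yourself is what the author means by something making its way back into your startup.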


11. WITH THE REPAIR DISK STILL IN YOUR DRIVE reboot your computer to it, but this time you're going to enter command prompt mode. Just follow the same steps as before, but instead of safe mode, select the command prompt option.


12. When you are in the command prompt you have two commands.


a. bootrec.exe /FixMBR
b. bootrec.exe /FixBoot 


The first command will fix any corrupted MBR (which Rombertik specifically goes after).


The second command will write a new boot sector (which Rombertik also goes after).


13. After both of those are done, remove your repair disk, and reboot your computer to Windows normally.


Now, keep in mind your changes in the first steps will give you a clean boot.


At this point, check for any updates and install them, but before you reboot you want to look at your scan logs from your scans.


I took the time to make sure that there weren't a ton of files and folders that Rombertik left behind.


One of its defenses is to create hundreds of files to throw you off. It can be a daunting task, but you have to make sure that everything is gone.
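Hundreds of leftover files are easier to spot when you look at where new files have appeared rather than at the whole drive. As an added example (not from the original post), the PowerShell below lists every folder that gained at least a chosen number of files after a date you supply, with a few sample names from each; the date, the threshold and the function name are my own assumptions, so set the date to just before you believe the infection happened. It needs Windows PowerShell 3 or later and is read-only.

```powershell
# Added example, not part of the original post: find folders that gained many
# files after a given date, to spot a batch of decoy files left behind.
# $Since and $MinCount are assumptions; adjust them to your own timeline.

function Find-RecentFileBursts {
    param(
        [Parameter(Mandatory)][datetime]$Since,
        [string[]]$Roots = @("$env:SystemDrive\"),
        [int]$MinCount = 20          # only report folders with at least this many new files
    )
    Get-ChildItem -Path $Roots -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.CreationTime -ge $Since } |
        Group-Object DirectoryName |
        Where-Object { $_.Count -ge $MinCount } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Folder'; e = { $_.Name } },
                      Count,
                      @{ n = 'Sample'; e = { ($_.Group | Select-Object -First 3 -ExpandProperty Name) -join ', ' } }
}

# Constructed date for illustration: the week this post was written.
$bursts = Find-RecentFileBursts -Since (Get-Date '2015-05-01')
$bursts | Format-Table -AutoSize -Wrap
$bursts | Export-Csv -Path "$env:USERPROFILE\Desktop\recent-file-bursts.csv" -NoTypeInformation
```

Windows Update and your scanners will legitimately create bursts of their own (under the Windows folder and the scanner's own program and log folders), so read the list against what you know you ran that day rather than deleting by count alone.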


14. Two more tasks to do before you reboot.


The program I use to keep my registry clean and system optimized is IOBit's Advanced System Care (PRO version). When you open it up, uncheck Registry Defrag, Vulnerability Fix, and Disk Optimization, and run a full scan and let it fix whatever it finds.


15. Last task! Turn your pagefile back on (reverse the process in the step you used to turn it off), then go back and re-enable a normal boot (press WIN+R, enter msconfig.exe and press Enter).

Then reboot normally.


SUMMARY:


In both cases where I was successful in removing Rombertik, those were the exact steps that I took.


As I said, I failed the first time because I failed to clear the memory and I made the mistake of scanning first.


My tests were pretty specific, so I'll say this - even though this worked for me on a 7 and 8 box, it may not work for everyone, but it is worth a try.


If it worked for you, please leave a comment below and let me know.


Best of luck everyone!

--
Dexter Nelson
TechDex Development & Solutions
http://www.techdex.net

Facebook: http://www.facebook.com/dexter.nelson
Twitter: http://twitter.com/dexterwebn
