Sunday, 11 August 2013

Delta-Search removal HOWTO

I do consider myself an experienced PC user, and what I mean by that is that I should know better: when visiting popular websites which offer "free" downloads, you will get yourself infected with disgusting malware programs, or even worse with those annoying toolbars which pop up ads all the time. I can't remember what I was downloading because I don't use Windows that much, and I always browse in "safe mode". But anyway, here's a short and simple guide on how you can get rid of this shit.

1. When installed, open up Task Manager and try to kill any suspicious process (PCSpeedOptimizer, BrowserDefender, names like that). Notice that I use the word "try" :)

2. From Control Panel, remove any delta-search toolbar, PCSpeedMaximizer, or any other similar program.

3. Now, this is all browser specific; refer to your browser's instructions on how to set up the default search engine, homepage etc. If you are using Chrome, open the Settings tab, then look for "On Startup" and click "Set pages"; remove any delta-search entries. Then look for "Manage search engines" and remove any delta-search related websites.

4. Download the sdelete "secure erase" utility from Microsoft (similar to shred on Unix). Open your extraction tool with administrator ("root") privileges. That is, search for the program in the Windows menu (or press the Windows key) and look for it. I for example have WinRAR, so I look for it, then right-click and select "Run as administrator".
Extract only sdelete.exe to C:\Windows\System32; we need this file to be in this directory because it is one of the places the "PATH" environment variable points to when Windows looks for executable files. Anyway, if this doesn't make any sense to you, skip to step 5.

5. Extract SDelete.zip with WinRAR (or whatever you have) to any directory you want (My Music, Downloads, My Secret Porn Stash), whatever.

6. Reboot your PC, and during Windows boot-up press F8 to enter Safe Mode. Select "Safe Mode with Command Prompt". We don't need any GUI or networking.

7. Now you will be presented with a command prompt; we will need only a few basic commands such as "dir", "move", "cd", "rd". If you have any problems, type "help" and you will be presented with a list of commands and explanations.

8. If you have done step 4, type "sdelete" and you should see usage information and syntax. If not, navigate to the directory where you have saved sdelete.exe and execute: "move sdelete.exe C:\Windows\System32"
Now basically remove any files and directories which were created by this malware. I have found the following directories used by this malware:

C:\Program Data\BrowserDefender\
C:\Program Files\PC Speed Maximizer\
C:\Program Files\Smart Driver Updater\

(I'm not a malware expert, but you can guess that these programs create additional files in /temp or any other directory; nonetheless, removing the files in these directories seems to fix the problem.)

Navigate to C:\Program Data\BrowserDefender by executing "cd C:\Program Data\BrowserDefender".
I know that for those of you who have not used the command prompt and are not used to working without a GUI, this may take a long time, but trust me, it is worth the effort, so you will have to type everything by hand. Now simply use sdelete to remove any file. For example: "sdelete.exe -p 50 DE105.tmp". The "-p" switch specifies the number of passes when overwriting the file (you can type any number you want, but the higher the better, just to be sure). You can think of this as ultimate fucking annihilation of a file.

9. Done removing files? Okay, type "regedit"; this will bring up the Windows Registry Editor. These malware programs create many registry entries, so the easiest way is to search for them. Click on "Computer" (My Computer), then Ctrl+F or Edit > Find. Now search for entries which are named (or contain the strings) "delta-search", "Pc Speed", "Smart Driver". I also found an entry named "BabylonSolutions"; remove that as well. When done, press F5.
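Steps 8 and 9 can also be done in one go from PowerShell, which is available in "Safe Mode with Command Prompt" by typing "powershell". The script below is an added example, not part of the original post: it walks the directories named above and the search strings from step 9, reports every matching file and registry key, and only deletes when run with -Remove. It assumes sdelete.exe is reachable via PATH (step 4) or sits in the current directory; the directory list uses the spellings from the post plus the same folder names under the machine's real ProgramData and Program Files locations (my assumption, since the post's "C:\Program Data" has a space while Windows 7 uses C:\ProgramData). Note that the number of overwrite passes only affects whether the deleted bytes can be recovered later; the malware is just as gone with one pass as with fifty.

```powershell
# Added example (not from the original post): PowerShell version of steps 8-9.
# Run from an elevated prompt. Without -Remove the script only reports.
param(
    [int]$Passes = 50,    # overwrite passes handed to "sdelete -p", as in the post
    [switch]$Remove       # actually delete; default is report-only
)

# Directories named in the post (spelled as there) plus the same folder names
# under the real ProgramData / Program Files locations (assumed variants).
$candidateDirs = @(
    'C:\Program Data\BrowserDefender',
    'C:\Program Files\PC Speed Maximizer',
    'C:\Program Files\Smart Driver Updater',
    (Join-Path $env:ProgramData  'BrowserDefender'),
    (Join-Path $env:ProgramFiles 'PC Speed Maximizer'),
    (Join-Path $env:ProgramFiles 'Smart Driver Updater')
) | Select-Object -Unique

# Strings the post found in registry key and value names.
$patterns = @('delta-search', 'Pc Speed', 'Smart Driver', 'BabylonSolutions')

function Remove-MalwareDir([string]$Dir) {
    if (-not (Test-Path -LiteralPath $Dir)) { return }
    # Enumerate files first (PowerShell 2.0 on Windows 7 has no -File switch).
    $files = Get-ChildItem -LiteralPath $Dir -Recurse -Force -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer }
    foreach ($f in $files) {
        Write-Output "FILE: $($f.FullName)"
        if ($Remove) { & sdelete.exe -p $Passes "$($f.FullName)" | Out-Null }
    }
    # sdelete leaves the now-empty directory tree behind; drop it like "rd /s".
    if ($Remove) { Remove-Item -LiteralPath $Dir -Recurse -Force -ErrorAction SilentlyContinue }
}

function Find-MalwareRegistryKeys([string[]]$Roots) {
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            $hit = $false
            foreach ($p in $patterns) {
                # Match on the key name, on value names, and on value data.
                if ($key.PSChildName -like "*$p*") { $hit = $true; break }
                foreach ($name in $key.GetValueNames()) {
                    $data = [string]$key.GetValue($name)
                    if ($name -like "*$p*" -or $data -like "*$p*") { $hit = $true; break }
                }
                if ($hit) { break }
            }
            if ($hit) {
                Write-Output "REGISTRY: $($key.Name)"
                if ($Remove) {
                    Remove-Item -Path $key.PSPath -Recurse -Force -ErrorAction SilentlyContinue
                }
            }
        }
    }
}

foreach ($d in $candidateDirs) { Remove-MalwareDir $d }
# Per-user software keys first (that is where browser/toolbar settings live),
# then the machine-wide software hive.
Find-MalwareRegistryKeys @('HKCU:\Software', 'HKLM:\SOFTWARE')
```

Run it once without -Remove and read the list: a key is reported when any of its value data contains one of the strings, so an unrelated key (for example a recent-files list mentioning "PC Speed") can show up too. Only after the report looks right run it again with -Remove, which is the same thing the manual regedit search does, just without the retyping.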

10. If you have removed all files and registry entries, you should now have gotten rid of this malware. To exit Safe Mode, press Ctrl+Alt+Delete and reboot.

If this malware still persists, open Task Manager, right-click on any suspicious process, and choose "Open File Location"; this will show the files used by this process. Enter Safe Mode and remove those files with sdelete.
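Doing "Open File Location" for every suspicious process one at a time is tedious; the added example below (mine, not from the original post) lists all of them at once from a normal-mode PowerShell prompt, before rebooting into Safe Mode. It matches the process names the post mentions against the image name, executable path and command line via Win32_Process, which exposes those fields and works on the PowerShell 2.0 that ships with Windows 7, and writes the result to a text file on the desktop (an assumed location) so the paths survive the reboot.

```powershell
# Added example (not from the original post): the PowerShell equivalent of
# Task Manager -> "Open File Location" for every suspicious process at once.
# Process names/strings are the ones mentioned in the post.
$patterns = @('delta-search', 'PCSpeedOptimizer', 'PC Speed', 'BrowserDefender',
              'Smart Driver', 'BabylonSolutions')

function Get-SuspiciousProcesses {
    Get-WmiObject -Class Win32_Process | Where-Object {
        # Look at name, full image path and command line together.
        $text = "$($_.Name) $($_.ExecutablePath) $($_.CommandLine)"
        $match = $false
        foreach ($p in $patterns) { if ($text -like "*$p*") { $match = $true } }
        $match
    } | Select-Object ProcessId, ParentProcessId, Name, ExecutablePath
}

# Print the table and keep a copy on the desktop (assumed path) so the paths
# are still at hand after rebooting into Safe Mode to run sdelete on them.
Get-SuspiciousProcesses | Format-Table -AutoSize | Out-String -Width 200 |
    Tee-Object -FilePath "$env:USERPROFILE\Desktop\suspicious-processes.txt"
```

ParentProcessId is included on purpose: if the parent is something other than explorer.exe or services.exe, that parent's path is worth a look as well, because it is what will restart the process after you kill it (the reason step 1 says "try").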

P.S. I know that this guide may seem a little more difficult than what you expect, rather than simply downloading some "malware removal tool" and letting it go. But trust me, don't install malware to remove other malware. Don't trust any "PC Speed Optimizer", "PC Booster" or any other bullshit you find; these programs are no better than malware.

Anyway, let me know if this guide helped or if you have any questions regarding this solution. I just got this removed a few hours ago on Win 7, so I thought maybe other people would find this useful, or at least I would have something to post on my blog, which hasn't been used in a while...