A Detailed Malware Removal Guide

Printable View

August 9th, 2008, 01:07 AM
CyberB0b

A Detailed Malware Removal Guide

Hi everyone! I wanted to contribute to the forum and thought this might be of use to many of the people who are having trouble removing malware from their computers. This is pretty much "Nuke 'em All" approach that I use to clean out heavily infected systems. I usually do this first then check for anything that may have been left behind. It's much easier to clean out the mass of infections than to pull them out one issue at a time (and most infections aren't noticeable if they're created properly). I currently work in PC repair and this procedure works for me in all but the very worst cases (I would say all but a few times in the last year of virus removals. Much of that may be due to the fact that I hadn't been aware of all these progams and didn't have a proper procedure down). If anyone has anything to add, feel free to post corrections and recommendations.

*SOFTWARE*

These are the recommended programs for this procedure (these are all free programs):
(I will post links later but most of these can be found on www.Download.com, www.Bleepingcomputer.com, and www.majorgeeks.com)

Combofix
Smitfraud Fix
SDFix
AVG
Spybot
Super Antispyware (www.superantispyware.com)
Rogue Remover
CCleaner
WinsockXP Fix
Dial-a-Fix
Subinacl.msi

Optional software:
Norton Removal Tool
McAfee Removal Tool
#Note: If you are using these programs, I recommend removing them because the settings sometimes end up getting messed up by the malware or removal of malware and end up blocking internet access and/or updates for the other software we are installing.

*Step 1 - First Things First*

If possible go into normal Windows mode and follow these steps:

1. Put all the programs listed at the beginning of the tutorial on the desktop.
a. If possible install AVG, Spybot, Super Antispyware, SDFix, Rogue Remover, and CCleaner. (AVG and Super Antispyware need to be installed in Normal Windows Mode.)
b. If you cannot install these programs yet, wait until Step 2.

2. Turn off system restore
a. Right click on "My Computer"
b. Select "Properties"
c. Select "System Restore" tab
d. Check the "Turn off system restore" box

3. Disable Services and Startup programs
a. Open msconfig ( Start>Run>Msconfig )
b. Click the "Services" tab
c. Check the "Hide Microsoft Services" box.
d. Click the "Disable all Button"
e. Click the "Startup" tab
f. Click the "Disable All" button
g. Click "Ok"
h. Allow msconfig to restart the computer.

*Step 2 - Safe Mode (Removing the worst of it)*

1. Go into Windows "Safe Mode with Networking" (Press F8 after the BIOS screen during startup)

2. Disable "System Restore" as you did in Step 1. (For some reason disabling this in Normal Mode does not always disable in Safe Mode. Not sure if it matters but I do it anyway.)

3. If you were unable to install Spybot, SDFix, Rogue Remover, and CCleaner in Normal Mode, install them now if possible.

4. Run Smitfraud Fix
a. Select option 2
b. You can allow it to clean the registry if you want but we will do that later anyway.

5. Run Combofix
a. Be careful not to click inside the window while combofix is working as it may freeze the system.
b. If Combofix reboots the system, go back into Safe Mode after the reboot.

6. Run SDFix
a. SDFix install by default to C:\SDFix
b. Click on the "RunThis.bat" file
c. When SDFix reboots the system, allow the PC to boot into Normal Mode and finish its cleaning.

*Step 3 - Normal Mode/Safe Mode (Removing the rest of it)*

#Note: These scans may be run in Safe Mode if there are problems running them in normal mode. I would recommend running them in Safe Mode if possible.

#Note: If you do not have internet access at this point go to Step 4 (3,4,5,6). If this doesn't solve the problem, run the scans you can and you may remove the malware blocking access. After you have access run the updates on all the software and rescan the PC.

#OPTIONAL: Run McAfee or Norton Removal Tools. This will allow AVG to run properly as well as keep these programs from blocking internet connectivity.

1. If you were unable to install any of the software earlier try again now.
#Note: If AVG still has trouble installing go to Step 4 (1) and reset the registry permissions first then proceed from here.

2. Run CCleaner (this will remove junk files so the virus scans will be shorter as well as remove some virus programs hiding in the temp folders.
a. Select the "Prefetch Data" box in addition to the boxes checked by default (malware hides there sometimes).
b. Click "Run Cleaner" button.

3. Run Rogue Remover (this program only checks for specific malware and runs in seconds so I run it first)

4. Run AVG, Super Antispyware, and Spybot (in any order or multiple at once if your PC can handle it.

5. If you have internet access run some reputable online scans such as Housecall (http://housecall.trendmicro.com/), Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner), and Panda Activescan (http://www.pandasecurity.com/switzer...ns/activescan/)

*Step 4 - Repairing the damage done (Malware removal has the tendancy to leave behind broken links and changed settings. This should repair most of the damage)*

1. Reset the registry permissions
a. Run "Subinacl.msi"
b. Create a text document called "Reset.txt" in notepad.
C. Paste the following into the text file:

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=system=f

d. Save and rename the file to "Reset.cmd" (If you cannot change the extension to ".cmd", go to "Folder Options" in the Control Panel or in the "View" menu in any Explorer window and select the "View" tab. Uncheck the "Hide extensions for known file types" box.)
e. Put this file in the same directory that "Subinacl.msi" installed to.
f. Click on the "Reset.cmd" file.

2. Clean the registry (this should get rid of popups during startup that indicate missing files such as .dll files)
a. Run CCleaner
b. Select the registry icon on the right side
c. Scan for and fix issues
#Note: CCleaner is not the best registry cleaner but it is free and already installed. Feel free to use any legitimate registry cleaner.

3. Repair Windows Update
a. Run Dial-a-Fix and select all the check boxes.
b. Run the program

4. Run Winsock XP fix to reset the Winsock and Hosts file settings

5. Check proxy settings (To make sure malware didn't set routing through a proxy)
a. Go to Start>Control Panel>Internet Options>Connections tab
b. Click the "LAN Settings" button
c. Uncheck the box in the "Proxy Server" section or change the proxy settings to the proxy you normally use.

6. Check your DNS
a. Go to Start>Connect To>Show all connections (or Start>Control Panel>Network Connections)
b. Right click on the network adapter you use for internet access
c. Select "Properties"
d. Select "Internet Protocol (TCP/IP)"
e. Click the "Properties" button
f. Make sure the DNS server IP address is the same as provided by your ISP or is set to automatic. (I prefer using OpenDNS servers [208.67.220.220 and 208.67.222.222] because they are usually more secure than the ISP DNS servers)

This should solve most infections. Other anti-virus/anti-spyware software can be used in addition to these free solutions but those I posted have worked very well for me. If you still think there may be junk on your system, I recommend installing free trials of reputable paid software such as Eset's NOD32, Kaspersky, and eEye's Blink and scanning with each (You can only properly use one anti-virus program at a time so uninstall each before you install a new one).

That's about it. I hope this is helpful. Let me know if I have something wrong or am missing anything.
August 9th, 2008, 03:10 AM
keezel

Before I say anything critical about your post, I'd like to thank you for adding content to the forum and I'd like to be the first to encourage you to continue. :) If you wouldn't mind, I'd like to add my opinion to one or two points.

Quote:

Originally Posted by CyberB0b

*SOFTWARE*

These are the recommended programs for this procedure (these are all free programs):
(I will post links later but most of these can be found on www.Download.com, www.Bleepingcomputer.com, and www.majorgeeks.com)

Combofix
Smitfraud Fix
SDFix
AVG
Spybot
Super Antispyware (www.superantispyware.com)
Rogue Remover
CCleaner
WinsockXP Fix
Dial-a-Fix
Subinacl.msi

Optional software:
Norton Removal Tool
McAfee Removal Tool
#Note: If you are using these programs, I recommend removing them because the settings sometimes end up getting messed up by the malware or removal of malware and end up blocking internet access and/or updates for the other software we are installing.

If you're truly going for a "nuke 'em all" approach, I'd add multiple other antivirus and antispyware programs. I use appx. 10-12 antivirus/antispyware programs from boot CD that "borrows" space at the end of the partition to download definitions, then proceeds to scan outside of Windows entirely. (Safe mode is of course the next best option, and system restore points would need to be disabled in any case as you noted). This allows the programs the maximum possible freedom to remove all infected files. I recommend running that many programs simply because every single one finds something the others did not. Afterwards I also like to run HijackThis to manually clean up any obvious viral code (anything that looks really official but has randomly generated characters at the end, such as system32.dll.adsklno72). You may also wish to check C: or the Program Files folder for folders with names that contain randomly generated characters. Ctrl+C (copy) the name of the folder, delete it, then open up regedit and scan the registry for other entries by the same name. Delete each one until you've gone through the entire registry. I commend you for adding in Windows fixes for cleaning up the mess left in the aftermath! Most people forget that part.

Kudos to you sir.
August 9th, 2008, 03:45 AM
CyberB0b

Thanks keezle. I did mention at the end using other virus removal programs. I kind of wrote this for people without the knowledge or ability (their machine is infected) to create a boot CD with AV programs (like creating a BartPE ISO). I agree that I should have put in HijackThis, explaining researching unfamiliar files and doing a visual scan of unfamiliar programs. I usually use these procedures after everything else is done as a final go-over and if things still aren't working right. Rootkit removal with F-Secure, Rootkit Revealer and others is something else I didn't mention. I will append this tutorial with your input when I have a minute to write it all up.

Thanks again.
August 9th, 2008, 11:29 AM
nihil

Well, that seems pretty comprehensive but I find it interesting that I go about it in a different sequence.

The first thing I run is CCleaner to get rid of useless files and some malware.

Then:

1. Spybot , A-Squared and Ad-Aware.

http://www.emsisoft.com/en/software/free/

2. Traditional AV

3. Specialist removal tools

But, if the machine has been compromised (owned) then it is reformat and reinstall. After all, every user has backed up their personal data and used nLite or vLite to create the latest slipstreamed version of their OS; haven't they? :D

EDIT:

OK, perhaps I should explain. My sequence tends to reflect the type of problems I usually encounter in my particular location and environment.

If I come across something that I recognise as spy/adware that needs a specific removal tool I will go after that first.

Most of the stuff I encounter is pretty mundane adware/spyware and the more specialist tools for these annoyances seem to do a more comprehensive job than mainstream AVs (I mean the three in #1)

I notice that HijackThis! has been mentioned? For the non-technical I would recommend using this site:

http://www.hijackthis.de/

Just copy and paste the log and they will analyse it for you. For the "unknowns" you need to Google them. If that shows nothing, then find the file, and submit it to these:

http://virusscan.jotti.org/
http://www.virustotal.com/

If those don't work, then your malware author is "ahead of the game".
August 12th, 2008, 05:28 PM
Cider

Thank you for your contribution.

Take this into account for my part.

I get calls like this all day however I am NOT allowed to use third party programs as you described above and only use the AV companys program that I work for.

Its kind of sad that I cannot point clients in the right direction because of politics.
August 13th, 2008, 02:42 AM
C:\Saw

Perhaps you could casually mention this site? ;)
August 13th, 2008, 05:12 AM
moxquito

One tool I didn't see meantioned is called RegCleaner, I find it a very usefull program it can be found at the link below, it is an older program and the newest version I've unfortunately been unable to get to work in Vista, It condenses things from the registry in a nice easy to read fashion with assocaited programs and even will give you the location of all keys associated with the entry. Another nice feature is that it has an Add/Remove programs tab that will display EVERYTHING even the stuff that windows will not display in its Add/Remove Programs utility. It also has a Startup tab and when you remove things from the startup (msconfig) it doens't require a reboot and doesn't give you that retarded warning message after you do reboot :).

http://www.worldstart.com/weekly-dow...cleaner4.3.htm

also with using SmitFraudfix, I've found that AV programs go nuts when this program is ran, so its best to disable them before running it.

also I do see a few programs I've never heard of or used, so thanks for them I will definately be giving them a try on my next broke @55 computer I get to fix :).
August 13th, 2008, 10:06 AM
nihil

Quote:

I get calls like this all day however I am NOT allowed to use third party programs as you described above and only use the AV companys program that I work for.

You should be able to use HijackThis! remember that it shows questionable stuff that may or may not be malware. Typical AV products ignore these.

The two virus lookup sites should be OK as well, as Panda supports them both.

Also, some malware requires specialist tools like combofix and smitfraudfix.

CCleaner and RegCleaner should also be OK as they are really just housekeeping tools.
August 13th, 2008, 10:23 AM
Cider

Nihil - Hijack this is now part of Trend Micro, you are not allowed to use it.

...
August 13th, 2008, 11:39 AM
Und3ertak3r

Quote:

Originally Posted by Cider

Nihil - Hijack this is now part of Trend Micro, you are not allowed to use it.

...

since when? I downloaded v2.02 from Download.com tonight.. and not forgetting Trend micro them selves.. http://www.trendsecure.com/portal/en...kthis/download you can still d/l 1.99 from several sources... the Analyser sites are still supported.. So I think it is still a a valid tool... IF YOU KNOW WHAT YOUR LOOKING AT..
August 13th, 2008, 11:55 AM
Cider

Yes I know it is a valid tool but I suppose from managements perspective is that, how can I ask for a Hijackthis log. The customer will see trend and would say to himself, why dont I jsut buy Trend?
August 13th, 2008, 12:46 PM
nihil

@ moxquito

This one is supposed to work with Vista:

http://www.pcworld.com/downloads/fil...scription.html

I have only used it with Win 2000 myself.
August 14th, 2008, 12:05 AM
Und3ertak3r

Quote:

Originally Posted by Cider

Yes I know it is a valid tool but I suppose from managements perspective is that, how can I ask for a Hijackthis log. The customer will see trend and would say to himself, why dont I jsut buy Trend?

Hmm.. well looks like management needs to look at it's marketing approach..
but then HJT is not a tool to leave in the hands of any user.. they have a bad habit of thinking everything HJT lists is bad.. and they remove it.. thinking that they know more than you...
August 14th, 2008, 09:25 AM
nihil

Quote:

The customer will see Trend and would say to himself, why don't I just buy Trend?

Errrr,

1. Trend don't sell HJT
2. Trend don't ship HJT with their products.
3. Trend don't support HJT.
4. HJT doesn't interface with any Trend products.

Having said that, I don't think that tier 1 helpdesk for an AV product should be messing around at that level of detail, and certainly not encouraging customers to run something as dangerous as HJT unsupervised. You really don't have the time for that?
August 14th, 2008, 09:44 AM
Cider

Well even after all those comments, we have a number of malware cases pending at the moment and now one of the 3rd level technichans has asked for a HJT log.

One person says no cant use it, the other asks for it?

lol!
August 14th, 2008, 12:05 PM
nihil

Cider,

This is a difficult one to call. On the one hand if there is new malware out there you want to find out about it. On the other hand the customer will probably not be too impressed that your product didn't detect/prevent it.

You have to consider the legal angle here? If you go to a site and it secretly loads some adware/spyware crap on your machine then you would detect that and offer to remove it (or just block it). However, there is still a fair amount of crapware that comes bundled with some P2P, application, or fancy screensaver. You have logged on as administrator and installed that without reading the small print. Even getting caught by loading warez may go undetected, unless it is known malware like a backdoor or trojan.

You do need to be very sure of your ground before branding some of this stuff "malware"

Most modern security suites have the option to scan for "potentially unwanted programs", "warnings" or whatever, but this seems to be turned off by default? perhaps your first move should be to advise the customer to turn it on, update, then do a full scan after rebooting into safe mode.

I suspect that you have something of a local problem over there in SA? given that your bandwidth is severely restricted.............. people will be less inclined to patch their OS and applications if they still seem to be working OK? Now, where you have an exploit using a vulnerability, you cannot really expect your security suite to spot that, as the vulnerability is a part of how the software is apparently supposed to work.

Quote:

One person says no can't use it, the other asks for it?

Which one is the more technically competent? :D
August 14th, 2008, 02:08 PM
Cider

That is exactly right Nihil - People dont patch their OS because they will use there monthly cap up. I know witht he blaster or sasser (the one which shutsdown) can be stopped by patching windows.

Try explain that to a customer :)

I am getting alot of this Windows antivirus 2008/9 with clients. I cant give them spybot but it always lands up as they installed another AV and it detected it, no problem.

I used Spybot on the machine here in the office and it cleaned and fixed it ...
August 14th, 2008, 03:27 PM
nihil

Hmmmm,

I am told that Windows Defender will do the job. Haven't tried it yet as I haven't managed to obtain a copy of the scumware :( Normally I would describe it as "scareware" but this one has deliberate or inadvertent flaws in it that could result in your machine being owned. Trojan behaviour in my book.

http://www.microsoft.com/windows/pro...r/default.mspx

I would suggest you use the following script (once you are happy that it is Antivirus XP or Antivirus 2008):

"I am terribly sorry to hear about that Sir/Madam, and can tell you that Microsoft are aware of the problem. They have issued a free solution and will doubtless issue a patch for their operating systems in due course......... you do keep your operating system up to date don't you?" :lildevil: Then just send them to the link above.

You had better get clearance, and do not suggest it to someone running Windows 2000 (WD doesn't support it) or XP before SP2.

Do point out that security suites cannot distinguish some sorts of attack because they are operating system or application related, and cannot be distinguished from legitimate activity. ;)
August 15th, 2008, 12:45 AM
Und3ertak3r

Quote:

Originally Posted by Cider

That is exactly right Nihil - People dont patch their OS because they will use there monthly cap up. I know witht he blaster or sasser (the one which shutsdown) can be stopped by patching windows.

...

HOLY CRAP...

Sasser and MSBLASTER patches were part of SP2..(RPC and DCOM services) I thought many AV's didnt work with Pre SP2 now?

beside I have almost forgotten the last Blaster/Sasser infection I had seen..

If peop[le are concerned of their ISP caps.. then.. why not get the SP's on CD from MS.. or cheaper.. sometime PC Mags carry the officila MS SP CD on their cover...

The Idea of a any retailer, whatever it is, is to offer the client solutions..
Q: "hey i need a hole in the wall" -- A:"I will sell you a drill"

in this case if the client isn't running a patched system you can not sell them the full solution... it is like selling a parachute with only half the nylon sheeting..
YOU HAVE TO OFFER THE FULL SOLUTION..
If your company is selling and supporting a product.. you want the product look the best.. so if it means finding a way of providing the MS patches to provide minimum protection then so be it..

sort of shoots many AV providers in the foot.. not checking for basic level of patching.. bit like a car without a fuel gauge..

I spent part of this week training a group of salespeople ..not in sales but PC use.. biggest problem.. they would click on EVERY SINGLE POP UP and READ EVERY SINGLE EMAIL OPENING EVERY ATTACHMENT.. while we were locking down their local mail and blocking many questionable sites.. we didn't want to block Webmail.. so we had to train them .. was it easy? NO these guys are salesmen.. the dumbest of the dumb.

My point.. the biggest vulnerability was, is, and will continue to be.. the USER
August 15th, 2008, 08:39 AM
Cider

True True

I will look into maybe sending out say SP2 + SP3 with our software. Im not usre of the legal implications though.
August 15th, 2008, 11:07 AM
nihil

Yes, you need to have Microsoft's permission, but, as Undies~ suggested, you can generally get the official SPs on computer magazine cover CDs, which have Microsoft's blessing.

Also bear in mind that your customers really need to keep up with all the OS and application patches.

Quote:

Sasser and MSBLASTER patches were part of SP2..(RPC and DCOM services) I thought many AV's didnt work with Pre SP2 now?

Yes they do................. remember a fair number of outfits are still running Windows 2000 and the AVs install and update on those machines as well. If anything, I would have thought that it was the other way around?

New AV will work with old SP, but old AV may not work with new SP......... something to do with what method the security product uses to hook the kernel?

Incidentally, in another thread I mentioned the "Race to Zero" competition at BlackHat 16. This was where you had to obfuscate old malware and get it past the latest versions of AVs.

One team got all 10 out of 10 and the malware list included "Stoned" (a 20 year old DOS boot sector virus) and Sasser. So, if you were not patched, it would get you :eek:

Maybe I should dig out my copy of "stoned".......... trouble is I only have my collection of that era on 5.25" :D