A Detailed Malware Removal Guide
Hi everyone! I wanted to contribute to the forum and thought this might be of use to many of the people who are having trouble removing malware from their computers. This is pretty much the "Nuke 'em All" approach that I use to clean out heavily infected systems. I usually do this first, then check for anything that may have been left behind. It's much easier to clean out the mass of infections than to pull them out one issue at a time (and most infections aren't noticeable if they're created properly). I currently work in PC repair and this procedure works for me in all but the very worst cases (I would say all but a few times in the last year of virus removals; much of that may be due to the fact that I hadn't been aware of all these programs and didn't have a proper procedure down). If anyone has anything to add, feel free to post corrections and recommendations.
*SOFTWARE*
These are the recommended programs for this procedure (these are all free programs):
(I will post links later but most of these can be found on www.Download.com, www.Bleepingcomputer.com, and www.majorgeeks.com)
Combofix
Smitfraud Fix
SDFix
AVG
Spybot
Super Antispyware (www.superantispyware.com)
Rogue Remover
CCleaner
WinsockXP Fix
Dial-a-Fix
Subinacl.msi
Optional software:
Norton Removal Tool
McAfee Removal Tool
#Note: If Norton or McAfee is installed on the PC, I recommend removing it with the vendor's removal tool. Their settings sometimes get corrupted by the malware or by the cleanup itself, and the half-broken product then blocks internet access and/or updates for the other software we are installing.
*Step 1 - First Things First*
If possible go into normal Windows mode and follow these steps:
1. Put all the programs listed at the beginning of the tutorial on the desktop.
a. If possible install AVG, Spybot, Super Antispyware, SDFix, Rogue Remover, and CCleaner. (AVG and Super Antispyware need to be installed in Normal Windows Mode.)
b. If you cannot install these programs yet, wait until Step 2.
2. Turn off system restore
a. Right click on "My Computer"
b. Select "Properties"
c. Select "System Restore" tab
d. Check the "Turn off system restore" box
3. Disable Services and Startup programs
a. Open msconfig ( Start>Run>Msconfig )
b. Click the "Services" tab
c. Check the "Hide All Microsoft Services" box (so the Windows services stay enabled).
d. Click the "Disable all Button"
e. Click the "Startup" tab
f. Click the "Disable All" button
g. Click "Ok"
h. Allow msconfig to restart the computer.
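What the Startup tab in msconfig is toggling are the Run keys in the registry, and it is worth looking at what was in them before you blanket-disable everything. As an added example (not part of the original post), the following Python script parses a .reg export of those keys, in the format reg.exe writes on XP, and flags entries that run from places legitimate startup programs rarely live (temp folders, the user profile, the Fonts folder, the Recycle Bin) or that borrow a core Windows process name outside system32. The rules, the value names and the sample export are constructed for this example; on a real box run reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" hklm-run.reg (and the HKCU equivalent), open the file with encoding="utf-16" and pass the text to triage().

```python
r"""Triage of exported Run keys (added example, not from the original post).

On the XP box: reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" hklm-run.reg
then open(path, encoding="utf-16").read() and pass the text to triage().
The rules below are this example's own and deliberately blunt: they look at
where a program runs from, not at what it is.
"""
import re

# (needle in the lower-cased path, reason); constructed for this example.
LOCATION_RULES = (
    ("\\temp\\", "runs from a temp directory"),
    ("%temp%", "runs from a temp directory"),
    ("\\documents and settings\\", "runs from a user profile directory"),
    ("%appdata%", "runs from a user profile directory"),
    ("\\recycler\\", "runs from the Recycle Bin"),
    ("\\windows\\fonts\\", "runs from the Fonts folder"),
)
# Core Windows process names that legitimately live only in system32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "smss.exe", "services.exe", "ctfmon.exe"}
EXEC_RE = re.compile(r"(.*?\.(?:exe|dll|com|scr|pif|bat|cmd|vbs|js))\b", re.I)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def _logical_lines(text):
    """Join .reg continuation lines (trailing backslash) into one line."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""

def _decode(data):
    """String for a REG_SZ ("...") or REG_EXPAND_SZ (hex(2):...) value, else None."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    if data.lower().startswith("hex(2):"):          # UTF-16LE bytes, NUL-terminated
        raw = bytes.fromhex("".join(data[7:].split(",")))
        return raw.decode("utf-16-le").rstrip("\0")
    return None

def parse_reg_export(text):
    """Yield (key, value_name, command) for every string value in the export."""
    key = None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        cmd = _decode(m.group(2)) if m and key else None
        if cmd is not None:
            yield key, m.group(1) or "(Default)", cmd

def command_path(cmd):
    """First executable on a command line: the quoted path, or up to the extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXEC_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]

def loaded_module(cmd):
    """The file that really runs; for rundll32 that is the DLL in its first argument."""
    path = command_path(cmd)
    if path.rsplit("\\", 1)[-1].lower() != "rundll32.exe":
        return path
    rest = cmd[cmd.find(path) + len(path):]
    rest = rest[1:] if rest.startswith('"') else rest   # closing quote of the path
    return command_path(rest.split(",")[0])

def reasons_for(path):
    """Reasons (possibly none) why this module path deserves a second look."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    hits = [why for needle, why in LOCATION_RULES if needle in p]
    if name in SYSTEM_NAMES and "\\system32\\" not in p:
        hits.append("system process name outside system32")
    return hits

def triage(text):
    """Return [(key, value_name, module_path, [reasons])] for flagged entries."""
    out = []
    for key, name, cmd in parse_reg_export(text):
        module = loaded_module(cmd)
        why = reasons_for(module)
        if why:
            out.append((key, name, module, why))
    return out

# Constructed sample in the format reg.exe writes; not a real capture.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"svchost"="C:\\WINDOWS\\Fonts\\svchost.exe"
"ctfmon32"="rundll32.exe \"C:\\Documents and Settings\\Owner\\Application Data\\wmwgt\\wmwgt.dll\",DllRegisterServer"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,\
  61,00,2e,00,65,00,78,00,65,00,00,00
'''
```

Running triage(SAMPLE_EXPORT) flags three of the five entries: the fake svchost in the Fonts folder, the rundll32 entry whose DLL sits under Application Data, and the REG_EXPAND_SZ "Updater" that resolves to %TEMP%\a.exe. The SoundMAX tray program and the real ctfmon.exe in system32 pass. Treat the output as a to-do list for the scanners, not a verdict; a clean-looking path is exactly what a well-made infection shows you.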
*Step 2 - Safe Mode (Removing the worst of it)*
1. Go into Windows "Safe Mode with Networking" (Press F8 after the BIOS screen during startup)
2. Disable "System Restore" as you did in Step 1. (For some reason disabling this in Normal Mode does not always disable in Safe Mode. Not sure if it matters but I do it anyway.)
3. If you were unable to install Spybot, SDFix, Rogue Remover, and CCleaner in Normal Mode, install them now if possible.
4. Run Smitfraud Fix
a. Select option 2
b. You can allow it to clean the registry if you want but we will do that later anyway.
5. Run Combofix
a. Be careful not to click inside the window while combofix is working as it may freeze the system.
b. If Combofix reboots the system, go back into Safe Mode after the reboot.
6. Run SDFix
a. SDFix installs by default to C:\SDFix
b. Click on the "RunThis.bat" file
c. When SDFix reboots the system, allow the PC to boot into Normal Mode and finish its cleaning.
*Step 3 - Normal Mode/Safe Mode (Removing the rest of it)*
#Note: These scans may be run in Safe Mode if there are problems running them in normal mode. I would recommend running them in Safe Mode if possible.
#Note: If you do not have internet access at this point, jump ahead to Step 4 and do items 3, 4, 5 and 6 (Windows Update repair, Winsock/Hosts reset, proxy and DNS checks), then come back here. If that doesn't restore access, run whichever scans you can; they may remove the malware that is blocking access. Once you have access, update all the software and rescan the PC.
#OPTIONAL: Run McAfee or Norton Removal Tools. This will allow AVG to run properly as well as keep these programs from blocking internet connectivity.
1. If you were unable to install any of the software earlier try again now.
#Note: If AVG still has trouble installing, go to Step 4, item 1, reset the registry permissions first, and then proceed from here.
2. Run CCleaner (this removes junk files so the virus scans are shorter, and it also removes some malware hiding in the temp folders).
a. Select the "Prefetch Data" box in addition to the boxes checked by default (malware hides there sometimes).
b. Click "Run Cleaner" button.
3. Run Rogue Remover (this program only checks for specific malware and runs in seconds so I run it first)
4. Run AVG, Super Antispyware, and Spybot (in any order, or several at once if your PC can handle it). If you have internet access, update each one's definitions before scanning; an out-of-date scanner will walk right past current malware.
5. If you have internet access run some reputable online scans such as Housecall (http://housecall.trendmicro.com/), Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner), and Panda Activescan (http://www.pandasecurity.com/switzer...ns/activescan/)
*Step 4 - Repairing the damage done (Malware removal has a tendency to leave behind broken links and changed settings. This should repair most of the damage)*
1. Reset the registry permissions
a. Run "Subinacl.msi"
b. Create a text document called "Reset.txt" in notepad.
c. Paste the following into the text file:
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=system=f
d. Save and rename the file to "Reset.cmd" (If you cannot change the extension to ".cmd", go to "Folder Options" in the Control Panel or in the "View" menu in any Explorer window and select the "View" tab. Uncheck the "Hide extensions for known file types" box.)
e. Put this file in the same directory that "Subinacl.msi" installed to.
f. Run "Reset.cmd" (double-click it, or run it from a command prompt if you want to watch the output; it takes a while on a full drive). Be aware of what it does: it grants Full Control to Administrators and SYSTEM on every registry key and every file on the system drive. It puts back permissions that malware stripped; it does not remove any extra permissions malware may have granted, so it is a repair step, not a cleanup step.
2. Clean the registry (this should get rid of popups during startup that indicate missing files such as .dll files)
a. Run CCleaner
b. Select the registry icon on the right side
c. Scan for and fix issues
#Note: CCleaner is not the best registry cleaner but it is free and already installed. Feel free to use any legitimate registry cleaner.
3. Repair Windows Update
a. Run Dial-a-Fix and select all the check boxes.
b. Run the program
4. Run Winsock XP fix to reset the Winsock and Hosts file settings
5. Check the proxy settings (to make sure malware has not pointed your browser traffic at a proxy it controls)
a. Go to Start>Control Panel>Internet Options>Connections tab
b. Click the "LAN Settings" button
c. Uncheck the box in the "Proxy Server" section or change the proxy settings to the proxy you normally use.
6. Check your DNS
a. Go to Start>Connect To>Show all connections (or Start>Control Panel>Network Connections)
b. Right click on the network adapter you use for internet access
c. Select "Properties"
d. Select "Internet Protocol (TCP/IP)"
e. Click the "Properties" button
f. Make sure the DNS server IP address is the same as provided by your ISP or is set to automatic. (I prefer using OpenDNS servers [208.67.220.220 and 208.67.222.222] because they are usually more secure than the ISP DNS servers)
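Items 4, 5 and 6 have you eyeball the hosts file, the proxy setting and the DNS servers by hand. As an added example (not part of the original post), the following Python script runs the same three checks over text pulled from the box: it parses the hosts file and flags security-vendor or update domains pinned there, anything redirected to a non-loopback address, and other blackholed names; it reports an enabled proxy that is not the one you expect; and it reports DNS servers that are neither the OpenDNS resolvers named above nor a private (router) address. The vendor list, the sample hosts file and the sample settings are constructed for the example. On XP the real inputs are %SystemRoot%\system32\drivers\etc\hosts, the ProxyEnable and ProxyServer values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, and the DNS servers from "ipconfig /all" (or the NameServer / DhcpNameServer values under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces).

```python
r"""Post-cleanup check of hosts file, proxy and DNS (added example, not from the post).

Inputs on XP: %SystemRoot%\system32\drivers\etc\hosts; ProxyEnable/ProxyServer under
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings; DNS servers from
"ipconfig /all". The functions take those as plain values so they run anywhere.
"""
import ipaddress
import re

LOOPBACK = {"127.0.0.1", "::1"}
# OpenDNS resolvers from the post; add your ISP's resolvers here.
EXPECTED_DNS = {"208.67.220.220", "208.67.222.222"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Update/security-vendor domains malware likes to pin in the hosts file so the
# victim cannot update or download cleaners (constructed list; extend it).
PROTECTED = ("windowsupdate.com", "update.microsoft.com", "avg.com",
             "superantispyware.com", "safer-networking.org", "bleepingcomputer.com",
             "trendmicro.com", "kaspersky.com", "pandasecurity.com")

def parse_hosts(text):
    """Yield (ip, hostname) for each mapping; comments and blank lines are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower()

def audit_hosts(text):
    """Return (severity, ip, hostname, reason) for every entry worth a look."""
    out = []
    for ip, name in parse_hosts(text):
        if name == "localhost" and ip in LOOPBACK:
            continue                                   # the one stock XP entry
        if any(name == d or name.endswith("." + d) for d in PROTECTED):
            out.append(("high", ip, name, "security/update vendor pinned"))
        elif ip not in LOOPBACK:
            out.append(("high", ip, name, "redirected to a non-loopback address"))
        else:
            out.append(("low", ip, name, "blackholed; fine only if you added it"))
    return out

def audit_proxy(proxy_enable, proxy_server, expected=None):
    """proxy_enable is the ProxyEnable DWORD, proxy_server the ProxyServer string."""
    if not proxy_enable or (expected and proxy_server.lower() == expected.lower()):
        return None
    return "proxy enabled and pointed at %r" % proxy_server

def split_nameservers(value):
    """NameServer registry values are comma- or space-separated."""
    return [s for s in re.split(r"[ ,]+", value.strip()) if s]

def audit_dns(servers, expected=EXPECTED_DNS):
    """Return (server, reason) for resolvers that are not the ones you expect."""
    out = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            out.append((s, "not an IP address"))
            continue
        if str(ip) in expected:
            continue
        local = isinstance(ip, ipaddress.IPv4Address) and any(ip in n for n in RFC1918)
        out.append((s, "private resolver; confirm it is your router" if local
                    else "unexpected public resolver"))
    return out

# Constructed sample inputs; 203.0.113.0/24 is documentation address space.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.avg.com
127.0.0.1       update.microsoft.com   windowsupdate.com
127.0.0.1       ads.example.net        # blocklist-style entry, looks benign
203.0.113.10    www.bankofexample.com
"""

def run_audit():
    """Run all three checks over the constructed sample settings."""
    return {
        "hosts": audit_hosts(SAMPLE_HOSTS),
        "proxy": audit_proxy(1, "http=127.0.0.1:5555"),
        "dns": audit_dns(split_nameservers("203.0.113.53,208.67.222.222")),
    }
```

On the sample, run_audit() reports four high-severity hosts entries (three pinned vendor names and one bank site redirected to a foreign address), one low-severity blackholed name, a proxy that has been switched on and pointed at a local port, and one resolver that is neither OpenDNS nor the router. The loopback proxy finding is the one to take seriously: a proxy listening on 127.0.0.1 means something on the box is sitting in front of the browser.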
This should solve most infections. Other anti-virus/anti-spyware software can be used in addition to these free solutions but those I posted have worked very well for me. If you still think there may be junk on your system, I recommend installing free trials of reputable paid software such as Eset's NOD32, Kaspersky, and eEye's Blink and scanning with each (You can only properly use one anti-virus program at a time so uninstall each before you install a new one).
That's about it. I hope this is helpful. Let me know if I have something wrong or am missing anything.