August 9th, 2008, 01:07 AM
A Detailed Malware Removal Guide
Hi everyone! I wanted to contribute to the forum and thought this might be of use to many of the people who are having trouble removing malware from their computers. This is pretty much "Nuke 'em All" approach that I use to clean out heavily infected systems. I usually do this first then check for anything that may have been left behind. It's much easier to clean out the mass of infections than to pull them out one issue at a time (and most infections aren't noticeable if they're created properly). I currently work in PC repair and this procedure works for me in all but the very worst cases (I would say all but a few times in the last year of virus removals. Much of that may be due to the fact that I hadn't been aware of all these progams and didn't have a proper procedure down). If anyone has anything to add, feel free to post corrections and recommendations.
These are the recommended programs for this procedure (these are all free programs):
(I will post links later but most of these can be found on www.Download.com, www.Bleepingcomputer.com, and www.majorgeeks.com)
Super Antispyware (www.superantispyware.com)
Norton Removal Tool
McAfee Removal Tool
#Note: If you are using these programs, I recommend removing them because the settings sometimes end up getting messed up by the malware or removal of malware and end up blocking internet access and/or updates for the other software we are installing.
*Step 1 - First Things First*
If possible go into normal Windows mode and follow these steps:
1. Put all the programs listed at the beginning of the tutorial on the desktop.
a. If possible install AVG, Spybot, Super Antispyware, SDFix, Rogue Remover, and CCleaner. (AVG and Super Antispyware need to be installed in Normal Windows Mode.)
b. If you cannot install these programs yet, wait until Step 2.
2. Turn off system restore
a. Right click on "My Computer"
b. Select "Properties"
c. Select "System Restore" tab
d. Check the "Turn off system restore" box
3. Disable Services and Startup programs
a. Open msconfig ( Start>Run>Msconfig )
b. Click the "Services" tab
c. Check the "Hide Microsoft Services" box.
d. Click the "Disable all Button"
e. Click the "Startup" tab
f. Click the "Disable All" button
g. Click "Ok"
h. Allow msconfig to restart the computer.
*Step 2 - Safe Mode (Removing the worst of it)*
1. Go into Windows "Safe Mode with Networking" (Press F8 after the BIOS screen during startup)
2. Disable "System Restore" as you did in Step 1. (For some reason disabling this in Normal Mode does not always disable in Safe Mode. Not sure if it matters but I do it anyway.)
3. If you were unable to install Spybot, SDFix, Rogue Remover, and CCleaner in Normal Mode, install them now if possible.
4. Run Smitfraud Fix
a. Select option 2
b. You can allow it to clean the registry if you want but we will do that later anyway.
5. Run Combofix
a. Be careful not to click inside the window while combofix is working as it may freeze the system.
b. If Combofix reboots the system, go back into Safe Mode after the reboot.
6. Run SDFix
a. SDFix install by default to C:\SDFix
b. Click on the "RunThis.bat" file
c. When SDFix reboots the system, allow the PC to boot into Normal Mode and finish its cleaning.
*Step 3 - Normal Mode/Safe Mode (Removing the rest of it)*
#Note: These scans may be run in Safe Mode if there are problems running them in normal mode. I would recommend running them in Safe Mode if possible.
#Note: If you do not have internet access at this point go to Step 4 (3,4,5,6). If this doesn't solve the problem, run the scans you can and you may remove the malware blocking access. After you have access run the updates on all the software and rescan the PC.
#OPTIONAL: Run McAfee or Norton Removal Tools. This will allow AVG to run properly as well as keep these programs from blocking internet connectivity.
1. If you were unable to install any of the software earlier try again now.
#Note: If AVG still has trouble installing go to Step 4 (1) and reset the registry permissions first then proceed from here.
2. Run CCleaner (this will remove junk files so the virus scans will be shorter as well as remove some virus programs hiding in the temp folders.
a. Select the "Prefetch Data" box in addition to the boxes checked by default (malware hides there sometimes).
b. Click "Run Cleaner" button.
3. Run Rogue Remover (this program only checks for specific malware and runs in seconds so I run it first)
4. Run AVG, Super Antispyware, and Spybot (in any order or multiple at once if your PC can handle it.
5. If you have internet access run some reputable online scans such as Housecall (http://housecall.trendmicro.com/), Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner), and Panda Activescan (http://www.pandasecurity.com/switzer...ns/activescan/)
*Step 4 - Repairing the damage done (Malware removal has the tendancy to leave behind broken links and changed settings. This should repair most of the damage)*
1. Reset the registry permissions
a. Run "Subinacl.msi"
b. Create a text document called "Reset.txt" in notepad.
C. Paste the following into the text file:
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=system=f
d. Save and rename the file to "Reset.cmd" (If you cannot change the extension to ".cmd", go to "Folder Options" in the Control Panel or in the "View" menu in any Explorer window and select the "View" tab. Uncheck the "Hide extensions for known file types" box.)
e. Put this file in the same directory that "Subinacl.msi" installed to.
f. Click on the "Reset.cmd" file.
2. Clean the registry (this should get rid of popups during startup that indicate missing files such as .dll files)
a. Run CCleaner
b. Select the registry icon on the right side
c. Scan for and fix issues
#Note: CCleaner is not the best registry cleaner but it is free and already installed. Feel free to use any legitimate registry cleaner.
3. Repair Windows Update
a. Run Dial-a-Fix and select all the check boxes.
b. Run the program
4. Run Winsock XP fix to reset the Winsock and Hosts file settings
5. Check proxy settings (To make sure malware didn't set routing through a proxy)
a. Go to Start>Control Panel>Internet Options>Connections tab
b. Click the "LAN Settings" button
c. Uncheck the box in the "Proxy Server" section or change the proxy settings to the proxy you normally use.
6. Check your DNS
a. Go to Start>Connect To>Show all connections (or Start>Control Panel>Network Connections)
b. Right click on the network adapter you use for internet access
c. Select "Properties"
d. Select "Internet Protocol (TCP/IP)"
e. Click the "Properties" button
f. Make sure the DNS server IP address is the same as provided by your ISP or is set to automatic. (I prefer using OpenDNS servers [184.108.40.206 and 220.127.116.11] because they are usually more secure than the ISP DNS servers)
This should solve most infections. Other anti-virus/anti-spyware software can be used in addition to these free solutions but those I posted have worked very well for me. If you still think there may be junk on your system, I recommend installing free trials of reputable paid software such as Eset's NOD32, Kaspersky, and eEye's Blink and scanning with each (You can only properly use one anti-virus program at a time so uninstall each before you install a new one).
That's about it. I hope this is helpful. Let me know if I have something wrong or am missing anything.
August 9th, 2008, 03:10 AM
Before I say anything critical about your post, I'd like to thank you for adding content to the forum and I'd like to be the first to encourage you to continue. If you wouldn't mind, I'd like to add my opinion to one or two points.
If you're truly going for a "nuke 'em all" approach, I'd add multiple other antivirus and antispyware programs. I use appx. 10-12 antivirus/antispyware programs from boot CD that "borrows" space at the end of the partition to download definitions, then proceeds to scan outside of Windows entirely. (Safe mode is of course the next best option, and system restore points would need to be disabled in any case as you noted). This allows the programs the maximum possible freedom to remove all infected files. I recommend running that many programs simply because every single one finds something the others did not. Afterwards I also like to run HijackThis to manually clean up any obvious viral code (anything that looks really official but has randomly generated characters at the end, such as system32.dll.adsklno72). You may also wish to check C: or the Program Files folder for folders with names that contain randomly generated characters. Ctrl+C (copy) the name of the folder, delete it, then open up regedit and scan the registry for other entries by the same name. Delete each one until you've gone through the entire registry. I commend you for adding in Windows fixes for cleaning up the mess left in the aftermath! Most people forget that part.
Originally Posted by CyberB0b
Kudos to you sir.
August 9th, 2008, 03:45 AM
Thanks keezle. I did mention at the end using other virus removal programs. I kind of wrote this for people without the knowledge or ability (their machine is infected) to create a boot CD with AV programs (like creating a BartPE ISO). I agree that I should have put in HijackThis, explaining researching unfamiliar files and doing a visual scan of unfamiliar programs. I usually use these procedures after everything else is done as a final go-over and if things still aren't working right. Rootkit removal with F-Secure, Rootkit Revealer and others is something else I didn't mention. I will append this tutorial with your input when I have a minute to write it all up.
August 9th, 2008, 11:29 AM
Well, that seems pretty comprehensive but I find it interesting that I go about it in a different sequence.
The first thing I run is CCleaner to get rid of useless files and some malware.
1. Spybot , A-Squared and Ad-Aware.
2. Traditional AV
3. Specialist removal tools
But, if the machine has been compromised (owned) then it is reformat and reinstall. After all, every user has backed up their personal data and used nLite or vLite to create the latest slipstreamed version of their OS; haven't they?
OK, perhaps I should explain. My sequence tends to reflect the type of problems I usually encounter in my particular location and environment.
If I come across something that I recognise as spy/adware that needs a specific removal tool I will go after that first.
Most of the stuff I encounter is pretty mundane adware/spyware and the more specialist tools for these annoyances seem to do a more comprehensive job than mainstream AVs (I mean the three in #1)
I notice that HijackThis! has been mentioned? For the non-technical I would recommend using this site:
Just copy and paste the log and they will analyse it for you. For the "unknowns" you need to Google them. If that shows nothing, then find the file, and submit it to these:
If those don't work, then your malware author is "ahead of the game".
Last edited by nihil; August 9th, 2008 at 06:14 PM.
August 12th, 2008, 05:28 PM
Thank you for your contribution.
Take this into account for my part.
I get calls like this all day however I am NOT allowed to use third party programs as you described above and only use the AV companys program that I work for.
Its kind of sad that I cannot point clients in the right direction because of politics.
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
August 13th, 2008, 02:42 AM
Perhaps you could casually mention this site?
"...to give correctly is to give them what they need from us, for it would not be skillful to bring gifts to anyone that are in no way needed."
*Einstein Would Be Proud*
August 13th, 2008, 05:12 AM
One tool I didn't see meantioned is called RegCleaner, I find it a very usefull program it can be found at the link below, it is an older program and the newest version I've unfortunately been unable to get to work in Vista, It condenses things from the registry in a nice easy to read fashion with assocaited programs and even will give you the location of all keys associated with the entry. Another nice feature is that it has an Add/Remove programs tab that will display EVERYTHING even the stuff that windows will not display in its Add/Remove Programs utility. It also has a Startup tab and when you remove things from the startup (msconfig) it doens't require a reboot and doesn't give you that retarded warning message after you do reboot .
also with using SmitFraudfix, I've found that AV programs go nuts when this program is ran, so its best to disable them before running it.
also I do see a few programs I've never heard of or used, so thanks for them I will definately be giving them a try on my next broke @55 computer I get to fix .
PASSWORD: I dont have one
August 13th, 2008, 10:06 AM
You should be able to use HijackThis! remember that it shows questionable stuff that may or may not be malware. Typical AV products ignore these.
I get calls like this all day however I am NOT
allowed to use third party programs as you described above and only use the AV companys program that I work for.
The two virus lookup sites should be OK as well, as Panda supports them both.
Also, some malware requires specialist tools like combofix and smitfraudfix.
CCleaner and RegCleaner should also be OK as they are really just housekeeping tools.
August 13th, 2008, 10:23 AM
Nihil - Hijack this is now part of Trend Micro, you are not allowed to use it.
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
August 13th, 2008, 11:39 AM
since when? I downloaded v2.02 from Download.com tonight.. and not forgetting Trend micro them selves.. http://www.trendsecure.com/portal/en...kthis/download you can still d/l 1.99 from several sources... the Analyser sites are still supported.. So I think it is still a a valid tool... IF YOU KNOW WHAT YOUR LOOKING AT..
Originally Posted by Cider
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
By billy786 in forum The Security Tutorials Forum
Last Post: June 21st, 2008, 07:51 PM
By alakhiyar in forum The Security Tutorials Forum
Last Post: December 17th, 2006, 10:31 AM
By jinxy in forum AntiVirus Discussions
Last Post: June 2nd, 2004, 01:33 AM
By thehorse13 in forum AntiVirus Discussions
Last Post: May 23rd, 2003, 01:35 PM
By khakisrule in forum The Security Tutorials Forum
Last Post: July 10th, 2002, 02:34 PM