Captain Colonoscopy
It is my intention for this post to be a general purpose guide for people needing help with malware removal. The steps listed below, when done correctly and in order, should clean your computer of all but the most egregious malware. This guide assumes that you do not necessarily have the ability to pull your hard drive and slave it to another computer for the first round of scanning. Also, this guide will ONLY reference applications that are free to download and use for personal use. I'll add screen shots and more detailed steps as time and motivation permit.
1) Download and Install Removal Tools! The following anti-malware apps are generally accepted as the best FREE removal tools right now. This list may change or it may not. If you think something should be on here that isn't please let me know.
- CCleaner - http://www.filehippo.com/download_ccleaner/ - Useful tool for cleaning out all the crap that has built up on your computer from general use. This helps to decrease the amount of files that are scanned and can greatly speed up scanning.
- Malwarebytes Anti-Malware - http://www.filehippo.com/download_malwarebytes_anti_malware/ - One of the best removal tools out there right now.
- SuperAntiSpyware - http://www.filehippo.com/download_superantispyware/ - Another great removal tool
- SuperAntiSpyware Portable Scanner! - http://www.superantispyware.com/portablescanner.html - This is the same SAS scanner and removal engine in a portable form factor that does not require installation on the infected system. Haven't had a chance to use this in the wild yet but looks promising.
- Spybot Search & Destroy - http://www.filehippo.com/download_spybot_search_destroy/ - Yet another good removal tool. Also useful for "inoculating" your web browsers against future attacks. New version seems to be able to clean temp files that CCleaner sometimes misses and some malware that Malwarebytes missed the last time I used it.
- ComboFix - http://www.combofix.org/ - This is a great tool for cleaning up a system that is messed up to the point you can't run MBAM or anything else. After running this you should still run the other tools to clean up the left-overs.
- RootRepeal - http://rootrepeal.googlepages.com/ - Rootkit removal tool. Run this when you can't get any other tool to run or install.
- TDSSKiller - http://support.kaspersky.com/faq/?qid=208283363 - Rootkit removal tool from Kaspersky. Pretty snazzy if you ask me.
- Avira AntiVir Personal - http://www.filehippo.com/download_antivir/ - Really good free anti-virus application. Has a somewhat annoying ad that pops up reminding you of all the fantastic other stuff you get if you would just buy it already. I've found this confuses and scares less savvy users that think it may be one of those fake-AV trojans.
- Microsoft Security Essentials - http://www.microsoft.com/Security_Essentials/ - Microsoft's free Anti-Virus/Anti-Malware program. Has gotten great reviews and I've been using it on systems instead of Avira. Doesn't catch everything but neither does Symantec, McAfee, Sophos, ESET, Avira, Avast, Panda, Trend, etc . . .
- Symantec UnHookExec.inf - http://www.symantec.com/security_response/writeup.jsp?docid=2004-050614-0532-99 - Tool to reset shell\open\command registry keys
- rkill - http://download.bleepingcomputer.com/grinler/rkill.com - Tool to try and kill any processes associated with running malware/rogue AV applications. Sometimes you have to run it several times before it will finally kill anything. Very useful if you can't get MBAM or SAS to run. Here is a link to a renamed version in case the regular rkill won't run: http://download.bleepingcomputer.com/grinler/iExplore.exe
- Avira AntiVir System Rescue CD - http://www.avira.com/en/support/support_downloads.html - Linux Boot CD that has Avira AntiVir anti-virus/anti-malware software with the latest definitions preloaded. Download and burn to a CD and boot your computer from it to do some scanning and removing action.
- Windows Defender Offline! - http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline - Microsoft boot disk with new version of Windows Defender anti-virus/anti-malware scanning engines. Should be fairly good but have not tested it in the wild.
- Sophos Anti-Rootkit - http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html - Free RootKit scanning and removal tool from Sophos. Makes you register to download but you can put in bogus information and it will still let you download.
- Norton Power Eraser! - http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default - Appears to be like Symantec's version of ComboFix. Not had a chance to use it in the wild but testing by another forum member suggests it is powerful. "Eliminates deeply embedded and difficult to remove crimeware that traditional virus scanning doesn't always detect."
- FixWin - http://www.thewindowsclub.com/repair-fix-windows-7-vista-problems-with-fixwin-utility - Free tool to reset task manager, desktop, shell stuff. Good for if you find your UI is a bit hosed up after removing all your computer herpes. This is for Windows Vista and Windows 7 only. Does not appear to support Windows XP.
2) Turn OFF System Restore! Malware likes to hide in System Restore and come back from the dead after a reboot. If you really want to you can turn it back on AFTER you have removed all infections from your computer. Depending on how many restore points you have this can take anywhere from 1-15 minutes to complete. Don't freak out if your system becomes unresponsive while it clears out all that garbage.
- Right-Click your "My Computer" or "Computer" icon and then select "Properties" from the menu that pops up.
- Click on the "System Restore" tab. Check the box that says "Turn off System Restore on all drives". Click on "Apply" and wait a few minutes, then click on "OK" to close the window.
3) Install and run CCleaner! Install CCleaner and run that pig!
- Check all the boxes for things to clean EXCEPT the "Wipe Free Space" one, that takes forever. Warning: This will wipe out all of your custom folder settings and saved passwords in IE/Firefox and clear out your start menu history. Click on the "Run Cleaner" button and click okay when it asks if you really want to do this. If your computer has multiple user accounts on it then you will want to run CCleaner when logged in as each user to clean out their temp files, too.
- Start the Registry Cleaner and run two passes with it. I usually choose the option to backup the registry and save to the c: drive somewhere, just in case.
- Go to the Tools\Uninstall section and start looking for goofy crap that shouldn't be there. Uninstall all the MyWebSearch toolbars and screensavers and other garbage you have no idea what the crap it is. I've found some crapware can be uninstalled from CCleaner that fail to remove themselves from Add/Remove Programs.
- Go to Tools\StartUp and delete or disable all the obvious bad crap. If you're not sure what is good and what isn't try googling it or just leave it alone and the malware removal tools should remove it anyway.
4) Install and Run Removal Tools! Install Malwarebytes, SuperAntiSpyware and Spybot Search & Destroy. Run the update process for each of the programs. If you don't have an Anti-Virus application or you're using something that sucks then you should consider installing Avira AntiVir Personal or Microsoft Security Essentials.
- Boot into Safe Mode without networking
- Run Malwarebytes Anti-Malware. Set options for full system scan and go grab a beer, preferably a lager, this could take a while. Once it is finished it will give you a list of the malware it found and you can then remove it. After it is finished you will need to restart your computer.
- Boot back into Safe Mode and run SuperAntiSpyware. Do the full system scan and grab another beer. When it is finished follow the prompts to remove the crap and restart your computer again.
- Boot into Safe Mode one more time and run Spybot Search & Destroy. Run the inoculation thingy. Then do the search for crapware. If it asks you for permission to clean out temp files let it do that and then finish the scan. While the scan is running feel free to have another beer, this one's on me. When it is done you can follow the prompts to remove the badware. If it says it needs to do a boot time scan to finish removing some junk then let it do it and restart your computer. If you do the start up scan you'll have to wait until it finishes before you can log into your computer again. NOTE: By default Spybot installs the "Tea Timer" application. Some people like this tool as it alerts you when an application is trying to make registry changes to your computer and will give you the option to cancel or allow the change. If you find yourself prone to getting infected with nasty computer herpes then you should probably leave this application alone and let it do its thing. If you don't like it you can disable it from the advanced options in Spybot.
- Run your Anti-Virus program, do a full system scan. If you don't have one then I would strongly suggest you install Avira Anti-Vir. If the pop ups bother you that much I've heard that there are ways to disable them, try searching the googler for a possible solution.
5) Run CCleaner Again! Boot into Windows and log in like you normally would. Run CCleaner again and the registry cleaner again. Sometimes removing malware will leave a bunch of crap lying around and you need to clean it up.
6) Enjoy the Freshness That is Your Cleaned Computer! Your computer should now be free of infections. If you continue to have problems then it is time to back up your important data and wipe/re-install Windows.
If you cannot run or install any of the tools listed above - Then you should try using the Avira System Rescue CD to boot your computer from and run a scan that way. Another option would be to try one of those fancy new Rootkit Removal applications. One such tool is RootRepeal! I don't have any personal experience with this software but there is a guide on the MalwareBytes Forums for using it and others on these forums have attested to its effectiveness in cleansing the computer herpes.
- Guide: http://www.malwarebytes.org/forums/index.php?showtopic=12709
- Download: http://rootrepeal.googlepages.com/
Hopefully you found this post useful. Happy Hunting!
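As an added example that is not part of the original post, here is a read-only PowerShell audit covering two of the spots the guide's tools act on: the exefile shell\open\command key that UnHookExec.inf resets, and the Run/RunOnce startup keys that CCleaner's Tools\StartUp view lists. The expected handler value `"%1" %*` is the stock Windows default; the "runs from a Temp folder" flag is an assumption of this example, not something the guide states, and the script changes nothing.

```powershell
# Added example, not from the original post. Read-only audit of two
# registry areas the guide's tools act on:
#  1. exefile\shell\open\command (what Symantec's UnHookExec.inf resets)
#  2. the Run/RunOnce startup keys (what CCleaner's Tools\StartUp lists)
# Nothing is modified; review the output before removing anything.

# Stock Windows default for exefile\shell\open\command
$ExpectedExeCommand = '"%1" %*'

function Test-ExeFileHandler {
    # Returns $true when the .exe open handler still has its default value.
    $key = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $current = (Get-Item -Path $key -ErrorAction Stop).GetValue('')
    if ($current -ne $ExpectedExeCommand) {
        Write-Warning "exefile handler is '$current' (expected '$ExpectedExeCommand')"
        return $false
    }
    Write-Host 'exefile\shell\open\command is at its default value.'
    return $true
}

function Get-StartupEntries {
    # Enumerates machine-wide and current-user Run/RunOnce values.
    # 'FromTemp' is a heuristic assumed by this example, not by the guide:
    # legitimate software rarely auto-starts from a Temp folder.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Provider metadata that Get-ItemProperty attaches to every result
    $psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($psMeta -contains $prop.Name) { continue }
            [pscustomobject]@{
                Key      = $key
                Name     = $prop.Name
                Command  = [string]$prop.Value
                FromTemp = [bool]([string]$prop.Value -match '\\Temp\\')
            }
        }
    }
}

# Usage: run from an elevated PowerShell prompt before step 3's StartUp review.
$null = Test-ExeFileHandler
Get-StartupEntries | Sort-Object FromTemp -Descending | Format-Table -AutoSize
```

Entries flagged FromTemp are worth looking up before deciding, as the guide suggests; the script only reports them.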