How-to Guide for Virus/Trojan/Malware Removal

It is my intention for this post to be a general purpose guide for people needing help with malware removal. The steps listed below, when done correctly and in order, should clean your computer of all but the most egregious malware. This guide assumes that you do not necessarily have the ability to pull your hard drive and slave it to another computer for the first round of scanning. Also, this guide will ONLY reference applications that are free to download and use for personal use. I'll add screen shots and more detailed steps as time and motivation permit.


1) Download and Install Removal Tools! The following anti-malware apps are generally accepted as the best FREE removal tools right now. This list may change or it may not. If you think something should be on here that isn't please let me know.

- CCleaner - http://www.filehippo.com/download_ccleaner/ - Useful tool for cleaning out all the crap that has built up on your computer from general use. This helps to decrease the amount of files that are scanned and can greatly speed up scanning.

- Malwarebytes Anti-Malware - http://www.filehippo.com/download_malwarebytes_anti_malware/ - One of the best removal tools out there right now.

- SuperAntiSpyware - http://www.filehippo.com/download_superantispyware/ - Another great removal tool

- SuperAntiSpyware Portable Scanner! - http://www.superantispyware.com/portablescanner.html - This is the same SAS scanner and removal engine in a portable form factor that does not require installation on the infected system. Haven't had a chance to use this in the wild yet but looks promising.

- Spybot Search & Destroy - http://www.filehippo.com/download_spybot_search_destroy/ - Yet another good removal tool. Also useful for "inoculating" your web browsers against future attacks. New version seems to be able to clean temp files that CCleaner sometimes misses and some malware that Malwarebytes missed the last time I used it.

- ComboFix - http://www.combofix.org/ - This is a great tool for cleaning up a system that is messed up to the point you can't run MBAM or anything else. After running this you should still run the other tools to clean up the left-overs.

- RootRepeal - http://rootrepeal.googlepages.com/ - Rootkit removal tool. Run this when you can't get any other tool to run or install.

- TDSSKiller - http://support.kaspersky.com/faq/?qid=208283363 - Rootkit removal tool from Kaspersky. Pretty snazzy if you ask me.

- Avira AntiVir Personal - http://www.filehippo.com/download_antivir/ - Really good free anti-virus application. Has a somewhat annoying ad that pops up reminding you of all the fantastic other stuff you get if you would just buy it already. I've found this confuses and scares less savvy users that think it may be one of those fake-AV trojans.

- Microsoft Security Essentials - http://www.microsoft.com/Security_Essentials/ - Microsoft's free Anti-Virus/Anti-Malware program. Has gotten great reviews and I've been using it on systems instead of Avira. Doesn't catch everything but neither does Symantec, McAfee, Sophos, ESET, Avira, Avast, Panda, Trend, etc . . .

- Symantec UnHookExec.inf - http://www.symantec.com/security_response/writeup.jsp?docid=2004-050614-0532-99 - Tool to reset shell\open\command registry keys

- rkill - http://download.bleepingcomputer.com/grinler/rkill.com - Tool to try and kill any processes associated with running malware/rogue AV applications. Sometimes you have to run it several times before it will finally kill anything. Very useful if you can't get MBAM or SAS to run. Here is a link to a renamed version in case the regular rkill won't run: http://download.bleepingcomputer.com/grinler/iExplore.exe

- Avira AntiVir System Rescue CD - http://www.avira.com/en/support/support_downloads.html - Linux Boot CD that has Avira AntiVir anti-virus/anti-malware software with latest definitions preloaded. Download and burn to a CD and boot your computer from it to do some scanning and removing action.

- Windows Defender Offline! - http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline - Microsoft boot disk with new version of Windows Defender anti-virus/anti-malware scanning engines. Should be fairly good but have not tested it in the wild.


- Sophos Anti-Rootkit - http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html - Free RootKit scanning and removal tool from Sophos. Makes you register to download but you can put in bogus information and it will still let you download.

- Norton Power Eraser! - http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default - Appears to be like Symantec's version of ComboFix. Not had a chance to use it in the wild but testing by another forum member suggests it is powerful. "Eliminates deeply embedded and difficult to remove crimeware that traditional virus scanning doesn't always detect."

- FixWin - http://www.thewindowsclub.com/repair-fix-windows-7-vista-problems-with-fixwin-utility - Free tool to reset task manager, desktop, shell stuff. Good for if you find your UI is a bit hosed up after removing all your computer herpes. This is for Windows Vista and Windows 7 only. Does not appear to support Windows XP.


2) Turn OFF System Restore! Malware likes to hide in System Restore and come back from the dead after a reboot. If you really want to you can turn it back on AFTER you have removed all infections from your computer. Depending on how many restore points you have this can take anywhere from 1-15 minutes to complete. Don't freak out if your system becomes unresponsive while it clears out all that garbage.

- Right-Click your "My Computer" or "Computer" icon and then select "Properties" from the menu that pops up.


- Click on the "System Restore" tab. Check the box that says "Turn off System Restore on all drives". Click on "Apply" and wait a few minutes, then click on "OK" to close the window.



3) Install and run CCleaner! Install CCleaner and run that pig!
- Check all the boxes for things to clean EXCEPT the "Wipe Free Space" one, that takes forever. Warning: This will wipe out all of your custom folder settings and saved passwords in IE/Firefox and clear out your start menu history. Click on the "Run Cleaner" button and click okay when it asks if you really want to do this. If your computer has multiple user accounts on it then you will want to run CCleaner when logged in as each user to clean out their temp files, too.
- Start the Registry Cleaner and run two passes with it. I usually choose the option to backup the registry and save to the c: drive somewhere, just in case.
- Go to the Tools\Uninstall section and start looking for goofy crap that shouldn't be there. Uninstall all the MyWebSearch toolbars and screensavers and other garbage you have no idea what the crap it is. I've found some crapware can be uninstalled from CCleaner that fail to remove themselves from Add/Remove Programs.
- Go to Tools\StartUp and delete or disable all the obvious bad crap. If you're not sure what is good and what isn't try googling it or just leave it alone and the malware removal tools should remove it anyway.


4) Install and Run Removal Tools! Install Malwarebytes, SuperAntiSpyware and Spybot Search & Destroy. Run the update process for each of the programs. If you don't have an Anti-Virus application or you're using something that sucks then you should consider installing Avira AntiVir Personal or Microsoft Security Essentials.
- Boot into Safe Mode without networking
- Run Malwarebytes Anti-Malware. Set options for full system scan and go grab a beer, preferably a lager, this could take a while. Once it is finished it will give you a list of the malware it found and you can then remove it. After it is finished you will need to restart your computer.
- Boot back into Safe Mode and run SuperAntiSpyware. Do the full system scan and grab another beer. When it is finished, follow the prompts to remove the crap and restart your computer again.
- Boot into Safe Mode one more time and run Spybot Search & Destroy. Run the inoculation thingy. Then do the search for crapware. If it asks you for permission to clean out temp files let it do that and then finish the scan. While the scan is running feel free to have another beer, this one's on me. When it is done you can follow the prompts to remove the badware. If it says it needs to do a boot time scan to finish removing some junk then let it do it and restart your computer. If you do the start up scan you'll have to wait until it finishes before you can log into your computer again. NOTE: By default Spybot installs the "Tea Timer" application. Some people like this tool as it alerts you when an application is trying to make registry changes to your computer and will give you the option to cancel or allow the change. If you find yourself prone to getting infected with nasty computer herpes then you should probably leave this application alone and let it do its thing. If you don't like it you can disable it from the advanced options in Spybot.
- Run your Anti-Virus program, do a full system scan. If you don't have one then I would strongly suggest you install Avira Anti-Vir. If the pop ups bother you that much I've heard that there are ways to disable them, try searching the googler for a possible solution.


5) Run CCleaner Again! Boot into Windows and log in like you normally would. Run CCleaner again and the registry cleaner again. Sometimes removing malware will leave a bunch of crap lying around and you need to clean it up.


6) Enjoy the Freshness That is Your Cleaned Computer! Your computer should now be free of infections. If you continue to have problems then it is time to back up your important data and wipe/re-install Windows.

If you cannot run or install any of the tools listed above - Then you should try using the Avira System Rescue CD to boot your computer from and run a scan that way. Another option would be to try one of those fancy new Rootkit Removal applications. One such tool is RootRepeal! I don't have any personal experience with this software but there is a guide on the MalwareBytes Forums for using it and others on these forums have attested to its effectiveness in cleansing the computer herpes.
- Guide: http://www.malwarebytes.org/forums/index.php?showtopic=12709
- Download: http://rootrepeal.googlepages.com/

Hopefully you found this post useful. Happy Hunting!

 
ComboFix = Godsend for heavily infected systems.

Other than that great guide! :D
 
Good list. Well done!
I'd add
A TCP/Winsock repair utility...reset the TCP stack/winsock files which often get injected with those DNS redirects by malware. The utilities reset those files to virgin/default state.

Microsoft's Malicious Software Removal Tool...it's a free download from Microsoft updates, it's a quick tool to run (Start==>Run==>MRT) And I have had it find stuff that MalwareBytes, Spybot, SAS, etc...missed. Completes that shotgun approach!

Many times some of the newer malware these days prevents you from updating and even running removal tools. What we do in the shop is remove the hard drive, slave it to a PC we have on the bench...and scan it with that PC. Even better than scanning in safe mode.
 
A TCP/Winsock repair utility...

Which one do you usually use? I can google for it and I know I've used one in the past but I can't seem to remember what it was....

Microsoft's Malicious Software Removal Tool...it's a free download from Microsoft updates, it's a quick tool to run (Start==>Run==>MRT) And I have had it find stuff that MalwareBytes, Spybot, SAS, etc...missed. Completes that shotgun approach.

I just tried running that in Windows 7 and it no worky... is the MSRT an XP only tool?

Many times some of the newer malware these days prevents you from updating and even running removal tools. What we do in the shop is remove the hard drive, slave it to a PC we have on the bench...and scan it with that PC. Even better than scanning in safe mode.

I agree that this is usually the best way to start. However, I wanted to present a reliable way for people that don't have the ability to slave a HDD to remove malware effectively. There are still a lot of people out there that aren't comfortable opening the side of their computer, let alone pull the HDD out and hook it up to another computer. :D


Thanks for the comments guys, keep 'em coming. I might actually get off my ass sometime this week and start taking some screenshots to upload. ....
 
Winsockxpfix works or just do it from command line netsh winsock reset

This is my way

boot into safemode
kill system restore
run Cleanup or CCleaner
run Combofix, may have to rename it to run
boot into normal windows, let combofix finish
run Mbam
run Avira or some antivirus scanner
re enable system restore
run ccleaner to finish

----

If for some reason you can't get any tool to run, I slave the drive into a bitch machine, run mbam that usually picks up a few items that block it
put drive back into host machine, safemode and do those steps

I like combofix as it gets a lot more than just mbam etc.
 
Thanks for your nice guide! Unfortunately I can't get combofix to install on Windows 7. I tried setting compatibility with XP and 2000 but neither worked. Any ideas?

Also, after about 13 years of heavy internet usage, for the first time I downloaded malware called "protection system". Now, after using almost all programs suggested in this guide and while those tools seem to remove everything, after each reboot, malwarebytes finds one trojan.injector file in the temp folder which usually looks something like this: VRTAC67.tmp or VRTA0D.tmp. It removes everything but by the next reboot it finds similar files in the same folder.

Can anyone help?

Thx in advance
 
Man, I hate to be such a downer but I really can't agree with the philosophy of this thread.

Not all spyware can be removed, and from a security standpoint if that's true in my mind it means that no spyware can be removed, or at least any machine once infected and then "cleaned" can never be trusted again.

Computers have been abstracted to such a high degree by so many people and for so many people that planting something in a spot nobody checks isn't impossible. Furthermore it's in the spyware author's best interest to not be found, and not be noticed. Spam relays are interested in routing spam and if the code thinks you're after it, maybe it modifies its routine to only run between 2AM and 6AM to avoid being discovered. Who knows. These are the same people who've invented (annoyingly strong) polymorphic programs; the only effective solution is a reformat (and even then, there are known ROM-firmware infections).

The only way to really remove spyware as an issue is to remove the vectors it comes in over. To avoid malicious actions against you via computing you need to modify your behavior. Convenience is often the enemy of security; use long passwords and never use the same one twice, check your (inbound and outbound) port activity from time to time, check the certificates/encryption that people claim to be using (MD5 has been cracked!), don't trust every google result you find, and make sure you're updated!!
 
I totally agree, my next step is going to be reformatting the HD, just need to back up my stuff. I just think it can't hurt to try something else first :)
 
Thanks for your nice guide! Unfortunately I can't get combofix to install on Windows 7. I tried setting compatibility with XP and 2000 but neither worked. Any ideas?

Also, after about 13 years of heavy internet usage, for the first time I downloaded malware called "protection system". Now, after using almost all programs suggested in this guide and while those tools seem to remove everything, after each reboot, malwarebytes finds one trojan.injector file in the temp folder which usually looks something like this: VRTAC67.tmp or VRTA0D.tmp. It removes everything but by the next reboot it finds similar files in the same folder.

Can anyone help?

Thx in advance

Did you make sure system restore was turned off? Malware likes to hide there and come back. Also, I just ran ComboFix on my mother-in-law's computer over the weekend and it found but was unable to remove the new "Personal Anti-Virus" vundo variant. Not impressed at all. MBAM was able to take care of it just fine, after I disabled system restore and booted into safe mode and let it run for 30 minutes.
 
Man, I hate to be such a downer but I really can't agree with the philosophy of this thread.

Not all spyware can be removed, and from a security standpoint if that's true in my mind it means that no spyware can be removed, or at least any machine once infected and then "cleaned" can never be trusted again.

Computers have been abstracted to such a high degree by so many people and for so many people that planting something in a spot nobody checks isn't impossible. Furthermore it's in the spyware author's best interest to not be found, and not be noticed. Spam relays are interested in routing spam and if the code thinks you're after it, maybe it modifies its routine to only run between 2AM and 6AM to avoid being discovered. Who knows. These are the same people who've invented (annoyingly strong) polymorphic programs; the only effective solution is a reformat (and even then, there are known ROM-firmware infections).

The only way to really remove spyware as an issue is to remove the vectors it comes in over. To avoid malicious actions against you via computing you need to modify your behavior. Convenience is often the enemy of security; use long passwords and never use the same one twice, check your (inbound and outbound) port activity from time to time, check the certificates/encryption that people claim to be using (MD5 has been cracked!), don't trust every google result you find, and make sure you're updated!!

So your philosophy would be to have everyone reformat their computers and re-install the OS if they have an infection? Sure, that's great if you have backups and an IT staff on hand or don't mind shelling out a few hundred dollars to your local repair shop every month or so. For most infections there is no need to take such drastic actions, especially for home users, which is the main target of this thread. Sure, everyone should run a hardware firewall with threat mitigation capabilities and hardware AV/AM scanning before it hits the network, sure people shouldn't go to bad places on the internets and they shouldn't try to "Punch the Monkey!" but that isn't going to happen any time soon. :D
 
Great Guide. I bookmarked and subscribed to it!

Thanks!
 
So your philosophy would be to have everyone reformat their computers and re-install the OS if they have an infection? Sure, that's great if you have backups and an IT staff on hand or don't mind shelling out a few hundred dollars to your local repair shop every month or so. For most infections there is no need to take such drastic actions, especially for home users, which is the main target of this thread. Sure, everyone should run a hardware firewall with threat mitigation capabilities and hardware AV/AM scanning before it hits the network, sure people shouldn't go to bad places on the internets and they shouldn't try to "Punch the Monkey!" but that isn't going to happen any time soon. :D

No, Image.

Imaging software (which you can find, good quality code, for free, all over the place), and online + local data backup means the most exhaustive part of reformatting is really just re-installing all your programs.

And just because a computer has been infected doesn't mean you can't use it and that you have to reformat it, it just means you can't trust it with anything sensitive.
 
I need help, I ran all of the cleaners and such, but I still can't get rid of WiniGaurd and it's driving me nuts
 
OK, combo fix I didn't run, and how do I restart in safe mode? And yes I did disable system restore and I ran them in the order I was supposed to as outlined at the top
 
Restart your computer and then start mashing on the F8 key until you get a menu that asks how you would like to start up. If memory serves, ComboFix requires an internet connection so you'll want to choose Safe Mode with Networking. After a while you'll be presented with your desktop or a login page depending on how your system is set up.

What version of Windows are you running??
 
So what tools did you run if you didn't run Combofix?

I use the method I wrote a few posts up and it works great. Combofix kills most of it. If Combofix or MBAM don't run you gotta remove the drive and slave it into another machine or boot off a Live disk and delete some files in System32 or Drivers
 
I have XP and I ran CCleaner, malwarebytes and super antispyware. I will run combo fix too in safe mode
 
I don't know if I can run combofix safely, I was looking at the website and I don't think I know enough to not delete something important.... and WiniGaurd is still around
 
Just run combofix in safe mode, if it runs you are good to go.

Download from bleeping computers
 
Symantec UnHookExec.inf should be mentioned in the OP. Awhile back, I had a computer infected with malware that messed with the registry to prevent me from running anything, including all installers and executables, giving me a Gordian knot problem that was cut only by UnHookExec.inf. This malware trick is still being used today. There's a detailed and recent writeup of it here.
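As an added read-only triage script (not a tool from this thread or from Symantec), the following PowerShell checks the same shell\open\command registry values that UnHookExec.inf resets, so you can see whether an "nothing will run" infection has hijacked them before touching anything, and it also lists the Run/RunOnce autostart entries from step 3 of the guide, flagging commands that launch out of a Temp folder like the VRTAxx.tmp re-infection described earlier. It assumes an elevated Windows PowerShell session and that the expected table below holds the stock Windows values for each file class.

```powershell
# Added example: read-only check of the file-class launch commands that
# UnHookExec.inf resets, plus an autostart listing. Makes no changes.
# Assumption: these are the stock Windows values for each class.
$expected = @{
    exefile = '"%1" %*'
    comfile = '"%1" %*'
    batfile = '"%1" %*'
    cmdfile = '"%1" %*'
    piffile = '"%1" %*'
    scrfile = '"%1" /S'
}

function Get-DefaultValue([string]$Key) {
    # The unnamed "(default)" registry value is exposed as a property named "(default)".
    (Get-ItemProperty -Path $Key -ErrorAction Stop).'(default)'
}

function Test-ShellOpenCommands {
    # One object per key found; Status is OK, MODIFIED or USER-OVERRIDE.
    foreach ($class in $expected.Keys) {
        $machineKey = "HKLM:\SOFTWARE\Classes\$class\shell\open\command"
        if (Test-Path $machineKey) {
            $actual = Get-DefaultValue $machineKey
            [pscustomobject]@{
                Key    = $machineKey
                Value  = $actual
                Status = if ($actual -eq $expected[$class]) { 'OK' } else { 'MODIFIED' }
            }
        }
        # HKCU\Software\Classes wins over HKLM for the current user, and a per-user
        # copy of these keys does not exist on a stock install, so its presence
        # alone is worth a look whatever it contains.
        $userKey = "HKCU:\SOFTWARE\Classes\$class\shell\open\command"
        if (Test-Path $userKey) {
            [pscustomobject]@{
                Key    = $userKey
                Value  = Get-DefaultValue $userKey
                Status = 'USER-OVERRIDE'
            }
        }
    }
}

function Get-AutostartEntries {
    # Run/RunOnce values from both hives; Flag marks commands that start
    # something from a Temp directory.
    $runKeys = foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($name in 'Run', 'RunOnce') {
            "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$name"
        }
    }
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # Skip the provider metadata properties Get-ItemProperty adds.
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                Flag    = if ("$($p.Value)" -match '\\Temp\\') { 'TEMP-LAUNCH' } else { '' }
            }
        }
    }
}

Test-ShellOpenCommands | Format-Table -AutoSize
Get-AutostartEntries   | Format-Table -AutoSize
```

A MODIFIED or USER-OVERRIDE row on exefile is the case UnHookExec.inf is meant for; the script only reports, it does not repair.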
 
So today I ran into a new Vundo variant called LiveUpdate Notification. RootRepeal, ComboFix and MBAM were all prevented from running with this one. I was able to get SuperAntiSpyware to install, update and run, though. Trying to remove the infections remotely on this computer so I can't get into safe mode . . . . will see what happens.
 
The best trick that I've found when you can't run MBAM or ComboFix is renaming the .exe files.

Although MBAM is best to be installed onto a thumb drive and renamed to D:\ANTISPYWARE\Spaghetti.exe (with all the files being in the antispyware folder).

Another thing is renaming ComboFix to explorer.exe. I was able to run it successfully through safe mode using this method and I'm fairly certain it worked in regular mode too but don't quote me on that.

I recently came across a really nasty Virut infection as well as one I could not pinpoint what exact infection it was. But the rogue antispyware program it installed was called Cyber Security or Cyber Defense and ComboFix and MBAM did not recognize it at all. Must've been a 0-day or something.

In those cases I often times resort to just nuking the machine.
 
Oh, hey, that's a good idea. Hadn't thought about installing MBAM on a USB drive. :) I'll have to look for a guide for that and update the first post.

On another note, I was able to use that Symantec UnHook.inf thingy and SuperAntiSpyware to clean up most of the junk. Rebooted and then was able to re-install MBAM and update and scan. Found a few more things and CCleanered that pig and all is good now. Yay me! :D
 
Symantec UnHookExec.inf should be mentioned in the OP. Awhile back, I had a computer infected with malware that messed with the registry to prevent me from running anything, including all installers and executables, giving me a Gordian knot problem that was cut only by UnHookExec.inf. This malware trick is still being used today. There's a detailed and recent writeup of it here.

Yeah I used that utility successfully the day before you posted this...
http://hardforum.com/showthread.php?t=1463310&highlight=UnHookExec.inf
 
OP: This thread recently helped a ton. Thanks for keeping this updated!!
 