How-to Guide for Virus/Trojan/Malware Removal

Great list, I am a big fan of Glary Utilities also, has a lot of nice features to it.
 
The first thing I do (on every startup of an infected computer) is:

1. Check the connection settings in Internet Options to make sure "Use proxy" under "Lan Settings" isn't checked.

2. Check the LAN connection's TCP/IP properties to make sure "obtain automatically" for IP and DNS is set.

3. Check the hosts file to make sure it's just 127.0.0.1 localhost.

4. Reset the Firewall settings.

5. Load each browser and make sure they're not set to use a proxy. (Browsers automatically detect proxy setting changes in Internet Options and will use them).

That usually helps with downloading and updating anti-virus and anti-spyware programs.

I've seen #1 and #2 *a lot*.

I've also seen where the hosts file is locked by something. Booting into the recovery console and replacing the hosts file with a good one often helps.

I also remove Java whenever it's not needed at all as users never update Java and they infect themselves big time.

I also set up user accounts like so (whether they like it or not):

Config (admin account)
Account for each user (limited accounts)
Visitor (limited account for drunk buddies and stupid relatives)

All are password-protected and profile folders are made private.

As for the opening of executables being disabled, it's usually just the "HKEY_CLASSES_ROOT\.exe" key. Although you can't open regedit to fix it, you can still right-click on a reg file with that key and choose merge.

For Spybot, it's best to do a startup scan right from the beginning. You can set the option in its settings and restart. That's much better than waiting for it to finish only to have it say it has to scan all over again at startup.
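The five startup checks above, plus the .exe association fix, as one script. This is an added example and not the poster's own procedure. It assumes Windows 7 or later with PowerShell run from an elevated prompt; the registry locations are the documented WinINet proxy, TCP/IP interface and .exe association paths. By default it only reports; -Fix applies the corrections the post describes. Per-browser proxy settings (Firefox's prefs.js) are not covered here.

```powershell
# Added triage script for the checklist in the post above (not the poster's code).
# Assumed: Windows 7+, PowerShell 2.0+, elevated prompt. -Fix applies the changes.
param([switch]$Fix)
$findings = @()

# 1. Internet Options > LAN settings. Browsers using the system proxy inherit these values.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { $findings += "WinINet proxy enabled: $($inet.ProxyServer)" }
if ($inet.AutoConfigURL)     { $findings += "WinINet PAC script set: $($inet.AutoConfigURL)" }
if ($Fix) {
    Set-ItemProperty $inet.PSPath -Name ProxyEnable -Value 0
    Remove-ItemProperty $inet.PSPath -Name ProxyServer, AutoConfigURL -ErrorAction SilentlyContinue
}

# 2. Static IP / DNS. A non-empty NameServer value means DNS was set by hand (or by malware);
#    DHCP-assigned servers are stored in DhcpNameServer instead, so that value is left alone.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $ifc = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$($_.SettingID)" -ErrorAction SilentlyContinue
    if (-not $_.DHCPEnabled) { $findings += "$($_.Description): static IP $($_.IPAddress -join ', ')" }
    if ($ifc.NameServer)     { $findings += "$($_.Description): static DNS $($ifc.NameServer)" }
    if ($Fix) {
        if (-not $_.DHCPEnabled) { $_.EnableDHCP() | Out-Null }
        if ($ifc.NameServer)     { $_.SetDNSServerSearchOrder() | Out-Null }   # no args = back to DHCP
    }
}

# 3. hosts file. Read it from where Windows actually looks (DataBasePath can be redirected too),
#    and flag every active line that is not the plain localhost mapping.
$dbPath = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').DataBasePath
if ($dbPath -ne '%SystemRoot%\System32\drivers\etc') { $findings += "DataBasePath redirected to $dbPath" }
$hosts = Join-Path ([Environment]::ExpandEnvironmentVariables($dbPath)) 'hosts'
$extra = @(Get-Content $hosts | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
           Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' })
if ($extra.Count) { $findings += "hosts file has $($extra.Count) non-localhost entries:`n  " + ($extra -join "`n  ") }
if ($Fix -and $extra.Count) {
    Set-ItemProperty $hosts -Name Attributes -Value 'Normal'   # clear hidden/read-only set by malware
    Set-Content $hosts "127.0.0.1`tlocalhost`r`n::1`tlocalhost"
}

# 4. Firewall reset (Vista and later; XP uses "netsh firewall reset").
if ($Fix) { netsh advfirewall reset | Out-Null }

# .exe association from the same post. Malware often plants a per-user override under
# HKCU\Software\Classes: it needs no admin rights and wins over HKLM in the merged HKEY_CLASSES_ROOT.
$assoc = (Get-ItemProperty 'HKLM:\SOFTWARE\Classes\.exe').'(default)'
$open  = (Get-ItemProperty 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command').'(default)'
if ($assoc -ne 'exefile') { $findings += ".exe maps to '$assoc' instead of exefile" }
if ($open -ne '"%1" %*')  { $findings += "exefile open command is '$open'" }
foreach ($k in 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\exefile') {
    if (Test-Path $k) { $findings += "per-user override present: $k" }
}
if ($Fix) {
    Set-ItemProperty 'HKLM:\SOFTWARE\Classes\.exe' -Name '(default)' -Value 'exefile'
    Set-ItemProperty 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command' -Name '(default)' -Value '"%1" %*'
    Remove-Item 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\exefile' -Recurse -ErrorAction SilentlyContinue
}

if ($findings) { $findings } else { 'No proxy, DNS, hosts or .exe association tampering found.' }
```

Run it once without -Fix and keep the output as a record of what the infection changed; the HKCU\Software\Classes check is the one most people miss, because the HKLM keys look fine while the per-user override is what Explorer actually uses.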
 
ComboFix - http://www.combofix.org/ - This is a great tool for cleaning up a system that is messed up to the point you can't run MBAM or anything else. After running this you should still run the other tools to clean up the left-overs.
I gotta say, ComboFix really saved my butt recently. Got some kind of nasty that kept multiplying. Desktop wouldn't even show up, although I could get into it thru ctrl-alt-delete. I could still run MSE, MBAM and SAS but the problem wouldn't go away. I was ready to re-format.

Then I read about combofix here. It comes with a lot of dire warnings like don't use it unless you really know what you're doing, yadda, yadda, yadda. I read the instructions, it told me exactly what it would do. And yeah, it sounded kinda scary, not like running your typical AV, but in turning your trust over to a higher power. Cross your fingers and pray.

Reminded me of a few years ago I got a nasty and used something called "vundo be gone" or such. It said something along the lines of "This program will do things your OS won't like. It will cause a BSOD." Took a leap of faith to use it, but I was desperate.
 
This is a very useful thread. I saw it a few months ago, but for some reason never bothered to subscribe to it or reply. :eek:

It would also be really nice if they did a ComboFix for Vista/7 operating systems too.

I wrote two articles related to the topic title and security:
* One-Fits-All Solution for Most Virii/Malware/Spyware Problems
* Securing your network and browsing experience

Of course, the first link will mostly handle only the low-level/common ones. :S The more complicated types require a bit more effort and intelligence to circumvent.

EDIT: http://www.hlrse.net/Qwerty/cleanup.html
 
Chiming in with some love for ComboFix. It's saved me on multiple occasions.
 
Did you make sure system restore was turned off? Malware likes to hide there and come back. Also, I just ran ComboFix on my mother-in-law's computer over the weekend and it found but was unable to remove the new "Personal Anti-Virus" vundo variant. Not impressed at all. MBAM was able to take care of it just fine, after I disabled system restore and booted into safe mode and let it run for 30 minutes.

ComboFix is not a scanner. It searches from a list of malware names and then removes them. That's not its real power. Its real power, and the thing people mean when they say it should not be used without a consultant, is its scripting power.
Malware changes its names on every system. If you can ID the name it uses, then you can make a script and ComboFix will hunt it down.

For fake security software, MBAM is the best. It specializes in it. SuperAntiSpyware as well.
For script malware, the average AV has a detection rate of 90 percent with it. That's why not using IE is a very good idea. The NoScript add-on in Firefox can help you with that.
But people should only blame themselves: if you run an admin account and then get infected, you shouldn't be surprised.

Locking up the admin account and using a limited user account alone restricts malware to just a part of your system, unable to do any damage.
 

Dr.Web rescue disk. That's it. Boot up with it, then it scans and cleans your system. It even does a boot repair. File viruses will render apps like ComboFix and GMER useless. Offline scanning is the only hope.
 
I hate to knock you for this, but Dr.Web on any machine takes hours for a full scan; that is a little unacceptable on a slow, unresponsive older machine. The Dr.Web rescue disk is really slow (maybe it's just me or the machine I have dealt with).

I agree with everything else on here for dealing with malware. A layered approach with different scanners is the best approach out there.

Another useful program I just found out about is HitmanPro 3.5. It's a good second-opinion scanner and it is really fast.
 
What, no Autoruns, no Process Explorer? How are you going to run those apps with the virus killing them? Good luck installing an AV after an infection.

Golden rule: never boot into safe mode until you have identified the malware. A file virus will destroy your PC beyond repair and rootkits won't be detected. For rogue security programs it's a good idea, but not until you have identified it.

A. Anti-malware:
There are plenty of good anti-malware tools and cleaners like:
1. Malwarebytes Anti-Malware (code name MBAM): a good tool for detecting and cleaning malware (file infectors not included).
2. SuperAntiSpyware (code name SAS): another good tool for detecting and removing malware. Its advantage over MBAM is that it has a separate "system and browser repairs".
3. Dr.Web CureIt!: my favourite tool for totally getting rid of file infectors like Sality, Alman, ........ and other malware. Its cleaning routines are so powerful, and its advantage over MBAM and SAS is that it can handle viruses.

After cleaning, some files or registry keys may still be in the system, so you should repair them with system cleaners and fixers.

B. System cleaners:
1. CCleaner: a good freeware to clean junk files and registry errors. It also has an uninstaller ("some or a lot of spyware has an uninstall entry, so removing it with the uninstaller is easier").
2. Dial-a-fix: a good, powerful tool for XP users; it can fix policies and has a good arsenal of fixes.
3. Glary Utilities: another good tool, and there are hundreds of freeware tools to do such a mission.

You may have got a rootkit, so you should check for rootkits.
C. Anti-rootkits:
1. avast! Anti-Rootkit: a simple anti-rootkit. It has some false positives in the registry and the System Restore folder; anyway, the log it creates is what makes it good, not its removal functions.
2. Panda Anti-Rootkit: another simple-UI anti-rootkit ("it is good, but the last time I ran it I got an OllyDbg window telling me that an access violation occurred, but don't worry, my PC is a freak for anti-malware").
3. Radix Anti-Rootkit: a very helpful tool; it generates few FPs and its cleaning is wonderful. It combines ease of use with the power of other advanced tools like GMER or RKU.
4. GMER: an advanced tool, so use it to analyze the system and then give the reports. My favorite anti-rootkit.
5. RKU: another good analyzer, but like GMER, don't take decisions if you don't know what you are doing.
6. RootkitRevealer: a good tool to analyze files and registry keys that hide from your eyes. Enough anti-rootkits.

Sometimes YOU NEED to analyze the system and clean it yourself, because the anti-malware doesn't catch or can't remove the malware.

A. Process managers
1. procexp: the best task manager I have ever seen. It gives you a very good image of what is running, with highlighting, and it cooperates with its brother Autoruns to catch malware (the highlighting exposes the packed processes running, so you should suspect those first).
2. APT (Advanced Process Termination): good at one thing, killing processes.
3. GMER: until now no program has stood against termination by GMER, including firewalls and antiviruses like Comodo, avast, Avira, Outpost, ESET.

B. Overall system analyzers: they can give you an overall view of your system.
1. ESET SysInspector: ESET SysInspector is an application that thoroughly inspects your computer and displays
2. Autoruns: the best tool in the world to determine the startups, and it can work with procexp. It is easy to work with after some tweaking: from the Options menu check "Hide Microsoft and Windows entries", then check "Verify code signatures". The unverified entries that come from an unknown publisher may be suspect and need to be investigated. You can use Autoruns to disable the malware's startup entries after terminating it (so it doesn't re-enable itself after termination).
3. HijackThis: a simple tool to do simple logs.
4. a-squared HiJackFree: a good tool that gives you an overall look at your processes, ports, autoruns, services, and some other places where malware can hide. It has a good removal ability.

C. File and registry removal:
1. Unlocker: a very good tool to delete malware files, since it will remove them on the next startup if it can't remove them immediately.
2. FileASSASSIN: a nice file deleter; it lacks the right-click menu, so I prefer Unlocker.
3. RegASSASSIN: a tool to remove registry keys and values.

D. Other tools
API Guard: a handy tool to run suspicious files without hurting your system (if your AV doesn't catch a virus in a suspect file, you can run it from API Guard).

References:
www.freedrweb.com/cureit/?lng=en
www.malwarebytes.org/mbam.php
www.superantispyware.com/
www.ccleaner.com/
www.glaryutilities.com/
download.cnet.com/Panda-Anti-Rootkit/3000-8022_4-10717196.html
www.gmer.net/
technet.microsoft.com/en-us/.../bb897445.aspx
technet.microsoft.com/en-us/.../bb896653.aspx
www.diamondcs.com.au/advancedseries/apt.php
www.eset.com/download/sysinspector.php
technet.microsoft.com/en-us/.../bb963902.aspx
www.hijackfree.com/en/hijackfree/
www.freefixer.com/
ccollomb.free.fr/unlocker/

OP, maybe you can have a look at some of those tools and see if they're worthy.
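The Autoruns view the post above describes (hide Microsoft entries, verify code signatures, look at what is left) can be produced from the command-line build so it runs from a rescue prompt and the result is saved as evidence. This is an added example, not the poster's own procedure or a Sysinternals script. It assumes Sysinternals autorunsc.exe (v13 or later) is on the PATH; the switch names and CSV column names used below are those of that version.

```powershell
# Added example (not from the post): enabled autostart entries whose signature does not verify,
# produced with autorunsc.exe. Assumed: autorunsc.exe v13+ on PATH, v13 switch and column names.
param([string]$Autorunsc = 'autorunsc.exe', [string]$OutDir = $env:TEMP)
$raw    = Join-Path $OutDir 'autoruns-all.csv'
$report = Join-Path $OutDir 'autoruns-unverified.csv'

# -a * every entry type, -c CSV, -h file hashes, -s verify signatures,
# -m hide Microsoft entries (only the signed ones, because -s is given)
cmd /c "`"$Autorunsc`" -accepteula -nobanner -a * -c -h -s -m > `"$raw`""
$entries = Import-Csv $raw

# Autorunsc writes "(Verified) <publisher>" only when the Authenticode chain checks out.
# "(Not verified) ...", an empty signer, or an image path starting "File not found" all
# point at something to investigate on an infected machine.
$suspect = @($entries | Where-Object {
    $_.Enabled -eq 'enabled' -and
    ($_.Signer -notlike '(Verified)*' -or $_.'Image Path' -like 'File not found*')
})

$suspect | Select-Object 'Entry Location', Entry, 'Image Path', Signer, MD5 | Format-Table -AutoSize -Wrap
$suspect | Export-Csv -NoTypeInformation $report
"$($suspect.Count) enabled, unverified entries written to $report (full listing in $raw)"
```

The MD5 column comes from -h and is what you feed to a second-opinion lookup; the full CSV in $raw is worth keeping alongside it, because an entry that looks clean today is easier to compare against after the cleanup.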
 
Something I have seen four times in the last two weeks that has annoyed the hell out of me is after virus removal and fixing the hidden files thing, nothing will appear on your desktop and you're unable to right-click.

HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Policies > Explorer

Delete the "NoDesktop" key.

So obvious after I figured it out but took me two hours of banging my head against the wall.
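NoDesktop is one of a family of Explorer and System policy values that rogue software sets to cripple the desktop (NoRun, NoViewContextMenu, DisableTaskMgr, DisableRegistryTools and so on), and the "hidden files thing" mentioned above is usually the companion trick of breaking the Folder Options check box itself. The script below is an added example, not the poster's own fix: it lists every such value that is present under HKCU and HKLM and, with -Fix, removes them and restores the hidden-files toggle. It assumes the XP/7-era registry layout and that it is run as the affected user, elevated for the HKLM parts. DisableRegistryTools only blocks regedit.exe, not the registry API, so this runs even when regedit will not open.

```powershell
# Added example (not from the post): find and clear Explorer/System policy restrictions
# and repair the "Show hidden files" option. Assumed: XP/7-era registry layout, run as the
# affected user with admin rights. -Fix applies the changes; default is report-only.
param([switch]$Fix)

$policies = @{
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @(
        'NoDesktop', 'NoRun', 'NoViewContextMenu', 'NoControlPanel', 'NoFolderOptions',
        'NoFind', 'NoDrives', 'NoViewOnDrive', 'NoClose', 'NoSetTaskbar')
    'Software\Microsoft\Windows\CurrentVersion\Policies\System' = @(
        'DisableTaskMgr', 'DisableRegistryTools', 'DisableCMD')
}

$found = @()
foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($sub in $policies.Keys) {
        $key = "$hive\$sub"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty $key
        foreach ($name in $policies[$sub]) {
            if ($null -eq $props.$name) { continue }
            $found += "$key\$name = $($props.$name)"
            if ($Fix) { Remove-ItemProperty $key -Name $name }
        }
    }
}

# Hidden files: malware sets CheckedValue under SHOWALL to 0 so ticking "Show hidden files"
# does nothing, and sets Hidden to 2 (do not show) in the user's Advanced key.
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$adv     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if ((Get-ItemProperty $showAll).CheckedValue -ne 1) { $found += "$showAll\CheckedValue is not 1" }
if ((Get-ItemProperty $adv).Hidden -eq 2)           { $found += "$adv\Hidden = 2 (hidden files off)" }
if ($Fix) {
    Set-ItemProperty $showAll -Name CheckedValue -Value 1 -Type DWord
    Set-ItemProperty $adv -Name Hidden -Value 1 -Type DWord            # 1 = show hidden files
    Set-ItemProperty $adv -Name ShowSuperHidden -Value 1 -Type DWord   # also protected OS files
    Stop-Process -Name explorer -Force; Start-Process explorer         # reload the shell
}

if ($found) { $found } else { 'No Explorer/System restrictions found.' }
```

Run it without -Fix first: on a domain-joined machine some of these values are set legitimately by Group Policy and will come back at the next refresh, which is itself a useful hint that the machine is not a home PC you should be "fixing" this way.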
 
I don't use CCleaner; I use a program called CleanUp!. It's faster and efficient, without the risk of registry damage, which I've seen CCleaner do before. I've said it before to my friends and the one guy that works part time for me: if you need to fix the registry, do it yourself; don't let a program do it for you. Programs sometimes don't understand a registry entry and delete it when it's needed.
 
@Captain -- Thanks for keeping this list updated. It's been most helpful.
 
Honestly speaking, none of these actually work if your PC gets infected by a trojan, malware or a virus. I am using Windows XP and whenever I had issues I had to format it completely to make sure my PC is all clean.
 

Seriously? Thanks for being a forum member for two days and then posting garbage. You're either a troll or an idiot.
 
There is a single tool which makes 99% of the stuff mentioned here (including the 1st post) obsolete.
Kaspersky Rescue CD
You boot your PC from it (sort of a live Linux); it loads the antivirus, updates it and scans your HD.
Viruses, trojans and even rootkits don't stand a chance. I cleaned several different fake "antivirus" infections without any issues. So much faster and easier, since the virus is not active.

I'm not affiliated with the company or its products. This product is not supported unless you're a Kaspersky AV customer.
 
Microsoft released another tool beta, Windows Defender Offline Beta

Haven't used it yet, but it allows you to make a bootable CD, DVD, or USB key. It supposedly has the same engine as the Windows 8 version of defender, both anti-malware and anti-virus.
 

Will add to the list shortly. Could have used this earlier in the week. New round of fake hdd alert variants going around that ComboFix and MBAM haven't been able to remove completely....
 
Anyone know if MSE plays well with Norton Internet Security?
I already have NIS 2011 installed on all my PCs, but would like to give MSE a try.
 
General rule of thumb is that you shouldn't have more than one active scanner going at a time. You could install MSE and disable NIS at the service level, that might work. I would uninstall NIS first, then install MSE on a machine and test it out. Then you can decide how you want to proceed on the rest of the PCs.
 
I got that damn Windows 7 security virus. This thread helped out a lot! I think my registry is pretty screwed up though, I can't even enable my windows firewall. Thinking about just doing a clean W7 install...sigh there goes all my files.
 
You shouldn't have to lose everything, just pull the drive and hook up to another computer to scan and backup your stuff. If you don't have a spare computer then you can boot from an Ubuntu Live CD and copy your files to an external drive.
 

Yeah that's probably what I'll do. Such a pain in the ass! Second time I've got that stupid virus but it's my own damn fault for not keeping my browsers/adobe programs/ and virus scanners up to date. I've finally learned my lesson.
 
D7 utility...scripted malware tools fix
http://www.technibble.com/d7-computer-repair-multi-tool/

The utility does a lot more than just cleaning malware, but under the malware tab....you can set it to "script" running a BUNCH of tools...so you can kick off the script and walk away for a day, as the tool runs scan after scan after scan after scan (repeat process) of the bundled tools. A time saver for guys like us that fix infested computers often...we don't have to stand and hover around as much.
 
Fantastic guide, by the way; it sped up my system a little bit and it's smooth sailing now (I hate reinstalling).
 
I did not see this guide posted here yet so here it is, provided by the very reputable Microsoft sysinternals team:

Zero Day Malware Cleaning Guide

It has lots of various tricks and commands/utility recommendations to assist in resolving a lot of malware issues.
 