Malware Removal Guide

Prerequisites: 

Freeware (explained in tutorial)

Before I start, I want you to understand that this guide is not going to be using any of the tools from Geek Squad. All of the tools used in this tutorial are available for download as freeware. This guide is not going to give you a complete and total walkthrough of every single program, just an overview. I will be providing links to other websites if you wish to read more about each of these programs. Neither I nor SoldierX hold any responsibility for your actions while following this guide, but simply offer it as a helping hand to get you to understand some of the ways that malware can infect your system while helping you remove them. Neither I nor SoldierX own or have created any of these tools, so you must accept each tool's licensing terms on your own behalf before you use them.

Before getting into the actual malware removal, I want you to understand that the only surefire way to get rid of any and all malware that is affecting your system is to replace your hard drive's MBR (Master Boot Record), use a utility such as DBAN (Darik's Boot And Nuke) to wipe the drive, and then reinstall your operating system.

So, now that I have gotten the legal stuff out of the way, let's get right down to business. This guide is going to cover many different things including, but not limited to: removing malware from an infected computer, the tools used to do the removals, extra utilities to help protect yourself from future attacks, and some fixes that you can do to repair some of the damage caused by removing malware from an infected system. These fixes are not always guaranteed to be correct, but simply are the most common ways to fix the problems caused by removing malware from a system.

Now that you have backed up all of your files, let's get to the tools needed to do the job correctly. Note that not all of these tools are required to clean your system; I am just listing all of the tools I have used in the past to get rid of different types of malware. If you want to be as thorough as absolutely possible, you should run every single one of these tools on the computer you are trying to clean. This will ensure that you have effectively removed most of the traces. I am not going to go in-depth and explain how to use each of these programs. If you would like to know more about one of these tools, a quick Google search on the name of the product should bring up a full listing of anything related to that software. Listed below, not in any particular order, are the programs I use while doing malware removal and the links to each website so you can download them:
1. SmitFraudFix - http://www.bleepingcomputer.com/files/smitfraudfix.php
2. Kaspersky AVZ Antiviral Toolkit - http://www.softpedia.com/get/Antivirus/AVZ-Antiviral-Toolkit.shtml
3. Avira Antivir Removal Tool - http://www.free-av.com/en/tools/3/avira_antivir_removal_tool.html
4. ClamWin Portable - http://portableapps.com/apps/utilities/clamwin_portable
5. McAfee Stinger - http://vil.nai.com/vil/stinger/
6. A-Squared HiJack Free - http://www.hijackfree.com/en/
7. A-Squared Emergency USB - http://www.emsisoft.com/en/software/stick/
8. 1-2-3 Spyware Free USB - http://www.pendriveapps.com/1-2-3-spyware-free/
9. AVG VCleaner - http://free.avg.com/us-en/virus-removal
10. Avast! Portable Virus Cleaner - http://www.pendriveapps.com/avast-virus-cleaner-virus-and-worm-removal-t...
11. SpyDLLRemover - http://rootkitanalytics.com/userland/spy-dll-remover.php
12. Microsoft's Autoruns - http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
13. Kaspersky's AVP Tool - http://www.brothersoft.com/kaspersky-avp-tool-190975.html
14. Microsoft's Rootkit Revealer - http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
15. Malwarebytes' Anti-Malware - http://www.malwarebytes.org/mbam.php (Special note for Malwarebytes: make sure that when you download the executable, you rename it to something not related to Malwarebytes or mbam-setup.exe. Most malware now will block mbam or anything related to it from even running. I usually end up naming it MBRemovalTool.exe)
16. Norman Malware Cleaner - http://www.norman.com/support/support_tools/58732/en
17. About Buster - http://www.malwarebytes.org/aboutbuster.php
18. ADS Spy - http://www.bleepingcomputer.com/files/adsspy.php
19. ATF Cleaner - http://www.atribune.org/index.php?option=com_content&task=view&id=25&Ite...
20. AIM Fix - http://www.jayloden.com/aimfix.htm
21. Avira Anti-Rootkit - http://www.free-av.com/en/tools/4/avira_antirootkit_tool.html
22. Avira Boot Sector Repair Tool - http://www.free-av.com/en/tools/9/avira_boot_sector_repair_tool.html
23. Trend Micro's Rootkit Buster - http://free.antivirus.com/rootkit-buster/
24. Trend Micro's CWS Shredder - http://free.antivirus.com/cwshredder/
25. Dial-A-Fix - http://www.softpedia.com/progDownload/Dial-a-fix-Download-27328.html
26. F-Secure BlackLight Anti-Rootkit - http://www.f-secure.com/en_EMEA/products/technologies/blacklight/
27. GMER Anti-Rootkit - http://www.gmer.net/
28. Trend Micro's Hijack This! - http://free.antivirus.com/hijackthis/
29. Kazaa Spyware Removal - http://majorgeeks.com/Kazaa_Spyware_Removal_d3110.html
30. Look2Me Destroyer - http://www.softpedia.com/get/Antivirus/Look2Me-Destroyer.shtml
31. QooFix - http://www.malwarebytes.org/qoofix.php
32. Vundo Fix - http://vundofix.atribune.org/
33. CCleaner - http://www.ccleaner.com/
34. Registry Mechanic - http://www.pctools.com/registry-mechanic/
35. JV16 Power Tools - http://www.macecraft.com/jv16powertools2009-info/
36. Windows Malicious Software Removal Tool - http://www.microsoft.com/downloads/details.aspx?FamilyID=ad724ae0-e72d-4...
37. Dr. Web's CureIt - http://download.cnet.com/Dr-Web-CureIt/3000-2239_4-128071.html
38. SuperAntiSpyware - http://www.superantispyware.com/
39. Defraggler - http://www.piriform.com/defraggler
40. Trend Micro's Rootkit Buster - http://free.antivirus.com/rootkit-buster/
41. Spybot Search & Destroy - http://www.safer-networking.org/en/download/
42. Combofix - http://www.bleepingcomputer.com/combofix/how-to-use-combofix
43. USB Write Protector - http://techie-buzz.com/utilites/usb-write-protector-shields-your-usb-fla...
44. 7-Zip Portable - http://portableapps.com/apps/utilities/7-zip_portable
45. Microsoft Installer CleanUp - http://support.microsoft.com/kb/290301 (Windows XP only)
46. Microsoft Auto Play Fix - http://www.microsoft.com/downloads/details.aspx?familyid=C680A7B6-E8FA-4... (Windows XP only)
47. Winsock Fix - http://windowsxp.mvps.org/winsock.htm (Windows XP only)

Step 1 --> Backups
First things first: you are going to want to back up all the files you absolutely cannot lose to a flash drive or external hard drive. Also, make sure you back up the registry in case it is corrupted beyond repair so that you do not have to reinstall your operating system. To learn how to back up your registry, follow the instructions on the following website (ignore the system restore option):
http://windowsxp.mvps.org/registry.htm

Step 2 --> Preparations
Now it is time to move on to the preparations for the removals. The first thing you are going to want to do is to get another USB flash drive. It is probably best to use at least a 2GB drive, but you can get away with a 1GB stick if you don't download all of the tools and store them on there. Personally, I use an 8GB flash drive so that I can store other stuff on it as well. Now, let's do a little preparation before we start the actual removals. First, on the clean computer where you are downloading all of the tools, plug in your flash drive. Follow the directions on the relevant website to install 1-2-3 Spyware Free, A-Squared Hijack Free, A-Squared USB, 7-Zip Portable, and ClamWin Portable onto the flash drive. None of these programs require registry entries to run. They keep all the information they need in configuration files located in the same folders where the programs will be located on your flash drive. Once those programs are installed, go ahead and transfer over the other utilities that you would like to use. I personally have all of the utilities on my flash drive, along with a few other programs for other uses. Once you have transferred over all of the utilities that you want to use, make sure you have the entire USB Write Protector folder somewhere on your flash drive. Make sure that you run each of the utilities that require updates (A-Squared USB, 123 Spyware Free, and ClamWinPortable) on the clean computer so that you have the latest definitions. Just one more step and we will get to actually removing the malware. The last step you need to do is use that utility I described to you, USB Write Protector. All you need to do is launch the executable located in the folder and click where it says to "Enable Write Protection." The reason this software is so crucial is that some worms and trojans have the ability to infect flash drives. This software ensures that nothing can write to the flash drive while it is plugged into any computer.
Now that the write protection is enabled, we can start the actual removals. Make sure that you close out of the USB Write Protector software and eject your flash drive from the computer. The first thing you need to do on the infected computer is to disable System Restore and delete all of the System Restore Points, because a lot of malware likes to hide in these restore points, which are ignored by 99% of malware scanners. Once you have done this, you are ready to move on to the next step.
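
Because the whole point of write-protecting the flash drive is that nothing on the infected computer should be able to change it, it is worth being able to check that afterwards. The following is an added example, not part of the original guide or of any tool listed in it: it records a SHA-256 manifest of the toolkit on the clean computer and later reports any file that was added, removed or modified. The file names and the tampering in demo() are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                # Hash in 1 MiB chunks so large installers do not fill memory.
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest


def save_manifest(manifest, path):
    """Store the manifest on the clean computer, never on the flash drive."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare(before, after):
    """Report files added, removed or modified since the manifest was taken."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: one tool is altered and one file appears."""
    with tempfile.TemporaryDirectory() as drive, \
            tempfile.TemporaryDirectory() as clean_pc:
        # Stand-ins for the toolkit after definitions have been updated.
        _write(os.path.join(drive, "ClamWinPortable", "ClamWinPortable.exe"),
               b"constructed tool A")
        _write(os.path.join(drive, "MBRemovalTool.exe"), b"constructed tool B")
        baseline = os.path.join(clean_pc, "toolkit-manifest.json")
        save_manifest(build_manifest(drive), baseline)

        # Simulated changes made while the drive was in the infected computer.
        _write(os.path.join(drive, "MBRemovalTool.exe"),
               b"constructed tool B, altered")
        _write(os.path.join(drive, "autorun.inf"), b"constructed")

        return compare(load_manifest(baseline), build_manifest(drive))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Take the manifest after the definition updates and before enabling write protection; any non-empty result afterwards means the drive should be wiped and rebuilt before it is used again.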

Note: For removal of rogue security products (ex. Antivirus 2009, Security Tool, Internet Security 2010, etc), begin with the next step. If you are just trying to clean a computer of general malware, please skip to Step 4.

Step 3 --> Removal of rogue antivirus software
This is going to give some of our scanners the chance to fully get the most malware removed from your system. We are going to start by trying to kill the infected processes so you will not be as impeded by the popups and other messages. Open up SpyDLLRemover and click on "Start Scan" to start the automated scanner. While that is scanning, click on the "Process Viewer" tab. You will see a more advanced version of the Windows Task Manager. Go ahead and scroll down to where you see the executable that is the main file for your particular rogue security product. This will be easy to see because most of the executables will be similar in name to what the program is named. For example, Personal Antivirus's executable is named PAV.exe. Once you click on the running process, you will see a list of all of the DLLs that are attached to that particular executable. As a side note, write down the name and file path of each of the DLLs that are attached to the running process because each of those is probably infected as well. I will touch on that later on. Once you have written down all of that information, click on the DLLs that are attached to the running process by clicking on their names in the bottom section and then click on the button at the bottom of the window labeled "Remove DLL." If anything asks whether you are sure of this, click OK. Once you have removed all of the DLLs attached to the executable, you can now kill the running process by clicking on the executable in the top portion of the window and then clicking the button labeled "Kill Process." Now that you have done this, you should have no more popups while you do the rest of your work. By this time, the automated scan you started a few minutes ago should be finished.
If the scan has found any of the DLLs that were on the list you made a few minutes ago, which were attached to the rogue antivirus software's executable, then click on the DLL's name and a list of all of the processes that utilize that DLL should pop up below it. If the only process that utilizes the DLL is the executable from the rogue antivirus software, then click on the button labeled "Remove DLL." If you are unsure as to what to do here, don't do anything. Just write down all of the names and file paths so that you make sure that you don't delete a main system file DLL that is required for the computer to work. Once that is complete, you should run SmitFraudFix. If you have any questions on how to use this software, make sure you read the full guide on the same page as where you downloaded the file from. Once this is complete, move on to Step 4.

Step 4 --> Installing software on the computer
To start out, go ahead and run the Malwarebytes Anti-Malware executable to install the program onto the computer. When it prompts you to restart your computer, don't do it because there are a few other things we need to do first. Once Malwarebytes is installed on the computer, install SuperAntiSpyware. Make sure that during the setup of SuperAntiSpyware you tell it that you do NOT want to enable the proactive defenses, just be able to scan the computer. Lastly, install Spybot Search & Destroy and make sure this one is also configured so that it does not give you proactive threat detection. Once those programs are installed, you can go ahead and restart your computer. Once your computer has been restarted, go back up to Step 3 and then continue on to Step 5.

Step 5 --> Running the scans on the computer (simultaneously or one after another)
This is the part of the removal process that is the easiest and most automated. First start off by loading up Malwarebytes and starting a scan on the computer's hard drive. Go ahead and minimize the window once the scan is started and load up SuperAntiSpyware. Do the same for SuperAntiSpyware and minimize that scan as well. (Note: Make sure that you are only targeting the hard drive and not your flash drive. Some of the utilities are recognized as malware by the scanners and the scanners will get hung up on trying to remove them from your write-protected flash drive.) If you are working on a slower computer, I would let the two scanners which are running right now finish before going any further. Now, load up A-Squared Free or A-Squared Command Line scanner (read documentation included with this tool for tips on how to use the command-line scanner) and start a scan with either of those tools. Once that is running, load up 1-2-3 Spyware Free and run a scan on the computer with it. Now, load up Spybot Search & Destroy and run a scan with it as well. The last scanner you need to start is Kaspersky's AVZ Antiviral Toolkit. Load up the AVZ.exe file. When the window pops up, make sure the box next to your hard drive is checked. Click on the "File types" tab and make sure that the scanner is set to scan "All files" and that the box next to "Do not scan archives larger than" is unchecked. Next, click on the "Search parameters" tab and under the "Heuristic analysis" group, drag the bar to the top and check the box next to "Extended analysis." Make sure that the boxes next to "Fix SPI/LSP errors automatically," "Search for TCP/UDP ports used by Trojan horses," and "Fix system errors automatically" are checked. Under the "Automatic actions" field, check the box next to "Enable malware removal mode" and make sure that all the drop-down boxes are set to "Remove." Once all of those have been started, click on the button labeled "Start" to start the malware scan. 
Now, go grab yourself some food or go do something else for about an hour or two while these scanners go to work. Some of the other scanners that you should run afterwards are AvastPortableAntivirus, AviraAntivirRemoval, McAfeeStinger, Norman Malware Cleaner, Kaspersky AVP Tool, and AVG vCleaner.

Special Note: If a particular rogue antivirus software has not been removed from your system after the scanners have run, then make sure that you run SmitFraudFix. To learn how to use it, refer to the site where you download it from.

Step 6 --> Cleanups after automated scanners
Once the scanners have completed, review each of the scan results. If any of the scanners failed to remove or clean a file, ensure that you write down the file and location so you can delete it later using 7-Zip. Once the scanners have been run, you are going to want to restart your computer and boot it into safe mode. Once you have booted into safe mode, you are going to need to run Hijack This. If you are not sure about what to remove using Hijack This, then when you run Hijack This, click on "Do a System Scan and Save a Log File." If you are sure of how to use Hijack This, just click on "Just Do a System Scan" and then remove what you need to. The reason you should not just remove everything on the list is that you can seriously screw up your computer. If you are unaware as to what to remove from this list, you can post your log file at http://www.hijackthis.de/ and they can either analyze it automatically, or you can post in the forums and someone will give you the list as to what exactly to remove from your computer. Now, once you have finished doing that, load up Autoruns from Microsoft. This program is going to allow you to see every single file that is set to autorun when the computer turns on. If there are any of the files that were not deleted when the malware scanners completed, now would be the time to look for those files and stop them from auto-running. Next time you restart the operating system, you should then be able to delete the infected file with no other problems. Once you have stopped all of the items that you did not want starting up on your computer, then your computer should also be running faster. At this point in time, you are welcome to run any of the following utilities: ADS Spy, Dial-A-Fix (Windows XP only), CWSShredder, E2TakeOut, QooFix, Look2Me Destroyer, AboutBuster, VundoFix, and ATF-Cleaner. Make sure you run ATF-Cleaner after all of the other programs have been run.
At this point, I would suggest downloading an antivirus program like Kaspersky, Webroot, Spyware Doctor, or Norton 2010.
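
The file names and paths written down in Steps 3 and 6 are the most reliable guide to which lines of a saved Hijack This log deserve attention. The following is an added example, not part of the original guide or of Hijack This itself: it parses a saved log and lists the running processes and entries that reference a noted file, including matches on the file name alone, which catches short 8.3 paths. The sample log, the pavhook.dll name and the noted paths are constructed, and the log layout (a "Running processes:" section followed by "code - detail" lines) is an assumption about the saved file.

```python
import ntpath
import re

# Constructed sample log (not from a real system). Layout assumed: a
# "Running processes:" section, then "<code> - <detail>" entry lines.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis
Platform: Windows XP

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PAV\PAV.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\pavhook.dll
O4 - HKLM\..\Run: [PAV] C:\PROGRA~1\PAV\PAV.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Example Service - Unknown owner - C:\WINDOWS\system32\svcexample.exe
"""

# Constructed stand-in for the handwritten list from Steps 3 and 6.
NOTED_PATHS = [
    r"C:\Program Files\PAV\PAV.exe",
    r"C:\WINDOWS\system32\pavhook.dll",  # hypothetical DLL name
]

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")


def parse_log(text):
    """Split a saved log into (running processes, [(code, detail), ...])."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line:
                processes.append(line)
            else:
                in_processes = False  # a blank line ends the process list
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return processes, entries


def find_noted(text, noted_paths):
    """Return (code, match_kind, detail) for items referencing a noted file.

    "full-path" means the exact path appears; "name-only" means just the file
    name matched and the entry needs a manual look before anything is removed.
    """
    processes, entries = parse_log(text)
    items = [("PROC", p) for p in processes] + entries
    hits = []
    for path in noted_paths:
        full = path.lower()
        name = ntpath.basename(path).lower()
        name_re = re.compile(r"(?<![\w.])" + re.escape(name) + r"(?![\w.])")
        for code, detail in items:
            lowered = detail.lower()  # Windows paths are case-insensitive
            if full in lowered:
                hits.append((code, "full-path", detail))
            elif name and name_re.search(lowered):
                hits.append((code, "name-only", detail))
    return hits


if __name__ == "__main__":
    for code, kind, detail in find_noted(SAMPLE_LOG, NOTED_PATHS):
        print(f"{code:5} {kind:10} {detail}")
```

Entries that match nothing on the list, such as the ctfmon.exe line in the sample, are left alone, which is the same caution the step above asks for.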

Step 7 --> Registry cleanup and repair
This part of the cleanup is relatively easy. The first thing you need to do is install CCleaner. When you start CCleaner, click on the "Cleaner" tab on the left-hand side of the window. Next, click on the "Analyze" button. When the analysis has completed, click on "Run Cleaner." Next, click on the "Registry" tab on the left-hand side of the window. Click on the "Scan for Issues" button. When the scan is complete, click on the button labeled "Fix selected issues..." Make sure that you fix all of the selected issues. You can choose to back up the changes if you want, but I have never had a problem with what CCleaner fixes. When you are done with CCleaner, you can uninstall it from your computer. Do the same things for Registry Mechanic and JV16 Power Tools. Just run the registry cleaners under each of those programs. Once each of these is done, feel free to tweak the registry to your liking. I will be making a post in the forums under Windows Software with some of the registry fixes that I have. If you would like to tweak your registry to your own liking, you can do a quick Google search and you should be able to find the registry fixes for whatever operating system you are using.

Step 8 --> Operating system repair and cleanup
Over the course of the malware removals, the operating system tends to get screwed up. The following fixes should repair the operating system back to a working condition. If there is a particular problem that you are having, a quick Google search should bring up the correct fix for it. Open up a command prompt window. Type in "CHKDSK /R" (without the quotes) and then when it states that CHKDSK can not run in the operating system, type in "SFC /SCANNOW". Once that has completed, restart your computer. Upon restart of your computer, CHKDSK is going to start and verify that there are no bad sectors that are being used. If there are, then the operating system will ignore those sectors so you do not have problems with your operating system. Once that is completed, if you have Windows XP, run the Microsoft Installer CleanUp utility. This will fix any problems that a piece of malware has modified in the Windows Installer that will cause a program not to install correctly or the Windows Installer to not even launch. Also, if you have Windows XP, run the Microsoft Auto Play Fix as well to find any defective AutoPlay settings and then it attempts to fix the ones it finds. Finally, the last fix for Windows XP is to make sure you run the Winsock XP Fix to make sure that there are no traces of malware left in the Windows Winsock.

Note: The last problem that a lot of people usually have after they have completed malware removals on their computer is that they have no internet connection afterwards. This last step is meant only to help those people who have this problem.

Step 9 --> Reconnecting to the internet
First we are going to check the internet connection settings before we start messing with any registry/operating system repairs. First things first: make sure that you have your drivers installed. If you have XP, click on "Start," and then click on "Run." If you have Vista, click on "Start," and then type in the blank space under "All Programs." In either of those spaces, type in "devmgmt.msc" and hit Enter. If you look under your network drivers and there are drivers that need to be reinstalled, please download your drivers on another computer and reinstall them. Once you have done that, the next step is to check the network's device settings. To do this, click on "Start," right-click on "Network," then left-click on "Properties." On the left-hand side, click on "Manage Network Connections." In the window that pops up, you should see the network devices that are installed on your computer. The next few steps should be the same for both/any/all of your network devices. Right-click on the network device and then left-click on "Properties." In the next window that pops up, click on "Internet Protocol..." and click on the button to the bottom-right labeled "Properties." Make sure that the two boxes next to "Obtain DNS server address automatically" are selected in BOTH places in that window. Then click on "OK" and go ahead and close out of all of the network windows. Now, open up Internet Explorer (yes, even if you don't use it) and open up the "Internet Options" that is listed under the "Tools" menu (if you can't see it on Vista, click somewhere in the web browser and hit the Alt key on your keyboard and you will see the menus pop up). If your internet is being redirected, here you can change your homepage. Click on the "Security" tab at the top, then click on each of "Internet," "Local Intranet," "Trusted sites," and "Restricted sites" and make sure that each of them is set to the "Default level" by clicking the button as you click on each one.
Under the "Privacy" tab, do the same thing and make sure it is set to "Default" by clicking on the button labeled as such. Lastly, click on the "Connections" tab, then click on the button labeled "LAN settings" and make sure that the box next to "Automatically detect settings" is checked. Now, close out of Internet Explorer and open up a command prompt window. When you have it open, type in "ipconfig /release" and then "ipconfig /renew". This will force your network card to refresh the network settings that you have just changed. If none of these fixes have worked, then you should do some research into Group Policies. If you have Windows XP, you can use Dial-A-Fix to scan for restrictive policies. If you have any other operating system, you should look at http://technet.microsoft.com/en-us/library/cc960596.aspx to learn how to remove restrictive group policies. Now, the Winsock needs to be reset. If you are running Windows XP, then you need to run the Winsock XP Fix that I had you download earlier. If you are running Windows Vista or 7, then open the command prompt as an administrator and type "netsh winsock reset". After that is complete, type in "ipconfig /release". Once that has completed, type in "ipconfig /renew". When those 3 commands have completed, restart your computer. Upon the restart of your computer, you should be able to connect to the internet.

Once you have completed all of these steps, your computer should be clean (for the most part). There is no true way to know for sure that your computer is fully clean unless you reinstall your operating system and replace your MBR. If you have completed all of the steps above and have run all of the programs listed in this guide, then your computer should be as clean as you can possibly get it. I will be posting more in-depth guides at a later date on how to use some of the software which was not explained in this particular guide.

I thank you for taking the time to read this guide and if you have any questions, feel free to contact me at coscstudent@soldierx.com. I dare say that I had fun making this guide and I hope you enjoyed reading it as much as I enjoyed writing it. I am sorry if anything in this guide is not perfect, but this is how I generally get rid of most malware on computers when I do it for family and friends. Take care everyone and get in contact with me with any questions.

Best regards,
COSCstudent