
Removal Guide #1

This guide will help you remove malware from your computer.  It uses some advanced (but easy) techniques to clean your computer.  I cannot guarantee this will clean your machine, but it should clean the majority of all infections.  If you find this guide hard to follow, you may have success using Guide #2.

NOTE: This is not a good guide if you plan on doing some sort of forensic investigation, as it does not uncover how you got infected.  It focuses primarily on getting your system free from malicious software.  However, if you're curious you can read about some of the common ways people get infected.

Here's a brief summary of what is going to be done:

Basic:
  1. Create a Virus-Removal CD or bootable USB Flash drive
  2. Boot into the live CD
  3. Scan and clean the computer from the live environment
  4. Clean remaining malware from within Windows
  5. Confirm infection is gone
  6. Get Windows Updates
  7. Update and secure outdated/vulnerable software
Advanced:
  1. Completely secure your machine against drive-by malware downloads
  2. Reset certain settings to defaults
  3. Repair permissions

Before performing these steps, I recommend running hardware triage on your machine to make sure it is still in good condition.  I recommend using UBCD to perform these tests.

0. Remove Antivirus Software and Temporary Files (Optional)

Before running any scans, it's a good idea to go ahead and remove any antivirus software and temporary files that are already on the machine.  Sometimes this is not an option, but if you can, go ahead and do this.

You want to remove the old antivirus software because:
1) The antivirus software isn't working.
2) It may conflict with other scanning tools.  You will be running multiple tools.
3) It reduces the number of files that need to be scanned.

By removing temporary files:
1) You can significantly decrease the amount of time it takes to perform a scan.
2) Temporary files often contain infected content as well, so it may actually remove some malicious software from the machine (temporarily).

You can take care of this step using CCleaner.  CCleaner, aka "Crap Cleaner," cleanses your system of files that are not needed and could potentially be affecting the performance of the machine.  If you've ever cleaned your history in your web browser, CCleaner is basically the same thing, except it goes a step further and removes more.  CCleaner also has a tool built inside of it that allows you quick access to application uninstallers.  It's usually easier and quicker to use than the "Add/Remove" option that exists in the Control Panel.

Download CCleaner, run it, and uninstall any AV.  If the machine is so infected that this step cannot be performed, that's fine.  This step is optional.

1. Create a Virus-Removal CD or bootable USB Flash drive

BACKGROUND INFO
Extremely infected machines often require a computer to be "offline" so that the infections can be detected.  "Offline" in this sense is NOT referring to the network connection, but to the operating system installation...

Normally when you turn on your computer, it will run some system checks and then you will see the "Windows Loading" screen before it eventually loads you to your Logon screen or to your Desktop.  Once this has occurred, your machine is in an "online" state, fully loaded into the operating system.  When a machine is "online" there are several background applications, drivers, and services loaded that can greatly influence how the machine operates.  If a machine is infected with malicious software known as a rootkit, this can greatly impair the ability to remove any malware that may be present on the machine.  Rootkits hide portions of the system so that removal tools are unable to identify them.  If removal tools are unable to locate the malicious content, then there is no way they can possibly disinfect it.

The majority of tools developed these days do attempt to find rootkits on the machine using advanced techniques.  However, malware writers are constantly increasing their rootkit sophistication in order to bypass detection tools.  For this reason, it is best to scan for malware while the machine is "offline."  In order to scan the machine while it is "offline," you have two options.  You can either physically open the computer case, remove the hard drive, plug it into another machine, and boot from that other machine's hard drive, or you can follow the steps here to create a live bootable CD or USB flash drive.

A Live-CD enables you to boot to an "offline" environment so that you can perform a very thorough scan of the files on your hard drive.  This "offline" environment provides you with an unbiased scanning environment that will not hide anything from detection tools.  This enables you to find most KNOWN malware infections.  Please note the emphasis on the word "known" in the previous sentence.  If a certain infection is unknown, then it's not going to be possible to detect it.  However, you can plan on this process detecting pretty much anything you may run into, because all popular infections are known.  Most unknown infections are usually analyzed within a few days or weeks after release.  If you are really skeptical of your machine, then you can follow this same process a few days after you run it initially.

There are some extremely sophisticated attacks that no one will ever experience unless you have someone with a ton of money and/or very talented engineers after you.  It's possible to modify hardware, like the CPU or memory, so that it engages in unexpected behavior.  There's really no solution when this happens, except of course swapping out the hardware or buying a computer with clean hardware.  Really, though, if you're one of these people, I'm sure you know this already.  A slightly more likely, but still sophisticated, attack is embedding malicious code in the BIOS/EFI or other flashable chips.  These have been found in computers in China.  The only possible solution that I could think of for this would be to re-flash the chip.

MAKING THE LIVECD / USB FLASH DRIVE
In order to make this process as easy as possible, I'm going to introduce you to a wonderful program called SARDU that enables you to create an antivirus rescue disc or flash drive that includes all of the removal tools from popular vendors.
SARDU downloads to your computer all of the software it needs to create the CD, and it can also create a bootable USB flash drive or CD image.  Please note that this doesn't work too well if you have a RAID volume, because the live environments lack the drivers to read RAID volumes.

I highly recommend that you create the disc or flash drive on a machine that is clean.  Otherwise you may have difficulties following this guide.

STEPS TO CREATE AN OFFLINE ENVIRONMENT LIVECD OR FLASH DRIVE USING SARDU:
1) Download SARDU
2) Extract the SARDU application from the zip archive that you download.
3) Open SARDU
4) In order to download the required files, simply click on each button for each tool listed (e.g., AOSS PCTools, AVG Rescue CD, Dr. WEB).  After the download completes, a check should be placed next to the button you clicked, indicating that it will be included on the Live-CD/USB flash drive.
5) Feel free to browse the other tabs for any tools you might want to use and you can include them on the CD or flash drive as well by clicking their button and downloading their image.
6) If you have a flash drive, go ahead and plug it in now, and click the "Search USB" button.
7) If you are creating a flash drive, click the button that has the blue flash drive icon on it.
    If you are creating a CD, click the button with the CD icon on it, then click on "Desktop" from the browse menu that will appear, then click "OK". (note: If you know what you're doing, you can browse to any other location.  If not, follow directions)

8) If you created the USB flash drive, you are now done.
    If you opted for the CD, you are not done.  Go to step 9.

9) You now need to burn the image file that was created to a CD.  If you do not know how to do this, I recommend downloading CDBurnerXP
  • After downloading CDBurnerXP, install it and open it
  • From the window menu it offers, click "Burn ISO image" and click "OK"
  • On the write-cd dialog, click "Browse".  Navigate to your desktop either by clicking on the "Desktop" link on the left, or by typing "Desktop" into the address bar at the top.
  • Click "sardu.iso" and click "OK"
  • Make sure you have a CD in your drive and click "Burn Disc"


You now have your bootable media with all of the best antivirus tools.  Now you just need to boot to it to get started!

2. Boot to the Live-CD or USB Flash Drive

If you haven't already, go ahead and shut down and power off the infected machine.  For flash drive users, you definitely want to do this before you insert it into the infected computer, because you don't want it writing any infected autoruns or other infected content to the USB flash drive when it is inserted.  It may not affect the removal process, but it could be a source of re-infection.  If you made the media from an infected machine, be careful.

In order to boot to the CD or USB flash drive you just created, you have to select the correct boot device when you first turn the infected machine on.  All computers are different when it comes to selecting the device to boot when the machine first starts.  Sometimes it can be a little frustrating finding the correct button to press in order to reach the boot selection menu.  Some computers will announce to you the key press you need to hit in order to get to the boot menu, but some do not.  You can follow this general guideline.  If you can't seem to bring up the boot device menu, then you may need to Google your computer's model number and see how you can change the default boot sequence.

STEPS:
1)  Turn off your computer and when you first turn it back on, repeatedly hit the correct key to reach your boot device selection menu.  You can follow the chart below for a general overview of some of the most common key presses that are required to see the boot selection menu.  Some computers do not even provide you with any boot device selection menu.  In order to select the boot device on these computers, you will have to go into the BIOS Configuration and manually change the boot priority for your devices.

DELL
Keep pressing F12 until you see a boot menu.

HP / ASUS
Keep pressing ESCAPE or F10 until you see a boot menu.

Gateway / eMachines
Keep pressing F10 until you see a boot menu.

Other Common Keys to Press
F8 - This may bring up a Windows Safe-Mode Boot menu.  Do not confuse this with your Device Boot Menu!
F9
F11
DEL

If after you bring up your boot device menu and you do not see an option to boot to your USB flash drive, then you may have a computer that does not support booting to USB.  You may want to try the CD option.  However, in my experience, sometimes the flash drive gets detected as a hard drive.  If your boot device selection menu has the option to choose multiple hard drives, then try locating your drive under the hard drive option.  If you still don't find it, sorry to say, but your computer just doesn't support booting to USB.  You'll have to make a CD.


2)  You should now see Sardu's boot menu.
You can now select which particular tool you would like to use.  For antivirus tools, use the arrow keys to scroll down to "Menu Antivirus".

If time is not an enemy for you, you can run all of the individual tools and see what sort of infections they can find.  However, you can normally clean the nasty stuff with one or two "offline" tools.  I recommend starting with Dr. Web, because it has the option to "cure" files, which can be really helpful if you have infected system files.  You do not want to delete system files if you can help it.



3. Scan and Clean your Infected Machine

All you need to do now is update the definitions and start scanning your machine with whatever antivirus live environment you entered.  Please note that if you're running any sort of RAID, then most of the tools will not detect your drive and you will not be able to perform a scan.  If you cannot get any of the Live environments to detect your drive, then you can attempt to clean your machine by skipping this step.  However, I recommend pulling the hard drive and running an offline scan from another computer.

Clean any infections that the software detects.  Simple as that.  However, please make sure you don't remove any system files or you may not be able to boot back into Windows following the cleaning.



4. Clean Remaining Malware From Within Windows

Update, and then run a scan with Hitman PRO to see if any rootkit may have somehow been missed by the "offline" scanner(s).  Clean and reboot.
Update, and then run a full scan with MalwareBytes.  Clean and reboot.
Update, and then run a full scan with SuperAntispyware.  Clean and reboot.

After completing these scans, you should be free of viruses and malware.  However, there may still be remnants of a virus on the machine.  MBAM and SAS do a good job of eliminating the majority of the malware, but sometimes they can leave behind traces that a virus used to be present.  These traces of the virus are usually not harmful, because they have no executable.  In order to clean this trace evidence, you need to manually go through the system and remove anything that doesn't belong or is not associated with any program.  I have no scientific way of going about this; you just have to improvise on each system.  For this reason, this is not covered here.  The malware is gone; it just may leave behind a log or something that isn't really affecting the system.

5. Reset Configuration Settings

After you have removed the malware from your machine, there still may be intermittent issues that occur because of configuration changes that the virus made to your machine.  To remedy these issues, you can reset portions of your OS back to the default settings.

1) Reset Permissions.  Occasionally the need for resetting file and registry permissions may arise.  Resetting permissions will restore the default security settings your OS had when it was brand new.  This ensures that you will not be locked out of (or wrongly allowed into) certain configuration areas of the OS, and it also solves permission-related issues such as being unable to install software.

- Download SubInACL and install it to the default location ("%ProgramFiles%\Windows Resource Kits\Tools")
- Download Reset script.  Extract it, and run the included .bat batch file.



2) Reset Winsock Settings.  Sometimes it may help to reset Winsock Data.

ALL VERSIONS
- Go to Start->Run
- type "netsh winsock reset"

WINDOWS XP
- Download Microsoft's Winsock Fixit
- Download Winsock-XP-Fix (Optional) - This tool may repair what Microsoft's tool does not.

WINDOWS VISTA/7
- Download Microsoft's Winsock Fixit



3) Reset TCP/IP Settings.  If you still have Internet issues, you can try resetting TCP/IP settings.
- Download Microsoft's TCP/IP Fixit



4) Reset Windows Update. 
If you have issues getting Windows Update to function, you can try these tools.
- Download Microsoft's Windows Update Fixit
- Download My WinUpdate Fix



5) Reset IE Settings. 
Even if you do not use IE, this may be beneficial.  This will reset "Internet Options" to the default settings.
- Download Microsoft's IE Fixit



6) Run IE Performance Fix.
- Download Microsoft's IE Performance Fixit



7) Fix Windows Firewall.
  If the Windows Firewall is not working properly, you can try this tool to repair the issue.
- Download Microsoft's Firewall Fixit

8) Run LSPFix.  If Internet functionality is still missing after performing the above steps, then you can try running LSPFix to repair other LSP related errors.
- Download LSPFix
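The Winsock reset in step 2 and the LSPFix step above both deal with the same thing: the list of providers (including third-party LSPs) registered in the Winsock catalog.  The script below is an added example written for this page, not something from the guide, from Microsoft, or from LSPFix.  It dumps the catalog with the same "netsh winsock show catalog" command, saves a copy to the Desktop, and flags any provider whose DLL is not under %SystemRoot%.  That "outside the Windows directory" rule is my own heuristic, not a definition of malware: a legitimate third-party LSP will be flagged too, so use the list as "look at these in LSPFix" rather than as proof of infection.  It assumes an elevated PowerShell prompt (PowerShell 2.0 is enough) and only runs the reset if you set $DoReset to $true.

```powershell
# Added example, not part of the original guide: inspect the Winsock catalog
# before resetting it. The "outside %SystemRoot%" test is a heuristic only.
# Run from an elevated PowerShell prompt.

$DoReset = $false   # set to $true to run "netsh winsock reset" after the report

function Get-WinsockProviders {
    # netsh prints one block per provider; pick the Description and Provider Path lines.
    $providers = @()
    $current = $null
    foreach ($line in (netsh winsock show catalog)) {
        if ($line -match '^\s*Description:\s*(.+)$') {
            $current = New-Object PSObject -Property @{ Description = $matches[1].Trim(); Path = '' }
            $providers += $current
        }
        elseif ($current -ne $null -and $line -match '^\s*Provider Path:\s*(.+)$') {
            $current.Path = [Environment]::ExpandEnvironmentVariables($matches[1].Trim())
        }
    }
    return $providers
}

function Find-ForeignProviders {
    # Heuristic: any provider DLL that loads from outside the Windows directory.
    $sysRoot = $env:SystemRoot
    Get-WinsockProviders | Where-Object {
        $_.Path -ne '' -and -not $_.Path.StartsWith($sysRoot, [StringComparison]::OrdinalIgnoreCase)
    }
}

# Keep a copy of the catalog on the Desktop so you can compare it after the reset.
$backup = Join-Path ([Environment]::GetFolderPath('Desktop')) 'winsock-catalog-before.txt'
netsh winsock show catalog | Out-File -FilePath $backup -Encoding ASCII

$flagged = @(Find-ForeignProviders)
if ($flagged.Count -eq 0) {
    "All Winsock providers load from $env:SystemRoot.  Catalog saved to $backup."
} else {
    "Providers loading from outside the Windows directory (review these in LSPFix):"
    $flagged | Format-Table Description, Path -AutoSize
}

if ($DoReset) {
    netsh winsock reset    # rebuilds the catalog from defaults; reboot afterwards
}
```

Run it once before resetting and keep the saved catalog; if a flagged DLL also shows up in LSPFix, you have a file name to feed to the scanners in step 4.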

5. Tweaks

After ridding your machine of malware, you may be interested in learning about other ways, besides an AV, to protect yourself.  Here are a few steps you can take to prevent future infections.

1. Use a virtual web browser.
  I will always recommend this to advanced users who are interested in keeping their machine as secure as possible.  This involves creating a VMWare ThinApp or a locked-down version of your web browser so that it is harder for malware to gain access to your machine.

- Creating a VMWare ThinApp
- Locking down your web browser without ThinApp



2. Use NoScript addon for Firefox. 
If you use Firefox, then consider using NoScript.  NoScript will lock your browser down very well, preventing you from being vulnerable to drive-by downloads that work by exploiting vulnerabilities in the web browser. 

NoScript is rather hard to get used to, but it is well worth the learning curve.  It requires that you "train" the browser to allow certain websites to run scripts on your machine.  This enables you to control what part of a page is going to function and what part will stay disabled.  If you happen to stumble across any site that appears that it could possibly be malicious, then you can simply leave that page without it doing any harm (thanks to NoScript).  However, NoScript can also work the other way by removing the ability to watch embedded videos on web pages, until you explicitly allow them.  The longer you use NoScript, the easier it will become to use your "trusted" web pages.  Allowed pages can be remembered and recalled so that you don't have to always explicitly allow a page to run its scripts.


3.  Use AdBlock Plus Addon for Firefox or AdBlock Plus (BETA) for Chrome.  If you use Firefox or Google Chrome (which you should), then I highly recommend the AdBlock Plus Addon/Plugin for these web browsers.  This will eliminate all those advertisements that you see on a web page.  One of the main reasons I like using this addon is that some ads on web pages have the words like "Download Now" or something similar in them, and because they blend in with the web page you are viewing very well, it's very easy to click on those ads, rather than the actual download link that you need to click on to download the software you were searching for originally.  I think these types of ads should not be allowed to exist, but unfortunately they do, and because of this, I highly recommend using Adblock Plus.   Furthermore, besides the "Download Now" issue, blocking ads can also improve your browsing speed, because bandwidth is not consumed downloading advertisements.  It will also prevent downloading images that could possibly have infected content in them, further securing your browser.


4.  Use WOT Plugin.  Another Addon/Plugin for Firefox or Chrome that I consider very useful is "Web of Trust (WOT)."  WOT will inform you of a website's popular web rating that could potentially help keep you away from known malicious websites.


5.  Remove auto-start entries using AutoRuns.  If you have a lot of software that starts when your machine first loads into Windows, then you may want to consider using Autoruns to disable some of it.  Auto-starting applications when you first log on can make logging on slow, and can also consume all of your memory (RAM), which will destroy the performance of your machine.  Using Autoruns, you can disable items that you do not need running.  This works much better than the "MSCONFIG" that is built in to Windows.  MSCONFIG just forces a "selective" startup with your configuration settings.  AutoRuns can completely remove items from startup without loading an alternate configuration setting.

- Download Autoruns
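Both the "trace evidence" left behind after the step 4 scans and the Autoruns step above come down to the same question: what is registered to start automatically, and does it still point at something real?  The script below is an added example written for this page, not code from the guide or from Sysinternals.  It reads the common Run/RunOnce registry locations, works out the executable each entry points at, and reports whether that file still exists and what its Authenticode signature status is.  Entries whose file is gone are exactly the kind of harmless leftover described in step 4; unsigned entries are the ones worth a closer look in Autoruns before you disable them.  It assumes Windows XP SP3 or later with PowerShell 2.0 and is read-only: it changes nothing.  Services, drivers and scheduled tasks are not covered here (Autoruns shows those too).

```powershell
# Added example, not part of the original guide: a read-only review of the
# registry Run/RunOnce autostart locations. Reports orphaned (file missing)
# and unsigned entries so you can decide what to remove in Autoruns.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',   # 32-bit apps on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ImagePath([string]$command) {
    # Extract the executable from a command line such as
    #   "C:\Program Files\Foo\foo.exe" /silent     or     C:\Tools\bar.exe -x
    $cmd = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($cmd -match '^"([^"]+)"') { return $matches[1] }          # quoted path
    if ($cmd -match '^(.+?\.exe)(\s|$)') { return $matches[1] }   # unquoted path, may contain spaces
    return ($cmd -split '\s+')[0]                                 # fallback: first token
}

function Get-AutostartReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, ... alongside the real values
            if ($prop.Name -like 'PS*') { continue }
            $exe = Get-ImagePath ([string]$prop.Value)
            $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
            $sig = 'n/a'
            if ($exists) { $sig = (Get-AuthenticodeSignature -FilePath $exe).Status }
            New-Object PSObject -Property @{
                Key = $key; Name = $prop.Name; Image = $exe; Exists = $exists; Signature = $sig
            }
        }
    }
}

$report = @(Get-AutostartReport)
"All autostart entries found:"
$report | Format-Table Name, Exists, Signature, Image -AutoSize
"Orphaned entries (file no longer exists):"
$report | Where-Object { -not $_.Exists } | Format-Table Key, Name, Image -AutoSize
```

A "Valid" signature from a vendor you recognise is normally fine to leave alone; "NotSigned" plus a path in a temp or profile folder is the sort of entry to check in Autoruns (and, if the file still exists, to hand to the scanners in step 4) before you remove it.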


6. Update Software

Now would be a great time to apply any free updates that you can get for your software.  Software updates usually include security fixes and functionality enhancements that can greatly improve the security and performance of your machine.  Knowing what software you can update can be a bit of a hassle, but I have found a great little tool that automates the process and even gives you a direct download link to the most updated release of your software.  FileHippo UpdateChecker is a great little tool that greatly simplifies the updating of any outdated software on your machine.  It supports the majority of all mainstream software.  It's highly likely that after you run this tool, you will be able to obtain all software updates available for your machine.  If this application spits out a "Giraffe" then you're fully up-to-date. 

- Download FileHippo UpdateChecker

Also, it's very important that you install all recommended service packs and updates for your OS.

For XP
- Open IE
- Go to Safety->Windows Updates

For Vista/7
- Start->"wuapp.exe"
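If you want to see what is outstanding before opening Windows Update itself, the script below is an added example written for this page (not from the guide or from Microsoft's Fixit tools).  It asks the Windows Update Agent, through its documented Microsoft.Update.Session COM interface, which updates apply to the machine but are not installed, and lists them with the Microsoft severity rating and KB numbers.  It assumes PowerShell 2.0 on XP SP3, Vista or 7 and a working Internet connection; it only searches and lists, it does not install anything.

```powershell
# Added example, not part of the original guide: list updates that the
# Windows Update Agent considers applicable but not yet installed.
# Read-only; installation is still done through Windows Update.

function Get-MissingUpdates {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # IsInstalled=0: applicable but absent.  IsHidden=0: skip updates the user chose to hide.
    $result = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        New-Object PSObject -Property @{
            Severity = $(if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' })
            KB       = (@($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', ')
            Title    = $u.Title
        }
    }
}

$missing = @(Get-MissingUpdates)
if ($missing.Count -eq 0) {
    'Windows Update reports nothing missing.'
} else {
    "$($missing.Count) update(s) are applicable but not installed:"
    $missing | Sort-Object Severity | Format-Table Severity, KB, Title -AutoSize -Wrap
}
```

The search can take a minute or two the first time.  Anything rated "Critical" is the security fix to install first; run the script again after rebooting until it reports nothing missing.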


7. Reinstall Antivirus Software

After completing removal, it is time to select a good antivirus solution.  I have listed a few of my favorite AVs on my Tools page.


