Malware Info‎ > ‎

3. Removal Tools

1. Prevention   |  2. Detection    |  3. Removal

This page is updated to reflect the best tools available.  I intentionally leave some antivirus software and tools off the page.

Resident Antivirus Software - For 24hr Resident Protection

These tools run in the background protecting your computer from potential threats.  They flag questionable behavior and warn you when a file appears infected.

Avira Antivirus
This AV has been around a long while, though it's not extremely popular.  Not as good as it used to be, but still does a decent job.

Kaspersky Antivirus
($$ NOT FREE $$)
Kaspersky is one of the more known AVs that also does a great job at detecting the bad stuff.  Kaspersky has been improving a lot over the past few years and has gained a lot of respect from a lot of security minded people.  It, however, does not have a free solution.  In the past a vulnerability was discovered in the Kaspersky product that actually reduced the security of the system that was running it, but this issue has been resolved and it is now a strong, solid product.

MSE - Microsoft Security Essentials (FREE)
A great, free antivirus solution from Microsoft.  

NOD32 - ESET NOD32. 

AV-Comparatives review of AVS - This website does periodic reviews of AV software.

"Offline" Scanning - Detect more by booting to an alternative, secure environment

These tools require you to burn them to a CD/DVD or to a flash drive in order for them to function. Some require that you update them before using, while others will update from the live environment they invoke. The benefit of these tools is that they can scan files on your computer that are normally locked (or hidden) when you are booted into Windows. This enables them to detect more and provide you with a better sense of security. Some of these boot into a "Linux" environment, which may not be easy to use. If you feel confident enough, check out these free tools.

Acronis Antimalware CD NEW! - A new Live environment by Acronis for malware removal.

AVG Rescue CD - Live version of AVG Antivirus.

Avira AntiVir Rescue System - Live version of my favorite AV, Avira.

BitDefender Rescue CD - Live version of BitDefender Antivirus

Dr. Web LiveCD - Live version of Dr. Web Antivirus

F-Secure Rescue CD - Live version of F-Secure Rescue CD

G-Data BootCD - Live version of G-Data Antivirus

Kaspersky KAV Rescue - Live version of Kaspersky.  Just download the file that ends with .iso.

Microsoft System Sweeper NEW! - Microsoft's Live Malware Removal Environment.

Panda Safe CD - Live version of Panda Antivirus

VBA Rescue - Another live antivirus solution

SARDU - Shardana Antivirus Rescue Disk Utility.  This utility allows you to create a USB flash drive or CD Image that includes all of the above antivirus solutions.  It is a tremendous utility that greatly simplifies the process of running all of these tools from the same media.

Rootkit Detection - Detection of nasty rootkits that can hide malware from detection

Rootkits are common in the wild, now.  What the hell is a rootkit?  Please see this article on Wikipedia.  A lot of viruses and other malware are starting to include them in their payload so that they can hide from detection tools.  Most AVs, including Kaspersky and Avira, are now offering some sort of rootkit protection and detection, but it's better to have a second, third, fourth, and maybe a fifth or sixth opinion when it comes to detecting them.  Here's a few good tools for doing just that.  Not all, maybe not any, of them will detect all rootkits.  You may need to run a few of these tools to make sure you find everything.  Please note, that these tools are fairly advanced.  Just because they output something, doesn't necessarily mean you have a harmful rootkit on your system.  You may have to research the output a bit to confirm or dismiss the "detection".  You also may have to boot to a third-party live-cd like Ubuntu to remove them successfully.  It may be better to let a shop clean it up if you have no idea what I'm talking about.  NOTE: Some software legitimately use rootkit technology in their software for good reasons.  EG: An AV may hide portions of it's software so that malware will not notice it on the system.

WARNING: These tools WILL produce false positives!  Be careful!

eSage Bootkit Remover - This is a CLI program that when launched searches for malicious boot code on the host operating system.  If non-standard boot code is found it will give you the option to repair it. Great utility!

eSage TDSS Removal - Another rootkit remover tool.  Set's a registry setting so that hidden device drivers can be read which may help improve detection.

GMER - GMER is a rootkit detection tool that is available for NT, WIN2K, XP and VISTA. GMER is a very common anti-rootkit engine that does a fairly good job at detecting rootkits that may be on your system.

Hitman PRO 3.5 - 30-day trial.  Great at detecting malware and rootkits.  However, I would only run the software in portable mode, because it is buggy if you leave it running resident.  It can crash explorer if you install it to your system.  It's best used as a standalone cleaning tool.

Radix Anti-Rootkit (32-bit only)- Nice, free, GUI (graphical) anti-rootkit package.

Kaspersky TDSS Removal Tool - TDSS is a family of rootkits that a lot of Rogue Antivirus software has been using to do their dirty work. This is a removal tool created by Kaspersky that can be used to remove it.

Non-resident Malware Removal - For occasional use and cleaning up

It's a good idea to occasionally run these programs to verify that nothing has slipped passed your AV.  They often times discover remanence of an infection that an AV missed and they also seem to be better at removing malicious content.

MalwareBytes - Excellent malware removal tool that can remove most of the non-rootkit Rogue AVs that are floating around right now.  May detect what SuperAntispyware leaves behind.  Free version is good enough.

SuperAntispyware - Another great tool for removing malware.  May detect what Malwarebytes leaves behind.  Free version.

Emsisoft Emergency Kit  - Awesome tool kit for handling malware.

Dr. Web CureIT ADDED 7/2011 - Not sure how I forgot to include this great little tool. It's particularly great at disinfecting files that have been patched and removing full blown viruses. I recommend running this tool initially when performing a cleanup operation.

Advanced Removal Tools - Advanced removal tools that may destroy a system if not used properly.

These tools are very good at getting rid of malware that just will not go away.  They are considered a last resort, but they usually work fairly well.  Do note, though, that using them incorrectly could cause you to have an un-bootable system.  They might delete system files if they detect malicious code embeded in them.  In order to restore the system after this has occurred, you will have to have access to an OS installation disc, and you extract the system files from the disc and then copy them back over to the correct location on the computer using a third-party bootable live-cd.  Sometimes a complete Windows XP/Vista/7 re-install may be required.... or just easier.

Combofix - Taking from it's website: "ComboFix allows the manual removal of spyware infections . It 's a specialized effective cleaning tool, which is useful compared to other malware and spyware removers.
After Combofix finished,a report will be created. You can use this report to search and remove infections which are not automatically removed."  This program updates occasionally, so be sure to update your copy.

EasyBCD - This isn't really an application designed to remove malware, but it can be very beneficial in repairing MBR infections and rebuilding the boot menu.  If another tool claims you have an MBR infection, you can use this to re-write a fresh copy.

Other Tools - Autoruns, File Information, BHO detection, Clean-up, Quick Fixes, etc

Autoruns - This utility will show you everything that launches when your computer starts up.  It is a very strong tool that shows everything you need to know about applications that auto start when you turn your computer on.  Can be used to prevent running trojans and other malware on startup.  Latest version allows you to perform analysis on an offline install!

CCleaner - CCleaner (aka Crap Cleaner) can clean out temporary files and other "crap" on your system.

CleanAfterMe - This is a very nice registry and temporary file cleaning tool.  Any cleaning this tool performs will not break your system, which is sometimes not the truth of other registry tools.  Make sure you uncheck "Installed USB Devices" or you may have to unplug and plug back in all of your USB devices to get them to work again.

CurrPorts - This tool can be used to determine if any open ports exist on your system.  Sometimes malware may open a backdoor to your system and make you apart of a botnet so that your computer can be used to orchestrate other attacks.  This can be used to to see what ports are open so that you can research it to see if they are known to host any sort of malicious server.  Note: Rootkits can hide port information, so this isn't going to be effective 100% of the time.

EXEFix for XP - Sometimes viruses will remove the ability to launch other software.  This can be use to repair that.  This the for XP only. <<not uploaded yet>>

EXEFix for Vista - Repairs the registry so that EXEs will run on Vista. <<not uploaded yet>>

FCleaner - Sort of a spin-off of CCleaner.  It cleans a few things left behind by CCleaner.  However, if you're using Windows 7, it will clear your saved Jump Lists.

FileAssassin - Brought to you by the developers of Malwarebytes, this tool can be used to delete files when a normal delete just doesn't do it.

HiJackThis - Tool used to find BHOs, start-ups, browser addons, registry entries, and strange files on your system.  HiJackThis only gives a report of what's on your system.  It's not going to tell you what's bad and what's good.  You have to determine this yourself.  For this reason, you can post HiJackThis logs on Internet forums if you need help deciphering the results.  Bleepingcomputer is a good place to post these logs.

LSPFix - Sometimes after removing infections, your Internet may no longer function.  You can use this to see if it will solve your issue.  Has successfully repaired connection issues on Windows 7.

Microsoft's TCP/IP Fixit - Microsoft's TCP/IP fix

Microsoft's Winsock FixIt - Microsoft has their own "fixit" tools you can use to repair issues.  This one attempts to fix Winsock related errors.

Microsoft's Windows Update Fixit - This is Microsoft's Windows Update reset tool that can be helpful in repairing windows update after an infection.

My Winsock Fix - This is a little batch script that will reset your Winsock back to default settings.  This also may help with Internet related issues.  Works on Vista and 7.

Permissions Fix
- Here's a little script that will repair some permission problems.  Permission problems can cause some minor problems and annoyances. <<not uploaded yet>>

ProcessExplorer - Great little tool that will display all processes running on your computer, as well as the modules that are loaded into them.  This can be used to detect and delete malware manually.  You can use "AntiHookExec procxp.exe" to discover hidden processes using the anti-rootkit techniques in AntiHookExec.

Process Monitor - Use this tool to find what sort of activity a process is performing.  Can be used to spot shaddy activity from suspicious processes.

Serviwin - Can provide access to lower-level services and drivers that are running in the background.  Windows' built-in service manager, services.msc, does not display all of the services running on your machine.  This tool does.

SmartSniff - This is a similar tool to Wireshark.  Though it's not as powerful as Wireshark, it is easier to use and provides plenty of information for the average user.

VirusTotal.Com - Scan small files (<20MB) against over 35 different antivirus engines.  In addition, you can also put in a URL to analyze websites for malicious content before you visit it.  You can also look up file checksums to see if they are known to be malware.  Excellent tool for scanning small files.

Wireshark - This can be used to sniff out the low-level network communication information from your network card.  This can be used for spying on others, but it can also be used to make sure nothing is secretly sending out personally identifiable information over the Internet.

Info About McAfee and Symantec

I do not recommend using McAfee or Symantec products, because they usually do not perform as well as the products I listed above, and most importantly because they tend to use more resources than other products.  It's not my intention to slap the developers of these products in the face when I give this opinion.  They do a great service by making their products, and they probably have some of the greatest researchers in field, but the only reason there's so many people using their product is because of OEM computer manufacturers.  They've been included in OEM systems for so long that they've gain widespread popularity.  These products aren't completely crap, but they just aren't as good as some of the other products available.  Not just because their detection is slightly less, but also because other products usually don't slow a machine down as much as these two do.  The best way to protect yourself is to learn how to browse safely, not rely on bloated software.

You can use these tools to remove these "infections":
Norton/Symantec Removal Tools - First uninstall then run this tool.
McAfee Removal Tool - First uninstall, then run this tool.

1. Prevention   |  2. Detection    |  3. Removal


Keywords: Virus Removal Tools, Best Antivirus Software, Malware Removal Tools, Disinfect Virus, Rootkit Removal