Virus Removal Arsenal – Steps to remove Malware

For a long time now, I’ve been helping people with their computers: setting up networks, repairing Windows installations, and the ever-constant malware removal.  As an independent web developer and IT guy, I’ve always had a ‘Fix-Mix’, a bag of tricks and tools I’d use to troubleshoot and clean a computer of infections.  My techniques were effective, but I found that my ‘Fix-Mix’ could be improved upon.  The following is a guide to repairing an infected computer that I have found to be very useful and, most of all, complete.


I usually save these tools to a thumb-drive and have them with me all the time.  Although there can be many causes of a computer problem, this guide assumes we’re dealing with the dreaded adware, malware, and viruses.  It also assumes you know enough about computers to do low-level admin work at least.  Also remember, Google is your friend.  When in doubt, google it!

1.  Assess the situation.  Does the system boot in normal mode?  Popups?  Can you run executables?  If needed, it is best to start in Safe Mode to minimize the number of programs running, both for performance and to prevent some malware from starting with Windows.

2.  Safe Mode or a Clean Boot.  Still having issues?  Have you tried a clean boot?  There are a couple of ways to go about this, but your best bet is to boot into Safe Mode first.  You can also launch msconfig and select ‘Diagnostic startup’.  You can selectively choose which items to keep in the ‘Services’ and ‘Startup’ tabs as well.

3.  Errors.  It’s always good to look at ‘Event Viewer’ and see what’s going on.  Filter the logs to show just warnings, errors and critical events.  Any NTFS or disk errors?  Which drive?  How about specific application errors?  A corrupt application that runs automatically could be causing issues.

4.  The Virut Virus.  A polymorphic (ever-changing) bug that can cause serious issues on a system.  It is virtually impossible to get rid of without removing the drive and cleaning it in an isolated state.  Symptoms vary, so when you decide to check for Virut is up to you.  But if a problem you think you cleaned keeps coming back, perhaps under different driver names, there is a good chance it is Virut.  The virus embeds itself within multiple system-level files and is indicated by an increase in the explorer.exe file size, usually about 17k.  The normal explorer.exe size varies depending on which OS and Service Pack you are running, so google the expected value.  If your explorer.exe file seems to have been modified, copy it and upload it to http://www.virustotal.com/ to have it checked out.

5.  MalwareBytes.  Your first attack wave.  It is constantly getting new definition updates, sometimes three a day.  Install it, update it, and then run a quick scan.  If you cannot run the installation executable, rename it to explorer.exe or something similar.  Some viruses will allow the install but then delete the mbam.exe file.  I usually keep a copy of mbam.exe in my Fix-Mix along with a copy of the most recent rules.ref file.  If mbam.exe has been deleted, copy it back over and rename it to explorer.exe or to a 16-bit executable name like somename.com.  If it installs but cannot connect to the internet or errors on updating, copy the rules.ref file over manually, then run it.  The rules.ref file is located in (abbrev.) C:\Docs&settings\AllUsers\AppData\Malwarebytes\malwarebytes

6.  Rootkits.  Vicious little evil buggers.  Check for them.  Two great checker tools are GMER and Root Repeal.  I usually run Root Repeal to look for Stealth or Hidden objects only.  Launching GMER will run a quick scan.  If I find a suspicious entry there, I use TDSS Killer or GMER itself to disable and then remove the entry.  Another decent TDSS remover is e-sage lab’s TDSS Remover.  Remember, if you’re not sure, google it!

7.  HJT.  HijackThis by Trend Micro is an awesome tool.  I primarily use it for URL and search hooks, rogue BHOs, and hijacked or corrupted hosts files: anything related to internet browsing.  It will run a scan and then let you decide what you want to get rid of.  If you’re not familiar with the tool, I suggest saving a log file and running it through the online analyzer at http://www.hijackthis.de/.  BEWARE though!  Sometimes it misidentifies threats or misses threats.  Use caution, and if you’re in doubt, hit up a forum to help you out.

8.  Are you clean?  At this point you should be pretty free and clear, but it’s always best to make sure.  Sysinternals developed two tools that will help you verify how clean your system is running: Process Explorer, a Task Manager on steroids, and Autoruns, an msconfig on steroids.  These are also great tools to use if and when viruses prevent you from running your initial scans and they need to be tracked down, targeted, and destroyed manually.

9.  Optimize.  A few things to do to ensure the machine is clean and performing at its peak.

  • Launch Internet options (via control panel).  Clear out the cache.  Set all zones to default, etc.
  • Uninstall the unnecessary.  I always delete the lame BHOs, search providers, and add-ons.  Although they may not be malicious, they do provide biased results, which leads to more viruses.  Delete all the bundled, non-essential or never-used stuff.  Streamline the system, basically.
  • Even if you didn’t need to do a clean boot, it’s still best to go through the services and programs set to run automatically and disable unnecessary ones from auto-start.  Speed up the boot time!
  • Launch System Protection and disable, delete, and then re-enable System Restore.  Create a new clean restore point.  I’ve seen quite a few bugs embedded within the System Volume folders that relaunched and recreated viruses I had just cleaned, so in some circumstances it’s best to do this earlier in the process.
  • Disk cleanup and defrag if necessary.
  • Windows Updates!  Turn it on and run it if necessary.  Get the system updated.  Helpful hint: if you’re on a system that has not been updated in a long, long time, I recommend downloading the latest service pack manually, then going through auto-updates.  Trust me!!  Especially with VISTA!!!  :)
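As an added example (not from the original post), here is a read-only PowerShell triage script that gathers the evidence the steps above ask for: recent Event Viewer problems (step 3), the size, hash and signature of explorer.exe (step 4), non-default hosts entries (step 7) and Run-key autostarts (step 9).  It assumes Windows PowerShell 4 or later for Get-FileHash; the function names are my own.

```powershell
# Added triage helper, not part of the original post. Assumes Windows PowerShell 4+ (Get-FileHash).
# Read-only: it only collects evidence, nothing is deleted or changed.

# Step 3: Warning (3), Error (2) and Critical (1) events from the System and Application logs
function Get-RecentProblemEvents {
    param([int]$Hours = 24, [int]$Max = 50)
    $filter = @{ LogName = 'System', 'Application'; Level = 1, 2, 3; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName, Message
}

# Step 4: size, SHA-256 and Authenticode status of explorer.exe, to compare with a known-good copy
function Get-ExplorerFingerprint {
    $path = Join-Path $env:WINDIR 'explorer.exe'
    [pscustomobject]@{
        Path   = $path
        Bytes  = (Get-Item $path).Length
        SHA256 = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        Signed = (Get-AuthenticodeSignature -FilePath $path).Status   # expect 'Valid'
    }
}

# Step 7: hosts file lines that are neither comments nor the standard localhost mappings
function Get-SuspiciousHostsEntries {
    $hosts = Join-Path $env:WINDIR 'System32\drivers\etc\hosts'
    Get-Content $hosts | Where-Object {
        $_ -match '\S' -and $_ -notmatch '^\s*#' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$'
    }
}

# Step 9: autostart entries in the common Run/RunOnce keys (a lightweight Autoruns view)
function Get-RunKeyEntries {
    $keys = foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($name in 'Run', 'RunOnce') { "${hive}:\Software\Microsoft\Windows\CurrentVersion\$name" }
    }
    foreach ($key in $keys | Where-Object { Test-Path $_ }) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    }
}

Get-RecentProblemEvents | Format-Table -AutoSize
Get-ExplorerFingerprint | Format-List
Get-SuspiciousHostsEntries
Get-RunKeyEntries | Format-Table -AutoSize
```

Run it from an elevated prompt so the System log and HKLM keys are readable; an unexpected explorer.exe size or a signature status other than Valid is your cue for the VirusTotal check in step 4.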

Virus removal download pages quicklist:

  • MBAM – http://www.malwarebytes.org/
  • Root Repeal – http://sites.google.com/site/rootrepeal/
  • GMER – http://www.gmer.net/
  • HJT – http://free.antivirus.com/hijackthis/
  • Process Explorer – http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
  • Autoruns – http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
  • FFsearcher or click fraud type virus procedures
