A Malware Removal Guide

Appletax

Official Malware Removal Guide

Please let me know what you think. If I should add, remove, or alter anything.
Thanks :)


How to remove an MBR virus


Malware Removal Guide:


Helpful sites:

"Probably the Best Free Security List in the World"
AV Comparatives - "Independent comparatives of Anti-Virus software"
2-Spyware - "The 2-Spyware.com project is all about spyware and malware removal"



Enter Safe Mode by pressing the F8 key after starting the system. An operating system in safe mode will have reduced functionality,
but the task of isolating problems is easier because many non-core components are disabled (turned off).

rKill - Run this first. Kills unnecessary/suspect processes. View the log to find where malware was found, then remove the malware.

Run CCleaner at the beginning and end to empty the Recycle Bin, temporary files folder, and cookies (which may harbor malware).


Manually remove malware and check files/folders before using scanners:

Advanced Malware Cleaning PDF

Learn how to use Autoruns and Process Explorer by watching the video The Case of the Unexplained, 2010: Troubleshooting with Mark Russinovich

Autoruns tip: open the program, choose the Options menu and enable the following options by clicking on them: 1. Include Empty Locations, 2. Verify Code Signatures, 3. Hide Signed Microsoft Entries. Press F5 to refresh the startup list. More Info

Also watch Manually Delete that stubborn Virus File

Check Windows Services (processes that run in the background that require no user intervention):
Win Key + R (open Run): MSCONFIG -> Services -> check “Hide all Microsoft services” (these are good).
Alternative: open Run and type services.msc. Also, while in MSCONFIG, check the startup programs.

Scan with HiJackThis and scan results at hijackthis.de

Check proxy/LAN (TCP/DNS) settings

Check HOSTS files Wiki, MS Fix, MVPS HOSTS File, See this thread for a batch file that'll give you permission to edit the HOSTS file
- malware can alter this file and cause you to be redirected to a different address/site than the one you’re trying to go to.

Reset web browsers



Search these files and folders for malware:

* First -> Explorer -> Alt key -> Folder Options -> View -> Check “Show hidden files, folders, or drives”
(Change back to original setting at the end)

FOLDERS

c:\Windows\system32 - sort by date so the latest files are at the top and look for suspicious files there (if you can't tell the difference ... you'll have to Google all the exe's and dll's)
c:\Users\%user%\AppData
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Default User\Start Menu\Programs\Startup
C:\Documents and Settings\*User Name*\Start Menu\Programs\Startup
C:\windows\tasks

FILES

C:\autoexec.bat
C:\Windows\Win.ini
C:\Windows\System.ini


Search these registry subkeys for malware:

Access by typing Win Key + R, and then regedit

- Be very careful with what you delete because you could corrupt the Registry.
You may want to make a System Restore Point beforehand as well as backup
the Registry (file -> export).

Demystifying the Windows Registry:
http://www.bleepingcomputer.com/tutorials/tutorial74.html

* RegASSASSIN can remove stubborn Registry entries


These registry paths are the most common places where malware will reside in order to start up with the system:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Other places to check:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*service*\ImagePath
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\explorer\User Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\open\Command
HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\batfile\shell\open\command
HKEY_CLASSES_ROOT\htafile\Shell\Open\Command
HKEY_CLASSES_ROOT\piffile\shell\open\command

How To Fix The Windows Registry Hive Error


Scanners to use (always best to run multiple scans just to be sure):

Avast - Preferred
Avira - An excellent alternative to Avast
Malwarebytes
SuperAntiSpyware
Kaspersky Virus Fighting Utilities
Spybot Search & Destroy
Dr. Web CureIt
CWShredder
McAfee Stinger
F-Secure Easy Scan
MS Malicious Software Removal Tool


For stubborn malware (be careful with these):

ComboFix
Smitfraudfix


Anti-Rootkit:

GMER
Sophos
TDSSKiller
- More -


Live CDs (contain a bootable operating system that loads directly into memory):

UBCD4Win
Kaspersky Rescue Disc
AVG Rescue CD
Dr Web Live CD


Turn off the System Restore feature and turn it back on (purges it)
- Only do this at the end in case you need to do a restore



Other tools and tips:

Dial-a-fix (XP) - www.bleepingcomputer.com/tutorials/tutorial59.html
LSPFix (XP)

List of Windows Malware Infection Locations
Places that viruses and Trojans hide on start up


If you receive these errors: Error loading operating system, missing operating system, invalid boot partition, then look into repairing a damaged Master Boot Record.
http://helpdeskgeek.com/how-to/fix-mbr-xp-vista/

Run chkdsk /f /r from the command prompt to fix and recover data. If you see that it has had to recover or repair anything, then check the health of the hard drive with Crystal Disk Info and HD Tune.
Bad sectors on the hard drive can cause data to become corrupt.

INI File start up entries: win.ini, system.ini and boot.ini are areas that software can start up. Extreme caution should be taken with editing these files. Boot.ini should be left well alone unless you know exactly what you are doing. If you make a mistake with that file Windows will fail to load.

How to determine what services are running under a SVCHOST.EXE process:
http://www.bleepingcomputer.com/tutorials/tutorial129.html

Use SpywareBlaster to secure the web browser:
www.bleepingcomputer.com/tutorials/tutorial49.html




There are various clues that your machine may be infected. Here are some of the most common:

• Your PC is often sluggish, unresponsive and slow.

• Your Windows Task Manager shows high system resource use while idle.

• Strange new icons on your desktop, or there are additions to your Favorites bookmarks or toolbars that you did not install.

• Your browser opens up elsewhere than your normal home page.

• Your internet connection monitor shows a lot of activity during relatively inactive web browsing.

• Prolific popup advertising while you are on the internet and sometimes even when you are not. This is usually a sign that you have a problem with Adware.





See this thread for a huge list of very useful tips and tools:
Go to www.technibble.com and search for “My Tool Kit + Tune Up + Software”, which is in the Guides, Tips, and Tricks section





Malware Analyst's Cookbook




Malware Removal Guide 1 (.doc) - Download
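The guide above says to check the HOSTS file because malware alters it to redirect sites. The following is an added example, not code from the guide or from its author: a small Python audit that parses a HOSTS file the way the resolver reads it and reports every name that is pointed at a remote address, while leaving the loopback and 0.0.0.0 blocking entries (the MVPS list style) alone. The sample file, the hostnames and the 203.0.113.45 address are all constructed placeholders.

```python
import ipaddress

# Constructed sample HOSTS file (not taken from any real machine). It mixes the
# default Microsoft loopback lines, one MVPS-style blocking entry, and two lines
# of the kind a redirecting infection adds: real-looking names pointed at a
# remote address. All names and addresses here are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example-adnetwork.test      # blocking entry, resolves nowhere
203.0.113.45    www.examplebank.test
203.0.113.45    update.example-av.test
"""

# Addresses that sink a name rather than redirect it; entries using them are
# the normal content of a blocking HOSTS list and are not reported.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (line_number, ip, hostname) for every mapping in a HOSTS file.

    Comments (#) and blank lines are skipped; a line whose first token is not
    a valid IP address is ignored, just as the resolver ignores it.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        try:
            ip = ipaddress.ip_address(tokens[0])
        except ValueError:
            continue
        for name in tokens[1:]:
            entries.append((lineno, str(ip), name.lower()))
    return entries


def audit_hosts(text):
    """Return the entries that redirect a name to a non-local address.

    Those are the lines to read one by one: a HOSTS entry that points a bank,
    vendor or update site at a remote IP overrides DNS for that name. An entry
    mapping 'localhost' anywhere other than loopback is reported as well.
    """
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name == "localhost" and ip not in LOCAL_SINKS:
            findings.append({"line": lineno, "host": name, "ip": ip,
                             "reason": "localhost not mapped to loopback"})
        elif ip not in LOCAL_SINKS:
            findings.append({"line": lineno, "host": name, "ip": ip,
                             "reason": "name redirected to remote address"})
    return findings


def hosts_summary(text):
    """Counts worth knowing before trusting a quick look in Notepad:
    total mappings versus how many actually redirect somewhere."""
    return {"mappings": len(parse_hosts(text)),
            "redirects": len(audit_hosts(text))}


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['reason']})")
    print(hosts_summary(SAMPLE_HOSTS))
```

To use it on a real system, read C:\Windows\System32\drivers\etc\hosts into a string and pass it to audit_hosts; the line numbers in the findings tell you where to look. Counting mappings rather than eyeballing the file matters because the entries of interest are often far below the visible portion of the file.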
 
Here's another that I altered from this Technibble thread: Manual Malware Removal Guide

Note: I've never used this lol



1) Boot up computer and get a feel for how bad the infection is.

2) Boot the computer to a Live CD
- Before CD loads completely, insert USB stick with your tools on it. This is so you can copy files onto the HDD before you reboot.
- If you make a WinPE CD, make sure that hidden files are visible. This can be done through the registry when the CD is first loaded.
- Run CCleaner to remove temp files that may harbor viruses

3) Use EzPcFix
- If it’s XP click load hives
- If it’s Vista or 7 replace “Documents and Settings” with “Users” and click load hives
- If it’s XP delete temp files (select everything but History). This doesn’t work with Vista or 7
- Open up registry keys and delete any suspect entries (or take the time to learn what to delete)
- Take note of file locations so you can delete those later
- Open registry values and correct any wrong values (or learn what to do here)
- Open browser helper objects and delete anything suspect
- Open downloaded program files and click “remove items”
- Open services and cycle through different control sets and options. This is a good place to find some rootkits
- Reset Winsock
- Open pending file rename operations and cycle through control sets
- Open text files and check the hosts file and others

4) Manually look for malware files sorting by date

- TIP: Some file explorers let you create Bookmarks for these locations. Use Explorer++ on custom WinPE CD.
- root of C:\
- C:\Documents and Settings\user name\local settings
- C:\Documents and Settings\user name\application data
- C:\Users\user name\appdata
- Don’t forget to check “all users” and “public” as well
- C:\Program Files
- C:\Program Data
- C:\Windows
- C:\Windows\system32
- C:\Windows\system32\drivers
- C:\Windows\fonts
Search for bogus file names in the Registry (e.g. nrsdofzfr.exe):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

5) Copy tools from USB stick onto HDD.

6) Reboot computer and see how things are.
- There should be no serious problems left.
- If there are, go back to step 2 and get some more practice.

7) Run CCleaner
- If it’s a Vista machine EzPcFix won't delete temp files correctly.
- Malware hides in temp files and also these files increase AV scan time.

8) If you aren't confident that the infection is gone, or if it was a serious infection, run ComboFix.

9) Use AutoRuns & Process Explorer & HiJackThis

10) Reset Internet Explorer settings to default.

11) Run virus/rootkit scans and save/print log

12) Proceed to tune up the computer

13) Disable and then Enable system restore




Download - Malware Removal Guide 2 (.doc)
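Step 4 above says to search the Run keys for bogus file names such as nrsdofzfr.exe, and the first guide lists the autostart keys to check. As an added example (not part of the Technibble guide or this post), the Python below reads an export of those keys in the format regedit's File -> Export produces, pulls the executable out of each value's command line, and flags two things a reviewer looks for by hand: an image that runs from a Temp or Public directory, and a filename with almost no vowels. The sample export, the user name "alice", and the thresholds in looks_random are constructed assumptions; the only name taken from the guide is nrsdofzfr.

```python
import ntpath
import re

# Constructed export of the two Run keys (not from a real machine). Names and
# paths are placeholders; "nrsdofzfr" reuses the bogus-name example from the guide.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"nrsdofzfr"="C:\\Users\\alice\\AppData\\Local\\Temp\\nrsdofzfr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"=hex(2):43,00,3a,00,00,00
"""

# Autostart keys from the guide's list, matched by suffix so HKLM and HKCU both hit.
AUTOSTART_SUFFIXES = (r"\run", r"\runonce", r"\runservices", r"\runservicesonce",
                      r"\policies\explorer\run")
# Temp and Public are bad locations for an autostart on their own; AppData and
# ProgramData hold plenty of legitimate software and only earn a closer look.
HIGH_RISK_DIRS = ("\\temp\\", "\\tmp\\", "\\users\\public\\", "\\windows\\tasks\\")
REVIEW_DIRS = ("\\appdata\\", "\\programdata\\", "\\application data\\")

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" with .reg escaping (\\ and \") inside either string.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')
EXE_RE = re.compile(r"^(.+?\.(?:exe|dll|scr|com|pif|bat|cmd|vbs|js))(?=\s|$)", re.I)


def unescape(s):
    """Undo .reg escaping: a backslash protects the character after it."""
    return re.sub(r"\\(.)", r"\1", s)


def image_path(command):
    """Extract the program path from a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)          # handles unquoted paths with spaces
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def looks_random(stem):
    """Heuristic (assumed thresholds): long names with under 25% vowels read
    like keyboard mash. Short system names such as svchost are left alone."""
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 8:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    return vowels / len(letters) < 0.25


def parse_reg_export(text):
    """Return (key, value_name, data) for string values under autostart keys."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith(AUTOSTART_SUFFIXES):
            entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return entries


def audit_reg_export(text):
    """Report every autostart entry with the flags a manual review would raise."""
    report = []
    for key, name, command in parse_reg_export(text):
        image = image_path(command)
        low = image.lower()
        stem = ntpath.splitext(ntpath.basename(low))[0]
        flags = []
        if any(d in low for d in HIGH_RISK_DIRS):
            flags.append("runs from a temp or public directory")
        elif any(d in low for d in REVIEW_DIRS):
            flags.append("runs from a user-profile directory")
        if looks_random(stem):
            flags.append("random-looking filename")
        report.append({"key": key, "name": name, "image": image, "flags": flags})
    return report


if __name__ == "__main__":
    for e in audit_reg_export(SAMPLE_REG):
        print(f"{e['name']:16} {e['image']}  {', '.join(e['flags']) or 'ok'}")
```

The flags only prioritise what to look at; an entry under AppData is normal for plenty of software, which is why the guide pairs this with Autoruns' Verify Code Signatures option. Anything flagged here should be checked for a valid signature and a recognisable vendor before it is deleted.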
 
As some Malware Infections are placing copies of legitimate system files inside the Temp file locations,
a Temp File cleaning stage -PRIOR to Malware Removal- is No Longer suggested.

Therefore, using junk file cleaning tools,
like CCleaner, ATF Cleaner, TFC etc.
should come at the End of the Malware Removal process.

Can you give some examples of this?

---------------------
 
As some Malware Infections are placing copies of legitimate system files inside the Temp file locations,
a Temp File cleaning stage -PRIOR to Malware Removal- is No Longer suggested.

Therefore, using junk file cleaning tools,
like CCleaner, ATF Cleaner, TFC etc.
should come at the End of the Malware Removal process.

I usually run CCleaner probably 4+ times when I do a virus removal or tune up :p
At the beginning and at the end. Thanks for the tip.

I would also suggest maybe defragmenting the drive with Auslogics Disk Defrag to speed it up so scanners can access data faster.
Some systems I've seen were 50% fragmented and definitely benefited from a defragmentation.
 
When it comes to Defragmentation, I prefer the Boot-Time one, because it
handles files Locked/in-Use by Windows that cannot be Defragmented within Windows.
My favorite App is a Freeware from Puran

Auslogics can also defrag the MFT like Boot Time, but I don't know if it can
defrag locked/in-use files (it probably would if run from a Live CD)

http://www.auslogics.com/en/software/disk-defrag/features/


I'm gonna try the Puran program
 
Often viruses and trojans may use variations on real Windows system files (usually associated with services)
(e.g. scvhost - rather than svchost, lsasss - rather than lsass etc.)

In general, when Malware is associated with Temp files,
it is pointless to Clean junk files -Before- Cleaning Malware itself.


Wow, a bold statement. Never heard of this before. Do you have some examples of this?
Names of malware that do this?
 
I actually can't tell if you're being sarcastic :D I'll assume not.

Tons of them. Had one last week that copied well over fifty names of legit .exes already installed on the system, padded on some spaces to the file name and disabled regedit/hiddenfiles/hide known extensions. Packed up with a couple of rootkits including an infected mbr and that made for a fun hour or so :)
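The two posts above describe names that imitate real Windows binaries (scvhost for svchost, lsasss for lsass) and legitimate executable names padded with spaces. As an added example, not code from either poster, the Python below runs the check a reviewer does by eye over a process list: it compares each name against a short list of genuine system binaries using edit distance and also reports names that only match once surrounding whitespace is stripped. The process list and the reference list are constructed; on a real job the reference list should come from a clean machine of the same Windows version.

```python
# Constructed reference list of genuine system process names. Extend it from a
# clean system of the same Windows version, not from the machine being cleaned.
KNOWN_SYSTEM_BINARIES = sorted({
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "wininit.exe",
    "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe", "taskhost.exe",
})

# Constructed process list, as if copied from Task Manager or a Process
# Explorer export; the odd entries are the kinds the posts above describe.
SAMPLE_PROCESSES = ["svchost.exe", "scvhost.exe", "lsasss.exe",
                    "explorer.exe  ", "notepad.exe"]


def levenshtein(a, b):
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_process_name(name, known=KNOWN_SYSTEM_BINARIES, max_distance=2):
    """Return the reasons a process name deserves a closer look (empty if none).

    max_distance=2 is an assumed threshold: it catches one transposition
    (scvhost) or one extra letter (lsasss) without flagging unrelated names.
    """
    issues = []
    norm = name.strip().lower()
    if norm != name.lower():
        issues.append("name padded with whitespace")
    if norm in known:
        return issues                      # exact match, nothing more to say
    best = min(known, key=lambda k: levenshtein(norm, k))
    distance = levenshtein(norm, best)
    if distance <= max_distance:
        issues.append(f"resembles {best} (edit distance {distance})")
    return issues


def audit_process_names(names, **kwargs):
    """Map each suspicious name to its list of issues; clean names are omitted."""
    report = {}
    for name in names:
        issues = check_process_name(name, **kwargs)
        if issues:
            report[name] = issues
    return report


if __name__ == "__main__":
    for name, issues in audit_process_names(SAMPLE_PROCESSES).items():
        print(f"{name!r}: {'; '.join(issues)}")
```

A near-miss name is only a lead: the next step is what the guide already recommends, checking the file's path and signature in Process Explorer, since a genuine svchost.exe lives in System32 and is signed by Microsoft, and a lookalike usually fails one of those two checks.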
 
I'm not being sarcastic :) if you are talking to me.
This place is about learning from each other, and I am grateful for posts like this.

The only problem is when you say that something is pointless that has proven right many times; you need something to back it up with.

Say this is right, a malware moves (not copies, as you said) exes and other stuff over into the temp folder. How are you supposed to get it all back?

They can after all belong to 1000 different folders, can they not?
If they are Windows files, maybe it's easier with sfc than trying to copy them manually?

But anyway, thanks for the info :)
 
I'm not being sarcastic :) if you are talking to me.
This place is about learning from each other, and I am grateful for posts like this.

The only problem is when you say that something is pointless that has proven right many times; you need something to back it up with.

Say this is right, a malware moves (not copies, as you said) exes and other stuff over into the temp folder. How are you supposed to get it all back?

They can after all belong to 1000 different folders, can they not?
If they are Windows files, maybe it's easier with sfc than trying to copy them manually?

But anyway, thanks for the info :)

Keegan,

If I were to ask you to "prove" that running a temp files cleaner at the beginning of the malware removal process was the "right" process to follow, could you do so?

If not, then maybe you'll begin to understand that there may be more than one "right" way to accomplish a particular task.

Rick
 
Keegan,

If I were to ask you to "prove" that running a temp files cleaner at the beginning of the malware removal process was the "right" process to follow, could you do so?
It's simple math. Which would run faster, scanning 20000 files or scanning 17500 files? By flushing crap files, all pursuant scans will run faster by having less files to scan.
 
Keegan,

If I were to ask you to "prove" that running a temp files cleaner at the beginning of the malware removal process was the "right" process to follow, could you do so?

If not, then maybe you'll begin to understand that there may be more than one "right" way to accomplish a particular task.

Rick

We always image a hard drive before any type of malware removal. Then if any user files are hiding say in temp directories then we can always restore them from backup.

Also removing temp files makes the scans quicker and potentially removes any malware that hides in temp files first.
 
We always image a hard drive before any type of malware removal. Then if any user files are hiding say in temp directories then we can always restore them from backup.

Also removing temp files makes the scans quicker and potentially removes any malware that hides in temp files first.


How long does an image typically take to create? GBs?

Is it possible to mess up a machine so bad doing a virus removal that you
couldn't even recover the user's files? (wondering why you should backup data
before doing virus removal)...
 
We always image a hard drive before any type of malware removal. Then if any user files are hiding say in temp directories then we can always restore them from backup.

Also removing temp files makes the scans quicker and potentially removes any malware that hides in temp files first.

I considered doing this, but it seems that either my customers have absolutely no data at all and could live on a 40GB hard drive with ease, or they've got hundreds of GBs of videos, music and photos, which is not time-friendly to back up.
 
I considered doing this, but it seems that either my customers have absolutely no data at all and could live on a 40GB hard drive with ease, or they've got hundreds of GBs of videos, music and photos, which is not time-friendly to back up.



I've also found that most don't use up much hard drive space.

Backing up a client's computer that has hundreds of GBs worth of data would
take a while lol... I would only do this if the drive was going bad or if I was
gonna do a nuke and pave.
 
We always image a hard drive before any type of malware removal. Then if any user files are hiding say in temp directories then we can always restore them from backup.

Also removing temp files makes the scans quicker and potentially removes any malware that hides in temp files first.

Imaging is almost always a good idea.

I would submit that while technically correct, the increase in speed is negligible. Further, if a file is in use, which malware typically would be, you're not able to delete it with a temp file cleaner.

That said, I was trying to get across to Keegan that running a particular process at a particular time doesn't have to be the only "right" way of accomplishing that task. Kind of like saying that the only "right" way to perform a tune up is to change the spark plugs first, or something like that.

Rick
 
It's simple math. Which would run faster, scanning 20000 files or scanning 17500 files? By flushing crap files, all pursuant scans will run faster by having less files to scan.

Makes 100% sense to me

There have been cases when cleaning the Crap/Junk files (inside the Temp files etc.)
and then Rebooting just resulted in the Re-Creation of the Crap/Junk files associated with Malware.

Unless you remove Malware first,
Malware-related Crap/Junk files will not be removed (no matter how many times you run Disk Cleaners).
A simple Reboot and the Malware-related Crap/Junk files
will be regenerated IF you don't remove Malware first.

That's why I wrote that "when Malware is associated with the creation of files inside the Temp files etc.,
it is pointless to Clean Crap/Junk files -Before- Cleaning Malware itself".

But if you remove the junk files right before you run a scan, there will be less time wasted filtering through them, as stated by eHousecalls, and since you would run your preferred method of virus removal right after, there would be far fewer junk files to scan than there were previously, even if the virus re-created some.

Then at the end run Ccleaner again to remove the stragglers.
 
Often viruses and trojans may use variations on real Windows system files (usually associated with services)
(e.g. scvhost - rather than svchost, lsasss - rather than lsass etc.)

In general, when Malware is associated with Temp files,
it is pointless to Clean junk files -Before- Cleaning Malware itself.

I don't see why the fact that malware can use variations of real system files has any impact on the advisability of cleaning temp file folders before scans. Can you explain specifically how these things are linked? I cannot see the relevance. What am I missing?

I wasn't aware that people were doing their junk file cleaning to get rid of viruses but rather to speed up the operation of scanners.
 
Makes 100% sense to me



But if you remove the junk files right before you run a scan there will be less time wasted filtering through them as stated by eHousecalls, and since you would run your preferred method of virus removal right after there would be a far less number of junk files to scan than there was previously even if the virus re-created some.

Then at the end run Ccleaner again to remove the stragglers.

Sheesh. Y'all are being just as pedantic as Keegan. Let's give the premise that cleaning temp files shaves a few seconds, or even a minute, from scans. Does that make it the only "right" way to remove malware? Is there a special hell reserved for those who use it at a different point in their procedure? 'Cause that was my point to Keegan: That there is often more than one right way to accomplish something, and to reserve judgement pending further thought and knowledge. Not when to clean temp files. Cleaning temp files at the beginning might be minutely more efficient, but I doubt that the computer will self destruct if it is done at a different time during the process.

Rick
 