My virus removal procedure sheet..

pc-wiz

I just put this together, let me know if I missed anything. You are all free to use this for your own use...

Virus Removal Procedure

Non-booting system:
1. Boot to ERD Commander and perform system restore or use UBCD4WIN to get system to boot to Windows.
Booting system:
2. Run rkill to terminate any known malware processes
3. Use Process Explorer to examine and terminate processes
4. Use Autoruns to check for bad startup entries
5. Check the following locations for suspicious files and entries and remove if necessary:
a. C:\Windows
b. C:\Windows\system32
c. C:\Windows\system32\drivers
6. Delete all temporary files
7. Disable and enable System Restore to delete past restore points
8. Run a quick Malwarebytes scan to check for anything that got missed
9. Run a rootkit scan with Sophos or Fsecure Blacklight
10. Reboot! (if malware is still present, double-check all of the above steps and run more scans if necessary)



Virus Removal Resources:
www.virustotal.com – Online file scanner
www.processlibrary.com – Online process library
www.microsoft.com/security_essentials/ – Free Anti-Virus
www.google.com – Lots of free information
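A small triage helper for step 5 of the sheet, added here as an example and not part of the original post: it lists recently changed executables and drivers in the three directories named above and reports whether each one carries a valid Authenticode signature, so the technician reviews a short candidate list instead of eyeballing the folders. The 14-day window, the `-Root` parameter and the extension filter are my assumptions.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt on the booted system, or point -Root at an offline-mounted Windows
# directory when working from a boot CD. Assumptions: a 14-day change window
# and an .exe/.dll/.sys filter are a starting point, not a rule.
param(
    [string]$Root = 'C:\Windows',
    [int]$Days = 14
)

# The three locations listed in step 5 of the procedure (top level only).
$locations = @(
    $Root,
    (Join-Path $Root 'system32'),
    (Join-Path $Root 'system32\drivers')
)
$cutoff = (Get-Date).AddDays(-$Days)

$findings = foreach ($dir in $locations) {
    Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Extension -in '.exe', '.dll', '.sys' -and $_.LastWriteTime -gt $cutoff
        } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Modified  = $_.LastWriteTime
                SizeKB    = [math]::Round($_.Length / 1KB)
                Signature = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

# Caveat: many genuine Windows binaries are catalog-signed rather than carrying an
# embedded signature, so NotSigned means "verify this one" (hash it and check it on
# VirustTotal / the process library), not "this is malware". HashMismatch on a file
# that should be a stock Windows component is the result that deserves priority.
$findings |
    Sort-Object Signature, Modified -Descending |
    Format-Table -AutoSize
```

Re-run the same script on a known-clean machine of the same Windows version once or twice first, so you learn what the normal output looks like before trusting it on an infected one.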
 
That's pretty much what I do too, I would also run a Rootkit scanner and I look for any bad guys amongst the installed programs such as rogue anti-virus progs, Crimewire, MyWebSearch, ALOT, FunWebProducts etc. It's also useful to try and establish the date/time of the original infection especially on multi-user systems, so the customer gets an idea of when they actually began the trashing of their system.
 
Why not do steps 4, 5, 6 from UBCD4WIN before booting into Windows? I find this to be the quickest way to do a removal.

For the newer variants I find that all you have to do is find the folder where the rogue antivirus program is being loaded and rename it to something else, reboot and delete the folder and any shortcuts.
 
I use a winpe 2.0 (the vista based one) and scan with eset, drweb and spybot. I then boot into normal mode and scan with malwarebytes before checking everything's good (wallpaper/home page reset, etc). I don't do full scans with all those apps because that would take ages...
 
I try to do as much as I can manually and then just run a quick Malwarebytes scan. Doing scans only always takes longer plus I enjoy removing them manually.
 
Seems like it would miss a good amount of malware (ie rootkits, etc)!

Yes, absolutely. You are missing ALL of the more interesting malware and rootkits as well as several of the newer fake antivirus software crap. You definitely got to read up.

None of the better stuff will show up in Process Explorer
Only the really crappy stuff will show in Autoruns
Malwarebytes has been a goner for a couple of months now (unfortunately). It was never REALLY good, but a helpful tool all the while.

Funny, I have been reading quite a lot of garbage about malware removal, especially manual removal, recently on Technibble. I hope this will change quickly. I get the creeps when I hear people talking about manual malware removal and the methods employed. I would immediately fire any one of my technicians if they went about malware removal in this manner. Read up people, and stop posting crap !! There are people here who are going to take you seriously and who are going to f... up their business.
 
> Yes, absolutely. You are missing ALL of the more interesting malware and rootkits as well as several of the newer fake antivirus software crap. You definitely got to read up.
>
> None of the better stuff will show up in Process Explorer
> Only the really crappy stuff will show in Autoruns
> Malwarebytes has been a goner for a couple of months now (unfortunately). It was never REALLY good, but a helpful tool all the while.
>
> Funny, I have been reading quite a lot of garbage about malware removal, especially manual removal, recently on Technibble. I hope this will change quickly. I get the creeps when I hear people talking about manual malware removal and the methods employed. I would immediately fire any one of my technicians if they went about malware removal in this manner. Read up people, and stop posting crap !! There are people here who are going to take you seriously and who are going to f... up their business.

I can't see many people taking you seriously with that ill-informed rant.
 
Sorry to cause such an uproar. This is not a complete guide to malware removal, it is just the general format that I use when removing malware and I just wanted to share it with you guys. I have never had a virus removal job that I couldn't completely clean. And yes, on the tougher ones I use UBCD4WIN to do most of the removal.
 
To that post dissing Malwarebytes and tech's manually removing stuff --@ncient geek--:

:mad: Bogus!
MBAM is a fantastic tool in Malware removal!
They have a great crew of technicians (their support may not be the best, but that doesn't bother me- I'm used to crappy tech support by now) and they sometimes (often) have the only automated fix for particular problems several hours- and sometimes a day or two- ahead of everyone else!
MBAM and Spybot fill the cracks that the Big League players (for whatever reason) miss. [in my opinion]
~Now, is MBAM perfect at removing everything every time? No! Nothing is! *duh!*

And to the technicians who can manually remove stuff (I'm starting to get the hang of it)- you guys ROCK!:D
I've been able to "cure" some major infections manually after learning a few tricks here at Technibble.
That kind of knowledge, in hand with knowing which tools to use and how to use them, is a force for Malware to reckon with!

+ :cool:Not only is it super-handy, but it makes us look a whole lot cooler!

----------
@ncient geek, go soak your head.
----------

 
> Yes, absolutely. You are missing ALL of the more interesting malware and rootkits as well as several of the newer fake antivirus software crap. You definitely got to read up.
>
> None of the better stuff will show up in Process Explorer
> Only the really crappy stuff will show in Autoruns
> Malwarebytes has been a goner for a couple of months now (unfortunately). It was never REALLY good, but a helpful tool all the while.
>
> Funny, I have been reading quite a lot of garbage about malware removal, especially manual removal, recently on Technibble. I hope this will change quickly. I get the creeps when I hear people talking about manual malware removal and the methods employed. I would immediately fire any one of my technicians if they went about malware removal in this manner. Read up people, and stop posting crap !! There are people here who are going to take you seriously and who are going to f... up their business.

OK, so what's your method for virus removal?
 
Virus removal

Strong statement, @ncient Geek! I'm trying to learn how to use Process Explorer right now. Can you show us a better way or direct us to reading material which will show us a better way?
 
If you ask me you can't keep using the same old tools over and over again. I find that I'm always finding new tools to get rid of the crap computers get infected with. Back in the day I used to use Spybot Search and Destroy, now I don't even use it that much anymore.
What was good 1 year ago is not effective anymore in the fight. That's why we all must use various software and removal methods to remove the crap.
 
The poster who said the OP's method would miss most modern rootkits is correct in my experience.

Rootkit Revealer is almost useless these days and this is widely admitted on its Sysinternals forum. Icesword also misses most of the current crop of TDL3 rootkits. I know this from personal experience as I've been downloading current rootkits from some of the posters at Sysinternals malware forum as well as finding my own. SVV is also now defunct and Sophos doesn't seem to find much either.

Gmer is much better. It's my first weapon but still missed some. Running the latest TDSSKiller is essential. Other tools I discovered that I had to use in order to spot the malware I infected my machine with are Kernel Detective, Rootkit Unhooker and Rootkit Repeal. Depending on how your system is set up you can get a lot of false suspicious files since some legitimate apps (including various security tools) hook the kernel, so you need to use them a few times on some clean systems to get a feel for what to look for.

Dr Web does valuable work especially offline - if you have a couple of hours to kill.

sfc /scannow is quite useful in finding infected driver files as per atapi.sys infections. If you have ERD Commander then you can run it from that. It will spot and replace it thus allowing a previously unbootable system to boot.
 
The bottom line is everyone is going to have their own style/way of doing anything in this business... the only person you have to answer to is your client. That is the only person you have to please overall. Some techs may be faster than others, some may not be, but it doesn't matter... It's not cool to take personal shots at someone else's methods. The post says this is what (I) do... not (this is the law and do it MY way).
 
> The bottom line is everyone is going to have their own style/way of doing anything in this business... the only person you have to answer to is your client. That is the only person you have to please overall. Some techs may be faster than others, some may not be, but it doesn't matter... It's not cool to take personal shots at someone else's methods. The post says this is what (I) do... not (this is the law and do it MY way).

I don't see anyone taking personal shots here just disputing the efficacy of the tools used. The simple fact of the matter is, the methodology and tools mentioned will not catch the latest rootkits.
 