Virus Removal
Edit (2018-12-02): This post is quite out of date now, but some of the tools are still valid for non-Windows 10 machines…
So I’ve been cleaning around 6 viral infections a week for the last few years, and, while I know that it won’t be too useful, I thought I’d write down the basic steps to fix the problems I’ve run into. Mostly so I don’t have to look them up again.
Updated 12/14/10: Changed a few small things, updated links, Combofix works on 64-bit!
Basic Virus Removal Instructions
Remove the hard drive from the infected computer (on laptops, make sure the computer has actually been shut down before removing the drive. Cleaning a drive while Windows was in Hibernation or Sleep mode can actually screw up the machine quite a bit). Plug the hard drive into another machine to perform the “off-line” scans.
Off-line Scans:
- EMSISoft Emergency Kit and the on-access scanner on the machine
- make sure both are updated before running the scan
- disable memory scanning in EMSISoft to reduce scan time and false positives
Alternatively:
If you are unable to remove the drive from the computer to perform off-line scans or don’t have access to another computer, now is the time to use a bootable scanner such as Avira Rescue Scanner, AVG Rescue Scanner, or UBCD4Win. These tools are similar in effectiveness to the off-line scans but, since anti-virus definitions update so frequently, it is inconvenient to keep these tools perfectly up-to-date. Consequently, more maintenance (as well as numerous blank CDs) is required to keep this software effective. Therefore, it is recommended to perform off-line scans on another machine rather than with a bootable CD.
On-line Scans (i.e. once the host operating system is running):
- Rkill (if virus is still running on machine, this should stop the actual viral processes)
- Combofix (this is still one of the most effective tools for virus cleaning.)
- Super Anti-spyware (portable edition, will work on 64-bit)
- VipreScanner
- The Vipre scan is rather long. If it appears that the virus is mostly removed from the machine, skipping the Vipre scan is likely okay.
- The security and ACL permission repairs SHOULD NOT be run on a machine connected to a domain. The ACL repairs will corrupt their domain membership.
- Malwarebytes (install, update, run full scan)
- Kaspersky Virus Cleaner (good, but make sure to either pay attention to it or set it to auto-clean before running it, as it prompts for each detection by default)
- Dr. Web Virus Cleaner (Numerous pop-ups to buy the full version will come up, but it can catch some nasty things)
- Norman Malware Cleaner (No good stats on actual cleaning ability, but an extra scan doesn’t hurt.)
- Spyware Doctor (this is the licensed version. The key can be found on the server under “Documents and Instructions\keys\Internal Software Tools.txt”)
- Spybot (install, update, immunize, run full scan)
Internet Connectivity Problems:
If the machine cannot update an anti-malware app (particularly Malwarebytes) or is having some other difficulty accessing the Internet, the viral infection likely inserted a proxy server into Internet Explorer or into some portion of the TCP/IP stack on the machine. Repairing this problem is usually as simple as running HiJackThis and searching for a Proxy Server entry. In most recent cases, the proxy in question will point to 127.0.0.1:5555. If this does not repair the Internet connection, running the Winsock Fix program (or some variation of it) will likely fix the problem.
Can’t Log On To Windows:
After removing the active portion of a virus, occasionally it will appear that the login process for Windows no longer works – typically this only happens on Windows XP. If this occurs, fixing the problem isn’t too terribly difficult.
In order to repair this issue, remote access to the infected system’s registry is required. This can be achieved through either a bootable CD with a registry editing tool (like ERD Commander or UBCD4Win) or through a networked machine’s remote registry connection.
Once the connection to the infected registry has been established, we need to navigate to the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
It is possible that there are some incorrect values here. Both the Shell value and the Userinit value are known targets for viral changes. The correct setting for each is as follows:
Shell (REG_SZ [string]) = Explorer.exe
Userinit (REG_SZ [string]) = :\WINDOWS\System32\userinit.exe,
Note that the Userinit executable line is terminated with a comma. This is actually appropriate and should be done.
Once you have corrected these registry entries, restart the machine and Windows should log in properly.
Executable Problems:
A number of malware programs now disable or impede the .exe file extension in some way. In many cases, it is a currently running process that is blocking .exe files. If this is the case, using software like Super Anti-Spyware (which is distributed as a .com file) or Rkill (which is distributed as a .scr file) will circumvent the problem and likely allow for removal of the problem program.
In other cases, malware will alter the registry on the infected computer in some way. If cleaning off viral activity does not restore .exe associations, repairing the registry information is likely necessary. Run exefix_xp.com in Windows XP. This will properly re-associate .exe files. In many cases on XP, registry editing (through either reg.exe or regedit.exe) is disabled, so a file that can execute (i.e. a .com file) is required. Merge the Vista_EXE_Fix.reg file into the registry in Windows Vista/7. Since registry merging is accomplished without .exe files in Vista, this will successfully repair the file association.
Download this tool from http://windowsxp.mvps.org/exefile.htm.
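The three registry checks described above (the Internet Explorer proxy entry under Internet Connectivity Problems, the Winlogon Shell and Userinit values under Can’t Log On To Windows, and the .exe association under Executable Problems) can all be verified from a `reg export` of the relevant keys, which is handy when the drive is mounted on a second machine for off-line work. The following Python script is an added example and is not part of the original post or of any tool it lists. It parses the text of a .reg export and reports every value that deviates from the healthy setting. The two embedded exports are constructed samples, and the file paths inside them are placeholders rather than real indicators; the key paths and the expected `"%1" %*` open command are the standard Windows values. The Userinit check matches on the path suffix so that the drive letter does not matter.

```python
import re

# Constructed sample of a `reg export` of the three keys discussed in the post.
# Every value is deliberately tampered so that each check fires; the paths are
# placeholders, not indicators taken from any real infection.
TAMPERED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:5555"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\PLACEHOLDER\\injected.exe,"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\PLACEHOLDER\\hijack.exe\" /START \"%1\" %*"
'''

# The same keys as they look on a healthy machine (also constructed).
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

KEY_INET = r"hkey_current_user\software\microsoft\windows\currentversion\internet settings"
KEY_WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
KEY_EXEFILE = r"hkey_classes_root\exefile\shell\open\command"
EXPECTED_EXE_COMMAND = '"%1" %*'


def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Parse .reg export text into {key: {value name: value}}.

    Keys and value names are lower-cased because the registry is case-insensitive.
    String values, dword values and the default value (@) are handled; other
    types (hex:, expand strings) are skipped because these checks do not need them."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, val = line.partition("=")
        name = "(default)" if name == "@" else _unescape(name.strip('"')).lower()
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            keys[current][name] = _unescape(val[1:-1])
        elif val.startswith("dword:"):
            keys[current][name] = int(val[len("dword:"):], 16)
    return keys


def audit(keys):
    """Return a list of (area, message) findings for the three indicators."""
    findings = []

    # 1. Internet connectivity: a proxy pointing at the local machine is the
    #    pattern the post describes (127.0.0.1:5555); any enabled proxy is reported.
    inet = keys.get(KEY_INET, {})
    proxy = inet.get("proxyserver", "")
    if inet.get("proxyenable") == 1 and proxy:
        host = proxy.split("=")[-1].split(":")[0]  # also copes with "http=host:port"
        tag = "loopback proxy" if host in ("127.0.0.1", "localhost") else "proxy"
        findings.append(("proxy", f"{tag} enabled in Internet Settings: {proxy}"))

    # 2. Winlogon: Shell must be Explorer.exe; Userinit must be exactly one entry,
    #    the system32 userinit.exe, terminated by the trailing comma.
    wl = keys.get(KEY_WINLOGON, {})
    shell = wl.get("shell", "")
    if shell.lower() != "explorer.exe":
        findings.append(("winlogon", f"Shell is {shell!r}, expected 'Explorer.exe'"))
    userinit = wl.get("userinit", "")
    entries = [e for e in userinit.split(",") if e.strip()]
    if not (len(entries) == 1
            and entries[0].lower().endswith(r"\system32\userinit.exe")
            and userinit.endswith(",")):
        findings.append(("winlogon", f"Userinit is {userinit!r}, expected '<drive>:\\WINDOWS\\System32\\userinit.exe,'"))

    # 3. .exe association: anything other than "%1" %* routes every .exe launch
    #    through another program first.
    cmd = keys.get(KEY_EXEFILE, {}).get("(default)", "")
    if cmd != EXPECTED_EXE_COMMAND:
        findings.append(("exefile", f"exefile open command is {cmd!r}, expected {EXPECTED_EXE_COMMAND!r}"))
    return findings


def audit_reg_text(text):
    return audit(parse_reg(text))


if __name__ == "__main__":
    for area, msg in audit_reg_text(TAMPERED_REG):
        print(f"[{area}] {msg}")
```

To run it against a real machine, export the keys with `reg export` (for example `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`), read the file with `encoding="utf-16"` since the export is normally written as Unicode text, and pass the decoded text to `audit_reg_text`. For an off-line drive, load its SOFTWARE hive under a temporary name with `reg load` before exporting.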
Rootkit-specific:
Install Unhackme (in the anti-rootkit folder) and run updates, then go through checking the computer for rootkits and malware (the boot process scan is unnecessary).
Note: Unhackme is a tricky program to use well, and is rather powerful in its own right. Unhackme is not a first option on a machine, and should not be treated as one. It is also worth noting that Unhackme is updated frequently, but the update mechanism within the program does not always function properly. Make sure that the most recent major version of the software is installed before attempting updates.
MBR infections can often be cured by running Microsoft’s FixMBR tool in the recovery console in Windows XP or the Windows RE environment in Vista/7.
Occasionally, Unhackme will detect the TDL3+Mutant rootkit and refuse to clean it. This is a variant of the TDSS/Alureon family. It’s nasty, but Kaspersky’s TDSSKiller is effective at removing it.
Clean-up:
- ATF Cleaner – Will clean obvious temporary files from machine
- Hi-Jack This – a good way to guarantee that there are no obvious start-up items or other easily identified registry items that may continue to affect the machine.
- Run Scanner – similar to Hi-Jack This, but much more verbose. This program is not always necessary, but is quite powerful.
- CCleaner – Will clean less obvious temporary files as well as basic registry cruft. Very useful.
Other Tools:
- SDFix – must be run in safe mode, very infection-specific
- Run from “runthis.bat” in the extracted :\SDFix folder
- requires at least one reboot during its run
- SmitfraudFix – must be run in safe mode, seems to be preempted by ComboFix.
- DNS cleaning does not work in safe mode
Links:
- EMSIsoft Free Emergency Kit - http://www.emsisoft.com/en/software/eek/
- Unhackme - http://www.greatis.com/unhackme/
- Combofix - http://www.bleepingcomputer.com/combofix/how-to-use-combofix
- Rkill - http://www.bleepingcomputer.com/forums/topic308364.html (recommend downloading the .scr file)
- Super Anti-Spyware - http://www.superantispyware.com/portablescanner.html
- Vipre Rescue Scanner - http://live.sunbeltsoftware.com/
- Exe Fix (XP) - http://windowsxp.mvps.org/exefile.htm
- Exe Fix (Vista/7) - http://www.winhelponline.com/articles/105/1/File-association-fixes-for-Windows-Vista.html
- Malwarebytes - http://www.malwarebytes.org/mbam.php
- Spybot - http://www.safer-networking.org/en/download/index.html
- SDFix - http://www.bleepingcomputer.com/files/sdfix.php
- SmitfraudFix - http://siri.geekstogo.com/SmitfraudFix.php
- ATF Cleaner - http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25
- Hi-Jack This - http://free.antivirus.com/hijackthis/
- RunScanner - http://www.runscanner.net/
- CCleaner - http://www.piriform.com/ccleaner
- Avira Rescue Scanner - http://www.avira.com/en/support/support_downloads.html
- AVG Rescue Scanner - http://www.avg.com/us-en/download-file-cd-arl-rar
- Norman Malware Cleaner - http://normanasa.vo.llnwd.net/o29/public/Norman_Malware_Cleaner.exe
- Kaspersky Virus Cleaner - http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
- Bitdefender Rescue CD - http://download.bitdefender.com/rescue_cd/
- Dr Web - http://www.freedrweb.com/download+cureit/gr/?lng=en