Malware Removal Tutorial

SirKenin · 12-15-2006, 10:12 AM

I noticed that the Malware tutorial is severely out of date, so I thought I would make my own. You can add or counter as you deem fit.

For some background, I've been doing malware removal since 1994. I used to have my own extensive collection of virii (ok, for the "outsiders" it's viruses. lol) and distributed them via dialup BBS. They were capable of wiping out BIOS', formatting harddrives, etc. As such I have a fairly indepth knowledge of what these things are capable of. I have been doing spyware removal since it was first introduced. 90% of my current business is residential clients that are infected with up to 12,000 instances of malware.

With that said.

The tools needed to fight these threats are ever changing. As the creators become more devious, they render older tools obsolete. It is a highly competitive market. Whereas Norton used to hold the crown for virus removal, they are now for the larger part ineffective against today's threats. Etc.

There is a simple procedure to remove threats. Following the following steps precisely will greatly improve your chances of success and will dramatically decrease the amount of effort you expend.

1) In normal mode download Prevx1.

http://www.prevx.com/

Install it. Use the online updater to install the latest signature files.

In normal mode run a FULL system scan.

Remove any threats that it finds.

2) Download and install Ewido.

http://www.ewido.net/

Install it. Use the online updater to install the latest definitions.

Reboot into Safe Mode with Networking

Run a FULL system scan.

Remove any threats that it finds.

3) While in Safe Mode with Networking, download SmitFraudFix.

http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Execute the tool.

4) While in Safe Mode with Networking download Autoruns.

http://www.microsoft.com/technet/sys.../Autoruns.mspx

Run it

Click on Options.

Select Include Empty Locations

Select Verify Code Signatures

Select Hide Microsoft Entries

Click through the tabs and select the things that shouldn't be there. To verify that they shouldn't be there, enter the name of the file into Google and check the descriptions on various security sites such as Liutilities and BleepingComputer.

When in doubt, do NOT delete it, rather post the item here for scrutiny.

5) While in Safe Mode with Networking, do an online virusscan.

http://www.pandasoftware.com/products/activescan

Ensure that all threats have been removed.

6) Finally, should problems still remain, download HijackThis

http://www.spywareinfo.com/~merijn/programs.php

Do a scan and save the log.

Post the log here for analysis.

Following these steps will provide a thorough cleaning of your machine. The HJT log will point out any remaining threats that can be assessed and cleaned on a case by case basis.

To protect yourself against further infections, ensure that you have Avast! which monitors your computer on numerous fronts, including webpages, Prevx1 which includes real time monitoring, and Spybot S&D Teatimer which will protect your Registry from unauthorized modifications.

Good luck and happy computing.

jbrown456 · 12-15-2006, 10:08 PM

nice and simple

good work!

SirKenin · 12-15-2006, 10:36 PM

Thank you kind sir.

It would be good if they made it a sticky to save everyone a lot of time and frustration.

jbrown456 · 12-15-2006, 10:41 PM

Quote:

Originally Posted by SirKenin

It would be good if they made it a sticky to save everyone a lot of time and frustration.

Agreed.

Emperor_nero · 12-15-2006, 11:53 PM

That was really good!

I hope to get into computer security as a profession so I enjoy reading other people’s ways of malware removal.

hpi · 12-15-2006, 11:55 PM

Very informative write up. Thanks.

Now a question: When I go into safe mode I can't go on internet?

Verve · 12-16-2006, 12:24 AM

You need to go to Safemode with Networking, depending on the machine it may be worded differently.

jasonz · 12-16-2006, 03:34 AM

Prevx1-I downloaded this when you posted about it last time. 1. It is always orange and says that i am running an unknown program, but i dont know what it is and all the running processes are accepted. 2. Since, it seems like every program takes longer to open now.

SirKenin · 12-16-2006, 03:51 AM

That's why I posted two. One is to catch what the other misses. Follow the remainder of the steps and we'll catch the culprit. But start a new thread about it so that everyone can help and search for it later.

**apj101** · 12-16-2006, 11:19 AM

Quote:

virii (ok, for the "outsiders" it's viruses. lol)

the offical plural of virus is viruses, in both biological and computer terms

i belive the best thing to do would be the integrate the best bits of this with the offical sticky. This way we can have a one shop stop

12-15-2006, 10:12 AM	#1 (permalink)
SirKenin banned Join Date: Aug 2006 Posts: 4,711	Malware Removal Tutorial I noticed that the Malware tutorial is severely out of date, so I thought I would make my own. You can add or counter as you deem fit. For some background, I've been doing malware removal since 1994. I used to have my own extensive collection of virii (ok, for the "outsiders" it's viruses. lol) and distributed them via dialup BBS. They were capable of wiping out BIOS', formatting harddrives, etc. As such I have a fairly indepth knowledge of what these things are capable of. I have been doing spyware removal since it was first introduced. 90% of my current business is residential clients that are infected with up to 12,000 instances of malware. With that said. The tools needed to fight these threats are ever changing. As the creators become more devious, they render older tools obsolete. It is a highly competitive market. Whereas Norton used to hold the crown for virus removal, they are now for the larger part ineffective against today's threats. Etc. There is a simple procedure to remove threats. Following the following steps precisely will greatly improve your chances of success and will dramatically decrease the amount of effort you expend. 1) In normal mode download Prevx1. http://www.prevx.com/ Install it. Use the online updater to install the latest signature files. In normal mode run a FULL system scan. Remove any threats that it finds. 2) Download and install Ewido. http://www.ewido.net/ Install it. Use the online updater to install the latest definitions. Reboot into Safe Mode with Networking Run a FULL system scan. Remove any threats that it finds. 3) While in Safe Mode with Networking, download SmitFraudFix. http://siri.urz.free.fr/Fix/SmitfraudFix.exe Execute the tool. 4) While in Safe Mode with Networking download Autoruns. http://www.microsoft.com/technet/sys.../Autoruns.mspx Run it Click on Options. Select Include Empty Locations Select Verify Code Signatures Select Hide Microsoft Entries Click through the tabs and select the things that shouldn't be there. To verify that they shouldn't be there, enter the name of the file into Google and check the descriptions on various security sites such as Liutilities and BleepingComputer. When in doubt, do NOT delete it, rather post the item here for scrutiny. 5) While in Safe Mode with Networking, do an online virusscan. http://www.pandasoftware.com/products/activescan Ensure that all threats have been removed. 6) Finally, should problems still remain, download HijackThis http://www.spywareinfo.com/~merijn/programs.php Do a scan and save the log. Post the log here for analysis. Following these steps will provide a thorough cleaning of your machine. The HJT log will point out any remaining threats that can be assessed and cleaned on a case by case basis. To protect yourself against further infections, ensure that you have Avast! which monitors your computer on numerous fronts, including webpages, Prevx1 which includes real time monitoring, and Spybot S&D Teatimer which will protect your Registry from unauthorized modifications. Good luck and happy computing.

12-15-2006, 11:53 PM	#5 (permalink)
Emperor_nero Diamond Member Join Date: Sep 2006 Location: 127.0.0.1 Posts: 2,315	That was really good! I hope to get into computer security as a profession so I enjoy reading other people’s ways of malware removal. __________________ I play Rugby, and no its not like it's sissy cousin with the pads.

12-16-2006, 12:24 AM	#7 (permalink)
Verve Diamond Member Join Date: Sep 2005 Location: Tampa Bay, Florida Age: 20 Posts: 2,518	You need to go to Safemode with Networking, depending on the machine it may be worded differently. __________________ Formerly Starwarsman HP DV6885 Special Edition Core2Duo T8100 @ 2.1 GHz 3GB DDR2 Ram 250GB SATA HDD Geforce 8400m GS Vista Home Premium SP1 The Masterplan

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Excellent spyware removal tool	SirKenin	Computer Security	9	10-04-2006 03:02 AM
hijackthis log	spkenn5	Computer Security	11	07-08-2006 06:34 PM
wireless connection fails after spyware removal	mikekelly	Laptop and Smartphones	5	08-27-2005 06:37 PM
Malware Removal Tools	Cache	Computer Security	3	06-14-2005 11:57 PM

12-15-2006, 10:08 PM	#2 (permalink)
jbrown456 Platinum Member Join Date: Dec 2004 Location: My House Posts: 866	nice and simple good work!

12-15-2006, 10:36 PM	#3 (permalink)
SirKenin banned Join Date: Aug 2006 Posts: 4,711	Thank you kind sir. It would be good if they made it a sticky to save everyone a lot of time and frustration.

12-15-2006, 11:55 PM	#6 (permalink)
hpi banned Join Date: Dec 2006 Location: Montreal, Quebec Posts: 1,515	Very informative write up. Thanks. Now a question: When I go into safe mode I can't go on internet?

12-16-2006, 03:34 AM	#8 (permalink)
jasonz Platinum Member Join Date: Oct 2006 Location: college station, tx Age: 22 Posts: 715	Prevx1-I downloaded this when you posted about it last time. 1. It is always orange and says that i am running an unknown program, but i dont know what it is and all the running processes are accepted. 2. Since, it seems like every program takes longer to open now.

12-16-2006, 03:51 AM	#9 (permalink)
SirKenin banned Join Date: Aug 2006 Posts: 4,711	That's why I posted two. One is to catch what the other misses. Follow the remainder of the steps and we'll catch the culprit. But start a new thread about it so that everyone can help and search for it later.