Computer virus removal (Quick & dirty)

Fastest way to deal with viruses, spyware and malware

Abstract

You (or someone you care about) are having problems with a PC and suspect an infection. You want to fix it as quickly and painlessly as possible, so here are some first steps that often succeed.

I’ve had to disinfect many PCs over the years and have developed a set of methods that I feel are the most effective in the shortest possible amount of time.

This article assumes

  • you have at least average PC knowledge/skills
  • the computer is a Windows PC
  • the PC has a working internet connection that isn’t too slow
  • the PC isn’t so infected that it can’t browse the internet reasonably ok
  • the PC wasn’t adequately protected by anti-virus software

Different infections require different approaches. The material in this article is not so much a tutorial as a collection of tools and techniques that I’ve had success with.

First things to do (latest advice)

As of early 2009, my best advice is to start by downloading and running the only program that I’ve found to be of much use these days; the old standard tools don’t seem to be keeping up very well. For the last three infections I’ve had very good results with MalwareBytes. “MBAM” is free, simple to use and effective, a welcome throwback to the good-ole-days. It’s like the Google of anti-virus. The free version fixes. Pay $25 (once) and you can unlock its protection features. This program eradicated Vundo.H on my personal ‘puter when nothing else (Avira, TrendMicro, and several utilities) would touch it. See this article for more info.

After MalwareBytes, the next most useful tool is HiJackThis (see below), but mostly for two purposes: 1) to get rid of the stuff that’s easy to fix, as a “noise reduction” step, and 2) to point out what’s left that is going to require the most effort. If you have HiJackThis fix something and it keeps coming back, you’ve identified your enemy.

First things to do (traditional)

are to check for some simple fixes, just in case your infection is not very clever:

  • Check the Startup folder in Start>Programs>Startup and delete any entries that are obviously not wanted. {Easiest.}
  • Open the “Add or Remove Programs” control panel and uninstall any unwanted programs. {Easy and reduces “noise” for rest of the process.}
  • If you know how to safely use the Registry Editor without damaging your system, check for unwanted entries in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run keys and delete them. If you aren’t experienced with Registry Editor, let some of the tools recommended below worry about the registry. {Quick, often IDs some infections}
  • Use MSConfig. (Start>Run…>msconfig>Startup tab.) Uncheck anything that you really don’t need to startup automatically. {Quick, IDs many infections}
  • Open the Windows\System32 directory in a window and sort by “Date Modified”. Look at both the newest files and the oldest files. Most infections drop some of their files here, and most of those files will have very recent modification dates or faked, ridiculously old ones. {Quick, IDs presence of many infections}
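
The five checks above can be done in one read-only pass from PowerShell. The script below is an added example, not part of the original article: it lists the startup folders, the installed-programs list behind “Add or Remove Programs”, the Run/RunOnce keys for both HKLM and HKCU, and the newest and oldest files in System32. It deletes nothing; the “random-looking” flag is a crude heuristic (five or more consonants in a row) that I added as a hint, not a verdict. Run it from an elevated PowerShell prompt on the PC being checked.

```powershell
# Added example (not from the original article): read-only triage of the
# autostart locations and System32, mirroring the manual checklist above.

# 1. Startup folders (current user and all users)
Write-Output "== Startup folders =="
foreach ($folder in 'Startup', 'CommonStartup') {
    $path = [Environment]::GetFolderPath($folder)
    if ($path -and (Test-Path $path)) {
        Get-ChildItem -Path $path -File | ForEach-Object { "  $path\$($_.Name)" }
    }
}

# 2. Installed programs, as "Add or Remove Programs" shows them (newest first)
Write-Output "== Installed programs (newest first) =="
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Sort-Object InstallDate -Descending |
    Select-Object -First 15 DisplayName, Publisher, InstallDate |
    Format-Table -AutoSize

# 3. Run / RunOnce keys. A value name with a long run of consonants gets a
#    "random-looking" flag; this is only a hint for the reader to investigate.
Write-Output "== Run keys =="
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $value = $item.GetValue($name)
        $flag  = if ($name -match '[b-df-hj-np-tv-z]{5,}') { '  <-- random-looking name' } else { '' }
        "  $key`n      $name = $value$flag"
    }
}

# 4. System32 sorted by Date Modified: the newest and the oldest entries,
#    since both very recent and impossibly old dates are worth a look.
$sys32 = Join-Path $env:SystemRoot 'System32'
$files = Get-ChildItem -Path $sys32 -File -ErrorAction SilentlyContinue
Write-Output "== Newest files in $sys32 =="
$files | Sort-Object LastWriteTime -Descending |
    Select-Object -First 15 LastWriteTime, Name | Format-Table -AutoSize
Write-Output "== Oldest files in $sys32 =="
$files | Sort-Object LastWriteTime |
    Select-Object -First 15 LastWriteTime, Name | Format-Table -AutoSize
```

Compare the output against the startup-program and process lists linked further down before removing anything; a legitimate driver helper with an ugly name will trip the consonant heuristic just as readily as an infection.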

Next thing to do

is to use the free online virus scanner tool offered by TrendMicro. This will get rid of the easily removed infections and help identify ones that aren’t easy to remove. Go to TrendMicro’s “Housecall” online scanner and initiate a scan of your computer. Go watch TV for an hour or two, checking back during commercials.

When it is done, write down any identified threats, and then have it automatically remove everything it can. Shut your computer down and restart, then run the scan again. Often it will find different or the same infections. If it finds the same infections, or keeps telling you that it can’t remove certain infections, you will probably need to find a specialized removal tool (see below).

Specialized tools

If you are really computer savvy, here is a list of tools for you to check out (i.e. Google them):

  • Windows Recovery Console (see “Rootkits” below)
  • Rootkit Revealer
  • GMER
  • MoveOnBoot

Find a special software tool

to do the work for you. Use a search engine to find them, using the name of the infection and the word “remove” as search terms. Review the search results looking for references to removal tools and for users’ experiences with the infection and the various methods used to remove it. The experience comments will help confirm that you’ve got the same infection. Don’t just use the first removal technique that you find; take the time to read as many postings as you can find, and look for tools/methods that seem to have had the best results. Symantec has a collection (including one for Vundo called VundoFix.exe, but it doesn’t work for the latest versions).

Things to remember:
Most PCs become infected by several different nasties. Removing some of the less-nasty sometimes helps in dealing with the more nasty. The modern more-nasty infections can be quite devious, using multiple hidden files and methods for re-infecting, even if most of it has been removed. If Housecall doesn’t fix it, look for specialized removal tools designed just for that particular infection.

Another way to get rid of some malware is to

use “HijackThis”

but it requires caution and some good judgement. Fortunately, if you have a day or two to work on the problem, you can post the data from HijackThis to several different forums and let more knowledgeable persons tell you what to do. You can download HijackThis from the author’s website or from TrendMicro’s. HijackThis will scan your system and show you a list of programs that are configured to run on your system. Some of the entries in the results will be obviously OK as they mention names of programs that you know are supposed to be there. Some might obviously be unwanted, usually BHOs (Browser Helper Objects) that hijack your browser and its toolbars. A lot of them will have “search” or “ad” in their names. Others will have nonsense letters in the name, which are randomly generated every time the infection re-seeds itself. These can be safely checked (selected) for removal. See below for links to lists of startup programs and processes, which can be used in addition to posting HijackThis logs to forums.

Use Task Manager to diagnose/confirm infections

Often, you can use HijackThis to remove infections and they come right back. This is because there are one or more hidden seeding programs that watch your computer and create fresh infestations as soon as the active one(s) are removed, or at least upon the next reboot. These often can be confirmed by using the Task Manager to end running processes. Bring up Task Manager (CTRL-SHIFT-ESC > Processes tab). Sort on Image Name (or Process) by clicking on the column head. Make sure anything you care about is saved. Look for suspiciously named processes. “akalsfdjl.exe”, for example, is an obviously randomly-generated name. Often the name will be very similar to a valid Windows process, so be careful. Again, some processes will obviously be OK, some will be suspicious and some will be in between, depending on your level of experience. See below for links to lists of startup programs and processes, which can be used in addition to posting HijackThis logs to forums. You can select a process and click the “End Process” button. If you try to end a valid process, your request may be refused or it may do something annoying, like freeze or crash. (I told you to save anything you care about, remember?) But if you are able to End Process a program, and then it comes right back or is replaced by a similar process, you can probably assume that you’ve found a Nasty. Go find a removal tool. If Housecall didn’t give you a name fragment to ID it with, you’ll need to take longer and

download or purchase other scanners

and tools to continue with the fix. Don’t use anything that isn’t recommended by a reputable source. Lots of nasties masquerade as anti-spyware/anti-virus software.
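
The Task Manager routine described above (sort the process list, pick out suspicious names, end the process, see whether it comes back) can be scripted. This is an added example and not from the original article. Get-ProcessReport only lists running processes with their image path, Authenticode signature status and a “random-looking name” flag (the same five-consonant heuristic, an assumption of mine, not a rule); Test-ProcessRespawn does the end-it-and-wait experiment for one named process. Processes whose path PowerShell cannot read (protected system processes) are skipped from the report. Save your work first, as the text says, and run elevated.

```powershell
# Added example (not from the original article): Task Manager triage from
# PowerShell, plus the "does it come back after End Process" test.

function Get-ProcessReport {
    # One row per process whose image path is readable: name, path, whether
    # the file carries a valid Authenticode signature and who signed it, and a
    # crude flag for names with a long run of consonants (hint, not verdict).
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction SilentlyContinue
        $status = if ($sig) { $sig.Status } else { 'Unknown' }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Id         = $_.Id
            Name       = $_.ProcessName
            Path       = $_.Path
            Signature  = $status
            Signer     = $signer
            RandomName = [bool]($_.ProcessName -match '[b-df-hj-np-tv-z]{5,}')
        }
    } | Sort-Object RandomName, Signature -Descending
}

function Test-ProcessRespawn {
    # End every process with this name, wait, and report whether one returned.
    # A process that reappears within seconds is being re-seeded by something
    # else that is still running (or by a scheduled/registered starter).
    param(
        [Parameter(Mandatory)][string]$Name,   # name without .exe, e.g. akalsfdjl
        [int]$WaitSeconds = 15
    )
    $before = Get-Process -Name $Name -ErrorAction SilentlyContinue
    if (-not $before) { return "No process named '$Name' is running." }
    $before | Stop-Process -Force -ErrorAction SilentlyContinue
    Start-Sleep -Seconds $WaitSeconds
    $after = Get-Process -Name $Name -ErrorAction SilentlyContinue
    if ($after) {
        "'$Name' came back within $WaitSeconds s (PID $($after.Id -join ',')): something is re-seeding it."
    } else {
        "'$Name' stayed gone for $WaitSeconds s. Reboot and check again before calling it clean."
    }
}

# Usage: show unsigned or random-looking processes first.
Get-ProcessReport |
    Where-Object { $_.RandomName -or $_.Signature -ne 'Valid' } |
    Format-Table Id, Name, Signature, RandomName, Path -AutoSize

# Then, for one suspect (constructed name from the text above, not a real sample):
# Test-ProcessRespawn -Name 'akalsfdjl'
```

An unsigned binary in a Windows directory, or a signed one whose Signer is not the vendor you expect, is where to start reading. A respawn within the wait window tells you the seeder is live; a clean result only after a reboot tells you the seeder is a startup entry, which is what the Run-key and startup-folder checks earlier are for.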

The traditional first-choices are:

ANTI-SPYWARE

For more choices, and for a list of ones to beware of, see this article.

One of the best rated spyware scanners offers a free scan-only program which is useful for checking how clean a PC really is.

ANTI-VIRUS

Most of the free versions have disappeared (AVG & Bitdefender, e.g.). These are still free (August 2008):

  • Microsoft’s Security Essentials. This seems to be one where M$ actually got it right. It is highly rated and, unlike AVG, Norton, etc., isn’t in your face all the time and consuming half your machine’s resources. And it’s free.

For more choices, see this article.

Whenever I run several scanners, they usually have overlapping but different results, that is, each scanner will find something that the others missed. None are 100% successful, and it’s good to run several when dealing with multiple infections. And remember that no infection is really gone unless you’ve rebooted several times and it doesn’t come back. Keep working on it till you get clean scans from several different scanners.

Links

SysInfo.org List of programs as they appear in startup lists (like MSConfig and HijackThis), both safe and unsafe
UniBlue List of processes (as found in Task Manager and HijackThis)
AnswersThatWork List of processes (as found in Task Manager and HijackThis)

Protection

After the PC is clean, how should you protect it? This really depends on the user(s). I run with very little protection and only have to clean about every two years. But I’m consistently careful and willing to clean every now and then. I don’t like antivirus software as it slows things down, is usually pricey and requires a lot of maintenance. For most users, however, it is worth it to avoid infections. I haven’t personally tried MBAM for protection, but if it works as well as the scanner/fixer, it would be worth the one-time $25 price for the real-time protection version. Here is a list of other programs to choose from.

Firewalls are ok, and should be used in general. I use a lot of programs where I don’t want to deal with the firewall’s interference, but often use the one built into Windows these days. If you use one, and some program stops working, check the firewall first to see if it is the culprit and add the program to its exception list.

———————————————————————————————————————————-

What if the PC is too infected to run Housecall?

Some options are:

  • Download HijackThis on a different PC and install it on the infected PC. Running it may free up the computer to allow you to use the browsers and the internet again.
  • Download a different browser on a different PC and install it on the infected PC. If the infected PC’s browser is hijacked, using a different browser might circumvent the hijackings.
  • Download 30-day trial versions of Grisoft’s AVG and anti-spyware programs (or some other respected alternative) on a different PC and install them on the infected PC.
  • Boot into Safe Mode with networking and try Housecall.
  • With newer PCs, you may have the option to restore back to a pre-infected state. You can Google “Restore Points” and “System Restore” to learn more. However, unless you’ve been saving good Restore Points, and the virus hasn’t infected the Restore Points (the really nasty ones can do that), you might be wasting your time. I’m sure that some have had success, but I’ve not heard a lot of success stories.
  • If you have all the installation media/codes for all the software that you care about, you can reformat the hard drive and reinstall everything from scratch. This is a last resort, but is sometimes easier than spending a month chasing a really bad Nasty. You’ll need to back up all your data files. You’ll need to be certain that you can reinstall the operating system, and you’ll need to inventory all the programs that you’ve installed (including downloads). If you’ve verified that you have all the media and install keys, and a list of everything you’ve downloaded and installed, then you can think about reformatting etc. If you have a newer PC, the vendor (e.g. Dell) may have saved the original installation on a hidden part of the hard drive (call them and ask) or you can use the oldest Restore Point (see above, but be aware that viruses can infect Restore Points too). Another approach is to add a new hard drive, making it the primary and installing the OS and all software and drivers on to it, as well as one or more good virus/spyware scanners, and using them to clean the infected hard drive. It might also be possible to add the infected hard drive as a secondary drive to an uninfected-but-well-protected PC, scan/fix the infected drive and then return it to service.

Rootkits

There are more and more infections out there that are almost impossible to fix. Most of these are “rootkit” viruses. They can hide themselves from the Windows API functions, and even hide all files with similar names. Some tools that you can use include installing the Windows Recovery Console, which is like booting up into DOS and being able to unhide and delete files in the system directories (only). There are scanner tools that compare the file’s info from the API functions vs. the data from other programming methods, which can help identify files that are trying to hide. You can use utilities like “Move On Boot”, to delete files on bootup, but these have never really been of much use in my experience so far. It took me a week to eradicate the second to last one of these. I’m still working on the current infection (can’t find the seed program).

Also, most of the modern, really-hard-to-kill viruses, hide copies of themselves in the hidden Restore Points. That’s right. The technology that Microsoft developed to fix your computer if it gets into trouble, is actually doing virus creators a bigger favor. I’ve never yet used a Restore Point, so I turn mine off.

Summary

This gives you an idea of the issues and points you to some tools. The struggle against the slime-balls who enjoy making life miserable for others continues. The methods of infecting and fighting infection keep changing. Expensive protection software like Norton or TrendMicro doesn’t stop everything.

A radical alternative to prevention

There is a lot to be said for a preventative strategy that works like this. Plan on reinstalling your computer every few months. Keep all your data on a separate hard drive and back up that drive to an external USB drive every day or week. Unplug the USB cable when not backing up. Keep all your installation disks handy. Whenever you download and install software and updates, save the install files to a special directory on your data drive. If you get a really nasty virus, reformat your hard drive and reinstall everything. Obviously, you need to be comfortable reformatting hard drives and installing operating systems. Keeping notes about configuration options / installation choices is helpful.
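
The backup half of that strategy, as an added example that is not from the original article: a small PowerShell script around robocopy that mirrors the data drive to the USB drive, keeps a dated log, and refuses to run when the USB drive is unplugged. The drive letters (D: for data, E: for the USB drive) and the folder names are my assumptions; change them to match your setup. Save it as, say, Backup-Data.ps1 and run it whenever the USB drive is plugged in.

```powershell
# Added example (not from the original article): mirror the data drive to an
# external USB drive with robocopy, then remind the user to unplug it.
param(
    [string]$Source      = 'D:\',             # assumed data drive
    [string]$Destination = 'E:\Backup\Data',  # assumed folder on the USB drive
    [string]$LogDir      = 'E:\Backup\Logs'
)

# Refuse to run if the USB drive is not connected, so /MIR can never be
# pointed at a missing or wrong drive.
$destRoot = [System.IO.Path]::GetPathRoot($Destination)
if (-not (Test-Path $destRoot)) {
    throw "Backup drive $destRoot is not connected. Plug in the USB drive and rerun."
}
New-Item -ItemType Directory -Path $Destination, $LogDir -Force | Out-Null

$stamp = Get-Date -Format 'yyyy-MM-dd_HHmm'
$log   = Join-Path $LogDir "backup_$stamp.log"

# /MIR  mirror the source, including deletions, so the copy stays exact
# /XJ   skip junction points (avoids loops through reparse points)
# /R:1 /W:1  do not let one locked file stall the whole job
# /NP   no per-file progress noise in the log; /TEE also echoes to console
$roboArgs = @($Source, $Destination, '/MIR', '/XJ', '/R:1', '/W:1', '/NP', "/LOG:$log", '/TEE')
& robocopy @roboArgs
$rc = $LASTEXITCODE

# robocopy exit codes are a bitmask: 0-7 mean the run succeeded (files may
# have been copied, removed or mismatched); 8 or higher means some file failed.
if ($rc -ge 8) {
    Write-Warning "Backup finished with errors (robocopy exit code $rc). See $log"
} else {
    Write-Output "Backup OK (robocopy exit code $rc). Log: $log"
}
Write-Output "Now unplug $destRoot so nothing running on this PC can reach the backup."
```

One caveat that fits the strategy: /MIR propagates deletions, so a file that malware (or you) deletes on the data drive disappears from the backup at the next run. If that worries you, drop /MIR in favour of /E so the copy only ever grows, or rotate between two USB drives so one is always a week behind.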