Guide: Virus Removal 101

Welcome!

By registering with us, you'll be able to discuss, share and private message with other members of our community.

SignUp Now!

Solaris17

Administrator
Staff member
Joined
May 13, 2023
Messages
13
Rules of the road

THIS IS NOT FOR INFECTION HELP! PLEASE MAKE YOUR OWN THREAD!
THIS IS MEANT FOR BEGINNERS BE NICE!


Information and Scope

About

Hello! This thread was created by request and support from a few member of the forums.

I am NOT affiliated, sponsored, represent, or paid by any security firm or corporation. I do not officially represent any entity while posting under my USN.

I have worked for several tech companies and previously I was working for a mid level enterprise as a domain administrator for around 2000 end points between 13 offices.

My personal take on virus removal is that it should be free for those most in need and I very much will write this guide in accordance with my belief that someone is tearing there hair out and just want there computer to work again. The tools I will link and provide are free and I and others in the industry have used to completely disinfect machines.

HOWEVER I also firmly believe that if a product worked for you you should pay for it to support the developers and the science and skill that went in to the program. The world of security software is a mean place with brilliant minds. However from what I have seen "Free" outweighs "Paid" in most peoples minds when dealing with antivirus/malware tools.

If you like something you should buy it. So that the father of 3 can help pay his bills and has the drive to keep making whatever product that saved your ass better. That's the pure & simple.

Now that you know a bit about me we can move on to some other stuff.

Scope

The scope of this guide will be limited to the end user environment. This guide DOES NOT cover enterprise level environments, however it MAY brush on higher level best practices and mitigation techniques.

I intend to cover how to properly remove a virus, malware, root/boot kits and junk-ware from a compromised PC in a basic friendly low impact manner that is easily understood by the average user. This guide will cover normal operating systems in normal environments, each example will be explained under the assumption that you know nothing about security or intrusive programs and have only the most basic software knowledge and user skill.

This approach is meant to cater to the masses and not in anyway meant to demean or imply that a user needs to be handled in this manner.

I will add that this guide is not a place for arguments and I will only accept constructive criticism. Even the most skilled PC builders, programmers, network engineers and users may not know a-lot about security and best practice. That is TOTALLY FINE! That is NOTHING YOU NEED TO BE ASHAMED OF!!!!! Please understand that you may be able to take away something from this guide. I am not here to bump heads with SecOPs or other Operations managers which I am sure exist on this forum.

This guide is meant for the average user. I may omit expanded details or parts of security practice on purpose because the "watered down" explanation is easier to digest. There are always nay sayers and if you would like a specific question asked you can PM me. Not including something usually has a purpose and doesn't necessarily mean I don't know the material.

I will say somethings in this guide some of you will NOT agree with. I am fine with that. I may even make someone upset. I do NOT mean to do this. Please understand my history in my "About" section. I have handled a-lot of machines and different technologies. The information provided herein is a reflection of best practice, facts, personal experience and industry accepted techniques. Multiple resources will be provided to backup certain information.

Getting Started

Lets start with the most controversial point in organizations and business that IT staff have with what this guide is about. Time, money and effort.

A virus removal is not as common place as you may think in the professional industry. It is more a pain in the ass for walmart than it is for you the end user. In most cases if you are speaking with a real IT pro the answer to the question "Can you fix my computer?" is usually just format it and reinstall the OS. This is because;

A: It is far more cost effective if you are paying someone to have them simply wipe it and removal all doubt.

B: It is the ONLY sure fire way to remove w/e infected your system in most cases.

C: Virus removals can do more harm than good.

D: It is far less time consuming in most cases.

Virus removals for the end user are usually more simple than you think. However understand that in the security industry this is very much a fight fire with fire method. Security software is a mean beast. The process can VERY MUCH leave your system in a worse or unusable state, As you can see by this guide it is also very involved if done properly.

Attempting to remove an infection of any type without the right tools can result in not effectively removing the infection and compromising the security of the OS MORE because of the settings and files that need to be manipulated to properly disinfect it.

That's some pretty scary stuff but now we can shed some light on some good news. If you are reading this chances are you are not nearly as infected as you think you might be. The software might be bothersome and annoying even hard to close or impossible to delete. However most users will not run into serious infections.

I am 100% certain anyone reading this (except from an academic standpoint) is probably frustrated out of there minds with the problem they are currently facing. HOWEVER, with that said most everyday infections are very common and easily re-mediated without the risk of damaging the core OS or user data. Even better news if you can read this guide from the infected machine in question you are better off than most.

Regardless of infection type or severity level there is hope of a clean system and I will cover how to properly avoid it later. Your reasons for choosing the route of disinfection are your own. I will not judge those that do not do the easier path of re-installation; I am also fully aware an OSR is not always the easiest solution depending on circumstance. You should also make sure not let anyone else judge you on it. Disinfection is very much a skill and I will try and help you manage it by yourself.

Lets move on :)

Definitions

Lets start with Definitions! Not AV Definitions silly what are we talking about when we say boot kit, add-on, malware? Do they even sell encyclopedia security? This section is going to break down the difference between them all and hopefully teach you the fundamentals of infection for better or for worse knowing is half the battle and if you really want to save your PC than knowing what you need to do is one of the biggest parts of the battle.

Shooting a fly with a tank damages more than the fly and we should always understand that in most cases the cure can be worse than the disease. So lets make sure we apply band-aids before we use penicillin.

Malware:

- Malware like the article suggests is a blanket term for many types of infectious programs. When you say I have "malware" you aren't exactly wrong regardless of what program is causing issue, however you aren't really helping yourself or the person trying to help you get rid of it.

I will break down some of the more common groups below to help you help yourself narrow down the type of problem you have. There are also multiple sub-groups to the primaries listed below but a general knowledge will suffice in most circumstances so I will not be getting into them in this guide.

Junkware:

- Junkware as of late has been the term most used to supersede the old terminology adware. This kind of infection is usually what causes popups in browsers and on your desktop usually by way of installing themselves along with legitimate packages you download from legitimate sites like Java, or Adobe Reader. This is the most common type of "Infection" a user complains about. Java for example has "bundled" toolbars etc for years and download.com by CNET is notorious for spreading bundled installers. I get alot of my junkware samples from them.

Virus:

- A Virus is a term that is usually used for what is actually pretty rare these days in the field of users. The definition of virus has carried alot of different meanings in the past and has changed significantly over the years as security researchers and programmers started to need different "groups" for malicious software to gauge intent and infection rate among other things. Today when dealing with a "Virus" most people in the know assume the Virus is of malicious intent and activly destroys or manipulates user data in a negative way. Such as Trojans or Ransomware or keyloggers. There are some very nasty viruses that are difficult to contain, isolate and remove because they are polymorphic in nature IE they change.

Boot/Root Kit(s):

- A RootKit is a special type of incredibly powerful infection. Rootkits are incredibly hard to cope and deal with because they have the ability to cloak themselves completely or mask themselves as legitimate system processes making detecting one difficult. Rootkits are infections that circumvent the security protocols of the machine and various security software.

Rootkits are used as a foot in the door for other kinds of infections ranging from malware to virus infections and almost any other kind of conceivable infection. True to its name the root kit usually gives complete privileged access of your computer to the attacker, be it remote control of the program or the machine and hardware itself.

On the same branch is the Bootkit. The bootkit like the rootkit has the ability to grant the attacker complete administrative access while remaining hidden and undetectable by most normal means.

The Primary difference in Bootkits is that they are infecting the machine on a very deep level on the hard drive usually interrupting the boot process itself hence the name. Bootkits are capable of defeating even the most robust antivirus software and built in security because bootkits themselves are usually loaded before most of the OS files during the boot process before you even get to the desktop.

Bootkits and there connected files can be the most destructive to remove and hardest to find given there nature.

Software and Background

In this section we will briefly go over the software being used and why we chose this software as opposed to other options. This is more of an academic type of post that will clarify the more important "WHY" when it comes to removal. It is important to understand that in order to effectively remove or have the best chance too remove a virus you must have the proper tools. The software listed below is based on several key points. Those mostly being.
  • Free
  • Easy to use
  • Minimal user interaction
  • Update friendly
At no point should you think that the software chosen was chosen because it is better than xyz or the "Best". That doesn't mean the software is "not the best" just that I am trying to break the mindset of "Best" it is important to shake the idea that a one off solution is always going to be the better one.

A Porsche is fast and will get you to work sooner than an 18 wheeler but if your hauling tractors to work the 18 wheeler is better suited. This is no different in the security world applications are built for a specific purpose for the most part and because of the nature of heuristic code engines some software will do better than others even if it is the same area of interest.

Software List

- Threat Restraint
  • Rkill
-Rootkit Removers
  • TDSS
  • bootkitremover
  • MBAR
-Broad Spectrum Scanners
  • Roguekiller
  • EEK
  • MBAM
  • Sophos VRT
  • HitmanPro
- Malware/Junkware Removers
  • ADWCleaner
  • JRT
-Targeted Repairs
  • Powerliks
  • Combofix
-Wrap-up and Repair
  • TWEAK
  • REVOuninstaller
  • Ccleaner

Examples

Above is the list of software this guide will cover and what you will be using to disinfect the machine in question. Now; we will go more into why we separate them into groups in the next section. Here I will explain weakness and strength between software types and programs so you can understand why there are so many.

A common question is why don't we have a 1 all solution paid or otherwise that can handle all of well...all of this. The answer is simple.

You can't.

Every virus removal tool is different in some way. Some are able to detect things others can not. Above are the groups of different software. For example EEK is a broad spectrum scanner. However EEK cannot detect rootkits as well as programs specifically designed to remove rootkits like TDSS. Likewise Programs like TDSS are completely incapable of detecting malware, it simply isn't programmed for it.

Software in the same category also behaves differently. Hitman is very good at detecting browser issues and cookies. However Sophos isn't so great at browser infections but is better at scanning core system folders.

The AV world is full of these kinds of checks and balances which makes proper removal more of a skill than a click of a few buttons. Nothing is 100% and you must rely on the differences the tools have to increase your chances of success.

- Running scans in order

Running scans in the correct order might be something you are unfamiliar with. I will try to break down the basic concept as to why this is important to you. For the most part it boils down to permissions. Be it actual NTFS permissions or actual Privilege. Digging deeper you should ALWAYS attack an infection in this order.
  • Threat restraint
Threat restraint is an important step because it will allow you the user to more easily work with your machine which is probably super slow because of infection. Using programs like killemall or Rkill stop known malware processes which free up memory and CPU making it a little easier and faster to deal with your machine.
  • Root/Boot Kits
As previously covered Root and Bootkits are low level infections that grant admin (root) access to the machine. This software also for the most part changes permissions of core system files in order to more easily control your machine. It is very important to target and remove these infections first because the modifications they make can stop other higher level removal tools from working correctly.
  • Virus Scans
Actual Virus removal comes next. Trojans, worms, spyware all virus class infections cause some kind of issues with system services, built in security protection and have the ability to prevent removal tools from opening. These kinds of infections need to be delt with second so that we can ease the restraints on the system so that our tools have the proper permissions and resources to run.
  • Mal/Junkware scans
These are the last class of tools to run. These infections usually adhere to the user level of least privilege. They are really annoying and bothersome but are usually the most simple to remove. Unfortunately the tools that remove them require the use of system resources most of the time and assume they have everything they need to proceed. For this reason malware and junkware removal scans are done last because they totally rely on the previous steps being done and corrected to run correctly.
  • Repair
Repair tools like tweak are used last. These programs reset windows to a default usable state. From folder options and icon size to default services and program startup. Most of the virus removal tools correct security related issues that the virus they are removing affected.

However sometimes more things have been touched and damaged and for these we use repair software last to correct the remaining issues after a full removal.

Identification and Resources

Define

One of the most difficult parts of a virus infection is trying to figure out what you are dealing with. This can be impossible to know for certain but there are a few tell tale signs that can tell you how soon you need to deal with the problem. Below I outlined some very basic markers.

-Boot/Rootkit.

  • Machine is running very slow with no sign of infection
  • Machine starts VERY slowly
  • Machine Blue screens for almost no reason
  • Machine BSODS or locks up during virus scans
-Virus

  • Machine runs slowly and has programs running during startup
  • Machine won't let you open task manager
  • Machine won't let you open AV software
  • Machine will play audio when there shouldn't be
  • Machine has pop ups at the desktop
-Junkware/Malware

  • Browsers homepage has changed or changes
  • Browser locks you out when opening new tabs
  • Machine has a lot of programs open during startup that won't close
  • Machine shows a lot of software that ask you to pay for it
  • Machine displays pop ups telling you you have a virus
  • Machine asks you to call a tech support number

Examples

Below are some really common scams and malware making its way around.

- MypcBackup
- Driver installer/download programs
- Fake Antivirus software
- Speed up tune up and cleanup software
- Mindspark toolbars and software
- Slimware utilities software
- Phone call scams telling you your unit is infected
- Email scams with PDF invoices saying you have a package at USPS, UPS, FedEX waiting for you

Ransomware

Ransomware deserves its own section. Here are the common signs.

tesla.png


crypto.png

Anything or program that tells you your files have been locked or encrypted is ransomware.

Address it

IMMEDIATELY unplug your system from the internet and shut it down.

Take it to a professional. This is not a simple procedure or technique. You SHOULD NOT attempt to handle this infection on your own. I SERIOUSLY beg you to take your machine to a local shop to be worked on. It may be possible (although very SLIM) for them to decrypt your data using one of the tools that have been released for the crackable versions.

I am deliberately skipping over risk assessment and disinfection. You NEED to take this to a professional. If you have no important data or pictures on the machine format it immediately. It's already over.

Sources

If you are still unsure if you are infected or have an issue you can always take it to a local shop for diagnosis. However there are a few trustworthy online resources you can use to see what you have.

Should I Remove It?

Should I remove it is a meta based system were users submit there "votes" on a piece of software. Based off of the reaction Positive/Neutral/Bad you can decide if it is something you should keep.

Herdprotect

Herdprotect is a cloud based virus scanner that uses multiple company definitions and engines to determine if you are infected. They also have a pretty handy knowledge base. Simply search for your program or file and see what it comes back with.

Virustotal

Virus total is a google sponsored AV front end. You can search for programs, check shady website URLs or upload a file you aren't sure about. Like herdprotect it uses multiple AV software to come to a conclusion.


Getting Prepared

Before we get started we need to get you ready to run some of the tools I have prepared for you. The below instructions mostly pertain to Windows 7 and 8. By default Windows 10 already comes with the programs you need installed for all of my tools to work.

You will Need

.NET 4.5 and 4.6

We need the .NET frameworks installed because this software has the instructions needed for powershell. Powershell is what we will be using to download the tools you need.

It is best to do them in order so here are the links.

.net 4.5

Download Microsoft .NET Framework 4.5.2 (Web Installer) for Windows Vista SP2, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2008 SP2 Windows Server 2008 R2 SP1, Windows Server 2012 and Windows Server 2012 R2 from Official Microsoft Download Center

.net 4.6

Download Microsoft .NET Framework 4.6.1 (Web Installer) for Windows 7 SP1, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2 SP1, Windows Server 2012 and Windows Server 2012 R2 from Official Microsoft Download Center

Now that we have .NET all caught up. We need to make sure that we install the Latest version of Power shell. We will need atleast 5.0 to make sure the script works correctly. Power shell is Part of the Microsoft Management Framework and like .NET should be installed in order.

Management Framework 4.0

https://www.microsoft.com/en-us/download/details.aspx?id=40855

Management Framework 5.0

Download Windows Management Framework 5.0 (Superceeded by WMF 5.1 RTM version: http://aka.ms/wmf5download) from Official Microsoft Download Center

If you think you might have what you need already we can double check. Search for power shell on your computer and open it. Once opened put in the following command.

Code:
$PSversiontable

If you have the right version (5.0) it will look like this.

psversion.png

The version number MUST start with 5.

Next we need to allow execution of scripts from other machines. To do this search for powershell right click on it and start as administrator.

Then type the following and hit enter.

Code:
Set-ExecutionPolicy RemoteSigned

Powershell will then warn you and ask you how you would like to continue.

Press "A" without quotes and hit enter to allow execution of scripts.

You are now ready to unzip the script attached to this post.

All of the tools downloaded require as of the time of this posting about 610MB

IF A TOOL FAILS TO DOWNLOAD IT MAY NEED TO BE UPDATED PLEASE REPORT IT!!

After you have unzipped the script. Right click on it and select "Run with Powershell" to start downloading the tools.

It will go through some prompts and checks. Just follow the directions in the script. Once complete it should look a little something like this.

download2.png

You are now ready for the next step.
 

Attachments

Removal Process and Repair

Lets get started with the removal! You probably made it this far on will power especially if the only reason you have read so far is because you are infected. Let me take a brief moment (I promise) to explain the usage of Windows 7.

The idea behind its usage is simple. Most people that are on Windows 10 know the equivalent shortcuts or the OS already has he necessary pre-reqs to run the script. Additionally many have upgraded from Windows 7 making this a good starting point along with the fact that since Windows 7 does require pre-reqs to be installed it makes more sense to make the more difficult OS to configure for the task the one we base the instructions off of. The machine was fully patched on a fresh OS with MSE installed and running.

first-setup.png

Initial steps

Make sure you have an active internet connection. Follow the steps above to make sure the script will function for you. Make sure you have set some time aside to make sure you can troubleshoot issues you may have along the way. Make sure you have a copy of the guide provided for offline use in the post above.

QUICK TIPS

If at any point you lose your ability to connect to the internet after a reboot from a tool run the following two commands.

Code:
netsh i i r r

netsh w r


Removal

Threat Restraint


Lets start by running RKill to close some of the malware so we have a little more resources at our disposal.
RKill may ask you for administrator permissions. Just allow it and let it run. When it completes it should look like this.

rkill.png

Rootkit Removers

The next step is to start our rootkit battery. Our first program of choice will be TDSS. TDSS is made by kaspersky labs and is very good at dealing with root/boot kits. When we first open it up we are greeted with 2 EULA type windows, we will need to accept both of them before coming to the main window.

tdss-start.png

Without any further modification go ahead and click start scan to begin the search the window will look like the screen below. TDSS is very specialized so it should not take long for the scan too complete.

tdssscan.png

If you find yourself clean TDSS will tell you no threats were found and you can close the program. If however kits were detected the screen will look like this

tdss-found.png

Click on the drop downs and delete the items. TDSS will ask for a reboot while it attempts to clean the infection. After the reboot we can scan with TDSS again to make sure it is clean. If it is still not we may need to try other programs.

Moving on bitdefenders anti rootkit utility. Like TDSS this program is specialized so scans generally do not last long. The main window looks like this.

bitdefenderrootkitstart.png

After the scan you are greeted with a screen hopefully telling you the unit is clean. If not the options for handling an infection are the same for TDSS I recommend deletion. In rare cases a program will be unable to do so and for these situations I recommend quarantine but only as a last resort.

bitdefenderrootkitfinish.png

Though I don't have a picture if the unit is infected with a rootkit bitdefender sees you will have options very similar to TDSS simply select delete and reboot the machine when prompted.

MBAR is the next tool we will be using and the last in the rootkit category. This tool is a bit more broad than the previous bitdefender and TDSS scanners and because of this the scans are a bit longer. When you open it you will be greeted with the below window. Make sure to hit update. MBAR will also extract to its own folder on the desktop by default, should you need to rerun the program make note of this so you can find it in the future.

mbarmain.png

After the update is complete hit next and then the scan button. You will soon be on your way with mbar chugging along. Below is what the scan will look like.

mbarscan.png

Along with root/bootkits mbar also picks up some pesky virus that modify core system files and services.

After it finishes you will be resented with a clean bill of health or the infections it found. If it found infections press cleanup and reboot when prompted.

mbarinfected.png

After restarting the machine again you may run the scans again to determine there effectiveness. After this stage is complete we now move onto the next stage which will begin our main scan battery and will take the longest amount of time.

Broad Spectrum Scanners

Now that we have moved on to the general scanners we will be removing the majority of the malware on the system. Leading the race will be the EEK. EEK is a good removal tool provided by Emsisoft totally free.

After the program extracts it should open to its main window. Automatically it should start checking for updates which you will be able to see in the left hand box. If it doesn't go ahead and manually update it by clicking update inside the box. When it was complete it will give you a status and turn green.

eekmal.png

Now that its updated go ahead and click on "Malware Scan" on the right hand box. since this is probably the first time you have ran this you will get a few boxes popping up. One of which is going to ask you if you would also like to scan for PUPs a PUP is a "Potentially Unwanted Program" go ahead and press "YES" to this so we can cover all the basis.

eekpup.png

Since this group of programs scans for more things they take a bit longer than the rootkit scans we performed before. After it is complete the window should look like the one below. Click the button labeled "Delete Selected" if prompted to reboot do so.

eekdone.png

After EEK is complete we move on to Roguekiller Roguekiller is made by ADLice and is very good at detecting deep OS hooks. However the free version does not let you scan for PUPs. Lets go ahead nad launch it now. After it starts it will have a scan now button. Click scan now and you will be greeted with a screen of locked options (Free) go ahead and click start scan again to begin.

roguestart2.png

While the scan is running you will see detection (hopefully) start to add up towards the bottom in some circumstances the below will happen. Basically Rogue understands that something MIGHT be a virus even if its definitions aren't sure. When this happens Rogue will ask you if you would like to submit it to virus total which I linked above. Once rogue killer gets a more definitive response it will deal with it accordingly. For these cases I click "Always"

roguevirustotal.png

When the scan finishes you will be greeted with a screen that looks like the following. Right click on anything in the list and then click "select all" followed by "Remove Selected"

rogueall.png

Rogue will begin clean up and you will be asked to reboot the machine, go ahead and do so now.

We will now begin our Malwarebytes Anti Malware or MBAM for short scan. MBAM if you haven't gotten from the name alone specializes in malware removal. This product does infact require installation so lets follow the steps to get it ready to scan.

After opening the program click on "update" next to Database Version" to make sure we are as ready as we can be. After the update completes start the scan.

mbamrun.png

Once the scan is running like almost EVERY other virus scanner there are 3 to 4 distinct stages the software goes through. While the program is scanning you will see the malware tallies rise depending on how infected your system is.

mbamscanning.png

When MBAM is complete it will then automatically start the clean up phase. When the cleanup phase is complete the finish button will activate and turn blue. When this happens you can either click finish and close MBAM however, in some cases MBAM like many others will ask you to reboot. If this happens let it.

mbmamreboot.png

With MBAM done we are going to fire up Hitman. Hitman is a powerful scanner that is represented by surfright as a "second opinion" scanner. Hitmans detection and removal capabilities are fantastic. However you only have a 30 day trial. Hitman also implements a kind of hardware ID that makes it impossible to "reset". Once hitman is "activated" it is free for 30 days and will not remove again until it is paid. Because of this it is usually a good idea to think about its usage. If you deem your infection serious enough we will run it. If not we can move on below to sophos.

Starting hitman is simple enough once open simply hit "Next" until you get to the activation page.

hitmanactivate.png

Click activate free license. Once you have entered your email address and clicked next you will be shown the activation successful screen.

hitmanactivated.png

Simply click next which will start the scan. When the scan is complete you will have the telltale list of infected objects.

hitmanfinished.png

Click on any of the little arrows next to an object and you will be psented with a drop-down menu. go down to "Apply to all" and select "Delete" All of the object status should change to "Delete" next to them. Simply click next and hitman will begin removal. When it is done it will specify and either ask you to close or reboot.

hitmancompleted.png

With Hitman done the majority of the obvious infections should be gone. We can either skip the sophos scan, or we can finish the stage off by running it since hitman and sophos are usually swapped.

Sophos VRT is a disinfection tool made by Sophos themselves. Sophos is a big player in business and enterprise protection. They have been around a very long time and are a leading security company.

Install Sophos VRT and open it. Once Open Sophos should automatically start an update.

sophosupdate.png

After the update completed simply click on "Start Scan" to begin the process. Like the other tools in this category scans can take a long time and Sophos is a bit on the slower side. If however things have been smooth sailing up to this point you should have very few detection hits. Once it is finished click "Start Cleanup" and Sophos will begin its removal.

It is important to note however that we ARE still infact getting them which only provides more motivation to run the entire battery and emphasis the point that infections are difficult to remove and running the correct tools is important in ensuring a successful disinfection.

sophosresults.png

After the cleanup is complete we can close Sophos or reboot if it prompts us. Once either are done we will move on the last primary removal stage.

Malware/Junkware Removers

Now it is time for the last main battery section. The junkware removers. Last out of necessity but not the least powerful. I actually will be introducing you to two of the most powerful tools on the market for removing the junk and adware that infects peoples browsers and tags along in legitimate programs. Hate toolbars? Dislike software constantly popping up in the middle of the screen? These are for you.

Starting with ADWcleaner a powerful little utility that was once independently programmed by Xplode and is now run by Toolslib.

When opening ADW you are greeted with the EULA Accept it to start the program.

adwaccept.png

Once the program opens the interface should be very simple. Simply click on "Start Scan" to get moving. given the type of scan ADW and similar junkware removers usually process quickly.

adwscan.png

Once the scan is Complete ADW has a multi stage completion process. The first is to show you everything that has been found. Click the "Cleanup" button to begin the procedure. ADW will now prompt you several times.

adwwarning.png

After ADW closes the necessary programs it will prompt you for a reboot. Click "Ok" and ADW will reboot your machine.

adwreboot.png

With ADW complete we will now move on to JRT. JRT or Junkware Removal Tool was once a solo program written by thisisudax and then bought by Malwarebytes. They did right by him however and kept the form and function of the program itself the same.

Starting JRT will give you the following screen. For the most part JRT is a very simple program and doesn't have many stages that you need to interact with. Simply follow the on screen instructions. In rare cases JRT will ask you to reboot. Though usually it will simply open its logfile when its complete.

jrtstart.png

After you start the scan it will show its stages by way of representing a loading bar with stars *

jrtrunning.png

Once complete a log of the program is saved to your desktop and then opened before JRT exits. You can simply close this for now.

jrtfinish.png

At this point you are done with the main battery of removals. There are two specialized tools I will go over but both are usually only needed in very specific scenarios. They should also only be ran when all other cleanups have been performed (Which I will get into soon). For now we will begin the very final stages of the whole disinfection process. We will now clean the browsers and run the repair utilities.

Give yourself a pat on the back!!!!! The machine should be running alot better already go you!
Wrap-up and Repair

Browsers are usually always last because they are modified so much by so many types of infection its usually just better to reset them. Because of this I will be showing you the quick and dirty on how to do a full reset on the 3 most popular browsers. More disinfection information can be given, but we are just going to cover getting them to function correctly first.

In comes IE. IE is the default browser for Windows when first installed and alot of people still use it. It has also been around a long time so alot of junkware knows how to integrate with it. When we first open IE you will have a cog or gear symbol in the top right hand side. Press it.

ieoptions.png

Then make your way down to "Internet Options" and click it. Once that is done a box will open which are the settings and controls for IE. At the very top right of the window is a tab that says "Advanced" go ahead and click it to show us the reset options for IE.

ieresetconfirm.png

You can go ahead and click the button labeled "Restore Advanced Settings" If prompted if you would like to continue click yes. After wards click on the "Reset" button just below that. When the box pops up I would also recommend checking the box that says "Delete Personal Settings" This will delete all of your passwords and auto-fill history however.

After the reset is done the small status box will have all green check marks and a close button. Click close and reboot your machine.

ieresetdone.png

With IE done lets move on to Firefox.

Firefox is another big browser with lots of marketshare. Like most other browsers because of it's popularity it also gets quite a bit infected. After opening it like IE at the top right are three bars representing the firefox menu. Go ahead and click it. After its open we will be looking for a question mark bubble at the bottom of the menu.

firefoxreset.png

Go ahead and click on it to open the help menu, We will now find "Troubleshooting Information" and click on it. IT will open a new page with information you dont really need to worry about, however on the top right hand side are two buttons. One of them says "Refresh Firefox" click this button and we will get a confirmation prompt. Hit the "Refresh Firefox" button inside the prompt to reset the browser.

firefoxresetprompt.png

When Firefox is complete it will open a new page for you and you are ready to go!

firefoxcomplete.png

Withe the other two majors out of the way, you guessed it. If you are a chrome user this one is for you. Once we manage to get the browser open like firefox the settings menu is represented by 3 bars in the top right corner. When we click it a menu will pop-up. We want to navigate down to the settings link.

chromesettings.png

If chrome has managed to detect that it has been modified you may be lucky enough to have the reset button in front of your face.

chromereset.png

If not we will need to scroll all the way to the bottom there will be a linked called "Show advanced Settings" click the link and the page will expand to show more settings. Once again scroll all the way to the bottom. The very last item will be a button that says "Reset Settings". Like the button in the previous picture both of these buttons will spawn the following warning box asking if you are sure.

chromeconfirm.png

Click the "Reset" button and chrome will take care of the rest. Once complete your browser is all set and ready to use!

With all of the crazy disinfection hopefully behind us its time to coax our OS back into working order. Much like a massage therapist the OS has been beaten up and changed because of the infections and the tools. We will use a handful of specifically chosen programs that tweak permissions, files, registry entries etc to get your OS back to operating how it should be.

Removing bad software is next on our list. Since we have ran through all of the big bad virus' it is time that we double and triple check to make sure nothing was missed. The last few stages are clean up and repair.

Lets go to control panel and start to remove some stubborn programs and in some cases programs that are more junkware than actual viruses in these cases they were probably skipped by the removers. You can get some help again using the link in this post to try and see if the program your thinking about removing is legit or not.

remove-programs.png

Some key things to keep in mind when removing is that there are some program you probably shouldn't remove. Alot of pre-built machines for example have special software installed to control things like hardware or special keys on your keyboard. Other software is important for things you use everyday like printers or your webcam. Here is a short example of things you probably shouldn't remove.

  • Any program that has your machine name in it DELL, ASUS, HP, ACER, Toshiba etc
  • Any program that has Microsoft in the name
  • Any software that appears like you use it, evernote, office, google chrome.
Here is a short list of things that are probably safe to remove.

  • Any program that has the name of the software that's bothering you
  • Any program that says toolbar
  • Any program that appears to be soliciting, offer, coupon, etc
As always check with the above post to make sure what you are removing is legitimate. Additionally in the course of uninstalling programs you may come across damaged ones that will not uninstall. These programs will give an error similar to the below.

uninstall-issue.png

In these cases we actually already have a tool we can use to rip it out. Though it is always recommended to attempt the uninstall normally if we cannot we can use RevoUninstaller to remove the offending program.

After opening Revo we will need to agree to there terms. After the program will scan the system quickly and display the programs it detects as installed. In the list find the program you were having a hard time removing. Click the program to select it and at the top tool bar click the uninstall button.

At first Revo will try and uninstall the program using the same normal methods windows uses. It is very possible that you will run into the same error you encountered when trying to uninstall it through the control panel, this is fine.

revoerror.png

Simply click ok and you will be shown the screen underneath. This is were we can ask Rev to force remove the program that isn't uninstalling correctly. Check the box labeled "Advanced" and click the scan button. You will be asked if you are absolutely sure you would like to uninstall it. Select yes to begin the scan.

revocheck.png

Revo removes software in two stages. Registry entries and files. When Revo is done its scan it will immediately show you the registry entry list. By default all files and registry entries will be unchecked for safety. If you are sure you would like to delete the program click the button labeled "Select All" and THEN press the "Delete" button. You will get a warning from Revo asking if you are sure. Click "yes", after the deletion is done nothing should be left in the box. Click the next button to move on to the files.

revocofirm.png

The files section will work just like the registry section. Select all the files and press the delete button. After it is complete Simply click the new "Finish" button on the bottom right hand side.

revofiles.png

Revo may ask you to reboot, if this is the case go ahead and let it. Otherwise you are done the uninstall! Just follow the procedure for the other software you might need to uninstall.

revofind.png

Without further adieu I introduce Tweak. Tweak is a AIO modification platform that handles multiple aspects of your operating system. From services, folder options etc it can reset them back to default.

Tweak on first start up will have a button at the bottom left. This button says "Reboot to safemode" Click it. Tweak relies on the clean(er) environment of safemode to complete its modifications successfully. Safemode looks odd to the average user everything will be big for one and your background picture will most likely be gone. Don't worry though! all of this will come back. For now after you are in safemode click on tweak again.

tweakstartup.png

Once we open tweak back up, on the top right hand side is a tab called "Repairs" click this tab to access the repair page.

tweakopenrepair.png

When you are ready simply click the "Open Repairs" button to access the repairs menu. You will be prompted to save a file at this point. Go ahead and choose any folder you would like, but remember where you are saving it. This is actually saving an important set of files we can fallback on if something goes wrong.

The repair window requires no modification by default. Simply click the button called "Start Repairs" and we will be on our way. Given the amount of things Tweak modifies this can take a long time so don't sweat it.

tweakrepairwindow.png

When all is said and done Tweak will tell you its time to reboot your machine. Click the "Yes" button and you will be brought back to normal mode were things will look more like you are used too.

tweakcomplete.png

With Tweak done we can do the last of the cleanup to save some space and speed on the system. The first trick up our sleeve is one all too forgotten. Disk Cleanup. Disk cleanup is a utility built into the Windows operating system that can be used to clean up temporary, old or unused files on the machine. In alot of cases this can save several gigs of data.

To start simply open the start menu and type the word "Disk" When "Disk Cleanup" shows up in the list right click it and select run as administrator (we do this to save time)

diskcleanadmin.png

Disk cleanup will open and start searching. When it is complete it will display a box with small check boxes of things you can select for deletion. We are going to go through the list and check all of the boxes.

diskcleancheck.png

After all of the boxes are checked press the "OK" button. Disk Clean will ask you if you are sure you want to delete the files, click the "Delete Files" button to begin the process. Disk Clean can take hours if there is alot of data to delete, it also depends on the speed of your machine so be patient. When it is done deleting files it will automatically close.

That's it your done! congrats! 👏 :toast:

You have by now hopefully successfully disinfected your system! you did great and awesome job on sticking with it. Lets talk about the elephant in the room though, in the next post I will go over some mitigation and protection techniques you can use to help stop this from happening again.

If you think you might need some extra help you can try the targeted repairs below which might fix or catch things that others have missed, however you need to know that for the most part alot of the targeted repair utilities can damage your machine. Use extreme care when running them.


Targeted Repairs


The targeted Programs are powerliks and Combofix. Combofix is almost like a cross between tweak and a broad spectrum scanner. Powerliks is actually a single tool that looks for 1 single type of infection. You can read more about powerliks here.

To start I will run you through ComboFix this software can cause serious issues with your OS so it is only recommended if you are certain you are still infected. It only supports XP through Windows 8 NOT windows 8.1+.

First and foremost before beginning combofix you should shut off any AV protection you have on. This includes Microsofts MSE. If you do not Combofix will warn you before starting and tell you what product it detected as active. After you have shut off your protection combofix will start and you must accept its agreement.

cfixstart.png

After you accept the agreement Combofix will extract its contents and begin.

cfixextract.png

During the extraction combofix may ask you to update it. Press the "YES" button and the extraction process will start over with the new edition.

cfixupdate.png

Like JRT combofix will automatically begin, Combofix uses a text based output for status. It goes through many different stages and will eventually reboot your machine for you. After the reboot combofix again like JRT will present a text file to you with the outcome of the removal.

Powerliks remover by ESET is the next specialty tool we will be using. ESETPowerliks isnt dangerous in the traditional sense and only takes a moment to run. I excluded it from the main battery scans only because it is seldom needed. However if you would like to make certain you have covered all of your basis this is how to use it.

When opening ESETPowerliks you will be prompted to accept there terms. Accept the terms to move on to the program itself.

powerliks.png

Afterwards the program will run automatically and tell you if you are infected. Most of the time you will not be. If you are Powerliks will ask you to hit any key to disinfect, afterwards it will reboot. If you are infected feel free to scan once more after the reboot.

powerlikscomplete.png

That's it! I will add more off the wall utilities as I deem them needed for this informational and document them accordingly.

Wrap up and Mitigation

Tools

Prevention is arguably the most important deterrent for malware in the security world. Alot of enterprise level technicians and administrators focus on how to keep infections OUT instead of installing relying on software on the machines to deal with infection when they happen. There are alot of tools in the corporate world to do this. However fear not below I outline some of the preventative measures we can use to try and keep this kind of thing from happening.

First is Cryptoprevent. This is a software used to help prevent ransomware from infecting your machine. It used to be a free exclusive and there is a free version still it just doesn't update automatically. For the normal home user this is fine. I SERIOUSLY recommend it for someone that does alot of email attachments and connects to big networks, Apartments, Schools, etc.

When opened cryptoprevent will ask you a few questions and then it will launch. You will be greeted with the window below. At the very least you should choose the default. If you want more protection simply chose a higher stage. If you run into problems you can always open it and step down a level until everything works fine for you. It will then ask if you would like to whitelist programs you can let it if the machine seems fine to you, reboot after it tells you too.

cryptoprevent.png

Browsers

Browsers are another big attack vector for malware. I would SERIOUSLY recommend that you install an adblocker. I have linked the more popular and trust worthy ones below.
CHROME

FIREFOX

IE

Installing adblockers should increase your protection online. Another method you can use that will help with sites that sneak through is modification of the HOSTS file. You may not be unaware of the HOSTS file but in simple terms it can override the website in your browser. This works both ways however and we can prevent the connection to some bad sites with it.

Download New FILE

The site that hosts it is witnhelp2002 they have made the modified host file for years and go into a bit better explanation as to what it does here.

Simply download the file and unzip it. Run the script file named "mvps" and follow the directions.

DNS

The last I can provide for now is OpenDNS this helps restrict the type of content your internet can access, from pornographic websites to political. OpenDNS has great support and a pretty easy setup. Give them a look HERE.

For basic home protection you can change your DNS servers on every device (or just your router) to the addresses below. These servers are pre-configured to block adult content and offer the same uptime as the normal openDNS addresses.
  • 208.67.222.123
  • 208.67.220.123
These servers are public openDNS servers like googles 8.8.8.8 and 8.8.4.4 and unlike the "FAMILY SHIELD" addresses provided above these do not do blocking by default.
  • 208.67.222.222
  • 208.67.220.220
DNS servers translate website names like google.com in the IP Address numbers computers need to find the site you are going too. By using "filtered" DNS servers we can blacklist bad websites from even being allowed to show up on your computer.

Lets dig in! Now generally your PC can use two different DNS servers in case one doesn't work. You can set these servers on each of your internet connected devices. Ideally you would set them on your router which would filter for your entire network. Its a bit better and recommended but unfortunately there are too many different ways to access routers and modems. You can start your search here or ask in another forum thread for help.

Now to set it up on your PC should be a bit easier. OpenDNS actually provides a guide HERE just remember to use:
  • 208.67.222.123
  • 208.67.220.123
Instead of the ones in the guide so that you get protection.

Other great DNS providers exist like Quad9:

9.9.9.9

It also doesn't require any additional setup. You can read more about them HERE.

Explanation

I chose the software and methods above because of the effect they have on the everyday user. Protection is key in the digital world to prevent infection. The tools above are updated frequently and have other security minded people behind them.

They are also easy to use, even for the most computer inept with some simple instruction the tools are easy to use and provide a lot more protection than even default settings. I encourage everyone professional or otherwise to try and improve security wherever they can.

Best Practices

Best practice is a hard trick to teach. Best practice usually involves implementing something or locking something down to the point of almost being as annoying as the malware that made it needed. However this doesn't need to be the case. I have a few examples of how you can use best practices to help protect your data you and your machine by doing some simple routine things, just like taking your car to get an oil change.

Reset your firewall. If you haven't already throughout this guide it would be a good idea too.

Here is a great guide How to Restore or Reset Windows Firewall settings to defaults

Keep a copy of one of the broadspectrum scanners I provided above, something like the EEK or Rogue run every month just once could do loads to help you stay virus free.

When it comes to email too good to be true usually is. Remember what I mentioned before? Be careful with attachments. Don't open them unless they are from someone you know. Also be sure to second guess even some legit looking ones. Ransomware is spread a lot via attachment from a postal service.

Usually masked as a invoice, before opening ask yourself "Did I order anything?" If not chances are its fake and remember UPS/FedE/DHL/USPS etc don't have access to your email, Amazon, ebay and many other online shopping sites aren't allowed or required to give that information. So how would they know to send it too you?

Get some actual protection. Like it or not if you are infected you probably need it. I recommend AV software to begin with, performance issues are rare and I have dealt with alot of systems. While I appreciate people's ability to not use them or concerns about performance impact, if you followed this guide there is no real argument against it. Here are some light weight good guys.

Their are free and paid versions. Usually the difference between free and paid is the extra stuff. Browser blockers and anti spam etc however there usually ARE differences in the free products, definition updates come slower, others don't use an engine as powerful as the paid version. This can let things slip by. Of course the choice is yours. I am only going to advise that you get one.

Sophos Home
A good product, requires internet connection for management but good detection rates.

Kaspersky
A decent AV. Kaspersky has been around for a long time. The detection rates are superb and they play a very big role at detecting new threats in the wild. Deep scans can be rough on the HDD however.

Cylance
Cylance is a AI based AV and one of the first available for everyday users. Its cheap and very light weight and detection rates are great. False positives need to be controlled via the web UI.

Emsisoft
Emsisoft is a fresh perspective on AV with a clean easy to use interface. Its definition driven, but the detection rates are top notch and the AV isn't a drain on system resources. They also have a free on demand scanner the EEK that uses the same engine and DBs. It's a great AV to use even if just for the on demand aspect.

Bitdefender
An ok program that now has a free edition, bitdefender has more aggressive scan options by default that can turn away novice users but its detection rates are great.

ProTip: I have purchased each of the AV products above and used the free ones for some time. I have chosen these among others I have also own(d) because of there usability affordability and availability. They have also made numerous rounds on my malware machines and even attack some of my tools (RUDE). That said in the spirit of the forum and social stigma I have linked the free editions with the exception of Kaspersky which does not but I believe to be too great an option to not include.


Thanks for reading the guide, I hope I have helped enlighten you the reader and with a little luck persuaded you into taking security more seriously in one way or another. For the user that came here because they were infected I really hope it helped you, it really is frustrating.

For guide related questions feel free to respond below.
 
Back
Top