Poll: How do YOU remove malware?

What is your technique for removing malware on either your own or other people's PCs?

  • I just format and reinstall: 44 votes (21.8%)
  • I run various anti-virus/malware products and if they fail to remove it I end up reinstalling: 88 votes (43.6%)
  • I try to find and use a specific removal utility designed for the exact type of malware: 29 votes (14.4%)
  • I use tools like HijackThis/Sysinternals but not always successfully and I end up formatting: 10 votes (5.0%)
  • I use tools (as above) and have ways of preventing the malware from "coming back": 31 votes (15.3%)

  Total voters: 202
Soldato, joined 21 Oct 2002, 18,022 posts, London & Singapore
Answers on a post card...


When voting for option #5 please make a short post outlining your methods.
 
Spybot Search and Destroy
Windows Defender
Super Antispyware
Malware Bytes
Ad-Aware (tried and liked, removed because of incompatibility with Comodo Firewall, haven't re-installed yet)
AVG Anti-spyware (tried and liked, removed when I changed from AVG to Avira for AntiVirus)
Spyware Doctor (used to use until it stopped being free a few years ago)
Comodo BOClean (tried and removed)


I usually run most of those apps once a week or so.

If I find something suspicious, or if I suspect my machine is not running as it should, then I'll boot into safe mode and leave them running. I tend to find that they sometimes find things in Safe Mode that were missed normally, and it tends to be easier to remove stubborn things that way too.

What about you?
 
Not that I really ever have a problem, but on my own PC simply format and reinstall.

Other people's PCs I leave format/reinstall as a last resort. Often people don't have the restore discs for their computer, so sometimes it's not even an option without spending some money.

In these cases, I'll try and get some anti virus/malware scanners running just to see what's actually on there. Then if these scanners can't remove something then I'll look for a specific tool. After that and a couple of reboots I'll use some of the sysinternals tools to see what's going on. And then finally impart some advice about how to prevent it in the future. I usually also make sure they have the latest service pack, make sure the firewall and automatic updates are configured correctly and install one of the free AV solutions.

I voted format/reinstall, but in reality I explore all the options depending on the situation.
 
Option 2. Haven't ever had to reformat but if the tools I use didn't work I would.

SpywareBlaster, Spybot and Malwarebytes Anti-Malware btw. :)
 
Format and re-install - you've already lost if your machine's compromised because you can never be sure whether any rinky-dink clean-up tool has truly worked.

Couldn't be bothered doing that on someone else's computer. But being the person who 'fixes computers' for others is a world of pain that's best avoided, anyway.
 
If I ever found malware on one of our home computers I wouldn't hesitate to reinstall or roll back to a backup image.

However when fixing machines that belong to other people I'd use:

[First Disable system restore]
Malwarebytes
CCleaner
Spybot S&D
Combofix
HijackThis
Superantispyware

I'd then install Avast and Comodo firewall to prevent anything returning
 
Usually a combination of:

Malwarebytes, Spybot S&D, SmitFraudFix, Windows Defender and Ad-Aware, and then make sure Spybot's immunisation is up to date.
 
I never have to do malware removal on my own PC but for friends and family it is quite a common thing (probably 3 to 5 times per year on average).

My personal weapons of choice are:

Sysinternals Autoruns
Sysinternals Process Explorer
Sysinternals Rootkit Revealer
Regedit
NTFS Security

I use Autoruns and Procexp to get a broad view of the system and somehow I just "know" more or less instantly whether a filename looks dodgy or not. Then sure enough, after a quick look at the file properties it won't have any Version information like copyright, author or anything like that. Or sometimes it will but it will be badly written like "Micro soft (c)" or something ridiculous.

It is very common these days for malware to automatically protect itself by recreating its startup entries in case they are deleted (e.g. by Autoruns). This can be frustrating because usually "budding malware removers" can't work around the issue and have to reinstall.

But there is a method to remove these types of malware that I have used successfully for years. I used it yesterday on 2 rootkits that were even hiding their files from being listed in Explorer or CMD or anywhere!

The method is NTFS Security!

If you can see the file in Explorer then just go to its Properties and then the Security tab. All you need to do is create two new entries in here, as follows:

1. Create a DENY rule for the "SYSTEM" account. When selecting the permissions to be denied tick the "Full Control" box.

2. Create a DENY rule for the "Everyone" account. When selecting the permissions to be denied ONLY tick the "List folder / read data" and "Traverse folder / execute file" options. All other check boxes should be left unchecked.

Once you have created these rules. Press Apply/OK etc to save the NTFS Security changes you have made to the file(s).

Use this procedure on as many suspected rogue files as possible and then reboot your machine. No need to go into safe mode.

When the machine reboots the system will still attempt to "load" the malware but because you have set a NTFS Security rule to DENY the "SYSTEM" account and the "Everyone" account from reading or executing the file... it will not be loaded. All of the "autostart" regions of Windows will fail silently. So if there is a HKLM\Software\Windows\CurrentVersion\Run entry that points to a file which the system cannot access at startup then you will not receive any warning or notification but the file will not be loaded either.

Once booted back into Windows, load up Autoruns and Procexp again. Now you can attempt to delete the entries listed in the Autoruns software. Once you've deleted all the rogue entries perform a screen refresh (F5 key). The entries should NOT come back (i.e. they shouldn't be regenerated by the malware). If they do come back then it means that the malware is still running somewhere (perhaps you missed one of its companion files) and therefore it has regenerated its autostart entries.

This technique can be used with rootkits that hide their files as well, however the procedure can be a little more involved... for the simple fact that while displaying the standard Explorer "File Properties" dialog is totally possible on a rootkit-hidden file, it is just not made easy by Explorer to do it. I made a utility to work around this if anyone wants it.
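
The two DENY rules from the post above, scripted so they can be applied to a list of suspect files and then checked against the Run keys. This is an added PowerShell example, not the poster's own utility: the file paths are placeholders, the Run-key check only handles simple "path" or quoted-path command lines, and it assumes you are running from an elevated prompt on a machine where the files are visible (a rootkit that hides the file from the filesystem API will make Get-Acl fail, which the script reports rather than works around).

```powershell
# Added example (not from the original post). Run from an elevated PowerShell.
# For each suspect file, add the two deny ACEs the post describes:
#   1. DENY Full Control to SYSTEM
#   2. DENY "List folder / read data" (ReadData) and
#           "Traverse folder / execute file" (ExecuteFile) to Everyone
# Nothing else on the file's DACL is touched, so the owning administrator keeps
# READ_CONTROL / WRITE_DAC and can revert the change later.

$SuspectFiles = @(
    'C:\Windows\System32\suspect-placeholder.dll',   # assumed placeholder path
    'C:\Users\Public\suspect-placeholder.exe'        # assumed placeholder path
)

function Block-SuspectFile {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not found (or hidden from the file API by a rootkit): $Path"
        return $false
    }

    # Well-known SIDs rather than names, so this also works on non-English Windows.
    $system   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'  # NT AUTHORITY\SYSTEM
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # Everyone

    $denySystem = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $system, 'FullControl', 'Deny'
    $denyEveryone = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $everyone, 'ReadData, ExecuteFile', 'Deny'

    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($denySystem)
    $acl.AddAccessRule($denyEveryone)
    Set-Acl -LiteralPath $Path -AclObject $acl
    return $true
}

function Get-RunEntryReadability {
    # Lists Run/RunOnce values and whether their target file can still be opened
    # for reading by this (elevated) process. After the deny rules are applied,
    # the blocked entries should show Readable = False; after the reboot those
    # are the ones to delete in Autoruns (and confirm with F5 that they stay gone).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # skip PowerShell's own PSPath etc.
            $cmd = [string]$p.Value
            # Crude command-line parsing: quoted path, or first whitespace-delimited token.
            $exe = if ($cmd.StartsWith('"')) { $cmd.Split('"')[1] } else { $cmd.Split(' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $readable = $true
            try { [System.IO.File]::OpenRead($exe).Dispose() } catch { $readable = $false }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Target = $exe; Readable = $readable }
        }
    }
}

foreach ($f in $SuspectFiles) { [void](Block-SuspectFile -Path $f) }
Get-RunEntryReadability | Format-Table -AutoSize
# Reboot now: entries pointing at blocked files fail silently at startup, then
# delete them in Autoruns and press F5 to check they are not regenerated.
```

The same two ACEs can be set from cmd.exe with `icacls <file> /deny *S-1-5-18:(F) *S-1-1-0:(RD,X)`, which is handy when PowerShell is unavailable. Because the Everyone deny also blocks your own account from reading the file, keep a list of what you changed; once the autostart entries stay gone after the reboot, remove the ACEs (or just delete the file) rather than leaving orphaned deny rules behind.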
 
For me it depends if they want the PC formatted or not.

If they want to keep all their settings etc. and avoid a format then I'll boot into safe mode, turn off system restore and run every anti spyware scan I can think of :)
 
Format tbh. Usually requires one and gives me an excuse to waste a weekend on getting the system perfect and quicker than before.
 
Process Explorer and Autoruns are brilliant. That file permissions thing looks interesting. Rootkits are very clever (a pain in the butt) and something I need to learn more about.
 
Nice post. :) Bookmarked. :p
 
I've googled and googled but I've never seen my technique talked about or documented anywhere. Quite strange really considering it is such a simple and easy to use technique.

I believe the only malware/rootkit that at least partially prevents this technique is Conficker. But only because it sets the NTFS Security of its hidden rootkit files to deny the "Users" group all access to its files. But the "SYSTEM" account would still have access so it would just be a case of executing a script under that account to modify the NTFS Security. It would be much more involved but still possible.
 
I'll bear that info in mind if I ever come across something I can't remove by my normal process :)
 