Virus and Malware Removal
Disclaimers
- This article uses Windows XP as an example.
- Always have backups of your files.
- The author is not responsible for any damage to any of your property.
- The author does not have any relationship with the software mentioned in this article. They are mentioned only for your convenience.
- This article may not be reproduced whole or in part without prior permission from Silkroad-Consulting.com except for private use.
Introduction:
Malicious programs (malware: viruses, spyware, worms, trojans, rootkits, etc.) are becoming more and more sophisticated. Avoiding an infection is fairly easy, but getting rid of one can be very hard. Once you are infected, you might never get your computer back to its pre-infection state, so it is much better to practice safe computing as described in the article here.
Tools and Requirements:
- Anti-malware programs installed and updated. For example:
- (Optional) Administrative password
- (Optional) Boot-disk with anti-malware program, for example, UBCD (ubcd4win.com)
- (Optional) Internet connection to online anti-malware scanners
- A couple to several hours of time
Key Concepts:
Clean when your operating system is least active. While the operating system is running, the malware is running too, and active malware can evade detection, reinstall itself after removal or disable your anti-malware programs. So the best way to remove malware is to run your anti-malware programs when the operating system is as inactive as possible.
Clean multiple times under different circumstances. Malware is getting better at evasion and at reinstalling itself, and anti-malware programs detect different things under different conditions (for example, a file that is locked while Windows is running can be removed when scanning from a boot CD). So scan multiple times under different circumstances; you will often need several passes to completely clean a computer.
Different anti-malware programs detect different malware. Always clean with at least two brands of each kind of anti-malware program; for example, use two brands of anti-virus program and two brands of anti-spyware program. (Note: some anti-malware programs interfere with each other or with other programs, particularly when more than one real-time scanner is running at once.)
Double-check your system and manually clean out what your anti-malware programs did not detect. Anti-malware programs might not be able to completely clean your computer, so after using them, inspect the system manually and, if necessary, do some manual cleaning.
General Technique:
Combining all the key concepts gives the general technique: a series of scans at different levels of system activity, from least active to most active. Here are the steps in sequence:
Clean using a boot CD
The best case is a boot CD that carries anti-malware programs. The advantages are: 1) the installed operating system is completely inactive, so the malware never gets a chance to run; 2) it works even if the computer has no anti-malware program installed; 3) it works even if the infection prevents the installed anti-malware programs from running.
Schedule a boot-time scan
If you don't have a boot CD, the next best option is to schedule a boot-time scan. Boot into safe mode (see below) and check whether your anti-malware program can schedule a boot-time scan; AVAST (avast.com), for example, can. After scheduling it, reboot and let the scan run during startup, when the operating system is mostly inactive.
Boot into safe mode and clean
This is the most common scenario, but less ideal than the two options above. In safe mode the operating system is active, though at a lower level than in normal mode: many parts of the operating system are not running, but many kinds of malware already are. To boot into safe mode, reboot your computer and press F8 before the Windows XP logo appears; if you miss it, just reboot and try again. Once in safe mode, run through your suite of anti-malware programs. Repeat until you get a clean bill of health or can make no further progress.
Boot into normal mode and clean
Boot into normal mode and run through your suite of anti-malware programs. Repeat until you get a clean bill of health or can make no further progress.
Scan using online anti-malware website
If you still do not have a clean bill of health at this point, try to scan using online anti-malware websites, for example:
Inspect your computer and do manual cleaning
Here are the places you need to inspect:
Processes that are running
Right-click on your task bar and select "Task Manager" to open it. Select the "Processes" tab and click on "Image Name" to sort the processes by name. For each name in the list, use Google or the list at processid.com to find out whether it is a legitimate process. If it is malware, select the process and click "End Process" at the bottom. If you still find malware running after that, you will probably need to do some manual cleaning.
Malware that is still installed
Open "Control Panel", open "Add/Remove Programs" and Google every program listed to see if it is legitimate. If it is malware, click the "Change/Remove" button and uninstall it.
Malware that is set up to run at system start-up
Inspect the registry keys listed here and use Google to check whether the programs they launch are malware. Malware often borrows the name of a legitimate Windows process, so check the folder each entry is launched from, not just the file name.
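The inspection above can be sped up with a small script. The Python below is an added example, not part of the original article: it triages two text captures you can take on the infected machine with `tasklist /fo csv` and `reg export` of the Run key (both commands ship with Windows XP Professional), flagging process names that are one character away from a core XP process name (such as svch0st.exe or lsas.exe), names that are not on a baseline list, and Run entries that launch from Temp, RECYCLER or Application Data or that use a system-process name outside System32. The baseline list, the directory list and both sample captures are constructed for illustration, and the `%SystemRoot%` expansion assumes the XP default of C:\WINDOWS. Because tasklist's CSV output does not include the image path, the process check is name-only; every verdict is a pointer for the Google check described above, not proof of infection.

```python
r"""Triage helpers for the manual-inspection step (added example, not from the
original article).  Inputs are text captures taken on the infected machine with
    tasklist /fo csv > procs.csv
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg
(both ship with Windows XP Professional).  Baseline and samples are constructed."""
import csv
import io
import re

# Core Windows XP processes one expects in Task Manager (constructed baseline;
# extend it only with entries you have verified on a clean machine).
XP_BASELINE = {
    "system idle process", "system", "smss.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
    "taskmgr.exe", "alg.exe", "wuauclt.exe", "userinit.exe",
}
# Names malware likes to borrow; the legitimate copies live in System32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "smss.exe", "services.exe"}
# Directories from which legitimate auto-start programs are rarely launched.
SUSPICIOUS_DIRS = ("\\local settings\\temp\\", "\\windows\\temp\\",
                   "\\application data\\", "\\recycler\\")

def within_one_edit(a, b):
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    shorter, longer = (a, b) if len(a) < len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def triage_processes(tasklist_csv):
    """Map each image name from `tasklist /fo csv` that is not in the baseline
    to 'lookalike of <baseline name>' or 'not in baseline'."""
    findings = {}
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        name = row["Image Name"].strip().lower()
        if name in XP_BASELINE:
            continue
        twin = next((b for b in sorted(XP_BASELINE) if within_one_edit(name, b)), None)
        findings[name] = f"lookalike of {twin}" if twin else "not in baseline"
    return findings

def _command_image(command):
    """Lower-cased executable path from a Run value, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)].lower()
    return command.split(" ", 1)[0].lower()

def triage_run_key(reg_export):
    """Map suspicious value names in a `reg export` of a Run key to
    (image path, [reasons]); lines that are not "name"="data" are skipped."""
    findings = {}
    for line in reg_export.splitlines():
        m = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if not m:
            continue
        # .reg files escape embedded quotes and double every backslash
        command = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
        # assume %SystemRoot% is C:\WINDOWS, the XP default
        image = _command_image(command).replace("%systemroot%", "c:\\windows")
        base = image.rsplit("\\", 1)[-1]
        reasons = []
        if "\\" not in image:
            reasons.append("bare file name resolved via PATH: locate it manually")
        elif any(d in image for d in SUSPICIOUS_DIRS):
            reasons.append("launched from a temp or profile-data directory")
        if base in SYSTEM_NAMES and not image.startswith("c:\\windows\\system32\\"):
            reasons.append(f"{base} outside System32")
        if reasons:
            findings[m.group(1)] = (image, reasons)
    return findings

# Constructed captures: two look-alike names and one unknown process; Run
# entries from the Temp folder, from RECYCLER, a bare name and a legitimate one.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"System","4","Console","0","236 K"
"smss.exe","524","Console","0","388 K"
"lsass.exe","668","Console","0","1,244 K"
"svchost.exe","836","Console","0","4,852 K"
"explorer.exe","1544","Console","0","22,000 K"
"realsched.exe","1700","Console","0","2,400 K"
"svch0st.exe","1900","Console","0","3,100 K"
"lsas.exe","1920","Console","0","1,200 K"
'''
SAMPLE_RUN_KEY = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="\"C:\\Documents and Settings\\User\\Local Settings\\Temp\\svchost.exe\" -s"
"WinSys"="C:\\RECYCLER\\S-1-5-21-1234\\lsass.exe"
'''
```

Call `triage_processes()` and `triage_run_key()` with the contents of your own captures in place of the samples; on the samples they report svch0st.exe and lsas.exe as look-alikes, realsched.exe as not in the baseline, and the Updater and WinSys entries as system-process names launched from Temp and RECYCLER. A clean result does not mean the machine is clean: a rootkit can hide its process and registry values from Task Manager and reg.exe alike, which is one more reason to also scan from a boot CD.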
Re-scan
If you were able to do some manual clean-up in the previous step, you may have dislodged malware to the point where your anti-malware programs can make further progress, so a re-scan is recommended.
Seek help online
If you get stuck or still cannot get a clean bill of health at this point, research the symptoms on Google.com. You can also ask for help in forums; it is often useful to run HijackThis and post its log together with a description of the problem.
Windows Built-in Tools:
Windows itself has tools for repairing itself; these can also help clean out malware.
System File Checker (sfc.exe)
This Windows program scans, verifies and replaces certain system files (from a source directory or CD). More info here.
Windows System Restore
This Windows feature rolls Windows back to an earlier restore point. Note that restore points can themselves contain infected files, so a restore can bring an infection back. More info here and here.
Last Known Good Configuration
This boot-menu option reverts the system configuration in the registry (the driver and service settings) to the one in use at the last successful log-on. It can undo a malware driver or service registration, provided the infection happened after that log-on; it does not replace system files. More info here.
Windows System Repair
This process repairs Windows by re-installing the system files from the Windows CD while keeping your installed programs and data. More info here and here.
- Some more information on repairing Windows here, here and here.
Alternatives and Last Resorts:
If the above steps cannot restore your computer to a satisfactory state, you may want to try alternatives or more drastic steps, some of which are destructive.
- If you have access to another computer, you can remove your hard drive, attach it to the other computer as a secondary (non-boot) drive and scan it from there using the steps above; the infected operating system is never started, so this works like the boot-CD case.
- If not, make sure you have backups before you try the following alternatives.
- If you have important files at risk, consider professional help; it may cost a couple of hundred dollars and still does not guarantee non-destructive recovery.
- (Destructive) Re-install the operating system or do a factory restore.
Caveats:
- There are fake malware removal programs that pretend to help you and are often malware themselves. Use Google to check any tool before you run it.
- While repairing Windows, disconnect it from the internet in case it gets attacked during the repair. Without a firewall and current patches, a newly installed Windows can be infected over the internet very quickly.