It's been a long time since my last post so here goes.
Here are the lists of techniques you can do to remove malwares. Some of these are easy no brainer, to moderately difficult to extremely hard (for the average Joe, and some technicians included).
Here are the easiest solution though you need some preparations for these to work like downloading the iso and burning or making a bootable USB drive.
- Using a Bootable CD/DVD/USB of any AntiVirus. Advisable to update the antivirus signatures before scanning. Here are a few examples:
- Performing a scheduled Boot Scan (Ex. Avast!)
- I'll add Hiren's Boot CD. Unless you have the latest version of an antivirus with the option of updating the AV signatures, you might miss a zero-day malware or newer strains by scanning with an outdated AV. (Note: I use HBCD ver. 10 so I never use it for scanning)
- Scanning the infected HDD as a slave on a clean system with updated antivirus
This one requires that you know where to look for malwares
- Booting with Live Windows CD/DVD or any Linux distro and manually deleting the malware that starts with Windows. With Windows, I'd start with the registry (research offline registry editing) and work my way in reverse. If you don't know your way around the registry, you can use programs like Autoruns. For Linux, I'll look for the usual places where a malware may reside. Temp folder is a good place to start.
There are times when malware will not let you boot in Safe Mode, in cases that you can, you can try the following:
- Boot in Safe Mode with Networking so you can update your antivirus prior to scanning.
Last is removing the malware while it is active in memory in Normal Mode. The steps are simple.
- Search and Destroy
- Search - Using Tasklist, TaskMan or any similar program to look for suspicious running processes. Or other suspicious programs that starts with Windows
- Mostly these are processes with gibberish filename (Ex. sfhkewj.exe)
- Something that looks like a legit Windows file but in the wrong place (Ex. C:\Windows\System\csrss.exe)
- Shortcuts, *.pif or *.vbs/vbe in Startup folder
- Other programs that starts from AppData or Temp folders
- Destroy - Terminating the running malware processes using TaskMan or similar app and deleting the malware plus other drop files.
- Another way to look for malware file location is to look at the registry. Here are some of the key locations:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Using enumerators or AV tools to look for malware. You base your search on the report logs
After you terminated the malware from running, it's time to do a scan using an updated antivirus/antimalware
Scan also all external/USB drives. Unhide all folders and files in case you were infected with a shortcut worm like Ramnit.
Note: For other high risks malware/worm (Ex. sality, virut) always use a dedicated removal tool.
Other tools for malware removal worth mentioning that I still use:
- File Assassin - Use this to delete stubborn malware
- Unlocker - Same function as File Assassin
- Blitzblank - My Go tool when File Assassin or Unlocker failed to delete malware. Must have prior knowledge of files and registry items to delete.
All content ("Information") contained in this report is the
copyrighted work of WinXPert: Virus and Malware Removal.
The Information is provided on an "as is" basis. WinXPert
disclaims all warranties, whether express or implied, to the maximum
extent permitted by law, including the implied warranties that the
Information is merchantable, of satisfactory quality, accurate, fit for
a particular purpose or need, or non-infringing, unless such implied
warranties are legally incapable of exclusion. Further, WinXPert does
not warrant or make any representations regarding the use or the
results of the use of the Information in terms of their correctness,
accuracy, reliability, or otherwise.
Copyright © 2019 WinXPert. All rights reserved. All other
trademarks are the sole property of their respective owners.
To GOD be the glory!
