Be sure to back up all your important data before removing malware as explained in this guide.
Be sure to back up all files you mark as suspicious, so that you do not lose files needed for normal Windows operation!
Please note that this guide contains a lot of ways to potentially destroy your Windows OS!
Don’t forget that even with the procedure found in this guide, not all malware can be removed. In the wilderness of the Internet there is always destructive malware that can encrypt your files, overwrite them with other data, or simply delete them. For most situations we hope you will find this guide helpful. Old DOS-style viruses that infect executable files, for example, cannot be removed this way.
Big thanks to the kind people from the hr.comp.hardver newsgroup for helping me write this guide.
Malware is a word that covers all typical threats: viruses, worms, trojan horses, spyware, rootkits, etc. Manual malware removal is a set of procedures that help you remove malware by hand so your PC can run normally again after it has been infected. For this purpose a set of specialized applications is needed.
Please note that these applications are not automated tools, but merely tools that give you enough information to decide what to do next. For effective malware removal it is more important that the person is highly skilled, understands how processes work in Windows, has enough knowledge and experience and, of course, uses plain and simple logic.
This guide could be very useful to advanced and professional Windows users. For beginners and others who are not very familiar with Windows, it can serve as educational material.
Be sure to update your Windows and antivirus software regularly. Antivirus should be updated at least every few hours! Keep this in mind!
Malware detection is a painful process considering the very miscellaneous types of malware, which means there is no universal detection technique. Everything comes down to discovering the malware ‘master’ files, which are the ‘engines’ of the infection. This process can take a lot of time for any antivirus application (depending on the number of files it has to scan). With this guide, depending on the quantity of malware on your PC, the problem could be resolved faster. Since humans use their brains rather than linear software, they have many advantages. We’ll try to explain some useful ways of discovering and removing malware from a PC, but we still urge you to be cautious to prevent damage to your Windows OS.
In most cases it is enough to stop the ‘master’ file from loading. We recommend you then use an antivirus (AV) application to fully remove all leftovers.
We have not yet mentioned how to tell whether a computer is infected. Here are some hints:
- Computer works very slowly
- Some processes in Task Manager use 100% of the CPU
- Hard drive LED blinks constantly
- Internet connection is very slow (even if it’s a high speed connection)
- Message popups begin to show up after reboot or during normal work, warning you about something or offering to connect you to some suspicious webpages
- There are popups in the system tray warning you that your computer is infected
- Desktop background is changed and Display Properties won’t let you change it back
- Folder Options (Windows Explorer->Tools) is no longer accessible
- Task Manager cannot be started
- AV application reports that it cannot update its definitions (even though your internet connection works fine)
- AV application manufacturer’s pages are inaccessible
- Some often used applications cannot be started anymore (Windows Explorer, the Explorer process, etc.)
- Hosts file has been tampered with
Here is a list of most useful applications when manually searching for malware.
- Task Manager (keyboard shortcut Ctrl-Shift-Esc): crucial part of every Windows installation, offers you a list of loaded processes
- Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx): replacement for Task Manager with much more in-depth information about loaded processes
- Regedit (Registry Editor): crucial part of every Windows installation, useful for locating the folders and files of infected programs that are loaded during the boot-up process
- HijackThis! (http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis): useful utility for locating files and folders loaded during the Windows boot-up process – recommended
- Command Prompt (Start->Run->Cmd): crucial part of every Windows OS – looks like the old DOS prompt and provides some neat commands such as cacls, del, rd, cd, dir, attrib and netstat
- Killbox (http://killbox.net/ ): Small utility useful when deleting files that cannot be deleted
- Autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx ): Listing of what is loaded during Windows startup process
There are some nice automated software packages useful when fighting malware.
- VundoFix (http://vundofix.atribune.org/ )
- CWShredder (http://us.trendmicro.com/us/products/personal/CWShredder/ )
And the most important:
- Internet Access: It’s very important to have an internet connection with access to your favourite search engine to check every filename you find suspicious during the process of identifying malware files.
Every computer needs preparation before the search for and identification of malware starts. It’s important to back up all important data and to disable or empty the most common places where malware can hide.
Note: While reading this text you’ll often see one important command used in the command prompt – CACLS. This is a special command in Windows that lets you change the security permissions of any file. The basic idea when using this command is to deny every user the right to read, write or execute the file. This way we effectively ‘destroy’ the file by not letting even ‘special users’, such as Administrators or System, execute it – and executing is exactly what most malware needs in order to infect your computer.
a) BACKUP YOUR IMPORTANT DATA!
The main part of any removal process is backing up important data. Please back up all data you consider important (briefly, any data you generated yourself and cannot download again, or can only download from the internet with difficulty): mailboxes, pictures, movies, sound files, configuration files, bookmarks/favourites, etc.
b) Disable System Restore
System Restore is a place where malware often hides. To disable it (and in fact delete all the saved restore data) do this:
1. Press WinKey and Pause together to open System Properties
2. Go to System Restore tab
3. Check ‘Turn off system restore’
4. Click Apply and then OK
c) Delete temporary files from TEMP/TMP folder and from IE, Firefox and other browsers
To delete files from the TEMP/TMP folders, follow these steps. Some of these files cannot be deleted – just leave them there for now.
1. Go to command prompt (Start->Run->Cmd)
2. rd /s %temp%
IE and other browsers save their temporary internet files in special folders. The easiest way to delete this data is through the browser’s options. Here are a few steps to delete temporary internet data from IE:
1. When in IE, go to Tools->Internet Options
2. Click on Delete Files
3. Check ‘Delete all offline content’
4. Click OK
d) Empty Recycle Bin
The Recycle Bin should be emptied following these steps:
1. Press WinKey + D to show desktop
2. Right click on Recycle Bin
3. Choose Empty recycle bin
4. Press WinKey + D again to show all your previous applications
If there is no Recycle Bin icon on the desktop, use the steps provided below:
e) Delete Recycler folder
- Go to command prompt (Start->Run->Cmd)
- Type rd /s C:\Recycler
If the folder cannot be deleted, then something from the Recycler folder is loaded as a process. Find out which file that is and note its location.
- Navigate to C:\Recycler (cd C:\Recycler)
- Type ‘cd ’ and press Tab to see how many Sxxxxxxx-xxxxxx-xxx folders you have. Navigate into each of them with ‘cd ’ followed by Tab: Tab once for the first folder, Tab twice for the second, etc. This is filename completion, so use it freely
- ‘attrib -r -a -s -h *’ to remove attributes from all files
- ‘del /q *’ to delete all files without being asked for confirmation
- ‘cacls *’ to see the permissions of any leftovers
- If there are any leftovers, destroy their rights with ‘cacls * /d everyone’ and answer ‘y’ when asked if you are sure
- Now restart your computer, go to the same RECYCLER folder (as described before) and just delete the remaining file (or leave it there)
Identifying malware is a very tricky process that involves a lot of knowledge, experience, intelligence and intuition. As there are many malware types (viruses, trojan horses, worms, rootkits, etc.), it’s very difficult to identify them. But, as stated before, humans use their brains and don’t ‘think’ linearly like computer software. This is the advantage we intend to use.
Malware can be identified only by its behaviour and by the files it loads. And it’s certainly hard to find out where they’re hiding! Here are some key tips:
1. Very often malware files have names similar to Windows files (e.g. the cfmon.exe malware and the ctfmon.exe Windows file). Moreover, these files are often placed in folders that don’t make them look suspicious (e.g. the svchosts.exe malware is dropped in C:\Windows, while the original svchost.exe is in C:\Windows\System32). As you can see, inexperienced people couldn’t discover these files easily. But there is a nice way to identify them: the DATE of file creation!
Files that were created a few days ago are the most likely to be malware, so be sure to write down their location and filenames and consider them suspicious! To list dates you can simply use Windows Explorer (click on Date Modified to sort from newest to oldest).
2. The second type of files are those with randomly generated filenames which cannot be explained intuitively (e.g. twhyjl(1).dll or hji882a.exe). These files are very likely to be malware, but beware – sometimes normal files have names that an inexperienced user cannot explain but that are very intuitive to someone who knows what he’s doing. Filenames such as tpfnf7sp.exe, nvsvc32.exe, etc. are not suspicious on a ThinkPad computer or on a machine with an nVidia card.
tpfnf7sp.exe is derived from ThinkPad (tp) Fn-key (fn) F7-key (f7), which is in fact the Presentation Manager for ThinkPad laptops. nvsvc32.exe comes from nVidia (nv) Service32 (svc32). Note that many manufacturers name their files with the initials of their brand (Hewlett-Packard uses HP, Canon uses BJ from the BJC inkjet series, ThinkPad uses TP, Toshiba uses TOS, Microsoft uses MS, etc.). As we said, be aware of files that look suspicious and have random names – use your favourite search engine to find out what your suspicious file in fact is.
3. The third type of files are those with a funny or very intriguing filename (e.g. planet.exe). Browse through Add/Remove Programs to find out whether this filename can be explained by some installed application. Also check from where this file is started; if one of the typical Windows folders (e.g. C:\Windows, C:\Windows\System32, C:\Documents and Settings) is the root folder of this file, consider it a danger and note it for removal.
4. Files located in the same folder with very similar random names, the same size and the same date of creation should immediately be considered malware (sadly, these are usually only dropped files, not master files) and be removed or moved to a safe location.
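Rules 1, 2 and 4 above can be turned into a small triage script that scores a directory listing (rule 3, checking Add/Remove Programs, needs a human). This is an added example written for this guide, not a tool the guide provides; the listing it runs over is constructed, and the list of Windows names it compares against is a short illustrative one, not a complete whitelist.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Legitimate Windows binaries that malware likes to imitate by name
# (constructed list for this example, not an authoritative whitelist).
KNOWN_NAMES = {"ctfmon.exe", "svchost.exe", "explorer.exe", "rundll32.exe", "lsass.exe"}

def edit_distance(a, b):
    """Levenshtein distance: 1 means one character added, dropped or changed (cfmon vs ctfmon)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_random(stem):
    """Names like twhyjl or hji882a: a long vowel-less run, or digits wedged between letters.
    Legitimate OEM names (tpfnf7sp) trip this too, which is why every hit gets looked up."""
    letters = "".join(c for c in stem if c.isalpha())
    longest_run = max((len(r) for r in re.split(r"[aeiou]", letters)), default=0)
    interleaved = re.search(r"[a-z][0-9]+[a-z]", stem) is not None
    return longest_run >= 4 or interleaved

def triage(files, today, recent_days=7):
    """files: iterable of (folder, name, size_bytes, created_date).
    Returns {full_path: [reasons]} for every file that trips at least one rule."""
    reasons = defaultdict(list)
    groups = defaultdict(list)
    for folder, name, size, created in files:
        full, lname = folder + name, name.lower()
        stem = lname.rsplit(".", 1)[0]
        if today - created <= timedelta(days=recent_days):          # rule 1: creation date
            reasons[full].append("created in the last %d days" % recent_days)
        if lname not in KNOWN_NAMES:
            for known in sorted(KNOWN_NAMES):                       # rule 1: look-alike names
                if edit_distance(lname, known) == 1:
                    reasons[full].append("look-alike of " + known)
            if looks_random(stem):                                  # rule 2: random names
                reasons[full].append("random-looking name")
        groups[(folder, size, created)].append(full)
    for members in groups.values():                                 # rule 4: dropped together
        if len(members) >= 2:
            for full in members:
                reasons[full].append("cluster of %d same-size files" % len(members))
    return dict(reasons)

# Constructed directory listing: (folder, name, size, created). Not from a real machine.
TODAY = date(2008, 3, 10)
SAMPLE_LISTING = [
    ("C:\\Windows\\", "svchosts.exe", 20480, date(2008, 3, 9)),
    ("C:\\Windows\\System32\\", "svchost.exe", 14336, date(2004, 8, 4)),
    ("C:\\Windows\\System32\\", "twhyjl.dll", 61440, date(2008, 3, 8)),
    ("C:\\Windows\\System32\\", "hji882a.dll", 61440, date(2008, 3, 8)),
    ("C:\\Program Files\\ThinkPad\\", "tpfnf7sp.exe", 90112, date(2006, 1, 15)),
    ("C:\\Documents and Settings\\user\\", "planet.exe", 40000, date(2008, 3, 7)),
]
```

Calling triage(SAMPLE_LISTING, TODAY) lists svchosts.exe with three reasons, the two same-size DLLs as a cluster, and the ThinkPad file only as random-looking; nothing here deletes anything, the output is the list of names to look up.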
There are malware files that are very hard to find because they sit between Windows applications and the Windows kernel, like gateways: something similar to the ‘rundll32’ application, but used to load .exe applications, which makes them a big threat. Also consider every ‘rundll32.exe’ entry in the Task Manager listing a potential threat that should be checked further. Use Process Explorer, HijackThis and Autoruns for this.
Always check the file properties for version, manufacturer and other useful information. If no data is provided on these pages, the file you’re looking at could be malware.
If no information is provided, note the file and look it up on your favourite search engine.
Recommendation: check every file you find suspicious on your favourite search engine to see what it really is. Be ready to find a lot of false positives, DO NOT DELETE THESE FILES!
a) View processes using Task Manager (Ctrl-Shift-Esc, go to Processes tab) or using Process Explorer
- Find the processes with the highest CPU usage (double click on the CPU column to sort)
- Find strange, random filenames or filenames similar to typical Windows processes
- Write down the names of those processes in Notepad or in a notebook
- Try to end those processes and see if they are loaded again immediately after you killed them
- Check noted names on your favourite search engine
b) View registry keys
- Using Registry Editor (Start->Run->Regedit) check specified registry keys
- Find out which folders are starting location of files you find suspicious
- Go to those folders (Windows Explorer or Command Prompt)
- Check the date of creation for those files; if a file is only a few days old, it’s very likely to be malware
- Check noted filenames on your favourite search engine
c) View loaded files using HijackThis!
- Look at the list of which files are loaded during Windows startup
- Note filenames and locations that have suspicious names as explained before
- Check noted filenames on your favourite search engine
- Check them in HijackThis and click on Fix
- Click on Scan to scan again
- Find out if the filename you checked before is showing again. If you find it, note its location and filename for later low-level removal.
d) View current connections
- Exit all applications and disable all applications that use internet or network connections
- Wait a few minutes (go fetch a coffee or juice)
- Open your Network Connections and double click on your internet connection to monitor its activity
- Ctrl-Shift-Esc to start Task Manager, go to Networking tab, and monitor your connection to the Internet (you know how you named it)
- ‘netstat’ to see all open connections
- If there are many open connections (more than 10 ESTABLISHED) and network utilization is pretty high (over 2%), it’s likely that something is sending or downloading files from the internet. Also check whether any connection is using port 25 (the SMTP port for sending email).
- Cross-check with your internet connection and see what is going on – is it sending or receiving? If it’s sending data, it’s very likely that you have some kind of malware (like a trojan horse that is sending emails around)
- Note the IP addresses or webpages your computer is connected to
- Check noted addresses on your favourite search engine
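The two rules above (more than 10 ESTABLISHED connections, and anything talking to port 25) applied to a netstat listing, as an added example that is not part of the original guide. The ‘netstat -an’ output it parses is constructed and uses documentation address ranges, not real hosts.

```python
import re

# Constructed sample of Windows 'netstat -an' output. Addresses come from
# documentation ranges; nothing here was captured from a real machine.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         127.0.0.1:1027         ESTABLISHED
  TCP    192.168.1.5:1034       198.51.100.20:80       ESTABLISHED
  TCP    192.168.1.5:1041       203.0.113.7:25         ESTABLISHED
  TCP    192.168.1.5:1042       203.0.113.9:25         ESTABLISHED
  TCP    192.168.1.5:1043       203.0.113.9:25         SYN_SENT
  UDP    0.0.0.0:445            *:*
"""

# Proto, local address, foreign address and an optional state column (UDP has none).
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def split_addr(addr):
    """'203.0.113.7:25' -> ('203.0.113.7', 25); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Turn the text listing into dicts; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        conns.append({"proto": proto, "local": split_addr(local),
                      "remote": split_addr(foreign), "state": state or ""})
    return conns

def assess(conns, max_established=10):
    """The guide's two rules: more than max_established ESTABLISHED sessions to
    outside hosts, and anything at all talking to remote port 25 (SMTP).
    Loopback sessions are ignored; they never leave the machine."""
    outside = [c for c in conns if c["proto"] == "TCP"
               and not c["remote"][0].startswith("127.")]
    established = [c for c in outside if c["state"] == "ESTABLISHED"]
    smtp = [c for c in outside if c["remote"][1] == 25]
    return {
        "established": len(established),
        "too_many": len(established) > max_established,
        "smtp_hosts": sorted({c["remote"][0] for c in smtp}),
        # Remote addresses to note and look up, as the last two steps above say.
        "lookup": sorted({c["remote"][0] for c in established}),
    }
```

On the sample, assess(parse_netstat(SAMPLE_NETSTAT)) reports only three established sessions (below the threshold) but two hosts being contacted on port 25, which is the case the guide singles out.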
e) View hosts file
Some malware has the ability to change the hosts file by adding entries that redirect the official webpages or update pages of popular AV applications to 127.0.0.1, which is in fact localhost (your own computer).
- Open C:\Windows\System32\Drivers\Etc\Hosts
- Check that there are only entries known to you (the default is only 127.0.0.1 localhost); if anything more has been added and you weren’t aware of it, remove it
The other way is to navigate with Windows Explorer to C:\Windows\System32\Drivers\Etc and check ‘Date modified’ for the hosts file. If it’s only a few days old, it has been tampered with and should be edited to remove those entries.
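The hosts-file check above as an added example, not part of the original guide: a small parser that separates the default entry from everything else and singles out names pointed at an address that goes nowhere. The tampered hosts file is constructed and the vendor domains in it are placeholders.

```python
# Constructed sample of a tampered hosts file. The vendor names are placeholders,
# not real AV domains.
SAMPLE_HOSTS = """# Sample HOSTS file (constructed for this example)
#      102.54.94.97     rhino.acme.com     # commented-out example, ignored

127.0.0.1       localhost
127.0.0.1\tav-vendor-example.com update.av-vendor-example.com
0.0.0.0         download.av-vendor-example.com   # some malware uses 0.0.0.0 instead
10.0.0.5        intranet.example                  # entry the owner added on purpose
"""

# Addresses that make a name resolve to nowhere useful: 127.0.0.1 (localhost, as
# the guide describes), the IPv6 localhost and the 0.0.0.0 variant.
BLACKHOLE = {"127.0.0.1", "::1", "0.0.0.0"}
DEFAULT_OK = frozenset({("127.0.0.1", "localhost"), ("::1", "localhost")})

def parse_hosts(text):
    """Yield (ip, hostname) for every mapping. Handles comments after entries,
    tabs, and several hostnames on one line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def suspicious_entries(text, known_ok=DEFAULT_OK):
    """Everything that is not a known-good entry. Redirections to a black-hole
    address are listed separately because that is the trick used to block AV
    sites and update servers; other additions still deserve a look."""
    redirects, other = [], []
    for entry in parse_hosts(text):
        if entry in known_ok:
            continue
        (redirects if entry[0] in BLACKHOLE else other).append(entry)
    return {"redirects": redirects, "other": other}
```

An untouched file (just 127.0.0.1 localhost) yields two empty lists; the owner's own additions can be passed in through known_ok so only unexpected lines are reported.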
If you have made notes during the identification process about files and found that they are malware, you’ll need to remove them from the loading sequence. There are a few ways to stop those files from loading again and we’ll describe the most efficient ones.
First of all you’ll need Administrator privileges. Also, be sure to work from Safe mode or Safe mode with command prompt.
BACKUP EVERY FILE YOU WORK WITH TO ANOTHER LOCATION IN CASE YOU DELETE OR DISABLE WRONG FILE!
Here is the procedure:
Disconnect from the internet and make sure you don’t connect during this process.
a) Windows Explorer
Navigate to the folder where malware resides, and try to delete the file with Shift+Delete (it is immediately deleted, not moved to Recycle Bin).
If the file cannot be deleted, then do the following:
1. Right click on the file
2. Choose Properties
3. Go to the Security tab (if it is not shown, use the command prompt as described in section b)
4. Click on each user, set Full Control to ‘Deny’ and apply
Restart the machine and delete the file from Windows Explorer. If you want to protect yourself from this type of threat, browse down to see how to do it.
b) Command prompt (Safe mode with command prompt, XP boot CD recovery console)
1. Open a command prompt
2. Navigate to the folder where you found the malware files (use the cd command)
3. ‘attrib -r -a -s -h filename.ext’ to remove all file attributes
4. ‘del filename.ext’
5. ‘attrib filename.ext’; if no file is listed then you’re done
6. If the file cannot be deleted, it means it’s loaded in memory and protected from deleting or editing
7. ‘cacls filename.ext /d everyone’ to remove file permissions for every user
8. Reboot the machine and delete the file from Windows Explorer (it’s not loaded anymore since it cannot be loaded: you removed all permissions for all users that could read, change or execute this file)
c) Kill explorer and delete the file (we’re not talking about Windows Explorer here!!)
1. Kill explorer via Task Manager (just click on Explorer.exe and choose End Process).
2. Kill the processes you find suspicious
3. In Task Manager choose File->New Task (Run…)
4. ‘cmd’ to start command prompt
5. Navigate with cd command to folder where the file resides and delete it with del
6. Go back to Task Manager and File->New Task->Explorer to start Explorer process
There are a few ways to protect yourself from similar problems in the future:
1. Often recommended solution is to keep Windows up to date
2. Use AV software and update it every day
3. Create a file of 0 bytes with the same name as each malware file you’ve found and destroy its permissions
4. One creative solution
Keeping Windows and AV software up to date is not something we will describe in this article, but solutions 3 and 4 will be described.
After the restart you can delete the disabled file from Windows Explorer (from the Command Prompt you cannot delete it anymore).
After you delete it, create a file with the same name but with a size of 0 bytes (right-click, New, Text Document, and name it filename.ext, the name of the file you deleted in the previous step) and go to the command prompt (Start->Run->Cmd).
- Navigate to the folder where your file is created
- ‘attrib +r’ to set read-only attribute (theoretically not needed)
- ‘cacls filename.ext /d everyone’, choose ‘Yes’, to remove permissions for this file
This way you prevent this type of malware from being placed in this location again. Without write rights, no application can edit this file or copy itself over it.
This idea is pretty simple but not very easy to carry out:
1. You will need a list of filenames of the master files of the most widespread threats
2. Use the solution described before to create zero-byte files with these names
3. Keep those files in, let’s say, C:\AntiMalware
4. Make this folder hidden (command prompt -> ‘attrib +h C:\AntiMalware’) just to keep it from ‘hungry eyes’
5. Create hardlinks for every master file in the folder where it resides when the malware is active
6. Destroy permissions for all contents of C:\AntiMalware, including the folder itself (so it cannot be deleted)
This solution is yet to be tested – feel free to use it at your will if you find it useful. Hardlink deletion could be a problem, so we still have to find a way to keep those files invisible to malware.
I hope you learned something new. Feel free to contact the author of this article with new ideas at firstname.lastname@example.org.