Luke’s Definitive Guide for Removing Malware

I get a lot of requests from friends, family and friends of family for MS Windows support – most notably malware removal. You see, I’m a software developer and a Linux user and that somehow qualifies me for this type of work. Yes, the impeccable logic of a common luser never ceases to astound me.

Fortunately for these people I do have a good deal of experience with IT work. This post is my attempt to pass some of this arcane knowledge on to you. Despite the popular belief, removing malware is not some special skill that needs to be trained or gained via experience. I hardly ever actually hunt down the infections and remove them by hand. 90% of the time, this stuff boils down to using the right set of tools, and applying a little bit of critical thinking to the task.

The Tools

Most of the nasty malware you will get infected with can be effectively removed with one of these tools:

  1. Malwarebytes Anti-Malware (shareware – free to scan, resident protection costs $$)
  2. Superantispyware.com (freeware)
  3. Combofix (specialist tool)

How did I pick these tools? I didn’t pick them at all. The vocal anti-malware community of the internets picked them. I didn’t look at any polls, benchmarks or critical reviews. I use these tools because I know they work. How do I know they work? Because I’ve seen it, and because they are recommended in every single security-related thread on the internet.

You see, there are dozens of message boards out there dedicated to helping people clean up their infected machines. Users go there and post their symptoms and the resident experts give them recommendations and guide them through removal steps. Do you know what is usually the first step they recommend?

You guessed it – install Malwarebytes, run a scan, post your log file in the reply. Repeat for superantispyware.com. Between the two of them, these applications can remove just about anything. Very few trojans or worms can withstand this tag team. If they do, you can usually go for broke and use ComboFix, which is sort of a last-resort measure.

Most of the time ComboFix will clean the nasty infection off your computer. Every once in a while, however, it will hose the OS while trying. It will forcefully delete infected system files that other anti-malware tools are afraid to touch, with a blatant disregard for system stability. This makes it effective, but a bit of a loose cannon. That’s why it forces you to install the Recovery Console prior to actually performing an aggressive scan.

The Procedure

There is no magical procedure. You should simply follow your common sense. This is what I usually recommend doing:

  1. Boot into Safe Mode With Networking
  2. Get rid of Temp files (where malware likes to hide) using ATF-Cleaner or CCleaner
  3. Install and update Malwarebytes and run a scan
  4. Install and update Superantispyware.com and run a scan
  5. Repeat 1-2 times until you get a clean log on both
  6. If you can’t remove some infections, or you still see the symptoms, reboot into normal mode
  7. Run ComboFix
  8. If you still can’t remove the infection, find its name
  9. Fucking google it!

The last step is crucial – I can’t emphasize it enough. Unless you are extremely unlucky and got hit by a brand new variant of the malware, someone has already been through this crap. It is more likely than not that you will find a forum or blog post somewhere with detailed removal instructions. Or in the worst case, you will find links to more specialized tools that may or may not work against the crapware you are facing.

That’s it. That’s how I get rid of 90% of the crap people get infected with.

It’s so easy, even a caveman could do it!

This entry was posted in sysadmin notes.



12 Responses to Luke’s Definitive Guide for Removing Malware

  1. Tino says:

    Luke’s Definitive Guite?

    merriam-webster.com: 1) wholly, completely /not quite finished/ 2) to an extreme : positively /quite sure/ —often used as an intensifier with a /quite a swell guy//quite a beauty/ 3) to a considerable extent : rather /quite near/

    Well, I guess you are a quite a swell guy for helping others to remove malware :)

  2. Luke Maciak says:

    Oh man.. How the hell did I miss that one. :( Thanks for the correction.

  3. gabe says:

    nice post. it never ceases to amaze me how it doesn’t occur to people to google things. the solution to 90% of computer problems begins (and often ends) with a simple google search and people somehow think I’m a genius for “figuring out” their problems.

  4. I don’t know, SUPERAntiSpyware sounds pretty nefarious itself!

  5. jambarama says:

    For desktops and computers that are easy to get into, I don’t think anything beats using one of those sata/ide-to-usb doohickeys to mount the drive on another system (usually my laptop). From there I run all my scans and I’ve had far better success this way than the safe mode thingy (where some programs won’t run, and the more insidious malware is already loaded up).

    Good rundown on tools though, I’ve never used combofix or Superantispyware.com.

  6. Luke Maciak says:

    @Chris Wellons: Yeah, it does sound shady but I see it recommended all over the interwebs in reputable forums. I used it before and it works pretty well – sometimes it removes more crap than malwarebytes – sometimes less. It really depends on infection.

    Also the fact that it peacefully coexists with Malwarebytes which does not detect it tells me that it is legit. :)

    @jambarama: Actually, that’s a good idea. I haven’t really thought of that. I will use that trick next time I encounter a particularly nasty infection.

    One downside of this method of course is that you need to have your computer and the doohickey with you. The safe mode method can be done “in the field” while you don’t have your system or your tools with you.

  7. Mike Duncan says:

    I really enjoyed this post and I certainly appreciate the kind words regarding our product. I assure you, we’re 100% legit. We’ve been fighting spyware infections for over 5 years and we protect over 15 million users worldwide. Thanks again for thinking of us, we’ll continue to work hard to fight spyware! – Mike, SUPERAntiSpyware

  8. Rob says:

    Hey!

    -Caveman

  9. Shrinivas Kudva says:

    Hi Mike,
    Really nice of you to put up this guide. Like you mentioned, 90% of the people can easily clean up their system using your recommendations. Unfortunately, I suppose those 90% don’t read your blog :-(
    Wouldn’t it be nice to know the different types of people who read your blog? How about a poll? :-) say based on job or age?

  10. Pingback: The Ultimate IT FAQ « Terminally Incoherent WordPress

  11. Ed Baptist says:

    Very good. However, I’ve gotten to needing to run Combofix on 64 bit Win 7 computers, and it won’t work because Combofix is 32 bit only. Any suggestions?
