Useful Malware Removal and Diagnostics Tools

Since I blew my entire weekend exuding hate towards car salesmen (weekends are when I queue my posts), here is another quick and easy post. This time it is a list. Lists are cool, right?

If you recall, not so long ago, I released the Definitive Guide for Removing Malware. Today I wanted to expand upon that post and list more tools and websites you may find useful on your journeys.

Dangerous to go Alone

It is dangerous to go alone, take these!

Diagnostic Tools

Sometimes, before you even start removing things, it is a good idea to diagnose the problem. This is especially important when you are doing remote support for a clueless user. Here is a list of nifty tools that don’t necessarily remove stuff, but instead dump out log files that can help you identify potential problems.

  • Hijack This – by far, the most popular diagnostic tool out there. It is easy to use, has a neat GUI and it is backed by Trend Micro. Sometimes it is a good idea to use it with one of the multiple online analysis tools.

  • X-Ray PC – similar to Hijack This, but with built-in analysis tools that flag legitimate software and potential threats.

  • D.D.S. – a nifty diagnostic tool created by one of the regulars at the Bleeping Computer forums. It is a good alternative when dealing with users who can’t be bothered to click on GUI buttons. You can have them just run this, and then make them attach the resulting log files to an email.

  • Random’s System Information Tool (RSIT) – this one is actually quite comprehensive. It incorporates a silent Hijack This run, but lists much more information.

  • Screen317’s Security Check – very useful tool that allows you to quickly check whether or not the machine in question has some gaping security holes. It makes a few WMI calls to see if antivirus software is installed, if a firewall is running, if Java, Flash and Adobe Reader are up to date, if you are running an up-to-date browser, and so on. Dumps everything into a text file, with BBCode formatted headings.

  • GMER – a very comprehensive rootkit detector.

  • Rootkit Unhooker – another rootkit detector, this one focused on finding weird API hooks.

  • Rootkit Repeal – and another one, in case the other ones were being blocked.
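As an added example (my own script, not code from the post or from Security Check), here is a PowerShell snippet that performs the same kind of Security Center WMI queries Security Check is described as making: it lists the registered antivirus, firewall and antispyware products and decodes whether each is enabled and has current definitions. The productState bit layout is a community-documented heuristic, not an official Microsoft format, and the root/SecurityCenter2 namespace assumed here exists on Windows Vista and later client editions only.

```powershell
# Added example, not from the original post. Queries the Security Center
# WMI namespace the way Security Check-style diagnostic tools do.
# Assumption: root/SecurityCenter2 (Vista+ client SKUs; XP used root/SecurityCenter).
function Get-SecurityProductState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct')]
        [string]$Class
    )
    # productState is a packed DWORD. Community decoding (heuristic, not documented
    # by Microsoft): bit 0x1000 set = product enabled, bit 0x10 set = definitions stale.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $Class -ErrorAction Stop |
        ForEach-Object {
            $state    = [int]$_.productState
            $enabled  = ($state -band 0x1000) -ne 0
            $outdated = ($state -band 0x10) -ne 0
            [pscustomobject]@{
                Class       = $Class
                Product     = $_.displayName
                Enabled     = $enabled
                Definitions = if ($outdated) { 'out of date' } else { 'current' }
                RawState    = ('0x{0:X6}' -f $state)
            }
        }
}

# Build the report; a missing class or namespace becomes a warning, not a crash.
$report = foreach ($c in 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct') {
    try   { Get-SecurityProductState -Class $c }
    catch { Write-Warning "Could not query ${c}: $($_.Exception.Message)" }
}

# The "gaping hole" checks a diagnostic tool would flag.
if (-not ($report | Where-Object { $_.Class -eq 'AntiVirusProduct' -and $_.Enabled })) {
    Write-Warning 'No enabled antivirus product is registered with Security Center.'
}
if (-not ($report | Where-Object { $_.Class -eq 'FirewallProduct' -and $_.Enabled })) {
    Write-Warning 'No enabled third-party firewall registered; checking Windows Firewall profiles.'
    # Get-NetFirewallProfile exists on Windows 8 / Server 2012 and later.
    if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize
    }
}

$report | Format-Table -AutoSize
```

Run it from an elevated prompt on the machine being diagnosed; on older systems replace Get-CimInstance with Get-WmiObject, which takes the same -Namespace and -Class arguments.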

Removal Tools

These are good removal tools that go above and beyond what your usual A/V suite does. Some of these are fairly big apps that need to be installed. Others are tiny self-contained executables.

  • Malwarebytes – hands down, one of the most popular and most respected removal tools out there now. You can use it for free, but it does have a paid version which comes with a resident scanner. It is a typical A/V-like tool that needs to be installed to work.

    Since this tends to be the tool to end all tools, here are some very useful links:

    • mbam-rules.exe – direct link to the offline updates. If the infected machine can’t connect to the internet and download updates after the installation is complete, you can use this to install the latest definitions.

    • mbam-clean.exe – if your Malwarebytes is broken after a botched patch, you can use this tool to remove it.

  • Super AntiSpyware – another tool I mentioned in my definitive guide. It gets good results. It also requires installation.

  • Dr. Web CureIt – small, self-contained executable with a nice GUI. I found cases in which it was able to remove threats that Malwarebytes and SuperAntispyware couldn’t.

  • ComboFix – very ugly, but very, very effective. It is tiny and self-contained, but it packs quite a punch. If ComboFix can’t remove something I usually start prepping for re-imaging, because chances are nothing else will work either.

  • TDSSKiller – a nice, self-contained, GUI removal tool specializing in ripping out the notorious TDSS family rootkits and bootkits. Made by Kaspersky.

  • GooredFix – tool for fixing the Google redirects often left over by malware.

  • VundoFix and VirtumundoBeGone – stand-alone tools for fixing the notorious Vundo family trojans.

  • CWShredder – tool for removing the CoolWebSearch malware (which I haven’t seen in a while).

  • McAfee Removal Tool (MCPR) – removes the notorious bloatware that is McAfee. Works with most of their products. Useful if your A/V suite has gotten itself into a weird state and can’t be uninstalled normally (which seems to happen after every patch for some reason).

Misc. Tools

Here is a collection of tools that do not detect or remove any malware, but help during the cleanup or preparation stages.

  • CCleaner – automated temp file deletion tool. Helps to recover disk space, and also flushes out all the common places where malware likes to hide its executables. Warning: the installer likes to ship with like 7 million toolbars, so be vigilant during the installation process.

  • ATF Cleaner – similar to the above, but self-contained and small. Slightly less thorough, but it doesn’t ship with toolbars.

  • RKill – neat little script that will kill unnecessary processes. Very useful when trying to clean up an infected machine. Often it is able to kill very persistent malware, and keep it out of memory while you scan.

  • DeFogger – another Bleeping Computer tool. This one lets you temporarily disable all CD emulation tools which could interfere with rootkit detection.

  • Unhide Tool – another one from Bleeping Computer forums. A lot of recent infections hide all the files and folders on your system. This tool scans through the filesystem and removes the hide flag from everything that is not supposed to have one.

  • Secunia PSI – scans your system, and checks if all the installed software is up to date. Complains all the time if it is not. Can be a memory hog if you run it at all times, but very useful if you need to make sure a machine is all up to date.

Checking Files for Viruses

Sometimes you download a weird file, and want to make sure it contains no viruses. Your A/V may clear it, but if you want to be absolutely sure, you may want to try one of these:

  • Kaspersky Online Scan – scans a single uploaded file using the latest and greatest version of Kaspersky A/V.

  • Jotti Malware Scan – scans a single uploaded file with a dozen antivirus suites.

  • VirusTotal – you can either submit a single file, or a URL to a file. It will be scanned with a very comprehensive list of virus scanners. Possibly the best site of this kind.

Online Scanners

Finally, I leave you with a list of “scan from your browser” type services. They may or may not be useful to you.

And there you go. This list is by no means complete, so feel free to leave links to interesting and useful tools in the comments.

Oh, I almost forgot to do a little bit of shameless self promotion. If you want all the tools above as functional buttons on a single tab, then Luke’s Setup Assistant is a perfect tool for you. This list is essentially everything that is located on the security tab.

This entry was posted in sysadmin notes.



13 Responses to Useful Malware Removal and Diagnostics Tools

  1. Eric says:

    Spybot Search and Destroy.

    http://www.safer-networking.org/index2.html

    I have been using this software for at least ten years and it works well.

  2. Alphast says:

    ATF cleaner’s download link is dead, as far as I can tell…

  3. Luke Maciak says:

    @ Eric:

    Ah, good old Spybot. I used to use it religiously but Malwarebytes replaced it as my go-to removal tool. It doesn’t really seem like the SpyBot team has been keeping up with the times as well. But maybe I’m wrong.

    @ Alphast:

    Oh wow… It seems that the whole atribune.org site went down hard. I wonder what happened.

  4. road says:

    I’m surprised you didn’t mention Microsoft’s Malicious Software Removal Tool and Security Essentials. I find they’re usually as effective as anything else. Also I can never remember which tools are current and trusted (this list should help) and it’s so friggin’ hard to google for that sort of information because there are so many scanners that are malware, themselves. For that reason I like using stuff I download from microsoft.com.

  5. Luke Maciak says:

    @ road:

    Good point. Security Essentials is actually pretty effective these days. Kinda surprising, but not in a bad way.

  6. Kim Johnsson says:

    I am so glad I’ve moved away from everyone who needs my help with these things. And if anyone at work fucks up their PC, that’s fine. “Assign Rule-based Image”, netboot, done =)

  7. Andrew Zimmerman says:

    I agree. MSE actually uses the same definitions as their Forefront, so essentially you are using enterprise antivirus as a home user... no real reason to pay for antivirus anymore.

  8. ST/op says:

    Funny, but – at least here in Denmark – CCleaner has not been shipping any toolbars for a couple of years or so… Instead, they now want you to install Google Chrome and optionally make it your default browser :)

  9. MrJones says:

    Luke!

    *meme*

    Y U post Malware Removal Tools when webpage slogan is “I will not fix your computer”?

  10. Luke Maciak says:

    @ Kim Johnsson:

    I really should set up disk images for some of my relatives who have me on speed dial for computer issues. At work we have a nice Clonezilla server for that very purpose. Of course 99% of the time the first step is trying to recover the person’s last week or two of work, because they never, ever, ever back anything up.

    @ Andrew Zimmerman:

    Strange times we live in when paying for McAfee or Norton is actually counterproductive seeing how 90% of infections out there specifically target and disable these products.

    @ ST/op:

    Oh, maybe that’s what they are doing right now. I don’t think they ever peddled anything malicious. I think it was always Yahoo and/or Google promotions. Still, no reason to install that stuff if you don’t need it.

    @ MrJones:

    Well, I’m not fixing it, am I? I’m just giving advice. :)

  11. Jeff says:

    You might also want to try Metascan Online to check files for viruses, which quickly uses 19 antivirus engines to scan files for malware.

  12. cptacek says:

    Thanks, Luke. I keep coming back to your pages for reference to fix my neighbors’ computers :blech: This last one took me about 10 hours to figure out I needed to take something out of the Run portion of the registry. So, how do you charge for that? 10 hours of meandering around trying to figure it out, when the answer was <-Backspace.

    $30 an hour, or $300? She could have bought a new one for $375. $50 just to prove a point about not giving it away? What am I saying. Her husband was in our wedding, so yep, it's going to be free.

  13. Luke Maciak says:

    @ cptacek:

    Yeah, I never know what to charge friends and neighbors so I usually end up doing shit like this for free. If I had to charge I would probably look at what I had to do, rather than how long it took me to find the source of the problem. Sometimes it is just not worth spending countless hours hunting for something that may or may not be there and the easier route is to just back up and reformat. It is also easier to bill people that way because then you can give them an itemized list along the lines of:

    - backing up data to external drive
    - formatting the hard drive
    - re-installing windows
    - finding, downloading and installing all the drivers (since you brought no CD’s)
    - restoring data from the external drive
    - downloading and installing requested software

    Put a completely arbitrary price tag on each item and make it add up to whatever sum you are willing to charge them for this.

    Usually something like this is easier for people to swallow than if you give them an hourly rate that adds up to the exact same sum – because this way they can actually see what you did.
