Malware Cleanup

So your PC has been infected by malware!?

Even if you have installed the best antivirus on the market you can still become infected with malware, and once you are infected there is no certainty that your antivirus is capable of cleaning up without a little help.

Technical

On this page I will use malware as a general term for viruses, malware, worms and trojans, and the techniques I refer to are aimed at Windows XP (they can still be used on other platforms but may require additional steps/actions).

Tell-tale signs that something is wrong;

Your antivirus keeps detecting infections day after day: you clean it, but the next day when you reboot the machine it is infected again.

When is there little reason to be concerned;

If you browse to a web-site and immediately get a warning from your antivirus that this and that file is infected, and the reference is to a file in a folder with a name similar to this (it may differ somewhat);

C:\Documents and Settings\username\Application Data\Microsoft\Internet Explorer\UserData\FY2BE6Q4

then there is a good chance your antivirus caught the malware before it got a chance to install itself, and there is thus no reason to panic. I would however still recommend a complete system scan with the installed antivirus just to be on the safe side.

Infected, what now!?

How did I get infected and what is the big deal?

What often happens is that your PC is infected by malware while visiting a web-site. This can happen even without visiting dangerous/suspicious web-sites: even very reputable sites sometimes get malware code injected into their pages (this can happen via banner advertisements or by hacking etc.). As the malware may be brand new, your antivirus may not know it yet and thus raises no warning; you have now unknowingly been infected. After a few days your antivirus vendor may pick up on the malware and issue an update to your antivirus (a definition update); once your antivirus has been updated it detects that your computer has been infected. You might think that everything is fine now, your antivirus has detected the malware and offers to clean the infection!? The problem is that quite often a malware infection has had ample time to do its nasty business before it was detected and cleaned, thus your antivirus may very well clean the ‘original’ malware but may not pick up on some of the changes done to your system – this could be anything from harmless changes to the title bar of your internet browser to more serious matters like the installation of backdoors, rootkits, botnet clients or other malware.

Anyhow, let us try to picture that your PC has now been well and thoroughly infected.

What do you do!?

  • Check that your antivirus is working and has the latest updates.
  • Do a complete system scan with your antivirus.
  • Restart your machine, do so by shutting down and then starting up the machine again (not a simple reboot)
  • Do another complete system scan with your antivirus.

Now many people think that once this is done, and the antivirus informs you that it has cleaned a number of infections, everything is fine. Well, the correct answer is that MAYBE everything is fine. The problem is, as mentioned before, that you may not know how long your PC has been infected nor what has happened during this time – if the malware has installed what is known as a rootkit, then this can be very hard to detect and may go completely unnoticed by your antivirus, thus we need to take additional precautions before we jump to the conclusion that everything is fine.

Additional steps/precautions;

  • Run Microsoft Malicious Software Removal Tool (MRT)
    This is a utility that Microsoft has included in Windows Update; it is thus installed on all PCs and updated monthly, and once a month an automated scan is made (without any warning or display, so you will never notice it). You can launch this utility manually by opening a run dialog box (Windows key + R), typing MRT.EXE and clicking OK; now click Next and do a complete scan (you can start with a quick scan, which is much faster, but I strongly suggest a Full scan of the system to be safe).

Now your PC should be cleaned for infections, however we still need to verify this.

  • Shut down your PC and start it again (a simple reboot is not enough), then do a new scan with your antivirus scanner.

Experienced users;

If you are an IT professional, here are a few additional steps you may try. These are additional steps, not required ones, and you will still need to perform the steps above. I do not recommend these steps for novice/non IT professional users.

  • You can try to check which programs are set to autostart, and look for suspicious programs that are configured to start up automatically. This can be quite complicated to determine, as the references/names used are often difficult to identify (e.g. acr32rd.exe etc.). To check which programs and services autostart you can use the utility msconfig.exe (Windows Key + R, type msconfig.exe and hit OK) or try the more advanced utility from http://live.sysinternals.com/autoruns.exe
    However, be cautious: if you disable important system files the PC may not boot correctly, and it may be difficult to undo the damage.
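As an added example (not part of the original post), the following PowerShell script lists the Run/RunOnce autostart entries from the registry and flags the ones that deserve a closer look before you touch anything in msconfig or Autoruns: the image file is missing, it is not Authenticode-signed, or it lives in a user-writable folder such as Application Data or Temp. The folder list and the flagging rules are this example's own heuristics, not a Microsoft rule, and it assumes PowerShell 2.0 or later.

```powershell
# Added example: triage of Run/RunOnce autostart entries (not from the original post).
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumption of this example: legitimate autostart binaries rarely live here, dropped ones often do.
$UserWritable = @($env:TEMP, $env:APPDATA, "$env:USERPROFILE\Local Settings")
# Metadata fields Get-ItemProperty adds; they are not registry values.
$MetaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ImagePath([string]$CommandLine) {
    # Strip the argument list: either a "quoted path" or everything up to the first .exe
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return $CommandLine.Trim()
}

function Get-AutostartReport {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($MetaProps -contains $p.Name) { continue }
            $path  = [Environment]::ExpandEnvironmentVariables((Get-ImagePath ([string]$p.Value)))
            $flags = @()
            if (-not (Test-Path -LiteralPath $path)) {
                $flags += 'file missing'            # entry points at nothing, or the path parse failed
            } else {
                # Many older legitimate programs are unsigned, so this is a hint, not a verdict.
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
                foreach ($dir in $UserWritable) {
                    if ($dir -and $path.ToLower().StartsWith($dir.ToLower())) {
                        $flags += 'user-writable folder'
                    }
                }
            }
            New-Object PSObject -Property @{
                Key = $key; Name = $p.Name; Image = $path; Flags = ($flags -join '; ')
            }
        }
    }
}

# Flagged entries sort to the top; compare each Image path against what Autoruns shows.
Get-AutostartReport | Sort-Object Flags -Descending | Format-Table Name, Image, Flags -AutoSize
```

The report only reads the registry and file signatures; it disables nothing, so it is safe to run before deciding which entries to untick in msconfig.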

Update May 4th 2011;
a new tool is available to scan and clean your pc;
Microsoft Security Scanner, get it free here;
http://www.microsoft.com/security/scanner/en-us/default.aspx

Update June 5th 2011;
Recently I mentioned the Microsoft Security Scanner (http://www.kanmandet.dk/?p=2011), a portable/standalone scanner for your pc; well, it seems Microsoft is stepping up their Anti Malware/Rootkit efforts – here is a link to their new scanner, Windows Defender Offline: http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline, a bootable ISO containing a Rootkit and Malware scanner.  It is also worth noticing that the latest version of Microsoft DART “ERD Commander” (the old Winternals/Sysinternals utility to boot, modify and fix Windows installations) now also contains a malware scanning and removal utility – this is however sadly only available to Microsoft corporate license holders.

This link may also be useful; http://www.bleepingcomputer.com/download/anti-virus/rkill 
(direct download http://download.bleepingcomputer.com/grinler/rkill.exe)

Video tutorial on installing and cleaning using the Malwarebytes scanner;
http://youtu.be/gme75Aq_goI - Danish version 
http://youtu.be/P26migKnHC8 - English version

Additional links added January 2011;

Kaspersky Rescue Disk 10 – a boot and clean disk you can use to cleanup your system (untested by me, but was recommended).
http://support.kaspersky.com/viruses/rescuedisk  (Free)

Sophos Anti-Rootkit (Free) – a detection and removal kit for Rootkits
http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit.aspx

SpyBot Search and Destroy (Free) (I however still prefer Malwarebytes, but this is a good cleanup utility also)
http://www.safer-networking.org/