# Guide: Virus Removal 101



## Solaris17 (Aug 15, 2016)

*Rules of the road*

*THIS IS NOT FOR INFECTION HELP! PLEASE MAKE YOUR OWN THREAD!*
*THIS IS MEANT FOR BEGINNERS BE NICE!*
*YOUR OPINIONS ARE YOUR OWN THIS GUIDE FOCUSES ON FACTS AND EXPERIENCE!*

*Information and Scope*

*About*

Hello! This thread was created by request and support from a few members of the forums. I have decided to take up the challenge and write about virus removal since TPU in general doesn't have a real guide or centralized experience with it from what I can see.

Full disclosure. I am currently studying to get my master's degree in Digital Forensics. After that I will probably attempt my PhD, and the end goal is working for a security firm. Personally I hope to join the ranks of Cisco's Talos Security Division, after which I hope to teach into retirement.

I am NOT affiliated with, sponsored by, representing, or paid by any security firm or corporation. I do not officially represent any entity while posting under my USN on TPU.

I am the CIO for a small PC repair chain in Florida. We are big enough for me to play with some pretty cool technology and just small enough where I help technicians with end user PCs. Personally I touch anywhere between 700-1100 physical machines per year in a repair environment, ranging from hardware replacement to software work.

I have worked for several other tech companies, and previously I was working for a mid-level enterprise as a domain administrator for around 2000 endpoints across 13 offices.

My personal take on virus removal is that it should be free for those most in need, and I very much will write this guide in accordance with my belief that someone is tearing their hair out and just wants their computer to work again. The tools I will link and provide are free, and I and others in the industry have used them to completely disinfect machines.

HOWEVER, I also firmly believe that if a product worked for you, you should pay for it to support the developers and the science and skill that went into the program. The world of security software is a mean place with brilliant minds. However, from what I have seen "Free" outweighs "Paid" in most people's minds when dealing with antivirus/malware tools.

If you like something you should buy it. So that the father of 3 can help pay his bills and has the drive to keep making whatever product that saved your ass better. That's the pure & simple.

Now that you know a bit about me we can move on to some other stuff.

*Scope*

The scope of this guide will be limited to the end user environment. This guide DOES NOT cover enterprise level environments, however it _*MAY*_ brush on higher level best practices and mitigation techniques.

I intend to cover how to properly remove a virus, malware, root/boot kits and junk-ware from a compromised PC in a basic friendly low impact manner that is easily understood by the average user. This guide will cover normal operating systems in normal environments, each example will be explained under the assumption that you know nothing about security or intrusive programs and have only the most basic software knowledge and user skill.

This approach is meant to cater to the masses and is not in any way meant to demean or imply that a user needs to be handled in this manner.

I will add that this guide is not a place for arguments and I will only accept constructive criticism. Even the most skilled PC builders, programmers, network engineers and users may not know a lot about security and best practice. That is TOTALLY FINE! That is NOTHING YOU NEED TO BE ASHAMED OF!!!!! Please understand that you may be able to take away something from this guide. I am not here to bump heads with SecOps or other Operations managers which I am sure exist on this forum.

This guide is meant for the average user. I may omit expanded details or parts of security practice on purpose because the "watered down" explanation is easier to digest. There are always naysayers, and if you would like a specific question asked you can PM me. Not including something usually has a purpose and doesn't necessarily mean I don't know the material.

I will say some things in this guide some of you will NOT agree with. I am fine with that. I may even make someone upset. I do NOT mean to do this. Please understand my history in my "About" section. I have handled a lot of machines and different technologies. The information provided herein is a reflection of best practice, facts, personal experience and industry accepted techniques. Multiple resources will be provided to back up certain information.

*Getting Started*

Let's start with the most controversial point in organizations and business that IT staff have with what this guide is about. Time, money and effort.

A virus removal is not as commonplace as you may think in the professional industry. It is more a pain in the ass for Walmart than it is for you, the end user. In most cases if you are speaking with a real IT pro the answer to the question "Can you fix my computer?" is usually just format it and reinstall the OS. This is because:

A: It is far more cost effective if you are paying someone to have them simply wipe it and remove all doubt.

B: It is the ONLY sure fire way to remove w/e infected your system in most cases.

C: Virus removals can do more harm than good.

D: It is far less time consuming in most cases.

Virus removals for the end user are usually simpler than you think. However, understand that in the security industry this is very much a fight-fire-with-fire method. Security software is a mean beast. The process can VERY MUCH leave your system in a worse or unusable state. As you can see by this guide it is also very involved if done properly.

Attempting to remove an infection of any type without the right tools can result in not effectively removing the infection and compromising the security of the OS MORE because of the settings and files that need to be manipulated to properly disinfect it.

That's some pretty scary stuff but now we can shed some light on some good news. If you are reading this chances are you are not nearly as infected as you think you might be. The software might be bothersome and annoying even hard to close or impossible to delete. However most users will not run into serious infections.

I am 100% certain anyone reading this (except from an academic standpoint) is probably frustrated out of their minds with the problem they are currently facing. HOWEVER, with that said, most everyday infections are very common and easily remediated without the risk of damaging the core OS or user data. Even better news: if you can read this guide from the infected machine in question you are better off than most.

Regardless of infection type or severity level there is hope of a clean system, and I will cover how to properly avoid it later. Your reasons for choosing the route of disinfection are your own. I will not judge those that do not take the easier path of re-installation; I am also fully aware an OSR is not always the easiest solution depending on circumstance. You should also make sure not to let anyone else judge you on it. Disinfection is very much a skill and I will try and help you manage it by yourself.

Let's move on.

*Definitions*

Let's start with definitions! Not AV definitions, silly: what are we talking about when we say boot kit, add-on, malware? Do they even sell encyclopedia security? This section is going to break down the difference between them all and hopefully teach you the fundamentals of infection. For better or for worse, knowing is half the battle, and if you really want to save your PC then knowing what you need to do is one of the biggest parts of the battle.

Shooting a fly with a tank damages more than the fly, and we should always understand that in most cases the cure can be worse than the disease. So let's make sure we apply band-aids before we use penicillin.

Malware:

- Malware like the article suggests is a blanket term for many types of infectious programs. When you say I have "malware" you aren't exactly wrong regardless of what program is causing issue, however you aren't really helping yourself or the person trying to help you get rid of it.

I will break down some of the more common groups below to help you help yourself narrow down the type of problem you have. There are also multiple sub-groups to the primaries listed below but a general knowledge will suffice in most circumstances so I will not be getting into them in this guide.

Junkware:

- Junkware as of late has been the term most used to supersede the old terminology adware. This kind of infection is usually what causes popups in browsers and on your desktop, usually by way of installing themselves along with legitimate packages you download from legitimate sites like Java or Adobe Reader. This is the most common type of "Infection" a user complains about. Java for example has "bundled" toolbars etc. for years, and download.com by CNET is notorious for spreading bundled installers. I get a lot of my junkware samples from them.

Virus:

- A Virus is a term that is usually used for what is actually pretty rare these days in the field of users. The definition of virus has carried a lot of different meanings in the past and has changed significantly over the years as security researchers and programmers started to need different "groups" for malicious software to gauge intent and infection rate among other things. Today when dealing with a "Virus" most people in the know assume the Virus is of malicious intent and actively destroys or manipulates user data in a negative way, such as Trojans or Ransomware or keyloggers. There are some very nasty viruses that are difficult to contain, isolate and remove because they are polymorphic in nature, i.e. they change.

Boot/Root Kit(s):

- A RootKit is a special type of incredibly powerful infection. Rootkits are incredibly hard to cope and deal with because they have the ability to cloak themselves completely or mask themselves as legitimate system processes making detecting one difficult. Rootkits are infections that circumvent the security protocols of the machine and various security software.

Rootkits are used as a foot in the door for other kinds of infections ranging from malware to virus infections and almost any other kind of conceivable infection. True to its name the root kit usually gives complete privileged access of your computer to the attacker, be it remote control of the program or the machine and hardware itself.

On the same branch is the Bootkit. The bootkit like the rootkit has the ability to grant the attacker complete administrative access while remaining hidden and undetectable by most normal means.

The Primary difference in Bootkits is that they are infecting the machine on a very deep level on the hard drive usually interrupting the boot process itself hence the name. Bootkits are capable of defeating even the most robust antivirus software and built in security because bootkits themselves are usually loaded before most of the OS files during the boot process before you even get to the desktop.

Bootkits and their connected files can be the most destructive to remove and hardest to find given their nature.


----------



## Solaris17 (Aug 15, 2016)

*Software and Background*

In this section we will briefly go over the software being used and why we chose this software as opposed to other options. This is more of an academic type of post that will clarify the more important "*WHY*" when it comes to removal. It is important to understand that in order to effectively remove, or have the best chance to remove, a virus you must have the proper tools. The software listed below is based on several key points. Those mostly being:

- Free
- Easy to use
- Minimal user interaction
- Update friendly

At no point should you think that the software chosen was chosen because it is better than xyz or the "Best". That doesn't mean the software is "not the best", just that I am trying to break the mindset of *"Best"*. It is important to shake the idea that a one-off solution is always going to be the better one.

A Porsche is fast and will get you to work sooner than an 18 wheeler, but if you're hauling tractors to work the 18 wheeler is better suited. This is no different in the security world: applications are built for a specific purpose for the most part, and because of the nature of heuristic code engines some software will do better than others even if it is the same area of interest.

*Software List*

- *Threat Restraint*
  - Rkill
- *Rootkit Removers*
  - TDSS
  - bootkitremover
  - MBAR
- *Broad Spectrum Scanners*
  - Roguekiller
  - EEK
  - MBAM
  - Sophos VRT
  - HitmanPro
- *Malware/Junkware Removers*
  - ADWCleaner
  - JRT
- *Targeted Repairs*
  - Powerliks
  - Combofix
- *Wrap-up and Repair*
  - TWEAK
  - REVOuninstaller
  - Ccleaner

*Examples*

Above is the list of software this guide will cover and what you will be using to disinfect the machine in question. Now, we will go more into why we separate them into groups in the next section. Here I will explain weakness and strength between software types and programs so you can understand why there are so many.

A common question is why don't we have one all-in-one solution, paid or otherwise, that can handle all of, well... all of this. The answer is simple.

You can't.

Every virus removal tool is different in some way. Some are able to detect things others cannot. Above are the groups of different software. For example, EEK is a broad spectrum scanner. However, EEK cannot detect rootkits as well as programs specifically designed to remove rootkits like TDSS. Likewise, programs like TDSS are completely incapable of detecting malware; it simply isn't programmed for it.

Software in the same category also behaves differently. Hitman is very good at detecting browser issues and cookies. However Sophos isn't so great at browser infections but is better at scanning core system folders.

The AV world is full of these kinds of checks and balances which makes proper removal more of a skill than a click of a few buttons. Nothing is 100% and you must rely on the differences the tools have to increase your chances of success.

- *Running scans in order*

Running scans in the correct order might be something you are unfamiliar with. I will try to break down the basic concept as to why this is important to you. For the most part it boils down to permissions. Be it actual NTFS permissions or actual Privilege. Digging deeper you should ALWAYS attack an infection in this order.

*Threat restraint*
Threat restraint is an important step because it will allow you the user to more easily work with your machine which is probably super slow because of infection. Using programs like killemall or Rkill stop known malware processes which free up memory and CPU making it a little easier and faster to deal with your machine.

*Root/Boot Kits*
As previously covered Root and Bootkits are low level infections that grant admin (root) access to the machine. This software also for the most part changes permissions of core system files in order to more easily control your machine. It is very important to target and remove these infections first because the modifications they make can stop other higher level removal tools from working correctly.

*Virus Scans*
Actual virus removal comes next. Trojans, worms, spyware: all virus-class infections cause some kind of issues with system services and built-in security protection, and have the ability to prevent removal tools from opening. These kinds of infections need to be dealt with second so that we can ease the restraints on the system so that our tools have the proper permissions and resources to run.

*Mal/Junkware scans*
These are the last class of tools to run. These infections usually adhere to the user level of least privilege. They are really annoying and bothersome but are usually the most simple to remove. Unfortunately the tools that remove them require the use of system resources most of the time and assume they have everything they need to proceed. For this reason malware and junkware removal scans are done last because they totally rely on the previous steps being done and corrected to run correctly.

*Repair*
Repair tools like TWEAK are used last. These programs reset Windows to a default usable state, from folder options and icon size to default services and program startup. Most of the virus removal tools correct security related issues that the virus they are removing affected.

However sometimes more things have been touched and damaged and for these we use repair software last to correct the remaining issues after a full removal.


----------



## Solaris17 (Aug 15, 2016)

*Identification and Resources*

*Define*

One of the most difficult parts of a virus infection is trying to figure out what you are dealing with. This can be impossible to know for certain but there are a few tell tale signs that can tell you how soon you need to deal with the problem. Below I outlined some very basic markers.

*Boot/Rootkit*

- Machine is running very slow with no sign of infection
- Machine starts VERY slowly
- Machine blue screens for almost no reason
- Machine BSODs or locks up during virus scans

*Virus*

- Machine runs slowly and has programs running during startup
- Machine won't let you open task manager
- Machine won't let you open AV software
- Machine will play audio when there shouldn't be
- Machine has pop ups at the desktop

*Junkware/Malware*

- Browser's homepage has changed or changes
- Browser locks you out when opening new tabs
- Machine has a lot of programs open during startup that won't close
- Machine shows a lot of software that asks you to pay for it
- Machine displays pop ups telling you you have a virus
- Machine asks you to call a tech support number

*Examples*

Below are some really common scams and malware making their way around.

- MypcBackup
- Driver installer/download programs
- Fake Antivirus software
- Speed up tune up and cleanup software
- Mindspark toolbars and software
- Slimware utilities software
- Phone call scams telling you your unit is infected
- Email scams with PDF invoices saying you have a package at USPS, UPS, FedEX waiting for you

*Ransomware*

Ransomware deserves its own section. Here are the common signs.



Spoiler: Ransomware (screenshot)

Anything or any program that tells you your files have been locked or encrypted is ransomware.

Address it

IMMEDIATELY unplug your system from the internet and shut it down.

Take it to a professional. This is not a simple procedure or technique. You SHOULD NOT attempt to handle this infection on your own. I SERIOUSLY beg you to take your machine to a local shop to be worked on. It may be possible (although very SLIM) for them to decrypt your data using one of the tools that have been released for the crackable versions.

I am deliberately skipping over risk assessment and disinfection. You NEED to take this to a professional. If you have no important data or pictures on the machine format it immediately. It's already over.

*Sources*

If you are still unsure if you are infected or have an issue you can always take it to a local shop for diagnosis. However there are a few trustworthy online resources you can use to see what you have.

*Should I Remove It?*

Should I Remove It is a meta-based system where users submit their "votes" on a piece of software. Based on the reaction (Positive/Neutral/Bad) you can decide if it is something you should keep.

*Herdprotect*

Herdprotect is a cloud based virus scanner that uses multiple company definitions and engines to determine if you are infected. They also have a pretty handy knowledge base. Simply search for your program or file and see what it comes back with.

*Virustotal*

VirusTotal is a Google-sponsored AV front end. You can search for programs, check shady website URLs or upload a file you aren't sure about. Like HerdProtect it uses multiple AV software to come to a conclusion.


*Getting Prepared*

Before we get started we need to get you ready to run some of the tools I have prepared for you. The below instructions mostly pertain to Windows 7 and 8. By default Windows 10 already comes with the programs you need installed for all of my tools to work.

You will Need

.NET 4.5 and 4.6

We need the .NET frameworks installed because this software has the instructions needed for PowerShell. PowerShell is what we will be using to download the tools you need.

It is best to do them in order so here are the links.

.net 4.5

https://www.microsoft.com/en-us/download/details.aspx?id=42643

.net 4.6

https://www.microsoft.com/en-us/download/details.aspx?id=49981

Now that we have .NET all caught up, we need to make sure that we install the latest version of PowerShell. We will need at least 5.0 to make sure the script works correctly. PowerShell is part of the Microsoft Management Framework and, like .NET, should be installed in order.

Management Framework 4.0

https://www.microsoft.com/en-us/download/details.aspx?id=40855

Management Framework 5.0

https://www.microsoft.com/en-us/download/details.aspx?id=50395

If you think you might have what you need already we can double check. Search for PowerShell on your computer and open it. Once opened, put in the following command.


```
$PSVersionTable
```

If you have the right version (5.0) it will look like this.



Spoiler: PS Version (screenshot)

The version number MUST start with 5.

Next we need to allow execution of scripts from other machines. To do this, search for PowerShell, right-click on it and start it as administrator.

Then type the following and hit enter.


```
Set-ExecutionPolicy RemoteSigned
```

Powershell will then warn you and ask you how you would like to continue.

Press "A" without quotes and hit enter to allow execution of scripts.

You are now ready to unzip the script attached to this post.
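Before you run the attached script, the following PowerShell check (an added example for this guide, not the script attached to the post or anything from the tool vendors) goes through the prerequisites above in one pass: PowerShell 5 or newer, the .NET 4.5/4.6 Release values Microsoft writes to the registry, the RemoteSigned execution policy, an elevated shell, and whether the extracted script still carries the Internet zone mark that RemoteSigned refuses to run. The function name, the -ScriptPath parameter and the desktop path at the bottom are my own placeholders.

```powershell
# Added pre-flight check for the prerequisites listed in this section.
# This is an example written for this guide, not the script attached to the
# thread. The function name and the -ScriptPath parameter are my own choices.
function Test-RemovalPrereqs {
    param(
        # Path to the extracted download script (optional). Assumed to be an
        # unsigned .ps1 file like the one attached to the thread.
        [string]$ScriptPath
    )
    $problems = @()

    # 1. PowerShell 5.0 or newer ($PSVersionTable is what the guide has you type).
    $psVer = $PSVersionTable.PSVersion
    if ($psVer.Major -lt 5) {
        $problems += "PowerShell $psVer found; install Management Framework 5.0"
    }

    # 2. .NET Framework 4.5 / 4.6. Microsoft records the installed 4.x build as a
    #    'Release' DWORD: 378389 = 4.5, 393295 = 4.6 on Windows 10, 393297 = 4.6 elsewhere.
    $ndpKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $ndpKey -Name Release -ErrorAction SilentlyContinue).Release
    if (-not $release -or $release -lt 378389) {
        $problems += ".NET 4.5 or newer not found (Release=$release); install 4.5, then 4.6"
    } elseif ($release -lt 393295) {
        $problems += ".NET 4.5 is present but 4.6 is missing (Release=$release)"
    }

    # 3. Execution policy. RemoteSigned runs local scripts but still requires a
    #    signature on anything marked as downloaded from the Internet.
    $policy = Get-ExecutionPolicy
    if (@('RemoteSigned', 'Unrestricted', 'Bypass') -notcontains "$policy") {
        $problems += "Execution policy is $policy; run Set-ExecutionPolicy RemoteSigned as administrator"
    }

    # 4. Elevation: Set-ExecutionPolicy (and most of the removal tools) need an admin shell.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        $problems += 'PowerShell is not running as administrator'
    }

    # 5. Zone.Identifier: a script extracted from a downloaded zip usually keeps the
    #    Internet mark, and RemoteSigned will refuse to run it until you have read
    #    it over and cleared the mark with Unblock-File.
    if ($ScriptPath -and (Test-Path $ScriptPath)) {
        try {
            $zone = Get-Item -Path $ScriptPath -Stream Zone.Identifier -ErrorAction Stop
        } catch {
            $zone = $null   # no alternate stream means no mark-of-the-web
        }
        if ($zone) {
            $problems += "$ScriptPath is marked as downloaded; review it, then run Unblock-File '$ScriptPath'"
        }
    }

    if ($problems.Count -eq 0) {
        Write-Host 'All prerequisites satisfied; you can run the download script.' -ForegroundColor Green
        return $true
    }
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}

# Example usage: point it at the extracted script (the path is a placeholder).
Test-RemovalPrereqs -ScriptPath "$env:USERPROFILE\Desktop\download-tools.ps1"
```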

*All of the tools downloaded require as of the time of this posting about 610MB*

*IF A TOOL FAILS TO DOWNLOAD IT MAY NEED TO BE UPDATED PLEASE REPORT IT!!*

After you have unzipped the script, right-click on it and select "Run with PowerShell" to start downloading the tools.

It will go through some prompts and checks. Just follow the directions in the script. Once complete it should look a little something like this.



Spoiler: Script Process (screenshot)

You are now ready for the next step.


----------



## Solaris17 (Aug 15, 2016)

*Removal Process and Repair*​
Let's get started with the removal! You probably made it this far on will power, especially if the only reason you have read so far is because you are infected. Let me take a brief moment (I promise) to explain the usage of Windows 7.

The idea behind its usage is simple. Most people that are on Windows 10 know the equivalent shortcuts, or the OS already has the necessary pre-reqs to run the script. Additionally many have upgraded from Windows 7, making this a good starting point, along with the fact that since Windows 7 does require pre-reqs to be installed it makes more sense to base the instructions off the OS that is more difficult to configure for the task. The machine was fully patched on a fresh OS with MSE installed and running.



Spoiler: Square One (screenshot)

*Initial steps*

Make sure you have an active internet connection. Follow the steps above to make sure the script will function for you. Make sure you have set some time aside to make sure you can troubleshoot issues you may have along the way. Make sure you have a copy of the guide provided for offline use in the post above.

*QUICK TIPS*

If at any point you lose your ability to connect to the internet after a reboot from a tool, run the following two commands.


```
netsh i i r r

netsh w r
```


*Removal*

*Threat Restraint*

Let's start by running RKill to close some of the malware so we have a few more resources at our disposal.
RKill may ask you for administrator permissions. Just allow it and let it run. When it completes it should look like this.



Spoiler: Rkill (screenshot)

*Rootkit Removers*

The next step is to start our rootkit battery. Our first program of choice will be TDSS. TDSS is made by Kaspersky Labs and is very good at dealing with root/boot kits. When we first open it up we are greeted with 2 EULA-type windows; we will need to accept both of them before coming to the main window.



Spoiler: TDSS Start (screenshot)

Without any further modification go ahead and click start scan to begin the search; the window will look like the screen below. TDSS is very specialized so it should not take long for the scan to complete.



Spoiler: TDSS Scan (screenshot)

If you find yourself clean, TDSS will tell you no threats were found and you can close the program. If however kits were detected the screen will look like this.



Spoiler: TDSS Infected (screenshot)

Click on the drop downs and delete the items. TDSS will ask for a reboot while it attempts to clean the infection. After the reboot we can scan with TDSS again to make sure it is clean. If it is still not we may need to try other programs.

Moving on to Bitdefender's anti-rootkit utility. Like TDSS this program is specialized, so scans generally do not last long. The main window looks like this.



Spoiler: BRT Start (screenshot)

After the scan you are greeted with a screen hopefully telling you the unit is clean. If not, the options for handling an infection are the same as for TDSS; I recommend deletion. In rare cases a program will be unable to do so, and for these situations I recommend quarantine, but only as a last resort.



Spoiler: BRT Complete (screenshot)

Though I don't have a picture, if the unit is infected with a rootkit Bitdefender sees, you will have options very similar to TDSS. Simply select delete and reboot the machine when prompted.

MBAR is the next tool we will be using and the last in the rootkit category. This tool is a bit more broad than the previous bitdefender and TDSS scanners and because of this the scans are a bit longer. When you open it you will be greeted with the below window. Make sure to hit update. MBAR will also extract to its own folder on the desktop by default, should you need to rerun the program make note of this so you can find it in the future.



Spoiler: MBAR Update (screenshot)

After the update is complete hit next and then the scan button. You will soon be on your way with MBAR chugging along. Below is what the scan will look like.



Spoiler: MBAR Scan (screenshot)

Along with root/bootkits, MBAR also picks up some pesky viruses that modify core system files and services.

After it finishes you will be presented with a clean bill of health or the infections it found. If it found infections, press cleanup and reboot when prompted.



Spoiler: MBAR Infected (screenshot)

After restarting the machine again you may run the scans again to determine their effectiveness. After this stage is complete we now move on to the next stage, which will begin our main scan battery and will take the longest amount of time.

*Broad Spectrum Scanners*

Now that we have moved on to the general scanners we will be removing the majority of the malware on the system. Leading the race will be the EEK. EEK is a good removal tool provided by Emsisoft totally free.

After the program extracts it should open to its main window. Automatically it should start checking for updates, which you will be able to see in the left hand box. If it doesn't, go ahead and manually update it by clicking update inside the box. When it is complete it will give you a status and turn green.



Spoiler: EEK (screenshot)

Now that it's updated go ahead and click on "Malware Scan" in the right hand box. Since this is probably the first time you have run this you will get a few boxes popping up. One of which is going to ask you if you would also like to scan for PUPs; a PUP is a "Potentially Unwanted Program". Go ahead and press "YES" to this so we can cover all the bases.



Spoiler: EEK PUP (screenshot)

Since this group of programs scans for more things they take a bit longer than the rootkit scans we performed before. After it is complete the window should look like the one below. Click the button labeled "Delete Selected" if prompted to reboot do so.



Spoiler: EEK Done (screenshot)

After EEK is complete we move on to RogueKiller. RogueKiller is made by Adlice and is very good at detecting deep OS hooks. However, the free version does not let you scan for PUPs. Let's go ahead and launch it now. After it starts it will have a scan now button. Click scan now and you will be greeted with a screen of locked options (Free); go ahead and click start scan again to begin.



Spoiler: Rogue Start (screenshot)

While the scan is running you will see detections (hopefully) start to add up towards the bottom. In some circumstances the below will happen. Basically RogueKiller understands that something _MIGHT_ be a virus even if its definitions aren't sure. When this happens RogueKiller will ask you if you would like to submit it to VirusTotal, which I linked above. Once RogueKiller gets a more definitive response it will deal with it accordingly. For these cases I click "Always".



Spoiler: Rogue Sample Upload (screenshot)

When the scan finishes you will be greeted with a screen that looks like the following. Right click on anything in the list and then click "select all" followed by "Remove Selected"



Spoiler: Rogue Selection (screenshot)

Rogue will begin clean up and you will be asked to reboot the machine, go ahead and do so now.

We will now begin our Malwarebytes Anti-Malware, or MBAM for short, scan. MBAM, if you haven't gotten it from the name alone, specializes in malware removal. This product does in fact require installation, so let's follow the steps to get it ready to scan.

After opening the program click on "Update" next to "Database Version" to make sure we are as ready as we can be. After the update completes, start the scan.



Spoiler: MBAM Start (screenshot)

Once the scan is running like almost EVERY other virus scanner there are 3 to 4 distinct stages the software goes through. While the program is scanning you will see the malware tallies rise depending on how infected your system is.



Spoiler: MBAM Scan (screenshot)

When MBAM is complete it will then automatically start the clean up phase. When the cleanup phase is complete the finish button will activate and turn blue. When this happens you can either click finish and close MBAM however, in some cases MBAM like many others will ask you to reboot. If this happens let it.



Spoiler: MBAM Finished (screenshot)

With MBAM done we are going to fire up Hitman. Hitman is a powerful scanner that is represented by SurfRight as a "second opinion" scanner. Hitman's detection and removal capabilities are fantastic. However, you only have a 30 day trial. Hitman also implements a kind of hardware ID that makes it impossible to "reset". Once Hitman is "activated" it is free for 30 days and will not remove again until it is paid. Because of this it is usually a good idea to think about its usage. If you deem your infection serious enough we will run it. If not we can move on below to Sophos.

Starting hitman is simple enough once open simply hit "Next" until you get to the activation page.



Spoiler: Hitman Activation (screenshot)

Click activate free license. Once you have entered your email address and clicked next you will be shown the activation successful screen.



Spoiler: Hitman Activated (screenshot)

Simply click next which will start the scan. When the scan is complete you will have the telltale list of infected objects.



Spoiler: Hitman Pre-Removal (screenshot)

Click on any of the little arrows next to an object and you will be presented with a drop-down menu. Go down to "Apply to all" and select "Delete". All of the object statuses should change to "Delete" next to them. Simply click next and Hitman will begin removal. When it is done it will specify and either ask you to close or reboot.



Spoiler: Hitman Complete (screenshot)

With Hitman done the majority of the obvious infections should be gone. We can either skip the sophos scan, or we can finish the stage off by running it since hitman and sophos are usually swapped.

Sophos VRT is a disinfection tool made by Sophos themselves. Sophos is a big player in business and enterprise protection. They have been around a very long time and are a leading security company.

Install Sophos VRT and open it. Once open, Sophos should automatically start an update.



Spoiler: Sophos Update











After the update has completed simply click on "Start Scan" to begin the process. Like the other tools in this category, scans can take a long time, and Sophos is a bit on the slower side. If things have been smooth sailing up to this point you should have very few detection hits. Once it is finished click "Start Cleanup" and Sophos will begin its removal.

It is important to note, however, that we ARE still in fact getting hits, which only provides more motivation to run the entire battery and emphasizes the point that infections are difficult to remove and that running the correct tools is important in ensuring a successful disinfection.



Spoiler: Sophos Results











After the cleanup is complete we can close Sophos, or reboot if it prompts us. Once either is done we will move on to the last primary removal stage.

*Malware/Junkware Removers*

Now it is time for the last main battery section: the junkware removers. Last out of necessity, but not the least powerful. I will be introducing you to two of the most powerful tools on the market for removing the junk and adware that infects people's browsers and tags along with legitimate programs. Hate toolbars? Dislike software constantly popping up in the middle of the screen? These are for you.

Starting with ADWCleaner, a powerful little utility that was once independently programmed by Xplode and is now run by Toolslib.

When opening ADW you are greeted with the EULA. Accept it to start the program.



Spoiler: ADW Accept











Once the program opens the interface should be very simple. Simply click on "Start Scan" to get moving. Given the type of scan, ADW and similar junkware removers usually finish quickly.



Spoiler: ADW Interface











Once the scan is complete ADW has a multi-stage completion process. The first stage shows you everything that has been found. Click the "Cleanup" button to begin the procedure. ADW will now prompt you several times.



Spoiler: ADW Prompt 1











After ADW closes the necessary programs it will prompt you for a reboot. Click "Ok" and ADW will reboot your machine.



Spoiler: Reboot Prompt











With ADW complete we will now move on to JRT. JRT, or Junkware Removal Tool, was once a solo program written by thisisudax and was then bought by Malwarebytes. They did right by him, however, and kept the form and function of the program itself the same.

Starting JRT will give you the following screen. For the most part JRT is a very simple program and doesn't have many stages that you need to interact with. Simply follow the on-screen instructions. In rare cases JRT will ask you to reboot, though usually it will simply open its log file when it's complete.



Spoiler: JRT Start











After you start the scan it will show its progress through the stages with a loading bar made of asterisks (*).



Spoiler: JRT Running











Once complete a log of the program is saved to your desktop and then opened before JRT exits. You can simply close this for now.



Spoiler: JRT Finished











At this point you are done with the main battery of removals. There are two specialized tools I will go over, but both are usually only needed in very specific scenarios. They should also only be run when all other cleanups have been performed (which I will get into soon). For now we will begin the very final stages of the whole disinfection process: we will now clean the browsers and run the repair utilities.

*Give yourself a pat on the back!!!!! The machine should be running a lot better already. Go you!*

*Wrap-up and Repair*

Browsers are almost always last because they are modified so much by so many types of infection that it's usually just better to reset them. Because of this I will be showing you the quick and dirty way to do a full reset on the 3 most popular browsers. More disinfection information could be given, but we are just going to cover getting them to function correctly first.

In comes IE. IE is the default browser for Windows when first installed and a lot of people still use it. It has also been around a long time, so a lot of junkware knows how to integrate with it. When you first open IE you will see a cog or gear symbol in the top right hand corner. Press it.



Spoiler: IE Settings











Then make your way down to "Internet Options" and click it. A box will open containing the settings and controls for IE. At the very top right of the window is a tab that says "Advanced"; go ahead and click it to show the reset options for IE.



Spoiler: IE Reset











Go ahead and click the button labeled "Restore Advanced Settings". If prompted whether you would like to continue, click Yes. Afterwards click the "Reset" button just below that. When the box pops up I would also recommend checking the box that says "Delete Personal Settings". Be aware that this will delete all of your saved passwords and auto-fill history.

After the reset is done the small status box will have all green check marks and a close button. Click close and reboot your machine.



Spoiler: IE Complete











With IE done, let's move on to Firefox.

Firefox is another big browser with lots of market share. Like most other browsers, because of its popularity it also gets infected quite a bit. After opening it, as with IE, at the top right are three bars representing the Firefox menu. Go ahead and click it. After it's open we will be looking for a question mark bubble at the bottom of the menu.



Spoiler: Firefox Helpmenu











Go ahead and click on it to open the help menu. We will now find "Troubleshooting Information" and click on it. It will open a new page with information you don't really need to worry about; however, on the top right hand side are two buttons. One of them says "Refresh Firefox". Click this button and we will get a confirmation prompt. Hit the "Refresh Firefox" button inside the prompt to reset the browser.



Spoiler: Firefox Refresh











When Firefox is complete it will open a new page for you and you are ready to go!



Spoiler: Firefox Complete











With the other two majors out of the way, you guessed it: if you are a Chrome user this one is for you. Once we manage to get the browser open, as with Firefox the settings menu is represented by 3 bars in the top right corner. When we click it a menu will pop up. We want to navigate down to the Settings link.



Spoiler: Chrome Settings











If Chrome has managed to detect that it has been modified you may be lucky enough to have the reset button right in front of your face.



Spoiler: Chrome Warning











If not, we will need to scroll all the way to the bottom, where there will be a link called "Show advanced settings". Click the link and the page will expand to show more settings. Once again scroll all the way to the bottom. The very last item will be a button that says "Reset settings". Like the button in the previous picture, both of these buttons will spawn the following warning box asking if you are sure.



Spoiler: Chrome confirm











Click the "Reset" button and Chrome will take care of the rest. Once complete your browser is all set and ready to use!

With all of the crazy disinfection hopefully behind us it's time to coax our OS back into working order. Much like a patient at a massage therapist, the OS has been beaten up and changed by the infections and the tools. We will use a handful of specifically chosen programs that tweak permissions, files, registry entries, etc. to get your OS back to operating how it should.

Removing bad software is next on our list. Since we have run through all of the big bad viruses, it is time that we double and triple check to make sure nothing was missed. The last few stages are clean-up and repair.

Let's go to Control Panel and start to remove some stubborn programs, and in some cases programs that are more junkware than actual viruses; those were probably skipped by the removers. You can get some help again using the link in *this post* to try and see if the program you're thinking about removing is legit or not.



Spoiler: Programs List











Some key things to keep in mind when removing programs: there are some you probably shouldn't remove. A lot of pre-built machines, for example, have special software installed to control things like hardware or special keys on your keyboard. Other software is important for things you use every day like printers or your webcam. Here is a short example of things you probably shouldn't remove:

- Any program that has your machine's brand in its name: DELL, ASUS, HP, ACER, Toshiba, etc.
- Any program that has Microsoft in the name
- Any software that looks like something you use: Evernote, Office, Google Chrome

Here is a short list of things that are probably safe to remove:

- Any program that has the name of the software that's bothering you
- Any program that says toolbar
- Any program that appears to be soliciting: offer, coupon, etc.

As always, check with the post linked above to make sure what you are removing is legitimate. Additionally, in the course of uninstalling programs you may come across damaged ones that will not uninstall. These programs will give an error similar to the one below.



Spoiler: Program Error











In these cases we actually already have a tool we can use to rip it out. It is always recommended to attempt the uninstall normally first, but if we cannot, we can use Revo Uninstaller to remove the offending program.

After opening Revo we will need to agree to their terms. The program will then scan the system quickly and display the programs it detects as installed. In the list, find the program you were having a hard time removing. Click the program to select it and click the Uninstall button on the top toolbar.

At first Revo will try to uninstall the program using the same normal methods Windows uses. It is very possible that you will run into the same error you encountered when trying to uninstall it through Control Panel; this is fine.



Spoiler: Revo Uninstall Error











Simply click OK and you will be shown the screen below. This is where we can ask Revo to force-remove the program that isn't uninstalling correctly. Check the box labeled "Advanced" and click the Scan button. You will be asked if you are absolutely sure you would like to uninstall it. Select Yes to begin the scan.



Spoiler: Revo Scan warn











Revo removes software in two stages: registry entries and files. When Revo is done with its scan it will immediately show you the registry entry list. By default all files and registry entries are unchecked for safety. If you are sure you would like to delete the program, click the button labeled "Select All" and THEN press the "Delete" button. You will get a warning from Revo asking if you are sure. Click "Yes"; after the deletion is done nothing should be left in the box. Click the Next button to move on to the files.



Spoiler: Revo Registry











The files section works just like the registry section. Select all the files and press the Delete button. After it is complete, simply click the new "Finish" button on the bottom right hand side.



Spoiler: Revo Finished











Revo may ask you to reboot; if this is the case go ahead and let it. Otherwise you are done with the uninstall! Just follow the same procedure for any other software you might need to uninstall.



Spoiler: Revo Uninstall











Without further ado I introduce Tweak. Tweak is an AIO modification platform that handles multiple aspects of your operating system. From services to folder options, it can reset them back to default.

On first start-up Tweak will have a button at the bottom left that says "Reboot to safemode". Click it. Tweak relies on the clean(er) environment of safe mode to complete its modifications successfully. Safe mode looks odd to the average user: everything will be big, for one, and your background picture will most likely be gone. Don't worry though! All of this will come back. Once you are in safe mode, click on Tweak again.



Spoiler: Tweak Startup











Once we open Tweak back up, on the top right hand side is a tab called "Repairs". Click this tab to access the repair page.



Spoiler: Tweak Repair page











When you are ready simply click the "Open Repairs" button to access the repairs menu. You will be prompted to save a file at this point. Go ahead and choose any folder you would like, but remember where you are saving it. This is actually saving an important set of backup files we can fall back on if something goes wrong.

The repair window requires no modification by default. Simply click the button called "Start Repairs" and we will be on our way. Given the number of things Tweak modifies this can take a long time, so don't sweat it.



Spoiler: Tweak Start











When all is said and done Tweak will tell you it's time to reboot your machine. Click the "Yes" button and you will be brought back to normal mode, where things will look more like you are used to.



Spoiler: Tweak Done











With Tweak done we can do the last of the cleanup to save some space and speed on the system. The first trick up our sleeve is one all too often forgotten: Disk Cleanup. Disk Cleanup is a utility built into the Windows operating system that can be used to clean up temporary, old or unused files on the machine. In a lot of cases this can free up several gigs of space.

To start, simply open the Start menu and type the word "Disk". When "Disk Cleanup" shows up in the list, right click it and select Run as administrator (we do this to save time).



Spoiler: Disk Clean Admin











Disk cleanup will open and start searching. When it is complete it will display a box with small check boxes of things you can select for deletion. We are going to go through the list and check all of the boxes.



Spoiler: Disk Clean Check











After all of the boxes are checked press the "OK" button. Disk Cleanup will ask you if you are sure you want to delete the files; click the "Delete Files" button to begin the process. Disk Cleanup can take hours if there is a lot of data to delete, and it also depends on the speed of your machine, so be patient. When it is done deleting files it will automatically close.

*That's it, you're done! Congrats!*

You have by now hopefully successfully disinfected your system! You did a great and awesome job sticking with it. Let's talk about the elephant in the room though: in the next post I will go over some mitigation and protection techniques you can use to help stop this from happening again.

If you think you might need some extra help you can try the targeted repairs below, which might fix or catch things that the other tools have missed. However, you need to know that for the most part a lot of the targeted repair utilities can damage your machine. Use extreme care when running them.

*Targeted Repairs*

The targeted programs are Powerliks and ComboFix. ComboFix is almost like a cross between Tweak and a broad spectrum scanner. Powerliks is actually a single tool that looks for 1 single type of infection. You can read more about Powerliks *here*.

To start I will run you through ComboFix. This software can cause serious issues with your OS, so it is only recommended if you are certain you are still infected. It only supports XP through Windows 8, NOT Windows 8.1+.

First and foremost, before beginning ComboFix you should shut off any AV protection you have on. This includes Microsoft's MSE. If you do not, ComboFix will warn you before starting and tell you what product it detected as active. After you have shut off your protection ComboFix will start and you must accept its agreement.



Spoiler: Combofix Start











After you accept the agreement ComboFix will extract its contents and begin.



Spoiler: Combofix Extract











During the extraction ComboFix may ask you to update it. Press the "YES" button and the extraction process will start over with the new edition.



Spoiler: Combofix Updating











Like JRT, ComboFix will begin automatically. ComboFix uses text-based output for status. It goes through many different stages and will eventually reboot your machine for you. After the reboot ComboFix, again like JRT, will present a text file to you with the outcome of the removal.

Powerliks remover by ESET is the next specialty tool we will be using. ESET Powerliks isn't dangerous in the traditional sense and only takes a moment to run. I excluded it from the main battery of scans only because it is seldom needed. However, if you would like to make certain you have covered all of your bases, this is how to use it.

When opening ESET Powerliks you will be prompted to accept their terms. Accept the terms to move on to the program itself.



Spoiler: ESET Accept











Afterwards the program will run automatically and tell you if you are infected. Most of the time you will not be. If you are, Powerliks will ask you to hit any key to disinfect, after which it will reboot. If you were infected, feel free to scan once more after the reboot.



Spoiler: ESET Complete











That's it! I will add more off-the-wall utilities as I deem them needed for this guide and document them accordingly.


----------



## Solaris17 (Aug 15, 2016)

*Wrap up and Mitigation*
*Tools*

Prevention is arguably the most important deterrent for malware in the security world. A lot of enterprise level technicians and administrators focus on how to keep infections OUT instead of relying on software on the machines to deal with infections when they happen. There are a lot of tools in the corporate world to do this. Fear not, though: below I outline some of the preventative measures we can use to try and keep this kind of thing from happening.

First is CryptoPrevent. This is software used to help prevent ransomware from infecting your machine. It used to be free only, and there is still a free version; it just doesn't update automatically. For the normal home user this is fine. I SERIOUSLY recommend it for someone who deals with a lot of email attachments and connects to big networks: apartments, schools, etc.

When opened CryptoPrevent will ask you a few questions and then it will launch. You will be greeted with the window below. At the very least you should choose the default. If you want more protection simply choose a higher stage. If you run into problems you can always open it and step down a level until everything works fine for you. It will then ask if you would like to whitelist programs; you can let it if the machine seems fine to you. Reboot after it tells you to.



Spoiler: Crypto Prevent











*Browsers*

Browsers are another big attack vector for malware. I would SERIOUSLY recommend that you install an adblocker. I have linked the more popular and trustworthy ones below.
CHROME

FIREFOX

IE

Installing adblockers should increase your protection online. Another method you can use, which will help with sites that sneak through, is modification of the HOSTS file. You may be unaware of the HOSTS file, but in simple terms it can override where a website name points in your browser. This works both ways, however, and we can use it to prevent connections to some bad sites.

Download New FILE

The site that hosts it is winhelp2002; they have made the modified HOSTS file for years and go into a bit more explanation of what it does here.

Simply download the file and unzip it. Run the script file named "mvps" and follow the directions.
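As an added example (not from the guide or the MVPS project), the PowerShell below audits the HOSTS file after the MVPS script has run: it counts the blocking entries (names pointed at 0.0.0.0 or loopback) and lists any entry that instead points a name at a real address, since the same mechanism that blocks a site can be used by an infection to redirect one. It assumes the standard HOSTS location under %SystemRoot% and only reads the file.

```powershell
# Added example: read-only audit of the Windows HOSTS file.
# Blocking entries map a name to an unroutable address so the browser never
# connects. Anything else is a redirect and deserves a second look.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$BlockAddresses = @('0.0.0.0', '127.0.0.1', '::1')   # MVPS uses 0.0.0.0; loopback is the older style

$blockedNames = 0
$redirects = @()

foreach ($line in Get-Content -Path $HostsPath) {
    # Strip trailing comments ("# ...") and surrounding whitespace.
    $text = ($line -split '#', 2)[0].Trim()
    if (-not $text) { continue }                 # blank or comment-only line

    # Format is: <address> <name> [<name> ...], separated by spaces or tabs.
    $fields = $text -split '\s+'
    if ($fields.Count -lt 2) { continue }        # malformed line, nothing to map
    $address = $fields[0]
    $names = $fields[1..($fields.Count - 1)]

    if ($BlockAddresses -contains $address) {
        $blockedNames += $names.Count
    } else {
        # A hostname mapped to a routable address overrides DNS for that name.
        foreach ($name in $names) {
            $redirects += [pscustomobject]@{ Name = $name; Address = $address }
        }
    }
}

"HOSTS file: $HostsPath"
"Blocked names: $blockedNames"
if ($redirects.Count -gt 0) {
    "Entries that redirect rather than block (review these):"
    $redirects | Format-Table -AutoSize
} else {
    "No redirect entries found."
}
```

A freshly installed MVPS file should produce a large blocked-name count and an empty redirect list; a redirect entry for a name you did not add yourself is worth investigating before moving on.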

*DNS*

The last thing I can provide for now is OpenDNS. This helps restrict the type of content your internet connection can access, from pornographic websites to political ones. OpenDNS has great support and a pretty easy setup. Give them a look HERE.

For basic home protection you can change your DNS servers on every device (or just your router) to the addresses below. These servers are pre-configured to block adult content and offer the same uptime as the normal openDNS addresses.

208.67.222.123
208.67.220.123
The servers below are the public OpenDNS servers, like Google's 8.8.8.8 and 8.8.4.4; unlike the "FAMILY SHIELD" addresses provided above, these do not do blocking by default.

208.67.222.222
208.67.220.220
DNS servers translate website names like google.com into the IP addresses computers need to find the site you are going to. By using "filtered" DNS servers we can blacklist bad websites so they are never even allowed to show up on your computer.

Let's dig in! Generally your PC can use two different DNS servers, in case one doesn't work. You can set these servers on each of your internet connected devices. Ideally you would set them on your router, which would filter for your entire network. That is a bit better and recommended, but unfortunately there are too many different ways to access routers and modems to cover here. You can start your search *here* or ask in another forum thread for help.

Setting it up on your PC should be a bit easier. OpenDNS actually provides a guide *HERE*; just remember to use:

208.67.222.123
208.67.220.123
Instead of the ones in the guide so that you get protection.

Other great DNS providers exist like Quad9:

9.9.9.9

It also doesn't require any additional setup. You can read more about them *HERE.*
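As an added example (not from the guide or from OpenDNS), the PowerShell below applies the FamilyShield resolvers listed above to every connected adapter on a Windows PC, then verifies the change. It assumes Windows 8 or later (the DnsClient and NetAdapter cmdlets) and an elevated prompt; the comment at the end shows how to undo it.

```powershell
# Added example: set the OpenDNS FamilyShield resolvers from the guide and verify.
# Two addresses are given so the client can fail over if one does not answer.
$FamilyShield = @('208.67.222.123', '208.67.220.123')

# 1. Record what each adapter is using now, so you know what you changed.
"Before:"
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. Apply the filtered resolvers to every adapter that is currently up.
Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | ForEach-Object {
    Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex -ServerAddresses $FamilyShield
    "Set $($_.Name) -> $($FamilyShield -join ', ')"
}

# 3. Drop cached answers from the old resolver so the check below is honest.
Clear-DnsClientCache

# 4. Verify: ask the new resolver directly for a known-good name.
#    (example.com is used here as a constructed test name.)
"After:"
Resolve-DnsName -Name 'example.com' -Server $FamilyShield[0] -Type A |
    Select-Object Name, IPAddress

# To undo and go back to the router/DHCP supplied servers for an adapter:
#   Set-DnsClientServerAddress -InterfaceIndex <ifIndex> -ResetServerAddresses
```

If the verification step times out, the resolver is being blocked upstream (some ISPs and networks intercept DNS), in which case setting the addresses on the router is the better option.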

*Explanation*

I chose the software and methods above because of the effect they have on the everyday user. Protection is key in the digital world to prevent infection. The tools above are updated frequently and have other security minded people behind them.

They are also easy to use. Even for the most computer inept, with some simple instruction the tools are easy to use and provide a lot more protection than default settings. I encourage everyone, professional or otherwise, to try and improve security wherever they can.

*Best Practices*

Best practice is a hard trick to teach. Best practice usually involves implementing something or locking something down to the point of being almost as annoying as the malware that made it necessary. However, this doesn't need to be the case. I have a few examples of how you can use best practices to help protect your data, you and your machine by doing some simple routine things, just like taking your car to get an oil change.

Reset your firewall. If you haven't already done so during this guide, it would be a good idea to.

Here is a great guide http://www.thewindowsclub.com/reset-windows-firewall-settings

Keep a copy of one of the broad spectrum scanners I provided above. Something like the EEK or Rogue, run just once every month, can do loads to help you stay virus free.

When it comes to email too good to be true usually is. Remember what I mentioned before? Be careful with attachments. Don't open them unless they are from someone you know. Also be sure to second guess even some legit looking ones. Ransomware is spread a lot via attachment from a postal service.

These are usually masked as an invoice. Before opening, ask yourself "Did I order anything?" If not, chances are it's fake. Remember that UPS/FedEx/DHL/USPS etc. don't have access to your email, and Amazon, eBay and many other online shopping sites aren't allowed or required to give them that information. So how would they know to send it to you?

Get some actual protection. Like it or not, if you are infected you probably need it. I recommend AV software to begin with; performance issues are rare, and I have dealt with a lot of systems. While I appreciate people's ability to not use them or concerns about performance impact, if you followed this guide there is no real argument against it. Here are some lightweight good guys.

There are free and paid versions. Usually the difference between free and paid is the extra stuff: browser blockers, anti-spam, etc. However, there usually ARE differences in the free products: definition updates come slower, and others don't use an engine as powerful as the paid version. This can let things slip by. Of course the choice is yours. I am only going to advise that you get one.

*Sophos Home*
A good product, requires internet connection for management but good detection rates.

*Kaspersky*
A decent AV. Kaspersky has been around for a long time. The detection rates are superb and they play a very big role at detecting new threats in the wild. Deep scans can be rough on the HDD however.

*Cylance*
Cylance is an AI based AV and one of the first available for everyday users. It's cheap and very lightweight and detection rates are great. False positives need to be controlled via the web UI.

*Emsisoft*
Emsisoft is a fresh perspective on AV with a clean, easy to use interface. It's definition-driven, but the detection rates are top notch and the AV isn't a drain on system resources. They also have a free on-demand scanner, the *EEK*, that uses the same engine and DBs. It's a great AV to use even if just for the on-demand aspect.

*Bitdefender*
An OK program that now has a free edition. Bitdefender has more aggressive scan options by default that can turn away novice users, but its detection rates are great.

ProTip: I have purchased each of the AV products above and used the free ones for some time. I have chosen these among others I have also owned because of their usability, affordability and availability. They have also made numerous rounds on my malware machines and even attacked some of my tools (RUDE). That said, in the spirit of the forum and social stigma I have linked the free editions, with the exception of Kaspersky, which does not have one but which I believe to be too great an option not to include.


*Thanks for reading the guide, I hope I have helped enlighten you the reader and with a little luck persuaded you into taking security more seriously in one way or another. For the user that came here because they were infected I really hope it helped you, it really is frustrating.*

For guide related questions feel free to respond below.


----------



## bogmali (Aug 15, 2016)

Sticky'd while you work on it


----------



## Kursah (Aug 15, 2016)

Good to see a new TPU guide like this come up! Looking forward to seeing it get fleshed out!


----------



## Solaris17 (Aug 15, 2016)

Thanks! I will be at this for a bit while I spin up some new VMs on my work laptop and infect my controls so I can take screenshots. I promise I will put as much effort into it as I can, but this project will probably take me a few weeks as I fill it out as best I can. It has been a while since I have written a guide and I have been re-programmed to write such as technical documentation, so I will probably edit frequently since my main goal is to make this for beginners and give a brush of enlightenment and not give them a 30 page white paper on security practices. haha.

@bogmali  Would you be so kind as to lift my edit restriction if possible? I am afraid I will go over it given the amount of work I need to do. Some would argue that I should type this all out in Word and then just spend a few hours editing it, but I hate the modification tools on forums so it's simpler for me to simply format it as I type.

Thanks again @Kursah @Mussels @bogmali  and the others that showed support. I will hopefully bring something to TPU that will help a lot of people.


----------



## Mussels (Aug 15, 2016)

this needed a sticky, glad it got it so fast 

Too much confusion, mis-information and bad programs out in the wild for virus/malware removal, we need a local TPU expert on it.


----------



## Tallencor (Aug 15, 2016)

Been away for some time and come back to this. Very exciting indeed. Thanks @Solaris17 . I try to keep a clean p.c. with good practice and Super Anti Spyware/Malwarebytes. Hate to see even a few c.p.u. cycles "wasted" on an installed Virus program. Cant wait to see your end result.


----------



## ThE_MaD_ShOt (Aug 15, 2016)

Just want to thank you @Solaris17 for this really great write up you are embarking on.


----------



## Solaris17 (Aug 15, 2016)

Thanks for the kind words! I will plug away at what I can for a few hours a day schedule allowing making edits along the way. I will be sure to mention when its "done" to avoid confusion. There may be times I submit a bunch of content and other days I only modify a section or two. Probably because I am documenting a removal process in a virtual machine.


----------



## manofthem (Aug 15, 2016)

Very much looking forward to further updates in this thread.  I've often enjoyed posts by you @Solaris17 about viruses, even saving some info you posted recently, so this thread is going to be very much appreciated by all of us!


----------



## Solaris17 (Aug 15, 2016)

manofthem said:


> Very much looking forward to further updates in this thread.  I've often enjoyed posts by you @Solaris17 about viruses, even saving some info you posted recently, so this thread is going to be very much appreciated by all of us!



Thanks! I will certainly push to not disappoint!


----------



## pigulici (Aug 15, 2016)

Not bad, not bad...until now...


----------



## natr0n (Aug 15, 2016)

Spoiler








Gratitude via gif


----------



## RejZoR (Aug 15, 2016)

Actually, for anything not:
- parasitic file infectors (Virut etc)
- ransomware (CryptoLockers etc)

You just have to follow a list of tools and scan the system with each and every one of them until they don't show anything anymore.


----------



## Ahhzz (Aug 15, 2016)

/tag for looking   Thanks for this Solaris. As an IT tech by day, I won't pretend to have all the knowledge, but it helps to makes the user think I do   Always glad to see a well-written guide


----------



## Mindweaver (Aug 15, 2016)

Just a warning don't post in here that you just wipe and reinstall Windows. That is not what this thread is about.


----------



## Octopuss (Aug 16, 2016)

What is this 101 virus?


----------



## Mussels (Aug 16, 2016)

Octopuss said:


> What is this 101 virus?



It's a reference to the American school system; think 'introduction to virus removal'.


----------



## Solaris17 (Aug 21, 2016)

No, this isn't vaporware, I swear! Just figured I'd let those who are watching know: I have spent all day disinfecting a test machine and have about 143 screenshots I need to wade through and trim, as well as all of the actual documentation to go with it. I also have a few surprises; mostly, I wrote a PS script that will download all the necessary tools for you, and bonus points: every time you run it, it will pull the latest version.

I need a few days to process and get this in a state that I can readily say is "usable", but there are still a few things I won't be able to publish initially. Maybe I will write a paragraph or 2 covering ransomware etc. etc. I do hope mods can inject posts out of order. I may need someone to work with me on that. Once I got going I wanted to add more detail.

Worry not though. It will still be very simple to digest. I honestly think it's at the scale it's at only because I am writing it like you're 5.


----------



## Mussels (Aug 21, 2016)

just have one simple 'virus removal guideline' post that people can follow which is basically a list of programs with download links, in your recommended order.

so that even if people fail to educate themselves, we can link to a singular post and say 'do this'


----------



## Solaris17 (Aug 21, 2016)

Mussels said:


> just have one simple 'virus removal guideline' post that people can follow which is basically a list of programs with download links, in your recommended order.
> 
> so that even if people fail to educate themselves, we can link to a singular post and say 'do this'



Agreed, that's what I'm going to try and do. I'm uncertain if I need all of the images. I was more worried about link/picture limits in posts. I should be able to stick to what I have already laid out.

Wanna know what would be super cool in the long haul? Get a few of the forum-centric experts to do a collab on something like a YouTube channel, posting various how-to vids from their field of expertise. No cams or anything, just a mic and a desktop recorder. Hit random topics of interest: virus/security stuff pertaining to the OS, router config and port forwarding basics, that kind of stuff might be seriously cool.


----------



## Tallencor (Aug 21, 2016)

Solaris17 said:


> Agreed, that's what I'm going to try and do. I'm uncertain if I need all of the images. I was more worried about link/picture limits in posts. I should be able to stick to what I have already laid out.
> 
> Wanna know what would be super cool in the long haul? Get a few of the forum-centric experts to do a collab on something like a YouTube channel, posting various how-to vids from their field of expertise. No cams or anything, just a mic and a desktop recorder. Hit random topics of interest: virus/security stuff pertaining to the OS, router config and port forwarding basics, that kind of stuff might be seriously cool.


+1 For this.


----------



## Solaris17 (Aug 25, 2016)

All set, it's done! As done as it can be for now anyway; I will add and remove things and evolve it as time goes on. I tried my absolute hardest to write this for a user. It was very difficult for me, so I apologise in advance for the length. But I can say that if you do read it in its entirety you may see security in a different light. I also kept the main disinfection procedure in one post for the occasional one-off send-to @Mussels was talking about. I hope I made it close to what everyone was hoping it would be! If it's not, well, who knows what the future holds! Back to ransomware mitigation on my core DCs.


----------



## johnspack (Aug 25, 2016)

Nice job including ADWCleaner in there. Very important browser trojan removal tool that finds stuff Malwarebytes etc. doesn't. Little known, and should be used!


----------



## Solaris17 (Aug 25, 2016)

johnspack said:


> Nice job including ADWCleaner in there. Very important browser trojan removal tool that finds stuff Malwarebytes etc. doesn't. Little known, and should be used!



100% agree, it's a great piece of software! It was very much included because of its ability; filling the gaps is what removal is all about!


----------



## johnspack (Aug 25, 2016)

You do have to be a bit careful with it though; it thinks my profile buddy profile for Cyberfox is suspicious. I had to uncheck that....


----------



## stinger608 (Aug 26, 2016)

I am a little surprised that, in the software list, you don't have Malwarebytes or Superantispyware listed.


----------



## Solaris17 (Aug 26, 2016)

I do have it listed (MBAM) and go over it in disinfection. I don't encourage people to use SUPERAntiSpyware.


----------



## redundantslurs (Sep 10, 2016)

Is there a particular reason why you don't encourage people to use SUPERAntiSpyware?


----------



## Mussels (Sep 10, 2016)

redundantslurs said:


> Is there a particular reason why you don't encourage people to use SUPERAntiSpyware?



I don't know anyone who uses it either; it's just not as good as Malwarebytes.


----------



## R-T-B (Sep 10, 2016)

puma99dk| said:


> Hmm, normally after a hard/annoying virus/malware attack the best thing is just to reinstall, because your OS won't be the same afterwards.



There are times when that is neither preferable nor desirable, and/or you aren't the client making that call. Thus this guide.


----------



## Solaris17 (Sep 10, 2016)

redundantslurs said:


> Is there a particular reason why you don't encourage people to use SUPERAntiSpyware?





Mussels said:


> I don't know anyone who uses it either; it's just not as good as Malwarebytes.



That should suffice for most people. It's just not a great product. A lot of users seem to also judge a lot of products by longevity; unfortunately that is also a bad way to judge effectiveness. I didn't include it because the engine is weak and there are better products. That's all.


----------



## Steevo (Sep 10, 2016)

I wrote a batch script a couple of years ago when all the popular rootkit removers were killed by a nasty piece of software. It renamed and launched TDSS from a new folder, from the zip version. Not that it was hard to do at all, but it may help to add something like it to your program.

Excellent guide!!!

EDIT** Comodo: not sure of the community feel on it now. I am using it currently as Avast was proving to be a PITA. It used to be way more hardcore than it feels now, but it's still free, and has very little user interaction for the protection offered.


----------



## Solaris17 (Sep 10, 2016)

Steevo said:


> I wrote a batch script a couple of years ago when all the popular rootkit removers were killed by a nasty piece of software. It renamed and launched TDSS from a new folder, from the zip version. Not that it was hard to do at all, but it may help to add something like it to your program.
> 
> Excellent guide!!!
> 
> EDIT** Comodo: not sure of the community feel on it now. I am using it currently as Avast was proving to be a PITA. It used to be way more hardcore than it feels now, but it's still free, and has very little user interaction for the protection offered.



Yeah, I liked Comodo; I haven't personally batteried them in a few years. I think I stopped because they bundled GeekBuddy or whatever their add-on is with it and I couldn't stand it, but I never had a problem with the detection rate in testing or personally. I like Avast too. Not sure how it's going to go with their purchase of AVG; I really hope they cool it on the bundle crap. Emsisoft is actually really good about that stuff, but they are a bit in your face with program execution.

That's a good idea I hadn't really considered: depending on how infected people are, some tools might not even launch. Maybe I'll prompt to ask if they are having trouble running utilities and run a name generation on the files downloaded. Not a bad idea.

And thanks! It was a fun piece to write.

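The name-generation idea discussed in the two posts above (a removal tool copied under a random file name so that malware which kills well-known tool processes by name does not catch it) as an added PowerShell example. This is not the tools script from the guide and not Steevo's batch file; the source path in the usage line is a placeholder, and `$env:TEMP` as the destination is an assumption.

```powershell
# Added example (not the guide's own tools script): copy an already-downloaded
# removal tool to a randomly named file. Malware that terminates processes by
# their well-known executable name (the TDSS case described in the thread)
# will not match the random name. The tool itself is unchanged.
# Assumptions: $SourcePath already exists; $DestinationDir is writable.

function Copy-ToolWithRandomName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SourcePath,
        [string] $DestinationDir = $env:TEMP,   # assumption: writable temp dir
        [int]    $NameLength     = 10
    )

    if (-not (Test-Path -LiteralPath $SourcePath)) {
        throw "Source file not found: $SourcePath"
    }

    # Build a random lowercase alphanumeric base name from a CSPRNG so the
    # name cannot be guessed from a pattern, and keep the original extension
    # so the copy still launches as the same file type (.exe, .bat, ...).
    $alphabet  = [char[]]'abcdefghijklmnopqrstuvwxyz0123456789'
    $rng       = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes     = New-Object byte[] $NameLength
    $rng.GetBytes($bytes)
    $baseName  = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
    $extension = [System.IO.Path]::GetExtension($SourcePath)

    $target = Join-Path $DestinationDir ($baseName + $extension)
    Copy-Item -LiteralPath $SourcePath -Destination $target -Force

    # Return the original-to-copy mapping so the technician can tell later
    # which randomised file was which tool (and clean up afterwards).
    [pscustomobject]@{
        Original = $SourcePath
        Copy     = $target
    }
}

# Usage (placeholder path; point it at the tool you actually downloaded):
# Copy-ToolWithRandomName -SourcePath 'C:\Tools\RemovalTool.exe' | Format-List
```

Copying rather than renaming leaves the original download intact, so a tool that refuses to run under a different name can still be tried as-is, and the returned mapping is worth logging so the randomised copies are removed once the cleanup is finished.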

----------



## RejZoR (Oct 10, 2016)

I know some cleaning goes into specifics (ransomware and parasitic file infectors), but this guide is way too complicated to be useful, and for those for whom it's not too complicated, it's not really needed in the first place.

Basically you just have to make a cleanup scan with as many tools as possible to be sure. So, a list of tools and directions to download and run them all one by one. When none of them shows any stuff left, then you're done. Then the user should ask what to do if malware borked up settings that may cause error dialogs to be displayed.


----------



## RejZoR (Oct 10, 2016)

Solaris17 said:


> Yeah, I liked Comodo; I haven't personally batteried them in a few years. I think I stopped because they bundled GeekBuddy or whatever their add-on is with it and I couldn't stand it, but I never had a problem with the detection rate in testing or personally. I like Avast too. Not sure how it's going to go with their purchase of AVG; I really hope they cool it on the bundle crap. Emsisoft is actually really good about that stuff, but they are a bit in your face with program execution.
> 
> That's a good idea I hadn't really considered: depending on how infected people are, some tools might not even launch. Maybe I'll prompt to ask if they are having trouble running utilities and run a name generation on the files downloaded. Not a bad idea.
> 
> And thanks! It was a fun piece to write.



Their plan is to leave avast! and AVG brands and products as is and only merge stuff behind the scenes. So, avast! will get protection features from AVG and vice versa. This way they'll enhance protection for both, while not alienating existing userbase with dramatic changes to the interface or functionality.

Btw, stay away from Comodo. People behind this product are retarded children, to say the least. I won't lie, they have alright ideas, but their QA is a disaster, and don't you even dare question their methods or decisions, because they'll ban you from their forums simply for disagreeing with them or negatively commenting on their garbage. It's a freaking joke when developers start doing such crap. But if you praise them to death, they'll dance around in joy. Like, w00t, I make criticism so shit gets sorted out, not to cluelessly bash a company. Most get that; Comodo doesn't. And after they needed like 2 months to address their lack of digital signatures on CIS drivers for the Win10 Redstone update, I knew they are a total mess. We are talking essential kernel drivers for real-time protection! avast! had a similar issue on some unessential browser cleanup driver and they fixed it in half a day. And when I criticized avast!, even very harshly, they were a bit sad I think at that moment, but they didn't ban me; instead they sorted out that stuff. That's how you fix stuff, not get butthurt like mad and start banning people. So, yeah, avast! over Comodo any time. In fact any product over Comodo...


----------



## misternikitas (Mar 22, 2017)

Most of the time, when someone has Windows 8.1 or 10, I tell them that an AV is not important if they have low-end machines (which they mostly do), as Windows Defender is quite good. On Windows 7, Microsoft Essentials is really bad, so I suggest either AVG or Avast. Do you agree with my opinion/suggestion?


----------



## alucasa (Mar 22, 2017)

101:

1. Don't click random links. If you must, inspect the link. If you must go, go there with NoScript and ad-blocking add-ons on.
2. Be careful of where you download your porn.
3. Be careful of the torrents you download.
4. Quit using cracks.
5. Quit visiting weird sites.

I haven't had a virus issue for ... forever.


----------



## Solaris17 (Mar 22, 2017)

misternikitas said:


> Most of the time, when someone has Windows 8.1 or 10, I tell them that an AV is not important if they have low-end machines (which they mostly do), as Windows Defender is quite good. On Windows 7, Microsoft Essentials is really bad, so I suggest either AVG or Avast. Do you agree with my opinion/suggestion?



Hm, this is a very subjective question, since you already seem to have some predispositions.

MSE and Windows Defender are actually identical products. They differ a little, but it's mostly the engine and its ability to be "baked in" to the OS. The definitions are for the most part the same. The detection rates and, more importantly, the engine itself and its removal ability are very much subpar.

However, the enterprise product, System Center Endpoint, has better luck, but the engine is not the same one as the consumer edition. Though the definitions are the same, they are updated more frequently, at least the last time I looked.

The trade-off with MSE/WinDef is that the usability is fantastic. Honestly, people could not ask for an easier interface. The system resource usage is also pretty great.

Plainly speaking, for an all-around product it simply doesn't cut it. Not in the slightest. It also unfortunately does not remove heavier infections easily, if at all. Normally the success you see with it is malware/junkware related.

Now however, usability and functionality are important, especially to users. For someone that browses the internet casually and checks email it will probably be fine. For those that consume a lot of online media and files I wouldn't recommend it.

I can't agree at all regarding AV not being important. I think it's even more important today than it was years ago. Several years ago it was as simple as what some of the others have said:

- watch what you go to
- watch what you download

etc. The plain truth though is that this is a logical fallacy. You cannot trust everything you get online. You also can't trust a "source" because it hasn't presented issues before. The landscape has changed dramatically, and while it isn't some kind of web apocalypse, anyone who thinks they are somehow immune to viruses because they "trust" their favorite illegal download site will probably get bit eventually. More and more infections today are coming through channels that aren't even normally monitored. Malvertising campaigns can spread malware to your browser and the site might not even know. Let's take a look at Ask Jeeves recently.

https://www.carbonblack.com/2017/03...general-tools-sophisticated-targeted-attacks/

Of course LastPass was also just compromised.

Yahoo was breached 3 weeks ago IIRC.

This is relevant because you have to understand: it isn't about emailing you an attachment or letting you download some shady file. Why attempt to infect you if you're on the lookout when they can just break into your favorite site's servers?

Of course, I am not arguing with you! I am just here to enlighten a few with some information. If you love MSE and have never had a virus, great! Don't go online? Don't need one! Don't think you need one? More power to you.

I analyze the threat landscape, test tooling and study the effects of malware on operating systems. Among other things I practice how to circumvent them.

Not a prophet, and this isn't some kind of religion.


----------



## misternikitas (Mar 22, 2017)

Hmmm, seems that the more technology advances, the more you have to protect yourself from the attackers. It's been years since I last used an AV and since I had any serious issues with viruses, as I know the dos and don'ts of surfing online and I regularly scan for viruses with most of the programs you mentioned above (gonna start using all of them, in the order you mentioned).

Every time a friend of mine shows me his laptop, saying it's slow, the first thing I do is check for viruses, then I check the number of processes that run in the background and also see what they do. Most of the time, the laptop is clean, almost a fresh install, but the problem is that it has an AV and some manufacturer applications that slow it down. How can an i3-5005U and 4 GB of RAM not get slowed by an AV (most systems today run Windows 8.1 or 10, which are not very light either)?

So I ask him how he uses it, and if the answer is to browse Facebook/YouTube and watch movies, I prefer to uninstall the AV and once in a while look at it to search for any viruses. Of course, I tell him that it's not safer than before, but there are not many ways to speed up a low-end computer (most of the time, I also disable BITS and Superfetch). If someone who I don't personally know asks me whether or not to have an AV, most of the time I tell him my opinion about all this, and if he believes he needs an AV, I recommend AVG or Avast to him, as I already mentioned.

I know that you are not arguing; I am asking to learn. I am studying Computer Engineering in one of the best universities in Greece, so any additional info about what I love is more than welcome.


----------



## Mussels (Mar 23, 2017)

Win 10's Defender is just good because it can't be disabled. As much as that annoys me as a power user, it's fantastic because it stops the general public from turning it off: "my free game won't work! stupid antivirus!"

I use Avast these days and quite like it. As far as free antivirus goes it's not very annoying with upgrade popups to the paid version and not system-heavy.


----------



## revin (Mar 23, 2017)

Solaris17 said:


> Plainly speaking for an all around product it simply doesn't cut it.





Solaris17 said:


> I think its even more important today then it was years ago





Solaris17 said:


> The landscape has changed dramatically





Solaris17 said:


> Yahoo was breached 3 weeks ago


As always, Solaris, great write-up.
This may explain a couple of issues I've had the last few days! At some point after closing IE it will not respond after opening. Opens up and nada, just blank as blank, even the toolbar not responding. Can open tabs, they stay blank also.
Nothing gets detected by Malwarebytes Pro & Anti-Exploit Premium, S&D, SpywareBlaster, but HitmanPro will give me a detection, then I just go manually remove from there.
Now I do visit adult sites, have for over 20 years; rarely do I get hit super bad, but in most cases of hard to remove, good ole format!
This is not about IE, Yahoo or whatnot; I've had issues with all the browsers. I'm an old fucker so I completely understand the issues of adult or warez sites. Let's not debate those merits.
Nowadays it has got very crafty for it to intrude in a system. Sure I could just not go places, but my choice.
I've had real good luck with Comodo for over a decade, but it seems I will need to tighten up on its permissions. Still I need to find just how the crafty lil evil is getting by.

fdudutfwtrqhardoand and GDIPFONTCACHEV1 with DMR 72 exe was the culprit found in VTRoot admin appdata local temp, but I can't connect where I was when it got there.


----------



## Solaris17 (Apr 13, 2017)

I updated the tools script and added a more in-depth DNS section under wrap up and mitigation. Further updates to come now that I can edit my posts. Thank you @W1zzard and super mods!


----------



## Folterknecht (Apr 13, 2017)

I've been using Avast (Free version) for years (beside ad blockers and brain.exe) and always was very happy with it until ~1 year ago, and now I've reached the point where I'm really considering a change. This thing over the years got really bloated.

They try to incorporate so much shit ... last year they tried to introduce/sneak in a browser add-on with shopping tips (not sure if it's still a thing; I dodged it), then there is a "Software Updater" (fuck that shit) and, most annoying, some kind of "performance tool" that detects "issues" (but doesn't mention what they are) and wants you to start the cleanup/optimization (click "Start") while giving you no info about what it intends to do. Of course I've avoided pressing that button; god knows what kind of trouble that would cause.

So I would reconsider your recommendation for that AV suite at the end of the guide. Otherwise really great work.


----------



## Solaris17 (Apr 14, 2017)

Folterknecht said:


> I've been using Avast (Free version) for years (beside ad blockers and brain.exe) and always was very happy with it until ~1 year ago, and now I've reached the point where I'm really considering a change. This thing over the years got really bloated.
> 
> They try to incorporate so much shit ... last year they tried to introduce/sneak in a browser add-on with shopping tips (not sure if it's still a thing; I dodged it), then there is a "Software Updater" (fuck that shit) and, most annoying, some kind of "performance tool" that detects "issues" (but doesn't mention what they are) and wants you to start the cleanup/optimization (click "Start") while giving you no info about what it intends to do. Of course I've avoided pressing that button; god knows what kind of trouble that would cause.
> 
> So I would reconsider your recommendation for that AV suite at the end of the guide. Otherwise really great work.



I haven't gone back over it, but when I wrote the guide they had not yet acquired AVG. It's already on the list to go back over! Thanks!


----------



## Solaris17 (Jun 30, 2017)

Hey everyone! Bit of an update, with a bit of a prod from @revin and @Norton. I wanted to do a short write-up about the latest in headlining crypto crazes. Today we will go over "NotPetya/Goldeneye", a ransomware variant that was thought to be a revision of Petya but, unlike its namesake, harbors multiple escalation techniques and includes EternalBlue code, which the widely known "WannaCry" strain used.

For those that want to go into it, Microsoft actually has a decent write-up *here*.

NotPetya, like other forms of new ransomware, has incredibly high infection rates. Not only are these viruses able to damage sensitive or otherwise important data, but they also generally carry the ability to infect entire networks of machines and are capable of infecting a host in multiple ways.

This is dangerous because such infections are not easily mitigated by patching "one hole" but instead are defended against using a layered security approach, such as being fully patched and having security software. However, that isn't to say that you are immune even if your system is in tip-top shape; these infections are dangerous and can fell even the newest of systems. With more likely to appear as ransomware becomes ever more popular, it's important to keep these things in mind:

- Make sure your PC is FULLY patched, at the least once a month
- Make sure you are using some kind of active protection
- Make sure you and other users in your environment are security aware; you don't have to be the weakest link to be hit (remember these infections can span networks)
- Keep separate backups of your important documents. External is best.

With these things in mind and NotPetya on the rise there is hope. Much like WannaCry 1.0's domain kill switch, there is a way to "vaccinate" yourself against NotPetya. Now, this doesn't mean the infection cannot spread and doesn't mean that your machine can't be exploited. However, Amit Serper has found a way to stop the ransomware from infecting the host it has managed to exploit. It seems the infection looks for a specific file in C:\Windows and, if it is found, halts the encryption process. With the secret now in the wild, Lawrence Abrams of Bleeping Computer was able to piece together Amit's technique into a *batch file* that can be run to create the necessary files needed to stop NotPetya.

While the files help prevent the infection, I must stress it does not prevent the machine from being broken into. That said, it should be noted that lateral movement of the infection seems dependent on EternalBlue, and exploits to machines that run in domain environments. While end users that are NOT part of a domain don't necessarily need to worry about those methods of exploitation, they do need to make sure they are patched for the same SMB 1.0 bug that EternalBlue and DoublePulsar used.

This is an ongoing report; NotPetya is still being analysed and its characteristics understood. Remember there are HUNDREDS of ransomware variants in the wild, not just what catches your eye in the headlines.

Stay safe out there.

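The four mitigations and the "vaccine" check from the NotPetya post above, as an added read-only PowerShell audit. This is example code written for this page, not the guide's tools script and not the Bleeping Computer batch file. It assumes an elevated session on Windows 8.1/10 or Server 2012 and later (for the `SmbShare` and `Defender` modules); because the post does not name the marker file, `$MarkerFileName` is an obviously labelled placeholder and the real name must be taken from the linked batch file. The 30-day patch window follows the post's "at least once a month".

```powershell
# Added example (not the guide's script): audit the mitigations listed in the
# NotPetya post without changing anything on the machine.
# Assumptions: elevated PowerShell on Win 8.1/10 or Server 2012+; the marker
# file name is a PLACEHOLDER (take the real one from the linked batch file).

function Test-RansomwareMitigations {
    [CmdletBinding()]
    param(
        [string] $MarkerFileName  = 'PLACEHOLDER-marker-file-name',
        [int]    $MaxPatchAgeDays = 30   # "fully patched at least once a month"
    )

    $result = [ordered]@{}

    # 1. Patch recency: newest installed hotfix with a usable install date.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    $result.LastPatchInstalled  = if ($latest) { $latest.InstalledOn } else { $null }
    $result.PatchedWithinWindow = [bool]$latest -and
        (((Get-Date) - $latest.InstalledOn).TotalDays -le $MaxPatchAgeDays)

    # 2. Active protection: Defender real-time status. Third-party AV does not
    #    report here, so "unknown" means verify the product by hand.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $result.RealTimeProtection = $mp.RealTimeProtectionEnabled
    } catch {
        $result.RealTimeProtection = 'unknown (Defender module unavailable)'
    }

    # 3. SMB1 exposure: the SMB 1.0 bug the post says EternalBlue and
    #    DoublePulsar used. A server still offering SMB1 needs the patch.
    try {
        $smb = Get-SmbServerConfiguration -ErrorAction Stop
        $result.Smb1Enabled = $smb.EnableSMB1Protocol
    } catch {
        $result.Smb1Enabled = 'unknown (SmbShare module unavailable)'
    }

    # 4. Vaccine marker: the post says NotPetya halts encryption when a specific
    #    file exists in C:\Windows; the batch file creates it read-only.
    $marker = Join-Path $env:windir $MarkerFileName
    $result.MarkerPath     = $marker
    $result.MarkerPresent  = Test-Path -LiteralPath $marker
    $result.MarkerReadOnly = if ($result.MarkerPresent) {
        (Get-Item -LiteralPath $marker).IsReadOnly
    } else { $false }

    [pscustomobject]$result
}

# Usage (supply the real marker name from the batch file):
# Test-RansomwareMitigations -MarkerFileName '<name from batch file>' | Format-List
```

The script only reads state. Turning off SMB1, installing updates and creating the marker are deliberate changes a technician should make on purpose, which is why an audit like this reports `Smb1Enabled = True` or `MarkerPresent = False` and leaves the fix to the person running it. The backup item from the post cannot be checked from the host alone, so it is left out rather than guessed at.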

----------



## jboydgolfer (Jun 30, 2017)

Solaris17 said:


> Hey Everyone! Bit of an update with a bit of a prod from @revin and @Norton I wanted to do a short write up about the latest in headlining crypto crazes. Today we will go over "NotPetya/Goldeneye" a ransomware variant that was thought to be a revision of petya but unlike its namesake harbors multiple escalation techniques and includes EternalBlue code which the widely known "Wannacry" strain used.
> 
> For those that want to go into it, Microsoft actually has a decent write up *here*.
> 
> ...




That was really cool of you to put your time/work into this... thank you, I appreciate it.


----------



## lexluthermiester (Dec 17, 2020)

This deserves a bump! Had never seen it before and the work that @Solaris17 has done should be seen more often as it is very informative & comprehensive and therefore likely to be helpful! Give me an oops upside the head if bumping it was not ok...


----------



## Solaris17 (Dec 17, 2020)

I should probably re-visit this script in the future; been busy with a role and department change at work so haven't been paying attention to a lot.


----------



## lexluthermiester (Dec 18, 2020)

Solaris17 said:


> I should probably re-visit this script in the future; been busy with a role and department change at work so haven't been paying attention to a lot.


No worries! As is it's very informative!


----------



## bobbybluz (Dec 18, 2020)

Kudos to Solaris17 for a job well done. As a former (now retired for 4 years) IT Admin at a public radio station, at times I'd be swamped with staff laptops as well as personal laptops of station employees that fux0red them up with malware and other garbage on a regular basis. I used many of the listed tools regularly, with Hitman Pro being my usual go-to. In my case things were so bad I finally quit doing cleanings and just did drive wipes with DBAN and fresh OS installs, because that took less time and I was tired of removing the same garbage from the same laptops on a regular basis. Some folks just never learn. Again, a fine and comprehensive guide that's right on the money.


----------



## Sergiiitooooo (Mar 1, 2021)

This message should be taught by law before buying a computer.

Clarify, conceptualize and guide you.


----------



## Solaris17 (Sep 12, 2021)

This guide has been updated and the tools script updated.


----------

