Malware removal process suggestions/tips

Speculant · Oct 30, 2014

I work in the tech support department of my university fixing student's computers, which is 90% of the time laptops and 70% of the time viruses. Since it is so often viruses, we have developed a process to make things easier. I'm going to post it here so I can get some suggestions on what we could rearrange, add, or remove in order to make things better, easier, quicker, etc. We do a lot of virus removal so we leave the longest scans for last so they are able to run overnight, sometimes we have 7 or 8 laptops at a time all running Malwarebytes or SpyBot overnight. Anyways, here is the process:

1. Load a clean, formatted USB key with the needed programs, all portable versions, and plug the loaded USB key into the infected computer.
2. Run Rkill.
3. Run Revo Uninstaller to remove any obvious Malware/Adware/Spyware from the programs list, using the "deep clean" option to scan for any registry or other remnants.
4. Run TDSS Killer with all options enabled, which will then reboot the system after scanning unless no infections are found. Run Rkill again after system reboots if it reboots.
5. Run NPE (Norton Power Eraser), which will reboot the system and scan. After scanning, run Rkill.
6. Run RougeKiller.
7. Run JRE (Junkware Removal Tool).
8. Run ADW Cleaner. After it runs, it will restart the computer. After the computer restarts, run Rkill again.
9. Run Malwarebytes portable.
10. Run Spybot Portable.
11. Run CCleaner.
12. Run whatever anti-virus the user has installed, and if none is available install and run Microsoft Security Essentials.
13. Remove any remnants such as logs or temporary files the scans left behind and it is finished! The computer should be clean and good to go.

If the built-in antivirus detects a strangely large amount of viruses (it shouldn't by that point), run through the process again until no detections are made. We figured that if this process can't remove all the viruses it will just be faster, in most cases, to back up the user data and reinstall the operating system as this list includes some pretty heavy-duty programs.

chaslang · Oct 31, 2014

Please don't take this the wrong way but you asked for opinions. In the end it is still up to you to run whatever you feel comfortable with but in quick summary I don't agree with a lot of this. And in many cases you are spending more time then you need to and running too many scans that are repeated for no valid reason ( like Rkill ), or not effective and a waste of time ( Spybot ), and you really need to base what you run on the problems/symptoms the user is having. If they just had a simple search engine/browser hijacking issue you could just fix the browsers that are installed ( all of them ) and remove unwanted junkware addons.

I understand why you want to make use of the overnight scan to save time but in many cases you are better off running these earlier to reduce repeated steps and to find serious problems sooner that the other less detail scanners will not find.

But let's go thru your steps and insert comments in a different color.

1. Load a clean, formatted USB key with the needed programs, all portable versions, and plug the loaded USB key into the infected computer.
2. Run Rkill.

Do you run as admin?
If it does not find anything the first time you probably don't need to keep rerunning it. And note that it is not a cure all and we almost never need to run it in any of our cleaning steps and we don't have hands on like you do!!!

I'm not saying it is bad, but we selectively run it only as an attempt to get started when you appear to be blocked from running other tools. And with really bad malware, it would block this too. But you don't need to keep running it.

3. Run Revo Uninstaller to remove any obvious Malware/Adware/Spyware from the programs list, using the "deep clean" option to scan for any registry or other remnants.
4. Run TDSS Killer with all options enabled, which will then reboot the system after scanning unless no infections are found. Run Rkill again after system reboots if it reboots.

As long as you are just not having it remove everything reported without looking at the logs first because there are false detections and not everything reported as unknown/questionable is a problem.

5. Run NPE (Norton Power Eraser), which will reboot the system and scan. After scanning, run Rkill.

Strongly recommend NEVER running this or another similar tool like Windows Defender Offline. We have had to manually fix hundreds if not thousands of PCs due to what these tools do.

6. Run RougeKiller.

Do you run as admin?
RogueKiller What do you have it do? You need to be very selective about having it fix all that is reported because most of what is reported are not problems.
Also after removing anything with RogueKiller it is recommended to reboot immediately especially if serious issues were found.

7. Run JRE (Junkware Removal Tool).

Do you run as admin?
If anything serious is found, you need reboot immediately.

8. Run ADW Cleaner. After it runs, it will restart the computer. After the computer restarts, run Rkill again.

Do you run as admin?
Be careful! While ADWCleaner is useful, it can report a lot of things that the user may want.

9. Run Malwarebytes portable.

Do you update the databases first? That is are you online or did you manually put the most recent databases on your USB drive so you can update offline first?

Do you fix what it finds?
Reboot immediately after fixing!

10. Run Spybot Portable.

Not worth the time to run. It is ineffective and typically only finds dead registry entries which it quite commonly will not fix anyway and will show again in the next scan. And there should be no reason it cannot remove them. Or it finds false detections. Also the very annoying Teatimer tool it installs is a resource hog and common gets in the way of performing malware cleaning steps. If you really want to run a secondary malware scanner, run a better tool like HitmanPro or SUPERAntispyware for example.

11. Run CCleaner.

Would be much better run very early. Removing all the temp files and recycle stuff and other junk it finds first will speed up all of your other scans since there will be fewer files to scan each time.

DO NOT USE the registry cleaner unless you manually go thru everything reported item by item and only remove true problems. Much of what registry cleaners reported are not problems and in the long run can cause issues with Windows running properly. Tens of thousands of PCs have issue with getting Windows Update to run and the problems were caused by a registry cleaner or some other silly/supposed performance improvement tweaker.

12. Run whatever anti-virus the user has installed, and if none is available install and run Microsoft Security Essentials.

What do you do if that have Windows XP?

13. Remove any remnants such as logs or temporary files the scans left behind and it is finished! The computer should be clean and good to go.

Our experience is that your last sentence is typically not true. There are commonly still unwanted addons in browsers that are causing issues with hijacking or search engines or other junkware. If the scanners worked like you are assuming, people would be clean after running our read and run me but they typically are not.

If the built-in antivirus detects a strangely large amount of viruses (it shouldn't by that point), run through the process again until no detections are made.

Again bad assumption which is why when you have hands on you should quickly look at a few things manually. We don't have hands on luxury here so we collect a bunch of logs from tools to figure out what to do. If I have hands on, what I do is different and faster.

We figured that if this process can't remove all the viruses it will just be faster, in most cases, to back up the user data and reinstall the operating system as this list includes some pretty heavy-duty programs.

NEVER EVER TRUE unless the system as a serious PE file infection which gives you no choice but to reinstall and backups can be dangerous. You have be very selective with PE infections. And you are better detecting PE file type infections earlier before you waste your time running too many scanners than cannot fix or even detect these infections. This is a reason you really need to run at least one more detailed effective scanner like Malwarebytes or Hitman Pro much earlier.
Click to expand...

It's your choice on what approach you prefer to take. But a new install involves more than you may think. Especially to get back to a level of where the system is at before the reinstall. You have to consider all of the below:

You have to backup all the user's own data, settings, configurations etc and first you have to know what/where all of these are. And you have to have the medium (burnable media, second hard drive, etc )

You have to make sure you back up all bookmarks for all browsers that may be installed.

You have to take note of all non-Windows applications a user may have installed, games, misc tools....etc and also backup any tweaks/settings for these.

Then you must make sure you have the necessary disks to reinstall not just your OS but all other software you use especially protection before going online.

Then delete your partitions, recreate partitions, format, reinstall the OS. If you do a simple format/reinstall with any serious infection that lead you to this point, you may still be infected due to a partition being infected.

Now reinstall all your software especially protection

Get back online

Download updates for the Windows OS and these could be significant and may not eve show up right away. It takes Windows awhile after being online to figure what is missing. These installations may require multiple reboots and then a continue.

Download updates for protection software

Reinstall all software that had been installed and that is still needed including printer software/drivers....etc.

Download updates for all other software

Tweak all software back the way the user liked it. Including Desktop settings, icons etc.

Create all the folders that the user requires for everything in normally daily routines

Re-load from your backups to get data back, to get settings, Favorites,Bookmarks.....etc back

Now over the next two weeks the user will realize that you forgot to backup some stuff and also he/she will keep finding something else that needs to be reinstalled and reconfigured.

Speculant · Oct 31, 2014

Thank you for your suggestions! I'm going to suggest to my boss (who has stated multiple times that he is VERY open to changes) immediately replacing Spybot with SUPERAntiSpyware, as it does look a lot better, and also removing NPE from the list of tools, as well as only running Rkill once (unless of course it finds something).

I will address some of the rest of your comments now, but I will also take time to have a deeper look at the process while taking your suggestions strongly into account to develop a better and more-personalized process, as you are right when you say that we should take advantage of having actual hands-on with the user's hardware.

As for Windows XP, it isn't supported by our University, so if the user has it they won't even be able to access the Internet on the University's network. I've worked there for a little over three months now and I have yet to see any laptops come in with XP installed on them.

Also, when we reinstall Windows, we explain to the user that all we will do is make a list of their currently installed applications, back up their "User" folder (and then we also explain the contents of the User folder), reinstall Windows based from the built-in reinstall partition (if there is one, if not we have media available), and restore their User folder to their desktop. Most users are perfectly fine with this procedure and customizing Windows back to the way they like, and if they want us to do more customization we are able and willing to accommodate any specific instructions. I realize that if the infection has spread to or targets specifically the reinstall partition, the new install of Windows will be infected as well. Right now we have Malwarebytes set to scan all partitions although you are correct about the possibility of a recovery partition virus and I will have to look into better ways of doing this procedure if we do end up reinstalling Windows from a recovery partition.

We are a free service to the student population and employ several students who have no previous experience with malware removal (the only real requirement to the job is being in the STEM degree program), so we do want the process to be as easy as possible for the student employees. I feel the best solution is to take small steps at a time, and hopefully by less than a year we have a better, more in-depth (and more hands on) process that everyone feels comfortable with.

chaslang · Nov 1, 2014

You're welcome.

Speculant said: ↑

I'm going to suggest to my boss (who has stated multiple times that he is VERY open to changes)
Click to expand...

Good! It should always be a work in progress that is taylor to what is currently going on in the malware world.

Speculant said: ↑

As for Windows XP, it isn't supported by our University, so if the user has it they won't even be able to access the Internet on the University's network.
Click to expand...

Great! I was just checking. This it the correct approach now to protect the private network.

Speculant said: ↑

We are a free service to the student population and employ several students who have no previous experience with malware removal (the only real requirement to the job is being in the STEM degree program), so we do want the process to be as easy as possible for the student employees. I feel the best solution is to take small steps at a time, and hopefully by less than a year we have a better, more in-depth (and more hands on) process that everyone feels comfortable with.
Click to expand...

Okay. Just be aware that as I stated, that manual analysis of logs and checking the symptoms of a PC at the end of cleaning processes will commonly show there are still some issues. Today one of the biggest problems that goes undetected by scanners are all the unwanted/bad addons/pluggins that get hooked into browsers.

Log in or Sign up

Malware removal process suggestions/tips

Speculant The Confused One

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Speculant The Confused One

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Log in or Sign up

Malware removal process suggestions/tips

Speculant The Confused One

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Speculant The Confused One

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Useful Searches