Manually Cleaning Up Malware
** FOR HJT TRAINEES AND BEGINNERS **
After identifying the malware files, either through an anti-malware scan or through helper tools, the next step is cleaning them from the system.
Manual cleanup is divided into the following:
1. Adware, PUP, foistware and bloatware: use Add/Remove Programs if applicable. To check whether the unwanted program can be uninstalled, please see:
2. File/Folder deletion: In safe mode, simply browse to the suspected files and delete them. Make sure that file extensions, hidden files and system files are shown before locating the files. Stubborn files may require tools such as Killbox, File Assassin, Unlocker, etc.
3. ADS: A third-party tool is needed. You can use the HijackThis ADS removal tool or LADS. Make sure that the process using the ADS is not active before removal. To learn about Alternate Data Streams, see: http://www.bleepingcomputer.com/tutorials/tutorial25.html
4. Ending processes: I am not fond of ending processes manually. The only time it is needed is when dealing with rootkits. Task Manager always fails, so a third-party tool is needed. You can use Killbox, the HijackThis multi-process killer, IceSword, etc. Hopefully, in safe mode you will not need to end processes. However, if a process is still active in safe mode, it is best to use ComboFix and other semi-automated tools in normal mode.
5. Windows services: To remove a service, you will need to stop it first. Three ways to stop a service without any additional tool:
a) using services.msc (not recommended, since a malware service may not be listed there)
b) using the sc stop <serviceKeyName> command at the command prompt in Windows XP/Vista.
c) using the net stop <serviceKeyName> command at the command prompt in Windows 2000/XP/Vista.
Please note that a Windows service key name is different from its "display name" and description. HJT helpers should be able to identify the service key names from the display names in HJT logs.
To delete a service, the two easiest ways are:
a) using the sc delete <serviceKeyName> command at the command prompt in Windows XP/Vista.
b) using the "Delete an NT service" option in the HijackThis Misc Tools section.
NOTE: There are some malware services that cannot be stopped manually. Only in this case, try deleting the service first and then reboot.
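Here is a batch script that walks through item 5 end to end: resolve the key name from the display name seen in the HJT log, stop the service, check its state, and delete it. This is an added example written for this tutorial, not a tool from the original post or from the HijackThis project; the display name you pass in is whatever the log shows, and the "sc getkeyname" output format it parses is the standard one from Windows XP/Vista.

```batch
@echo off
rem Added example (not from the original post): stop and delete a malware service
rem by its key name, starting from the display name shown in an HJT log.
rem Usage: cleanservice.cmd "Display Name From HJT Log"
setlocal EnableDelayedExpansion

set "DISPLAY=%~1"
if "%DISPLAY%"=="" (
    echo Usage: %~nx0 "Display Name from HJT log"
    exit /b 1
)

rem 1. Resolve the key name from the display name. sc getkeyname prints a line
rem    like:  [SC] GetServiceKeyName SUCCESS  Name = keyname   (token 6 is the key name)
set "KEY="
for /f "tokens=6" %%k in ('sc getkeyname "%DISPLAY%" ^| findstr /C:"Name ="') do set "KEY=%%k"
if not defined KEY (
    echo No service with display name "%DISPLAY%" was found.
    exit /b 1
)
echo Display name: %DISPLAY%
echo Key name    : %KEY%

rem 2. Record where the service binary lives, so the file can be deleted afterwards (item 2).
sc qc "%KEY%" | findstr /C:"BINARY_PATH_NAME"

rem 3. Stop the service: sc stop first, net stop as the fallback (/y answers the dependency prompt).
sc stop "%KEY%" >nul 2>&1
if errorlevel 1 net stop "%KEY%" /y >nul 2>&1

rem 4. Confirm the state. A service that refuses to stop is deleted anyway and the
rem    machine rebooted, as the NOTE above describes.
sc query "%KEY%" | findstr /C:"STATE" | findstr /C:"STOPPED" >nul
if errorlevel 1 echo Service did not stop; deleting it anyway - reboot afterwards.

rem 5. Remove the service registration from the registry.
sc delete "%KEY%"

endlocal
```

Run it from an administrator command prompt (in safe mode where possible). It only deletes the service entry; the file named in BINARY_PATH_NAME still has to be removed as in item 2.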
6. Registry keys and entries: There are three different ways of deleting or changing an arbitrary registry item (one located anywhere in the registry) without the aid of a third-party tool:
a) using the graphical interface of regedit
b) using the command-line tool reg.exe, e.g. reg delete or reg add
c) using scripts in the form of .reg files
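As an added example for ways b) and c) (not part of the original post), the following batch script removes a startup entry and a malware key with reg.exe, restores a hijacked value with reg add, and then shows the same deletions written as a .reg script. The value name "ExampleLoader" and the key HKCU\Software\ExampleMalware are constructed placeholders standing in for whatever the HJT log identifies.

```batch
@echo off
rem Added example (not from the original post): reg.exe and .reg file cleanup.
rem "ExampleLoader" and HKCU\Software\ExampleMalware are constructed placeholders.

set "RUN=HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
set "BADKEY=HKCU\Software\ExampleMalware"

rem Look before deleting: confirm the entry is there and note the file it launches,
rem so the file itself can be removed afterwards (item 2).
reg query "%RUN%" /v ExampleLoader

rem b) reg.exe: delete a single value (/v) from the Run key, then a whole key.
rem    /f suppresses the "are you sure" prompt so the script does not stall.
reg delete "%RUN%" /v ExampleLoader /f
reg delete "%BADKEY%" /f

rem    reg add puts a hijacked value back to its normal content. Here the Winlogon
rem    Shell value is reset to the default explorer.exe (example only - check the
rem    log first, and only change values the log shows as hijacked).
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "explorer.exe" /f

rem c) .reg script doing the same deletions: a leading hyphen before the key name
rem    deletes the key, and "Name"=- deletes a single value. The file is written
rem    here and imported; double-clicking it in Explorer has the same effect.
> "%TEMP%\cleanup.reg" (
    echo Windows Registry Editor Version 5.00
    echo.
    echo [-%BADKEY%]
    echo.
    echo [%RUN%]
    echo "ExampleLoader"=-
)
reg import "%TEMP%\cleanup.reg"

rem Verify: reg query exits non-zero once the value no longer exists.
reg query "%RUN%" /v ExampleLoader >nul 2>&1 && echo ExampleLoader still present || echo ExampleLoader removed
```

Keep the reg query output from the first line before deleting anything: it is the only record of which file the entry pointed to once the value is gone.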
7. LSP entries: a third-party tool such as LSPfix is needed.
8. Infected hosts file: you can use the MVPS hosts file to simply replace the bad hosts file with a much better one. See: http://www.mvps.org/winhelp2002/hosts.htm
9. DLLs: if a DLL file does not depend on rundll32.exe, it is preferred that it be unregistered before deletion. To unregister a DLL, you can use the command:
regsvr32 /u <path\badDllName.dll>
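The following batch script is an added example (not from the original post) that covers items 2 and 9 together: it unregisters a DLL with regsvr32 /u, checks with tasklist /m that no running process still has it loaded, clears the hidden/system/read-only attributes that block deletion, and deletes the file. The path C:\WINDOWS\system32\badexample.dll is a constructed placeholder.

```batch
@echo off
rem Added example (not from the original post): unregister, check, and delete a DLL.
rem The path below is a constructed placeholder; substitute the file from the HJT log.
set "DLL=C:\WINDOWS\system32\badexample.dll"
for %%f in ("%DLL%") do set "DLLNAME=%%~nxf"

rem Hidden/system files are invisible in Explorer unless shown; dir /a lists them regardless.
if not exist "%DLL%" (
    echo %DLL% not found. Check with:  dir /a "%DLL%"
    exit /b 1
)

rem 1. Unregister the COM registration silently (/s) so no CLSID entries keep pointing at it.
regsvr32 /u /s "%DLL%"
if errorlevel 1 echo regsvr32 /u reported an error (the DLL may not export DllUnregisterServer).

rem 2. Is it still loaded anywhere? tasklist /m lists every process using the module;
rem    when nothing matches, the DLL name does not appear in the output.
tasklist /m "%DLLNAME%" | findstr /i /C:"%DLLNAME%" >nul
if not errorlevel 1 (
    echo %DLLNAME% is still loaded in a running process. Reboot into safe mode first.
    exit /b 1
)

rem 3. Clear attributes that block deletion, then delete.
attrib -h -s -r "%DLL%"
del /f /q "%DLL%"
if exist "%DLL%" (
    echo Deletion failed - a stubborn file. Use Killbox, File Assassin or Unlocker as in item 2.
) else (
    echo Deleted %DLL%
)
```

The tasklist check is the point of the script: deleting a DLL that is still mapped into a process either fails or leaves the in-memory copy running until the next reboot, so the file check comes before the delete, not after.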
10. R3 entries that cannot be removed by HijackThis: use Registrar Lite to delete the key.
11. Registry keys with embedded nulls: You will need tools such as RegDelNull and SWReg. For more information about embedded nulls, please see:
12. Infected System Restore files: Based on an old Microsoft KB article, it is best to turn off System Restore. This clears all restore points, including the infected ones. Once the entire system is clear of malware, as confirmed by a thorough anti-virus scan, you can turn System Restore back on and create a new restore point.
13. Policies added by malware: download and run fixpolicies.exe from here:
14. Rootkits and MBR infections: please read Detecting and Removing Rootkits in a Nutshell