How to remove virtually any malware

In my years working for the Steilacoom Historical School District, I’ve encountered just about every bit of malware out in the wild, and rarely, some viruses.  Using the methods and techniques below for Windows, I’ve been able to remove just about all the bad stuff I’ve come across, from the FBI Ransomware / MoneyPak to the Anti-virus Pro 2012 / 2013 (and the eventual 2014).

Prevention:

By far the easiest way to get rid of any viruses or malware is to prevent getting them in the first place.  I recommend:

  • MalwareByteshttp://www.malwarebytes.org – Free (for personal use) plus 14-Day trial of full version (STRONGLY recommended, paid version offers real-time scanning)
  • Avast! Free Antivirus – http://www.avast.com – Free (other paid versions available)

The second easiest way to prevent getting any viruses or malware is to familiarize yourself with your anti-malware / anti-virus software so you can differentiate between a legitimate threat alert and a fake one.  MalwareBytes offers several videos you can watch to see what it looks like in action.  If you are unsure what your anti-virus software threat notification looks like, you can copy and paste the following into notepad (100% safe), all on one line, and save it (if your anti-virus software will even allow you to):

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

You can read more about the line above here: EICAR.org

Locations:

Most malware is designed to still operate with limited user permissions, and therefore restricted to the infected user’s folder:

C:\users\<username>\appdata  (Vista / Windows 7)
C:\documents and settings\<username>\application data (Windows XP)

Detected malware with hidden duplicates

Detected malware with hidden duplicates

The most obvious malware will be located in those folders directly, other, sneakier malware will be nested within folders listed there, usually in the Local / Roaming folders or in the ProgramData folder (C:\ProgramData).

Another place to look to find the location of malware is in the registry, however this primarily only works while logged in as the infected user (to get to the registry, press the windows key + r, and type “regedit” without quotes).  In the registry, navigate to the following area:

HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Run

To the right, you will see the list of programs set to run when the user logs in.  You can safely delete any of the entries in there, although it is recommended to keep any of YOUR anti-virus / anti-malware program entries, as well as any sound / video driver related entries.

The other place in the registry to look is identical to the path above, but for anyone who logs in:

HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run

Identification:

Right-click to jump to location

Right-click to jump to location

In order to find most parts of the malware, you’ll need to (temporarily) enable viewinghidden files and folders, as well as system files.  Malware is usually randomly named, and further identified by other hidden or “system” files with the same name.  In the case of a MalwareBytes scan, it is recommended that you right click each malware identification and click “Jump to location”.  From there, sort by timestamp and delete any other files with the  same timestamp.

Other tips:

Detected malware above suspected malware

Detected malware above suspected malware

We’ve recently encountered more viruses ending up in an undeletable portion of the recycle bin.  To get around this and actually delete it, I had to:  

  1. Log the infected user out and login as a user with administrative permissions
  2. Take ownership of C:\$Recycle.Bin and all sub containers
  3. Open up a command window at C:\$Recycle.Bin and type:
    attrib -R -S -H *.* /S /D
    This removes the read-only, system, and hidden file attributes for all files (*.*) in the current folder, sub-folders, and processes folders as well.

From there, I was able to delete everything in the recycle bin, effectively removing the virus.

It is also common that upon removal of the malware that the infected user’s profile will be hidden and all the start menu configurations will be removed.  To restore this:

  1. Navigate to C:\Users (or C:\Documents and Settings) and right-click the folder of the user that was infected with malware, click properties, and uncheck “Hidden”.  Click Apply, then Ok. (You’ll need to have enabled viewing of hidden / system files and folders)
  2. Have the infected user login once the malware has been removed
  3. Right-click on the Start Menu and click properties

From here, it’s up to the user as to what they had visible.  Usually the Quick Launch toolbar is shown, and for the Start Menu tab (then click customize): Computer, Control Panel, Documents, Music, Personal, and Pictures are displayed as a link, and Connect To, Default Programs, Help, Network, and Search are all checked.

Now the Start Menu should look mostly like it did before.  All the icons that were pinned or added to the Start Menu and Quick Launch were deleted, but can easily be re-added.  The background is also probably black and will need to be reset back to whatever the user had before (or set the windows theme back to the default theme).