This is a suggested template for a malware removal guidelines document.
This document is a set of suggested guidelines and steps to aid in the successful removal of malware. No set of steps can guarantee the state of a machine with respect to malware infection, but following this guide should provide a framework that makes malware removal more complete, more successful and less likely to end in wiping the user's system and starting over.
The approach chosen has to balance the inconvenience to the end user of backing up and restoring documents and the settings of the applications they use daily against the need for security and the time allocated to cleaning the malware off the machine.
No doubt about it: cleaning malware takes time. It is not unusual for a single scan to take two or more hours, and multiple scans add up. There are ways, however, to streamline or even speed up the process.
Preparation for Cleaning
The most important aspect of a successful malware cleaning is determining a plan of attack. Do you know what the infection is? Some types of malware are more difficult to clean than others, and some are more dangerous than others. Some, such as a worm or CryptoLocker, demand taking the machine off the network immediately (a worm to stop it spreading, ransomware such as CryptoLocker to stop it reaching network shares). Does the computer have multiple users? Some tools work for a single user whereas others handle multiple user accounts. Can the user be without the machine for a while? Scanning in safe mode is always preferable to scanning in normal mode, and scanning from a boot device, such as a bootable rescue CDROM, is better still.
If the type of malware has not been identified, scanning with SuperAntiSpyware (SAS) is a good start. It has an aggressive scanner that not only finds common types of malware but also pursues potentially unwanted programs (PUPs) that can interfere with operation of the computer.
Once the infection is identified, one of the most important steps is to clean out all temporary files. A lot of malware hides in temporary file locations in order to escape detection and removal. Windows has a Disk Cleanup wizard that can aid in this. Piriform makes CCleaner, which can clean out temp files and registry entries that no longer point to anything. However, those tools clean the current user's profile only. On a multi-user computer, such as a front desk machine, a cleaner that handles every user account is needed, such as TempFileCleaner (TFC).
It is also important to identify rogue or troublesome processes running in memory and terminate them. BleepingComputer.com offers rkill, which kills many such processes and restarts Windows Explorer cleanly. Rkill is distributed under several filenames because malware tries to evade and even disable tools designed for detection and removal. Rkill.exe is the normal executable; the same program is also offered as rkill.com (a different extension, so malware that blocks or kills by the .exe name misses it; Windows still runs it as an ordinary program) and, if neither of those works, as iExplore.exe, a name malware typically leaves alone because it is the filename of Internet Explorer. Note that rkill only stops processes and removes nothing, so run the scanners immediately afterwards without rebooting, otherwise the malware simply restarts with Windows.
Removing these processes matters, which is why safe mode is generally recommended. However, some malware survives even in safe mode. For a severe infection or a rootkit, the best option is to boot from rescue media (such as a rescue CD) and do an "offline scan" from outside the installed operating system, where the rootkit is not running and cannot hide its files.
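The multi-user temp cleanup described above, as an added PowerShell example (not code from the original guideline or from any of the tools it names): it enumerates every local profile from the ProfileList registry key, so it reaches accounts that are not logged in, and it reports files it could not delete, since a file held open in a temp folder is a good lead for the process-killing step that follows. The INetCache path is the browser cache location on Windows Vista and later; the script assumes an elevated prompt.

```powershell
# Added example, not part of the original guideline: empties the temp folders of
# every local user profile plus the system temp folder, so a shared machine is
# covered even for accounts that are not logged in. Run from an elevated
# PowerShell prompt; pass -WhatIf first to list what would be removed.
param(
    [switch]$WhatIf
)

# Windows records each local profile's directory under ProfileList (one subkey
# per SID), which is how profiles other than the current user's are found.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$tempDirs = New-Object System.Collections.Generic.List[string]
$tempDirs.Add((Join-Path $env:SystemRoot 'Temp'))

foreach ($key in Get-ChildItem -Path $profileList) {
    $profileDir = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
    if (-not $profileDir) { continue }
    $profileDir = [Environment]::ExpandEnvironmentVariables($profileDir)
    $tempDirs.Add((Join-Path $profileDir 'AppData\Local\Temp'))
    # The browser cache is another favourite drop location
    $tempDirs.Add((Join-Path $profileDir 'AppData\Local\Microsoft\Windows\INetCache'))
}

$locked = @()
foreach ($dir in ($tempDirs | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Write-Host "Cleaning $dir"
    $files = Get-ChildItem -LiteralPath $dir -File -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        try {
            Remove-Item -LiteralPath $file.FullName -Force -WhatIf:$WhatIf -ErrorAction Stop
        } catch {
            # A temp file that refuses to go is usually held open by a running
            # process. In a temp folder that is suspicious: note it for rkill.
            $locked += $file.FullName
        }
    }
}

if ($locked.Count -gt 0) {
    Write-Host ''
    Write-Host 'Could not remove (probably in use by a running process):'
    $locked | ForEach-Object { Write-Host "  $_" }
}
```

Run it once with -WhatIf to see the list, then for real; anything in the "could not remove" list deserves a look in Task Manager or Process Explorer before moving on to rkill.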
Cleaning the Malware
At this point you are ready to get more aggressive with the cleaning. You should know the name and type of the infection by now, so head back to BleepingComputer.com and search for a malware removal guide for the infection you are dealing with. BleepingComputer.com's guides are written by trained malware removal experts; in fact, the site offers malware removal training.
If no guide is available, malware removal can still be done reasonably well with the following loosely suggested sequence, which ends only once you get a clean scan (or you wipe the hard drive and start over):
If it is a rootkit, start with a rootkit cleaner, such as Kaspersky's TDSSKiller, and follow it up with Malwarebytes Anti-Rootkit.
Malwarebytes Anti-Malware (MBAM) has a free edition that is reliable at removing infections.
If the problem is adware, another scan with AdwCleaner might be necessary.
If not used already, a scan with SuperAntiSpyware should be done.
Do one last (hopefully) check with ESET Online Scanner.
If still not clean, scan with Panda’s online Cloud Cleaner.
Post-Cleaning
Regardless of the outcome above, run the last scan with SurfRight's HitmanPro, because it often finds things the others miss, including some rootkit components. It is a fast cloud-based scanner that runs without registration; if it finds something, it can be activated for a free 30-day period to remove it.
Be sure to remove any programs after use.
Resources
If it is questionable whether a file is really infected, VirusTotal.com will scan an uploaded file with a large number of engines, which helps to cut through the false positives you will sooner or later run into. Bear in mind that an uploaded file is shared with security vendors, so do not upload documents that may contain confidential data; look the file up by its hash first, since a hash lookup reveals nothing about the content, and upload only if the hash is unknown.
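The hash-first lookup, as an added PowerShell example (not code from the original guideline or from VirusTotal): it computes the SHA-256, builds the report link that can be opened in a browser without uploading anything, and, if an API key is supplied, queries the report. The endpoint and header name assume VirusTotal's v3 REST API; the file path in the usage comment is hypothetical.

```powershell
# Added example, not part of the original guideline: look a suspect file up on
# VirusTotal by its SHA-256 before considering an upload. If the hash is already
# known, you get the verdict without sending the file anywhere; only an unknown
# hash justifies uploading. The API call assumes VirusTotal's v3 REST API
# (GET https://www.virustotal.com/api/v3/files/<sha256>, key in the x-apikey header).

function Get-VirusTotalVerdict {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string]$ApiKey        # optional; without it only the hash and report URL are produced
    )

    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    $result = [ordered]@{
        File       = $Path
        SHA256     = $sha256
        ReportUrl  = "https://www.virustotal.com/gui/file/$sha256"   # open in a browser, no upload
        Known      = $null
        Malicious  = $null
        Suspicious = $null
        Undetected = $null
    }

    if ($ApiKey) {
        try {
            $resp = Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$sha256" `
                                      -Headers @{ 'x-apikey' = $ApiKey } -ErrorAction Stop
            $stats = $resp.data.attributes.last_analysis_stats
            $result.Known      = $true
            $result.Malicious  = $stats.malicious
            $result.Suspicious = $stats.suspicious
            $result.Undetected = $stats.undetected
        } catch {
            # 404 means nobody has submitted this hash yet; anything else is a
            # real error (bad key, no network) and must not be mistaken for "unknown".
            if ([int]$_.Exception.Response.StatusCode -eq 404) {
                $result.Known = $false
            } else {
                throw
            }
        }
    }
    [pscustomobject]$result
}

# Usage (hypothetical path; key taken from the environment, or omit -ApiKey for
# an offline hash and report link only):
# Get-VirusTotalVerdict -Path 'C:\Users\frontdesk\AppData\Local\Temp\update.exe' -ApiKey $env:VT_API_KEY
```

A result with Known = $false is the only case in which uploading is worth considering, and even then only for files that cannot contain the user's data.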
If there are no removal guides available at BleepingComputer.com, MalwareTips.com also has a few good ones.
Warnings
Malware removal is not always a trivial task. In particular, rootkit removal can take part of the operating system out with it, because rootkits patch or replace system files and drivers. Good backups are particularly important when malware is suspected.
ComboFix is a popular last-resort, all-inclusive repair program that removes malware and even some of its side effects. It is also like hammering a nail with a sledgehammer: if you miss, you put a hole in the wall. ComboFix does not run on Windows 8.1 or later, and its support for 64-bit systems has varied between versions, so check the compatibility notes on its download page before relying on it. Where it cannot run, use FRST (Farbar Recovery Scan Tool) or Zoek instead.
Even with the most trivial malware, something can go wrong, so be sure all user data is backed up first.
Always check for leftover network tampering: a proxy server or automatic configuration (PAC) script in Internet Explorer's connection settings, the DNS servers configured on the network adapters, and the hosts file. Malware uses these to redirect traffic or to block access to security vendors' sites, and the scanners above do not necessarily undo them.
Last but not least, clean up after yourself: remove SAS, MBAM and the other tools, and leave the system in better shape than you found it.
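The post-cleaning network check, as an added PowerShell example (not code from the original guideline): it prints the per-user WinINet proxy that Internet Explorer follows, the system-wide WinHTTP proxy, the DNS servers on each interface and the active hosts file entries, changing nothing. It assumes Windows 8 / Server 2012 or later for Get-DnsClientServerAddress; on older systems substitute "ipconfig /all" for that step.

```powershell
# Added example, not part of the original guideline: prints the network settings
# malware tampers with to hijack or block traffic, so they can be reviewed after
# cleaning. Nothing is changed. Get-DnsClientServerAddress needs Windows 8 /
# Server 2012 or later; on older systems use "ipconfig /all" instead.

# 1. Per-user proxy used by Internet Explorer and anything built on WinINet
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Write-Host '== Proxy (WinINet, current user) =='
Write-Host ("ProxyEnable   : {0}" -f $inet.ProxyEnable)
Write-Host ("ProxyServer   : {0}" -f $inet.ProxyServer)
Write-Host ("AutoConfigURL : {0}" -f $inet.AutoConfigURL)   # a PAC script can reroute everything
if ($inet.ProxyEnable -eq 1 -or $inet.AutoConfigURL) {
    Write-Warning 'A proxy or PAC script is set; confirm it is expected in this environment.'
}

# 2. System-wide WinHTTP proxy (used by services, Windows Update, etc.)
Write-Host ''
Write-Host '== Proxy (WinHTTP, system) =='
netsh winhttp show proxy

# 3. DNS servers on each interface
Write-Host ''
Write-Host '== DNS servers (IPv4) =='
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { Write-Host ("  {0,-30} {1}" -f $_.InterfaceAlias, ($_.ServerAddresses -join ', ')) }

# 4. Active hosts file entries (everything that is not a comment or blank line)
Write-Host ''
Write-Host '== hosts file entries =='
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$entries = Get-Content -LiteralPath $hostsFile | Where-Object { $_ -match '^\s*[^#\s]' }
if ($entries) {
    # Security vendor or update sites pointed at 127.0.0.1 or an unfamiliar
    # address is a classic way of blocking the very tools listed in this guide.
    $entries | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host '  (none)'
}
```

Anything other than ProxyEnable 0, the DNS servers the site normally uses, and an empty hosts file needs an explanation; if there is none, reset it by hand before handing the machine back.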