A Malware Removal Guide

In my experience, removing temp files first can knock much more than a minute off a scan. I regularly delete up to 10 GB of temp/internet files off clients' computers. This can mean deleting a couple of hundred thousand files. I have seen MBAM take 4 hours to scan a PC like that...
 
Sheesh. Y'all are being just as pedantic as Keegan. Let's give the premise that cleaning temp files shaves a few seconds, or even a minute, from scans. Does that make it the only "right" way to remove malware? Is there a special hell reserved for those who use it at a different point in their procedure? 'Cause that was my point to Keegan: that there is often more than one right way to accomplish something, and to reserve judgement pending further thought and knowledge. Not when to clean temp files. Cleaning temp files at the beginning might be minutely more efficient, but I doubt that the computer will self-destruct if it is done at a different time during the process.

Rick

It doesn't make it the only right way to do a virus removal by any means.

I am simply sharing my thoughts on the subject and I feel in my personal opinion, which is not the only correct way to complete a successful virus removal, that it is the most efficient way.
 
There have been cases when cleaning the Crap/Junk files (inside the Temp files etc.)
and then rebooting just resulted in the re-creation of the Crap/Junk files associated with Malware.

Unless you remove Malware first,
Malware-related Crap/Junk files will not be removed (no matter how many times you run Disk Cleaners).
A simple Reboot and the Malware-related Crap/Junk files
will be regenerated IF you don't remove Malware first.

That's why I wrote that "when Malware is associated with the creation of files inside the Temp files etc.,
it is pointless to Clean Crap/Junk files -Before- Cleaning Malware itself".

If you check at 'Bleeping Computer' and 'Geeks to Go',
which are the Best Malware Removal Fora,
Crap/Junk file Cleaning -BEFORE- Malware Cleaning is No longer a practice.

Haven't checked but I don't think anyone is saying that clearing the junk is necessary, just that it's more practical to first remove files that are, well, crap. If I'm working on an older system with 1GB of junk and it takes 1 min to remove them vs. 5 minutes to scan.... I've saved myself 4 mins of waiting. By the same token, I'm guessing those sites referenced removed them from their steps as, for the end-user, cleaning up some junk files isn't (again) necessary to the process. Why walk an end-user through a step that doesn't need to be done?

I'm not really clear on the concern for "re-creation of files associated with malware". If there's 1GB of junk on a system, I'd be willing to bet that <1% are associated and the other 99% would be fair game.
 
Can we all move on from this lol...


How 'bout discussing things like:

- What should I add to this guide to make it better
- Is there anything listed that's incorrect
- Should I remove anything
- Should I add some tips/tools/scanners etc
 
I ALREADY explained that.
Often viruses and trojans may use variations on real Windows system files (usually associated with services)
(e.g. scvhost rather than svchost, lsasss rather than lsass, etc.).
As a result, Malware-related Junk files are regenerated after Reboot IF
Malware is Not removed in the first place.

This is how Malware Removal Fora proceed.
>The given is how to Effectively Remove Malware and the Junk files associated with Malware.
>For Malware Removal Experts, the given is Not how to earn some minutes during Scan time.
Computer Repair shops, which are Not Malware Removal Fora, may proceed differently...

Since the Topic is 'Malware Removal Guide', I tried to explain the latest trends in Malware Removal based on the prominent Malware Removal Fora guidelines.

Never mind...
Sorry...and End of Discussion.

Don't think we (or I) are not grateful that you share your insight with us. I truly am. It is always great to hear what others do; after all, that's why we are here.

When it comes down to it, temp cleaning is not a big thing in malware removal anyhow. But again sharing is king

After all we don't want to end up pedantic like some:)
 
I think it was the way you explained it made it confusing. It doesn't have anything to do with malware using files named like real system files.

Seems like a total non-issue unless you were expecting a temp file cleaner to kill a virus.

People use them to speed up scans. They tend to remove the relevant files from temp areas, if they exist, during the removal process anyway.
 
You seem to have got yourself all wound up about a total non-issue. Someone was posting their list of tasks for malware removal and you posted: "As some Malware Infections are placing copies of legitimate system files inside the Temp file locations, a Temp File cleaning stage -PRIOR to Malware Removal- is No Longer suggested."

That statement caused confusion because of what you said, not because of people here being too thick to understand you. Re-read what you said there and think about what that implies.

It's this bit that caused the confusion "placing copies of legitimate system files inside the Temp file locations". You were asked to explain more about this and give examples but didn't. Which legitimate system files are in which temp file locations? I don't see any virus doing this. Perhaps you meant put files that LOOK legitimate? But even then, are these similarly named files in temp locations or other locations like Windows or System32? We know of the similarly named files in non-temp file locations. And what difference does it make how these files are named if they are in the temp folders anyway? How does their name impact upon the relevance of a temp file cleaner's operation?

I THINK what you meant to say was that there is no point in doing it if you believe it is helping to remove the virus because it isn't. Is that correct? If so then obviously you are correct. It's not a new thing.
 
You say "Whether Malware is placing copies of legitimate system files or variations of them, it is irrelevant ." - so why did you say earlier that it was the reason why one should not use a temp file cleaner?

Your repeated referral to malware removal forum courses gives me the impression you think anyone who hasn't done forum work is useless. Is that what you think?

BTW, what is a "computer repair shopper"?

As it happens I have first hand experience of one of those courses and so I know for a fact they are good people but not doing anything outside the range of normal removal activities performed by competent support professionals. Much of the course is centered on doing the removal via a forum which is a skill in itself. They are limited by the fact that users can only do certain things - hence some of the tools and methods they use. I'm not remotely putting what they do down because I think it's great but on the other hand they are not all the pinnacle of knowledge when it comes to all things malware. But again this is not relevant.

I don't know that "Modern trends in Malware Diagnosis want Temp file cleaners -which are Often associated with Malware- to remain as they are." Where are you getting that information from?

So are you saying anything other than temp cleaning won't remove a virus these days?
 
Personally I feel that this thread needs to be closed. It has become way off topic from what the OP wanted.

Your repeated referral to malware removal forum courses gives me the impression you think anyone who hasn't done forum work is useless. Is that what you think?

That's what I understood

As Malware Removal staff are Not in a position to know what is going on -Before analyzing Log files-,
they want NO Temp file cleaning (as Temp files can be associated with malware).
Just check the preparation before posting for help at Geekstogo, Bleeping Computer, TechSupportForum etc.
-Why is it so difficult to understand that?

I apologise, but I generally don't use these forums; I normally just remove the virus myself with no assistance from what I consider "end-user" help forums.
 
Today's windows malware infections have become extremely difficult to repair with spyware removal software of any kind. Removal of any virus is often impossible because the rootkit protects the malware from being discovered. Many repair shops and online blogs fail to grasp the severity of a rootkit infection and continue to scan and fix hoping to get the upper hand on the rootkit.

Sorry, but removal of any virus is NOT impossible. We use a variety of scanners, and manual removal, to eradicate viri, and malware from machines.

I have noticed your recent posts, and they appear to have been copied and pasted from Google and/or other forums. We know what rootkits are, and how to unhook them; we don't need to be told the severity of them.
 
> Today's windows malware infections have become extremely difficult to repair with spyware removal software of any kind. Removal of any virus is often impossible because the rootkit protects the malware from being discovered. Many repair shops and online blogs fail to grasp the severity of a rootkit infection and continue to scan and fix hoping to get the upper hand on the rootkit.

You might want to develop your own opinions rather than copy/pasting from "hxxp://www.malware-removal-guide.com/"

http://www.awesomehighlighter.com/page/display/OQc1gDoHq/1

Reported as end user or, possibly, spammer.
 
Mine's something like this:

[offline]
1) Perform an offline scan using avast BART or ESET SysRescue (both on bootable usb drive, scan files + mbr)

[host OS]
2) Run CCleaner

3) Use AutoRuns, taskmanager, & HiJackThis (reboot after)

4) Run internet connection repair script (remove proxy settings, grab an ip, reset winsock, etc)

5) Run TDSSkiller and GMER

6) Run quick scan with malwarebytes

7) Quality Assurance Checks:
-ensure bootup without error messages
-check desktop wallpaper suitability
-check browser home page suitability
-check for excess/bad browser toolbars
-check for browser redirections
-ensure windows firewall is enabled
-ensure working security software is installed (avg or avast if not)

8) Proceed to tune up the computer if opted for

9) If all is well, flush system restore

10) Remind customer that they should change their passwords
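One way to script the read-only part of step 7's QA checks (firewall, proxy leftovers, home page, hosts-file redirections, registered security software); this is an added example, not the poster's own script. It assumes Windows 8 or later with PowerShell 3+, an elevated prompt, and the commonly used reading of Security Center's productState bit 0x1000 as "real-time protection on".

```powershell
# Added example (not from the thread): read-only QA checks for step 7 of the
# checklist above. Assumes Windows 8+/PowerShell 3+ and an elevated prompt.
$findings = New-Object System.Collections.Generic.List[string]

# Windows Firewall: every profile (Domain/Private/Public) should report Enabled = True.
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings.Add("Firewall disabled for profile '$($_.Name)'")
}

# Proxy settings left behind by malware (the same values step 4 clears).
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { $findings.Add("Proxy still enabled: $($inet.ProxyServer)") }
if ($inet.AutoConfigURL)     { $findings.Add("PAC script configured: $($inet.AutoConfigURL)") }

# Home page suitability is a human judgement, so the IE start page is reported for review.
$ieMain = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ieMain.'Start Page') { $findings.Add("IE start page for review: $($ieMain.'Start Page')") }

# Browser redirections via the hosts file: flag any active entry that is not a loopback line.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts | Where-Object {
    $_ -match '^\s*[^#\s]' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s'
} | ForEach-Object { $findings.Add("Hosts file entry: $($_.Trim())") }

# Working security software: Security Center lists registered AV products.
# Assumption: productState bit 0x1000 set means real-time protection is on.
$av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
if (-not $av) {
    $findings.Add('No antivirus product registered with Security Center')
} else {
    foreach ($p in $av) {
        if (-not ($p.productState -band 0x1000)) {
            $findings.Add("AV '$($p.displayName)' registered but real-time protection appears off")
        }
    }
}

if ($findings.Count -eq 0) { 'QA checks passed' } else { $findings }
```

Anything the script lists is a lead for the technician, not a verdict; the home page line in particular is informational only.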
 
You will never be able to beat the clean install as a solution to rootkit infections, I can't believe any of you would know every variant of any rootkit. If there is any hint of a rootkit on my clients computer, it's clean install for them. Guaranteed fix for the client is what matters, not your bs methods for trying to remove rootkits.
 
> You will never be able to beat the clean install as a solution to rootkit infections, I can't believe any of you would know every variant of any rootkit. If there is any hint of a rootkit on my clients computer, it's clean install for them. Guaranteed fix for the client is what matters, not your bs methods for trying to remove rootkits.

Whilst I value your opinion and given the chance, a reinstall is the best way to make sure a machine is completely clear of rootkits, I have to disagree. In my experience, 1) rootkits are common and a n&p isn't viable for a lot of customers, and 2) I find that through using various methods, most rootkits are removable (using offline and host os methods). Some may not be easy, but that's why they bring their machines to you.

The main reason I reinstall with virus removals is in case of file infectors, or if the OS is severely damaged. I can't remember the last time I reinstalled because of a rootkit.
 
The worst ones are the PSUkits, which infect the Power Supply Unit. So, whenever power is applied to ANY component, the PSUkit reactivates itself, and reinfects the computer. Like I say, they are IMPOSSIBLE to remove. Wherever electricity can flow, the PSUkit can travel.

Even if you replace the PSU, you never know if the old PSU somehow magnetically transferred the infection to the new PSU via inductive capacitance. I've seen it many times before, and I tell ya, it's the wave of the future.

Some even say that new PSUs are being manufactured with secret PSUkits installed...who knows! That's why I only buy Canadian made Power Supplies.
 
> The worst ones are the PSUkits, which infect the Power Supply Unit. So, whenever power is applied to ANY component, the PSUkit reactivates itself, and reinfects the computer. Like I say, they are IMPOSSIBLE to remove. Wherever electricity can flow, the PSUkit can travel.
>
> Even if you replace the PSU, you never know if the old PSU somehow magnetically transferred the infection to the new PSU via inductive capacitance. I've seen it many times before, and I tell ya, it's the wave of the future.
>
> Some even say that new PSUs are being manufactured with secret PSUkits installed...who knows! That's why I only buy Canadian made Power Supplies.

Time to put a second tinfoil hat on!!! :)
 
> The worst ones are the PSUkits, which infect the Power Supply Unit. So, whenever power is applied to ANY component, the PSUkit reactivates itself, and reinfects the computer. Like I say, they are IMPOSSIBLE to remove. Wherever electricity can flow, the PSUkit can travel.
>
> Even if you replace the PSU, you never know if the old PSU somehow magnetically transferred the infection to the new PSU via inductive capacitance. I've seen it many times before, and I tell ya, it's the wave of the future.
>
> Some even say that new PSUs are being manufactured with secret PSUkits installed...who knows! That's why I only buy Canadian made Power Supplies.

I've had a couple of these, and those Canadian PSUs are a bugger to import.

 
I've noticed that those from inner magnolia are just as good as those Canadian ones.

I get them sent over from my bil. Will use nothing but those now. Never once had a colourful issue.
 
> You might want to develop your own opinions rather than copy/pasting...

See, Google really is our friend. ;)

Good catch...

When they want to copy and paste, then give citation, source, and comment on the statement. As posted it was both unethical and deceptive. NOT in the spirit of a Technibble member.

Tom
 