ComputerClinic
There has been a lot of debate about virus removal vs. Nuke and Paving. I hope to end this argument with this thread. 99% of virus removals can be done much faster than a Nuke and Pave. Before you flame me for this statement, take the time to learn my method:
1) Boot up computer and get a feel for how bad the infection is.
2) Boot the computer to a CD
-Malware defenses are completely down when outside of Windows
-You can use a custom WinPE CD or UBCD4Win
-Before CD loads completely, insert USB stick with your tools on it. This is so you can copy files onto the HDD before you reboot.
-If you make a WinPE CD, make sure that hidden files are visible. This can be done through the registry when the CD is first loaded.
-IMO this would be the best time to delete all temp files. If anyone knows of an effective, portable temp file cleaner that will work on an offline Windows install (including Vista and 7) let me know. You could delete temp files when you boot initially I suppose. But if malware is in one of those locations, it likely won't be deleted since Windows is running.
3) Use EzPcFix
-if it's XP, click load hives
-if it's Vista or 7, replace "Documents and Settings" with "Users" and click load hives
-if it's XP, delete temp files (I select everything but History). This won't work with Vista or 7
-open up registry keys and delete any suspect entries (or take the time to learn what to delete)
-take note of file locations so you can delete those later
-open registry values and correct any wrong values (or learn what to do here)
-open browser helper objects and delete anything suspect
-open downloaded program files and click “remove items”
-open services and cycle through different control sets and options. This is a good place to find some rootkits
-reset Winsock (it can't hurt, right?)
-open pending file rename operations and cycle through control sets
-open text files and check the hosts file and others
4) Manually look for malware files sorting by date and company name
-TIP: Some file explorers let you create Bookmarks for these locations. I use Explorer++ on my custom WinPE CD.
-root of C:\
-C:\Documents and Settings\user name\local settings
-C:\Documents and Settings\user name\application data
-C:\Users\user name\appdata
-don't forget to check "all users" and "public" as well
-C:\Program Files
-C:\Program Data
-C:\Windows
-C:\Windows\system32
-C:\Windows\system32\drivers
-C:\Windows\fonts
5) Copy tools from your USB stick onto the HDD.
-ComboFix, MBAM, Autoruns, other scanners, and whatever you use for tune ups.
-rename these files so they are less likely to be detected by malware.
-This is so you don't risk infecting your USB stick if there is still malware on the machine.
6) Reboot computer and see how things are.
-There should be no serious problems left.
-If there are, go back to step 2 and get some more practice.
-After some practice, you should be able to reach this point in 20 minutes or less.
7) Disable and then Enable system restore.
-this will delete restore points. But some malware will recreate themselves unless this is done
8) Run CCleaner or whatever temporary file cleaner you use.
-If it's a Vista machine, EzPcFix won't delete temp files correctly.
-Malware hides in temp files and also these files increase AV scan time.
-BTW, does anyone know of a good temp file cleaner that works with Vista and will run off a WinPE CD?
9) If you aren't confident that the infection is gone, or if it was a serious infection, run ComboFix.
10) Use AutoRuns to check start up entries.
11) Reset Internet Explorer settings to default.
12) Run scans with Malwarebytes or whatever AV software you want to cleanup whatever you happened to miss.
13) Proceed to tune up the computer with whatever method you use for that.
14) Create a System Restore point or possibly a complete image of the HDD.
I know this method isn't perfect. But I hope it's helpful for those wanting to learn manual removal and increase malware removal speeds. I don't fully understand everything in EzPcFix and also don't know every location I should be checking for malware files, but I've had good luck with the above locations. I would appreciate any tips or improvements you could suggest and I'll update this post accordingly.
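The offline checks in steps 3 and 4 above (Run keys, Winlogon values, BHOs, services across every control set, PendingFileRenameOperations, the hosts file) can be scripted so you get one triage list before deciding what to delete. The script below is an added example written for this page; it is not code from the original post and it is not EzPcFix. It assumes a WinPE session with PowerShell available, the offline system volume mounted as D:, a profile named "Alice", and that the hives are mounted under HKLM\OFF_SOFTWARE, HKLM\OFF_SYSTEM and HKLM\OFF_USER (all of these are assumptions for the example). It only reads and reports; deletions stay manual, as in the post.

```powershell
<#
 Added example, not from the original post or from EzPcFix: audit an offline
 Windows install's autostart locations and hosts file from a WinPE session.
 Assumptions (not from the post): the offline system volume is D:, the profile
 of interest is "Alice", and the hives are mounted as HKLM\OFF_*.
 XP keeps NTUSER.DAT under "Documents and Settings\<user>" instead of "Users\<user>".
#>
param(
    [string]$OfflineRoot = 'D:',
    [string]$UserName    = 'Alice'
)

$hives = @{
    OFF_SOFTWARE = Join-Path $OfflineRoot 'Windows\System32\config\SOFTWARE'
    OFF_SYSTEM   = Join-Path $OfflineRoot 'Windows\System32\config\SYSTEM'
    OFF_USER     = Join-Path $OfflineRoot "Users\$UserName\NTUSER.DAT"
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Where, [string]$Name, $Value) {
    $findings.Add([pscustomobject]@{ Where = $Where; Name = $Name; Value = "$Value" })
}
# Real values of a key, minus the PSPath/PSParentPath/... metadata the provider adds
function Get-RegValues([string]$Key) {
    if (-not (Test-Path $Key)) { return }
    (Get-ItemProperty -Path $Key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
}

try {
    # Mount the offline hives; the offline OS is not running, so nothing holds them open
    foreach ($h in $hives.GetEnumerator()) {
        & reg.exe load "HKLM\$($h.Key)" $h.Value | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Could not load $($h.Value) as HKLM\$($h.Key)" }
    }

    # 1) Run / RunOnce in the machine hive (incl. the 32-bit view on x64) and the user hive
    $runKeys = @(
        'HKLM:\OFF_SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\OFF_SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\OFF_SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\OFF_USER\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\OFF_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        foreach ($v in Get-RegValues $key) { Add-Finding 'Run key' "$key\$($v.Name)" $v.Value }
    }

    # 2) Winlogon Shell/Userinit: anything beyond explorer.exe / userinit.exe is suspect.
    #    The stock Userinit value ends in a trailing comma, so the pattern allows one.
    $winlogon = 'HKLM:\OFF_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = @{ Shell = 'explorer.exe'; Userinit = 'userinit.exe' }
    foreach ($v in Get-RegValues $winlogon | Where-Object { $expected.ContainsKey($_.Name) }) {
        $pattern = '^(.*\\)?' + [regex]::Escape($expected[$v.Name]) + ',?$'
        if ("$($v.Value)" -notmatch $pattern) { Add-Finding 'Winlogon' $v.Name $v.Value }
    }

    # 3) Browser Helper Objects, resolved from CLSID to the DLL that IE would load
    $bhoRoot = 'HKLM:\OFF_SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($bho in Get-ChildItem $bhoRoot -ErrorAction SilentlyContinue) {
        $srv = "HKLM:\OFF_SOFTWARE\Classes\CLSID\$($bho.PSChildName)\InprocServer32"
        $dll = (Get-ItemProperty $srv -ErrorAction SilentlyContinue).'(default)'
        Add-Finding 'BHO' $bho.PSChildName $dll
    }

    # 4) Every control set: services/drivers whose image is outside the usual system
    #    directories (a heuristic, not proof), and pending renames applied at next boot
    $systemDirs = '(?i)\\(windows|winnt|program files( \(x86\))?)\\|(^|\\)(system32|syswow64)\\'
    foreach ($cs in Get-ChildItem 'HKLM:\OFF_SYSTEM' | Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }) {
        $csPath = "HKLM:\OFF_SYSTEM\$($cs.PSChildName)"
        foreach ($svc in Get-ChildItem "$csPath\Services" -ErrorAction SilentlyContinue) {
            $img = (Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
            if ($img -and ("$img" -notmatch $systemDirs)) {
                Add-Finding "$($cs.PSChildName) service" $svc.PSChildName $img
            }
        }
        $pfro = (Get-ItemProperty "$csPath\Control\Session Manager" -ErrorAction SilentlyContinue).PendingFileRenameOperations
        if ($pfro) { Add-Finding "$($cs.PSChildName) PendingFileRenameOperations" '' ($pfro -join ' | ') }
    }

    # 5) hosts file: any active line other than the loopback localhost entries
    $hostsFile = Join-Path $OfflineRoot 'Windows\System32\drivers\etc\hosts'
    Get-Content $hostsFile -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*[^#\s]' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
        ForEach-Object { Add-Finding 'hosts' '' $_ }

    $findings | Format-Table -AutoSize -Wrap
}
finally {
    # Always unload, or the hives stay locked and the offline install may not boot cleanly
    foreach ($name in $hives.Keys) { & reg.exe unload "HKLM\$name" 2>&1 | Out-Null }
}
```

Two caveats: a custom WinPE needs the WinPE-PowerShell optional component for this to run, and UBCD4Win (BartPE, XP-based) does not ship PowerShell, so there you are back to EzPcFix or reg.exe by hand. The service check is a path heuristic and will list legitimate third-party services installed outside Program Files; treat the output as the "take note of file locations" list from step 3, then sort those directories by date and company name as in step 4 before deleting anything.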