Malware Removal Guide
Clean Adware, Rootkits, Spyware, Trojans, Viruses and Worms. Malware is short for malicious software. It is a general term that refers to any software or program code designed to infiltrate or damage a computer system without the owner's informed consent. This guide will show you how to remove these infections and protect yourself from future infections using free software.
FACT: 89% of consumer PCs are infected with spyware
Key
- Windows 2000
- Windows XP
OS Support - Only applications marked with your operating system's icon will work on your system
Legal Notice - Reproduction of this guide in whole or in part is strictly forbidden. This guide and ALL versions thereof are protected by copyright under the Digital Millennium Copyright Act (DMCA). Feel free to link to this Guide.
Step 1 - Cleanup
This first step will delete temporary and other unnecessary files from your harddrive to reduce scan times
CCleaner
- Download
- Home Page
CCleaner (Crap Cleaner) removes unused and temporary files from your system, including cleaning the registry.
Instructions - Download the Slim version and install. Go to the "Windows" tab, then select "Run Cleaner". Finally select the "Registry" button and "Scan for Issues"; when the scan finishes select "Fix Selected Issues", accept the prompt to back up the registry changes first, then "Fix All Selected Issues".
Installation Warning - Do not install the standard version of CCleaner which bundles the useless Yahoo Toolbar. Get the Slim version instead. If you accidentally do install it, simply use add/remove in the windows control panel to remove the Yahoo Toolbar.
Prefetch Cleaning Warning - The Advanced section has a performance-slowing option, "Old Prefetch data"; never select it, as cleaning the Prefetch folder increases application and Windows load times. Cleaning the Prefetch folder is a myth that actually hurts performance: Windows XP automatically trims this folder once it reaches 128 entries, back to the 32 most used prefetch files. Anyone who claims it should be cleaned for ANY reason does not understand how Windows prefetching works.
- Source
CleanUp!
- Download
- Home Page
CleanUp! removes unused and temporary files from your system from all user accounts.
Instructions - Download and install. Select the "Options" button, uncheck "Delete Prefetch files" and then "OK". Next select the "CleanUp!" button and when it is finished select the "Close" button and then "Yes" to logoff and reboot your system.
Step 2 - Scan and Clean
This second step will clean your system of Malware
Rogue/Suspect Anti-Spyware Products & Web Sites - The Malware removal market is flooded with bogus scanners, some of which closely resemble legitimate programs like Spybot Search and Destroy. These rogue programs can produce false positives, leave actual Malware installed or, worse, install Malware themselves. I strongly recommend only using the following programs and uninstalling any other scanners you may have tried.
Clean and Infected File Sharing Programs - Microsoft Windows Defender will detect numerous Peer to Peer programs as Malware. If you are 100% positive you are using a non Malware infected file sharing program select ignore on these entries. Use this list to be sure.
Cookies are not Spyware - Certain cookies can pose privacy concerns, and removing them does no harm if you wish to. The point is that finding many of them after a standard scan does not mean you are infected with Malware.
Trend Micro Sysclean Package
- Download
+ Virus Pattern File
+ Spyware Pattern File
- Home Page
Trend Micro Sysclean Package is a stand-alone fix package that incorporates the Trend Micro Malware and Spyware scanning engines as well as the Trend Micro Damage Cleanup Engine. This tool will terminate all detected malware/spyware instances in memory, remove malware/spyware registry entries, remove malware/spyware entries from system files, scan for and delete all detected malware/spyware copies in all local drives.
Instructions - Download the Sysclean Package (the program file sysclean.com, not a web address), the latest Virus Pattern File lptXXX.zip and the latest Spyware Pattern File ssapiptnXXX.zip (Ssapiptn.Da5). Create a folder on your C: drive (C:\Sysclean), download all files to this folder and unzip the "lptXXX.zip" and "ssapiptnXXX.zip" pattern files into it. Run "sysclean.com", check "Automatically clean or delete detected files" and "Enable Spyware Scan", then left-click "Scan". Hard-to-remove Malware requires a more thorough scan: reboot into Safe Mode by holding the F8 key during boot-up and selecting "Safe Mode" from the Windows Advanced Options menu, then run another Sysclean scan in Safe Mode and remove the remaining infections.
Notes - The Pattern File is updated daily, so make sure you are using the latest Pattern File(s). Whenever Malware is detected that your AntiVirus program or an online virus scanner is unable to clean, re-download the latest Pattern File so that Sysclean can properly remove it. A larger number in the file name (lptXXX.zip, ssapiptnXXX.zip) means a newer Pattern File. Controlled Pattern Releases (CPR) offer better detection since they are updated more frequently than the regular Pattern File.
Troubleshooting - This is what the folder and files should look like before you begin scanning:
- Sysclean Folder Image (Pattern File(s) number will change)
False Positive Warning - If you run the Sysclean Package after Avast! is installed, Avast! will falsely detect the sysclean.com file as infected with VBS:Redlof. This is because the Sysclean Package's cleaning database is not encrypted, so the code line in the database used to detect VBS:Redlof is itself detected as the virus. Other AntiVirus programs may give the same false alarm. Temporarily disable Avast! or your AntiVirus program before running the Sysclean Package, and re-enable it as soon as the scan is finished.
Spybot - Search and Destroy
- Download
- Home Page
- Forums
Spybot - Search and Destroy detects and removes spyware, a relatively new kind of threat not yet covered by common anti-virus applications. Spyware silently tracks your surfing behavior to create a marketing profile for you that is transmitted without your knowledge to the compilers and sold to advertising companies.
Instructions - Install Spybot (do not install the TeaTimer or SDHelper), select "Update", "Search For Updates", "Search", check the box next to each update and select "Download Updates". When this is finished go to "Settings", "Ignore products", "All products" tab, right-click on "Product" and left-click "Deselect all" so that nothing is excluded from the scan. Finally select "Search and Destroy", "Check for problems" and, after scanning is complete, "Fix selected problems". Hard-to-remove Malware requires a more thorough scan: reboot into Safe Mode by holding the F8 key during boot-up and selecting "Safe Mode" from the Windows Advanced Options menu, then run another Spybot scan in Safe Mode and remove the remaining infections.
Advanced - For better detection but at the risk of false positives you can enable Beta updates: Go to "Mode" - "Advanced Mode", "Settings" - "Settings", "Web update" and check "Display available beta versions". Then run through the update steps again and run another scan.
Notes - The TeaTimer is a resident tool which perpetually monitors the processes called/initiated and changes to some critical registry keys. This is redundant to Windows Defender's superior and less intrusive real-time protection. The Immunization feature will cause IE8 to load slowly. (Microsoft)
Microsoft Windows Defender
- Download
- Download (Alt)
- Home Page
Windows Defender is software that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software by detecting and removing known spyware from your computer. Windows Defender features Real-Time Protection, a monitoring system that recommends actions against spyware when it's detected, minimizes interruptions, and helps you stay productive.
Instructions - All updates arrive through Windows Update and are automatic. Select "Scan Options", then "Full Scan". Hard-to-remove Malware requires a more thorough scan: reboot into Safe Mode by holding the F8 key during boot-up and selecting "Safe Mode" from the Windows Advanced Options menu, then run another scan in Safe Mode and remove the remaining infections.
Trend Micro RootkitBuster
- Download
- Home Page
Trend Micro RootkitBuster is a rootkit scanner that scans hidden files, registry entries, processes, drivers, and Master Boot Record (MBR) Rootkits. In addition, RootkitBuster can also clean hidden files and registry entries.
Instructions - Download, unzip and run. Check all boxes and then select "Scan". Review what it finds before deleting anything: some legitimate software (certain anti-virus and CD-emulation drivers, for example) hides its own files and registry entries and will appear in the results. Delete the items you have confirmed are Malware, reboot, and run it again to confirm you are clean.
Once you have completely cleaned your system, if you were infected with any key loggers, immediately change ALL passwords you have typed on that computer, and do so from a different, known-clean computer where possible.
Step 3 - Protection
This third step will protect you from future infection
Avira AntiVir Personal
- Download
- Home Page
- Disable Popup
- Disable Splash Screen
Avira AntiVir Personal is a German made, comprehensive, easy to use antivirus program, designed to offer reliable free of charge virus protection to home-users with a 99.7% Malware Detection Rate.
Microsoft Windows Defender
(This is already installed from Step 2)
When you installed Windows Defender the real-time protection is automatically activated.
Microsoft Java Virtual Machine v1.1.4 Removal Tool
- Download
+ Registry Fix
- Home Page
Certain auto-installing Malware exploits Microsoft's discontinued Java Virtual Machine v1.1.4 (Build 5.0.3810); infection occurs simply by browsing the wrong website, and there are no patches from Microsoft to fix this. To protect yourself uninstall MSJVM using this tool. Under NO circumstances should MSJVM be installed or used.
Instructions - Run the MSJVM Removal Tool, then the Registry Fix and finally install Sun's JVM.
Notes - The Registry Fix is necessary since the MSJVM Removal Tool does not delete a registry key that Windows uses to properly identify what version of Java is installed. Sun's JVM installer does not overwrite this key but will create it if it does not exist. Windows XP SP1a and SP2 will uninstall MSJVM. However, it will not hurt to do this since it is possible for an application or person to reinstall MSJVM on top of SP1a and SP2.
Sun Java Virtual Machine
- Download
- Home Page
- Test Page
Sun's JVM is not vulnerable to the MSJVM exploits, and its sandbox is designed to keep applet code from executing outside the Java Virtual Machine; unlike MSJVM it is still maintained, so flaws found in it get patched, which is why you should keep it updated. The Java Virtual Machine is only one aspect of Java software that is involved in web interaction. The Java Virtual Machine is built right into your Java software download, and helps the Sun JRE run Java applications. Requires Windows 2000 SP4 or Windows XP SP1, and IE v5.5+, Mozilla v1.4+ or Firefox v1.0+.
Instructions - Download, Install and then use the Test Page to confirm it is installed properly. If the test page does not work you may need to run the Registry fix. If the Registry Fix is run after Sun's JVM is already installed you will need to go to the "Control Panel", "Add or Remove Programs" and uninstall all instances of the J2SE Runtime Environment (Sun's JVM) and then reinstall Sun's JVM again.
Windows Update
- Home Page
Installing security updates is critical so that you do not get infected again. Confirm that your system is 100% clean before proceeding.
Instructions - Install All Critical Updates. This may have to be run multiple times. Run it over again until it says 0 Critical Updates available. You may also need to reboot.
Notes - Windows Update requires the following services be enabled:
- Automatic Updates - Automatic
- Background Intelligent Transfer Service - Manual or Automatic
Windows XP Firewall
- Home Page
Windows XP comes with a built-in firewall and installing SP2 automatically enables it. SP2 includes significant security enhancements to the original Windows XP Firewall such as boot time protection. Confirm that it is enabled.
Instructions - Go to "Start", "Settings", "Control Panel", "Windows Firewall", select "On (recommended)". In the exceptions tab uncheck all of them unless you are sharing Files or Printers, then leave "File and Printer Sharing" enabled.
Notes - The Windows XP Firewall is more than sufficient for most users, with full inbound protection. In Windows XP there is no way to guarantee 100% outbound protection once your system is compromised, because Malware running with your privileges can disable or bypass any outbound filter.
- At Least This Snake Oil Is Free (Jesper Johansson, Ph.D. Management Information Systems)
- Windows Firewall: the best new security feature in Vista? (Jesper Johansson, Ph.D. Management Information Systems)
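The Windows Update service requirements and the firewall settings above can be checked and applied from a command prompt instead of clicking through the Control Panel, which is handy when you are cleaning several machines. The following batch file is an added example and is not part of the original guide or of any of the tools it recommends. It assumes Windows XP SP2 or later and an Administrator account; the service names (wuauserv = Automatic Updates, BITS = Background Intelligent Transfer Service) and the "netsh firewall" context are the real ones, but "netsh firewall" does not exist on Windows 2000, which has no built-in firewall.

```batch
@echo off
rem Added example, not from the original guide: verify the Step 3 settings from a
rem Windows XP SP2+ command prompt. Assumes an Administrator account.
rem "start= auto" needs the space after the equals sign; that is how sc.exe parses it.

echo === Windows Update services ===
rem Automatic Updates must start automatically; BITS may be Manual (demand) or Automatic
sc config wuauserv start= auto >nul
sc config BITS start= demand >nul
rem Start Automatic Updates now if it is not already running
sc query wuauserv | find "RUNNING" >nul || net start wuauserv
sc query wuauserv | find "STATE"
sc query BITS | find "STATE"

echo === Windows XP Firewall (SP2 netsh firewall context) ===
rem Turn the firewall on; exceptions=enable keeps the Exceptions tab honoured rather than
rem blocking everything, which matches the "On (recommended)" setting in the Control Panel
netsh firewall set opmode mode=enable exceptions=enable
rem Close the File and Printer Sharing exception unless you actually share files or printers
netsh firewall set service type=fileandprint mode=disable
rem Show the result; "Operational mode = Enable" is what you want to see
netsh firewall show state
netsh firewall show config
```

If you do share files or printers on the local network, drop the "set service" line, or use mode=enable with scope=subnet so the exception is limited to your own subnet rather than the whole Internet.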
When Step 3 is completed you will only have two applications running all the time:
1. An Anti-Virus Program (Avira)
2. Microsoft Windows Defender
Advanced Cleaning
SmitFraudFix
- Download
- Home Page
SmitFraudFix is an advanced malware removal tool for difficult to remove infections like Smitfraud, SpyAxe, SpySheriff and many more.
Trend Micro CWShredder
- Download
- Home Page
Trend Micro CWShredder is the premier tool to find and remove traces of CoolWebSearch, the name for a wide range of insidious browser hijackers, from your PC.
VundoFix
- Download
- Home Page
VundoFix is a freeware removal tool for many of the known variants of Trojan.Vundo, Trojan.Conhook and other similar infections.
Advanced Detection
Autoruns
- Download
- Home Page
"Utility to display and control startup applications. A much more powerful msconfig type program."
- Startup Applications List (Sysinfo.org)
- Startup Programs Database (Bleeping Computer)
HijackThis
- Download
- Home Page
- Tutorial
"A general homepage hijackers detector and remover."
- Online Log Analyzer (HijackThis.de)
- The Overuse of HijackThis (Popular Technology)
Process Explorer
- Download
- Home Page
"Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more. This uniquely powerful utility will even show you who owns each process."
Process Monitor
- Download
- Home Page
"An advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements."
RootkitRevealer
- Download
- Home Page
"RootkitRevealer is an advanced patent-pending rootkit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit."
TCPView
- Download
- Home Page
"An advanced monitoring utility that will show you detailed listings of all open TCP and UDP ports on your system, including the local and remote addresses and the connection state. On Windows 2000 and XP, TCPView also reports the name of the process that owns the open port."
- Port Authority Database (GRC)
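Autoruns and TCPView are the right tools for the job, but it is useful to keep a plain-text snapshot of the same two things (autostart entries and listening ports with their owning processes) taken with programs built into Windows, so that it can be saved before cleaning and compared afterwards. The batch file below is an added example, not part of the original guide or of the Sysinternals tools. It assumes Windows XP Professional (tasklist.exe is not included in XP Home) and an Administrator account; the registry keys are the standard Run/RunOnce and Winlogon locations, and the output file name is an arbitrary choice.

```batch
@echo off
rem Added example, not from the original guide: text snapshot of autostart entries and
rem listening ports with owning processes, using reg.exe, netstat and tasklist (XP Pro).
set OUT=%SystemDrive%\snapshot.txt

echo === Autostart Run keys === > "%OUT%"
rem The per-machine and per-user autostart locations that Autoruns lists first
for %%K in (
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
  "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
  "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
  "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
) do reg query %%K >> "%OUT%" 2>&1

echo === Winlogon Shell / Userinit (common hijack targets) === >> "%OUT%"
rem Expected values are explorer.exe and C:\WINDOWS\system32\userinit.exe, (with comma)
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell >> "%OUT%"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit >> "%OUT%"

echo === Listening TCP ports with owning process === >> "%OUT%"
rem netstat -o (XP and later, not Windows 2000) prints the PID in column 5;
rem tasklist maps each PID back to an image name. %%A = local address:port, %%B = PID
for /f "tokens=2,5" %%A in ('netstat -ano ^| findstr /c:"LISTENING"') do (
  for /f "tokens=1 delims=," %%P in ('tasklist /fi "PID eq %%B" /fo csv /nh') do (
    echo %%A  PID %%B  %%~P >> "%OUT%"
  )
)

echo === Running processes and the services they host === >> "%OUT%"
rem Several malware families hide inside svchost.exe; /svc shows which services each one hosts
tasklist /svc >> "%OUT%"
notepad "%OUT%"
```

Run it once before Step 2 and once after; any Run entry, Winlogon value or listening port that is new or unexplained can then be looked up in the startup databases and the GRC port database linked above before you decide whether it belongs.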
Advanced Repair
Dial-a-fix
- Download
- Home Page
"An advanced utility for Microsoft Windows that repairs various Windows problems, such as: Windows Update, Windows Installer, Permissions and more."
Windows XP Security Console
- Download
- Home Page
"Windows XP Security Console allows you to assign various restrictions to specific users, whether you're running XP Pro or XP Home. XP Home leaves you completely without the Group Policy Editor, while XP Pro lacks the ability to use the Group Policy Editor to selectively apply policies to specific users."
End
This guide will be revised as needed. Comments: OptimizeXP@comcast.net. Do not send Technical Support Questions. While there are many other applications to clean and protect your system from Malware, the ones recommended here are based on extensive real-world use on thousands of systems.
I am well aware of these programs and many others; please do not submit them:
A-Squared
ATF Cleaner
avast! Virus Cleaner
AVG Anti-Rootkit
AVG Anti-Spyware
AVG Anti-Virus
Avira AntiVir
BitDefender Online Scanner
CA eTrust AntiVirus Scanner
CA eTrust PestPatrol
CA eTrust PestScan
ClamWin AntiVirus
Comodo BOClean
Comodo Free Firewall
Drop My Rights
F-Secure BlackLight
F-Secure Online Scanner
Javacool SpywareGuard
Hitman Pro
Kaspersky Online Scanner
Lavasoft Ad-Aware
Panda ActiveScan
Panda QuickRemover
Panda NanoScan
Panda TotalScan
PC Tools Spyware Doctor
Malwarebytes Anti-malware
McAfee Avert Stinger
McAfee FreeScan
Norton Security Scan
Runscanner
Sandboxie
Spyware Doctor Starter Edition
Spyware Terminator
SUPERAntiSpyware
Sunbelt CounterSpy
Symantec Security Check
The Cleaner
ThreatFire AntiVirus
TrojanScan
Webroot Spy Sweeper
Windows Live OneCare Safety Scanner
ZoneAlarm Spyware Scanner
www.FirefoxMyths.com
www.OptimizeGuides.com