Malware Removal 1-2-3 Guide
Malware is short for "Malicious Software": a general term for any program or code designed to infiltrate or damage a computer system without the owner's informed consent. This includes Viruses, Worms, Trojans, Spyware, Adware and Rootkits. This three-step guide shows you how to remove these infections and protect yourself against future ones using only free software.
FACT: 89% of consumer PCs are infected with spyware
OS Support
Windows 2000
Windows XP
Legal Notice - Reproduction of this guide in whole or in part is strictly forbidden. This guide and ALL versions thereof are protected by copyright under the Digital Millennium Copyright Act (DMCA). Feel free to link to this Guide.
Step 1 - Cleanup
This first step deletes temporary and other unnecessary files from your hard drive so that the scans in Step 2 run faster.
Disk Cleanup
- Home Page
Disk Cleanup removes unused and temporary files from your system and compresses old files to save disk space.
Instructions - Go to "Start", "All Programs", "Accessories", "System Tools", and select "Disk Cleanup". Under the "Disk Cleanup" tab check all the boxes except "Compress old files" and "Catalog files for the Content Indexer", then select "OK" and "Yes" to perform these actions.
CCleaner
- Download
- Home Page
CCleaner (Crap Cleaner) removes unused and temporary files from your system, including cleaning the registry.
Instructions - Download the Slim version and install it. On the "Windows" tab select "Run Cleaner". Then select the "Registry" button and "Scan for Issues"; when the scan finishes select "Fix Selected Issues", accept the offer to back up the registry (so the changes can be undone if a program stops working), then "Fix All Selected Issues".
Installation Warning - The latest Standard version of CCleaner bundles the Yahoo Toolbar. Do not install it; get the Slim version instead. If you install it by accident, remove the Yahoo Toolbar with Add/Remove Programs in the Windows Control Panel.
Prefetch Cleaning Warning - The Advanced section has a performance-slowing cleaning option, "Old Prefetch data"; never select it, as it increases application and Windows load times. Cleaning the Prefetch folder is a myth that actually hurts performance: Windows XP manages the folder itself, pruning it back to the 32 most-used prefetch files once it reaches 128 entries. Anyone who claims this folder should be cleaned for ANY reason does not understand how Windows prefetching works.
- Source
CleanUp!
- Download
- Home Page
CleanUp! removes unused and temporary files from your system from all user accounts.
Instructions - Download and install. Select the "Options" button, uncheck "Delete Prefetch files" and then "OK". Next select the "CleanUp!" button and when it is finished select the "Close" button and then "Yes" to logoff and reboot your system.
Step 2 - Scan and Clean
This second step will clean your system of Malware.
Rogue/Suspect Anti-Spyware Products & Web Sites - The Malware removal market is flooded with bogus scanners, some of which closely resemble legitimate programs such as Spybot Search and Destroy. These rogue programs can produce false positives, leave actual Malware installed or, worse, install Malware themselves. I strongly recommend using only the following programs and uninstalling any other scanners you may have tried.
Clean and Infected File Sharing Programs - Microsoft Windows Defender detects numerous peer-to-peer programs as Malware. If you are 100% positive that your file-sharing program is not bundled with Malware, select ignore on these entries. Use this list to be sure.
Cookies are not Spyware - Certain cookies can pose privacy concerns, and removing them does no harm if you wish to. The point is that finding many of them after a standard scan is no reason to conclude that you are infected with Malware.
Trend Micro HouseCall
- Home Page
"Trend Micro HouseCall is an application for checking whether your computer has been infected by Viruses, Spyware, or other Malware. HouseCall performs additional security checks to identify and fix vulnerabilities to prevent reinfection."
Instructions - Using Internet Explorer, select "Scan Now. It's Free!", check "Yes, I accept the Terms of Use" and then select "Launching HouseCall". Next select "Browser Plug-in" and "Starting HouseCall", then follow the instructions to scan and clean your system. Run this even if you have an AntiVirus program installed; if you do not, Avast! AntiVirus is completely free.
Trend Micro Sysclean Package
- Download
+ Virus Pattern File
+ Spyware Pattern File
- Home Page
"A free tool addressing a wide variety of system infections rather than a specific Malware infection."
Instructions - Download the Sysclean Package (sysclean.com), the latest Virus Pattern File (lptXXX.zip) and the latest Spyware Pattern File (ssapiptnXXX.zip (Ssapiptn.Da5)). Create a folder on your C: drive (C:\Sysclean), download all three files into it and unzip "lptXXX.zip" and "ssapiptnXXX.zip" in that folder. Run "sysclean.com", check "Automatically clean or delete detected files" and "Enable Spyware Scan", then left-click "Scan". Tough-to-remove Malware requires a more thorough scan: reboot into Safe Mode by tapping F8 during boot-up and selecting "Safe Mode" from the Windows Advanced Options menu, then run another Sysclean scan there and remove the remaining infections.
Notes - The Pattern Files are updated daily, so make sure you are using the latest ones. Whenever Malware is detected that your AntiVirus program or the Online Virus Scanner cannot clean, re-download the latest Pattern File(s) so that Sysclean can remove it properly. A larger number in the filename (lptXXX.zip, ssapiptnXXX.zip) means a newer Pattern File. Controlled Pattern Releases offer better detection since they are updated more frequently.
Troubleshooting - This is what the folder and files should look like before you begin scanning:
- Sysclean Folder Image (Pattern File number will change)
False Positive - If you run the Sysclean Package after Avast! is installed, Avast! will falsely detect sysclean.com as infected with VBS:Redlof. The Sysclean Package's cleaning database is not encrypted, so the line in the database used to detect VBS:Redlof is itself detected as the Virus. Other AntiVirus programs may raise the same false alarm. Temporarily disable Avast! or your AntiVirus program before running the Sysclean Package, and re-enable it as soon as the scan finishes.
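The two rules in the Sysclean notes above (a larger number means a newer Pattern File; the patterns change daily, so a copy from a few days ago is already stale) are easy to get wrong by eye when several zips sit in C:\Sysclean. The script below is an added example, not part of this guide or of any Trend Micro tool: it takes a folder listing, picks the highest-numbered lptXXX.zip and ssapiptnXXX.zip, warns when the newest copy is more than a day old and flags older copies that should be deleted. The folder listing, timestamps and pattern numbers are constructed sample data, and the one-day freshness limit is an assumption taken from the "updated daily" note. It runs on any machine with Python 3.

```python
"""Pick the newest Trend Micro pattern files staged next to sysclean.com.

Added example, not part of the original guide or any Trend Micro tool. It
applies the guide's rule that a larger number in lptXXX.zip / ssapiptnXXX.zip
means a newer pattern, warns when the newest copy is more than a day old (the
patterns are refreshed daily) and flags older copies left in the folder.
The folder listing and timestamps below are constructed sample data.
"""
import os
import re
from datetime import datetime, timedelta

PATTERN_RE = re.compile(r"^(?P<family>lpt|ssapiptn)(?P<num>\d+)\.zip$", re.IGNORECASE)
FAMILIES = {"lpt": "Virus Pattern File", "ssapiptn": "Spyware Pattern File"}
MAX_AGE = timedelta(days=1)  # assumption: anything older than the daily refresh is stale


def group_patterns(entries):
    """entries: iterable of (filename, mtime). Returns {family: [(num, name, mtime), ...]}
    sorted highest number first; files that are not pattern zips are ignored."""
    groups = {}
    for name, mtime in entries:
        m = PATTERN_RE.match(name)
        if m:
            groups.setdefault(m.group("family").lower(), []).append(
                (int(m.group("num")), name, mtime))
    return {fam: sorted(items, reverse=True) for fam, items in groups.items()}


def newest_patterns(entries):
    """{family: filename} of the highest-numbered zip per family."""
    return {fam: items[0][1] for fam, items in group_patterns(entries).items()}


def check_staging(entries, now):
    """Return human-readable problems with the staging folder (empty list = ready to scan)."""
    problems = []
    if "sysclean.com" not in {name.lower() for name, _ in entries}:
        problems.append("sysclean.com is missing")
    groups = group_patterns(entries)
    for fam, label in FAMILIES.items():
        if fam not in groups:
            problems.append(f"no {label} ({fam}XXX.zip) found")
            continue
        num, name, mtime = groups[fam][0]
        if now - mtime > MAX_AGE:
            problems.append(f"{name} is {(now - mtime).days} day(s) old; download the latest {label}")
        older = [n for _, n, _ in groups[fam][1:]]
        if older:  # an old copy next to the new one makes it unclear which was loaded
            problems.append(f"delete the older {label}(s): {', '.join(older)}")
    return problems


def scan_folder(path):
    """Real-folder wrapper: build the (name, mtime) list from e.g. C:\\Sysclean."""
    with os.scandir(path) as it:
        return [(e.name, datetime.fromtimestamp(e.stat().st_mtime)) for e in it if e.is_file()]


NOW = datetime(2007, 6, 1, 12, 0)  # constructed "current" time for the sample run
SAMPLE = [  # constructed folder listing; the numbers do not refer to real releases
    ("sysclean.com", NOW - timedelta(days=3)),
    ("lpt541.zip", NOW - timedelta(days=2)),
    ("lpt542.zip", NOW - timedelta(hours=3)),
    ("ssapiptn178.zip", NOW - timedelta(days=2)),
]

if __name__ == "__main__":
    for problem in check_staging(SAMPLE, NOW) or ["folder is ready; run sysclean.com"]:
        print(problem)
```

Against a real staging folder, call `check_staging(scan_folder(r"C:\Sysclean"), datetime.now())`; an empty list means the folder matches the layout the Troubleshooting image shows and the patterns are current.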
Spybot - Search and Destroy
- Download
- Home Page
- Forums
Application to scan and remove Spyware, Adware, hijackers and other malicious software.
Instructions - Install Spybot (do not install the TeaTimer), select "Update", "Search For Updates", "Search", check the box next to each update and select "Download Updates". When this is finished go to "Settings", "Ignore products", the "All products" tab, right-click on "Product" and left-click "Deselect all". Finally select "Search and Destroy", "Check for problems" and, after scanning is complete, "Fix selected problems". Tough-to-remove Malware requires a more thorough scan: reboot into Safe Mode by tapping F8 during boot-up and selecting "Safe Mode" from the Windows Advanced Options menu, then run another Spybot scan there and remove the remaining infections.
Advanced - For better detection but at the risk of false positives you can enable Beta updates: Go to "Mode" - "Advanced Mode", "Settings" - "Settings", "Web update" and check "Display available beta versions". Then run through the update steps again and run another scan.
Notes - The TeaTimer is a resident tool that perpetually monitors the processes being started and changes to certain critical registry keys. This is redundant with Windows Defender's superior and less intrusive real-time protection.
Microsoft Windows Defender
- Download
- Download (Alt)
- Home Page
- Forums
"Microsoft Windows Defender (Formerly Microsoft AntiSpyware) is a free program that helps protect your computer against security threats caused by Spyware and other unwanted software. It features real-time protection, a monitoring system that recommends actions against Spyware when it's detected."
Instructions - All updates arrive automatically through Windows Update. Select "Scan Options", then "Full Scan". Tough-to-remove Malware requires a more thorough scan: reboot into Safe Mode by tapping F8 during boot-up and selecting "Safe Mode" from the Windows Advanced Options menu, then run another Windows Defender scan there and remove the remaining infections.
Trend Micro RootkitBuster
- Download
"Trend Micro RootkitBuster is a rootkit scanner that offers the ability to scan for hidden files, registry entries, processes, drivers and hooked system services. It also includes cleaning capability for hidden files and registry entries."
Instructions - Download, unzip and run. Check all boxes and then select "Scan". Delete any items it finds and run it again to confirm you are clean.
Notes - Once your system is completely clean, if it was infected with any key loggers you must immediately change ALL the passwords you have typed on that computer, preferably from a different, known-clean machine.
Step 3 - Protection
This third step will protect you from future infection.
Windows Update
- Home Page
Installing security updates is critical so that you do not get infected again. Confirm that your system is 100% clean before proceeding.
Instructions - Install all Critical Updates. This may take several passes: reboot when asked and run Windows Update again until it reports 0 Critical Updates available.
Notes - Windows Update requires the following services be enabled:
- Automatic Updates - Automatic
- Background Intelligent Transfer Service - Manual or Automatic
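Malware that disables Windows Update typically does it by changing these two services' startup types, so it is worth checking them from a script rather than by clicking through services.msc. The script below is an added example, not part of this guide: it parses the START_TYPE line of the built-in `sc qc <service>` output and applies the rule above (Automatic Updates, service name wuauserv, must be Automatic; Background Intelligent Transfer Service, service name BITS, may be Manual or Automatic). The two captures are constructed sample output in the layout `sc qc` prints; the one in which BITS is disabled is there to show a failing check. It runs on any machine with Python 3.7 or later, and `query_live()` only does anything on a real Windows box.

```python
"""Check that the two services Windows Update depends on are set to start.

Added example, not part of the original guide. It parses the output of the
built-in `sc qc <service>` command (the START_TYPE line) and applies the
guide's requirement: Automatic Updates (wuauserv) must be Automatic, and
Background Intelligent Transfer Service (BITS) may be Manual or Automatic.
The two captures below are constructed sample output.
"""
import re
import subprocess

START_TYPES = {2: "AUTO_START", 3: "DEMAND_START", 4: "DISABLED"}
# service name -> allowed numeric START_TYPE values (from the guide's list)
REQUIRED = {"wuauserv": {2}, "BITS": {2, 3}}


def parse_start_type(sc_output):
    """Return the numeric START_TYPE from `sc qc` output, or None if it is absent."""
    m = re.search(r"START_TYPE\s*:\s*(\d+)", sc_output)
    return int(m.group(1)) if m else None


def check_services(outputs):
    """outputs: {service name: sc qc text}. Returns a list of problems (empty = OK)."""
    problems = []
    for svc, allowed in REQUIRED.items():
        start = parse_start_type(outputs.get(svc, ""))
        if start is None:
            problems.append(f"{svc}: could not read START_TYPE (service missing?)")
        elif start not in allowed:
            want = " or ".join(START_TYPES[v] for v in sorted(allowed))
            problems.append(f"{svc}: start type is {START_TYPES.get(start, start)}, must be {want}")
    return problems


def query_live():
    """Run sc qc for each service on a real Windows box (not used by the sample run)."""
    return {svc: subprocess.run(["sc", "qc", svc], capture_output=True, text=True).stdout
            for svc in REQUIRED}


# Constructed sample captures in the layout sc qc prints on XP; BITS is disabled here on purpose.
SAMPLE = {
    "wuauserv": (
        "[SC] QueryServiceConfig SUCCESS\n\n"
        "SERVICE_NAME: wuauserv\n"
        "        TYPE               : 20  WIN32_SHARE_PROCESS\n"
        "        START_TYPE         : 2   AUTO_START\n"
        "        ERROR_CONTROL      : 1   NORMAL\n"
        "        BINARY_PATH_NAME   : C:\\WINDOWS\\system32\\svchost.exe -k netsvcs\n"
        "        DISPLAY_NAME       : Automatic Updates\n"
    ),
    "BITS": (
        "[SC] QueryServiceConfig SUCCESS\n\n"
        "SERVICE_NAME: BITS\n"
        "        TYPE               : 20  WIN32_SHARE_PROCESS\n"
        "        START_TYPE         : 4   DISABLED\n"
        "        ERROR_CONTROL      : 1   NORMAL\n"
        "        DISPLAY_NAME       : Background Intelligent Transfer Service\n"
    ),
}

if __name__ == "__main__":
    for line in check_services(SAMPLE) or ["Windows Update services are configured correctly"]:
        print(line)
```

When a check fails, the fix is the matching `sc config <service> start= auto` (or `start= demand` for BITS; the space after `start=` is required), followed by `net start <service>`; then run Windows Update again.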
Windows XP Firewall
- Home Page
Windows XP comes with a built-in firewall, and installing SP2 enables it automatically. SP2 also adds significant security enhancements to the original Windows XP firewall, such as protection during boot. Confirm that it is enabled.
Instructions - Go to "Start", "Settings", "Control Panel", "Windows Firewall", select "On (recommended)". In the exceptions tab uncheck all of them unless you are sharing Files or Printers, then leave "File and Printer Sharing" enabled.
Notes - The Windows XP Firewall is more than sufficient for most users, with full inbound protection. In Windows XP there is no way to guarantee 100% outbound protection once your system is compromised, so do not count on outbound filtering to contain Malware that is already running.
- Source
- Source 2
Avast! Home Edition
- Download
- Home Page
- Register
A free AntiVirus program for those who do not already own a commercial one such as Trend Micro's PC-Cillin, McAfee or Norton AntiVirus. Avast! Home Edition includes full virus protection in an easy-to-use interface with free automatic updating (e-mail registration is required). If you are currently using a commercial AntiVirus program, do not install this; confirm instead that yours is updated. Never run two real-time AntiVirus programs at once.
Avast! Home Edition Features:
- Real-time Protection
- Automatic Updates
- Boot-time Scan
- Peer-to-Peer (file sharing) Protection
- Instant Messaging Protection
Spybot - Search and Destroy
- (This should already be installed from Step 2)
Instructions - Select "Immunize", uncheck Windows - "Global (Hosts)" and then click the "Immunize" button.
SpywareBlaster
- Download
- Home Page
Application to prevent the installation of Malware in Internet Explorer and Firefox.
Instructions - Install, select "Updates", "Check for Updates". Then select "Protection" and finally "Enable All Protection".
Microsoft Windows Defender
- (This should already be installed from Step 2)
Notes - When Windows Defender is installed, its real-time protection is enabled automatically.
Microsoft Java Virtual Machine v1.1.4 Removal Tool
- Download
+ Registry Fix
- Home Page
Certain auto-installing Malware exploits Microsoft's discontinued Java Virtual Machine v1.1.4 (Build 5.0.3810); infection occurs simply by browsing the wrong website, and Microsoft has released no patches to fix this. To protect yourself, uninstall MSJVM using this tool. Under NO circumstances should MSJVM be installed or used.
Instructions - Run the MSJVM Removal Tool, then the Registry Fix and finally install Sun's JVM.
Notes - The Registry Fix is necessary since the MSJVM Removal Tool does not delete a registry key that Windows uses to properly identify what version of Java is installed. Sun's JVM installer does not overwrite this key but will create it if it does not exist. Windows XP SP1a and SP2 will uninstall MSJVM. However, it will not hurt to do this since it is possible for an application or person to reinstall MSJVM on top of SP1a and SP2.
Sun Java Virtual Machine
- Download
- Home Page
- Test Page
Sun's JVM is not affected by these exploits; it was designed specifically not to allow code execution outside the Java Virtual Machine's sandbox. Like any browser plug-in it still receives its own security updates, so keep it current. The Java Virtual Machine is only one part of the Java software involved in web browsing: it is built into the Java download and runs Java applications for the Sun JRE. Requires Windows 2000 SP4 or Windows XP SP1, and IE v5.5+, Mozilla v1.4+ or Firefox v1.0+.
Instructions - Download, Install and then use the Test Page to confirm it is installed properly. If the test page does not work you may need to run the Registry fix. If the Registry Fix is run after Sun's JVM is already installed you will need to go to the "Control Panel", "Add or Remove Programs" and uninstall all instances of the J2SE Runtime Environment (Sun's JVM) and then reinstall Sun's JVM again.
When Step 3 is completed you will only have two applications running all the time:
1. An Anti-Virus Program (Avast)
2. Microsoft Windows Defender
Advanced Cleaning
With certain tough to remove Malware you may need to use an advanced cleaner.
CWShredder 2.x
- Download
- Home Page
"Trend Micro CWShredder is the premier tool to find and remove traces of CoolWebSearch, the name for a wide range of insidious browser hijackers from your PC."
SmitFraudFix
- Download
- Home Page
"An advanced Malware removal tool for difficult to remove infections like Smitfraud, SpyAxe, SpySheriff and many more..."
VundoFix
- Download
- Home Page
"VundoFix.exe is a removal tool developed to remove Virtumonde infections."
Advanced Detection
Autoruns
- Download
- Home Page
"Utility to display and control startup applications. A much more powerful msconfig-type program."
HijackThis
- Download
- Home Page
- Tutorial
- Online Log Analyzer
- The Overuse of HijackThis
"A general homepage hijackers detector and remover."
Process Explorer
- Download
- Home Page
"Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more. This uniquely powerful utility will even show you who owns each process."
Process Monitor
- Download
- Home Page
"An advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements."
RootkitRevealer
- Download
- Home Page
"RootkitRevealer is an advanced patent-pending rootkit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit."
TCPView
- Download
- Home Page
- Port Authority Database
"An advanced monitoring utility that will show you detailed listings of all open TCP and UDP ports on your system, including the local and remote addresses and the connection state. On Windows 2000 and XP, TCPView also reports the name of the process that owns the open port."
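The triage TCPView supports, listing every open port with the process that owns it and looking up anything unexpected in a port database, can also be done from the output of the built-in `netstat -ano` command, whose `-o` column gives the owning PID on Windows 2000 and XP. The script below is an added example, not part of this guide or of TCPView: it parses that output, keeps the sockets that are listening (TCP) or bound (UDP) and reports those whose protocol and port are not in a baseline of ports a stock XP box with File and Printer Sharing leaves open. The baseline set is an assumption to adjust for your own machine, and the capture, including the listener on port 6667 and all PIDs, is constructed data. It runs on any machine with Python 3.7 or later; `live_capture()` only works on a real Windows box.

```python
"""List listening sockets with their owning PID and flag anything outside a baseline.

Added example, not part of the original guide or of TCPView. It parses the
output of the built-in `netstat -ano` command so the same triage TCPView
supports can be scripted: every TCP socket in LISTENING state and every bound
UDP socket is listed with its PID, and those not in an expected baseline are
reported for a port-database look-up and a check in Process Explorer.
The baseline and the capture below are assumptions / constructed data.
"""
import re
import subprocess

# Ports a stock XP SP2 box with File and Printer Sharing leaves open (assumption; adjust).
BASELINE = {("TCP", 135), ("TCP", 139), ("TCP", 445),
            ("UDP", 137), ("UDP", 138), ("UDP", 445)}

# Proto, local, foreign, optional state (absent for UDP), PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$")


def parse_netstat(text):
    """Yield one dict per socket line; the header and blank lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, port = m.group("local").rsplit(":", 1)  # rsplit keeps [::] style hosts intact
        yield {"proto": m.group("proto"), "host": host, "port": int(port),
               "state": m.group("state") or "", "pid": int(m.group("pid"))}


def listening(text):
    """TCP sockets in LISTENING state plus every bound UDP socket."""
    return [s for s in parse_netstat(text)
            if (s["proto"] == "TCP" and s["state"] == "LISTENING") or s["proto"] == "UDP"]


def unexpected(text, baseline=BASELINE):
    """Listening sockets whose (proto, port) is not in the baseline, sorted by port."""
    return sorted((s for s in listening(text) if (s["proto"], s["port"]) not in baseline),
                  key=lambda s: s["port"])


def live_capture():
    """Run netstat on a real Windows box (not used by the sample run)."""
    return subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout


# Constructed capture in the XP netstat -ano layout; the PIDs and the port 6667 listener are made up.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       1804
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1052       64.233.187.99:80       ESTABLISHED     1900
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.5:137        *:*                                    4
"""

if __name__ == "__main__":
    for s in unexpected(SAMPLE):
        print(f"{s['proto']} {s['host']}:{s['port']} pid={s['pid']}: "
              "not in baseline; look up the port and inspect the process")
```

Each flagged PID is then matched to an image in Process Explorer (or with `tasklist /svc` on XP Professional) and the port is looked up in the Port Authority Database; a listener owned by a process you cannot account for is exactly the case the Advanced Cleaning tools above exist for.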
Advanced Repair
Dial-a-fix
- Download
- Home Page
"An advanced utility for Microsoft Windows that repairs various Windows problems, such as: Windows Update, Windows Installer, Permissions and more."
Windows XP Security Console
- Download
- Home Page
"Windows XP Security Console allows you to assign various restrictions to specific users, whether you're running XP Pro or XP Home. XP Home leaves you completely without the Group Policy Editor, while XP Pro lacks the ability to use the Group Policy Editor to selectively apply policies to specific users."
End
This guide will be revised as needed. Comments: OptimizeXP@comcast.net. Do not send Technical Support Questions. While there are many other applications to clean and protect your system from Malware, the ones recommended here are based on extensive real-world use on thousands of systems.
I am well aware of the following programs, and many others, so please do not submit them:
A-Squared
ATF Cleaner
avast! Virus Cleaner
AVG Anti-Rootkit
AVG Anti-Spyware
AVG Anti-Virus
Avira AntiVir
BitDefender Online Scanner
CA eTrust AntiVirus Scanner
CA eTrust PestPatrol
CA eTrust PestScan
ClamWin AntiVirus
Comodo BOClean
Comodo Free Firewall
Drop My Rights
F-Secure BlackLight
F-Secure Online Scanner
Javacool SpywareGuard
Hitman Pro
Kaspersky Online Scanner
Lavasoft Ad-Aware
Panda ActiveScan
Panda QuickRemover
Panda NanoScan
Panda TotalScan
PC Tools Spyware Doctor
Malwarebytes Anti-malware
McAfee Avert Stinger
McAfee FreeScan
Norton Security Scan
Runscanner
Sandboxie
Spyware Doctor Starter Edition
Spyware Terminator
SUPERAntiSpyware
Sunbelt CounterSpy
Symantec Security Check
The Cleaner
ThreatFire AntiVirus
TrojanScan
Webroot Spy Sweeper
ZoneAlarm Spyware Scanner