
Guide: Virus Removal 101

Solaris17

Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
19,838 (4.12/day)
Likes
6,917
Location
Florida
System Name Venslar
Processor I9 7980XE
Motherboard MSI x299 Tomahawk Arctic
Cooling EKWB L360 R2.0
Memory 32GB Corsair DDR4 3000mhz
Video Card(s) Gigabyte 1080TI
Storage 2x 2TB Micron SSDs | 1x ADATA 128SSD | 1x Drevo 256SSD | 1x 1TB 850 EVO | 1x 250GB 960 EVO
Display(s) 3x AOC Q2577PWQ (2k IPS)
Case Inwin 303 White (Thermaltake Ring 120mm Purple accent)
Audio Device(s) Realtek ALC 1220 on Audio-Technica ATH-AG1
Power Supply Seasonic 1050W Snow
Mouse Roccat Tyon White
Keyboard Ducky Shine 6 Snow White
Software Windows 10 x64 Pro
#1
Rules of the road

THIS IS NOT FOR INFECTION HELP! PLEASE MAKE YOUR OWN THREAD!
THIS IS MEANT FOR BEGINNERS BE NICE!
YOUR OPINIONS ARE YOUR OWN THIS GUIDE FOCUSES ON FACTS AND EXPERIENCE!

Information and Scope
About

Hello! This thread was created by request and with the support of a few members of the forums. I have decided to take up the challenge and write about virus removal, since TPU in general doesn't have a real guide or centralized experience with it from what I can see.

Full disclosure: I am currently studying to get my master's degree in Digital Forensics. After that I will probably attempt my PhD, and the end goal is working for a security firm. Personally I hope to join the ranks of Cisco's Talos Security Division, after which I hope to teach into retirement.

I am NOT affiliated with, sponsored by, representing, or paid by any security firm or corporation. I do not officially represent any entity while posting under my USN on TPU.

I am the CIO for a small PC repair chain in Florida. We are big enough for me to play with some pretty cool technology and just small enough where I help technicians with end user PCs. Personally I touch anywhere between 700-1100 physical machines per year in a repair environment, ranging from hardware replacement to software work.

I have worked for several other tech companies, and previously I was working for a mid-level enterprise as a domain administrator for around 2000 end points across 13 offices.

My personal take on virus removal is that it should be free for those most in need, and I very much will write this guide in accordance with my belief that someone is tearing their hair out and just wants their computer to work again. The tools I will link and provide are free, and I and others in the industry have used them to completely disinfect machines.

HOWEVER, I also firmly believe that if a product worked for you, you should pay for it to support the developers and the science and skill that went into the program. The world of security software is a mean place with brilliant minds. However, from what I have seen "Free" outweighs "Paid" in most people's minds when dealing with antivirus/malware tools.

If you like something you should buy it, so that the father of 3 can help pay his bills and has the drive to keep making whatever product that saved your ass better. That's it, pure & simple.

Now that you know a bit about me we can move on to some other stuff.

Scope

The scope of this guide will be limited to the end user environment. This guide DOES NOT cover enterprise level environments, however it MAY brush on higher level best practices and mitigation techniques.

I intend to cover how to properly remove a virus, malware, root/boot kits and junkware from a compromised PC in a basic, friendly, low-impact manner that is easily understood by the average user. This guide will cover normal operating systems in normal environments; each example will be explained under the assumption that you know nothing about security or intrusive programs and have only the most basic software knowledge and user skill.

This approach is meant to cater to the masses and is not in any way meant to demean or imply that a user needs to be handled in this manner.

I will add that this guide is not a place for arguments and I will only accept constructive criticism. Even the most skilled PC builders, programmers, network engineers and users may not know a lot about security and best practice. That is TOTALLY FINE! That is NOTHING YOU NEED TO BE ASHAMED OF!!!!! Please understand that you may be able to take away something from this guide. I am not here to bump heads with SecOps or other operations managers, who I am sure exist on this forum.

This guide is meant for the average user. I may omit expanded details or parts of security practice on purpose because the "watered down" explanation is easier to digest. There are always naysayers, and if you would like a specific question answered you can PM me. Not including something usually has a purpose and doesn't necessarily mean I don't know the material.

I will say some things in this guide that some of you will NOT agree with. I am fine with that. I may even make someone upset. I do NOT mean to do this. Please understand my history in my "About" section. I have handled a lot of machines and different technologies. The information provided herein is a reflection of best practice, facts, personal experience and industry accepted techniques. Multiple resources will be provided to back up certain information.

Getting Started

Let's start with the most controversial point that IT staff in organizations and businesses have with what this guide is about: time, money and effort.

A virus removal is not as commonplace as you may think in the professional industry. It is more a pain in the ass for Walmart than it is for you, the end user. In most cases, if you are speaking with a real IT pro the answer to the question "Can you fix my computer?" is usually just format it and reinstall the OS. This is because:

A: It is far more cost effective if you are paying someone to have them simply wipe it and remove all doubt.

B: It is the ONLY sure-fire way to remove whatever infected your system in most cases.

C: Virus removals can do more harm than good.

D: It is far less time consuming in most cases.

Virus removals for the end user are usually simpler than you think. However, understand that in the security industry this is very much a fight-fire-with-fire method. Security software is a mean beast. The process can VERY MUCH leave your system in a worse or unusable state. As you can see from this guide, it is also very involved if done properly.

Attempting to remove an infection of any type without the right tools can result in not effectively removing the infection and compromising the security of the OS even MORE, because of the settings and files that need to be manipulated to properly disinfect it.

That's some pretty scary stuff, but now we can shed some light on some good news. If you are reading this, chances are you are not nearly as infected as you think you might be. The software might be bothersome and annoying, even hard to close or impossible to delete. However, most users will not run into serious infections.

I am 100% certain anyone reading this (except from an academic standpoint) is probably frustrated out of their mind with the problem they are currently facing. HOWEVER, with that said, most everyday infections are very common and easily remediated without the risk of damaging the core OS or user data. Even better news: if you can read this guide from the infected machine in question, you are better off than most.

Regardless of infection type or severity level there is hope of a clean system, and I will cover how to properly avoid infection later. Your reasons for choosing the route of disinfection are your own. I will not judge those that do not take the easier path of reinstallation; I am also fully aware an OS reinstall (OSR) is not always the easiest solution depending on circumstance. You should also make sure not to let anyone else judge you on it. Disinfection is very much a skill and I will try and help you manage it by yourself.

Let's move on :)

Definitions

Let's start with definitions! Not AV definitions, silly: what are we talking about when we say boot kit, add-on, malware? Do they even sell a security encyclopedia? This section is going to break down the difference between them all and hopefully teach you the fundamentals of infection. For better or for worse, knowing is half the battle, and if you really want to save your PC then knowing what you need to do is one of the biggest parts of that battle.

Shooting a fly with a tank damages more than the fly, and we should always understand that in most cases the cure can be worse than the disease. So let's make sure we apply band-aids before we use penicillin.

Malware:

- Malware, as the article suggests, is a blanket term for many types of infectious programs. When you say "I have malware" you aren't exactly wrong regardless of what program is causing the issue; however, you aren't really helping yourself or the person trying to help you get rid of it.

I will break down some of the more common groups below to help you help yourself narrow down the type of problem you have. There are also multiple sub-groups to the primaries listed below but a general knowledge will suffice in most circumstances so I will not be getting into them in this guide.

Junkware:

- Junkware has lately become the term most used to supersede the old terminology "adware". This kind of infection is usually what causes popups in browsers and on your desktop, usually by way of installing itself along with legitimate packages you download from legitimate sites like Java or Adobe Reader. This is the most common type of "infection" a user complains about. Java, for example, has "bundled" toolbars etc. for years, and download.com by CNET is notorious for spreading bundled installers. I get a lot of my junkware samples from them.

Virus:

- "Virus" is a term that is usually used for what is actually pretty rare these days among end users. The definition of virus has carried a lot of different meanings in the past and has changed significantly over the years as security researchers and programmers started to need different "groups" for malicious software to gauge intent and infection rate, among other things. Today, when dealing with a "virus", most people in the know assume the virus is of malicious intent and actively destroys or manipulates user data in a negative way, such as Trojans, ransomware or keyloggers. There are some very nasty viruses that are difficult to contain, isolate and remove because they are polymorphic in nature, i.e. they change.

Boot/Root Kit(s):

- A rootkit is a special type of incredibly powerful infection. Rootkits are incredibly hard to cope and deal with because they have the ability to cloak themselves completely or mask themselves as legitimate system processes, making detecting one difficult. Rootkits are infections that circumvent the security protocols of the machine and various security software.

Rootkits are used as a foot in the door for other kinds of infections, ranging from malware to virus infections and almost any other kind of conceivable infection. True to its name, the rootkit usually gives complete privileged access to your computer to the attacker, be it remote control of the program or of the machine and hardware itself.

On the same branch is the bootkit. The bootkit, like the rootkit, has the ability to grant the attacker complete administrative access while remaining hidden and undetectable by most normal means.

The primary difference with bootkits is that they infect the machine on a very deep level on the hard drive, usually interrupting the boot process itself, hence the name. Bootkits are capable of defeating even the most robust antivirus software and built-in security because bootkits themselves are usually loaded before most of the OS files during the boot process, before you even get to the desktop.

Bootkits and their connected files can be the most destructive to remove and the hardest to find given their nature.
 

Solaris17

#2
Software and Background

In this section we will briefly go over the software being used and why we chose this software as opposed to other options. This is more of an academic type of post that will clarify the more important "WHY" when it comes to removal. It is important to understand that in order to effectively remove, or have the best chance to remove, a virus you must have the proper tools. The software listed below is based on several key points, those mostly being:
  • Free
  • Easy to use
  • Minimal user interaction
  • Update friendly
At no point should you think that the software chosen was chosen because it is better than xyz or the "Best". That doesn't mean the software is "not the best", just that I am trying to break the mindset of "Best"; it is important to shake the idea that a one-off solution is always going to be the better one.

A Porsche is fast and will get you to work sooner than an 18-wheeler, but if you're hauling tractors to work the 18-wheeler is better suited. This is no different in the security world: applications are built for a specific purpose for the most part, and because of the nature of heuristic code engines some software will do better than others even within the same area of interest.

Software List

- Threat Restraint
  • Rkill
- Rootkit Removers
  • TDSS
  • bootkitremover
  • MBAR
- Broad Spectrum Scanners
  • Roguekiller
  • EEK
  • MBAM
  • Sophos VRT
  • HitmanPro
- Malware/Junkware Removers
  • ADWCleaner
  • JRT
- Targeted Repairs
  • Powerliks
  • Combofix
- Wrap-up and Repair
  • TWEAK
  • REVOuninstaller
  • Ccleaner

Examples

Above is the list of software this guide will cover and what you will be using to disinfect the machine in question. We will go more into why we separate them into groups in the next section. Here I will explain the weaknesses and strengths between software types and programs so you can understand why there are so many.

A common question is why we don't have an all-in-one solution, paid or otherwise, that can handle all of, well... all of this. The answer is simple.

You can't.

Every virus removal tool is different in some way. Some are able to detect things others cannot. Above are the groups of different software. For example, EEK is a broad spectrum scanner. However, EEK cannot detect rootkits as well as programs specifically designed to remove rootkits, like TDSS. Likewise, programs like TDSS are completely incapable of detecting malware; they simply aren't programmed for it.

Software in the same category also behaves differently. Hitman is very good at detecting browser issues and cookies. However, Sophos isn't so great at browser infections but is better at scanning core system folders.

The AV world is full of these kinds of checks and balances, which makes proper removal more of a skill than a click of a few buttons. Nothing is 100%, and you must rely on the differences the tools have to increase your chances of success.

- Running scans in order

Running scans in the correct order might be something you are unfamiliar with. I will try to break down the basic concept as to why this is important to you. For the most part it boils down to permissions, be it actual NTFS permissions or actual privilege. Digging deeper, you should ALWAYS attack an infection in this order.
  • Threat restraint
Threat restraint is an important step because it will allow you, the user, to more easily work with your machine, which is probably super slow because of infection. Programs like KillEmAll or Rkill stop known malware processes, which frees up memory and CPU, making it a little easier and faster to deal with your machine.
  • Root/Boot Kits
As previously covered, root- and bootkits are low level infections that grant admin (root) access to the machine. This software also, for the most part, changes permissions of core system files in order to more easily control your machine. It is very important to target and remove these infections first because the modifications they make can stop other higher level removal tools from working correctly.
  • Virus Scans
Actual virus removal comes next. Trojans, worms, spyware: all virus class infections cause some kind of issues with system services and built-in security protection, and have the ability to prevent removal tools from opening. These kinds of infections need to be dealt with second so that we can ease the restraints on the system and our tools have the proper permissions and resources to run.
  • Mal/Junkware scans
These are the last class of tools to run. These infections usually adhere to the user level of least privilege. They are really annoying and bothersome but are usually the simplest to remove. Unfortunately, the tools that remove them require the use of system resources most of the time and assume they have everything they need to proceed. For this reason malware and junkware removal scans are done last, because they totally rely on the previous steps being done and corrected to run correctly.
  • Repair
Repair tools like Tweak are used last. These programs reset Windows to a default usable state, from folder options and icon size to default services and program startup. Most of the virus removal tools correct security related issues that the virus they are removing affected.

However, sometimes more things have been touched and damaged, and for these we use repair software last to correct the remaining issues after a full removal.
 

Solaris17

#3
Identification and Resources

Define

One of the most difficult parts of a virus infection is trying to figure out what you are dealing with. This can be impossible to know for certain, but there are a few telltale signs that can tell you how soon you need to deal with the problem. Below I outlined some very basic markers.

- Boot/Rootkit

  • Machine is running very slow with no sign of infection
  • Machine starts VERY slowly
  • Machine blue screens for almost no reason
  • Machine BSODs or locks up during virus scans
- Virus

  • Machine runs slowly and has programs running during startup
  • Machine won't let you open Task Manager
  • Machine won't let you open AV software
  • Machine will play audio when there shouldn't be any
  • Machine has popups at the desktop
- Junkware/Malware

  • Browser's homepage has changed or changes
  • Browser locks you out when opening new tabs
  • Machine has a lot of programs open during startup that won't close
  • Machine shows a lot of software that asks you to pay for it
  • Machine displays popups telling you you have a virus
  • Machine asks you to call a tech support number
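Several of the markers above can be checked directly rather than guessed at. The script below is an added example written for this guide's readers, not the guide's own script or any of the listed tools; it assumes Windows PowerShell 5 on Windows 7 or later, and it only reads (startup entries, the Task Manager policy value, the Internet Explorer start page, and running processes whose executable lacks a valid Authenticode signature), so it neither removes nor changes anything.

```powershell
# Added example (not from the guide): read-only triage for the markers listed above.
# Assumes Windows PowerShell 5 on Windows 7 or later. It reads the registry, the startup
# folders and the process list only; it changes nothing and deletes nothing.

function Get-StartupEntries {
    # "has programs running during startup": Run/RunOnce keys plus both Startup folders.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Get-ItemProperty adds these bookkeeping properties to every result; they are not Run entries.
    $bookkeeping = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($bookkeeping -contains $p.Name) { continue }
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    $folders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -File | ForEach-Object {
            [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Test-TaskManagerDisabled {
    # "won't let you open Task Manager": a DisableTaskMgr policy value of 1 is one common cause.
    $keys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
              'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisableTaskMgr
        if ($v -eq 1) { return $true }
    }
    return $false
}

function Get-IEStartPage {
    # "homepage has changed": Internet Explorer keeps its start page in the registry.
    $key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    if (Test-Path $key) {
        return (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Start Page'
    }
}

function Get-UnsignedProcesses {
    # Running executables without a valid Authenticode signature deserve a second look.
    # Look them up with the services under "Sources" before deciding anything about them.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |
        Sort-Object -Property Path -Unique |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction SilentlyContinue
            if ($sig -and $sig.Status -ne 'Valid') {
                [pscustomobject]@{ Process = $_.ProcessName; Path = $_.Path; Signature = $sig.Status }
            }
        }
}

Write-Host '== Startup entries =='
Get-StartupEntries | Format-Table -AutoSize | Out-String | Write-Host
Write-Host "== Task Manager disabled by policy: $(Test-TaskManagerDisabled)"
Write-Host "== Internet Explorer start page: $(Get-IEStartPage)"
Write-Host '== Running processes without a valid signature =='
Get-UnsignedProcesses | Format-Table -AutoSize | Out-String | Write-Host
```

An unsigned process or an unfamiliar Run entry is a lead, not a verdict; many legitimate programs are unsigned, which is why the next section points you at lookup services rather than at deletion.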

Examples

Below are some really common scams and malware making their way around.

- MypcBackup
- Driver installer/download programs
- Fake Antivirus software
- Speed up tune up and cleanup software
- Mindspark toolbars and software
- Slimware utilities software
- Phone call scams telling you your unit is infected
- Email scams with PDF invoices saying you have a package at USPS, UPS or FedEx waiting for you

Ransomware

Ransomware deserves its own section. Here are the common signs.

Anything or any program that tells you your files have been locked or encrypted is ransomware.

Address it

IMMEDIATELY unplug your system from the internet and shut it down.

Take it to a professional. This is not a simple procedure or technique. You SHOULD NOT attempt to handle this infection on your own. I SERIOUSLY beg you to take your machine to a local shop to be worked on. It may be possible (although very SLIM) for them to decrypt your data using one of the tools that have been released for the crackable versions.

I am deliberately skipping over risk assessment and disinfection. You NEED to take this to a professional. If you have no important data or pictures on the machine format it immediately. It's already over.

Sources

If you are still unsure if you are infected or have an issue you can always take it to a local shop for diagnosis. However there are a few trustworthy online resources you can use to see what you have.

Should I Remove It?

Should I Remove It is a meta-based system where users submit their "votes" on a piece of software. Based on the reaction (Positive/Neutral/Bad) you can decide if it is something you should keep.

Herdprotect

Herdprotect is a cloud-based virus scanner that uses definitions and engines from multiple companies to determine if you are infected. They also have a pretty handy knowledge base. Simply search for your program or file and see what it comes back with.

Virustotal

VirusTotal is a Google-sponsored AV front end. You can search for programs, check shady website URLs or upload a file you aren't sure about. Like Herdprotect, it uses multiple AV engines to come to a conclusion.

ReasonCore

Like Herdprotect, ReasonCore offers an online database of samples that you can search through.

Getting Prepared


Before we get started we need to get you ready to run some of the tools I have prepared for you. The below instructions mostly pertain to Windows 7 and 8. By default Windows 10 already comes with the programs you need installed for all of my tools to work.

You will Need

.NET 4.5 and 4.6

We need the .NET frameworks installed because PowerShell depends on them to run. PowerShell is what we will be using to download the tools you need.

It is best to do them in order so here are the links.

.net 4.5

https://www.microsoft.com/en-us/download/details.aspx?id=42643

.net 4.6

https://www.microsoft.com/en-us/download/details.aspx?id=49981

Now that we have .NET all caught up, we need to make sure that we install the latest version of PowerShell. We will need at least 5.0 to make sure the script works correctly. PowerShell is part of the Windows Management Framework (WMF) and, like .NET, should be installed in order.

Management Framework 4.0

https://www.microsoft.com/en-us/download/details.aspx?id=40855

Management Framework 5.0

https://www.microsoft.com/en-us/download/details.aspx?id=50395

If you think you might have what you need already, we can double check. Search for PowerShell on your computer and open it. Once opened, put in the following command.

Code:
$PSVersionTable
If you have the right version (5.0) the PSVersion line will look like this.


The version number MUST start with 5.

Next we need to allow execution of scripts from other machines. To do this, search for PowerShell, right-click on it and start it as administrator.

Then type the following and hit enter.

Code:
Set-ExecutionPolicy RemoteSigned
PowerShell will then warn you and ask you how you would like to continue.

Press "A" (without quotes) and hit enter to allow execution of scripts.
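The three prerequisites from this post (PowerShell 5.0, .NET 4.5/4.6, the RemoteSigned policy) can be checked in one go. The script below is an added example, not the guide's attached script; it assumes PowerShell 3 or newer to run itself (on a stock Windows 7 with PowerShell 2.0 the `$PSVersionTable` check above already tells you to install the Management Framework), reads only and installs nothing, and the script path it checks is a placeholder you replace with wherever you unzipped the attachment.

```powershell
# Added example (not from the guide): verify the prerequisites from this post before running
# the attached script. Assumes PowerShell 3+; reads registry and file metadata only.
# $ScriptPath below is a placeholder for wherever you extracted the attached script.

function Get-DotNet4Release {
    # Microsoft publishes "Release" thresholds for .NET 4.x in this key:
    # 378389 and above = 4.5, 393295 (Windows 10) / 393297 (other OS) and above = 4.6.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    if (Test-Path $key) {
        return [int](Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Release
    }
    return 0
}

function Test-RemovalPrereqs {
    param([string]$ScriptPath)
    $results = @()

    # 1. PowerShell 5.0 or newer (the guide's script needs it).
    $ps = $PSVersionTable.PSVersion
    $results += [pscustomobject]@{
        Check  = "PowerShell $ps"
        OK     = ($ps.Major -ge 5)
        Action = 'Install Management Framework 4.0, then 5.0'
    }

    # 2. .NET 4.6 (which implies 4.5) present.
    $rel = Get-DotNet4Release
    if ($rel -ge 378389) { $dotnetAction = 'Install .NET 4.6' } else { $dotnetAction = 'Install .NET 4.5, then 4.6' }
    $results += [pscustomobject]@{
        Check  = ".NET 4.x Release value $rel"
        OK     = ($rel -ge 393295)
        Action = $dotnetAction
    }

    # 3. Execution policy allows local scripts to run.
    $policy = Get-ExecutionPolicy
    $results += [pscustomobject]@{
        Check  = "Execution policy $policy"
        OK     = (@('RemoteSigned', 'Unrestricted', 'Bypass') -contains "$policy")
        Action = 'Run Set-ExecutionPolicy RemoteSigned as administrator'
    }

    # 4. A file downloaded from the forum carries a Zone.Identifier stream ("mark of the web").
    #    RemoteSigned refuses to run such a script unless it is signed or unblocked, so the
    #    "Run with PowerShell" step can fail even though the policy looks right.
    if ($ScriptPath -and (Test-Path $ScriptPath)) {
        $blocked = [bool](Get-Item -Path $ScriptPath -Stream Zone.Identifier -ErrorAction SilentlyContinue)
        $results += [pscustomobject]@{
            Check  = "Downloaded script not blocked: $ScriptPath"
            OK     = (-not $blocked)
            Action = "Run Unblock-File '$ScriptPath' (only for a script you trust)"
        }
    }
    return $results
}

# Placeholder path: point this at the script you unzipped from the attachment.
$report = Test-RemovalPrereqs -ScriptPath 'C:\VirusRemoval\script.ps1'
$report | Format-Table -AutoSize | Out-String | Write-Host
if ($report | Where-Object { -not $_.OK }) {
    Write-Host 'Fix the items marked False (see Action) before running the script.'
} else {
    Write-Host 'All prerequisites met.'
}
```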

You are now ready to unzip the script attached to this post.

All of the tools downloaded require, as of the time of this posting, about 610MB.

IF A TOOL FAILS TO DOWNLOAD IT MAY NEED TO BE UPDATED PLEASE REPORT IT!!

After you have unzipped the script, right-click on it and select "Run with PowerShell" to start downloading the tools.

It will go through some prompts and checks. Just follow the directions in the script. Once complete, it should look a little something like this.


You are now ready for the next step.
 


Solaris17

#4
Removal Process and Repair

Let's get started with the removal! You probably made it this far on willpower, especially if the only reason you have read this far is because you are infected. Let me take a brief moment (I promise) to explain the usage of Windows 7.

The idea behind its usage is simple. Most people that are on Windows 10 know the equivalent shortcuts, or the OS already has the necessary pre-reqs to run the script. Additionally, many have upgraded from Windows 7, making this a good starting point, along with the fact that since Windows 7 does require pre-reqs to be installed, it makes more sense to base the instructions on the OS that is more difficult to configure for the task. The machine was fully patched on a fresh OS with MSE installed and running.


Initial steps

Make sure you have an active internet connection. Follow the steps above to make sure the script will function for you. Make sure you have set some time aside to make sure you can troubleshoot issues you may have along the way. Make sure you have a copy of the guide provided for offline use in the post above.

QUICK TIPS

If at any point you lose your ability to connect to the internet after a reboot from a tool, run the following two commands from an administrator command prompt. The first resets the TCP/IP stack and the second resets the Winsock catalog; reboot once both have finished.

Code:
netsh int ip reset

netsh winsock reset

Removal

Threat Restraint


Let's start by running RKill to close some of the malware so we have a few more resources at our disposal.
RKill may ask you for administrator permissions. Just allow it and let it run. When it completes it should look like this.


Rootkit Removers

The next step is to start our rootkit battery. Our first program of choice will be TDSS. TDSS is made by Kaspersky Lab and is very good at dealing with root/boot kits. When we first open it up we are greeted with 2 EULA-type windows; we will need to accept both of them before coming to the main window.


Without any further modification, go ahead and click start scan to begin the search; the window will look like the screen below. TDSS is very specialized, so it should not take long for the scan to complete.


If you find yourself clean, TDSS will tell you no threats were found and you can close the program. If however kits were detected, the screen will look like this:


Click on the drop downs and delete the items. TDSS will ask for a reboot while it attempts to clean the infection. After the reboot we can scan with TDSS again to make sure it is clean. If it is still not we may need to try other programs.

Moving on to Bitdefender's anti-rootkit utility. Like TDSS, this program is specialized, so scans generally do not last long. The main window looks like this.


After the scan you are greeted with a screen hopefully telling you the unit is clean. If not, the options for handling an infection are the same as for TDSS; I recommend deletion. In rare cases a program will be unable to do so, and for these situations I recommend quarantine, but only as a last resort.


Though I don't have a picture, if the unit is infected with a rootkit Bitdefender sees, you will have options very similar to TDSS; simply select delete and reboot the machine when prompted.

MBAR is the next tool we will be using and the last in the rootkit category. This tool is a bit more broad than the previous Bitdefender and TDSS scanners, and because of this the scans are a bit longer. When you open it you will be greeted with the below window. Make sure to hit update. MBAR will also extract to its own folder on the desktop by default; should you need to rerun the program, make note of this so you can find it in the future.


After the update is complete hit next and then the scan button. You will soon be on your way with MBAR chugging along. Below is what the scan will look like.


Along with root/bootkits, MBAR also picks up some pesky viruses that modify core system files and services.

After it finishes you will be presented with a clean bill of health or the infections it found. If it found infections, press cleanup and reboot when prompted.


After restarting the machine you may run the scans again to determine their effectiveness. After this stage is complete we move on to the next stage, which will begin our main scan battery and will take the longest amount of time.

Broad Spectrum Scanners

Now that we have moved on to the general scanners we will be removing the majority of the malware on the system. Leading the race will be EEK. EEK is a good removal tool provided totally free by Emsisoft.

After the program extracts it should open to its main window. It should automatically start checking for updates, which you will be able to see in the left hand box. If it doesn't, go ahead and manually update it by clicking update inside the box. When it is complete it will give you a status and turn green.


Now that it's updated, go ahead and click on "Malware Scan" in the right hand box. Since this is probably the first time you have run this you will get a few boxes popping up. One of them is going to ask you if you would also like to scan for PUPs; a PUP is a "Potentially Unwanted Program". Go ahead and press "YES" to this so we can cover all the bases.


Since this group of programs scans for more things, they take a bit longer than the rootkit scans we performed before. After it is complete the window should look like the one below. Click the button labeled "Delete Selected"; if prompted to reboot, do so.


After EEK is complete we move on to Roguekiller. Roguekiller is made by Adlice and is very good at detecting deep OS hooks. However, the free version does not let you scan for PUPs. Let's go ahead and launch it now. After it starts it will have a scan now button. Click scan now and you will be greeted with a screen of locked options (Free); go ahead and click start scan again to begin.


While the scan is running you will see detections (hopefully) start to add up towards the bottom. In some circumstances the below will happen. Basically, Rogue understands that something MIGHT be a virus even if its definitions aren't sure. When this happens Rogue will ask you if you would like to submit it to VirusTotal, which I linked above. Once Roguekiller gets a more definitive response it will deal with it accordingly. For these cases I click "Always".


When the scan finishes you will be greeted with a screen that looks like the following. Right-click on anything in the list and then click "select all" followed by "Remove Selected".


Rogue will begin clean up and you will be asked to reboot the machine, go ahead and do so now.

We will now begin our Malwarebytes Anti-Malware, or MBAM for short, scan. MBAM, if you haven't gotten it from the name alone, specializes in malware removal. This product does in fact require installation, so let's follow the steps to get it ready to scan.

After opening the program click on "Update" next to "Database Version" to make sure we are as ready as we can be. After the update completes, start the scan.


Once the scan is running, like almost EVERY other virus scanner, there are 3 to 4 distinct stages the software goes through. While the program is scanning you will see the malware tallies rise depending on how infected your system is.


When MBAM is complete it will automatically start the cleanup phase. When the cleanup phase is complete the "Finish" button will activate and turn blue. When this happens you can click "Finish" and close MBAM; however, in some cases MBAM, like many other tools, will ask you to reboot. If this happens, let it.


With MBAM done we are going to fire up Hitman. Hitman is a powerful scanner that SurfRight presents as a "second opinion" scanner. Hitman's detection and removal capabilities are fantastic. However, you only get a 30-day trial. Hitman also implements a kind of hardware ID that makes it impossible to "reset". Once Hitman is "activated" it is free for 30 days and will not remove anything again until it is paid for. Because of this it is usually a good idea to think about when to use it. If you deem your infection serious enough, we will run it. If not, we can move on to Sophos below.

Starting Hitman is simple enough. Once it is open, simply hit "Next" until you get to the activation page.


Click "Activate free license". Once you have entered your email address and clicked "Next" you will be shown the activation successful screen.


Simply click "Next", which will start the scan. When the scan is complete you will have the telltale list of infected objects.


Click on any of the little arrows next to an object and you will be presented with a drop-down menu. Go down to "Apply to all" and select "Delete". The status next to every object should change to "Delete". Simply click "Next" and Hitman will begin removal. When it is done it will say so and either ask you to close it or to reboot.


With Hitman done, the majority of the obvious infections should be gone. We can either skip the Sophos scan, or we can finish the stage off by running it, since Hitman and Sophos are usually used in place of each other.

Sophos VRT is a disinfection tool made by Sophos themselves. Sophos is a big player in business and enterprise protection. They have been around a very long time and are a leading security company.

Install Sophos VRT and open it. Once open, Sophos should automatically start an update.


After the update completes, simply click on "Start Scan" to begin the process. Like the other tools in this category, scans can take a long time, and Sophos is a bit on the slower side. If things have been smooth sailing up to this point, you should have very few detection hits. Once it is finished, click "Start Cleanup" and Sophos will begin its removal.

It is important to note, however, that we ARE still in fact getting hits at this stage, which only provides more motivation to run the entire battery and emphasizes the point that infections are difficult to remove and running the correct tools is important in ensuring a successful disinfection.


After the cleanup is complete we can close Sophos, or reboot if it prompts us. Once either is done we will move on to the last primary removal stage.

Malware/Junkware Removers

Now it is time for the last main battery section: the junkware removers. Last out of necessity, but not the least powerful. I will be introducing you to two of the most powerful tools on the market for removing the junk and adware that infects people's browsers and tags along with legitimate programs. Hate toolbars? Dislike software constantly popping up in the middle of the screen? These are for you.

Starting with AdwCleaner, a powerful little utility that was once independently programmed by Xplode and is now run by Toolslib.

When opening ADW you are greeted with the EULA. Accept it to start the program.


Once the program opens, the interface should be very simple. Simply click on "Start Scan" to get moving. Given the type of scan, ADW and similar junkware removers usually finish quickly.


Once the scan is complete, ADW has a multi-stage completion process. The first stage shows you everything that has been found. Click the "Cleanup" button to begin the procedure. ADW will now prompt you several times.


After ADW closes the necessary programs it will prompt you for a reboot. Click "Ok" and ADW will reboot your machine.


With ADW complete we will now move on to JRT. JRT, or Junkware Removal Tool, was once a solo program written by thisisudax and was then bought by Malwarebytes. They did right by him, however, and kept the form and function of the program the same.

Starting JRT will give you the following screen. For the most part JRT is a very simple program and doesn't have many stages that you need to interact with. Simply follow the on-screen instructions. In rare cases JRT will ask you to reboot, though usually it will simply open its log file when it's complete.


After you start the scan it will show its stages by way of a loading bar made of stars (*).


Once complete, a log of the program's work is saved to your desktop and then opened before JRT exits. You can simply close this for now.


At this point you are done with the main battery of removals. There are two specialized tools I will go over, but both are usually only needed in very specific scenarios. They should also only be run when all other cleanups have been performed (which I will get into soon). For now we will begin the very final stages of the whole disinfection process. We will now clean the browsers and run the repair utilities.

Give yourself a pat on the back!!!!! The machine should be running a lot better already. Go you!

Wrap-up and Repair

Browsers are usually last because they are modified so much, by so many types of infection, that it's usually just better to reset them. Because of this I will be showing you the quick and dirty way to do a full reset on the 3 most popular browsers. More disinfection information could be given, but we are just going to cover getting them to function correctly first.

In comes IE. IE is the default browser for Windows when first installed, and a lot of people still use it. It has also been around a long time, so a lot of junkware knows how to integrate with it. When we first open IE you will see a cog or gear symbol on the top right-hand side. Press it.


Then make your way down to "Internet Options" and click it. A box will open with the settings and controls for IE. At the very top right of the window is a tab that says "Advanced"; go ahead and click it to show the reset options for IE.


Go ahead and click the button labeled "Restore Advanced Settings". If asked whether you would like to continue, click yes. Afterwards click on the "Reset" button just below that. When the box pops up I would also recommend checking the box that says "Delete Personal Settings". Note that this will delete all of your saved passwords and auto-fill history.

After the reset is done, the small status box will show all green check marks and a "Close" button. Click "Close" and reboot your machine.


With IE done, let's move on to Firefox.

Firefox is another big browser with lots of market share. Like most other browsers, because of its popularity it also gets infected quite a bit. After opening it, like IE, you will see three bars at the top right representing the Firefox menu. Go ahead and click it. After it's open we will be looking for a question mark bubble at the bottom of the menu.


Go ahead and click on it to open the help menu. We will now find "Troubleshooting Information" and click on it. It will open a new page with information you don't really need to worry about; however, on the top right-hand side are two buttons. One of them says "Refresh Firefox". Click this button and we will get a confirmation prompt. Hit the "Refresh Firefox" button inside the prompt to reset the browser.


When Firefox is finished it will open a new page for you and you are ready to go!


With the other two majors out of the way, you guessed it: if you are a Chrome user this one is for you. Once we get the browser open, like Firefox the settings menu is represented by 3 bars in the top right corner. When we click it a menu will pop up. We want to navigate down to the "Settings" link.


If Chrome has managed to detect that it has been modified, you may be lucky enough to have the reset button right in front of you.


If not, scroll all the way to the bottom; there will be a link called "Show advanced settings". Click the link and the page will expand to show more settings. Once again scroll all the way to the bottom. The very last item will be a button that says "Reset Settings". Like the button in the previous picture, both of these buttons will spawn the following warning box asking if you are sure.


Click the "Reset" button and Chrome will take care of the rest. Once complete, your browser is all set and ready to use!

With all of the crazy disinfection hopefully behind us, it's time to coax our OS back into working order. Much like a patient on a massage therapist's table, the OS has been beaten up and changed by the infections and the tools. We will use a handful of specifically chosen programs that tweak permissions, files, registry entries, etc. to get your OS back to operating how it should.

Removing bad software is next on our list. Since we have run through all of the big bad viruses, it is time that we double- and triple-check to make sure nothing was missed. The last few stages are cleanup and repair.

Let's go to Control Panel and start removing some stubborn programs, and in some cases programs that are more junkware than actual viruses; in these cases they were probably skipped by the removers. You can get some help again using the link in this post to see if the program you're thinking about removing is legit or not.


Some key things to keep in mind when removing: there are some programs you probably shouldn't remove. A lot of pre-built machines, for example, have special software installed to control things like hardware or special keys on your keyboard. Other software is important for things you use every day like printers or your webcam. Here is a short list of things you probably shouldn't remove.

  • Any program that has your machine's brand name in it: DELL, ASUS, HP, ACER, Toshiba, etc.
  • Any program that has Microsoft in the name
  • Any software that appears to be something you use: Evernote, Office, Google Chrome.

Here is a short list of things that are probably safe to remove.

  • Any program that has the name of the software that's bothering you
  • Any program that says toolbar
  • Any program that appears to be about soliciting, offers, coupons, etc.

As always, check with the above post to make sure what you are removing is legitimate. Additionally, in the course of uninstalling programs you may come across damaged ones that will not uninstall. These programs will give an error similar to the one below.


In these cases we already have a tool we can use to rip it out. Though it is always recommended to attempt the uninstall normally first, if we cannot, we can use Revo Uninstaller to remove the offending program.

After opening Revo we will need to agree to their terms. Then the program will scan the system quickly and display the programs it detects as installed. In the list, find the program you were having a hard time removing. Click the program to select it and on the top toolbar click the "Uninstall" button.

At first Revo will try to uninstall the program using the same normal methods Windows uses. It is very possible that you will run into the same error you encountered when trying to uninstall it through Control Panel; this is fine.


Simply click OK and you will be shown the screen underneath. This is where we can ask Revo to force-remove the program that isn't uninstalling correctly. Check the box labeled "Advanced" and click the "Scan" button. You will be asked if you are absolutely sure you would like to uninstall it. Select yes to begin the scan.


Revo removes software in two stages: registry entries and files. When Revo is done with its scan it will immediately show you the registry entry list. By default all files and registry entries will be unchecked for safety. If you are sure you would like to delete the program, click the button labeled "Select All" and THEN press the "Delete" button. You will get a warning from Revo asking if you are sure. Click "Yes". After the deletion is done nothing should be left in the box. Click the "Next" button to move on to the files.


The files section works just like the registry section. Select all the files and press the "Delete" button. After it is complete, simply click the new "Finish" button on the bottom right-hand side.


Revo may ask you to reboot; if this is the case, go ahead and let it. Otherwise you are done with the uninstall! Just follow the same procedure for any other software you might need to uninstall.


Without further ado I introduce Tweak. Tweak is an AIO (all-in-one) modification platform that handles multiple aspects of your operating system. From services to folder options and more, it can reset them back to default.

Tweak on first startup will have a button at the bottom left. This button says "Reboot to Safe Mode". Click it. Tweak relies on the clean(er) environment of Safe Mode to complete its modifications successfully. Safe Mode looks odd to the average user: everything will be big, for one, and your background picture will most likely be gone. Don't worry though! All of this will come back. Once you are in Safe Mode, click on Tweak again.


Once we open Tweak back up, on the top right-hand side is a tab called "Repairs". Click this tab to access the repair page.


When you are ready, simply click the "Open Repairs" button to access the repairs menu. You will be prompted to save a file at this point. Go ahead and choose any folder you would like, but remember where you are saving it. This is actually saving an important set of files we can fall back on if something goes wrong.

The repair window requires no modification by default. Simply click the button called "Start Repairs" and we will be on our way. Given the amount of things Tweak modifies, this can take a long time, so don't sweat it.


When all is said and done, Tweak will tell you it's time to reboot your machine. Click the "Yes" button and you will be brought back to normal mode, where things will look more like what you are used to.


With Tweak done we can do the last of the cleanup to save some space and speed on the system. The first trick up our sleeve is one all too often forgotten: Disk Cleanup. Disk Cleanup is a utility built into the Windows operating system that can be used to clean up temporary, old or unused files on the machine. In a lot of cases this can save several gigs of space.

To start, simply open the Start menu and type the word "Disk". When "Disk Cleanup" shows up in the list, right-click it and select "Run as administrator" (we do this to save time).


Disk Cleanup will open and start searching. When it is complete it will display a box with small checkboxes for the things you can select for deletion. We are going to go through the list and check all of the boxes.


After all of the boxes are checked, press the "OK" button. Disk Cleanup will ask you if you are sure you want to delete the files; click the "Delete Files" button to begin the process. Disk Cleanup can take hours if there is a lot of data to delete; it also depends on the speed of your machine, so be patient. When it is done deleting files it will automatically close.

That's it, you're done! Congrats! :clap: :toast:

You have by now hopefully successfully disinfected your system! You did a great and awesome job sticking with it. Let's talk about the elephant in the room though: in the next post I will go over some mitigation and protection techniques you can use to help stop this from happening again.

If you think you might need some extra help you can try the targeted repairs below, which might fix or catch things that the others have missed. However, you need to know that for the most part a lot of the targeted repair utilities can damage your machine. Use extreme care when running them.


Targeted Repairs


The targeted programs are Poweliks and ComboFix. ComboFix is almost like a cross between Tweak and a broad-spectrum scanner. Poweliks is actually a single tool that looks for 1 single type of infection. You can read more about Poweliks here.

To start, I will run you through ComboFix. This software can cause serious issues with your OS, so it is only recommended if you are certain you are still infected. It only supports XP through Windows 8, NOT Windows 8.1+.

First and foremost, before beginning ComboFix you should shut off any AV protection you have on. This includes Microsoft's MSE. If you do not, ComboFix will warn you before starting and tell you what product it detected as active. After you have shut off your protection, ComboFix will start and you must accept its agreement.


After you accept the agreement, ComboFix will extract its contents and begin.


During the extraction ComboFix may ask you to update it. Press the "YES" button and the extraction process will start over with the new edition.


Like JRT, ComboFix will begin automatically. ComboFix uses a text-based output for status. It goes through many different stages and will eventually reboot your machine for you. After the reboot, ComboFix, again like JRT, will present a text file to you with the outcome of the removal.

The Poweliks remover by ESET is the next specialty tool we will be using. ESETPoweliks isn't dangerous in the traditional sense and only takes a moment to run. I excluded it from the main battery of scans only because it is seldom needed. However, if you would like to make certain you have covered all of your bases, this is how to use it.

When opening ESETPoweliks you will be prompted to accept their terms. Accept the terms to move on to the program itself.


Afterwards the program will run automatically and tell you if you are infected. Most of the time you will not be. If you are, Poweliks will ask you to hit any key to disinfect; afterwards it will reboot. If you were infected, feel free to scan once more after the reboot.


That's it! I will add more off-the-wall utilities as I deem them needed for this guide and document them accordingly.

Solaris17

#5
Wrap up and Mitigation

Tools

Prevention is arguably the most important deterrent for malware in the security world. A lot of enterprise-level technicians and administrators focus on how to keep infections OUT instead of relying on software on the machines to deal with infections when they happen. There are a lot of tools in the corporate world to do this. However, fear not; below I outline some of the preventative measures we can use to try and keep this kind of thing from happening.

First is CryptoPrevent. This is software used to help prevent ransomware from infecting your machine. It used to be free only, and there is still a free version; it just doesn't update automatically. For the normal home user this is fine. I SERIOUSLY recommend it for someone that deals with a lot of email attachments and connects to big networks: apartments, schools, etc.

When opened, CryptoPrevent will ask you a few questions and then it will launch. You will be greeted with the window below. At the very least you should choose the default. If you want more protection, simply choose a higher stage. If you run into problems you can always open it and step down a level until everything works fine for you. It will then ask if you would like to whitelist programs; you can let it if the machine seems fine to you. Reboot after it tells you to.


Browsers

Browsers are another big attack vector for malware. I would SERIOUSLY recommend that you install an ad blocker. I have linked the more popular and trustworthy ones below.

CHROME


FIREFOX

IE

Installing ad blockers should increase your protection online. Another method you can use that will help with sites that sneak through is modification of the HOSTS file. You may not be aware of the HOSTS file, but in simple terms it can override where a website name points in your browser. This works both ways, however: an infection can use it to redirect you, and we can use it to prevent the connection to some bad sites.

Download New FILE

The site that hosts it is winhelp2002; they have made the modified HOSTS file for years and go into a bit better explanation as to what it does here.

Simply download the file and unzip it. Run the script file named "mvps" and follow the directions.
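To see what the MVPS file actually does, and to spot the reverse case mentioned above where an infection uses the same file to send a real site somewhere else, here is an added Python example that parses a HOSTS file and sorts its entries into blocks and redirects. It is not the MVPS script or the guide author's code; the sample HOSTS text and every name and address in it are constructed placeholders.

```python
"""Parse a Windows HOSTS file and classify each entry.

A block list like the MVPS file works by mapping unwanted names to an
address that goes nowhere (0.0.0.0 or 127.0.0.1). Malware abuses the same
file in the other direction, pointing a real name at a live address. This
module tells the two apart. Added example, not part of the guide.
"""
import ipaddress

# Names the stock HOSTS file maps to loopback on purpose.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Constructed sample (placeholder names, not real indicators).
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
0.0.0.0  ad-tracker.example            # MVPS-style block entry
0.0.0.0  popup-junk.example www.popup-junk.example
  # indented comment, then a duplicate that should be ignored
0.0.0.0  ad-tracker.example
999.1.1.1  broken.example              # invalid address, skipped
203.0.113.7  www.mybank.example        # a redirect, not a block
"""


def parse_hosts(text):
    """Parse HOSTS text into {hostname: ip_string}.

    Blank lines and '#' comments are ignored, one line may name several
    hosts, names are lower-cased, and lines whose first field is not a
    valid IP are skipped. The first mapping seen for a name is kept.
    """
    hosts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a usable address; a resolver would ignore it too
        for name in fields[1:]:
            hosts.setdefault(name.lower(), str(ip))
    return hosts


def is_sinkhole(ip_string):
    """True when the address makes the name unreachable (0.0.0.0, ::,
    127.0.0.1, ::1). This is what a HOSTS-based block list relies on."""
    ip = ipaddress.ip_address(ip_string)
    return ip.is_unspecified or ip.is_loopback


def classify(hosts):
    """Label every entry: 'local' for the standard loopback names,
    'blocked' for sinkholed names, 'redirect' for anything else."""
    labels = {}
    for name, ip in hosts.items():
        if name in LOCAL_NAMES:
            labels[name] = "local"
        elif is_sinkhole(ip):
            labels[name] = "blocked"
        else:
            labels[name] = "redirect"
    return labels


def is_blocked(hosts, name):
    """Would a lookup of this name be stopped by the HOSTS file?"""
    ip = hosts.get(name.lower())
    return ip is not None and is_sinkhole(ip)


def suspicious_redirects(hosts):
    """Entries that send a non-local name to a live address.

    A LAN hostname is written the same way, so each hit needs a human
    look, but a bank or update server pointed elsewhere is a hijack."""
    labels = classify(hosts)
    return sorted((n, ip) for n, ip in hosts.items()
                  if labels[n] == "redirect")


def summarize(text):
    """Counts per label: the quick 'what does this file do' check."""
    counts = {"local": 0, "blocked": 0, "redirect": 0}
    for label in classify(parse_hosts(text)).values():
        counts[label] += 1
    return counts


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    print(summarize(SAMPLE_HOSTS))
    for hostname, address in suspicious_redirects(table):
        print(f"review: {hostname} -> {address}")
```

Run it against the real file at C:\Windows\System32\drivers\etc\hosts after installing the MVPS list: thousands of "blocked" entries are expected, while any "redirect" naming a site you did not set up yourself deserves a closer look.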

DNS

The last thing I can provide for now is OpenDNS. This helps restrict the type of content your internet connection can access, from pornographic websites to political ones. OpenDNS has great support and a pretty easy setup. Give them a look HERE.

For basic home protection you can change your DNS servers on every device (or just your router) to the addresses below. These servers are pre-configured to block adult content and offer the same uptime as the normal OpenDNS addresses.

  • 208.67.222.123
  • 208.67.220.123

These next servers are public OpenDNS servers like Google's 8.8.8.8 and 8.8.4.4 and, unlike the "FAMILY SHIELD" addresses provided above, they do not do any blocking by default.

  • 208.67.222.222
  • 208.67.220.220

DNS servers translate website names like google.com into the IP address numbers computers need to find the site you are going to. By using "filtered" DNS servers we can blacklist bad websites from even being allowed to show up on your computer.

Let's dig in! Generally your PC can use two different DNS servers, in case one doesn't work. You can set these servers on each of your internet-connected devices. Ideally you would set them on your router, which would filter for your entire network. That is a bit better and is recommended, but unfortunately there are too many different ways to access routers and modems to cover here. You can start your search here or ask in another forum thread for help.

Setting it up on your PC should be a bit easier. OpenDNS actually provides a guide HERE; just remember to use:

  • 208.67.222.123
  • 208.67.220.123

instead of the addresses in the guide so that you get the filtering protection.

Explanation

I chose the software and methods above because of the effect they have on the everyday user. Protection is key in the digital world to prevent infection. The tools above are updated frequently and have other security-minded people behind them.

They are also easy to use; even for the most computer-inept, with some simple instruction the tools are easy to use and provide a lot more protection than the default settings. I encourage everyone, professional or otherwise, to try and improve security wherever they can.

Best Practices

Best practice is a hard trick to teach. Best practice usually involves implementing something or locking something down to the point of almost being as annoying as the malware that made it necessary. However, this doesn't need to be the case. I have a few examples of how you can use best practices to help protect your data, you and your machine by doing some simple routine things, just like taking your car to get an oil change.

Reset your firewall. If you haven't already done so during this guide, it would be a good idea to.

Here is a great guide: http://www.thewindowsclub.com/reset-windows-firewall-settings

Keep a copy of one of the broad-spectrum scanners I provided above. Something like EEK or RogueKiller run just once every month could do loads to help you stay virus-free.

When it comes to email, too good to be true usually is. Remember what I mentioned before? Be careful with attachments. Don't open them unless they are from someone you know. Also be sure to second-guess even some legit-looking ones. Ransomware is spread a lot via attachments claiming to come from a postal service.

These are usually masked as an invoice. Before opening, ask yourself "Did I order anything?" If not, chances are it's fake. Remember that UPS/FedEx/DHL/USPS etc. don't have access to your email, and Amazon, eBay and many other online shopping sites aren't allowed or required to give out that information. So how would they know to send it to you?

Get some actual protection. Like it or not, if you are infected you probably need it. I recommend AV software to begin with; performance issues are rare and I have dealt with a lot of systems. While I appreciate people's ability to not use them or concerns about performance impact, if you followed this guide there is no real argument against it. Here are some lightweight good guys.

There are free and paid versions. Usually the difference between free and paid is the extra stuff: browser blockers, anti-spam, etc. However, there usually ARE differences in the free products: definition updates come slower, and some don't use an engine as powerful as the paid version. This can let things slip by. Of course the choice is yours. I am only going to advise that you get one.

Sophos Home
A great product; it requires an internet connection for management but has good detection rates.

Kaspersky
A great AV. Kaspersky has been around for a long time. The detection rates are superb and they play a very big role in detecting new threats in the wild.

Avast!
Avast is a personal favorite of mine. The detection rates are good, the product is easy to navigate, and it has great features for both advanced and novice users. Their free product is great.

Avira
Avira I have had pleasant dealings with on machines and in testing environments where I am working with malware. The detection rates aren't bad and the usability is great for the novice user. They offer a free product and it is worth looking into.

Bitdefender
A great program that now has a free edition. Bitdefender has more aggressive scan options by default that can turn away novice users, but its detection rates are great.

ProTip: I have purchased each of the AV products above and used the free ones for some time. I have chosen these among others I have also owned because of their usability, affordability and availability. They have also made numerous rounds on my malware machines and even attacked some of my tools (RUDE). That said, in the spirit of the forum and social stigma, I have linked the free editions, with the exception of Kaspersky, which does not have one but which I believe to be too great an option to not include.


Thanks for reading the guide. I hope I have helped enlighten you, the reader, and with a little luck persuaded you into taking security more seriously in one way or another. For the user that came here because they were infected, I really hope it helped you; it really is frustrating.


For guide related questions feel free to respond below.

bogmali

In Orbe Terrum Non Visi
Staff member
Joined
Mar 16, 2008
Messages
7,775 (2.01/day)
Likes
5,138
Location
Pacific Northwest
System Name System Has No Name
Processor Core i7-7820X
Motherboard MSI X299 Gaming Pro Carbon
Cooling Corsair H115i AIO
Memory Adata XPG Spectrix D41 4x8GB DDR4-3200
Video Card(s) Gigabyte AORUS GTX-1080ti
Storage Sandisk SDSSDXP 240GB SSD, Sandisk Extreme Pro 480GB SSD, Samsung 960 Pro M.2 NVMe 1TB
Display(s) Samsung UE510 UHD 28"
Case Coolermaster MasterCase H500P
Audio Device(s) Onboard
Power Supply Seasonic Prime Ultra 1K Watt
Mouse EpicGear Zora
Keyboard CM Quickfire Xti
Software Win10 Pro 64
Benchmark Scores Xbox Live Gamertag=jondonken
#6
Sticky'd while you work on it:D
 

Kursah

Moderator
Staff member
Joined
Oct 15, 2006
Messages
11,747 (2.68/day)
Likes
5,813
Location
Missoula, MT, USA
System Name Kursah's Gaming Rig - Haswell Edition | Spartan Home Server 2015
Processor i7 4790k 4.0/4.8 @ 1.26v | i7 4790k 4.0/4.4 @ 1.18v - Both delidded w/CLU
Motherboard Asus Z87-Pro - BIOS 2103 | Asus Z87-Pro - BIOS 2103
Cooling Noctua NH-U14S Push-Pull | Cooler Master 212 EVO Stock - Using NT-H1 and AC MX-4
Memory 16GB (2x8) Corsair Dominator DDR3 2400 CL11 | 32GB (4x8) G.Skill DDR3-1600 CL9
Video Card(s) MSI GTX980 Ti Gaming 6G LE @ Stock | Onboard Intel HD 4600
Storage 850EVO 250GB SSD, 960GB SSD, 1x2TB | 840 120GB SSD, RAID10 6x2TB (6TB) + 8TB Backup
Display(s) Samsung 32" TV IPS 1080p, Dell 23" U2312HM IPS 1080p | 19" 4:3 Dell LCD..mostly RDP.
Case Corsair 600C - Stock Fans on Low | Lian Li Lancool PC-K7 - Cougar fans
Audio Device(s) Aune T1 mk1 > AKG K553 Pro + HiFiMAN HE-350 (Equalizer APO + PeaceUI) | Realtek ALC1150
Power Supply EVGA 750G2 Modular + APC 1500VA UPS | EVGA KR500 80+ Bronze + CyberPower 1000VA UPS
Mouse Logitech G502 | Dell USB Laser Mouse
Keyboard Logitech G15 rv2 | Dell USB Keyboard
Software Windows 10 Pro x64 | Windows Server 2012 R2 (GUI Core,Hyper-V + VMs)
#7
Good to see a new TPU guide like this come up! Looking forward to seeing it get fleshed out! :toast:

Solaris17

#8
Thanks! I will be at this for a bit while I spin up some new VMs on my work laptop and infect my controls so I can take screenshots. I promise I will put as much effort into it as I can, but this project will probably take me a few weeks as I fill it out as best I can. It has been a while since I have written a guide and I have been re-programmed to write such things as technical documentation, so I will probably edit frequently, since my main goal is to make this for beginners and give a brush of enlightenment and not give them a 30-page white paper on security practices. haha.

@bogmali Would you be so kind as to lift my edit restriction, if possible? I am afraid I will go over it given the amount of work I need to do. Some would argue that I should type this all out in Word and then just spend a few hours editing it, but I hate the modification tools on forums, so it's simpler for me to simply format it as I type.

Thanks again @Kursah @Mussels @bogmali and the others that showed support. I will hopefully bring something to TPU that will help a lot of people.
 

Mussels

Moderprator
Staff member
Joined
Oct 6, 2004
Messages
46,606 (9.09/day)
Likes
14,197
Location
Australalalalalaia.
System Name OCD (Overclocking Compulsive Disorder)
Processor Ryzen R7 2700X (stock/XFR OC)
Motherboard Aorus AX370-Gaming 5
Cooling Corsair H115i Pro (yay for maglev fans!)
Memory 16GB DDR4 3200 Corsair Vengeance RGB Pro (1.4v 14-16-18-34)
Video Card(s) MSI GTX 1080 Gaming X (BIOS modded to Gaming Z - faster and solved black screen bugs!)
Storage 1TB Intel SSD Pro 6000p (+60TB USB3 storage)
Display(s) Phillips 328m6fjrmb (32" 1440p 144hz curved) + Samsung 4K 40" HDTV (UA40KU6000WXXY)
Case Fractal Design R5 White Gold edition + corsair RGB lighting
Audio Device(s) Pioneer VSX-519V + Yamaha YHT-270 + Corsair Void pro RGB, Blue Yeti mic
Power Supply Corsair HX 750i (Platinum, fan off til 300W)
Mouse Logitech G703 + PowerPlay mousepad
Keyboard Corsair K65 Rapidfire
Software Windows 10 pro x64 (all systems)
Benchmark Scores Laptops: i7-4510U + 840M 2GB (touchscreen) 275GB SSD + 16GB i7-2630QM + GT 540M + 8GB
#9
This needed a sticky, glad it got it so fast :D

Too much confusion, misinformation and bad programs out in the wild for virus/malware removal; we need a local TPU expert on it.
 
#10
Been away for some time and come back to this. Very exciting indeed. Thanks @Solaris17. I try to keep a clean PC with good practice and Super Anti Spyware/Malwarebytes. Hate to see even a few CPU cycles "wasted" ;) on an installed virus program. Can't wait to see your end result.
 
#11
Just want to thank you @Solaris17 for this really great write up you are embarking on. :toast:
 

Solaris17

#12
Thanks for the kind words! I will plug away at what I can for a few hours a day, schedule allowing, making edits along the way. I will be sure to mention when it's "done" to avoid confusion. There may be times I submit a bunch of content and other days I only modify a section or two, probably because I am documenting a removal process in a virtual machine.
 

manofthem

#13
Very much looking forward to further updates in this thread. I've often enjoyed posts by you @Solaris17 about viruses, even saving some info you posted recently, so this thread is going to be very much appreciated by all of us! :respect:
 

Solaris17

#14
Very much looking forward to further updates in this thread. I've often enjoyed posts by you @Solaris17 about viruses, even saving some info you posted recently, so this thread is going to be very much appreciated by all of us! :respect:
Thanks! I will certainly push to not disappoint!
 
#15
Not bad, not bad...until now...
 
#16
Gratitude via gif
 
#17
Actually, for anything not:
- parasitic file infectors (Virut etc)
- ransomware (CryptoLockers etc)

You just have to follow a list of tools and scan the system with each and every one of them until they don't show anything anymore.
 

Ahhzz

#18
/tag for looking :) Thanks for this, Solaris. As an IT tech by day, I won't pretend to have all the knowledge, but it helps to make the user think I do :) Always glad to see a well-written guide :)
 

Mindweaver

#19
Just a warning: don't post in here that you just wipe and reinstall Windows. That is not what this thread is about.
 
#20
What is this 101 virus?
 

Mussels

#21

Solaris17

#22
No, this isn't vaporware, I swear! Just figured I'd let those who are watching know: I have spent all day disinfecting a test machine and have about 143 screenshots I need to wade through and trim, as well as all of the actual documentation to go with it. I also have a few surprises; mostly, I wrote a PS script that will download all the necessary tools for you, and bonus points, every time you run it it will pull the latest version.

I need a few days to process and get this in a state that I can readily say is "usable", but there are still a few things I won't be able to publish initially. Maybe I will write a paragraph or two covering ransomware etc. I do hope mods can inject posts out of order. I may need someone to work with me on that. Once I got going I wanted to add more detail.

Worry not though. It will still be very simple to digest. I honestly think it's at the scale it's at only because I am writing it like you're 5.
 

Mussels

Benchmark Scores Laptops: i7-4510U + 840M 2GB (touchscreen) 275GB SSD + 16GB i7-2630QM + GT 540M + 8GB
#23
Just have one simple 'virus removal guideline' post that people can follow, which is basically a list of programs with download links, in your recommended order.

So that even if people fail to educate themselves, we can link to a singular post and say 'do this'.
 

Solaris17

Software Windows 10 x64 Pro
#24
Just have one simple 'virus removal guideline' post that people can follow, which is basically a list of programs with download links, in your recommended order.

So that even if people fail to educate themselves, we can link to a singular post and say 'do this'.
Agree, that's what I'm going to try and do. I'm uncertain if I need all of the images. I was more worried about link/picture limits in posts. I should be able to stick to what I have already laid out.

Wanna know what would be super cool in the long haul? Get a few of the forum-centric experts to do a collab on, like, a YouTube channel posting various how-to vids from their field of expertise. No cams or anything, just a mic and a desktop recorder. Hit random topics of interest: virus/security stuff pertaining to the OS, router config and port forwarding basics, that kind of stuff might be seriously cool.
 
#25
Agree, that's what I'm going to try and do. I'm uncertain if I need all of the images. I was more worried about link/picture limits in posts. I should be able to stick to what I have already laid out.

Wanna know what would be super cool in the long haul? Get a few of the forum-centric experts to do a collab on, like, a YouTube channel posting various how-to vids from their field of expertise. No cams or anything, just a mic and a desktop recorder. Hit random topics of interest: virus/security stuff pertaining to the OS, router config and port forwarding basics, that kind of stuff might be seriously cool.
+1 For this.
 