New Video: How to Remove Malware for Free – 2013 Edition

On Saturday I made probably the longest video ever (it’s over an hour)!  While this video is long, it will show you how to completely remove malware for free without having to hire someone to do it for you.

You can read the written malware removal guide here.  While the video does follow the guide in general it does deviate from some of the steps, but the result is the same…a completely clean PC using free software.


  • Dave

    Good video Matt and I’m kinda glad it went like it did because that’s definitely real life. Case in point, I had one come in this morning (was working on it while watching your video) with the ‘System Progressive Protection’ virus on it and tried running KRD, but it kept shutting down during the scan; all it said was it closed for some unknown reason. I don’t know if the malware had anything to do with it or not, but after 2 tries I said enough of this. Booted into safe mode and ran Hitman Pro, booted back into normal mode and all was good. Ran MBAM and it found nothing, and scanned with MSE and the all clear was given.

    • http://remove-malware.com malwarekilla

      Thanks Dave. One thing I’ve learned by now is that you never know what’s going to happen when it comes to malware.

      • http://gravatar.com/jcitizen jcitizen

        I agree that this unexpected event made the video even better!! I once had a problem with Kaspersky Rescue disc 10, when it recognized a ZAccess backdoor, but didn’t have the new definitions to remove it. The dang thing was a “shape-shifter” and Kaspersky couldn’t remove it yet. Just like Matt said in the video – just wait a day or two and the new signatures will download.

        Fortunately I was able to backup the PC in the PE using HP’s Symantec Recovery service, and restore the factory image. By then Avast had a signature on the pesky backdoor variant, and nailed it right away upon scanning the recovery folder. No worries on backing up the malware, because you can usually rid the storage device of the offending files before restoring them to the PC. If possible I tell the client to simply keep the backup separate from the PC for a while, until needed, so the zero day threat will pass.

        • Thomas Lau

          What about removing the threat via Knoppix after noting the threat’s location?

          • http://gravatar.com/jcitizen jcitizen

            I’ve done that too – but I didn’t have my Knoppix CD with me when I re-installed the operating system. I figured the client had the whole machine pretty messed up – the analysis of the Windows updates indicated many of them were not installed correctly, and especially the .NET updates. So a clean install and file recovery was in order.

  • Shaun Zhang

    I have already seen your video, Matt, it was not bad.
    Keep in mind that every antimalware company has its own way of stopping malware processes to allow its antimalware products to run. Hitman Pro by Surfright uses force breach mode, but Malwarebytes uses Malwarebytes Chameleon to stop known malware processes to allow Malwarebytes Anti-Malware to run. In some ways it is even better than Hitman Pro force breach mode: it does everything automatically, so you don’t have to do much in this case.
    I have posted comments about Malwarebytes Chameleon on your last post, I don’t know if you have seen them or not.

    • http://remove-malware.com malwarekilla

      Thanks Shaun, I’m just getting around to all these comments. I’m going to do a video on Malwarebytes Chameleon against the same Rogue, so we’ll see what happens :)

  • shifflav

    Nice Video… I’d like to see a coverage on dealing with the aftermath of a virus infection. Removing them is easy enough, but the huge time killer for me is restoring damaged files, services that are no longer loading, etc. Figuring out what is damaged or disabled is a huge time-waster. I have a few automated repair tools (D7, Dial-a-fix, etc.), but I’m always looking for better options. Time is money in this business.

    • http://remove-malware.com malwarekilla

      If one of my reviews corrupts a system then I’ll create a video on it for ya.

  • Adam Bottjen

    Wouldn’t it be a good idea to plug in the USB stick and back up your data from a PE environment, so the malware that is currently on your system doesn’t infect the USB stick? Wouldn’t it also be a good idea to buy write-protected USB sticks that you put all your bootable tools on?

    • http://remove-malware.com malwarekilla

      Yeah, it would be a good idea, however I thought it would add a little too much complexity for the basic user. It’s hard enough for them to boot to the disc, update it and scan.

  • Simon

    Does anyone know much about system scanning with Spybot Search and Destroy? A friend says it only takes a few minutes to complete and wants to know more about its system scan.

    • http://gravatar.com/jcitizen JCitizen

      I hope Matt doesn’t mind me interjecting here. So far I only recommend Spybot S&D for folks who just can’t afford the lifetime 24 buck license for MBAM. Believe me, there are poor folks who can’t. It is one of the only AM solutions I know that actually blocks most bad cookies (and maybe hosts too); but I’m not sure about the resident’s full real time capabilities – sorry.

      I wasn’t using it anymore, because it is long in the tooth, but I haven’t been recommending AdAware since disreputable interests bought Lavasoft out in January. My clients that don’t do online banking and shopping have refused to get rid of AdAware, because they have too much trouble with the new malware variants that can do quite a lot of mischief, even if you use restricted rights accounts. So I’ve been testing the new v. 2.0, and it has improved some. I’m not sure about any conflict – but I run Spyware Blaster alongside it for ActiveX protection. You would have to update it often, as well as anything else that is free (except Avast), because of no auto-update – this to help prevent zero day infection as much as possible. Neither of them conflicts with other AV/AM solutions we’ve discussed here, or in the video Matt refers to.

      Maybe Matt can correct me, but I’m not sure if the hosts file manipulations of those two anti-malware products conflict with each other. I’ve always understood you can’t have two hosts files per browser. Maybe someone can weigh in here. The makers of SS&D (Safer-Networking) used to recommend coexistence with Spyware Blaster because they used different techniques to help provide REAL TIME PROTECTION in a free product. This is what is critical to helping keep the junk off your computer in the first place.

      So far I’ve noticed less malware interference using the new SS&D, but MBAM has very good IP blocking and other real time protections that work even in the restricted account environment. I was always told that even MBAM Pro could only block IP on limited rights, but I saw it slam a “Trojan_Fake_MS notepad.exe” the other day – and it even cleaned up most of the remnants without rebooting. However I ran CCleaner in admin mode to finish removing the trash left behind in the registry. I run with the paid version of MBAM, because I do a lot of online shopping and banking too. Maybe Matt will do a video on the solutions that work at near kernel level to protect your passwords and logins even in an infected environment. I’ve had great success along those lines.

      I hope that helps – sorry for bumping in the middle here Matt – I figure you’re plenty busy as it is! :)

      I do not have a web site – and probably never will – so please don’t infer that I’m trying to hijack any of Matt’s business – I just hate malware intensely, and will even work for free to help indigent clients keep from becoming victims.

      • Simon

        Thanks for that response JCitizen, a friend uses the portable version of SS&D and wondered why the scan was over so quickly. WOW, you use Spyware Blaster too? That’s the first thing I enable when I boot up my PC. Dunno how many people still use it though, or if Java Cool (if that’s their name) are going to keep bringing out new versions (wonder if it works with Windows 8).

        • http://gravatar.com/jcitizen jcitizen

          I feel SpywareBlaster is still a contender, because it has such non-intrusive passive real time protection (basically registry blockers), and a good hosts file to block known malicious servers. If I’m not mistaken ActiveX includes all Windows based flash files. Since Adobe Flash is still one of the number one vectors for taking administrative control over your computer – I’d say it is still important. Since it only uses registry hacks and a hosts file – I doubt it would ever conflict with any other solution – except where Comodo used to mistake the reg entries as malware (false positive) – but that was a long time ago.

  • http://gravatar.com/jcitizen JCitizen

    For clarification – when I say MBAM slammed a malware, what I specifically mean is that, while I am logged in as a limited user, the AUTOMATIC real time protection of MBAM stopped this infection in its tracks. Of course it blocked any IP address of any malicious server that tries to come to the rescue of the malware to help it evade or otherwise obfuscate the disinfection process. As was seen in the video, the scanning power of these solutions is very effective, but they also have real time auto protection to keep them from gaining a foothold in the first place. Sometimes you will see them slam a malware immediately after downloading the updated signature, or HIPS signature.

    I think Matt has done some good videos in the past of various good HIPS solutions. The good ones don’t conflict with Avast or Norton, but I can’t attest to how tolerant Kaspersky is to coexisting with other AM solutions. It has been years since I tested it, and it was very intolerant of any other AM products at that time. Of course Avast, Norton, and Kaspersky all have their own excellent HIPS (Heuristic Intrusion Prevention System), but in a good blended defense you can usually find several that work very well together, with no conflicts in the event viewer.

  • Simon

    From what I remember Matt is an advocate of Kaspersky, because he knows it very well. (When he gets a moment I’m sure he will clarify.)

    • http://remove-malware.com malwarekilla

      Either KIS or NIS. Both work really well outta the box for my clients. It’s basically install and forget. I haven’t had a single client get re-infected with malware after they’ve installed either KIS or NIS.

      • http://gravatar.com/jcitizen jcitizen

        KIS must be the first suite product I’ve seen that can nail the new malware then. That is encouraging news! Thanks Matt! Maybe I can now recommend it to my clients who are not on a tight budget. SMBs should take heed to your advice!

        As you noticed when you did the video, the new malware are a slippery lot!

        I’m assuming KIS and MBAM get along swimmingly? I’d hate to drop it! :)

      • Simon

        I have NIS 2013; the only thing I changed on install was that I changed “Enable Boot Time Protection” to aggressive, as per Matt’s review of NIS 2012.

  • Simon

    What do you think about the Kaspersky ONE security suite (it might go by a different name in America) – which provides all-in-one protection for Mac, PC & Android devices – worth it or not?

    • http://remove-malware.com malwarekilla

      Never tried it.

      • Simon

        Do you think it would be worth it though, to have Kaspersky on my PC, Macbook and Android smartphone – sounds interesting.

  • ZOU

    I used to use Spyware Blaster with Spybot S&D. I now utilize a behavior blocker on paranoid mode and a HIPS. I am trump tight, especially when compared to anything that Spybot S&D or Spyware Blaster can/could handle. Your novice/destitute clients are not going to be able to mentally deal with a HIPS or BB though. Novices need only use Avast Free Edition with Windows Firewall, and MBAM Free. Anything else is just too stressful for novices, whether relative to initial setup and/or choosing actions to take. Sandboxie is great for novices too, as long as you are willing to make a few minor tweaks before you turn them loose with it.
    My HIPS is Malware Defender and my BB is Threatfire (set to level 5). PC Tools does not promote Threatfire as a standalone product anymore, but they use it, or its tech, in PC Tools AV by Symantec.

    IMHO, intermediates and experts should choose from NIS and KIS (per Matt). F-Secure has a wicked suite too, as does ESET, and Comodo.

    • Simon

      ZOU – according to this article Malware Defender is a rogue anti-spyware program: http://www.bleepingcomputer.com/virus-removal/remove-strong-malware-defender

      You didn’t mention Bitdefender or G Data Internet Security Suite; they are also very powerful.

      • http://gravatar.com/jcitizen jcitizen

        Perhaps that malware was a poser. There are some that try to fool the user into thinking they are getting legitimate anti-malware. This is why my clients only download from reputable providers like File-Hippo, or Major Geeks. CNET used to be a good source, but their download manager should be declared a PUP!!

        My novice users were able to get used to Comodo’s Defense + but Comodo has become too bloated for their use now. I have them put Winpatrol on as a bandaid. Hey they are basically broke – so you just have to work with what you can afford. As the economy or their personal situation improves – I ease them into the paid solutions.

        That is very interesting news that PC-Tools and Symantec are co-operating in a venture like that. I hadn’t read about it yet.

  • Simon

    Actually I think PC Tools is now owned by Symantec, if you look closely enough on the PC Tools website; that coupled with the fact that PC Tools used to market an antivirus for Apple Macs called iAntivirus, which is now developed by Symantec.

    • http://gravatar.com/jcitizen jcitizen

      Yep! You’re right the “Official web site” says PC Tools by Symantec. If you can’t going them – buy them out!

      • http://gravatar.com/jcitizen jcitizen

        I should say,”JOIN them!”, not going them!
        I really need to check my spelling before posting! HA!

  • Simon

    Now which is better then: PC Tools Internet Security or NIS…that’s the question!!

    Merry Christmas Everyone

    • http://gravatar.com/jcitizen jcitizen

      That is a good question Simon – I’ve read many good things about Threatfire, and used to recommend it as an adjunct to other blended defenses, but I never tested it yet. I’ve had bad luck with PC-Tools products in the past – mostly instability and deleterious effects to the operating system. I would always have to move away from them and hope for improvement later.

      I’ve had the same luck with Emsisoft, who has a good reputation for the Online Armor firewall, and their AM HIPS products. I get the same bad luck on my machines I had with PC-Tools. I do have clients that have not experienced this – probably because they don’t use kernel based utilities to protect the browser against key-logging, screen capture, or session riding into the bank sites, or the shopping they do. I refuse to go online without at least a good password manager and Rapport for the IE and Firefox browsers; so that may be why I’m having problems with some of these “suite” solutions. I prefer standalone solutions only, and have had extremely good luck in my day to day operations, and also in my honeypot lab computers. Your mileage may vary.

      I like a base of solutions that work at the kernel level to resist malware manipulation, that can work even in an infected environment to thwart the mission of banking trojans and similar malware such as Zeus variants. If any AV or AM addon to that creates conflict – I get rid of that standalone add-on. Most of my solutions are free, or very economical to buy – and use varied technology so they can’t conflict with each other. I really do regret having to stop using Lavasoft’s AdAware, as I’ve had malware manipulation problems ever since. Many of the new malware do not need special administrative permission to do their dirty deeds, so I’ve witnessed some problems that can be very vexing to the uninitiated novice. However – I just can’t trust Lavasoft anymore, since they were bought out last January by a pretty sleazy bunch of grifters.

      To use the new AdAware 10 you have to accept their anti-virus, which is supposedly written by Viper; but I was running into the same system instability issues I had with other comprehensive suites like this from many I’ve mentioned already. Performance was badly degraded also.

    • http://gravatar.com/jcitizen jcitizen

      I might add that the only malware I catch anymore are ones that come in with other software I’m testing, or as something added to a driver by an OEM. There isn’t much you can do to avoid those scenarios other than remove the offending software/malware and complain to the OEM issuing it. I never cease to be amazed at the ridiculously naive approach Original Equipment Manufacturers have to so many of the drivers and software packages they hawk along with their hardware!!!

      All other attacks are either blocked entirely, or otherwise thwarted by my blended defenses, and the Windows protections already provided by x64 operating systems, and the IE 9 browser. I never go online as administrator unless I’m updating my OS or applications.

  • Thomas Lau

    I have a question: if your PC is infected with all sorts of nasty stuff (worm, malware, virus, trojan, rootkits, etc.) and you plug your USB thumb drive in to back up your important files, won’t the USB thumb drive also get infected?

    • http://gravatar.com/jcitizen jcitizen

      Yes – however, I’ve never had a problem cleaning up the backup files post zero day. If the client is a business and can’t wait – providing they properly used incremental backup – not all the backup files need be restored until after the zero day date.

      In my experience – just like Matt said – in about 48 hours, the file definitions for any threat have come down the update pike. And removal from backup files is not a problem.

  • Simon

    I’d just like to say wishing you all a Very Merry Christmas :)

  • Robert

    Hello Matt. Another great video. If it’s alright with you, I have a couple of questions.

    1. About the Kaspersky disk, how is it able to boot into a non-Windows based environment? Aren’t Windows computers designed not to be booted up in any other environment except Windows?

    2. Are the instructions that you gave for any of the rescue disks or just this one?

    3. I know that choosing Avast is your personal preference; however, I am curious as to why you would want Avast over Comodo, especially since, after seeing another one of your videos, I think you stated that you weren’t able to get anything past Comodo. It’s not a big deal and it’s your own choice again, but I’m just curious; after all, I once made Avast my choice for personal antivirus and who knows, I may just go back to it one day.

    4. Speaking of Comodo, are you planning on testing Comodo 6.0 and the Comodo rescue disk?