Malware Removal Guide For 2009 Q1

by malwarekilla on January 31, 2009

Step-By-Step Malware Removal Guide for First Quarter of 2009 (free software edition) 

Required Software:  Malwarebytes Antimalware (free), SuperAntiSpyware (free), Avira AntiVir (free), Threatfire (free), Sandboxie (free)

Download Sites:  filehippo.com, threatfire.com

Software Descriptions:

Malwarebytes Antimalware (mbam) = On-Demand Scan Anti-Malware.
SuperAntiSpyware (sas) = On-Demand Scan Anti-Malware.
Avira AntiVir = Real-time Antimalware.
Threatfire = Real-time Behavioral Analysis.

The steps below will remove almost any piece of malware.  Notice that I say almost.  If you’re infected with a rootkit you may need to use a bootable anti-malware disc, because a rootkit can hide its files and processes from any scanner that runs on top of the infected Windows install.

  1. Double-click the Malwarebytes installer (mbam-setup) and install with the default options.
  2. Malwarebytes will check for the latest updates.  If Malwarebytes fails to load (closes automatically when you open it), rename C:\Program Files\Malwarebytes’ Anti-Malware\mbam.exe to mb.exe.  Malware that kills or blocks scanners usually matches on the executable’s file name, so a renamed copy often runs fine.
  3. Try to update Mbam.  If Mbam fails to update, back up and then delete your hosts file in c:\windows\system32\drivers\etc (malware often adds entries there that point update and security-vendor sites at the wrong address).  If Mbam still fails to update, move on to the next step.
  4. Run a full scan with Mbam.
  5. Once the scan completes, click Show Results and remove everything that is checked.
  6. Reboot.
  7. Install SuperAntiSpyware (sas) with the default options.
  8. Update SAS.  If you can’t update SAS, proceed to the next step.
  9. Run a full scan.
  10. When the scan completes, make sure all items are checked and click NEXT to begin the quarantine and removal process.
  11. Reboot.
  12. Once your computer is fully booted, install AntiVir.  Choose a custom install, set heuristics to high, and let AntiVir perform an update.
  13. Scan your entire C drive by right-clicking on the drive and choosing “Scan selected files with AntiVir”.  If AntiVir detects any malware, choose to quarantine it.
  14. Reboot after the scan completes.
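Step 3 tells you to delete the hosts file when Mbam can’t update.  The batch file below is an added example, not part of the original guide: it shows what the malware put in the file before you throw it away, keeps a backup, and writes a clean default in its place.  It assumes a default Windows install path and that you run it from an administrator account (on Vista, from an elevated command prompt).

```batch
@echo off
rem Added example, not from the original guide: inspect, back up and reset the
rem hosts file that step 3 says to delete.  Assumes %windir% is the default
rem Windows install and that this runs with administrator rights.
setlocal
set HOSTS=%windir%\system32\drivers\etc\hosts

if not exist "%HOSTS%" (
    echo No hosts file found at "%HOSTS%" - nothing to reset.
    goto :eof
)

rem Malware often marks the file read-only/hidden/system so you cannot edit it.
attrib -r -h -s "%HOSTS%"

rem Keep a copy: it documents which sites were redirected where.
copy /y "%HOSTS%" "%HOSTS%.bak" >nul
echo Backed up the current hosts file to "%HOSTS%.bak"

rem Print every active (non-comment, non-blank) line.  A clean file has at most a
rem localhost mapping; any line naming an update site or a security vendor is a hijack.
echo Active entries before reset:
findstr /v /r "^#" "%HOSTS%" | findstr /r "."

rem Replace the file with a single default loopback entry.
(
    echo # hosts file reset during malware cleanup
    echo 127.0.0.1       localhost
) > "%HOSTS%"

echo Hosts file reset.  Retry the Malwarebytes update now.
endlocal
```

Resetting the file instead of just deleting it keeps the localhost mapping, and the .bak copy lets you check afterwards which vendor sites the malware had blackholed.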

This concludes the malware removal section in this guide.  Next, we’ll remove any software restrictions placed on our computer from the malware.

Restriction Removal Tips:

Now it’s time to clean up the security restrictions the malware placed on our computer.  Malware disables tools like Task Manager, Registry Editor and the command prompt through Windows policy settings to make removal that much harder.  I use a couple of free utilities and commands to undo this.

Commands

(For XP Pro) Click Start – Run – paste in the command below:
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

(For Vista) Click Globe – paste in the command below where it says “start search”, then press Ctrl+Shift+Enter so it runs elevated (secedit fails with an access-denied error otherwise):
secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

Note that this resets the whole local security policy, including default permissions on system files and registry keys, so any permissions you customized yourself will be reset too.

Microsoft also documents a way to reset your security policy back to defaults.  You can find it here:

http://support.microsoft.com/kb/313222

Misc Commands that may help:

Can’t launch regedit?  Issue this command (click Start – Run – paste in the command below):
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

Can’t load the Task Manager?  Issue this command (click Start – Run – paste in the command below):
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

Can’t load a command prompt?  Issue this command (click Start – Run – paste in the command below):
REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 0 /f

Each of these resets the per-user policy value.  Malware running with admin rights sometimes sets the same value under HKLM instead, so if the restriction is still there after a logoff, run the same command again with HKCU replaced by HKLM.
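The three commands above each clear one value in one hive.  The batch file below is an added example, not code from the original guide: it checks the same three policy values in both HKCU and HKLM and removes whichever ones it finds, adds the Explorer NoRun policy (the setting behind a hidden Start – Run), and lists Image File Execution Options “Debugger” entries, which is the mechanism that makes step 2’s rename-mbam.exe trick necessary.  It removes the values rather than setting them to 0; the effect is the same.  It assumes an administrator account (elevated command prompt on Vista).

```batch
@echo off
rem Added example, not from the original guide.  Assumes administrator rights.
rem Checks and clears malware-set policy restrictions in both HKCU and HKLM.
setlocal

rem The three values from the guide, plus NoRun (hides Start - Run).
call :fix "Software\Microsoft\Windows\CurrentVersion\Policies\System" DisableRegistryTools
call :fix "Software\Microsoft\Windows\CurrentVersion\Policies\System" DisableTaskMgr
call :fix "Software\Policies\Microsoft\Windows\System" DisableCMD
call :fix "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" NoRun

rem Some malware blocks scanners by name with an Image File Execution Options
rem "Debugger" value, so mbam.exe never starts (which is why step 2 renames it).
rem List such entries; remove a malicious one with
rem   reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe" /f
echo.
echo Image File Execution Options entries that carry a Debugger value:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /v Debugger 2>nul | findstr /i /c:"HKEY_" /c:"Debugger"
endlocal
goto :eof

:fix
rem %~1 = subkey path without hive, %2 = value name.
rem Query both hives; delete the value wherever it exists.
for %%H in (HKCU HKLM) do (
    reg query "%%H\%~1" /v %2 >nul 2>&1
    if not errorlevel 1 (
        echo Found %2 under %%H\%~1 - removing
        reg delete "%%H\%~1" /v %2 /f >nul
    ) else (
        echo %2 not set under %%H\%~1
    )
)
goto :eof
```

Not every Debugger entry is malicious (real debuggers register there too), so only delete entries that name a scanner or security tool and point at something odd.  Log off and back on after running it so Explorer picks up the cleared policies.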

Programs To Run (For XP Only)

XP_SecurityConsole will often resolve security restrictions just by opening it (make sure you click the Apply button before closing).
http://www.dougknox.com/xp/utils/xp_securityconsole.htm

This concludes the malware removal guide for now.


R------$---- January 31, 2009 at 11:20 am

Hi, malwarekilla. Which security program is best to detect and remove keyloggers?

ComputerHelpGuy1 January 31, 2009 at 11:31 am

Cool! Will you be doing videos on this?

JJ January 31, 2009 at 11:25 pm

Matt,

I hear you use Defense wall on your home PCs.

What do you run with Defense wall? Can I run NIS 2009 or NIS 2009 with it? How about Avira Antivir?

JJ January 31, 2009 at 11:28 pm

I meant to ask: do you run PC Tools Spyware Doctor with AI, Comodo or NIS 2009 with Defense wall?

AZLAN210396 February 1, 2009 at 4:52 am

I thought MBAM will remove the restriction thingy??

Jimmy James February 1, 2009 at 8:11 am

@ JJ

You can run any antivirus/antimalware software with Defensewall and have no conflicts. I run it with ESET Smart Security and everything runs great

malwarekilla February 1, 2009 at 6:23 pm

@Azlan – I think it removes a few, but not all…that’s for sure.

malwarekilla February 1, 2009 at 6:24 pm

@ComputerHelpGuy1 – Yep, it’ll be up in about 2 hours.

Herb March 12, 2009 at 4:29 pm

under your section:

Misc Commands that may help:

do you have a fix for if “you can’t do a Start/Run”?

Thanks

Herb March 12, 2009 at 4:36 pm

On your page:

Malware Prevention Software
http://remove-malware.com/prevention/

you list several SW packages.
I see your comment you’ve tested them.

Do you run all of them all at the same time? If so, do they “play nice” together?

Thanks

kas November 22, 2009 at 11:12 pm

Malwarebytes keeps being rejected upon installing, and an error message comes at the end saying exe file missing
