How do "Powerusers" manually find and remove malware from Windows

Take off and nuke the site from orbit, it's the only way to be sure.

— Aliens

Seriously, flatten the machine. When re-installing, store all your data on an external drive (or two) and don't ever allow executables to be stored on there.

Windows has in effect become a 'disposable' installation and you shouldn't get used to it being around for long before it needs re-installing.

And to directly address your question, that is pretty much what all the 'pros' do now. It's just not worth the effort to poke around with DLLs any more.

As for the 'has work to do' argument, explain that it's like driving a car with a flat. In the long run it will always be quicker to stop and change it than to crawl slowly along because you 'don't have time to stop'.


Real power users don't do this all. Really.

It used to be okay, but things have changed over the last several years:

  1. Modern malware travels in packs. You start out with just one breach, but once breached that first infection will download others.
  2. Modern malware is sneakier. Rootkits are becoming more sophisticated, common, and better at evading detection. Your efforts might remove one infection, but leave a buddy still hiding behind a rootkit.
  3. Modern malware is nastier. It used to just show you ads. Now it steals your credit card numbers, banking password, or identity.
  4. Modern malware goes deeper. Sometimes it simply can't be removed without breaking the infected system anyway.

Put all this together and what it means is that it's just not worth it to fix an infected computer. Instead, back up your data, wipe the hard drive, re-install the operating system and apps, and restore your data. Nuke it from orbit, it's the only way to be sure.

For me, it was item #3 that really tipped the scales to this conclusion. I used to be pretty good at removing bad stuff, to the point where I made a significant portion of my living that way, but we put more valuable information on our computers than we did even a few years ago. I particularly want to address this point:

for now the malware hasn't done anything too obstructive.

How do you know? Are you certain his personal details haven't been hijacked and used to create a green card and credit history for some illegal immigrant in Arizona? That might not show up for a few years, but when it does it can pretty much ruin your life.


Here is the method I use. It is pretty successful and takes less than 90 minutes.


Build a flash drive

Download the following from an uninfected computer and load them onto a flash drive. Alternatively, you can burn these to a CD.

  • XP .exe file extension fix (download here)
  • Malwarebytes Anti-Malware (download here)
  • ComboFix (download here)

(I suggest extracting the EXE fix from the ZIP file and putting the registry file on your flash drive.)


Boot into "Safe Mode with Networking"

On the infected computer, boot into safe mode with networking. This is done by pressing the F8 key on the keyboard BEFORE the "Loading Windows" screen appears.

Insert the flash drive (or CD). If you are running on XP, launch the .exe file extension fix (even if you don't think you have a problem with .exe file extensions.)

Next, install Malwarebytes Anti-Malware. On Vista and Windows 7, make sure to right click on the installer and press, "Run as Administrator".


Updating Definitions

Now that you have Malwarebytes installed, you'll want to check your malware definitions. If you fail to do this step, you will not be removing the entire infection from your computer.

Go to the "updates" tab. Check the definition date. No matter what it says, you should do at least one update for good measure. After the first update, if the date is still older than just a couple days ago, you'll need to do a second update. Sometimes I have to do up to three updates to get Malwarebytes up to date.


Scanning for Malware

Go back to the main tab and choose "Full Scan". An average computer has about 100,000 objects and takes 20-30 minutes to scan. This takes longer if the computer has had multiple service packs on it over the years.

When it finishes, click "Show Results". Double check everything in here and then Remove All. It will show you a text log file (you can close this, it's already saved) and then the program will ask you to reboot your computer. Go ahead and let it reboot.


ComboFix

When your computer reboots, don't go into safe mode.

If you have an antivirus loaded onto your computer, you'll want to disable the active protection that it does for this next step. Many antiviruses, such as Symantec, can be disabled by simply right clicking on the icon in the system tray. Other programs, like AVG, require that you actually go into the program and disable them.

Once you have done that, launch ComboFix from your flash drive (Vista and 7 users will want to right click on ComboFix and press "Run as Administrator.")

Accept the warning notice. ComboFix will check for a new version automatically. If there is one, let it download it. It will tell you that it wants to install the Microsoft Recovery Console, permit it to do that as well. If it detects the presence of a RootKit (it is very good about finding these), it will reboot your computer into a safer environment automatically.

Finally, it will start to scan for infections. After a good 10-15 minutes, it will automatically start removing the infections. The program takes forever to finish and clean up (another 10 minutes) and may reboot a few times during the procedure, so be patient. A text log file will be displayed after the program has finished. Do not close the blue window, it will close on its own. Sometimes it takes up to 10 minutes to close.


Reset Internet Explorer

The last thing to do is open Internet Explorer and reset it to factory settings. This will remove any infected add-ons or dlls that are still lodged into IE. To do this, go to "Tools", "Internet Options", Click the "Advanced" Tab, and press the button toward the bottom that says "Reset".

I would suggest checking "Delete Personal Settings", but this usually works without doing that.


Reaction to Criticism

A lot of computer experts advise against cleaning up malware from a user's computer. They claim that you can never really get the infection off and that you can't trust that Malwarebytes and ComboFix actually found all of the infection.

My best advice is that the people who fall for these scams often fall for them repeatedly (twice a year or so). Spending the time to reload Windows on their computer is a waste, because you'll be back out there again. More importantly, an IT professional is going to charge you for 3-4 hours for a Windows reload, where the procedure listed above can be done in 60-90 minutes.

Just be informative with the user about the dangers of repairing vs. reloading and the cost difference of each. It also doesn't hurt to do occasional scans with an updated version of Malwarebytes or ComboFix over the next couple of weeks to see if you missed anything the first time around.

Additional information: I remove malware and viruses from 3-5 computers per week. My removal process is always evolving to combat the constant new tricks of malware, but this particular method has been my plan of attack for the last four months. If I find in the future that it stops working or that there are changes needed, I will return to this page and make those changes.
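Two of the steps in the answer above can be checked from a shell rather than by trusting a downloaded registry file or a browser reset blindly. The script below is an added example, not part of the answer and not code from Malwarebytes, ComboFix or the ".exe file extension fix": it audits the `.exe` association keys that the fix's registry file restores (the `.exe` -> `exefile` mapping and the `exefile` launch command, which malware rewrites to point at its own executable so that it runs every time any program starts), rewrites them to the stock values when run with `-Repair`, and lists the Internet Explorer Browser Helper Objects with their DLL path and Authenticode status, so you can see which add-on DLLs an IE reset would be discarding. It assumes PowerShell 2.0 or later in an elevated session (a stock XP install does not ship PowerShell, so there you would still use the .reg file), and the "expected" strings are those of a stock Windows installation; the script name and the `-Repair` switch are this example's own.

```powershell
# Added example: audit (and optionally repair) the .exe file association and
# list IE Browser Helper Objects. Not from the original answer or its tools.
# Assumes PowerShell 2.0+ in an elevated session and stock Windows defaults.
# Usage:  .\Check-ExeAssociation.ps1          (report only)
#         .\Check-ExeAssociation.ps1 -Repair  (rewrite hijacked keys)
param([switch]$Repair)

$Launch = '"%1" %*'   # stock launch command for an .exe: the file itself plus its arguments
$Expected = @(
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\.exe';                        Value = 'exefile' },
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command';  Value = $Launch },
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\runas\command'; Value = $Launch }
)
# Per-user keys that shadow HKCR for the current user. They are normally absent
# on a clean machine, so their presence is a sign of a hijack (assumption: stock install).
$UserOverrides = @(
    'HKCU:\Software\Classes\.exe',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice'
)

function Get-Default([string]$Key) {
    # Returns the (default) value of a registry key, or $null if the key is missing.
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    (Get-Item -LiteralPath $Key).GetValue('')
}

function Test-ExeAssociation {
    # $true when every key matches the stock value and no per-user override exists.
    $ok = $true
    foreach ($e in $Expected) {
        $actual = Get-Default $e.Key
        if ($actual -ne $e.Value) {
            $ok = $false
            Write-Warning ("{0} = [{1}]  (expected [{2}])" -f $e.Key, $actual, $e.Value)
            if ($Repair) {
                if (-not (Test-Path -LiteralPath $e.Key)) { New-Item -Path $e.Key -Force | Out-Null }
                Set-ItemProperty -LiteralPath $e.Key -Name '(default)' -Value $e.Value
            }
        }
    }
    foreach ($k in $UserOverrides) {
        if (Test-Path -LiteralPath $k) {
            $ok = $false
            Write-Warning "Per-user .exe override present: $k"
            if ($Repair) { Remove-Item -LiteralPath $k -Recurse -Force }
        }
    }
    return $ok
}

function Get-BrowserHelperObjects {
    # Each BHO is registered by CLSID; the DLL lives in the CLSID's InprocServer32 key.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($bho in Get-ChildItem -LiteralPath $root) {
            $clsid = $bho.PSChildName
            $dll = Get-Default "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            if (-not $dll) { $dll = Get-Default "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid\InprocServer32" }
            $dllPath = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            # An unsigned or missing DLL is not proof of malware, but it is where to look first.
            $sig = if ($dllPath -and (Test-Path -LiteralPath $dllPath)) {
                (Get-AuthenticodeSignature -FilePath $dllPath).Status
            } else { 'missing' }
            New-Object PSObject -Property @{
                Name      = Get-Default "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
                CLSID     = $clsid
                Dll       = $dllPath
                Signature = $sig
            }
        }
    }
}

$clean = Test-ExeAssociation
if ($clean) { ".exe association: OK" }
else        { ".exe association: HIJACKED$(if ($Repair) { ' (repaired)' })" }

"Installed Browser Helper Objects:"
Get-BrowserHelperObjects | Format-Table Name, Signature, Dll -AutoSize
```

Run it from Safe Mode before installing anything: if the `exefile` launch command already points at something other than `"%1" %*`, every installer you double-click will be started through the malware's executable, which is why the answer applies the fix before Malwarebytes. The BHO listing is informational; a reset of Internet Explorer with "Delete personal settings" removes the registrations, but the DLL files themselves stay on disk until a scanner or you delete them.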