Troubleshooting - Malware Removal



Manual Removal of Malware (advanced)

 

Intro

 
With the amount of malicious software around these days, there's a real chance your system gets infected at some point. Sometimes the symptoms are obvious, sometimes not. They range from a randomly crashing system to subtle changes in behaviour. In many cases the system slows down, at first a little, hardly noticeable, then more and more. Another telltale sign is the system connecting to the internet without any command from the user.
 
There are different sorts of malicious software: viruses, trojans, worms, dialers, keyloggers and so on. The names say something about how the software spreads or what it does (a virus infects other files, a worm spreads over the network by itself, a trojan poses as a legitimate program, a dialer makes the modem call an expensive number, a keylogger records what you type), but all of them try to stay on the system and most of them try to stay hidden. You find more info about the different internet and e-mail threats in the internet security and privacy pages on this site. For now, whatever sort of malicious software it may be, we call them all "malware".
 
It's obvious that the first step to take if you think your machine could be infected is to run a virus-scanner and a spyware-scanner. Better still, run two or more programs of each kind (one after the other; don't install two resident scanners at the same time, they get in each other's way); sometimes one program can repair what another can't, and vice versa. And it's a good idea to run those programs regularly, whether you think your system is infected or not. Just play as safe as possible. You find some good anti-virus and anti-spyware programs in the software section on this site.
 
But as it is not always possible to detect and thoroughly remove all traces of malware automatically, it's good practice to know something about doing it by hand. This will also give you some deeper insight into the system, and it will help you to spot malicious programs more easily later. In fact, with a little knowledge and a few easy steps, you can check your system and, if necessary, repair it without much help.
 
So, whether your computer seems to behave strangely or not, take the steps below. Nothing in them will damage your system as long as you understand each step before you do it.
 
 

Overview

 
We'll first see how to detect whether there could be an infection, and what software may be running without the user's consent. A little research is necessary here, for a computer runs many programs in the background, that is, without the (normal) user even knowing it. Many of these programs are loaded (started) at boot time (start-up of the computer). Of course these programs are legitimate and mostly necessary parts of the system. But malicious programs behave more or less the same way: they also may start at boot time, keep running in the background and so on. So we must be able to make a strict distinction between the normal "hidden" system software and any malicious programs.
 
By the way, in the following text we talk about programs and services. For our purpose it doesn't matter much whether some software is called a program or a service, but it's good to know the basic difference. A service is a program that the system starts at boot and keeps running invisibly in the background, whoever is logged in, or even when nobody is; a normal user can't stop it, only an administrator can (from the Services console, see step five). A "normal" program is started by the user (or at least the user must log in before it loads his or her preferences), and it usually runs visibly in a window. Services are mostly used for system-wide functions needed for the system to work: internet connectivity, hardware communication, printing and lots more.
 
If it seems that some malicious, or at least suspicious, software is running or residing on the system, we first try to kill (stop) those processes and find out what triggers them to start. As programs can be started in many ways, we'll look at the different possibilities and block (and remove) the triggers (the startup entries). Then we search for the responsible program files, thus finding out where they are hiding on the system. Finally we remove them, and that's the whole point. Here we go.
 
 

First step

 
And an important one. First thing to do is to switch off the Windows XP System Restore function. Of course you could first try to repair the system with System Restore, but if that didn't solve the problem there's no reason to keep it on. For our purpose it's necessary to switch it off before you reboot after removing the malware, and here is why. System Restore keeps copies of program files in its restore points, stored in the System Volume Information folder, a place where the normal user (and many scanners) can't go. Restore points made while the machine was infected contain copies of the malicious files, and using such a restore point later brings the malware back. Switching System Restore off deletes all existing restore points, infected ones included. So do not forget this step; better switch it off right now, before you begin.
 
Remark: to switch off System Restore, open the System item in the Windows Control Panel, go to the System Restore tab and check "Turn off System Restore on all drives".
 
As a freshly started machine makes things a little easier for our purposes, shut down the system completely (power off) and restart.
 
 

Step two

 
Wait until the system has fully started up; give it the time it needs to show all icons, start things up and so on. Then, when there's no visible disk activity anymore, we do our first checks.
 
Chances of detecting malware in this and the following step are small, but we'll go over the whole system, and it's a way to check a few other important things too.
 
Did any programs visibly start up, e.g. did a program start-up screen (a "splash screen") come up? If yes, is it a program you installed yourself, or at least do you know the program? If you know the program and it's legitimate software, that's okay. Otherwise, remember the name of the program; better write it down, for there may come more things to remember. Then close the program normally.
 
Remark: although programs starting at boot time may be fully legitimate, in most cases it's not necessary that they start together with the computer. Sometimes it's useful, but too many programs loading themselves into memory slow down the system without good reason. So, although this has nothing to do with removing malware (though in some cases you could call it bad software), it's a good idea to check the settings of those programs for an option to switch off the automatic start at boot time. Later on we'll see the different start-up methods and the programs using them. Afterwards you can decide which programs are allowed to run at startup and which ones must be started and stopped like any other application.
 
Now, at first sight, what's running? Look at the small icons at the right side of the taskbar (the notification area, or "system tray"). There may be a clock, a speaker, an icon of your virus-scanner, an icon of your internet connection... not much more. All those icons represent programs running in the background (or at least loaded into memory). Check whether you can see all icons, for some may be hidden (click the arrow on the taskbar to show them). Are there icons you don't know the purpose of? Click them to find out (often a right-click gives an options menu). And do the same as above: programs you know are okay (but remember the remark above; maybe they don't need to start automatically, and then you may want to switch that off afterwards). If you don't know the program, look for its name and write it down.
 
 

Step three

 
Programs can be started by the user, of course, that's obvious. But they can also be started from within the system itself. There are some locations we can check to see what gets started.
 
The first one is the Startup folder of the Windows Start Menu. As there may be more than one user on a computer, Windows has several Startup folders: one per user and one shared by all users. Even if you use your computer alone, there are still more Startup folders to check. We do this from within Windows Explorer. Open it and navigate to C:\Documents and Settings. There you find a sub-folder per user, a sub-folder named All Users, and some more. Let's begin with All Users: open it and go to Start Menu\Programs\Startup (on a non-English Windows the folder names are translated, e.g. Menu Start on a Dutch system). The folder may be empty. If it's not, the contents are shortcuts to programs that start together with the computer. Same procedure as above: check whether you know the programs and, if not, note them for later. Then do the same for the Startup folder under each user's sub-folder of Documents and Settings.
 
If you want a program to start automatically each time the computer starts, you could put a shortcut to it in the Startup folder under All Users or under your user name. But generally there's no need for a program to have a shortcut there. So if you find any shortcuts in one or more of the Startup folders, decide for yourself whether you (or other users of the same computer) find it useful to let those programs start at boot time, and if not, simply delete the shortcuts.
 
 

Step four

 
A little deeper now. Close Windows Explorer, so there are no visible programs running at the moment. We're going to use the Windows Task Manager to see what's running in the background. If you find it in the Start Menu, fine, but the easiest way is to press Ctrl+Alt+Del once: depending on your logon settings Task Manager opens directly, or a Windows Security window appears with a Task Manager button. Ctrl+Shift+Esc opens Task Manager directly in both cases.
 
Remark: you can also start it by clicking Start, Run and typing "taskmgr" (without the quotes).
 
Normally Task Manager opens on the Processes tab, but first have a look at the Applications tab. As we haven't manually started any programs until now (except Task Manager itself, which doesn't show up there), the list must be empty. If it isn't, note the name of the program(s) running. Check the taskbar at the bottom of the screen to see if the program has a button there. If so, click it, which should bring up the program so you can close it normally. If there's no button in the taskbar (except the one of Task Manager itself, of course), then stop the program from within Task Manager (End Task). A warning message may show up; confirm to stop the program anyway.
 
Now click the next tab, Processes. A list of running processes shows up. You will also find Task Manager itself there, named "taskmgr.exe"; as we know we started it ourselves, it's fine for it to run and to show up in the list. When you're working with the computer, every program you start shows up in this list, sometimes accompanied by other files it needs to run. By the way, you can always use Task Manager to stop a non-responding ("hanging") program.
 
Although we haven't started them manually right now, we put the entries of programs we installed ourselves and allowed to run at system start (e.g. a virus-scanner) in the same category. These programs run in the background (without the normal user seeing them) and their entries show up in Task Manager.
 
Besides the program files of the software you started manually, and of the software the user allowed to run at startup, a lot of other entries show up in the Task Manager list. These processes running in the background are part of the operating system, and they must run to make certain functions possible (such as logging on, printing, communication with the outside world and many more).
 
One of those processes is "explorer.exe", the Windows shell: it draws the desktop and the taskbar and runs the Windows Explorer windows, so it's always running, whether you open Explorer or not. Tip: instead of logging out and back in, or restarting, you can end the process "explorer.exe" from Task Manager, which forces the shell to be reloaded. The desktop and taskbar disappear with it; to get them back, use File, New Task (Run...) in Task Manager and type "explorer" (the Windows key alone does nothing while the shell isn't running).
 
Now let's have a closer look at the running processes in the list.
 
First we look for the entries of the first category above: processes which are not part of the operating system itself, but were started by legitimate software the user allowed to run at startup. Here you may find entries from your virus-scanner, a hardware driver's helper program and so on. Which entries these are depends on the software installed on your machine.
 
For the moment, all entries you can recognise by name as legitimately installed software are okay. But because it's not always obvious when (or even whether) the user explicitly gave a program permission to run at startup, it's a good idea to note the process names, so you can change their start-up settings from within the programs afterwards (see above). This matters because some software (an application or a driver's helper program) may never have asked for permission to run at startup, while it isn't needed for the system to work at all. Drivers and other software are often installed by setup programs while Windows already has the needed drivers on board. So make notes of the names.
 
Then we look at the second category of entries: the processes which are part of the operating system and are needed for the system to work. Which processes exactly must run in the background depends on the operating system and its version, and on what the system is used for. Some processes may not be required at all times, although they are started at boot. They could be disabled, but to keep things simple (and because this guide is meant for a home system) we let all processes run which are a legitimate part of the operating system.
 
Because of the differences between operating systems and installed software, it's not possible to give a complete list of the system processes allowed to run. A little research may be necessary here. But we already get a long way with a list of the processes which are legitimate.
 
Here we go. Most certainly you will find some, if not all, of the processes below running. These are all legitimate processes of Windows XP. But take care with the spelling; some malware hides by using a slightly different name. Example: the legitimate process "lsass.exe" is easily mistaken for "Isass.exe" (with an uppercase "I" instead of a lowercase "l"), and "svchost.exe" for "scvhost.exe" or "svch0st.exe" (with a zero). Also, a name alone proves nothing: two different files can carry the same name, and Task Manager on XP only shows the image name, not where the file lives. The real system processes below live in the Windows folder (mostly in %SystemRoot%\system32). On XP Professional you can see the path of every running process with "wmic process get name,executablepath" from a command prompt (Start, Run, "cmd"); otherwise use a tool such as Process Explorer.
 
alg.exe
csrss.exe
explorer.exe
lsass.exe
services.exe
smss.exe
spoolsv.exe
svchost.exe (many instances may occur)
winlogon.exe
 
taskmgr.exe (the task-manager itself)
 
System
 
System Idle Process (on a non-English Windows the name is translated, e.g. "not-active system processes")
 
 
If you find no other entries than the above, perhaps besides entries of programs you recognise, then at least it seems no illegitimate processes are running at the moment.
 
By the way, don't bother about the "System Idle Process", and don't try to look up what it's doing. In fact it does nothing; it isn't a real program, it's how Task Manager shows the processor time not used by anything. So don't worry if Task Manager shows it taking, say, 90% of CPU time: that only means 90% of the processor time is free at the moment.
 
If you find other, unknown processes, it's time to look things up. Use a search engine to find information about the unknown process. In many cases it will be a legitimate process too, started by the operating system to make certain functions possible, or installed by a hardware driver or other software. But check it out, for it could be malware doing things you don't want, every moment your computer runs!
 
If you find such a suspicious entry, try to end that process from Task Manager (End Process). There's no risk in doing this, for nothing is deleted by it: ending a process only stops it until it's started again, at the latest at the next reboot. Sometimes a process won't stay dead and starts again immediately, for instance because a second process watches over it. If malware does this, we'll prevent it from running in the next step.
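As an added example (not part of the original page), the spelling check above done programmatically. The Python script below reads the output of "tasklist /fo csv" (the command-line counterpart of Task Manager's Processes tab, available on XP Professional) and sorts every process name into known, look-alike or unknown, using the list of legitimate XP processes from this page. Folding l/I/1 and o/0 together catches the "Isass.exe" trick, and a similarity ratio catches transposed or doubled letters such as "scvhost.exe". The process list it works on is constructed for the demonstration; "avguard.exe" is a made-up third-party name and the 0.8 threshold is an assumption.

```python
# Check a "tasklist /fo csv" export for process names that mimic the Windows
# system processes. Added example, not from the original page. On XP
# Professional run  tasklist /fo csv > procs.csv  and feed the file's text to
# check_tasklist_csv(); the list below is constructed for the demonstration.
import csv
import difflib
import io

# The legitimate XP system processes listed on this page, plus the idle
# pseudo-process and Task Manager itself.
KNOWN = {
    "system idle process", "system", "smss.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe", "alg.exe",
    "explorer.exe", "taskmgr.exe",
}
# Characters commonly swapped to forge a near-identical name (l/I/1/|, o/0).
LOOKALIKE_CHARS = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})
SIMILARITY = 0.8  # assumed threshold: about one or two characters off


def normalize(name):
    """Lower-case the name and fold look-alike characters together."""
    return name.lower().translate(LOOKALIKE_CHARS)


def classify(name):
    """'known' (on the list), 'lookalike' (mimics a listed name) or 'unknown'."""
    lowered = name.lower()
    if lowered in KNOWN:
        return "known"
    folded = normalize(name)
    for known in KNOWN:
        if folded == normalize(known):
            return "lookalike"
        if difflib.SequenceMatcher(None, lowered, known).ratio() >= SIMILARITY:
            return "lookalike"
    return "unknown"


def parse_tasklist_csv(text):
    """Image names from "tasklist /fo csv" output, header row included."""
    return [row["Image Name"] for row in csv.DictReader(io.StringIO(text))]


def check_tasklist_csv(text):
    """Every distinct process name grouped by verdict, sorted within each group."""
    groups = {"known": set(), "lookalike": set(), "unknown": set()}
    for name in parse_tasklist_csv(text):
        groups[classify(name)].add(name)
    return {verdict: sorted(names) for verdict, names in groups.items()}


# Constructed sample: a normal XP process list plus two look-alikes and one
# third-party program ("avguard.exe", a made-up scanner name) to look up.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"System","4","Console","0","236 K"
"smss.exe","540","Console","0","388 K"
"csrss.exe","604","Console","0","3,712 K"
"winlogon.exe","628","Console","0","4,344 K"
"services.exe","672","Console","0","3,520 K"
"lsass.exe","684","Console","0","1,412 K"
"svchost.exe","848","Console","0","4,872 K"
"svchost.exe","936","Console","0","21,500 K"
"spoolsv.exe","1284","Console","0","4,616 K"
"explorer.exe","1560","Console","0","18,004 K"
"Isass.exe","1640","Console","0","2,108 K"
"scvhost.exe","1700","Console","0","3,016 K"
"avguard.exe","1744","Console","0","9,012 K"
"taskmgr.exe","1800","Console","0","3,928 K"
'''

if __name__ == "__main__":
    for verdict, names in check_tasklist_csv(SAMPLE_TASKLIST).items():
        print(f"{verdict:9s} {', '.join(names)}")
```

The "unknown" group is the one to look up with a search engine, as the text says; the "lookalike" group is the one to treat as hostile until proven otherwise. The script only judges names, so combine it with the path check mentioned above: a process with a correct name running from the wrong folder is just as suspicious.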
 
 

Step five

 
In the above we've detected which processes run in the background, but until now we could only see the names of the processes, not how (and by what program) they were started.
 
As we already mentioned in step three, programs (and services) can be started not only by the user, but also by the system itself. And they can be started in different ways, or, you could say, from different locations.
 
To recapitulate a bit, and hopefully make things clearer: the Startup folder in the Windows Start Menu was such a location. Another, far more interesting, location is the Windows Registry, the big database where Windows and most software keep their settings. It's the heart of the system and we'll dive into it later on.
 
Let's try to find out how (from where) the running processes are started. You use this method to find out how a malware program is started, but of course it shows how any legitimate software is started at boot time too.
 
Just like before, we're going to use a Windows system program for this, namely MsConfig. If you find the program in your Start Menu, that's fine; otherwise click Start, Run and type "msconfig" (without the quotes) to run it.
 
Important: do not stop or disable programs or services from within MsConfig, and after using it, close it with the Cancel button. Although you can disable things here, nothing is removed from the system, and at the next reboot you'll get a message that Windows is in selective startup mode. Disabling in MsConfig can be used as a temporary emergency solution, but it's not part of our procedure.
 
In MsConfig, click the last tab, Startup. There you find not only the names of the programs that start at each system start, but also from which location they are started. That location can be a Startup folder, or more likely a key in the Windows Registry. The Registry is divided into five root keys: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS and HKEY_CURRENT_CONFIG (the names may vary between Windows versions, but this doesn't affect our procedure). Keep in mind that the Startup tab shows the Startup folders and the Run keys, not every place a program can be started from; services have their own tab (see below), and a tool such as Sysinternals Autoruns lists the remaining auto-start locations as well.
 
For instance, you may see the reference "HKLM", short for HKEY_LOCAL_MACHINE, followed by something like "...\SOFTWARE\Microsoft\Windows\CurrentVersion\Run". This means you must look at that location in the Registry. Entries under HKLM start for every user of the machine; the same ...\Run key under HKCU (HKEY_CURRENT_USER) only starts programs for the user who is logged in, and a RunOnce key next to each Run key holds entries that run a single time and are then deleted. It may seem complicated at first, but it works the same way as navigating the folder structure in Windows Explorer: the root key is the drive, the keys are the folders, and the values are the files in them.
 
Now all you have to do is open the Registry and look up the entries you found. To open the Registry Editor, click Start, Run and type "regedit" (without the quotes). Then navigate to the keys just as you would in Windows Explorer. Before you change anything, make a backup: select the key, choose File, Export and save it as a .reg file; double-clicking that file later puts the key back as it was.
 
There you find the entry that starts the program, and with it the name and location of the program file on the hard disk. Write down the location of the file, for if it's malware you'll want to delete it afterwards. From within the Registry Editor you can't delete the file itself; you can only stop the program from starting at system start, which is done by deleting the value (the entry) for that program.
 
Afterwards, after the next reboot, you can look up the files in Windows Explorer and delete them normally.
 
Warning: be careful, you're working in the heart of the system now; do not change anything if you're not sure about it and certainly do not change things just for fun or to see what would happen then.
 
 
Next we go back to MsConfig and look at the second-to-last tab, Services. Because we consider all legitimate services that are part of the operating system itself as allowed to run, you can check the box "Hide All Microsoft Services". This makes things a lot easier, but keep in mind that the filter can only go by the information the service and its program file provide about themselves, which malware can imitate: a malicious service that presents itself as a Microsoft service disappears from the list too, and a genuine Microsoft service whose program file was replaced looks perfectly normal here. The chance is small, and handling it goes beyond the purpose of this guide.
 
What's left in Services now are the entries of programs which the user allowed to start and run in the background. Normally these programs were already identified, or looked up, in the steps before. Any other, unknown program is suspicious and must be checked (see above).
 
If we want to stop a service (say we identified a service as malware, e.g. a program that dials up to the internet every now and then, or any other malicious service), we must follow a slightly different procedure. A service is a bit harder to stop than a normal program that starts from the Registry or a Startup folder. As always, write down the names if not already done.
 
To stop a (suspicious) service we use another Windows tool: the Services console. First close MsConfig (remember to use the Cancel button), then open the Control Panel, double-click Administrative Tools and then Services (or click Start, Run and type "services.msc").
 
Look up the service you want to stop and double-click it (or right-click it and choose Properties). On the General tab you find its display name, its service name (the name used for its Registry key), the "Path to executable" (the program file and its location on the hard disk), a Stop button and the "Startup type" setting. Click Stop and set Startup type to Disabled. After stopping and disabling the service you can look up the program file in Windows Explorer and delete it normally. If Windows refuses because the file is still in use, the reboot in step six takes care of that.
 
The last thing to do after stopping and disabling a service is to search the Registry for its entry and delete that key. You could look under the HKLM\SYSTEM\...\Services keys, where each service has a sub-key named after its service name (with an ImagePath value pointing to the program file), but to be safe just use the Registry search function (Edit, Find) with the service name to locate it. Export the key first (see above) before you delete it.
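As an added example (not from the original page) covering both the Run keys of step five and the Services keys just mentioned: instead of reading each entry by hand in the Registry Editor, you can export the keys to a .reg file (File, Export in regedit, or "reg export <key> <file>" from a command prompt on XP Professional) and let a script pull out the program each entry starts. The Python code below parses such an export, handles quoted and unquoted command lines and the hex(2) encoding regedit uses for %SystemRoot%-style (REG_EXPAND_SZ) paths, and flags entries whose program lives in a user-writable folder such as a Temp folder or a user profile; that flag is this example's heuristic, not the page's. The export it works on is constructed: the Run key and HKLM\SYSTEM\CurrentControlSet\Services are the standard locations, the AVGuard, SystemUpdate and NetDialSvc entries are made up, and C:\WINDOWS and C:\Program Files are assumed as the XP defaults for expanding the variables.

```python
# Audit auto-start entries in a regedit export. Added example, not code from the
# original page. On the machine, run  reg export <key> <file>  for the Run key and
# the Services key (or File, Export in regedit), read the file with
# open(name, encoding="utf-16").read() and pass the text to audit_autostarts().
import re

SYSTEMROOT = r"C:\WINDOWS"          # assumed XP default, expands %SystemRoot%
PROGRAMFILES = r"C:\Program Files"  # assumed XP default, expands %ProgramFiles%
VALUE_LINE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')  # "name"=... or @=...

def _unescape(s):
    # regedit writes \\ for a backslash and \" for a quote inside string values
    return re.sub(r"\\(.)", r"\1", s)

def _decode_value(raw):
    # "string", dword:<hex>, hex(2):<bytes> (REG_EXPAND_SZ, UTF-16LE) or hex:<bytes>
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        data = bytes.fromhex(re.sub(r"[,\s]", "", m.group(2)))
        return data.decode("utf-16-le").rstrip("\x00") if m.group(1) == "2" else data
    return raw

def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a 'Windows Registry Editor' export."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if line.endswith("\\"):  # long hex values wrap with a trailing backslash
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = _decode_value(m.group(2))
    return keys

def executable_of(command):
    """Program path from a Run/ImagePath command line, quoted or unquoted with arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.search(r"\.exe", command, re.IGNORECASE)
    return command[:m.end()] if m else command.split(" ")[0]

def location_verdict(path):
    """Heuristic of this example, not the page's: a program auto-starting from a
    user-writable folder deserves a closer look."""
    p = path.lower().replace("%systemroot%", SYSTEMROOT.lower())
    p = p.replace("%programfiles%", PROGRAMFILES.lower())
    if "\\temp\\" in p or p.startswith("c:\\documents and settings\\"):
        return "user-writable"
    if p.startswith(SYSTEMROOT.lower() + "\\") or p.startswith(PROGRAMFILES.lower() + "\\"):
        return "system-or-program-files"
    return "other"

def audit_autostarts(text):
    """(entry, executable, verdict) for every Run/RunOnce value and service ImagePath."""
    findings = []
    for key, values in parse_reg_export(text).items():
        tail = key.rsplit("\\", 1)[-1]
        if tail.lower() in ("run", "runonce"):
            for name, cmd in values.items():
                if isinstance(cmd, str):
                    exe = executable_of(cmd)
                    findings.append((tail + "\\" + name, exe, location_verdict(exe)))
        elif "\\services\\" in key.lower() and isinstance(values.get("ImagePath"), str):
            exe = executable_of(values["ImagePath"])
            findings.append(("Services\\" + tail, exe, location_verdict(exe)))
    return findings

# Constructed export: a Run key with two entries and two services, one of them bogus.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVGuard"="\"C:\\Program Files\\AV\\avguard.exe\" /min"
"SystemUpdate"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\Isass.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,\
  25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,70,00,\
  6f,00,6f,00,6c,00,73,00,76,00,2e,00,65,00,78,00,65,00,00,00
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDialSvc]
"DisplayName"="Network Dial Service"
"ImagePath"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\svch0st.exe -k netsvcs"
'''

if __name__ == "__main__":
    for entry, exe, verdict in audit_autostarts(SAMPLE_EXPORT):
        print(f"{verdict:24s} {entry:22s} {exe}")
```

Run against the sample, the Spooler service and the scanner in Program Files come out as plausible, while the Run entry pointing into a Temp folder and the "NetDialSvc" service come out as user-writable and so are the ones to research, stop and disable first. The location check is only a first sieve: a verdict of "system-or-program-files" doesn't make an entry legitimate, it just means the name and the path now both have to be checked, as described above.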
 
 

Step six

 
After all this, it's time to reboot. After the reboot, don't forget to remove any (suspicious) program files still left on the system (see step five). Although these files can't do any harm anymore (as long as nobody starts them by hand), the obvious thing to do is to remove them. Files which couldn't be removed before because they were running can now be deleted normally.
 
Important: before rebooting the system, be sure System Restore is disabled (see step one)! After the reboot, and after checking that the system behaves normally again, turn System Restore back on and create a fresh, clean restore point right away.
 

 


 


 



 


All info provided on an "as is"-basis, without any warranty and/or further responsibility whatsoever.
All texts are free for personal non-commercial use. Copyright by the NightOwl.