
Virus/RootKit/Ransomware Removal and CleanUp



    If the usual AV programs don't work (in Windows Safe Mode), try booting from a USB drive.

    On an uninfected PC, partition and format a USB flash drive using RMPrepUSB (this cleans the drive of any virus that might already be on the flash drive).
    The following programs can be downloaded on an uninfected computer and copied to a USB Flash drive.
    Then connect the flash drive to the infected computer and boot from it to run the program. If you have a Windows 8 system, you may need to change the BIOS settings to enable BIOS Legacy or CSM Boot mode (not pure UEFI Mode).

    WARNING: Ransomware is becoming very prevalent and there is no way to recover from it (you can remove the virus but you cannot decrypt your files)!
    This type of malware encrypts your documents and files and then they demand a 'ransom' payment to decrypt it for you. It is important to realise that even if you have synchronised online Cloud Storage folders, these will also get encrypted! Therefore synchronising your documents to the 'Cloud' (e.g. DropBox) does not protect you from Ransomware. PLEASE MAKE SURE YOU HAVE A CURRENT BACKUP OF ALL YOUR IMPORTANT FILES IN OFF-LINE STORAGE - for instance use a 1TB USB 3.0 portable hard drive which you keep in a locked drawer. Set a date in your calendar to make a regular backup onto this drive.
    Tip: Try the free Norton Power Eraser. If used in conjunction with the Norton Bootable Recovery Tool (not free) it can remove CryptoLocker/ransomware. Also try HitmanPro (see below).

    For an independent evaluation of the various AV products available - see here. For test reports see here.
    Rootkit disinfection

    Kaspersky TDSSKiller (time=5 minutes)

    1. Download the TDSSKiller.exe file and copy it to your USB flash drive
    2. Run the TDSSKiller.exe file on the infected target computer (restart, press F8, choose Safe Mode, run TDSSKiller.exe)
    3. Wait until the scanning and disinfection completes.
    4. A reboot might be required after the disinfection completes.

    MBAR - Malwarebytes Anti-Malware (time=2-5 hours)

    1. Download MBAR free version and copy to a USB flash drive (there is also an Anti-RootKit BETA)
    2. Run the program on the target system in safe mode and select the full, deep-scan option
    3. Go and get a cup of tea - it could take a while!

    HitmanPro.Kickstart (anti-ransomware)

    Follow the instructions here (or see Tutorial 119 for a way to add it to a multiboot (E2B) USB removable flash drive). Note: an internet connection is required when you use HitmanPro, so the infected system must be connected to the internet.
    Other bootable AV LiveCD ISOs

    It is better to boot from a clean USB drive to a linux or WinPE-based recovery solution (LiveCD) than try to run a program from the infected Windows system itself.

    Create an Easy2Boot USB drive and download and drag-and-drop these various AntiVirus ISO files to the E2B USB drive's \_ISO\ANTIVIRUS folder. Details on how to make an E2B multiboot USB drive can be found on the E2B Tutorial 72a.
    1. AVG Rescue CD 120.120823 AVG Rescue Toolkit CD ISO here
    2. Kaspersky Rescue CD Kaspersky Rescue Disk ISO here (also .mnu file available so can have updates stored on USB drive)
    3. Bitdefender Rescue CD 2.0.0 Bitdefender ISO here (.mnu available for persistency - keeps downloaded updates in memory - see Tutorial 10 for details)
    4. Dr Web AV CD
    5. Rising AV CD
    6. VBA Rescue CD
    7. EScan Toolkit
    8. Anvi Rescue Disk
    9. Panda Safe CD Panda Security ISO here
    10. Avira AntiVir Rescue System - rescue_system-common-en.iso and Restore CD SATA.iso
    11. Windows Offline Defender - Save as ISO and copy to E2B flash drive.
    12. Dr Web CureIt Live CD
    13. Download ArcaNix
    14. Download Comodo Rescue Disk
    15. Download ESET Rescue
    16. F-Secure Rescue CD
    17. G Data CD boot
    18. Download Norton Bootable Recovery Tool
    19. PC Tools Alternate Operating System Scanner
    20. Quick Heal Emergency disk (WinPE based) - download - install - make ISO
    21. Rising Antivirus Rescue CD (2010)
    22. Sophos Bootable Anti-Virus (see this page for instructions)
    23. Trend Micro Rescue Disk
    24. VBA32 Rescue (use Create bootable drive)
    25. Zillya! LiveCD
    26. VirusBuster Rescue CD
    27. Trinity Rescue Kit
    28. Avast AV Rescue ISO/USB drive (see here for details)

    AV programs to run from within the OS (e.g. Windows Safe Mode)

    Suggested order for disinfecting and speeding up your system

    Keep a download of the following programs on your USB stick and carry it with you everywhere so you can 'rescue' an infected PC. Install them and run them to clean up the PC and improve performance:

    1. CCleaner
    2. MalwareBytes Anti-Malware
    3. MalwareBytes Anti-Rootkit (mbar)
    4. MalwareBytes Anti-Exploit BETA
    5. AdwCleaner
    6. Use Windows Control Panel - Programs - Uninstall programs and uninstall any programs you have never used
    7. Uninstall all AV programs except one AV program (e.g. Avast free)
    8. Run the AV (if using Avast, do a 'Boot-time scan' and check for 'potentially unwanted programs' (PUPs)).
    9. Run MSConfig and disable all unneeded Startup items (if in doubt disable them all except the AV program and then enable any that you find you really need after rebooting!)
    10. In MSConfig - Services - deselect any unwanted, resource hungry services - e.g. Fax, update services, parental controls, Media Centre stuff, Windows Search (use SwiftSearch instead!)
    11. For best performance, change the Windows performance settings (right-click on Desktop - Personalize) to Windows 7 Classic (or Basic, which uses slightly more resources).
    12. Right-click on Computer icon and go to Advanced System Settings - Performance Options - Adjust for best performance - Apply.
    You can also disable System Restore (protection) - remember to make a restore point manually once you have a 'stable' system.
    13. Tweak the AV settings to exclude some folders from scans to improve performance (e.g. if you keep loads of files in D:\MyVideos and you never download files into that folder, then you can exclude it from the AV scans).
    14. Browser - Reset (e.g. Delete Personal Settings in IE) to clear all old settings and passwords, etc. - then in your browser settings, 'Manage your search engines' and delete all but one (e.g. leave Google). Avoid 'Ask' and 'Delta Search'!
    15. Run CCleaner again and Windows Disk Cleanup
    16. Defrag your hard drives (Windows defrag or Defraggler)
    Other Installable Windows AV programs

    Microsoft Security Essentials (free and doesn't slow the system down too much)
    Kaspersky AV (CD On Demand - retail version - special price!)
    Kaspersky PURE (CD on Demand - retail version - special price!) - click here for MAC version
    Norman AV
    Dr Web CureIt
    Emsisoft Anti-Malware Emergency Kit
    AdAware
    Malwarebytes
    Bit Defender AV Plus
    Trend Micro
    McAfee AV Plus
    AhnLab AV and Removal Tools
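
The post above makes the point that once ransomware has run, the malware can be removed but the documents cannot be decrypted, so recovery means restoring from an off-line backup. What a practitioner wants at that stage is a quick picture of the damage: which files were encrypted (renamed with the ransom extension or overwritten in place) and where the ransom notes are. The script below is an added example and is not code from the original post or from any of the tools it lists. The ransom extension list, the ransom-note filename pattern and the entropy threshold are assumptions chosen for illustration (".micro" is the TeslaCrypt extension mentioned later in the thread), and the sample folder it scans is constructed inline.

```python
"""
Ransomware damage triage: walk a folder tree and report which files look
encrypted and which are dropped ransom notes, so you know the scope of what
has to come back from the off-line backup once the malware itself is removed.

Added example, not code from the original forum post. The ransom extension
list, the ransom-note filename pattern and the entropy threshold are
assumptions chosen for illustration.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumed indicator list: extensions appended by ransomware families.
RANSOM_EXTENSIONS = {".micro", ".encrypted", ".locked", ".crypt"}

# Assumed filename pattern for ransom notes dropped beside encrypted files.
RANSOM_NOTE_RE = re.compile(
    r"(recover|restore|decrypt|readme|how_?to).*\.(txt|html|hta)$", re.I)

# Extensions whose genuine contents should be low-entropy text. A file that
# keeps one of these names but reads as random bytes was overwritten in place.
PLAINTEXT_EXTENSIONS = {".txt", ".csv", ".log", ".xml", ".html", ".ini"}

# Shannon entropy in bits per byte: encrypted or random data approaches 8.0,
# English text sits around 4 to 5. The threshold is an assumption.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 65536


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    """Return one of 'ransom_note', 'encrypted', 'suspicious', 'clean'."""
    if RANSOM_NOTE_RE.search(path.name):
        return "ransom_note"
    if path.suffix.lower() in RANSOM_EXTENSIONS:
        return "encrypted"
    if path.suffix.lower() in PLAINTEXT_EXTENSIONS:
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        if shannon_entropy(head) > ENTROPY_THRESHOLD:
            return "suspicious"
    return "clean"


def triage(root: Path) -> dict:
    """Classify every file under root; paths in the report are relative to root."""
    report = {"ransom_note": [], "encrypted": [], "suspicious": [], "clean": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            report[classify_file(p)].append(p.relative_to(root).as_posix())
    return report


def build_sample_tree(base: Path) -> None:
    """Constructed sample data (not real victim files): one untouched
    document, one TeslaCrypt-style renamed file, one text file overwritten
    in place with random bytes, and one ransom note."""
    docs = base / "docs"
    docs.mkdir()
    (docs / "notes.txt").write_text(
        "Meeting notes: check the off-line backup drive on Friday.\n" * 20)
    (docs / "budget.xlsx.micro").write_bytes(os.urandom(4096))
    (docs / "report.txt").write_bytes(os.urandom(4096))
    (docs / "Howto_Restore_FILES.txt").write_text(
        "Your files are encrypted. Pay to get the key.\n")


def demo() -> dict:
    """Run the triage over the constructed sample tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return triage(base)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:12s} {len(paths):3d}  {', '.join(paths)}")
```

Run it against the root of the user's document folders (and, importantly, against the synchronised cloud folder, which the post notes gets encrypted too) from a clean boot environment, not from the infected Windows. The entropy check only covers files whose extension promises plain text, because compressed formats such as .docx, .jpg or .zip are high-entropy even when healthy and would be false positives.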


  • #2
    Cleaning your system out sounds easy the way you just described it. It is interesting to think about, to be honest with you, because a lot of the time the reason your system is running so slow is some random virus that is in your system. Sometimes it's very difficult to locate it, but with these instructions I can see exactly what I need to do.


  • #3
    Thank you for this great post, it will help me a lot.


  • #4
    This is certainly good information in case you get infected with Ransomware. Hopefully we'll never have to actually follow this guide to restore our PCs.


  • #5
    What a nice post this is! Thank you so much for this nice post.


  • #6
    Modern ransomware like .micro file virus (new version of TeslaCrypt) is extremely sophisticated. It destroys shadow volume copies and may remain inactive to get automatically copied into backups. I am not sure any tools can handle the recovery of data after its invasion. Prevention is the best cure.
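
The comment above describes the behaviour that makes "Previous Versions" useless after an infection: the malware deletes the Volume Shadow Copies before (or while) it encrypts. That deletion is done with ordinary Windows tools, which makes it one of the few moments where a ransomware run is cheap to spot in process-creation logging. The script below is an added example and is not code from the original post or from any product named in the thread. The log lines are a constructed, simplified rendering of Windows process-creation events (Security event 4688 / Sysmon event 1), and the command-line indicators are an assumed, non-exhaustive list of the usual shadow-copy and recovery-disabling commands.

```python
"""
Detection of shadow-copy destruction from process-creation events.

Added example, not code from the original post. SAMPLE_LOG is constructed and
the indicator set is an assumption, not an exhaustive list.
"""
import re

# Assumed indicator set: (name, regex over the process command line).
SHADOW_KILL_PATTERNS = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin_resize_storage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no"
                r"|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]

# Constructed log format: timestamp host user pid ppid image cmd="...".
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) pid=(?P<pid>\d+) '
    r'ppid=(?P<ppid>\d+) image=(?P<image>\S+) cmd="(?P<cmd>.*)"$')

# Constructed sample: a user runs a mail attachment, which spawns the usual
# shadow-copy cleanup; the final line is an admin merely listing shadows.
SAMPLE_LOG = r"""
2016-02-03T10:14:02Z host=WS07 user=CORP\alice pid=4120 ppid=988 image=C:\Windows\explorer.exe cmd="C:\Windows\explorer.exe"
2016-02-03T10:14:09Z host=WS07 user=CORP\alice pid=5532 ppid=4120 image=C:\Users\alice\AppData\Local\Temp\invoice.exe cmd="C:\Users\alice\AppData\Local\Temp\invoice.exe"
2016-02-03T10:14:10Z host=WS07 user=CORP\alice pid=5540 ppid=5532 image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe Delete Shadows /All /Quiet"
2016-02-03T10:14:11Z host=WS07 user=CORP\alice pid=5548 ppid=5532 image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic shadowcopy delete"
2016-02-03T10:14:12Z host=WS07 user=CORP\alice pid=5556 ppid=5532 image=C:\Windows\System32\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled No"
2016-02-03T11:02:44Z host=WS07 user=CORP\admin pid=6010 ppid=700 image=C:\Windows\System32\vssadmin.exe cmd="vssadmin list shadows"
""".strip().splitlines()


def parse_line(line: str):
    """Parse one event line into a dict, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def match_indicators(cmd: str) -> list:
    """Names of every indicator whose pattern matches the command line."""
    return [name for name, rx in SHADOW_KILL_PATTERNS if rx.search(cmd)]


def detect(lines) -> list:
    """Return one alert per matching event, enriched with the parent image so
    an analyst can see what spawned the shadow-copy deletion."""
    events = [ev for ev in map(parse_line, lines) if ev]
    image_by_pid = {ev["pid"]: ev["image"] for ev in events}
    alerts = []
    for ev in events:
        hits = match_indicators(ev["cmd"])
        if hits:
            alerts.append({
                "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                "pid": ev["pid"], "indicators": hits, "cmd": ev["cmd"],
                "parent_image": image_by_pid.get(ev["ppid"], "<unknown>"),
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["ts"]} {a["host"]} {a["user"]} {",".join(a["indicators"])} '
              f'parent={a["parent_image"]} cmd={a["cmd"]!r}')
```

The parent-image enrichment is what separates a real alert from noise: an administrator running vssadmin from a console is routine, while vssadmin, wmic and bcdedit fired within seconds of each other from an executable in a user's Temp folder is the pattern to page on. Wire the same regexes into whatever collects 4688 or Sysmon events, and treat a hit as a reason to isolate the host before the encryption finishes, which is the only point at which "prevention is the best cure" can still be acted on.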