Malware removal made simple.ish
By OD / r00ted 30/03/2008
Removing most malware (malware = malicious software) is simple, and here is how. In order for a malware program to cause damage, it has to run. For it to work all the time, it has to start up with the start of your computer, after you logged in, or by some other method. So if you want to stop the malware, first of all you have to find its load point (how it starts up). Remove it there, or simply remove all the files for it. Either method should work fine, but it's better to do both.

There are different ways to remove them, so we will look at each way:

* Live : removing it while the system is still running
* Offline : removing its files, booting back up (restart) and then cleaning up

Before we do any removal we have to know what to remove. This is the tricky part. It takes some research, but there are very helpful websites and tools out there we can utilise to do this. Of course your Anti Virus program (which you might not have :)) may find some files, so you know where to start. The method I generally use is a program which lists every file starting up in a system during the boot process.
I personally use Autoruns, a Sysinternals (now Microsoft) tool. There are others such as HijackThis and the newer RunScanner (great tool). For this example we will use Autoruns: http://www.microsoft.com/technet/sysinternals/systeminformation/autoruns.mspx

Run the tool and press ESC (to stop scanning). Note: it does show what it's doing in the bottom left corner. Click on Options and select:

* Verify Code Signatures
* Hide Signed Microsoft Entries

Now press F5 (refresh) to re-scan the system. There will be a lot less to check through now.

*** Finding Load Points / Identifying Malware

So we are looking at all the different files that are loading on your system that might possibly be bad, and we need to find out which really are bad. To make it a little easier I like to save the entries as a text file (File, Save As, autoruns.txt). I'm also used to people sending me these. Then open this file with Firefox: File, Open File (choose autoruns.txt). I do this because it's easier to google entries. If it is just your own computer, then you will soon learn what is running on it, and the next time you do this you will find it easier. Everybody has different software installed. It's impossible to tell at a glance what is malware; you need to go through each entry and check what it is. A great feature is that you can highlight the filename, right click it and choose Search Google for "something.exe".

A large % of malware will run from the standard Run keys, e.g. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so this is a good place to start. Check where the file is executed from. E.g. if QuickTime is installed, you may see a Run key entry like this:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ QuickTime Task  QuickTime Task  (Not verified) Apple Inc.  c:\program files\quicktime\qttask.exe

Ok, it says 'Apple Inc.', which is good, but it still might be malware even though the name Apple is used. It is executed from the program files\quicktime\ folder, which is good.
So it looks valid. A quick Google search for qttask.exe shows several sites with info on the executable. From liutilities.com: "Process Name: Apple QuickTime Tray Icon". So from all this information we can be quite sure this is a valid application that is loaded. If it were executed from windows\system32 or some odd temp folder (windows\temp) then I would be very suspicious.

OK, so move on to the other entries and see if you can find any bad applications. It's a good idea to have a notepad (or notepad.exe) running to keep notes of what you think is definitely bad, possibly bad, etc., so we can attack or check them later. Now you will notice there are not just .exe's loading but also dll files, and maybe .dat etc. These might all be bad and we still need to check them.

Another very common place for malware to run is the Browser Helper Objects registry key, e.g.:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ Adobe PDF Reader Link Helper  Adobe PDF Helper for Internet Explorer  (Verified) Adobe Systems, Incorporated  c:\program files\common files\adobe\acrobat\activex\acroiehelper.dll

This is showing that the Acrobat Reader dll is being loaded. We know that it's used a lot, but also check the other keys and dlls. The same questions apply here:

* Where is it running from?
* Why is it in system32? (note: valid things executed from there will mostly be system programs)
* Do I know this software?
* What does the Google search show?
* Is it verified?
* Why is it called vxhaqpxbdkkhksszx.dll? (should be easy to google this one :)

Ok, so for any bad or suspicious ones please note down the file, the location (e.g. c:\windows\system32\iamsuspicious.dll), the registry key, and whether you think it is 100% bad or just possibly bad etc.

Ok, so we have a list of bad things: some we need to remove/clean, and some we are not 100% sure of from our research.
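As an added example (not part of the original post), here is a small Python script that applies the questions above to a constructed Autoruns-style text export and scores each load point. The sample entries, the scoring weights and the "long run of consonants" test for keyboard-mash names are my own assumptions, not something Autoruns does.

```python
import re
# Constructed sample in the layout of an Autoruns text export as the post shows it:
# a load-point line, then "+ <entry> [<description>] (Verified|Not verified) [<publisher>] <path>".
SAMPLE_AUTORUNS = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ QuickTime Task QuickTime Task (Not verified) Apple Inc. c:\program files\quicktime\qttask.exe
+ LEgeet fileZ (Not verified) c:\windows\system32\badfile.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ Adobe PDF Reader Link Helper Adobe PDF Helper for Internet Explorer (Verified) Adobe Systems, Incorporated c:\program files\common files\adobe\acrobat\activex\acroiehelper.dll
+ Helper (Not verified) c:\windows\temp\vxhaqpxbdkkhksszx.dll
"""
ENTRY = re.compile(r"^\+\s+(?P<name>.+?)\s+\((?P<sig>Verified|Not verified)\)\s*"
                   r"(?P<publisher>.*?)\s*(?P<path>[A-Za-z]:\\.+?)\s*$")

def parse_autoruns(text):
    """Yield one dict per '+' entry, tagged with the load point (registry key) above it."""
    location = None
    for line in filter(str.strip, text.splitlines()):
        if not line.startswith("+"):
            location = line.strip()
        elif (m := ENTRY.match(line)):
            yield dict(m.groupdict(), location=location)

def longest_consonant_run(stem):
    """Keyboard-mash names like vxhaqpxbdkkhksszx have long runs without vowels (assumed heuristic)."""
    run = best = 0
    for ch in stem.lower():
        run = run + 1 if ch.isalpha() and ch not in "aeiouy" else 0
        best = max(best, run)
    return best

def triage(text):
    """Score each entry with the post's questions: where from, signed, publisher, random name?"""
    results = []
    for e in parse_autoruns(text):
        path = e["path"].lower()
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        checks = [("signature not verified", 1, e["sig"] != "Verified"),
                  ("no publisher", 1, not e["publisher"]),
                  ("runs from a temp folder", 2, "\\temp\\" in path),
                  ("runs from system32 (normal for Windows parts, odd otherwise)", 1,
                   "\\system32\\" in path),
                  ("random-looking file name", 2, longest_consonant_run(stem) >= 5)]
        reasons = [r for r, _, hit in checks if hit]
        score = sum(w for _, w, hit in checks if hit)
        verdict = ("likely bad, get a sample" if score >= 3
                   else "check it (google the name)" if score else "looks ok")
        results.append({"path": e["path"], "location": e["location"],
                        "score": score, "verdict": verdict, "reasons": reasons})
    return results
```

The QuickTime entry lands on "check it", which is exactly the state the post describes: not proven bad, but worth a search before you trust it.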
For the suspicious ones we can upload them to online scanners or AV (anti-virus) companies and wait for a response. The faster possibility is an online scanner, but the more accurate are the AV companies.

** Making things visible

Malware wants to stay on your system, and it does different things to hide itself and attempt to stay on the system. For this part we just want to be able to access the files (copy, upload etc). A very basic way they can hide is to use file attributes:

+s = system file
+h = hidden
+r = read only

To see this info please open the command prompt (Start, Run, cmd [enter]) and type attrib /? [enter]. This will give you info on the attrib tool, which lets you remove these attributes.

To view all files in Windows Explorer, open it and click Tools > Folder Options > View [a tab]:

* Select 'Show Hidden Files and Folders' (+h attribute)
* Unselect 'Hide protected operating system files' (+s attribute)

If you like to use a command prompt, you can use the following command to get a list of files with any attribute: dir /a

** Upload Samples

Ok, let's upload the suspicious files to your site of choice. For this example I will just use ThreatExpert: http://www.threatexpert.com/submit.aspx

I like to make sure that the files are going to be uploaded correctly by creating a folder on my desktop called 'samples'. Then I copy the suspicious files into that folder. Right click on each and make sure it has the same file size (if it doesn't, the copy could have been blocked and will not be uploaded). From the samples folder you can start to upload them and wait for the results. As always, make a note of the result: whether they are malicious or not.

Please note the above site is not 100% exact. Your files are just scanned by malware scanners; they are not analysed by virus analysts as they would be if uploaded to an AV company. So if you want to be 100% sure on a dodgy file, please upload it to the company from whom you use the AV software.
When the above process is complete, you should now have a list of 100% bad files and their corresponding registry keys (load points), so we can go on to the exciting part: cleaning the machine.

*** Cleaning

Disclaimer: Ok, I have to do this part. Neither I, nor the site where you are reading this, take any responsibility if you remove the wrong files or delete the wrong registry keys etc. We take no responsibility for any damage to your PC. Before doing anything you should create a full backup of your system and have a hard copy of any important information etc.

**** Offline

Offline cleaning basically means you are not 'in' Windows. Windows is not running when you are deleting the files on the hard drive. Therefore no malware (so far) can interfere with the removal process, which makes it very easy. The problem is that most people use NTFS and not FAT*, so we can no longer use a basic boot disk and go delete the files. We can use:

* Windows Recovery Console
* Linux boot disk
* BartPE
* maybe other methods

Here we are just going to talk about the Windows Recovery Console to give you an idea how this works. It's quite simple. Just boot your PC from the Windows CD. How to boot from a CD / get into the BIOS: http://www.computerhope.com/issues/ch000192.htm This Microsoft article shows how to use the Windows Recovery Console: http://support.microsoft.com/kb/314058

The malware file and the load point we are looking for is:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ LEgeet fileZ  (Not verified)  c:\windows\system32\badfile.exe

(which from research and uploading we know is bad)

After you have started the Recovery Console, we can simply use basic commands to select and delete the files. E.g. to delete c:\windows\system32\badfile.exe we use dir /a badfile* to see the file, then:

c:\windows> cd system32
c:\windows\system32> del badfile.exe
c:\windows\system32>

Ok, no error, the file is gone.
YAY. Simple, wasn't it :)

Now, though we might not need to do this, we should reboot and clean the registry. In normal Windows mode, open regedit (Start, Run, regedit [enter]). Note: please back up the registry before going mad in here. Navigate to hkey_local_machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. On the right you should see the entry:

Name           Type     Data
LEgeet fileZ   REG_SZ   c:\windows\system32\badfile.exe

Note: it may just say the .exe name without the full path. Now just delete the entry (on the right) for LEgeet fileZ. That is it, that particular malware is gone.

**** Live Cleaning

Some people may not have access to a Linux boot CD or the Recovery Console, or may just prefer to do the live cleaning, as it is much more interesting. Live cleaning is much more difficult, but there are tools that can help us. For this you may need to use your brain a little, but I will try and show you a few things that can go wrong etc. and how to get around them. We will do an example simple(ish) clean and a difficult one.

First of all, please download Process Explorer (another Sysinternals tool): http://www.microsoft.com/technet/sysinternals/Security/ProcessExplorer.mspx Like with Autoruns, extract and run the main exe (procexp.exe). Please note, some malware seems to close this app; if this happens, try renaming the .exe.

** (a) Basic clean: two processes protecting each other

Ok, so we have identified one executable loading at startup from some key, so let's try a few things (that may go wrong). We will stick with the same example as above:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ LEgeet fileZ  (Not verified)  c:\windows\system32\badfile.exe

We try to delete the file and get the error "Access Denied". Hmm, something could be using it. Ok, it's running on startup, so we do ctrl-alt-del and bring up Task Manager, Processes [tab]. There it is running, which is why we can't delete it. So we select it and choose 'End Process'. Bang, it's gone...
One second later... it pops back up. Something is protecting it and has started it back up !! grr.

Ok, so we know where it is loaded from; maybe we can just delete the registry key, reboot, and it's gone. We delete the Run key 'LEgeet fileZ', press F5... IT'S BACK !!!!!!!!! It is protecting its own Run key, clever.

Let's get Process Explorer up and have a look. We can see badfile.exe running and it's purple. Hmm, this means the file is packed (very common for malware, though it can be legitimate). Ok, so we kill the executable again, and we see it pop back up. But this time it is in a different place: it's just under (under and to the right a bit of) another process called badfile2.exe. Hmm, that is what is protecting the other executable. Funnily enough, if we kill the other process, it pops back up under badfile.exe.

Ok, so a nice trick you can do (in Process Explorer or Task Manager) is kill the process tree. There is basically a child and a parent process, the parent being the higher level process. So, when we kill badfile.exe, it is started up again by badfile2.exe; if we kill the parent (badfile2.exe) by process tree, we kill them both. YAY, they have not started back up. All we need to do now is delete the files and clean up the registry.

Please remember the steps in 'Making things visible', and don't forget, if you still can't delete them, try to remove the attributes.

To show them: attrib filename.exe - then check if they have one or all of the H, S, R attributes.
To remove them: attrib -h -s -r filename.exe
To delete (from the command prompt):
cd\ = change to root, e.g. c:\
cd.. = moves back one folder
cd directory = change to directory, e.g. cd windows - changes to the windows directory
del filename.exe = deletes filename.exe

** (b) Advanced Cleaning

Ok, now let's look at more advanced stuff. Still relatively simple, once you have done it once. I am going to use an example of a quite popular trojan, though others use very similar methods. We found our load points...
A few of them this time, but only one dll file. PLEASE make sure you have the correct dll, some look very similar. Don't start to delete keys incorrectly !!!

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
badegg  c:\windows\system32\badegg.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\badegg
c:\windows\system32\badegg.dll

We have seen the BHO (browser helper object) once before, so that's not too bad. It's a dll, again. The other one... hmm, Winlogon Notify. Now, winlogon.exe is a core Windows process. Trying to delete the file fails, just as it would trying to delete an executable while it was running. The dll is loaded. Since it is being used, it's hard to remove it (remember we can always do this offline, but this is the live section). To delete it, we need to stop it being used. DLLs are loaded into executables, so we need to find what is using them and kill those; that should free the file so we can delete it. There are different ways to do this; I'll show you two.

* Command prompt: tasklist /m > c:\mods.txt then open mods.txt and you will see a list of executables and all the modules (dlls) loaded into them. With this list we can go through and see which executable is using the bad dll files.
* Process Explorer: we will stick with Process Explorer for this one. In Process Explorer, do ctrl-f (find) and type in the dll name.

It finds two entries:

explorer.exe
winlogon.exe

Ok, easy.... let's gogogo (or not). So, we kill explorer.exe and the taskbar goes... hmm, ok, that doesn't really matter. Then we kill winlogon.exe - and BLAM, the machine dies :( Let's not do that again.

The trick for winlogon is using Process Explorer. Have a command prompt open when we do this so we can delete the file (Start, Run, cmd).

Kill explorer.exe
Right click on smss.exe and choose 'Suspend'
Now kill winlogon.exe

Notice, the machine is still running. Very good.
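An added example, not from the original post: the "tasklist /m" route above, done in Python over a constructed dump in the same layout the real command prints, to list which processes have a given dll loaded and to flag the hosts the post says need special handling (winlogon.exe, lsass.exe). The process names, pids and module lists in the sample are constructed.

```python
import re

# Constructed sample of "tasklist /m" output: a two-line header, one line per process,
# and module lists that wrap onto indented continuation lines.
SAMPLE_TASKLIST_M = """\
Image Name                     PID Modules
========================= ======== ============================================
System Idle Process              0 N/A
smss.exe                       368 ntdll.dll
winlogon.exe                   612 ntdll.dll, kernel32.dll, badegg.dll,
                                   USER32.dll
explorer.exe                  1432 ntdll.dll, kernel32.dll, SHELL32.dll,
                                   BADEGG.dll, acroiehelper.dll
notepad.exe                   2048 ntdll.dll, kernel32.dll, USER32.dll
"""
PROCESS_LINE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<mods>.*)$")

def _split_mods(chunk):
    return [x.strip() for x in chunk.split(",") if x.strip() and x.strip() != "N/A"]

def parse_tasklist_modules(text):
    """Return a list of (image, pid, [modules]) from tasklist /m output."""
    procs = []
    for line in text.splitlines()[2:]:          # skip the two header lines
        if not line.strip():
            continue
        if line[0].isspace():                   # wrapped continuation of the module list
            procs[-1][2].extend(_split_mods(line))
            continue
        m = PROCESS_LINE.match(line)
        if m:
            procs.append((m["image"], int(m["pid"]), _split_mods(m["mods"])))
    return procs

def hosts_of(dll, text):
    """Which processes have the named dll loaded (case-insensitive, like Windows file names)."""
    want = dll.lower()
    return [(img, pid) for img, pid, mods in parse_tasklist_modules(text)
            if want in (m.lower() for m in mods)]

# Hosts the post singles out, with the handling it describes for each.
FRAGILE_HOSTS = {
    "winlogon.exe": "suspend smss.exe in Process Explorer first, or the box dies",
    "lsass.exe": "Windows starts a shutdown timer after it dies; run 'shutdown -a'",
}

def kill_plan(dll, text):
    """Pair each host of the dll with the note for it, so nothing is killed blind."""
    return [(img, pid, FRAGILE_HOSTS.get(img.lower(), "plain kill / kill process tree"))
            for img, pid in hosts_of(dll, text)]
```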
Now we should be able to delete the file from the command prompt (remembering the attribute things). If it is still not possible to delete, do another ctrl-f (find) and see if anything else is holding onto the file, then take it from there.

Remark: if it is running in lsass.exe, after you have killed it you will need to abort the system shutdown, simply: shutdown -a Then delete the file.

Different processes have different behaviours, but the main/most common ones are listed above.

*** Summary

This covers most of the common malware you will come across but is far from everything; it gives you a basic understanding to see what is going on and where to look etc. Some may be trial and error, until you get it :)

Other items not mentioned:

* Rootkits: for now, please run anti-rootkit tools, some listed at the bottom. For the more curious, try and find new or newly modified .sys files in \drivers or other places (and get samples of them).
* File infectors: speak to your AV company. If your AV does not clean it, they will need samples, and be patient with them.

Stuff to link / list.......

Process Explorer : http://www.microsoft.com/technet/sysinternals/Security/ProcessExplorer.mspx
Autoruns : http://www.microsoft.com/technet/sysinternals/systeminformation/autoruns.mspx
HijackThis : http://www.spywareinfo.com/~merijn/programs.php
RunScanner : http://www.runscanner.net/download.aspx (please support RunScanner, it is a great free app and still in development)

List of places to upload to:

Your AV company
Jotti : http://virusscan.jotti.org/
ThreatExpert : http://www.threatexpert.com/submit.aspx

Recovery Console : http://support.microsoft.com/kb/314058
Knoppix (knopper) Linux live CD (note: you may need to remount the drive to be writable) : http://www.knopper.net/knoppix/index-en.html

Anti-rootkit tools:
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
http://technet.microsoft.com/en-gb/sysinternals/bb897445.aspx