Recently, I’ve seen a bit more virus outbreaks than usual and decided I would share my general approach for remediation. This won’t be an exhaustive guide to eliminate all viruses, but I’ve found a high level of success in this method.
I start by downloading any potential tools I may need, preferably from another machine if possible. Potential tools consist of Malwarebytes, TDSSKiller, FixTDSS, Unhide, and RKill and are all free to use at home. Please be aware that in a business environment, special licensing may be needed as is the case with Malwarebytes. In most cases booting into Safe Mode, updating your antivirus solution, and running a full scan can be sufficient. As viruses have become more difficult to eradicate, I’ve found that other tools are needed more often.
Some viruses run in Safe Mode which prevent your antivirus solution from running and make cleanup much more difficult. In these situations I use RKill.exe. This utility will scan the system for running processes and will kill and stop known viruses. It’s important to remember that you don’t want to reboot the computer after running RKill as it only stops running processes and doesn’t actually remove them. When the computer reboots, those processes will start up again. RKill has a download page with various names in case the virus knows this process and prevents it from running. You don’t need each variation, you can simply rename the process from RKill.exe to anything else. Sometimes you may need to change the extension to “com” if executables are disabled altogether. Once the processes are stopped, you can attempt your virus scanner again to clean the system.
Unfortunately there isn’t a single antivirus tool to detect all potential infections. Rootkits, which appear to be occurring more frequently, often go undetected with many scanners. For this reason, I’ve started running TDSSKiller by Kaspersky in addition to any standard antivirus scan. This utility is strictly a rootkit scanner and has saved computers that appear to be clean according to scan results, but are still having issues. A common sign of a rootkit infection is seeing webpages redirect when they shouldn’t be. There has been a case or two when TDSSKiller just wouldn’t run, and in this scenario I used Symantec’s FixTDSS.exe which detected an infected MBR, cleaned the infection, and allowed me to run TDSSKiller (all after a reboot).
The last utility, Unhide.exe isn’t really a virus cleanup tool. If you’ve ever been infected and found that your desktop, start menu, and C drive were all missing, then Unhide is appropriate. Quite a few viruses like to hide the entire drive directory. Unhide will scan the system and restore the file attributes, effectively making these disappeared files and directories available again.
These utilities can be run in any order, but my general approach is to boot into Safe Mode with networking if possible and run the currently used antivirus, along with an additional scanner (online or another downloaded solution). If the virus is running in Safe Mode then use Rkill. After scanning the system, I run TDSSKiller or FixTDSS if it won’t run. After a reboot, I’ll run another antivirus scan in normal mode to make sure the system is clean. I’ll then run Unhide if needed, check the proxy settings of Internet Explorer to make sure a proxy isn’t listed, and test the system to make sure everything is functional again.
Hopefully these tools will help the next time you come across an infected system.