The "Art" of Malware Removal

This site recently passed the five year mark. During that time, we’ve seen malware issues explode. The malware removal forum has become by far the most popular forum on our message board.

At one time, removing malware generally involved running Ad-Aware, Spybot S&D and using HijackThis to clean up what was left over. However, these old standbys will not remove most of the current crop of infections.

Now we often use tools targeted at specific infections like Smitfraudfix, VundoFix, and FixIEDef. New removal tools like Malwarebytes’ Anti-malware (MBAM) and ComboFix (only to be used under supervision) are more effective at removing modern infections. New malware scanners like Deckard’s System Scanner (DSS) reveal things that HijackThis might miss.

Malware removal guides for common infections have also become popular. However, not all infections have removal techniques or tools that allow for these step-by-step instructions.

Malware authors have taken note of these specialized removal tools, removal guides and other advancements. They’re not sitting still. There are now infections that change almost daily. There are infections that download other malware. The malware infections they download, and the download sources change often. This requires almost daily updates to the removal tools, and makes removal guides difficult, or impossible to keep updated.

When there are no scripts to follow, no special removal tools, it becomes the “art” of malware removal. The art of malware removal is required with new, unknown infections, and these infections that are continually morphing or downloading new payloads. Those being helped can sometimes be confused, or concerned that we don’t know what we’re doing when the person helping asks for a number of scans, or doesn’t offer the same removal instructions that someone else received for a similar infection. While the infections may appear similar they are often different. Also, the same infection may require different techniques on different system configurations.

Since malware is getting so good at hiding from tools like HijackThis, we often request additional scans. We also will sometimes request additional scans to ensure additional infections aren’t missed. If you’re being helped on a forum, and they ask for scans, please complete them all, and respond with the results. While it may be time consuming, rest assured the person helping you is trying their best to help remove all malware from your system.

Finally, people that help remove malware are sometimes called “elitists”. Some seem to think we have a stash of secret removal tools and techniques, and that our geek egos are somehow too fragile to share them. In fact, our goal is to educate so that you don’t become infected. If you become infected, our first step generally includes tools that will remove common infections. We offer removal guides for infections when they’re appropriate. We often have more people asking for help than there are people to help them. It would be silly to withhold information that people could use to safely clean their own system, and we don’t do it.

However, I do agree that the malware removal staff here, and at other sites are “elite”. Malware is getting ever more difficult to remove. To become staff, and be approved to help remove malware, they’ve had to complete intensive malware removal training. This training often takes many months to complete, and involves everything from using HijackThis to authoring advanced registry scripts. The vast majority of people that start training do not complete it. It takes someone special to freely give their time and knowledge to help others. It’s a wonderful community of people, it’s challenging, and it can be very rewarding when receiving a heart-felt thank you.

If you’re unfortunate enough to get a malware infection, we hope you’ll be able to remove it with information found here or elsewhere. If not, we hope you enjoy the experience of working with a malware removal artist. Please complete all the instructions they give you, and don’t forget to say thank you!

  • Tal

    Great post Blair. I think it says everything we malware helpers have on our minds.

  • It should be noted that SUPERAntiSpyware, with over 8 million active users and DDA (Direct Disk Access) technology that will see rootkits others miss is also an effective tool to help in the fight against malware.

  • Blair

    I didn't intend for this post to be an inclusive list of all removal tools that are available, or that we'd recommend. I chose to highlight a few that are homebrewed contributions from members of our anti-malware community. SuperAntiSpyware is a great product, and we often recommend it.

  • Seamey.T

    I would just like to add a comment and thank everyone at GTG for the never ending sterling work they do.
    Like many before me I have fallen foul of Malware and many other problems, but with the help of staff and members they soon got things put right for me.

    So I say a big thank you to all Staff, Members, all who give up their spare time to help and unpaid for that matter.

    To all members who use their services, be polite and support them.

  • The real question is once infected can you remove all the code to the point where you feel comfortable going to your bank site, or other financial sites. For me the answer is no, if I'm infected I just keep a good backup, so I reformat and reinstall. A few years ago it was fairly simple; now, however, after running every product out there and editing the registry the stuff seems to remain.

  • Linda

    I'm hoping for some help.
    I very stupidly downloaded something that contained Vundo something or other. It took over my computer and was BAD. I managed to download a program that got most everything back. However, I'm left with a pernicious code that subverts my web browser. It just won't go to some sites and it won't search some things. Sometimes things show up on websites that say "Your computer might be infected yata yata yata" and it blinks and offers a free scan. One popped up on your site and I'm sure it's not a part. It looks just like the other stupid windows that pop up here and there.

    Anyway . . . I ran Norton AntiVirus, XoftSpyXE, Spyware Doctor and after initially finding things and removing them, they no longer find anything to remove. Same thing happened with an old version of HijackThis. I downloaded the newest HijackThis but there are so many things that showed up, and none of them look really suspicious, that I didn't dare "fix" anything.

    So where do I go from here? Sure hope you can help and I really appreciate any advice.

    ls

  • Mark Cummuta

    All I can say is, nicely written summary of a difficult job! I haven't done in-the-trenches tech support for several years, but I certainly remember what it was like. These systems are intentionally made difficult to edit and alter, specifically so most people could not mess themselves up. So of course, that's exactly what hackers and malware writers edit and alter. Further, they use all manner of social reengineering to get us to download and click on seemingly innocuous links and websites, to get into our machines.

    So, thank you for your efforts and assistance! There are many many beneficiaries of your help "out there" that truly appreciate your assistance. They just might not know how to say thank you very well! 🙂

  • Tommy Thomas

    I have gotten valuable assistance from this site. Bravo! Thank you. I have another problem now that I need help with, please. I picked up a bug that will not let me access my startup page for the internet or run a system restore point. When I run a system restore my computer goes through the motions and locks up on the restart. It will not shut down. When I unplug and restart, I get an error on shutdown message. I cannot shut down from regular computer use either. I contacted Embarq and we shut down my Embarq security and ran a series of checks. Everything pings just fine. No help. I have a Compaq with Dell works inside. Neither company will even discuss anything with me as my system is compromised. If I time my startup, I can access my homepage. It is hit or miss at best. This is the only page that I could get to on your site. Is there a program download available or some help that you may be able to offer. My computer savvy is limited. Again, thank you for your previous recommendations and help.

  • I have extreme problems both accessing your site and navigating the 'rules' imposed for members.
    Bearing in mind I am a newbie to computers and am desperate for help, is it unreasonable to expect that once finally managing to access your site, one is not required to wait hours to access various parts of it to get simple information, like entrance to forums. I do not understand why you have made your site so difficult to understand, especially as most people requiring your assistance are mainly novices to computing.
    It is very frustrating to say the least to read the forums of your sterling work, join as a member and get less 'rights' than being just an ordinary visitor.
    Please explain how, once making a post, one is expected to know who is going to be willing to respond with assistance, if like me, you dare to select the wrong box.
    Due to various popups encountered on my screen, most of a dubious nature, it is becoming really difficult to trust anything one sees or reads on the internet as reliable.
    Please restore my faith in those who are unquestionably savvy in the art of knowing how to overcome problems with viruses etc, that your site is not yet another hoax.

  • Blair

    Thank you for taking the time to comment cassie1052. While it's not really related to this post, and many people successfully navigate the site to get help, I'm sure we can improve.

    I've sent an email to the address you entered with this comment. Please follow up so that we may help you, and in turn help others that may be having the same difficulties.

  • davey88000

    I have been receiving recently a permission request for an addition to my registry for “*SPRTRA”, by my Spybot S&D. I naturally banned it, but every time I reboot my system it keeps trying to be added on. I can’t find a word about it. Is it some type of virus, malware, spyware, residue of another program?? Perhaps you can help me remove it. I am truly stumped. I am running Win XP SPll, and of course NIS 2008. I’ve run Ad-Aware 2007, Windows Defender, not to mention a full system scan by NAV to no avail.

  • Cassie 1052

    Hello again!
    In sheer desperation I have to contact you with a plea for help! Fenzodahl1572 has sent me a link, with an offer to assist me, but once again I am unable to reach the site! It has taken me two days and still....nothing! None of the links you have sent have worked, so this is the only option available....Sorry!
    P.S. I write this after finally managing to access the site but left hanging in mid air waiting for a response in all departments (Total time 18hrs gmt)

  • Blair

    @ Linda & davey8800, the purpose of this article is simply to showcase challenges faced by malware removal staff and forums, not provide support or troubleshooting advice for them.

    If you’re having trouble with a specific infection, I suggest you post a question in a malware removal forum.

    @ Cassie 1052, I personally responded to your comment via email, offering my personal email for feedback. I'm disappointed you didn't choose to reply. You've also had a very timely reply to your forum topic but chosen not to respond.

    All future support comments will be removed.

  • If he is not good at virus removal, it's only a nightmare, not an art :P