There are no guarantees or shortcuts
when it comes to malware removal, especially when dealing with backdoor Trojans
or rootkit components
that can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install.
Some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is hidden piece of malware
) which has not been detected that protects malicious files and registry keys so they cannot be permanently deleted. Other types of malware can even terminate your security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Infections will vary and some will cause more harm to your system then others as backdoor Trojans
not only compromise your system
, they have the ability to download more malicious files. Thus, it may take several efforts with different, the same or more powerful tools to do the job. Even then, with some types of malware infections, the task can be arduous.
In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned, repaired or trusted. Security vendors that claim to be able to remove rootkits and backdoor Trojans cannot guarantee
that all traces will be removed as their tools may not find all the remnants. Further, if something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could loose access to your data.
Many experts in the security community believe that once infected with such malware, the best course of action is to wipe the drive clean, reformat
and reinstall the OS. Please read:
Backdoors and What They Mean to You
Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system
This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?
The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).
: If you are considering reformatting
and a clean install or doing a factory restore with a Recovery Disk/Recovery Partition
due to malware infection, you can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup
any executable files (*.exe), screensavers (*.scr), dynamic link library (*.dll), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise itself by hiding a file extension
or adding to the existing extension as shown here
(click Figure 1 to enlarge
) so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions
. Then make sure you scan the backed up data with your anti-virus prior to
to copying it back to your hard drive.
If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external usb hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data
. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if its worth that risk.
Again, do not back up any files with the following file extensions: exe, .scr, .dll, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.
Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful
so you should still backup your important data right away. If you wish to proceed, please do the following.
Please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help
". If you cannot complete a step, then skip it and continue
with the next. In Step 7
there are instructions for downloading and running DDS
which will create a Pseudo HJT Report
as part of its log.
When you have done that, post your log
in the Virus, Trojan, Spyware, and Malware Removal Logs forum
, NOT here
, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.
Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the Malware Response Team.Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.
Edited by quietman7, 17 October 2010 - 03:14 PM.