DIY: Free tools for removing malicious software

Fighting the malware battle really hurts when you're spending a good deal of your IT budget (if you even have an IT budget) on software to protect machines from attacks. Here's how to do it for free.

Malicious software (viruses, rootkits, trojans, worms, and other malware) is so prevalent that protecting against it, cleaning it up, and removing it seems to be one of IT's primary jobs. No matter how hard you try, or how much you pay for the software you use to protect your desktops, it can feel like a losing battle. Fighting that losing battle really hurts when you are spending a good deal of your IT budget (if you even have an IT budget) on software to protect machines from attacks.

It doesn't have to be that way. I have found plenty of tools that can help in the quest to have a virus/malware-free environment. These tools can be either installed on your machines or used as a toolkit to carry with you to fight the good fight. You won't find enterprise-grade tools here. What you will find are tools I have found to do the best job at keeping my systems clean.

Combofix

Combofix is my first line of defense tool when I suspect something has taken over a machine. But you shouldn't just run this powerful tool without a few considerations. First and foremost, what will Combofix fix? After a successful run of Combofix, you should have cleaned (if applicable) malware, rootkits, trojans, worms, and viruses. What you need to know about Combofix prior to running it is quite important. The single most important issue with Combofix is that you cannot run it with an antivirus tool enabled. With some antivirus solutions you can simply disable the tool (Symantec Endpoint Protection is a perfect example). One particular antivirus solution, AVG, I have found to require complete removal before running Combofix. And to be on the safe side, I prefer to run Combofix with the computer in safe mode. One other note: never download Combofix from any site other than Bleeping Computer or ForoSpyware.

CCleaner

Another free tool, CCleaner does two things incredibly well: it cleans the Windows registry and removes cached web data. There are a lot of registry cleaners available, but CCleaner is the one I always trust. As with any tool, you want to make sure you understand it before using it. And although cleaning cached browser data is fairly harmless, cleaning the registry is not. I highly recommend always making a backup of the registry when using CCleaner for this task. Fortunately, CCleaner has a built-in tool for backing up the registry.
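As an added example (this is not code from the article and is not CCleaner's own backup feature), the following Windows PowerShell script does the registry backup the paragraph recommends in a way that can be verified later: it exports the hives a registry cleaner typically touches to timestamped .reg files, records their SHA-256 hashes, and creates a System Restore point before any cleaning run. The backup folder, the list of hives, and the restore-point description are assumptions chosen for the example.

```powershell
# Added example, not from the article or from CCleaner.
# Back up the registry before running any registry cleaner, and record
# hashes of the exports so a later restore can be checked for corruption.
param(
    # Assumed location for the backups; change to a drive that survives a rebuild.
    [string]$BackupRoot = "$env:USERPROFILE\RegistryBackups"
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Hives a registry cleaner most commonly modifies (assumed list; extend as needed).
$hives = @('HKLM\SOFTWARE', 'HKLM\SYSTEM', 'HKCU', 'HKCR')

foreach ($hive in $hives) {
    # Turn "HKLM\SOFTWARE" into "HKLM_SOFTWARE.reg"
    $file = Join-Path $dest (($hive -replace '[\\:]', '_') + '.reg')
    # reg.exe export writes a complete .reg file that 'reg import' can load back.
    & reg.exe export $hive $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Export of $hive failed (exit code $LASTEXITCODE)"
    }
}

# Record SHA-256 hashes so the exports can be checked before they are re-imported.
Get-ChildItem -Path $dest -Filter '*.reg' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $dest 'hashes.csv') -NoTypeInformation

# A System Restore point covers the registry hives and system files together.
# Requires an elevated session and System Restore enabled on the system drive.
try {
    Checkpoint-Computer -Description "Before registry cleanup $stamp" `
                        -RestorePointType MODIFY_SETTINGS
} catch {
    Write-Warning "Could not create a restore point: $($_.Exception.Message)"
}

Write-Host "Registry backup written to $dest"
```

Run it from an elevated Windows PowerShell prompt immediately before the cleaning run; `Checkpoint-Computer` exists only in Windows PowerShell (not PowerShell 7), so on a newer shell drop that step and rely on the .reg exports. To verify an export before restoring it, recompute its hash with `Get-FileHash` and compare it to the value in hashes.csv, then load it with `reg import`.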

Microsoft Security Essentials

After using so many different anti-virus tools, the one that seems to work nearly as well as any other, without any attached cost, is Microsoft Security Essentials. Not only does this anti-virus tool work well to help prevent infection, it does so with as little drain on the system as nearly any other anti-virus tool.

Malwarebytes

People are always surprised to find out they need anti-spyware as well as anti-virus protection. Of the anti-malware tools I have used, Malwarebytes seems to be the most effective. Now there are two different versions of Malwarebytes: Free and Paid. The biggest difference is that the Paid version has a real-time scanner built in. The free version must be run manually. This is not a problem if you are in control of all the PC scanning, or you can trust your users to manually run the software nightly (as well as manually update the definitions often). If you cannot trust your users to run this piece of software, you might need to buckle down and drop the $24.95 for the licensed version.

Clonezilla

Clonezilla is free, open source software (FOSS) that allows you to do bare metal backups and recoveries. There are two different versions available: Clonezilla Live and Clonezilla SE (Server Edition). As the name implies, Clonezilla Live is a small, bootable live Linux distribution that lets you clone a single machine at a time. The Server Edition requires a DRBL server and allows you to do massive cloning. With the Server Edition you can do large, simultaneous restores quickly (instead of a single clone at a time). Regardless of which version you use, Clonezilla is a very reliable tool for bare metal backups and restores.

Hamachi

Although not a tool that will help you clean up your systems, Hamachi will allow you to add machines to a VPN without the associated costs of a typical VPN. I have already covered this tool in my OpenSource post "Use Hamachi VPN on your Linux clients," so I will let you use that as a basis for installation and use. If you're curious how this can be used as an admin tool, you can always house your toolkit on a machine connected to the Hamachi VPN and then access those tools from anywhere (so long as you can add Hamachi to the machine in question).

Final thoughts

There are so many pieces of software available for the DIY user, which only means more trouble in discerning which ones are worth using. Hopefully the list above will help you narrow down the tools you need to keep around in your DIY toolkit.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

118 comments
alfredan

Use krojam cleaner; it is going to be helpful.

mikifinaz1

...the stupid tools that are hired as IT staff. I only call these arrogant, pompous nitwits when I HAVE TO because of company rules. Often their odious, shortsighted nostrums ARE wrong. After working in the computer industry for what...20 years, I have come to the point where thankfully I can usually avoid them for the whole term of my engagements at most companies.

herman.claus

For using Clonezilla, do not forget the Tuxboot environment -> it installs the latest version of Clonezilla on a USB key to boot from USB. Tuxboot also works for GParted, a low level formatter & partition handler for free (only, when using GParted, do not forget to set the Boot flag on a newly formatted C: drive).

Zoey11

Kindly include the Microsoft Malicious Software Removal Tool in the article. The Malicious Software Removal Tool is an anti-malware utility that checks computers running Windows 7, Windows Vista, Windows XP, Windows 2000, and Windows Server 2003 for infections by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps remove malware and any other infections found.

aclckc

I have noticed in this article as well as in many others, that even 'professional' writers are failing to do 2 things regularly: use spell check before submitting the final article, AND re-read what was written for accuracy. For example, under Combofix, the word simple was used instead of simply. And under CCleaner, the very first word (Another) was mis-spelled. To me this looks very unprofessional, and it is becoming much too common in recent articles. But this writer is not the only one doing it. I have seen it in advertising as well. People are too much in a hurry, and they are relying on technology too much to do the word or re-checking for them. A program can't tell when the wrong word is used, just whether or not it is spelled correctly. Writers need to slow down, take a deep breath, and double-check their work before they approve and post it.

cwilson56

I use these recommended free malware tools daily. These tools get the job done. If you don't use them, please continue to pay for other substitutes.

BenTremblay

Hi - I only found CCleaner interesting. Downloaded it and ran it, feeling kinda grateful. "BOOTMGR missing" ... ever seen that? I did. Tonight. And I've never seen it before. Ever. And when I say "never" I mean "Not at all" ... and I was using DOS before 3.2 ... No. Don't. w/respect, but not thanks --ben

nomadh

I know it's a total no-no but I have found that I can install MSSE and Norton Endpoint, or MSSE and Avira, together. I have had to do these combos a few times now with users who either won't stay out of trouble or can't even recognize when they are in its neighborhood. And both have had no infections after a year or so. Also speed is reasonable still even on older hardware. Those who want to jump to an automatic wipe after an infection may want to consider that if that rootkit is so hidden then maybe they are infected right now and have no hint of it. Better go and wipe/reinstall right now. Just in case. That said I do agree after < 1 hr maybe go to reinstall. I have done a few deep digs that took many hours and even after fully cleaning the PC it still had OS damage that just could not be fixed. So much like a human patient, even a full cure may not repair any of the damage already caused.

OldGyrene

Do any of you commenters actually read what this guy has written? "And to be on the safe side, I prefer to run Combofix with the computer in safe mode." Clearly he doesn't have a clue about what he is writing and my best advice is that anyone seeking usable information should go find a forum with knowledgeable writers. It certainly isn't here.

Krishna66

CCleaner does a good job of general cleaning and registry cleaning. With CCEnhancer it does a Great job. CCEnhancer is the 'NOS' of CCleaner. Open CCEnhancer, download the latest updates, run CCleaner, and see the magic. Revo Uninstaller is not just an uninstaller which removes all the files, folders and registry entries related to the uninstalled application, but much more than that. Run Revo, go inside and discover what all it can do. Glary Utilities, as the name suggests, is a very effective multitasker. My experience tells me it is better than Advanced System Care and other such utilities. I prefer to run the modules individually rather than going in for one click. I have been using these three for years without any problem.

pjb66

This is a GREAT tool. I've been using it since version 1.something and it's only gotten better. Not only can you choose what to clean, you can also choose what registry items are detected. RECOMMENDED :)

mac0252

...from backups which are a part of the weekly required job. Still, I have the job done in about an hour.

Derteufel

User education is the most important part of defense. Of course sometimes they get bored and wander. But it's not a losing battle here. MSE, SEP, and Malwarebytes are my favorites. I see a couple of recommendations here that I will look at further. Good work.

mddenton

HitmanPro has been the most successful I have seen. Faster than all of them.

bev

I had an evil bout with rogue adware at the New York Times last fall. BTW, I did not click on anything - I was simply reading the news at their site and my computer became infected. That was when I seriously began questioning how a computer can become infected by simply browsing a website while also being fully "secured" via great virus protection, firewalled, etc... I was also beta testing a Firefox plugin called "Cocoon" www.getcocoon.com (unfortunately not using Firefox when I went to the NYT's site) and decided to use Firefox + Cocoon after the NYT's infection (even though it was in beta at the time) to guard against potential malware drive-by downloads. I have not been disappointed by this plugin. Basically it does not allow malware to touch your computer because everything works off their servers. It did go into subscription mode last month (though there is a 45 day free trial). I'm still stoked with the potential that this plugin has in terms of Internet Security! With the toolkits that cybercriminals have access to now, they are not directing attacks so much at operating systems anymore, but more toward browsers.

spin498

Seeing as the responses here are all over the ice, it's clear no one is an expert and there are multiple attack angles that work. Wipe a machine? I guess I'm the only one with crummy luck. The cure was worse than the disease; I had to fight with MS for a week to get them to reactivate a licence. Never again. I'll just switch to Linux.

OldGyrene

1 - No, you don't run ComboFix in "Safe Mode" - try reading the actual instructions sometime. 2 - No, you shouldn't use ComboFix as your first response to malware - there are any number of 'targeted' tools that are much better suited than this sledgehammer. 3 - No, MSE is not (entirely) without cost - if you are beyond the 10 user limit, then you need to move to the paid-for Endpoint Protection. I was concerned that so much bad information was posted in a publication that I have respected for so many years - until I read your 'bio'. "Fiction Writer" (obviously) and a LINUS user. 'nuff said.

frendinad

I usually use Microsoft Security Essentials and it's off the hook!!! Big up

beck.joycem

Just last week it got rid of a rogue AV when everything else (McAfee, Malwarebytes, SuperAntispyware etc) was 'diverted' to the rogue, even in safe mode. Presumably because it wasn't installed, just run, so the rogue couldn't bend it in the registry. Rebuilding is often best, but sometimes, as with that one, it would have been a complete pain - Vista, lots of apps with no source, Vista, obscure drivers, Vista, slow PC. And there again, it was Vista. (We did try to persuade the client to let us upgrade to Windows 7, but no luck.) Once the rogue was killed there was very little other infection evident - McAfee had kept out a lot, but, as usual, seems pretty hopeless with rogue AVs.

phototropic

Most "free" anti-malware apps are not free in a corporate environment. It is my understanding that the free version of Malwarebytes is for domestic use only. Likewise, MSE is only free for domestic users and networks of 10 PCs or less. "...And to be on the safe side, I prefer to run Combofix with the computer in safe mode..." This is directly against the stated directions from Combofix's developers: http://www.bleepingcomputer.com/forums/topic286856.html Indeed, Combofix is something I would only use if the PC had a fierce malware infection which did not respond to anything else. "...Combofix is my first line of defense tool..." No way should it be a first line of defence tool. http://www.bleepingcomputer.com/forums/topic273628.html

allexanndrra

I am very pleased with this site. It teaches me many useful things about IT.

aandruli

The Ultimate Boot Disk for Windows has been the #1 recovery solution for me. Lots of free tools in it, connects to the web (to research while cleaning and disinfecting) and even recovered a lost partition once on a customer's PC. I had ransomware on my home PC that gave me no access to lots of important files and, booting up with this, I was able to change the ownership of all the files and gain access once again. And this software, unlike Hiren's, is all legal.

forbes9000

I agree that most of the time a full wipe is the best way to fix an infection. We will take a look at a newly hijacked PC for no more than an hour; if it is caught in time and the user does as instructed when confronted with a "your computer is infected" message in a web browser, then we usually can get it clean quickly, otherwise we have found that almost every minute past 30 is wasted trying to clean a PC. I didn't read all the comments so I am sure this is a dup, but I would have to add HijackThis and Spybot S&D to "the" toolkit. As well as a PE boot environment like Bart's.

adecba2001

You left out Avira antivirus in your write-up. I've used it to manage a network of about 15 online systems for close to 2 years now and I must say I've never experienced any major systems downtime due to viruses. Though I also use Malwarebytes and CCleaner to bolster my network defences. Will try out Combofix soon. Thanks for the tip. Finally, network admins will always have to be on top of their networks as users are either too dumb, lazy or outright rebellious to keep simple rules which ultimately produce healthy networks.

mmcguire

Well from my personal standpoint, I've used all of these tools and can say without a doubt that they are not the best tools, but are the only first line of "FREE" defense out there that does a pretty decent job. I've worked on hundreds of computers that are, have been, or (I know because of the user) will be infected again with some sort of virus, malware, spyware etc. I've successfully cleaned a lot of different computers with these programs, but some were total losses that had to be re-built. The worst part about re-building a computer, either personal or business, is the fact that if they don't have backups, and you know most of the people who ask you to fix their computers in the first place won't have them, they ALWAYS want you to recover their precious vacation photos from 1999 that they never printed. Usually re-build and recovery takes twice as long and can be more difficult than just taking the 2-3 hours to completely clean out a system. Yeah, you run the risk of something that still might be infected, buried deep in the bowels where only the wickedly evil tend to tread, but until there is a REVENGEWARE software built to attack back, we're all going to have to deal with this for the long term. As of right now, I don't know of any one single "FREE" program that will effectively block all variants of spyware, malware, viruses, etc.; that's why you have to pay the money for something that will work. With the free antivirus / spyware / malware programs, firewalls, etc. there will always be that one computer that has all the firewalls up, all the antivirus software installed, yet somehow they call you up to remove the fake antivirus that keeps popping up. If there is such a "FREE" solution out there that someone has invented, that person either is beyond filthy rich, or is not likely to be heard from again.

jacobus57

Many of my residential clients were using AVG (paid) or AVG Free. These are low-risk folks. EVERY machine with these products loaded was hit by some sort of malware. For the folks who would not or could not pony up, I migrated them to Avast! free, and have been very impressed (once it is properly configured) by how light-weight AND robust it is. It blows MSSE out of the water. And of course, prior installations of ANY real-time anti-malware need to be removed. The worst offenders in terms of poor installation and dirty removal are McAfee and Norton, which are also the worst in terms of overhead. Also, Trend has a decent on-line scanning tool for machines whose connectivity isn't hosed.

Craig_B

As a tech, I like to understand the malware: how it got on the system, what it's trying to do, how I can prevent it from being deployed on other systems. As you go through the cleaning process you can start to find out this information. For basic malware that only affects a particular application or process, you may be able to clean it just fine and can verify this if you understand it. Regardless of whether you understand it or not, sometimes it just takes more time to clean it and this is when you would deploy a new image. Of course the best thing is prevention: keeping your software patched, having a firewall properly configured, running an anti-malware program, making regular backups and using your knowledge not to click on every link that is sent to you.

Gis Bun

A few years back I was helping a university clear out a major infection of malware. We were using a piece of software from McAfee. For whatever reason it only worked on floppies [who has them now?] and CDs. Problem was that the definitions were getting so big that it couldn't run correctly even with a DOS extender later on. So McAfee discontinued it. But it worked well until it reached the definition limit. Funny but true - the worst computer was at the security desk at one building!

ndveitch

I have been using Hiren's for a few years now and it comes with a lot of useful tools such as HijackThis, most of the Sysinternals tools, some AV products, and the newer versions also include rootkit tools like GMER. Although most of the tools don't remove the problems, it can help in finding where they are hiding. I would also have to agree that sometimes a complete wipe and reinstall is the answer; sometimes I find it helps to spend some time researching the problem because what I have found is that if one machine gets infected it might not be long until more are infected. If you just format and reinstall you might not find out where the problem is coming from, and once the machine has been redone, give it some time and the infection is back. Not sure about you guys but formatting and reinstalling just because there is some malware can get a bit tiresome, especially if you are in a company. If it is for a home user then I would try and find out a bit more about the infection before reinstalling. Just had to add my 2 cents :)

juwins007

There is a computer I inserted a newly formatted hard disk into, loaded with Win XP Professional, so when I try putting the system on it only shows some CMOS errors at first and I hit F1, but it didn't boot to Windows. I shut down and I try booting again, it brought up the same error and I noticed I had to set the time and date. After that I expect it to continue booting, so it shows me the options at the boot menu like....boot in safe mode, from networking or start Windows normally. But I have a problem: the keyboard doesn't move again to select the options...I try again, same thing. I removed the CMOS battery, cleaned it, same thing; changed memory slot, it just shows me the CMOS error; all that, but when I have the date inserted it still freezes the keyboard and will not boot when it counts to zero.

chrisbedford

You can choose what to clean or fix, indeed - but when faced with a choice of several hundred registry "issues", who chooses? Most (especially those who don't have a deep understanding of what goes on in a registry, and who does unless you work at MS) will get glazed eyes after scrolling through maybe 50 or so, go "oh f(*&^ it", and tell CCleaner to go ahead and fix the lot. Dangerous.

JCitizen

...can only be found by a read-only scan from a rescue CD by some of the better AV makers. They are getting picky though. You have to have their product pre-installed for that to work.

JCitizen

...and also make sure your applications are up to date. Without that you'd be better off with the free Microsoft SteadyState for XP or the paid program from Faronics called DeepFreeze for Vista/Win7.

douglas.gernat

Goes right into newer AV products scrapping the idea of removing malware, but rather preventing it, by either doing like above, or having sandbox modes.

OldGyrene

Clearly this author (a fiction writer) has no in-depth knowledge of the subject. My guess would be a few minutes searching with Google, then write the article. As 'Fiction', it isn't even interesting. If he actually meant it to be fact, he got most of it wrong. V

JCitizen

You know anybody that sells it LEGALLY compiled?

JCitizen

...but the real time protection is not exactly real time; more like slow on the draw. It will recognize the injection packet AFTER it hoses your computer!

forbes9000

And the free solutions work AS WELL AS if not BETTER than crap like Symantec that gets its tangled hooks around everything and, if it goes south, it's harder to eradicate than any malware I have seen. I have a client with end-to-end Symantec and it constantly misses things caught by even quick scans of MWB. So don't start badmouthing freeware that is better and better supported than the dreck companies spend thousands of dollars on.

douglas.gernat

I have to agree that between MSSE, AVG, and Avast, Avast wins. Especially with its new Sandbox abilities. I will say that its upgrade/update process can be a little hokey, but nothing to get excited about.

Dbwolf

That depends on what you use it for. Avast for me turned out to be a resource hog. MSSE caught adware and malware as it tried to install itself on my system. AVG also has become a resource hog for what I use my system for. Of course I'm not delusional enough to just rely on MSSE for protection. I've got other programs on USB sticks that I keep for offline use also. In the end it's your choice for whatever you use your operating system for. No one AV will catch everything. The difference is this: with MSSE you need a legitimate copy of Windows to use it.

JCitizen

...so you can take the infected PC to your lab and work on it at your leisure. A guy can learn a lot that way. But I never connect it to the LAN. Fortunately we had a cheap dial-up account I could use for testing purposes, and not expose the company LAN!

SteelTrepid

Why promote piracy? Sure some tools are out there to help us but I will never use that garbage. I've heard that it is legit now because they removed most of the pirated software but the damage has been done. They pirated software for way too many years. I wish that disc would disappear and the author hung. Some "pros" think it's great but they are lazy and have done a huge disservice to their clients and themselves. Use a legit tool and learn how to clean up malware the right way: with legit tools, some knowledge, and experience.

Gis Bun

Aside from the fact that it has unlicensed/illegal software, it could help with some cleaning.

seanferd

If I'm reading you right, you are connecting to this machine a disk which already has XP installed? As in, it was installed on a different machine? This will not work. If I misunderstood you, try posting your question with clarification by starting your own thread in Q&A.

JCitizen

I've tried a lot of the best payware, and found it totally lacking, compared with the freeware set I use.

douglas.gernat

...But, keep in mind, most paid solutions are Anti-Virus. Too many times the two are confused. I know that anymore, "malware" gets ambiguously thrown over anything that affects a machine, but viruses, worms, etc., which AV programs like Symantec are designed to remove, are quite different than spyware, fakeware, and so on. Sure, Symantec and the like brag about having anti-malware programs built in, but we all know they are simply not enough to cut it. I especially like that you put the free in "", emphasizing that most of these free tools are being abused.

JCitizen

The only reason I can see Avast being a hog is if someone is trying to get away with 512 MB of RAM, but no one in their right mind should be doing that. In my experience, high resource usage with a first install of Avast v. 6 is more likely resident malware trying to hide from it, which is usually unsuccessful. However - no good solution is going to work properly on a hosed PC. If Avast free won't operate properly, it is really time for a total re-installation! I can't recommend the Pro version, because the few features it offers do indeed slow the PC down. Mostly because folks have Blu-rays installed on the PC, and all the attendant DRM spies. None of these works well with ANY good security solution, because they are watching the legal spies watching you. It can be a real mess, but using the right combo can work real well on Vista x64. I can't attest to Win7 yet, because only one of my clients has had a successful .NET and/or SP1 installation!

ndveitch

Sorry guys, I never bothered to check all the software on the disk. I have been using it for the past 2 years now and I really just use it for CCleaner, HJT, Autoruns and whenever I had to boot into a console to work on locked files, as everything is there on one disk. That was one of the main reasons I mentioned it, because I wanted to see if anyone else used it, and now I know why no one talks about it. Sorry again.