How do I clean a system of

Posted on 2009-04-30
Last Modified: 2013-12-09
I've been running into systems that have been infected with Some systems have been cleanable because they were barely hit, but some systems were not so lucky. Does anyone have a good methodology for cleaning a system? On these systems the following files get infected: services.exe, svchost.exe, explorer.exe, etc. What I did was:

1. Disable System Restore, reboot into Safe Mode.
2. Run Spybot, immunize and clean. Use Autoruns to clean up the system and Process Explorer to end anything that may be running.
3. Clean the temp file locations and C:\, C:\windows, C:\windows\system32, C:\windows\system32\drivers of fake files (I usually sort by the date fields, find the newer files and get rid of the suspicious items).

Reboot and the system is still infected. I've also tried this again but also ran the removal tool for from Symantec. Still infected. I've had it 99% clean and then it starts blue screening. I've tried sfc /scannow to repair system files and a Windows repair. System is still infected and unstable.

Is the best option a system reinstall? I want to know the best ways to combat spyware. Reinstalls suck to do compared to being able to save a system.

NOTE: Currently I don't have a system to test this on, I'm looking for good suggestions for combating these threats, good guides or best practices, etc...
Question by:danbnotme
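The "sort the system directories by date and look for suspicious items" step from the question, done as a script rather than by eye. This is an added example, not from anyone in the thread: it lists recently modified PE files under the Windows directories and checks their Authenticode signatures, because a file infector that appends itself to services.exe, svchost.exe or explorer.exe invalidates the Microsoft signature those binaries ship with. Assumed: PowerShell 4 or later, an elevated prompt, and the lookback window and report path shown.

```powershell
# Added example (not from the original thread): flag recently modified executables
# in the Windows system directories whose Authenticode signature is missing or broken.
# Assumptions: PowerShell 4+ (Get-FileHash), run elevated, ideally from Safe Mode.
param(
    [int]$DaysBack = 14,                                       # assumption: lookback window
    [string[]]$Paths = @("$env:SystemRoot",
                         "$env:SystemRoot\System32",
                         "$env:SystemRoot\System32\drivers"),
    [string]$Report = "$env:SystemDrive\suspect-files.csv"     # assumption: output path
)

$cutoff = (Get-Date).AddDays(-$DaysBack)
$results = foreach ($dir in $Paths) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.sys', '.scr' -and
                       $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                SizeBytes     = $_.Length
                SigStatus     = $sig.Status   # Valid, NotSigned, HashMismatch, ...
                Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# A previously signed Microsoft binary that has been modified shows HashMismatch.
# NotSigned on a third-party file is only a lead, not proof: compare it against a
# clean copy of the same file (same OS and patch level) before deleting anything.
$suspect = $results | Where-Object { $_.SigStatus -ne 'Valid' } |
           Sort-Object LastWriteTime -Descending
$suspect | Format-Table Path, LastWriteTime, SigStatus, Signer -AutoSize
$results | Export-Csv -Path $Report -NoTypeInformation
Write-Host "$(@($suspect).Count) of $(@($results).Count) recently modified files lack a valid signature; full list in $Report"
```

The CSV (path, timestamp, signature status, SHA256) is also the evidence you want to keep from the machine if you end up reinstalling, since it records which binaries were touched and when.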
    LVL 15

    Accepted Solution

    Symantec developed a tool here to remove this infection. Give it a try to see if it's successful.

    After that I suggest running the below scans also:

    Download Malwarebytes' Anti-Malware at or double-click on mbam-setup.exe to install the application.

    * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Full Scan, then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * Copy & paste the entire report into your next reply.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Go to and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
    LVL 16

    Assisted Solution

    Virut could be very difficult to remove because this specific variant will infect .exe, .htm, .html, .php, .asp and .scr files ( If it has affected all the exe files within Windows OS (and other exes which have been used), then it would be a big job to actually replace each and every file. Re-install might be your easiest option.

    Always keep your antivirus and OS files up-to-date and give limited access to all users to be able to only do their work. That might help limit the infections to a minimum.
    LVL 47

    Assisted Solution

    If the system has only just been infected and not many files need to be replaced, then also use DrWebCureIt, which is good for removing Virut.

    But if the system has been infected for a while, my suggestion is a reformat and reinstall. Even after all scanners come up clean on a Virut-infected system, we still cannot guarantee that the system is virus-free or error-free afterwards. The safest solution (and the quickest) for a Virut-infected system is to reformat and reinstall.

    Author Comment

    Again, I don't have a system to try this on. But in the future I will try these suggestions and let you know how they work out.

    Greyknight, someone else suggested ComboFix before. Is it just a scanner like HijackThis?
    LVL 15

    Expert Comment

    ComboFix is a tool that removes the common infections that we've seen. It also displays files that were created recently so we can trace them more easily. It's not a tool we recommend using yourself unless you are familiar with using it.

    So in a sense, it's much more powerful than HijackThis. We usually like to see a HijackThis log first as it doesn't make any changes and does give us a general overview of what's currently running.

    Author Closing Comment

    Thanks for the info!
