How To Remove Any Malware-related File
Sometimes the usual methods (booting into Safe Mode) and even more drastic ones (a tool such as Unlocker) fail to remove a file. Below is a method you can use in this case: booting from the Windows installation CD into the Recovery Console, where the installed system, and any rootkit driver that hides or locks the files, is not running.
Warning! This assumes that the computer is for your personal use. If the computer is part of a larger network and you are not authorized to change the settings, please contact your IT department.
What you need:
- A Windows XP installation CD (the process works similarly with other versions of the NT family like Windows 2003 or Vista, however the screens described below are those of XP)
- The password of the Administrator account (the built-in local Administrator account, whose password is usually set during the installation of the system and may differ from the password of the account you normally log on with). If you don't know it, you can reset it before rebooting: open a command prompt in Windows while logged on with an account that has administrator rights and issue
net user Administrator <the password you want to set>
If the password includes a space, surround it with quotes.
- Write down (or print out) the list of files you wish to remove. If you take the list from a BitDefender log file, ignore anything after "=>" (which means "extracted from"): it names an object found inside the file, not a separate file on disk. So from "C:\aaaaa=>bbbbb" you would only write down "C:\aaaaa".
- Put the CD-ROM in your CD drive and boot from it. For this you need to make sure that the CD drive comes before the hard drive in the BIOS boot sequence (consult the manual of your motherboard to find out how to change the boot order) and to press a key when the message "Press any key to boot from CD" is displayed.
- At the first setup screen ("Welcome to Setup"), press R to repair a Windows XP installation using the Recovery Console.
- At the next screen select your Windows installation by pressing the corresponding number followed by Enter (usually you will have only one choice - so press 1. Multiple choices are present only if you have multiple versions of Windows installed on separate partitions)
- Enter the Administrator password (if it is empty, just press Enter), and you will be greeted by a command prompt where you can manage the files. Note that by default the Recovery Console only lets you work in the root folder of each partition, in the %SystemRoot% folder (usually C:\WINDOWS) and its subfolders, and on removable media; a file anywhere else, for example under C:\Program Files, gives "Access is denied" unless the policy "Recovery Console: Allow floppy copy and access to all drives and all folders" was enabled in Local Security Policy before you rebooted, after which you can type set AllowAllPaths = TRUE at the prompt (with the spaces around the equals sign). You can:
- Delete a file by issuing the
del <filename>
command. If the filename contains spaces, surround it with quotes. Before deleting, you can check that the file is really there with
dir <filename>
which also lists its attributes (h for hidden, s for system, r for read-only). If you get an error message (like "No matching files were found"), it is possible that the file you want to delete has the hidden / system / read-only attributes set. Remove them with the following three commands (again, surround the filename with quotes if it contains spaces) and then retry the del:
attrib -H <filename>
attrib -R <filename>
attrib -S <filename>
- Rename the files by issuing the
ren <oldname> <newname>
command. (Again, if any of the file names contain spaces, surround them with quotes so that they are interpreted correctly.) If you wish to keep the files for detailed analysis (to send them to us, for example), rename them instead of deleting them. Note that the Recovery Console's ren only changes the name of a file in place: it does not accept a new drive or path for the new name. To move a file into a different directory at the same time, copy it under the new name and then delete the original. For example:
ren infected.exe file0001.dat
or, to move the file to the root of C: as well,
copy infected.sys c:\file0002.dat
del infected.sys
Two important pieces of advice on choosing the file names: use a non-executable extension (for example .dat) so that the files cannot be started by mistake, and move them to a different directory under a name that is unlike the original (file0001, file0002 and so on). This matters because if you have a rootkit and you boot the machine normally (to send the files to us, for example), the rootkit might hide the files based on their name and / or the directory they are in. If you get an error while renaming or copying the files, try removing the hidden / system / read-only attributes as shown above.
- If the files are in ADSs (Alternate Data Streams: an NTFS feature through which one file or directory can carry several data streams, used by malware like the Rustock family because many tools don't support working with them), you can neutralize them by overwriting the stream with
echo><name of the file>
for example
echo>C:\Windows\System32:lzx32.sys
This replaces the contents of the stream with echo's short status line, so the malicious code is gone even though the stream name still exists. Files in ADSs can be identified by the fact that they contain an additional colon besides the one after the drive letter. In the example above this is the colon between System32 and lzx32.sys: the stream lzx32.sys is attached to the System32 directory itself, which is why it does not show up in a normal directory listing.
- When you are done, remove the Windows XP CD-ROM and reboot your computer (by typing exit, which restarts the machine, or by using the reset button if your computer has one). Don't forget to undo any changes to the boot order you made earlier (again, consult the documentation of your motherboard).
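The whole procedure above, from the scanner log to the commands typed at the Recovery Console prompt, as an added example that is not part of the original article and not a BitDefender tool. It assumes log entries of the form "<path>" or "<path>=>(<object extracted from it>)", like the article's "C:\aaaaa=>bbbbb"; any other detail of the log layout is a guess, and the system root, the quarantine directory and the file00NN.dat naming are assumptions as well. The sample entries are constructed (only the Rustock stream name comes from the article), and one line is repeated on purpose to show deduplication. It also flags paths that the default Recovery Console policy will refuse to touch, which the article's steps do not check for.

```python
"""Turn scanner log entries into the Recovery Console commands to type.

Added example, not part of the original article. It assumes log entries of
the form "<path>" or "<path>=>(<object extracted from it>)", as in the
article's "C:\\aaaaa=>bbbbb"; any other log layout is a guess. The system
root, the quarantine directory and the quarantine naming are assumptions too.
"""
import ntpath  # Windows path handling that also works when run on other systems

SYSTEM_ROOT = r"C:\WINDOWS"  # assumed; "systemroot" in the console switches to it

# Constructed sample entries: the file names are made up except the Rustock
# stream from the article; the third line repeats the first on purpose.
SAMPLE_ENTRIES = [
    r"C:\WINDOWS\system32\drivers\fakedrv.sys",
    r"C:\Program Files\Some App\loader.exe=>(UPX)",
    r"C:\WINDOWS\system32\drivers\fakedrv.sys",
    r"C:\WINDOWS\system32:lzx32.sys",
]


def strip_container(entry):
    """Keep only the part before '=>': that is the file actually on disk."""
    return entry.split("=>", 1)[0].strip()


def is_ads(path):
    """A second colon after the drive letter's colon marks an alternate data stream."""
    return path[1:2] == ":" and ":" in path[2:]


def quote(path):
    """The Recovery Console needs quotes around names that contain spaces."""
    return f'"{path}"' if " " in path else path


def needs_allow_all_paths(path):
    """True if the default Recovery Console policy will refuse to touch the path.

    By default only the root of each partition, %SystemRoot% and its
    subfolders, and removable media are reachable; other folders need the
    'Allow floppy copy and access to all drives and all folders' policy
    enabled from Windows plus 'set AllowAllPaths = TRUE' at the prompt.
    """
    folder = ntpath.dirname(path).rstrip("\\").lower()
    root = path[:2].lower()
    sysroot = SYSTEM_ROOT.lower()
    return not (folder == root or folder == sysroot
                or folder.startswith(sysroot + "\\"))


def unique_paths(entries):
    """Drop the '=>' parts and deduplicate case-insensitively, as NTFS names are."""
    seen, result = set(), []
    for entry in entries:
        path = strip_container(entry)
        if path and path.lower() not in seen:
            seen.add(path.lower())
            result.append(path)
    return result


def restricted_paths(entries):
    """Paths the console will not reach unless AllowAllPaths is enabled."""
    return [p for p in unique_paths(entries) if needs_allow_all_paths(p)]


def recovery_console_commands(entries, quarantine_dir="C:\\"):
    """Commands in the order to run them, one per list element.

    Regular files: clear the H/R/S attributes, copy to a numbered .dat name
    in quarantine_dir (the console's ren cannot change the path, so copy+del
    does the move), then delete the original. Streams: overwrite with echo>.
    """
    commands, counter = [], 0
    for path in unique_paths(entries):
        if is_ads(path):
            commands.append(f"echo>{quote(path)}")
            continue
        counter += 1
        target = ntpath.join(quarantine_dir, f"file{counter:04d}.dat")
        for attr in ("-H", "-R", "-S"):
            commands.append(f"attrib {attr} {quote(path)}")
        commands.append(f"copy {quote(path)} {target}")
        commands.append(f"del {quote(path)}")
    return commands


if __name__ == "__main__":
    for p in restricted_paths(SAMPLE_ENTRIES):
        print(f"WARNING: {p} is outside the default Recovery Console paths")
    print("\n".join(recovery_console_commands(SAMPLE_ENTRIES)))
```

Run it from Windows before rebooting, redirect the output to a text file in the root of C: (a folder the console can always reach), and in the Recovery Console either type the lines one by one or run them with batch C:\clean.txt. A warning line means that path will give "Access is denied" until the policy described above is enabled, so deal with that before you reboot rather than discovering it at the prompt.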