I originally wrote this over a period of time. I started when the most dominant malware around was those fake anti-virus programs – you know, the ones that block your system and try to bully you into paying for an upgrade to remove the so-called virus it finds. In reality, the program itself is probably the only virus on your system.
Then came the scareware claiming to be from a law enforcement agency, locking your system with messages stating you have something illegal on your system. Pay up or go to jail. Today, the main problems, from my experience, seem to be PUPs or Potentially Unwanted Programs, such as toolbars and web browser hijackers.
Most people get these by clicking through an installer without reading it and without unchecking the options for bundled software. The other common route is a browser hijack (usually delivered the same way): the browser is sent to a new "search" page full of ads claiming to have found problems with the computer, along with promises to speed up the system and/or the Internet.
Scan. Scan. Scan.
When attacking malware I first use CCleaner www.piriform.com/ccleaner, not to clean up temp files but to go to the Tools menu and then the Startup options. There I disable any startup items, browser extensions, and Scheduled Tasks that I recognize as not needed. Only experience and/or a good search engine can tell you what to keep or not. Mainly get rid of toolbars, their updaters, "optimization" programs, registry cleaners and any program promising to speed up your system or prevent future problems. Disable rather than delete, so an entry you misjudged can be switched back on. You can also clear out the temp files if you wish. This isn't going to clean any malware, but it usually makes the system responsive enough that the next steps are bearable.
Then I download, install, update, and run the following:
Malwarebytes – www.malwarebytes.org
AdwCleaner
TDSSKiller (Kaspersky)
ComboFix – www.bleepingcomputer.com/combofix/how-to-use-combofix (read the linked guide first; ComboFix makes deep system changes, is not a click-and-forget scanner, and should be run with real-time antivirus protection switched off as the guide describes)
Before running Malwarebytes go into the Settings tab across the top, then down the left-hand side click on Detection and Protection and check the option Scan for rootkits (it is off by default, and rootkits are exactly what a normal scan misses).
Back to the Dashboard, click on Update Now – and then the big blue Scan Now button. I delete anything it finds and restart the system if suggested.
AdwCleaner is pretty straightforward – just click on the Scan button and when finished click on the Cleaning button. This one always asks for a restart. TDSSKiller is also easy to use: accept the End User License Agreement, then accept the KSN Statement and click on Start scan.
If you cannot start up these programs in normal mode, try Safe Mode.
Restart your computer and keep pressing the F8 key on your keyboard. It's a bit tricky, but when you get the timing right you will be taken to a screen with a menu of options such as Safe Mode, Safe Mode with Networking, Safe Mode with Command Prompt, and so on. Use Safe Mode with Networking where possible. Users of Windows 8 and above have to use Shift + F8, or better yet go to the logon screen and hold down Shift while clicking on the power icon and choosing Restart from the menu; then choose Troubleshoot, Advanced options, Startup Settings, Restart, and press 5 (or F5) for Safe Mode with Networking. Safe Mode with Networking gives you Internet access while in Safe Mode, which comes in handy for updating anti-virus and anti-malware programs.
If Safe Mode and Safe Mode with Networking are blocked, try Safe Mode with Command Prompt. You then start up with a black command window; just type explorer.exe and press Enter to bring up the taskbar. You will not have any Internet access here, so you'll have to copy your scanners from another computer to a flash drive or CD. In that case I would recommend the SUPERAntiSpyware portable version – http://www.superantispyware.com/index.html. It comes with the definitions that were current when that build was published, so download it fresh on the clean machine.
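If the F8 / Shift+F8 timing keeps failing, the boot configuration can be told to go to Safe Mode on the next start instead. The following is an added example, not from the original article; it assumes an elevated (Run as Administrator) PowerShell prompt on Windows Vista or later, where bcdedit exists, and a BCD store the malware has not damaged. The braces around {current} must be quoted in PowerShell or it tries to parse them as a script block.

```powershell
# Added example (not from the article): force the next boot into Safe Mode
# with Networking without racing the F8 key. Run from an elevated prompt.

# 0. Sanity check. Some malware deletes the SafeBoot keys; if "Minimal" and
#    "Network" are not listed here, Safe Mode cannot start at all and a boot
#    CD (next section) is the better route.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot' | Select-Object PSChildName

# 1. Mark the current boot entry: next start goes to Safe Mode with Networking.
#    Use "minimal" instead of "network" for plain Safe Mode; for Safe Mode with
#    Command Prompt use "minimal" and additionally run
#    bcdedit /set "{current}" safebootalternateshell yes
bcdedit /set "{current}" safeboot network

# 2. Reboot. The flag is sticky: the machine keeps booting into Safe Mode until
#    it is removed, so do not forget step 3.
Restart-Computer -Force

# 3. Back in Safe Mode, after the scans are done, clear the flag and reboot
#    normally (run the second line only if you set safebootalternateshell).
bcdedit /deletevalue "{current}" safeboot
# bcdedit /deletevalue "{current}" safebootalternateshell
```

The same setting is what the Boot tab of msconfig ("Safe boot" / "Network") writes, so msconfig is the GUI alternative when it has not been disabled.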
In any case, if you cannot update but can get the scanners to run, run them anyway; old definitions still catch far more than no scan at all. Once I have run all the scanners and deleted everything detected, I like to reset the browsers.
Reset your browsers
Reset Internet Explorer – works only with version 7 or higher. Reset it even if it's not the main browser being used: its proxy and connection settings are shared with the rest of Windows, so a hijacked proxy set here affects other programs too.
Open up Internet Explorer, click on the gear-like icon in the top right-hand corner, or the Tools option if you have the top menu bar showing, then Internet Options. When the Internet Options box appears, click the Advanced tab. Under Reset Internet Explorer settings, click on the Reset button. A box opens up – check the option Delete personal settings, then click Reset again. Finally, click Close.
Open the Chrome browser, click on the three black lines stacked on top of each other in the top right-hand corner of the browser (in current versions it is three vertical dots). In the menu that drops down click on Settings. Go to the bottom of the page and click on the blue letters Show advanced settings (Advanced in current versions), then scroll down to the bottom of that page and click on the Reset settings button, then click on Reset in the box that opens. Afterwards check the Extensions page as well, since a reset disables extensions but does not remove them.
Firefox: again click on the three stacked black lines, then click on the little question mark (Help), then Troubleshooting Information, and in the page that opens click on the Refresh Firefox button at top right. Refresh keeps bookmarks, history and passwords but removes add-ons and customized settings, which is what you want here.
Opera – still doesn’t have an easy reset option.
Bootable virus scanners
Of course some malware will disable Safe Mode or render a system unbootable or unusable; then you might have to download a boot CD. My experience with these in the past has been hit-or-miss. Most anti-virus boot CD/DVDs are based on one anti-virus program or another, so what one misses another may catch. Build the disc on a clean computer and download it fresh, so its definitions are as recent as possible.
AVG Rescue CD – Bootable AVG Antivirus CD / USB www.avg.com/us-en/download-file-cd-arl-iso
Avira Antivir Rescue Disk www.avira.com/en/download/product/avira-antivir-rescue-system
BitDefender Rescue CD download.bitdefender.com/rescue_cd/
Kaspersky Rescue CD https://support.kaspersky.com/viruses/rescuedisk#downloads
- Check out Jim Hillier’s recent article for further reading: How To Clean Malware from an Unbootable or Unusable System
For the more technically inclined
Sometimes an extra step or two is needed to clean out a system. In these cases, here are a few suggestions.
- Take note of the name of the fake program and research it online to find the best removal procedure, and make sure all associated files, services and scheduled tasks are removed.
- You can manually check for suspicious files and processes using HijackThis – http://sourceforge.net/projects/hjt/ (old and no longer maintained, but its log is still widely understood on help forums)
- and Autoruns – http://technet.microsoft.com/en-us/sysinternals/bb963902 (in Autoruns, turn on Options > Hide Microsoft Entries and Verify Code Signatures; what is left, especially unsigned entries and entries whose file is missing, is where to look)
Using these requires a bit of knowledge and understanding. Neither deletes anything automatically; they show you just about everything that starts with your computer and give you the option to disable or delete anything you don't want.
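For readers who want the same triage without a GUI, here is an added example (my own, not part of the original article and not code from CCleaner, HijackThis or Autoruns) that lists the autostart locations the CCleaner Startup tool and Autoruns both cover: the Run/RunOnce keys, the Startup folders and non-Microsoft scheduled tasks. It resolves each entry to its executable, checks the Authenticode signature and prints a SHA-256 hash you can look up online. It only reports and deletes nothing. It assumes PowerShell 3 or later on Windows 8 or newer (Get-ScheduledTask does not exist on Windows 7; use schtasks /query /v /fo csv there) and an elevated prompt so HKLM and all tasks are readable.

```powershell
# Added example (not from the article): list autostart entries and flag
# unsigned or orphaned ones. Assumes Windows 8+, PowerShell 3+, elevated prompt.

function Get-AutostartEntries {
    $entries = New-Object System.Collections.Generic.List[object]
    $psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    # Run / RunOnce keys for the machine and the current user (64- and 32-bit views).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $psNoise) { continue }   # PowerShell's own provider properties
            $entries.Add([pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value })
        }
    }

    # Startup folders (anything here runs at logon).
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($f in (Get-ChildItem -Path $folder -File)) {
            $entries.Add([pscustomobject]@{ Source = 'StartupFolder'; Name = $f.Name; Command = $f.FullName })
        }
    }

    # Scheduled tasks outside \Microsoft\ (a favourite home for PUP "updaters").
    foreach ($task in (Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' })) {
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }          # COM-handler actions have no Execute
            $cmd = if ($a.Arguments) { "$($a.Execute) $($a.Arguments)" } else { $a.Execute }
            $entries.Add([pscustomobject]@{ Source = "Task:$($task.TaskPath)"; Name = $task.TaskName; Command = $cmd })
        }
    }
    return $entries
}

# Pull the executable out of a command line such as
#   "C:\Program Files\Foo\foo.exe" /background    or    C:\Foo\bar.exe -x
# Unquoted paths containing spaces are cut at the first space; treat those by hand.
function Get-ExecutablePath([string]$command) {
    $cmd = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(\S+\.(exe|com|bat|cmd|vbs|js|ps1|lnk))') { return $Matches[1] }
    return ($cmd -split ' ')[0]
}

# Annotate every entry with signature status and hash; unsigned and MISSING
# rows sort to the top, which is where the toolbars and "optimizers" usually are.
$report = foreach ($e in Get-AutostartEntries) {
    $exe = Get-ExecutablePath $e.Command
    if (-not (Test-Path -LiteralPath $exe)) {
        # Orphaned entry: leftover of a half-removed program, or a path the malware hides.
        $status = 'MISSING FILE'; $hash = ''
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $status = if ($sig.Status -eq 'Valid') { "Signed: $($sig.SignerCertificate.Subject)" } else { "UNSIGNED ($($sig.Status))" }
        $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
    }
    [pscustomobject]@{ Source = $e.Source; Name = $e.Name; Exe = $exe; Status = $status; SHA256 = $hash }
}
$report | Sort-Object Status | Format-Table -AutoSize -Wrap
```

A valid signature is not proof of innocence (plenty of PUPs are signed), and an unsigned entry is not proof of guilt, but the combination of an unfamiliar name, no signature and a hash nobody has seen is a good reason to research that entry before disabling it.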
Last but not least: don't jump around randomly trying this and that. If you follow the above steps in an orderly fashion you should, in most cases, end up with a clean system again.