Then came the scareware claiming to be from a law enforcement agency, locking your system with messages stating you have something illegal on your system. Pay up or go to jail. Today, the main problems, from my experience, seem to be PUPs or Potentially Unwanted Programs, such as toolbars and web browser hijackers.
Most people get these by installing programs without paying proper attention and failing to uncheck the options for additional software. Another way is when their browser gets hijacked (usually by the previously mentioned method) and is immediately sent to a new search page displaying ads claiming there are problems with the computer, along with promises to speed up the system and/or Internet.
Scan. Scan. Scan.
When attacking malware I first use CCleaner www.piriform.com/ccleaner, not to clean up temp files but to go to the Tools menu and then the Startup options. Then I disable any startup items, extensions, and Scheduled Tasks that I recognize are not needed. Only experience and/or a good search engine can tell you what to keep or not. Mainly get rid of toolbars, their updaters, optimization programs, registry cleaners and any program promising to speed up your system or prevent future problems. You can also clear out the temp files if you wish. This isn’t going to clean any malware, but it usually helps make the system responsive enough that the next steps are bearable.
Then I will download, install, update, and run the following:
Malwarebytes – www.malwarebytes.org
ComboFix – www.bleepingcomputer.com/combofix/how-to-use-combofix
Before running Malwarebytes go into the Settings tab across the top, then down the left-hand side click on Detection and Protection and check the option Scan for rootkits.
Back to the Dashboard, click on Update Now – and then the big blue Scan Now button. I delete anything it finds and restart the system if suggested.
Adwcleaner is pretty straightforward – just click on the Scan button and when finished click on the cleaning button. This one always asks for a restart. Tdsskiller is also pretty easy to use. Just accept the End User License Agreement, then accept the KSN Statement and click on Start scan.
If you cannot start up these programs in normal mode, try Safe Mode.
If Safe Mode and Safe Mode with Networking are blocked, try Safe Mode with Command Prompt. You then start up with a black command window; just type explorer.exe and press Enter to bring up the taskbar. You will not have any Internet access here, so you’ll have to copy your scanners from another computer to a flash drive or CD. In that case I would recommend the Superantispyware portable version – http://www.superantispyware.com/index.html. It contains all updated definitions at the time the program is made available.
In any case, if you cannot update but can get the scanners to run, run them anyway. Once I run all the scanners and delete everything detected I like to reset the browsers.
Reset your browsers
Reset Internet Explorer – works only with version 7 or higher, reset even if it’s not the main browser being used.
Opera – still doesn’t have an easy reset option.
Bootable virus scanners
Of course some malware will disable Safe Mode or render a system unbootable or unusable; then you might have to download a boot CD. My experience with these in the past has been hit-or-miss. Most anti-virus boot CD/DVDs are based on one anti-virus program or another.
AVG Rescue CD – Bootable AVG Antivirus CD / USB www.avg.com/us-en/download-file-cd-arl-iso
Avira Antivir Rescue Disk www.avira.com/en/download/product/avira-antivir-rescue-system
BitDefender Rescue CD download.bitdefender.com/rescue_cd/
Kaspersky Rescue CD https://support.kaspersky.com/viruses/rescuedisk#downloads
- Check out Jim Hillier’s recent article for further reading: How To Clean Malware from an Unbootable or Unusable System
For the more technically inclined
Sometimes an extra step or two are needed to clean out a system. In these cases, here are a few suggestions.
- Take notice of the name of the fake program and research online to find out the best procedure, make sure all associated files are removed.
- You can manually check for suspicious files and processes using HijackThis – http://sourceforge.net/projects/hjt/ and Autoruns – http://technet.microsoft.com/en-us/sysinternals/bb963902
Using these requires a bit of knowledge and understanding. They don’t automatically delete anything but show you just about everything running on your computer while giving you the option to manually delete anything you don’t want.
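If you want to see the same auto-start locations that CCleaner's Startup tool and Autoruns show you before deciding what to remove, here is an added PowerShell triage script (my own example, not part of the original article or any of the tools it mentions). It lists Run keys, Startup folders and scheduled tasks, checks whether each launched binary carries a valid Authenticode signature, and flags names matching the PUP categories above; the keyword list is an assumption, it assumes Windows 8 or later for Get-ScheduledTask, and it only reports, it deletes nothing.

```powershell
# Added example (not from the original article): read-only triage of the auto-start
# locations the article has you clean with CCleaner's Startup tool and Autoruns.
# Keyword list is an assumption drawn from the article's PUP categories.
$Suspect = 'toolbar','updater','optimi','speed','cleaner','search'

function Get-StartupEntries {
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath etc.
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # Startup folders hold shortcuts; the .lnk itself is unsigned, so check its target by hand
    $folders = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    foreach ($f in $folders) {
        Get-ChildItem -Path $f -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name; Command = $_.FullName }
        }
    }
    # Scheduled tasks: where toolbar and "optimizer" updaters usually re-arm themselves
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $t = $_
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }    # skip COM-handler actions
            [pscustomobject]@{ Source = "Task:$($t.TaskPath)"; Name = $t.TaskName
                               Command = "$($a.Execute) $($a.Arguments)".Trim() }
        }
    }
}

function Get-ExePath([string]$cmd) {
    # Executable from either "C:\dir\app.exe" /arg or C:\dir\app.exe /arg
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return [Environment]::ExpandEnvironmentVariables(($cmd -split '\s+')[0])
}

Get-StartupEntries | ForEach-Object {
    $entry = $_
    $exe = Get-ExePath $entry.Command
    $sig = if ($exe -and (Test-Path -LiteralPath $exe)) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }
    $hit = @($Suspect | Where-Object { "$($entry.Name) $($entry.Command)" -match $_ }).Count -gt 0
    $entry | Select-Object @{n='Flagged';e={ $hit -or "$sig" -ne 'Valid' }}, @{n='Signature';e={ "$sig" }}, Source, Name, Command
} | Sort-Object Flagged -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell so the HKLM keys and all-users task folders are readable; a flagged entry is a prompt to research the name, as the first bullet above says, not proof that it is malicious.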
Last but not least; don’t jump around all over the place randomly trying this and that. If you follow the above steps in an orderly fashion you should, in most cases, end up with a clean system again.