Removing Malware from your system

There are a number of programs and techniques used to kill malware.  None is 100% comprehensive, not even close in fact (some studies show any one program managing to eradicate little more than 30% of all malware, although this is extremely hard to assess and measure).  I have found that in many cases a bit of caution and scans with several different cleaners can *usually* remove most active malware; however this is a very grey area and one that is very poorly addressed by the industry.  In general I recommend that you:

  • Run some basic protection to stop your system from reaching known malicious sites
  • Run frequent malware scans with a number of different tools
  • Always be suspicious about installing unknown programs and toolbars, especially those which are "bundled" in with a program or utility that you originally set out to install
  • If a video link says you have to "download this player to view this file", don't: it is often malicious and dangerous
  • I always avoid installing toolbars, search helpers or other things that are "also installed" when you install a program.  Many vendors rely on this revenue, but they also absolve themselves of all responsibility for what that software does later on.  Their few cents isn't worth the months or years of heartache that you could endure

When cleaning a system I tend to use the following programs (sometimes one or two, sometimes all of them).  Their scans often overlap one another, but each is a fairly good program in its own right.  You almost always need to download the latest version, or at least update the program's signature database (most include a facility to do this or to check for updates).

IMPORTANT NOTE:  These sites were believed to be correct at the time of writing, however download locations can change.  Be wary of downloading these programs from other sites too; there are nefarious programs masquerading as anti-malware scanners, and even faked or modified versions of these well known programs, which claim to clean your system while installing their own malware payload.  Where the installer is digitally signed, check the publisher's signature before running it (right-click the file, Properties, Digital Signatures tab).  These steps are intended for Microsoft Windows systems; I have not included any remedial measures for other environments (e.g. Macintosh OSX, Linux, Android, iOS, etc.).

Download these four programs:

ADWCleaner
https://toolslib.net/downloads/viewdownload/1-adwcleaner/
Installs: May create a directory in the root of the system drive (C:\ in most cases) called AdwCleaner.  This holds logs of scans and removals, and a Quarantine directory where files found during scans are kept; you may need them to restore program or system functionality if something stops working after removal.
Details: A particularly aggressive and effective scanner.  It is simple to use: it scans for everything it regards as malware of any sort and marks it for removal, dividing the findings into tabs (one for programs, one for registry entries, one for cookies, etc.).  I often run this program first as its initial clearance rate tends to be very high.  It always requires you to restart your system after its initial sweep, as some malware stays resident in memory.

JRT - Junkware Removal Tool
http://thisisudax.org/
Installs: Very basic; it runs in a DOS-style (console) window and can check whether it has been updated when run.
Details: A very small and seemingly basic program with a fairly limited range of malware detection, however it has proven to be a useful addition to the scanning suite as it deals with some malware which evades other measures.  It is a useful second scan step as it is small and relatively easy to run.

Malwarebytes
https://www.malwarebytes.org/
Installs: The freeware version installs as a full, regular program.  The freeware version must be manually updated and scans are performed manually.
Details: A larger and more well known anti-malware program.  It has a good detection rate and can update both its internal database and the program core; it will advise you if it is out of date.  It can perform a range of scan types and may find malware that has not been picked up by other applications.  The commercial version also has resident protection (which helps avoid re-infection later on) and can schedule updates and scans automatically.

SpywareBlaster
http://www.brightfort.com/spywareblaster.html
Installs: Small program installation; modifies the system HOSTS file.
Details: This program is different from the others in that it is not a scanner; it updates the system to block known malware sites so the system cannot find them.  It works by adding a list of known dangerous malware sites to the HOSTS file (a local text file that maps host names to IP addresses, which Windows consults before asking DNS) and pointing each of them at a local address (called "localhost", 127.0.0.1).  If the system becomes infected, or a web page tries to reach one of those sites, the request goes to the local machine instead of the malicious server.

What to do now:

Fighting malware can be difficult – many programs are designed to "fight back" by stopping well known anti-malware measures from finding them.  Some even block your access to malware-removal sites; they do this by masquerading as "security software" and claiming that the legitimate product is "dangerous" when it is not.

Depending on how bad the infestation is, you may be able to return the system to normal with a simple set of scans and removals; however I've seen some which were so bad that the data had to be carefully evacuated and the system completely wiped and rebuilt from scratch, obviously a very time consuming exercise.

I'll outline an approach here that I have used with success on a number of systems (using Windows 7 as the main platform); you may need to alter some steps for Windows 8.x, Windows XP, 2000, Vista, etc.  If you're not sure, it's best to pay a professional to do this for you.

REMEMBER – ALWAYS BACKUP YOUR DATA FIRST.   Make sure you back it up to somewhere that can be recovered from too; another directory on the same system is not enough, because it is lost along with everything else if the system has to be wiped.  If the system is damaged in such a way that it can't boot, the infection doesn't go away, or your data files themselves have been infected, you will need professional assistance to recover the system.

As always, I offer no guarantee or warranty for this procedure; it is simply one that I have found to be successful in most cases.  Some infections require additional cleaning measures; often this involves looking for specific behaviour, searching for information on that behaviour from trusted sources only, and then finding utilities and cleaning measures to fix that particular problem.  In most cases however I have found that these programs work fairly well; more recently I've found that they have a fairly good hit rate for most common malware.

  1. Back up your data to somewhere off the system; make absolutely sure this is secure before you start.  Do not overwrite earlier backups either: if your data files are infected you will be in a more serious situation.
  2. Download the four programs listed above; I'd bring in all of them, they're not very large and are either freeware or have freeware versions which you can use without charge.  If the infected system blocks the downloads, fetch them on a clean system and copy them across on removable media.
  3. Look at every browser on your system (Internet Explorer, Chrome, Firefox, etc.).  Take a note of the home page each now opens on start-up, any toolbars installed, and the search engine configuration.  Typically these have been altered and you may have new unwanted toolbars and other programs installed.  Some of these you can uninstall manually; you will usually need to research them on another system though, as the hijack software that is blocking your browser is often set up to stop you reading about how to remove them.  Either way it's important to note what the configuration has been set to.

 

Step 1 – run ADWCleaner

Start by installing and running ADWCleaner; be prepared for it to restart your system, potentially a few times.  Click on the SCAN button and below it you will see a series of tabs that start to fill with found services, folders, files, scheduled tasks, etc.; they are marked for removal by default.  Generally you can click on "Cleaning" after this, and the program may then ask to restart because some of the items are currently locked (they are in use and cannot be removed until the system restarts).

After the restart it should show you a report/log of what was cleaned.  You can run ADWCleaner again if you want to, however this is usually not necessary.

Step 2 – run Malwarebytes (freeware version)

This program will install and then ask you to go online to update; do so, it will update itself automatically.  Run a FULL scan; it may find some things that weren't marked in ADWCleaner.  It too may require a system restart, although it doesn't always.

 

Step 3 – install JRT (Junkware Removal Tool).  This step is optional.

This program may find some things that the others didn't; it's a small step to perform and doesn't take very long, so it is worth trying.

Step 4 – run SpywareBlaster.

This program doesn't scan or remove infections.  What it does is update a local file called "hosts" (in C:\Windows\System32\drivers\etc) which maps host names to IP addresses and is consulted before DNS.  It sets the system up so that if anything tries to reach a known malware or hijack site it is instead directed to the local machine (127.0.0.1), stopping your system from even going there in the first place.  This program also needs to be updated when you first run it; it has an update button to do this.
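To make the HOSTS mechanism described above concrete, here is an added example (my own illustration, not code from this article or from SpywareBlaster) that appends a small block list by hand and then checks that the names resolve to the local machine.  The three host names are constructed placeholders, the file location is the standard Windows one, and the script assumes an elevated PowerShell prompt because the hosts file is write-protected for ordinary users.

```powershell
# Added example (not part of this article or of SpywareBlaster): the HOSTS
# blocking technique done by hand, so the mechanism is visible.
# ASSUMPTIONS: the three host names below are constructed placeholders, not
# real malware sites; run from an elevated (Administrator) PowerShell prompt,
# as the hosts file is protected.  Written to run on PowerShell 2.0 (Windows 7)
# and later.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$sinkhole  = '127.0.0.1'   # "localhost", as the article describes; 0.0.0.0 also works
$blockList = @('bad-toolbar.example', 'hijack-search.example', 'fake-player.example')

# Keep a dated backup before touching a system file, so the change can be undone.
$backup = "$hostsPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $hostsPath -Destination $backup

# Collect the host names already present (ignoring comments and blank lines)
# so that duplicates are not appended.  Values are the address each maps to.
$existing = @{}
foreach ($line in Get-Content $hostsPath) {
    $clean = ($line -split '#')[0].Trim()
    if ($clean -eq '') { continue }
    $fields = $clean -split '\s+'
    if ($fields.Length -lt 2) { continue }     # malformed line: address with no name
    foreach ($name in $fields[1..($fields.Length - 1)]) {
        $existing[$name.ToLower()] = $fields[0]
    }
}

# Build the new entries.  The leading empty line guards against a file that
# does not end with a newline; otherwise the first entry would be glued to
# the last existing line and ignored by the resolver.
$added = @('')
foreach ($name in $blockList) {
    $key = $name.ToLower()
    if ($existing.ContainsKey($key)) {
        if ($existing[$key] -ne $sinkhole) {
            # Malware edits this file too, to redirect sites; surface that rather than overwrite it.
            Write-Warning "$name is already in hosts but points to $($existing[$key]); inspect it by hand"
        }
        continue
    }
    $added += "$sinkhole`t$name"
}

if ($added.Count -gt 1) {
    # The hosts file must be plain ANSI/ASCII text; Out-File's default UTF-16
    # output would break it, so the encoding is set explicitly.
    Add-Content -Path $hostsPath -Value $added -Encoding Ascii
    ipconfig.exe /flushdns | Out-Null   # drop cached answers so the block takes effect now
}

# Check: each blocked name should now resolve to the sinkhole address.
# GetHostAddresses honours the hosts file before any DNS query is made.
foreach ($name in $blockList) {
    $resolved = ([System.Net.Dns]::GetHostAddresses($name) | Select-Object -First 1).IPAddressToString
    '{0,-25} -> {1}' -f $name, $resolved
}
```

The warning branch matters in both directions: hijackers edit the same file to send legitimate sites elsewhere, so an entry that is already present but not pointing at the sinkhole deserves a look before it is touched.  Whatever tool you use, keep the backup it makes; a mistaken entry for a site you need looks exactly like a connectivity fault.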

 

Step 5 – inspection and review

Look at ALL of your browsers.  Set each to a default home page that you choose; you can use something like www.google.com.  Look for any toolbars that you don't want; make sure they're removed and not trying to run any more.  Also examine the default search engine in each browser; you may need to remove any entries you don't like the look of.  If the malware put it in the list then it will be unsafe to use at any time: a company dodgy enough to associate with that type of activity should be avoided.

Look at Scheduled Tasks in Control Panel (Task Scheduler).  You will have to step through each one; examine them all and look for anything that doesn't look right.  You can see what each task runs, how often, and what triggers it.  There will be quite a few Microsoft entries in here for Office, antivirus updates, etc., however some just won't look right; you can disable them or, better, remove them altogether.
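As an added illustration of the Scheduled Tasks review (not part of the original article; the "trusted directory" heuristic is my own assumption), the following PowerShell lists tasks whose command lives outside the Windows and Program Files directories, which narrows the manual pass down to the entries worth reading closely.  It shells out to schtasks.exe because Get-ScheduledTask is not available on Windows 7, the platform this article targets.

```powershell
# Added example (not part of this article): a triage list of scheduled tasks
# whose command does not live under the Windows or Program Files directories,
# which is where persistence dropped by adware and browser hijackers tends to
# sit.  Uses schtasks.exe (present from Windows XP onwards) rather than
# Get-ScheduledTask, which does not exist on Windows 7.
# ASSUMPTION: the trusted directory list is a triage heuristic, not a verdict.
# A task under Program Files can still be malicious and a flagged task may be
# a legitimate third-party updater; inspect before removing anything.

$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:CommonProgramFiles) |
    Where-Object { $_ } |                      # ProgramFiles(x86) is absent on 32-bit Windows
    ForEach-Object { $_.TrimEnd('\') + '\' }   # so C:\Windows does not match C:\WindowsEvil

# /v adds the "Task To Run" and "Author" columns.  schtasks repeats its CSV
# header once per task folder, which ConvertFrom-Csv would turn into bogus
# rows; drop those.
$tasks = schtasks.exe /query /fo CSV /v |
    ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' }

function Get-CommandPath([string]$command) {
    # Reduce a "Task To Run" string to its executable path, dropping arguments.
    $c = $command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        $exe = if ($end -gt 1) { $c.Substring(1, $end - 1) } else { $c.Trim('"') }
    } else {
        $exe = ($c -split '\s+')[0]
    }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Test-TrustedPath([string]$exe) {
    # An unqualified name (no directory) is resolved through PATH and is
    # deliberately left untrusted: it can be shadowed by a dropped file.
    if ($exe -notmatch '\\') { return $false }
    foreach ($dir in $trusted) {
        if ($exe.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$suspect = $tasks | Where-Object {
    $cmd = $_.'Task To Run'
    $cmd -and $cmd -ne 'N/A' -and $cmd -ne 'COM handler' -and
        -not (Test-TrustedPath (Get-CommandPath $cmd))
}

$suspect |
    Select-Object TaskName, Author, 'Task To Run', 'Scheduled Task State', 'Next Run Time' |
    Format-Table -AutoSize -Wrap

# Having decided a task is unwanted, disable it (reversible) or delete it.
# The task name is the TaskName column value, including its folder path:
#   schtasks.exe /change /tn "\Some Task" /disable
#   schtasks.exe /delete /tn "\Some Task" /f
```

Treat the output as a starting point for inspection rather than a verdict: a legitimate third-party updater can sit in a user profile directory, and a malicious task can point at a dropper installed under Program Files.  Check the Author and Start In columns, and the file the task runs, before disabling anything.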

Restart the system and re-inspect everything.  Some malware has special "revival" functionality intended to survive this type of cleaning sweep, so anything that has reappeared after the restart is still being re-created by something that was not removed.

Run a full antivirus scan with the system's AV software.  If you wish, an online antivirus scanner can be useful as well, as it may find infections that your local antivirus program missed or doesn't regard as a risk.

Run these steps again in another week or so; this will help you identify any recurrence of infection.  If you find malware running on the system again, and you haven't installed anything since the last scan, you have an ongoing infection that the programs haven't found.  Usually this requires a lot more investigation; if you're not confident that the infection has been removed by that point, either seek professional assistance or be prepared to remove all data and rebuild the system.