Virus Removal Guide

It’s so easy to become infected by a virus, trojan, or other form of malware while surfing the web – but often very difficult to remove them. If you need a free virus removal guide – one that will help the average person remove most viruses, trojans, spyware, ransomware, etc., from your Windows computer – then this is for you! Be aware, the following steps are akin to using a butcher, rather than a trained surgeon. Both can remove an unwanted tumor, but the trained surgeon is going to give a more precise result and find the ones that aren’t obvious. We recommend that you get someone who knows the finer points of virus/malware removal if at all possible. If that option isn’t for you, read on!
The removal tools we recommend are all freely available for download. Keep in mind that the steps outlined here may not disinfect every computer. There are many types of infections that operate in various ways and no single removal methodology will work every time. However, most people will have reasonably good success if they follow this guide.
Removal Procedure
Identify it if possible
Sometimes the infection can be identified. If you can, that will help tremendously. For example, there are a number of “fake” Anti-Virus programs out there that pretend to be real antivirus programs. Names like “Total Security”, “AntiVirus 2009”, “AntiVirus 360”, come to mind. Fortunately, there are often virus removal procedures written just for them. Being able to identify the malware lets you search the Internet for a procedure that can get you out of a jam rather quickly. Bleepingcomputer.com is an excellent place to search for removal procedures, and if you need a “trained surgeon”, they will be glad to help you. If you can’t identify it, or suspect that you have more than what’s obvious, then we will suggest some removal tools that will help. But first…
Back up your Files
Back up your computer! There is always a certain amount of risk when attempting malware removal. It’s tricky business. Sometimes computers fail to reboot successfully after a removal tool is used, either due to incomplete or faulty removal, or just the unique set of circumstances that have besieged your computer. In any case, if at all possible – back up your computer in its entirety before attempting these procedures! At the very least, save your important data like documents, email, pictures, videos, browser bookmarks etc., to an external storage device like a USB thumb-drive, and run System Restore and make a Restore Point. This may help put things back the way they were if things don’t go well.
Download the Removal Programs
1. Download Combofix from bleepingcomputer.com and save the Combofix program to the Windows Desktop
2. Download Anti-Malware from Malwarebytes.org and save the mbam-setup program to the Windows Desktop
3. Read and/or print out the Combofix Tutorial
Sometimes the Combofix download is a bit slow. Give it the benefit of the doubt. After a reasonable amount of time, if the download does not appear to be successful, try again.
Combofix is a godsend because it’s easy to use and has broken the back of many of the toughest infections around. I doubt there are any virus removal gurus who don’t have Combofix in their toolbox. Exactly how Combofix works seems to be a closely held secret. Divulging its inner workings could compromise its effectiveness if malware creators were to find ways to defeat it.
Using Combofix is easy but not without risk. Once you answer the Combofix prompts, you should step away from the keyboard and mouse and let it run its course. You are especially warned in the tutorial not to click within the Combofix window while it is running. Doing so could freeze the computer. If things go as planned, when Combofix finishes its removal procedures, it will reboot your computer and you can proceed to other removal steps. Occasionally however, things do not go as planned. Sometimes computers do not boot successfully after running Combofix. It’s a risk you must be willing to accept if you are not seeking professional help. Again, please back up everything you possibly can before attempting to use any of these removal procedures. And it’s a great idea to have the Windows Installation disc nearby.
Warning! Combofix works well with 32bit Windows XP – which is the vast majority of all installations of XP – and Windows 2000. Its track record when run on Windows Vista is a bit shaky from what I’ve read. Some Vista users have had no problems at all, while some have experienced serious problems – such as unsuccessful reboots – after running Combofix. The Combofix tutorial mentions running it on Vista, yet the Combofix creators website only claims compatibility for XP and Windows 2000. Until the creator(s) specifically claim compatibility for Vista or Windows 7, I cannot recommend its use on computers with those operating systems.
For a few tips on using the Malwarebytes program, see this post on using Anti-Malware.
Rename the files
Because some malware has been designed to detect Combofix and Anti-Malware, and prevent them from running, I suggest renaming the programs to something else as follows…
Rename combofix to cfx-???, where ??? is any three random characters.
Rename mbam-setup to mbm-???, where ??? is any three random characters.
Close or Disable Running Programs
Before we proceed, close all unnecessary programs and disable real-time protection in all currently running Anti-Virus, Anti-Spyware, Anti-Whateverware programs that you have. If you are unsure about whether a program has real-time protection, just use whatever procedure is appropriate to disable or close the program(s). You want to avoid any conflicts with the removal process.
1. Run Combofix FIRST
Run Combofix FIRST by clicking on the cfx-??? icon (or whatever you renamed it to).
Use the Combofix Tutorial as a guide
After Combofix is finished, it may force a reboot. Assuming the reboot is successful, you are ready for the next step.
2. Install and run Anti-Malware SECOND
If Combofix caused a reboot, your current Anti-Virus programs may have re-enabled themselves. Disable them again before proceeding.
Click on the mbm-??? icon (or whatever you renamed it to).
Answer the prompts
When the main screen appears, click on “Perform Full Scan” and then click the “Scan” button
If any malware is found, you will be presented with a list of the malware and they will all be selected by default
Click on the “Remove Selected” button
Reboot your computer if Anti-Malware indicates it needs to do so to remove some of the infected files
You are ready for the next step
3. Run a Virus Scanner THIRD
Follow up the two previous steps with a general virus remover.
The one I like is a scanner based on the NOD32 Antivirus program from ESET.
Here is the link for the ESET Scanner (English Language)
Just save the esetsmartinstaller_enu.exe file to the Windows Desktop and then click on its icon to run.
Click “YES, I accept the terms of use”, and then click the “Start” button.
The ESET scanner will download the latest virus definitions to your computer.
If you want it to scan your archive files, then select that option.
Click the “Start” button.
Note: You can also use the online scanner from Kaspersky, but you will need to install Java if you don’t already have it.
That’s All… or is it?
The above three steps may very well have eliminated your problem, or at least crippled it so that it can’t function. Now, install some good protection and relax. But, it is still possible that something slipped through our triple-scan dragnet. Sometimes there will be orphaned files that are left behind in various temporary folders. Some of these, on their own, are harmless. But some may be in a form that might execute if clicked on.
A good program for removing temporary files is ATF Cleaner and it can be freely downloaded from download.com. Just launch it and click on “Select all”. Before you click on the “Empty Selected” button, you may want to unselect “Cookies”. If cookies don’t matter to you, then leave them checked and click on “Empty Selected”.
Forensics, the Final Frontier
All the above may still not catch everything. If that is the case, you can try repeating the procedures above one more time. Otherwise, you are at the point of needing a knowledgeable person that knows how to use forensic tools like Process Explorer, Autoruns or Hijackthis. That will have to be another article for a more technical crowd than the typical user.
Troubleshooting Tips
Missing Desktop Icons
Occasionally, after running Combofix, the Windows Desktop does not return. Icons will be missing and the taskbar is nowhere to be found. Likely there is an issue with the Windows interface called explorer.exe (not related to Internet Explorer). You can try reloading explorer.exe by using the following steps…
- At the blank screen, press Ctrl-Alt-Del
- Select “Task Manager”
- In Task Manager, click on “File”, then click on “New Task (Run…)”
- In the “Create New Task” dialog box, type: explorer.exe
- Click the “OK” button
Note: If explorer.exe fails to load, click the Task Manager “Processes” tab and look for “explorer.exe”. Click once to select it, and then click the “End Process” button. Repeat from step 3. above.
No Internet Access?
Sometimes the virus/trojan/whatever may change the proxy settings in your browser or otherwise disable your Internet access, making it difficult for you to get the tools to remove it. Here are a few things to try that may get your Internet access back.
Check Proxy Settings
Generally proxy servers are not used in a home setting. However, a company computer may be configured to use a proxy server in order to monitor and control Internet usage. Assuming your computer is not set up for a company proxy server, follow these instructions to check the proxy settings of Internet Explorer and Firefox.
Internet Explorer
In Control Panel, click on “Internet Options”. Then click on the “Connections” tab and then the “LAN Settings” button. You will see a “Local Area Network (LAN) Settings” dialog box. In the lower section labeled “Proxy Server”, check the setting named “Use a proxy server for your LAN”. It is not normally checked in a home setting. If it is checked, try unchecking it. Click OK, close Internet Explorer if it is open and re-start it.
Firefox
Launch Firefox. Click on the menu bar, then click Tools->Options->Advanced. Next, click the “Network” tab. Look for the section labeled “Connection” and click the “Settings…” button. Normally, the option “No Proxy” is selected. If it is set otherwise, try selecting “No Proxy”, click OK, close Firefox and restart it.
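If you would rather do the two proxy checks above from the Command Prompt, here is an added example batch file (not a tool from the original post). It reads the same Internet Explorer settings the dialog shows from their standard registry location, backs them up to a .reg file on the Desktop first, and lists any proxy preferences in Firefox’s prefs.js; the backup filename is my choice.

```batch
@echo off
rem proxy-check.cmd -- added example for this guide, not a tool from the post.
rem Reports the Internet Explorer (WinINET) and Firefox proxy settings that
rem malware commonly rewrites, and backs up the IE values before any change.
setlocal
set "KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
set "BACKUP=%USERPROFILE%\Desktop\proxy-backup.reg"

echo === Internet Explorer proxy settings ===
rem Export the key first so a mistaken change can be undone by double-clicking the file.
if exist "%BACKUP%" del "%BACKUP%"
reg export "%KEY%" "%BACKUP%" >nul
echo Backup written to %BACKUP%

rem Show the three values that matter; a missing value simply means "not set".
for %%V in (ProxyEnable ProxyServer AutoConfigURL) do (
    reg query "%KEY%" /v %%V 2>nul | find /i "%%V" || echo     %%V  ^(not set^)
)

rem ProxyEnable is the "Use a proxy server for your LAN" checkbox:
rem take the third whitespace-separated token of the reg query line (0x0 or 0x1).
set "PE=0x0"
for /f "tokens=3" %%A in ('reg query "%KEY%" /v ProxyEnable 2^>nul ^| find /i "ProxyEnable"') do set "PE=%%A"
if "%PE%"=="0x1" goto :proxy_on
echo OK: "Use a proxy server for your LAN" is not enabled.
goto :pac

:proxy_on
echo WARNING: a proxy server is enabled. Home computers normally do not use one.
echo If you did not set this up yourself, turn it off with:
echo     reg add "%KEY%" /v ProxyEnable /t REG_DWORD /d 0 /f

:pac
rem An "automatic configuration script" (AutoConfigURL) is another way traffic
rem can be redirected without the proxy checkbox being ticked.
reg query "%KEY%" /v AutoConfigURL >nul 2>&1 && echo WARNING: an automatic configuration script URL is set. Review it.

echo.
echo === Firefox proxy preferences (network.proxy.type 0 = "No Proxy") ===
rem Each profile folder under Profiles\ has its own prefs.js.
for /d %%D in ("%APPDATA%\Mozilla\Firefox\Profiles\*") do (
    if exist "%%D\prefs.js" findstr /i /c:"network.proxy" "%%D\prefs.js"
)
echo (No output above means no Firefox proxy preference has been changed from its default.)
endlocal
```

Save it as proxy-check.cmd on the Desktop and double-click it, or run it from the Command Prompt window described in the next section.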
Reset Winsock
If neither of the above restores your Internet access, there is another trick, but you need to type something at the Command line. Actually, I’ll give you two approaches to try.
To open a Command Window : Click the “Start” button, then click “All Programs”, then click “Accessories”, then click “Command Prompt”. At the flashing cursor prompt, type the following two commands and press the ENTER key at the end of each line.
netsh winsock reset catalog
exit
This resets Windows Winsock settings to default values. Resetting may disable any third party communications programs that have made additions when they were installed. That is most likely not of primary concern to you at this point. You just need Internet access back so you can fight the virus. Besides, depending on the program that’s affected, it may re-enable the settings automatically. If not, a quick re-install should get things going again.
Now, restart the computer. If that still doesn’t allow Internet access, we can take things a step further. Open a Command Window as before, and type the following list of commands, pressing the ENTER key after each line.
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset catalog
netsh int ip reset New_IP_Settings.txt
exit
Restart the computer and try your browser now.
Computer won’t Boot
Sometimes your computer will not be able to boot properly. It may freeze before, or just after you login for example. There are a few things you can try. The easiest is to try to boot into “Safe Mode”, or preferably, “Safe Mode with Networking”. Read our short post that explains the basics of getting into Safe Mode.
Safe Mode Doesn’t Work
For those times when you can’t get into Safe Mode, there is another option, but you will need access to another computer that can burn a CD and has Internet access. You can create a bootable CD or DVD that contains the Avira Rescue System. This is very easy to download and create. You just put the CD or DVD into the infected computer and restart the computer. The Avira Rescue System will load a stripped down version of Linux and run Avira. This approach may help resurrect your infected machine and allow you to launch Windows so that you can proceed with the rest of the removal process.
Malwarebytes doesn’t run
I also have a few tips for using Malwarebytes Anti-Malware, which includes things to try when Malwarebytes won’t run.
Keep it Protected
Hopefully at this point, you’ve been able to remove the malware from your computer. Time to re-assess the protection you have. Obviously something needs improvement. Take a look at my recommendations for computer protection.
Final Thoughts
The products I recommend – Combofix, Anti-Malware, and either ESET NOD32 AntiVirus or the ESET online version – proved themselves to me in 2 months of unscientific testing. I used a program called VMWare Workstation and created a Virtual Machine in which I installed Windows XP. I then visited every dark Internet alley I could find to load it with as much malware as I could. Soon the machine was so bogged down with malware it would slow to a crawl due to disk activity and Internet traffic. I saved this machine state so that I could recall it at any time and install different combinations of anti-virus, anti-spyware etc. I tested many programs and combinations of programs. The two that stood out as being very effective at removing existing malware, preventing future attacks (see note below), and co-existing with each other very well, turned out to be Malwarebytes “Anti-Malware” and ESET’s NOD32 AntiVirus. Which was fantastic, as they are both regarded by many as “best in class”. I know this sounds like an ad – but the results of my tests convinced me that these two were the way to go. They do not slow your computer down the way McAfee, Symantec-Norton, or AVG do. And they play nice with each other.
Note: Please be aware there are two versions of Malwarebytes “Anti-Malware”. There is the free version, and then there is the “Pro” version, which costs about $25 dollars. The “Pro” version has real-time protection, while the free version does not. When I said that NOD32 AntiVirus and “Anti-Malware” were very effective at preventing future attacks, I was referring to the “Pro” version of “Anti-Malware” and not the free version. However, the free version is just as good at removing existing malware as the “Pro” version.
Combofix was not included in the above discussion because it is a different sort of tool. You would only use it to remove very stubborn malware – sort of a “one use” scenario. You wouldn’t use it to protect you from future attacks as it offers no such functionality. It’s the “can of whup-ass” you only use when absolutely necessary.
Let me know if this procedure helps you, or of ways to improve it. Thanks!