How to deal with malware or virus infections

Started by Grauniad, February 21, 2014, 09:20:59 AM


Grauniad

I have been lucky that the computers I personally take care of rarely get infected. Being safe is the best defense against computer viruses, same as for real-life viruses. Avoiding infection vectors and being protected is just as important as being able to rid yourself of an infection.

All my computers are behind a router with a NAT firewall. All my computers run Microsoft Security Essentials as anti-virus. (Note that for Windows 8, MSE comes pre-installed as Windows Defender.) I also have a paid version of Malwarebytes Anti-Malware (MBAM).

I am very careful about where I surf. Many "free" downloads, including many versions of pirated software and games, or sometimes site-specific downloaders to download "free" movies or music are vectors for malware infections.

When I don't know a site, I check the site's reputation with a reputable 3rd party:

Web of Trust (WOT): http://www.mywot.com/
McAfee's Site Advisor: http://www.siteadvisor.com/
Google: http://www.google.com/safebrowsing/diagnostic?site=www.knucklecracker.com (You can of course replace the knucklecracker part with the URL for any other site.)

When the worst happens and my computer gets infected, the very best option is to "nuke and pave". Do a total reformat of the hard drive to destroy any infections in the MBR (Master Boot Record), and then install Windows and all programs from original or restore media.

You can order recovery software from the manufacturer of your computer; it usually costs around US$30. You can also make these when you get a new computer: the recovery software is usually shipped on a separate partition on the hard drive, and a new PC comes with instructions on how to create CDs or DVDs from the recovery partition. Keep these in a safe place.

If you have your Windows Product key, you can create a Windows Universal Install disk, and enter the product key that is on a sticker on your computer to install the version of Windows that you have a license to. If the sticker is destroyed, you can buy a key-only license from a reputable site and use this method as well.

If you feel brave, you can of course try and remove the virus. While this may work, it may damage a few files and you can never be 100% sure that you have removed the infection.

Start here:

1. Download and run the Microsoft Defender Offline.
 Follow the instructions on that page.

Failing that:
2. From another computer, download Malwarebytes: http://www.malwarebytes.org/mbam.php
Save it to a flash drive.
Rename the program to 123.com
Plug the flash drive into the infected computer.
Then run 123.com from the flash drive.

If that fails:
3. From another computer, download Combofix: http://www.bleepingcomputer.com/download/anti-virus/combofix
Save it to a flash drive.
Rename the program to 456.com
Plug the flash drive into the infected computer.
Then run 456.com from the flash drive.

If you can, it is best to run the programs from Windows Safe Mode:
Reboot the computer
Right after the BIOS flash screen, start pecking at the F8 key.
You will get a Boot Options Menu
Select Safe Mode with Networking
Then follow 1) and 2) above

You can also download the AVG Rescue CD
http://www.avg.com/us-en/avg-rescue-cd
1) from another computer, download the AVG Rescue CD
2) from another computer, download Img Burn
http://www.imgburn.com/index.php?act=download
3) on the other computer, install ImgBurn and create a BOOTABLE CD from the CD Image you downloaded from AVG
4) put the CD in the infected computer and reboot

This will allow the computer to boot from the CD and not Windows, and it will scan and (hopefully) remove the infections.

If you still have an issue, try Hitman Pro: http://www.surfright.nl/en/hitmanpro

Sometimes, it takes doing all of the above, plus more to completely remove a serious or multiple infections.

Here are some more tools:

If you really want to scan a drive, you don't want to scan it from within the infected OS.

You need a scanner that will boot the computer without starting Windows, or you need to remove the drive and scan it as a slave connected to a different computer.

Windows Defender Offline - http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline

AVG Rescue CD - http://www.avg.com/us-en/avg-rescue-cd-download

Avira Rescue CD - http://www.avira.com/en/download/product/avira-antivir-rescue-system/product/avira-antivir-rescue-system/product/avira-antivir-rescue-system

Kaspersky Rescue Disk - http://support.kaspersky.com/faq/?qid=208282173

It is also always good to have a utility boot CD on hand that contains tools other than virus/malware removal. These are all good ones:

Hiren's Boot CD - http://www.hirensbootcd.org/download/
SystemRescue Cd - http://www.sysresccd.org/Download
Trinity Rescue Kit - http://trinityhome.org/Home/index.php?content=TRINITY_RESCUE_KIT_DOWNLOAD
Ultimate Boot CD - http://www.ultimatebootcd.com/download.html

For scanning within Windows:

Gmer - http://www.gmer.net/

Rootkit Revealer - http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

TDSS Killer - http://support.kaspersky.com/faq/?qid=208283363

Hijack This - http://www.bleepingcomputer.com/download/hijackthis/

Rkill - http://www.bleepingcomputer.com/download/rkill/

Malwarebytes - http://www.malwarebytes.org/

Combofix - http://www.bleepingcomputer.com/download/combofix/

Linux Live CDs:

Ubuntu - http://www.ubuntu.com/download

Knoppix - http://www.knopper.net/knoppix/index-en.html

Also, remember to ALWAYS write a new MBR, and keep in mind that there are "infections" that no tool is going to detect or cure. For example, there is Malware that rewrites the DNS entries on the ROUTER, which causes all Google searches to be redirected. No matter how many times you scan the computer it won't detect the problem that is on the router.
A goodnight to all and to all a good night - Goodnight Moon
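The out-of-band scan recommended above (boot a Linux Live CD and scan the Windows disk without ever starting the infected OS), written out as an added shell example; it is not from this thread or from any of the listed tools, and it assumes the Windows partition is /dev/sda2 (check with lsblk first) and that ntfs-3g and ClamAV are installed on the live system:

```shell
#!/bin/sh
# Offline scan of a Windows disk from a Linux live CD (added example, not from the thread).
# Assumptions: DISK is the Windows partition (hypothetical default), ntfs-3g and ClamAV present.
set -eu

DISK="${DISK:-/dev/sda2}"                 # assumed device; verify with lsblk before running
MNT="${MNT:-/mnt/win}"
REPORT="${REPORT:-/tmp/clamscan-report.txt}"

# Mount read-only, with noexec/nodev/nosuid, so the scan cannot alter the disk
# and nothing on it can be executed from the live system by accident.
mount_readonly() {
    mkdir -p "$MNT"
    mount -t ntfs-3g -o ro,noexec,nodev,nosuid "$DISK" "$MNT"
}

# Scan the mounted volume, logging only infected files; nothing is deleted automatically.
# clamscan exits 1 when it finds something and 2 on error, so only 2 is treated as failure.
scan_volume() {
    freshclam || echo "warning: signature update failed, scanning with existing database" >&2
    rm -f "$REPORT"
    rc=0
    clamscan -r -i --log="$REPORT" "$MNT" || rc=$?
    [ "$rc" -le 1 ] || { echo "clamscan error (exit $rc)" >&2; return 1; }
}

# Summarise a clamscan report file: prints "<infected_count> <scanned_count>".
summarize_report() {
    awk '
        /^Infected files:/ { inf = $3 }
        /^Scanned files:/  { scn = $3 }
        END { printf "%d %d\n", inf, scn }
    ' "$1"
}

# List the paths of infected files from a report (lines of the form "path: Signature FOUND").
infected_paths() {
    sed -n 's/^\(.*\): [^:]* FOUND$/\1/p' "$1"
}

main() {
    mount_readonly
    scan_volume
    summary=$(summarize_report "$REPORT")
    infected=${summary%% *}
    scanned=${summary##* }
    echo "scanned $scanned files, $infected infected"
    [ "$infected" -eq 0 ] || infected_paths "$REPORT"
    umount "$MNT"
}

# Only perform the live scan when invoked as 'sh scan.sh run'; otherwise just define the functions.
if [ "${1:-}" = "run" ]; then main; fi
```

Review the listed paths before deleting anything; a hit inside a recovery partition (as happened later in this thread) means the restore media themselves are suspect.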

Blaze

Thanks for the topic, already got the computer in safe mode and that "BrowserProtect" removed, running scans to look for others before I go and remove anything on them from the registry.
Sadly, nuke and pave isn't an option here, her little notebook doesn't even have a disc drive! So I'm trying to remove as much as I can dig up on them as possible, and run several different scans.

I'm hoping I can at least get it to where it's at fast enough for her to use for drawing like she wants, until her tablet is fixed.
She's using her phone for Skype to talk to her friends. She said she'd buy me a game if I get it back to a usable state, so of course I have to do anything I can to fix it. :D
This is also a good experience for me, pretty good playground for attempting to clean a computer this infected.

Grauniad

Do you mean an optical drive? You can boot from a USB drive if that is what you need to do and you can do installs from USB as well.

As usual, if you had posted make and model information, more precise help could have been yours. :(

Blaze

Quote from: Grauniad on February 21, 2014, 03:44:10 PM
Do you mean an optical drive? You can boot from a USB drive if that is what you need to do and you can do installs from USB as well.

As usual, if you had posted make and model information, more precise help could have been yours. :(

Haha, yeah, the more information the better.
Sorry, didn't get any decent sleep at all last night.

Anyhow, it's a Toshiba NB 305 model running Windows 7 Starter, which I'd never heard of until this point.
Really thought it was like a stolen OS because the thought of not being able to change the wallpaper baffled me... :D

I've got MalwareBytes running a full scan now, it says it has detected four objects so far.
As for installing an OS from the USB, the issue would still be where to get one; I don't think anybody here wants to dump any money into it. ::)
This really is just going to hold her over until her Tablet is back in working order, so putting any money into it doesn't make much sense.

Grauniad

http://forums.toshiba.com/t5/System-Recovery-and-Recovery/NB305-Netbook-Recovery/td-p/114297

That will have all the right drivers and stuff. Windows 7 Starter is a trimmed-down Windows that doesn't consume as much HDD space. That limits obvious things like wallpaper, etc.

Blaze

Quote from: Grauniad on February 21, 2014, 04:38:26 PM
http://forums.toshiba.com/t5/System-Recovery-and-Recovery/NB305-Netbook-Recovery/td-p/114297

That will have all the right drivers and stuff. Windows 7 Starter is a trimmed-down Windows that doesn't consume as much HDD space. That limits obvious things like wallpaper, etc.

Apparently it's got a hidden recovery partition already on there.
Quote
If you run into a situation where you need to reset your netbook to factory settings, just hold 0 while you press the power key to boot up. From there you can restore everything to when you first loaded up.

Within your netbook's main HDD, there's a small partition with all the recovery files you need. You won't need installation keys or codes or any drivers to download from the Toshiba website, it's all there!

That BrowserProtect was actually in that hidden partition, not anymore though.
MalwareBytes and her Avast seem to have removed anything that was on there, so the reset should come next.

Then I'll install Vipre on there since we still have like six keys for that. :D
It's served me well, though common sense is the best protection, it keeps the Tracking Cookies away.

Blaze

Yup, it's at 75% now. Edit: With the partition, as of this edit it's making the CRC file and is 75% done as well.

Afterwards I'll install Malwarebytes first and run another full scan, then the Anti Virus with another full scan.
Hopefully that should do the trick.

I want to thank you, Grauniad, for taking time out of your day to help.
I don't think I'd have found out that it has a hidden recovery partition if not for your help.

Blaze

Hard Drive is reset, Malwarebytes has been running for over an hour and a half and has still found nothing.
Once that is done, going to install an Anti-Virus and allow windows to finish updating.

Seems it's cleaned out now.
I suspect it'll never get back to full speed, it's old and runs fairly hot so I suspect that may be contributing to it.
But as far as I can tell, it's much better.

Blaze

Yep, all clean.
All scans came back negative.
Windows still keeps throwing updates in, but other than that it's done.

It's back in her hands now. Thanks again for all the help.

DarthVader12

In addition to Grauniad's post the tool ESET online scanner is very helpful when cleaning a machine.
1) Download link on this page. More information available here.
2) Run the program.
3) Accept the terms of use.
4) Wait while the program installs.
5) Click show advanced options and select all check boxes, like in this picture.

6) Click change next to current scan target and place check mark in computer, then press OK.

7) Press start. BE PATIENT! This scan takes a long time, it may need to run overnight.
8) If no threats are found this message will be displayed check uninstall application and hit finish.

   If threats are found you will see this, check uninstall application and hit finish.

9) Close the last window.

___________________________________________________________________________________________________________________________________________________________


I advise you to be very careful when running combofix as G has posted. Here is Bleeping Computer's warning/disclaimer:

No one should be using ComboFix unless specifically instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for general public or personal use. Combofix was never meant to be used as a general purpose malware scanner like SuperAntispyware or Malwarebytes' Anti-Malware which scan individual drives or different folders on a computer for viruses. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. When issues arise due to complex malware infections, possible false detections, problems running ComboFix or with other security tools causing conflicts, experts are usually aware of them and can advise what should or should not be done while providing individual assistance. Those attempting to use ComboFix on their own do not have such information and are at risk when running the tool in an unsupervised environment.

Modified download link to product download page and not direct download. -G.
Removed excessive images -G.

Grauniad

We'll just have to disagree on the effectiveness of ESET as an anti-malware tool. :)

Grayzzur

One I used to use a lot was the free version of Lavasoft's Ad-Aware for scanning and cleaning off some of the spyware problems that plague browsing but aren't detected by the anti-virus packages.

My personal recommendation is to use Chrome or Firefox or any other browser you like that isn't IE. It may be less true with the latest versions as I tend not to use it as much anymore and so have less experience with the newer IE versions, but I've found that in the past malware has an easier time of getting into a Windows system through IE than through other browsers. (Especially on Windows XP, where the latest version of IE available is 8.)

Use an Anti Virus program. If you prefer Norton or McAfee or Kaspersky or AVG... it doesn't matter. Just have some anti-virus package installed on your computer. If you don't have a preference or don't care, get Microsoft Security Essentials. It works with Windows XP on up, and is available "for the low, low price of free."
"Fate. It protects fools, little children, and ships named 'Enterprise.'" -William T. Riker

Grauniad

I was a Lavasoft adherent around the turn of the century. Eventually I abandoned them since they bloated so much. I'm on the lookout for the MBAM replacement, since MBAM is now going that route. Unfortunately I don't recall the specifics of why I stopped using Lavasoft.

DarthVader12

Sorry Grauniad about both of those things. I had a problem getting the images in the correct order and overlooked the link. :-[ Both of these errors are on my part and I thank you for fixing them.

I like ESET online scanner because it goes after PUPs (Potentially Unwanted Programs) AKA adware. In most cases these are bundled with installers, and since normal users don't know how to uncheck these add-on programs, ESET removes them. I have never used it as my main product in removing an infection. I also do not know how well it works as real time protection as I have always used Avast.

One point I always bring up is that no matter how much security you have on the computer, all that matters is your knowledge of internet safety. And please, people, use an antivirus. You DO NOT have to pay for one; there are several free ones (Avast, Avira, COMODO, AVG, MSE), as well as the free version of Malwarebytes Anti-Malware, scanning weekly with it.

The most secure way of removing any infection is to:
1) Back up all documents, pictures, videos, and other necessary files to a flash drive
2) Boot to DBAN, which will erase all the data on all connected drives
3) Install the operating system of choice
4) Install all Windows updates first
5) Install antivirus and MBAM
6) Scan all backup files from the previous computer before restoring them to the new computer

Blaze

Quote from: DarthVader12 on February 28, 2014, 01:12:59 AM
And please, people, use an antivirus. You DO NOT have to pay for one; there are several free ones (Avast, Avira, COMODO, AVG, MSE), as well as the free version of Malwarebytes Anti-Malware, scanning weekly with it.

Hehehe, I'm using Vipre since my mother bought it (for whatever reason) as a ten pack so I figured why not, it was there.
Besides that, I like all the little features of it, going to keep using it as long as I have keys left for it for new computers.

Quote from: DarthVader12 on February 28, 2014, 01:12:59 AM
One point I always bring up is that no matter how much security you have on the computer, all that matters is your knowledge of internet safety.

You can never really be too safe, I always check short links with CheckShortURL, and then peek at the full link with PagePeeker.
Simply to see the site before I visit it if I've never been there before, to decide if I like the look of the site or not.
Some websites just look sketchy, and if they do I don't bother with them. After that it's just a matter of watching where you go, and where you download from.

Sometimes I'm wrong though, or I'm not and Vipre is, but I have it set to block bad websites which will stop the page from loading if it has a bad reputation, or something. :D
If I get that, I don't bother with the site again unless I've been going to it for years or something and suddenly it's being blocked, then I'll try and find out why. That hasn't happened yet thankfully.
I also use Google Chrome which will stop a site from loading if it detects malware, that's saved me twice when a site I regular got a bad advertiser.

Honestly I've only ever gotten three hits of a Trojan from my AV, and two were a false positive, the third was an exe in a download that I'm 98% sure was clean, but I didn't risk it.
All the comments said it was good, and it had 800+ seeders so I'm fairly sure it was another false positive, but again, I didn't risk it. Went and found another that was just as trustworthy and didn't trigger my AV.
Everything else is always just a tracking cookie, it counts the risk traces as individual risks, so it's clocked up to 2,500+ blocks over the time I've had it. :-\