How to remove malware from a Windows PC

There are two very obvious truths which need to be stated before going any further:

Truth 1 - prevention is better than cure, so don't visit 'dodgy' sites or download anything anyone sends you a link to, and do keep your PC as secure as possible with the help of security software such as real-time malware scanners and firewalls.

Truth 2 - when it comes to malware there is no single 'removes it all' solution, there are far too many malware variations out there from rootkits and zero-day exploits through to long-established malware families which are continuously evolving in order to thwart detection and removal attempts.

That said, there is a third truth which probably also needs mentioning; namely that shit happens and sometimes computers do become infected despite the best efforts of responsible users. So what should you do if you suspect that you have become the latest victim of the malware epidemic? This basic tutorial aims to highlight the procedures and resources available to users of the Windows Operating System, and should help get you on the path towards having a clean PC again; hopefully without having to take the nuke it, format and start again final option. Yes, I know that the real solution to malware is to run Windows within an isolated Virtual Machine environment that allows you to simply delete and restore a new instance if any infection gets in - but we are talking the real world here where very few users would go to those lengths and accept that level of inconvenience in the name of security.

Step 1.

Identify the symptoms and research them. If your browser is redirecting you to random sites, or displaying unwanted pop-ups, toolbars and the like, then Google some of the specifics or ask in the DaniWeb 'Viruses, Spyware and Other Nasties' forum where you may be able to draw on the experience of others to solve the problem quickly and without too much fuss. Iffy browser extensions and unwanted search toolbars are amongst the easiest of malware to deal with, and you can bet you are not the first to get stuck with them. Removal is usually very straightforward indeed, so don't feel embarrassed to ask for help.

Step 2.

Run your scans (see below) from inside Windows Safe Mode, a minimal version of the OS which uses safer generic drivers and will not run all of the startup apps you are used to and which any malware is also using. Hit the F8 key a few times while booting to enter Safe Mode, and then start your scan. It's not foolproof, see truth number 2, but it's your best bet.

Step 3.

If you suspect something more sinister than crapware or adware, which are bad enough, then make sure your security software/anti-virus scanner is updated with the latest files (assuming it's not clever enough to have blocked access to those vendor sites) and then run a full system scan to check for any known infection. If you don't have security software installed then most of the 'usual suspects' in the security vendor space will have free online scanners you can use. It's good practise to run more than one scan, from more than one vendor, anyway if you suspect you have an infection. After all, that very suspicion does suggest that maybe your current scanner (if it cannot detect an infection) isn't altogether trustworthy at this moment in time. The fourth truth, which has just occurred to me, is that n malware scanner is going to be able to detect and remove 100% of threats, so running a scanner combo makes a lot of sense. However, reboot your system after each has run a scan and performed any cleaning before running the next in line.

Step 4.

Be prepared, and have some emergency tools in your offline toolbox just in case the malware won't let you update or connect to an online vendor or use your installed software. One of the simplest ways of doing this is to create an emergency security USB thumb drive which has a copy of MBAM on it (MalwareBytes Anti Malware) which is free to use. If you haven't done this in advance, then use someone else's computer to download the executables onto a USB stick. Oh, and make sure you use the 'Deep Scan' which can take a long time to complete, so have a cup of coffee or three waiting. As I said before, layering your tools is a good idea so install a copy of the Kaspersky TDSSKiller rootkit detection and removal utility alongside MBAM as rootkits are well known for being hard to find (they intercept the Windows API at a low-level.) TDSSKiller won't take long to perform a scan, but if a rootkit is hiding it is an excellent way of finding it and nuking it at the click of a button and a reboot.

If you cannot get into Safe Mode (see step 2) then it's possible to get in and clean up by booting into a Linux environment via CD/USB and manually identifying and deleting rogue files. Possible, but not really a real world option for the vast majority of 'normal' users. Which is where another third party resource comes in; HitmanPro Kickstart can be added to your USB stick toolbox and is free for 30 days use (it comes as part of the HitmanPro scanner software.) Boot the PC from the USB stick and Kickstart will give you a familiar 'live' Windows environment in which to work and access registry keys and files to determine what needs cleaning. The Hitman is fully automated and works pretty well in my experience of testing it out.

Step 5.

This is where, if everything you have tried so far has been to no avail, you go back to step 1 and ask for help. Try the security vendor sites as they will often help people even if they are not users of their software, or dedicated security support forums such as bleepingcomputer or here on DaniWeb of course. Most will want to know details that you cannot supply without running certain forensic detection tools, but don't worry they will all (including us as DaniWeb) give you precise instructions on what to download and how to use them to create logs which can then be posted for analysis by experts.

Step 6.

Unfortunately, sometimes there really is only one option left when dealing with malware and it's the one that some folk choose to use as their preferred Step 1 - namely, the reformat and start again option. There are good reasons for going straight in with this sledgehammer to a nut approach, not least that in most cases it offers the best chance of a truly clean system to use and can even take less time than going through the process of running forensic tools and waiting on others to analyse them, or performing deep scans and cleansing routines. This does depend upon whether you have a known clean system image to restore, and data that is accessible from the cloud or another storage system that isn't tied into your PC of course.

Source : daniweb