Because of the wide variety of security threats confronting Windows computer users in 2010, a fairly large number of effective security measures are needed. The following is a concise list of software necessary for effective protection and removal of malware. These programs are best kept on a thumb drive or portable hard drive that should always be on hand for use by a technician. Additionally, these programs need to be updated with some frequency; scanning with a two-months-outdated set of definitions is very likely not going to fix anything.
Steps for Malware Repair
Upon encountering an infected PC, I take the following steps before attempting to remove any actual malware.
1. Remove any obvious malware vectors such as Limewire. Programs with names that mention “Coupons” or “Savings”, or wallpaper, screen savers, ringtones or browser tool bars are all good candidates for removal.
If necessary, Revo Uninstaller can be used to facilitate some program removals.
2. Install or open an alternative web browser. Internet Explorer is very often a vector for malware infestation and it is generally a bad idea to continue using it on an infected PC.
Google Chrome is actually a good bet during Malware removal. It’s a small download, updates frequently and always has the latest version of Adobe Flash built in, but the offline-install version of the program has some drawbacks related to update installation that make it impractical to install on computers that are not connected to the internet.
Users who cannot install software on their computer might be better off with Portable Firefox, run from a thumb drive or CD-R.
3. Download the programs listed above and/or any updates available. The programs themselves are all available from Download.com or can be easily obtained via a Google search. If attempts to download do not lead to the proper web sites, or bring up incorrect products, the software should be downloaded on another computer and installed from a write-protected thumb drive or from a CD-R.
I very strongly prefer to download the updates as executable files rather than rely on the built-in update mechanisms. It is fairly common for malware to disrupt or prevent Antivirus and Antispyware from running properly, and even more common for the software to prevent updates with those programs.
On a new or uninfected computer, it’s safe to use the update mechanisms in the programs.
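One way to keep the thumb-drive toolkit trustworthy, as an added example that is not part of the original article: record a SHA-256 hash and download time for each file on the clean PC, then check the drive before each job for changed, missing, unexpected or out-of-date files. The manifest file name and the 14-day limit are assumptions of this example; the update file names are the ones the article mentions.

```python
import hashlib
import json
import os
import sys
import time

MANIFEST_NAME = "toolkit-manifest.json"              # hypothetical file name
DEFINITION_FILES = {"vpsupd.exe", "mbam_rules.exe"}  # update files the article names
MAX_AGE_DAYS = 14                                    # assumed freshness limit


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _tool_files(toolkit_dir):
    return sorted(n for n in os.listdir(toolkit_dir)
                  if n != MANIFEST_NAME
                  and os.path.isfile(os.path.join(toolkit_dir, n)))


def build_manifest(toolkit_dir, now=None):
    """Run on the clean PC right after downloading the tools and updates."""
    now = time.time() if now is None else now
    return {name: {"sha256": sha256_of(os.path.join(toolkit_dir, name)),
                   "downloaded": now}
            for name in _tool_files(toolkit_dir)}


def check_toolkit(toolkit_dir, manifest, now=None, max_age_days=MAX_AGE_DAYS):
    """Return (name, problem) pairs; an empty list means the kit is ready."""
    now = time.time() if now is None else now
    present = set(_tool_files(toolkit_dir))
    problems = []
    for name in sorted(manifest):
        entry = manifest[name]
        if name not in present:
            problems.append((name, "missing"))
        elif sha256_of(os.path.join(toolkit_dir, name)) != entry["sha256"]:
            problems.append((name, "modified"))   # changed since download
        elif (name.lower() in DEFINITION_FILES
              and now - entry["downloaded"] > max_age_days * 86400):
            problems.append((name, "stale"))      # definitions too old to trust
    # Files that appeared on the drive after the manifest was written
    problems += [(n, "unlisted") for n in sorted(present - set(manifest))]
    return problems


if __name__ == "__main__":
    # usage: toolkit.py build <dir>   (clean PC)   |   toolkit.py check <dir>
    action, folder = sys.argv[1], sys.argv[2]
    manifest_path = os.path.join(folder, MANIFEST_NAME)
    if action == "build":
        with open(manifest_path, "w") as fh:
            json.dump(build_manifest(folder), fh, indent=2)
    else:
        with open(manifest_path) as fh:
            for name, problem in check_toolkit(folder, json.load(fh)):
                print(f"{problem:9} {name}")
```

Keep a second copy of the manifest somewhere other than the drive itself, since a writable drive that has been plugged into an infected PC cannot vouch for its own manifest.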
4. Install CCleaner. Run CCleaner to remove temporary files on as many user accounts as you, the technician, have access to. If there are three user accounts, log in to each of them in turn and run CCleaner, if possible. CCleaner operates on a per-user account basis. Running it on one account won’t clear temporary data for other users.
This has two very important functions. One is that many malware programs, especially Trojan Horses, reside in Temporary Internet Files folders, and CCleaner does a more thorough job of removing files in those folders. The second is an overall reduction in the amount of data that must be scanned with other programs.
5. Remove ineffective Antivirus/Security software. I typically remove any Norton, Symantec, McAfee, Computer Associates, Trend Micro or Microsoft Antivirus/Antispyware/Firewall program I come across, and most other programs are suspect as well. Business computers with a Business Antivirus program I will typically leave in place; there is normally a server-based management function in place on those machines. At the moment, I trust Kaspersky, Avast, Microsoft Security Essentials/Forefront Security, Avira and NOD32 to provide acceptable antivirus protection.
Some antivirus programs (Norton) are notoriously difficult to remove. Others (Norton) will not operate if Internet Explorer has been damaged. Many Antivirus software vendors have special “removal tools” for their products. It is a good idea to keep these programs on hand as well.
Corporate products may also have passwords or additional software to prevent changing or uninstalling. In a business setting, please follow the IT procedures for your office.
Many times, an infected computer will have off-brand security software installed, as a result of the user attempting to remove the infection themselves. This software should be removed if possible, as should any anti-spyware product already on the computer; we want to work with our fresh, known-good copies. Off-brand security software should be considered suspect to begin with. A high percentage of security products are themselves malware vectors. Particularly sophisticated malware will actually suborn security software already in place, either by adding itself to ignore lists or by configuring programs to detect and prevent other security software from being installed.
Revo Uninstaller can sometimes also be helpful in removing stubborn security software.
If Avast is not being installed, skip to Step 7.
6. Install Avast Antivirus Home Edition. Avast is free for non-commercial use. In theory this means that it is acceptable for home or not-for-profit organizations to use, while commercial entities should pay for a commercial license. These instructions are meant for an individual not working for a business. Businesses should buy decent Antivirus software. I suggest Avast, Avira, Kaspersky or NOD32.
Avast requires that the user visit its web site and generate a license code. The license code is E-mailed to the user and is valid for 12 months of use. Un-licensed Avast will operate for 30 days. Avast does not E-mail anything but the license code, nor do they give E-mail addresses to other organizations.
The issue is that the downloaded setup file for Avast! almost never includes the most current set of virus definitions. Scanning with anything other than the latest virus updates is somewhat counter-productive; viruses change on a daily basis. AV software needs to do this also.
Therefore, it’s a good idea to obtain and install the latest VRDB (antivirus database) for Avast! so that it can work from the most current one from the first moment it operates at all.
Avast.com offers a single file which contains the most recent VRDB version. This file is called vpsupd.exe and is more than 30MB. The downloadable version of the update file can be found at http://www.avast.com/eng/updates.html. This file is very useful; for example a person with a slow internet connection at home and a fast one at work could download and copy the file to a thumb drive or a CD-R and update their PC without using Avast!’s built-in updater. It’s also very useful for computers that are already infected with Malware. It is very common for Malware programs to out-and-out disable AV programs and/or connections to web sites for Antivirus software vendors.
7. Disconnect the infected computer from any available Internet Connections. This means wired as well as wireless connections. An infected computer should be disconnected from the internet until the technician can be reasonably certain that it is free of infection.
8. Run a full Antivirus scan using your Antivirus software. If possible, perform the scan at boot time rather than while Windows is running normally.
At this point we are predominantly looking for Trojan Horses and Malware that might prevent us from installing and running other security software. If we find and remove anything else, that’s great, too.
Antivirus scans can take minutes, hours or days, depending on the speed of the computer, its hard disk (laptop drives tend to be slower) and the volume of data being scanned.
9. Install SpyBot Search and Destroy. Do not install TeaTimer, as it is generally more annoying than useful. Tell it not to install updates from the Internet. Do not run the program when installation is finished.
Spybot is a malware removal program. In order for it to work properly, you need to run it twice. Once in “normal” mode to get the latest updates and then again in SAFE MODE to actually remove the crud it’s supposed to remove. Spybot will not install updates for you. You must check for updates fairly regularly (weekly). So, we have to install it first, and then run it.
To install SpyBot
Double-click on the icon for the Install program
Select ENGLISH as the language and click on OK
Click on NEXT on the WELCOME screen
Click on I ACCEPT THE AGREEMENT and then NEXT
Click on NEXT to accept the DESTINATION LOCATION.
On the SELECT COMPONENTS screen, click on NEXT. You may want to un-check the box for DOWNLOAD UPDATES IMMEDIATELY. If your PC does not have an internet connection (and it doesn’t if you’re following this document step by step), the install won’t happen until this box is un-checked.
On the SELECT START MENU FOLDER screen, click on NEXT
When you get to the SELECT ADDITIONAL TASKS screen, make sure that TEATIMER is unchecked. Click on NEXT
Click on INSTALL
Uncheck RUN SPYBOT and click on FINISH. We are unchecking RUN SPYBOT because we do not want to run it now. If we did, a wizard would come up, we would step through it, and we would be done with it for now. The problem is that the wizard appears only once, the first time the program starts, so we want to make sure you know how to run the program without it.
RUNNING SPYBOT FOR PURPOSES OF UPDATES ONLY – IN NORMAL MODE
Now let’s run Spybot (for purposes of getting the updates only!). I am assuming that you downloaded the program with the steps above and there is a shortcut on your desktop. I am also assuming that this is the first time you’ve run the program.
Double-click on the SPYBOT icon on your desktop
If there is a legal message, check mark to not show the message again, click on OK
It will ask you to create a registry backup. Create the backup by clicking the button and then NEXT
Continue to click NEXT all the way through until you get to a window with a START USING THE PROGRAM button. We do this because the only time that you will see the wizard is the first time that the program runs. I want to make sure that you know how to use the program without the wizard, hence all the clicking!
Once you click on START USING THE PROGRAM the following screen will appear:
Click on SEARCH FOR UPDATES (in the center of the screen)
Click on SEARCH in the Window that comes up (at the bottom of the screen)
Choose a server location. TDS, SAFER NETWORKING #1 and SECURITYWONKS are the fastest most of the time. Click CONTINUE.
Right Mouse Click on the list of Updates, choose SELECT ALL.
The Icons next to the checkboxes should turn into green checkmarks.
There will be a long pause after you click EXIT to close the Update Window.
Back in the main window of the Program, click the IMMUNIZE button (on the left side, in the middle).
On the Immunize screen, click the green cross IMMUNIZE button. Spybot will install a set of rules that will block your computer from installing unwanted software or visiting sites on the internet that spread malicious software. Depending on the computer and its condition, the immunization process can take as little as 15 seconds and as much as ten minutes.
The number of items blocked generally increases over time, but it also depends on what software is installed on your computer; someone who does not have Firefox installed or has an older version of Internet Explorer might have more or fewer items than another person might have.
Windows Vista and Windows 7 users: When starting Spybot, right click on its icon and choose Run as Administrator to avoid error messages associated with using or updating Spybot.
10. Install Malwarebytes Anti-Malware. Do not install Updates from the Internet. Install updates from the mbam_rules.exe file from your thumb drive or CD.
Double click on MBAM-SETUP.EXE. You will be prompted for a setup language. Choose English and click OK, unless you’d like a challenge and want to try running the program in Hungarian or something.
You will be greeted with “Welcome to MalwareBytes Anti-Malware Setup Wizard.” Click NEXT.
Choose I ACCEPT for the license agreement and then NEXT.
The next screen is the version changelog. Click NEXT.
Click NEXT again to select the installation folder, NEXT again to select a Start Menu folder name, and NEXT again to set the default icon locations.
When MalwareBytes has finished installing, click the FINISH button. MalwareBytes will try to update and then the program will run.
If you are following my guide exactly, you are not connected to the Internet at this point, and you will need to know how to update MalwareBytes manually.
The location for the MalwareBytes updates file on the internet is http://malwarebytes.gt500.org/database.jsp
This file can be downloaded (from another PC) onto a thumb drive or a CD-R. I like to do this periodically so that I always have a fairly up-to-date copy on hand. Most people are probably better off just doing it when they know they need to scan and remove bad stuff.
Click the download button.
Save the file and copy it to the PC
On the machine you are trying to repair, run the file.
Select the Setup Language. Click OK.
Click NEXT, then INSTALL.
After a second you will get a message that says that the installation has been completed, and you can click FINISH. MalwareBytes is now up-to-date.
Note that on a PC that is not infected with anything, it’s just as easy to open MalwareBytes, click the UPDATES tab and then click the CHECK FOR UPDATES button and, indeed, as a user it’s a good idea to do that once a week or so.
Do not run Malwarebytes
11. Windows XP Users only: Right Click on the My Computer Icon, either on your Start Menu or your Desktop. Click on the System Restore tab. Make sure the box next to TURN OFF SYSTEM RESTORE is ticked. Click OK.
Many malware programs will impregnate System Restore backups. Turning off system restore completely removes all existing system restore backup files.
Windows Vista and Windows 7 users should not remove System Restore Backups, as there is no effective way to repair a damaged Vista/7 installation other than System Restore.
12. Reboot the infected PC. After its screen goes black, begin tapping repeatedly on the F8 key. A boot-time menu should appear. Use the arrow keys on the keyboard to select Safe Mode. Do not choose Safe Mode Command Line or Safe Mode with Networking.
If the Windows logo graphic appears rather than the boot menu, reboot the PC and tap the F8 key faster.
GETTING TO SAFE MODE
Now that you have all of the programs downloaded and installed and updated, you need to run MALWAREBYTES and SPYBOT in safe mode so that they can do their job. Why safe mode? Because Spyware programs are generally configured to start up with Windows and to run the entire time Windows is running. As long as the programs are running, they are much less likely to be detected or successfully removed. In safe mode, most programs, even important ones configured to start up with the computer, such as Antivirus programs, don’t start up. Safe mode is the bare minimum of software needed for Windows to operate, and it’s supposed to be a clean environment for running maintenance of all sorts.
The directions for entering Safe Mode are the same for all versions of Windows.
Shut down all programs that you are working in and save all of your data.
Restart your computer
As your computer begins to start back up (when the screen turns black), begin repeatedly tapping the F8 key (located at the top of your keyboard).
If you catch it, your computer will soon come to a black screen with a menu full of options, including one that is SAFE MODE. If you did not catch it, turn off your computer and try again.
Using the arrow keys on the keyboard, Choose SAFE MODE, hit ENTER and wait a minute or five.
Your system will eventually come up to a black screen, with larger letters and Icons than you are probably used to seeing. This is Safe Mode.
You should see both MALWAREBYTES and SPYBOT on the desktop somewhere.
13. In Safe Mode, only a bare minimum of Operating System software is loaded. Most drivers do not run. Many optional services (such as Antivirus software) do not start. Safe Mode is just enough of Windows to run installed programs. With luck, being in Safe Mode will prevent the majority of non-virus Malware programs from operating, and being in Safe Mode also prevents a large number of Malware self-healing functions from working, which is why we need to use it.
Run Malwarebytes. Choose to do a FULL SCAN if the PC has any indications that it might be infected with something. Otherwise a QUICK SCAN is acceptable. Click the SCAN button.
You will be prompted for which drives to scan. I prefer to scan all the hard disk drives attached to my PC. You should at the very least choose to scan your C: drive. Click the START SCAN button.
This scan will take some time, depending on the speed of the computer, the speed of its disk drives and how many files need to be scanned.
After the scan, click the SHOW RESULTS button to see what the scan found.
Be sure to tell MalwareBytes to delete any infections it finds by making sure that all the infected items have a check mark next to them and then by clicking the REMOVE SELECTED button.
You should then see a message like this:
After removing infections, Malwarebytes may indicate that it needs to run again on reboot. This is acceptable. Close Malwarebytes.
Run Spybot. Click Check for Problems. Malwarebytes scans for infected files on a file-by-file basis. Spybot looks for files known to be associated with 300,000-odd specific Malware programs. Spybot’s scan should take much less time than MalwareBytes’ scan did.
RUNNING SPYBOT IN SAFE MODE
Double-click on SPYBOT. Since we are in SAFE mode, we cannot check for updates, even if we wanted to.
Click on SEARCH AND DESTROY
Click on the magnifying glass CHECK FOR PROBLEMS (towards the top)
If you watch the bottom status line, it will tell you where it is checking for all of the bad stuff. This should take about 3-10 minutes.
Click on FIX SELECTED PROBLEMS. This step could take five minutes and it could take hours or even longer.
Click on YES when it asks you “Do you want to remove selected problems”
When it is done, all of the boxes should now have GREEN check marks next to them. In some cases, Spybot will inform you that it must run again on system startup to fix a problem.
Close the program down and restart your PC.
It is not uncommon for Spybot to say that it cannot remove a particular software package until Windows is restarted. That is fine. The software will still be removed.
After the scan completes, be sure to tell Spybot to remove detected threats. As with MalwareBytes, Spybot might also request permission to run again on reboot.
We run two AntiSpyware applications with different philosophies for detection and removal to maximize our ability to remove malware; no one application works perfectly or provides truly complete protection. It is my experience that free software such as MalwareBytes and Spybot work much better than for-pay programs from big-name security companies.
14. Reboot the PC. Allow any additional scans to run. Verify that the Windows Firewall or whatever third-party firewall software is on the PC is turned on. Re-connect the computer to the internet. At this point, the computer should be clean of malware.
It is possible that fixing Malware might break certain parts of Windows Networking. The reason this happens is somewhat technical, but in essence some Malware will insert itself in the chain of functions that are required for what most people think of as full internet access. Therefore, after completing a Malware repair and reconnecting to the internet, it is important to start a web browser (preferably not Internet Explorer or any browser derived from it such as AOL or MSN) and ensure that the browser can visit normal web sites. I usually visit Google.com, since it is frequently hijacked by Malware, and CNN.com or Fark.com, since those web sites update very frequently every day.
If I get a “This Page Cannot Be Displayed” or “Address not found” error (and I’m sure that the network connection is plugged in and otherwise connected) that suggests that Windows Networking is broken. I then run WinsockXPFix from my Thumb drive or CD. This re-sets a much wider set of networking functions than the normal “repair” button found under Network Connections in Control Panel. After the repair is completed, the computer will need to reboot and network connectivity will have to be re-tested.
15. In rare cases, perhaps 10% of the time, there will be a Malware infection that is not removed by the aforementioned procedure. In this case the technician working on the infected PC must make a judgment whether to make further attempts to repair with other software, or whether it would be faster and easier to wipe the computer’s hard disk and start over. The latter is almost always faster, but capturing and restoring all user files and settings, not to mention device drivers on an infected PC can be daunting all on its own.
In some cases, a particularly nasty malware program might need a specially-made removal tool. SmitFraud is an example of a program that can be particularly tricky to remove. A repair program called SmitFraudfix sometimes works better than all-inclusive malware scanners such as Spybot.
16. Assuming that the PC is no longer behaving in any particularly suspicious fashion, the final steps in repairing Spyware are to turn System Restore back on, if necessary, and to install SpywareBlaster.
SpywareBlaster has a straightforward installation. One of the final steps is to select Manual updating (the free version of the program). When the program starts, choose to Download Latest Protection Updates, click Check for Updates, then on Protection Status on the upper left portion of the screen, then Enable All Protection. SpywareBlaster does not scan or remove any threats from a computer; it only establishes some rules that prevent a number of common infections from occurring.
INSTALLING AND RUNNING SPYWARE BLASTER
SpywareBlaster is a simple program that prevents your computer from contacting certain known-bad (bad as in “Installs or supports Spyware”) sites on the Internet. It does not remove any spyware one might already have. To Install SPYWAREBLASTER:
Double-click on the downloads folder on your desktop
Double-click on the icon that says SPYWAREBLASTERSETUPxyz.EXE
Click on NEXT
Click on I ACCEPT THE AGREEMENT and then NEXT
Click on NEXT on the INFORMATION screen
Click on NEXT on the SELECT DESTINATION LOCATION screen
Make sure that there is a check for PUT A SHORTCUT TO SPYWARE BLASTER ON THE DESKTOP
Click on NEXT
Click on INSTALL
Keep the box RUN SPYWAREBLASTER checked and click on FINISH
The first time you run SpywareBlaster, it will run through a series of help screens to explain how to use and update the program. Just follow along and click. Click NEXT on the SPYWAREBLASTER TUTORIAL screen
Choose MANUAL UPDATING on the UPDATING OPTIONS screen (automatic updates are only in the non-free version of the program), then click NEXT.
Click FINISH on the THANK YOU screen. If this is the second time in, you can simply double-click on the icon on the desktop in order for it to run. It will then look like the following:
SPYWAREBLASTER: PARTS OF THE SCREEN
Under QUICK TASKS
Close down SPYWAREBLASTER
Roughly one time a week, a user should start this program, click “Download Latest Protection Updates”, and then follow through by clicking the “Check for Updates Button” in the updates Window. Once updates have been downloaded, click the “Enable All Protection” button.
If the program is being used properly, there should always be zero items with protection disabled in each of the three categories. Every once in a while, a spyware program will add itself to SpywareBlaster’s exceptions list, so care should be taken that nothing is excepted from protection. “Enable All Protection” removes items from the exceptions list. A for-pay version of SpywareBlaster can update and add protection automatically. Honestly, that’s OK, but spyware is so pervasive that it’s probably better for a user to regularly monitor his or her computer by manually running and updating these programs.
Long term protection
Users should update their Anti-virus software every single day. Better software will do this automatically. Business-type Antivirus programs generally update on a schedule set by the system administrator. Those who are particularly sensitive to virus infection should schedule and run a virus scan on a daily or weekly basis. Ideally, these scans should be done at a time when the PC is on but no one is using the computer (e.g. 4:00AM). Antivirus software that is not able to update because its license has expired or because updates are no longer being supplied should be replaced immediately.
MalwareBytes and Spybot should be opened and updated approximately weekly. If Spybot updates are found, users should click on the Immunize button and re-immunize their computers. Scans in Safe Mode might need to be conducted weekly, bi-weekly or monthly, depending on the needs of the users of that PC.
Internet Explorer should not be used for browsing the Internet. Business users may be forced to use IE because intra-company web sites may depend on functionality found only in IE, but it is that same functionality that is often the cause of Malware infection; businesses often also have a staff of people who work to protect computers from security threats. When possible, browsing should be done with a non-Microsoft-based browser such as Mozilla Firefox, Operasoft Opera, Google Chrome or Apple Safari. A very small number of web sites do not function properly in web browsers other than Internet Explorer. Users should weigh very carefully whether or not they really need to visit those sites. A bank’s web site? Possibly. An online poker web site? Probably not a good idea.
There are a number of techniques for blocking Internet Advertising. Advertising, besides slowing web page loads, is also now a possible vector for Malware infection. Anyone interested in doing this should google “Hosts File” and read the information found on MVPS.org. Firefox users can install an Add-on called Adblock Plus. Opera Users can google for “Blocking Adverts In Opera” for detailed instructions with that browser.
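The same Hosts file that blocks advertising is also one place where malware can block security vendors' sites or redirect well-known sites, so it is worth auditing after a repair. The following is an added example, not part of the original article: it separates ordinary ad-blocking entries from entries that deserve attention. The watch list is built from sites the article names and the sample file is constructed.

```python
import ipaddress
import sys
from collections import namedtuple

# Watch list taken from sites the article names (download sources and the
# post-repair test sites). An assumption of this example; extend as needed.
WATCHED = ("avast.com", "gt500.org", "download.com",
           "google.com", "cnn.com", "fark.com")

Finding = namedtuple("Finding", "line host ip verdict")

# Constructed sample, not taken from a real machine.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         ads.example.net
127.0.0.1       www.avast.com
127.0.0.1       malwarebytes.gt500.org
203.0.113.66    www.google.com google.com   # routable address
192.168.1.10    fileserver
not-an-ip       cnn.com
"""


def _is_watched(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED)


def audit_hosts(text):
    """Return Findings for hosts entries a technician should look at."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not entry:
            continue
        try:
            addr = ipaddress.ip_address(entry[0])
        except ValueError:
            addr = None
        if addr is None or len(entry) < 2:
            findings.append(Finding(lineno, " ".join(entry[1:]), entry[0], "malformed"))
            continue
        # Loopback or 0.0.0.0 means "send this name nowhere"
        sinkhole = addr.is_loopback or addr.is_unspecified
        for host in entry[1:]:
            if _is_watched(host):
                # A watched site sent nowhere is cut off; sent elsewhere is hijacked
                verdict = "blocked" if sinkhole else "redirected"
            elif sinkhole:
                continue                          # localhost and ad-blocking entries
            else:
                verdict = "review"                # may be a legitimate local mapping
            findings.append(Finding(lineno, host, entry[0], verdict))
    return findings


if __name__ == "__main__":
    # With a path argument, audit that file; on Windows the live file is
    # %SystemRoot%\System32\drivers\etc\hosts. Without one, use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in audit_hosts(text):
        print(f"line {f.line}: {f.verdict:10} {f.host} -> {f.ip}")
```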
Other possible sources for Malware infection are E-mail, Instant Message Software, any file type that can be viewed through Windows Media Player, and PDF files. Not only is it a good idea to avoid using IE, when possible, users should consider alternatives to other common programs. Instant Messaging can be done with Meebo.com or the Pidgin client program. E-mails can be viewed through web-based services, or with non-Microsoft programs like Eudora or Thunderbird. PDF (“Acrobat”) documents can be read in Foxit Reader or Sumatra PDF Viewer. Movies and Music can be played in any of dozens of players such as WinAmp, Media Player Classic or VLC.