Complete Virus/Spyware/Malware Removal Guide
People have a lot of misconceptions and misunderstandings about viruses and malware, and I'd like to clear some of that up today. First off, there is no virus that a computer repair shop can remove that you cannot remove with the legally free tools I will provide you with. This is because, for the most part, they will use the EXACT same programs; I know because I work at one. Worst case scenario is that you successfully remove the virus and you need to reinstall Windows, but that's OK because now you can safely recover any important data.
Always run your scans in Safe Mode With Networking. To get to this, restart your computer and hit F8 repeatedly until the menu comes up giving you the boot options. Always log into the Administrator account.
If you can't run anything in Safe Mode, skip down to the Rescue Discs section and then come back here after running some of those. That should clear up whatever's blocking you from running regular scans.
OK, the first thing you're going to want to do is run CCleaner (www.Piriform.com) to clear out temporary files. This has the possibility of taking out some weak malware, but the main reason you're doing this is just to speed up scan time. If your system doesn't have to waste time scanning temporary files you can get up and running quicker. On the left-hand side of CCleaner select all boxes except Autocomplete Form History and Wipe Free Space: Autocomplete just for your convenience, and Wipe Free Space because it can take a long time and doesn't do a whole lot. Nothing harmful, though, if you want to do it.
Second: Download and run [http://www.bleepingcomputer.com/combofix/how-to-use-combofix] Combofix. Press Yes to the disclaimer and then press Yes when it asks you twice if you wish to continue running because "_____ antivirus might interfere". Don't worry, it won't hurt anything; the worst that will happen is Combofix won't run. Let it update and install the Recovery Console (if not already on your computer; if it doesn't prompt you for it, you've got it), and if it says it detects rootkit activity and needs to reboot, go ahead, just make sure you reboot back into Safe Mode again. It'll run before the OS fully loads.
Third: Next is the [http://support.kaspersky.com/viruses/avptool2010?level=2] Kaspersky Virus Removal Tool. It will scan and then uninstall after you close it; you don't need to update it, as they release new versions every couple of days or so. Make sure you change the area that says "Prompt For Action" to "Select an Action" and then to "Delete", not disinfect, and make sure you check all the necessary boxes for all your hard drive partitions.
Fourth: You can run this step and the next step together, as they are both relatively light and won't cause conflict with each other. Download [http://malwarebytes.org/] Malwarebytes, install it, update it and then do the Full Scan. After the scan is finished, have it remove all infections found.
Fifth: [http://www.safer-networking.org/index2.html] Spybot: Search & Destroy is another anti-malware/spyware scanner. Update and then do the Immunize section before doing the "Check For Problems" section. When you install, it'll ask you to back up your registry; don't do that right now, as you may have issues from the infections. After the scan is finished make sure all boxes are checked and click "Fix Selected Problems".
The Rescue Discs
Now, to ensure that you've completely cleared out your system, I would recommend burning and running at least 1, preferably 2, of the following Rescue Discs, though more scans never hurt. They will boot into their own Linux-based operating system that will stop any viruses from interfering with the scans. Most have a self-contained burner included, but if you need to burn the ISO file and don't have the proper program, download the free [http://www.daemon-tools.cc/eng/downloads/dtLite] Daemon Tools Lite.
To boot from these you can press the hotkey at startup. It's different on different manufacturers' systems, and even within those it can vary, but these are the most common: F12 for Dell, F10 or ESC for HP, F2 or ESC or F12 for Toshiba, F10 for Gateway. You may just have to try different ones to figure it out, but those are the most common. If you can't find it, just boot into the BIOS (most often F2, could be ESC or something else) and change your Boot Device Priority to have CD Boot in the first position.
[http://www.avira.com/en/support-download-avira-antivir-rescue-system] Avira Rescue CD - When the first menu loads up in DOS format, select the first option. If you encounter graphical issues loading the CD, restart and select the 5th option. You'll have to just test out different screen sizes to find one that's compatible. Once you have the disc loaded you'll have to click the British flag button to get it into English as opposed to German. Go to the update option and attempt to update. Make sure you go to "Configuration" and select "Remove Infected Files". Now go to "Virus Scanner" and click "Start The Scanner".
[http://www.avg.com/us-en/avg-rescue-cd] AVG Rescue CD - Press Enter at the first screen to boot it up and accept the license agreement. Then go ahead and update it. Select the scan option to scan your entire volume. After the scan is finished go to "View Scan Report" (if it doesn't come up automatically) and delete all infected files.
[http://download.bitdefender.com/rescue_cd/] Bitdefender Rescue CD - After it loads up select the "Start Knoppix" option for your language, it will update automatically and take you to the screen where you can select a Full Scan of your system.
[http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/] Kaspersky Rescue CD - If the removal tool ran successfully, there's not much need to run this in addition. But if you couldn't get the Safe Mode scans to work, this is a great one to run first. After you've got it booted up (it may take a while for it to fully mount), run the update option. Check the settings and make sure the "Objects Scan" section is set to high. As with the Kaspersky Virus Removal Tool, make sure you change the area that says "Prompt For Action" to "Select an Action" and then to "Delete", not disinfect, and make sure you check all the necessary boxes for all your hard drive partitions.
[http://trinityhome.org/Home/index.php?content=TRINITY_RESCUE_KIT_DOWNLOAD&front_id=12&lang=en&locale=en] Trinity Rescue Kit - This is a very nice all-purpose tool kit, but it does have some nice virus/malware scanning utilities such as Avast, ClamAV and Bitdefender included. Some basic info on its scanning utilities can be found here: [http://trinityhome.org/Home/index.php?wpid=40&front_id=12], but if you're not that tech-oriented I'd probably stick with the above Rescue CDs.
Here are some final steps for cleaning up your system and making sure the malware/spyware is all gone.
You're going to want to repeat steps Four and Five in the scan section (Malwarebytes and Spybot) in Safe Mode on each user account on your computer.
READ THIS ONE CAREFULLY!
[http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html] Hijack This - This is a great utility for hunting down running processes that you don't want. Be very careful, though, because it Does Not discriminate; it tells you everything, so don't remove anything until you've checked the log on http://hijackthis.de/.
Load up the program and press the "Do A System Scan and Save A Log File" option. After it scans, copy and paste the entire log into http://hijackthis.de/ and then click the "Analyze" button at the bottom. Check for any processes with an X to the right of them. Anything like that you can safely remove.
After all is said and done, run [www.piriform.com] CCleaner again on each user account just for good measure. Run the Cleaner section, then go to the Registry section, press "Scan For Issues" and then click "Fix Selected Issues". You can back up the registry changes if you want, but you don't need to; then click "Fix Selected Issues" in the next window.
If you still feel that your computer may have some remaining spyware/malware you can feel free to run any or all of the below scanners as well. Remember, you can never have too many malware/spyware scanners! You never want more than 1 antivirus though.
[http://www.lavasoft.com/products/ad_aware_free.php] Ad-Aware - Tried and true scanner, still very solid.
[http://www.emsisoft.com/en/software/cmd/] Emsisoft Command Line Scanner - This is all that remains of my favorite free malware program of all time, A-Squared. It's command line, so you're going to need to have an idea of what you're doing to use it. You can still get the trial for [http://www.emsisoft.com/en/software/antimalware/] A-Squared, but to be honest I'm not sure how restrictive they've become with what the trial can do.
[http://www.superantispyware.com/] SuperAntiSpyware - Another very solid spyware/malware scanner.
[http://download.cnet.com/Webroot-Spy-Sweeper-2011/3000-8022_4-10192729.html] Webroot Spysweeper - Pretty mediocre, I only use it as a last resort.
There are a few others that are pretty mediocre, like Spy Hunter and Spyware Terminator, that I'm not even going to bother to link or recommend.
If you had a bad virus infection it may have caused some damage to your Windows so below I will provide links to the hotfixes for the most common problems you can encounter.
[http://www.dougknox.com/xp/file_assoc.htm] XP File Association Fixes - When you encounter this problem, you will get an error message saying that Windows doesn't know what to do with a given file type, be it .exe, .dll or whatever. That site has registry fixes for restoring the file associations for just about any file type.
[http://www.winhelponline.com/articles/105/1/File-association-fixes-for-Windows-Vista.html] Vista File Association Fixes - Same as above but for Windows Vista, these should work for Windows 7 as well as they are built upon the same architecture.
[http://support.microsoft.com/kb/971058] Windows Update Repair Vista - If you're having problems with Windows Updates after clearing out your infections (make sure they are clear by not skimping on the steps, because malware can stop Windows from updating as well), then this utility provided by Microsoft can do a damn good job of fixing it. It is built for Vista, and should work on 7.
[http://support.microsoft.com/fixit] Windows FixIt - Surprisingly, Microsoft actually offers a useful tool for repairing issues for once!!! They have fixes for printing problems, cd/dvd, startup and sound.
Now that you're all cleaned up, time to make sure you have a good antivirus! DO NOT INSTALL MORE THAN ONE OF THESE! And make sure any other antivirus you had is uninstalled.
[http://www.avira.com/] Avira Antivir - Very good, I use this for myself. It's light running, has high detection rates and easy automated scans.
[http://www.cloudantivirus.com/en/] Panda Cloud - A cloud based scanner, very solid and since it runs in the cloud chances are it won't get corrupted by an infection.
[http://download.cnet.com/Avast-Free-Antivirus/3000-2239_4-10019223.html?part=dl-85737&subj=dl&tag=button] Avast - Another tried and true warrior like AVG.
[http://www.microsoft.com/security_essentials/] Microsoft Security Essentials - This is the first Microsoft security program that I feel safe recommending, very good.
Norton, McAfee: pretty much the same, and all have the capability of destroying your operating system by embedding themselves way too deep. Also, their detection and removal abilities are sub-par. Norton 360 is the worst, as it tries to do a little of everything and doesn't do anything well.
If you have any of these and need to uninstall them, I'd recommend using the utility, as you will probably encounter problems otherwise.
[http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN&ln=en_US] Norton Removal Tools - Just pick which version you have.
[http://service.mcafee.com/FAQDocument.aspx?id=TS100507] McAfee Removal Tool Instructions - Just follow 'em.
Now that your system is all clean and back in working order, how do you stop from getting viruses in the first place?
1. Do not click anywhere inside of pop-up ads, and don't close through the X in the corner, as in some cases that is an "Accept Viruses" button; use Ctrl+W or Alt+F4 to close out the window.
2. Don't use p2p sharing like LimeWire, BearShare, FrostWire; if you have to download, torrenting is slightly safer, but it really depends on the content. If you're downloading porn there's a good chance, no matter where you get it, that it could be infected. Whenever downloading something you're not sure about, tell your antivirus and/or Malwarebytes to scan the downloaded file/folder before doing anything else with it.
3. Keep a firewall up. Windows' built-in firewall is plenty good enough, just make sure it's on.
4. Keep your Flash (http://get.adobe.com/flashplayer/) and Java (http://www.java.com/en/) up to date, and never install a shady or fake-looking plug-in, especially if it's in the form of a popup. Virus coders love to disguise their package as a Flash or Java update or something for your web browser.
5. Trust your instincts, if a website looks like it might contain something malicious or dangerous, then it probably does.
6. Don't download from places you don't trust.
7. For the love of god, do not use Internet Explorer; use an alternative browser such as [http://www.mozilla.com/en-US/] Firefox or [http://www.google.com/chrome/intl/en/landing_chrome.html?hl=en] Google Chrome.
8. When using Firefox, NoScript (http://noscript.net/) can be very helpful, as it will prevent malicious scripts from activating when you simply go to a certain web page. The downside is that it prevents ALL scripts from running, so you'll have to manually allow the ones you actually want running. This can be too much for some novice users, but it is an awesome add-on.
That about wraps it up for now; if anyone thinks of anything I'm missing here, please post and let me know! Also, if you have more specific issues, feel free to post for help!
Edited by Aragorn on 1/20/11 5:37 PM (PST)
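The guide above tells you to paste a HijackThis log into hijackthis.de and only remove entries the analysis marks. As an added example (not part of the original post or of the HijackThis tool), here is a small Python triage that reads the O2 (browser helper object) and O4 (registry Run key) sections of such a log and lists the entries a reviewer should look at first: autostarts running from a temporary directory, a core Windows binary name running from outside \Windows\, and BHOs whose DLL is missing. The sample log is constructed; its layout follows HijackThis output as an assumption, and the flagging rules are a defender's heuristic, not a verdict.

```python
"""Triage autostart entries from a HijackThis-style log.

Added example for this thread; it is not part of the original post or of the
HijackThis tool. The sample log below is constructed, and its layout follows
the O2 (browser helper object) and O4 (registry Run key) sections of
HijackThis output as an assumption. The flagging rules are an educator's
heuristic: anything flagged still deserves a look on hijackthis.de before
it is removed.
"""
import re
from typing import List, NamedTuple

# Constructed sample log (the GUIDs and user paths are made up).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4 (constructed sample)
O2 - BHO: Adobe PDF Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - (no file)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [svchost] C:\Users\Alice\AppData\Local\Temp\svchost.exe
O4 - HKCU\..\Run: [msupdate] C:\Documents and Settings\Alice\Local Settings\Temp\update.exe /silent
O4 - HKCU\..\Run: [Explorer] C:\Users\Alice\AppData\Roaming\explorer.exe
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]*\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Directories that legitimate autostart entries almost never live in.
TEMP_MARKERS = ("\\temp\\", "\\local settings\\temp\\", "\\appdata\\local\\temp\\")
# Core Windows binary names; a copy running from outside \Windows\ is a classic disguise.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


class Finding(NamedTuple):
    section: str
    name: str
    path: str
    reason: str


def executable_path(cmd: str) -> str:
    """Pull the executable out of a Run-key command line (quoted, or up to the first .exe)."""
    cmd = cmd.strip()
    quoted = re.match(r'^"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    unquoted = re.match(r"^(.*?\.exe)\b", cmd, re.IGNORECASE)
    return unquoted.group(1) if unquoted else cmd


def triage(log: str) -> List[Finding]:
    """Return the entries a reviewer should look at first, in log order."""
    findings: List[Finding] = []
    for line in log.splitlines():
        bho = O2_RE.match(line)
        if bho:
            if bho["path"].strip().lower() == "(no file)":
                findings.append(Finding("O2", bho["name"], bho["path"],
                                        "BHO registered but its DLL is missing (orphaned or hidden)"))
            continue
        run = O4_RE.match(line)
        if not run:
            continue
        path = executable_path(run["cmd"])
        low = path.lower()
        base = low.rsplit("\\", 1)[-1]
        if any(marker in low for marker in TEMP_MARKERS):
            findings.append(Finding("O4", run["name"], path, "autostart runs from a temporary directory"))
        elif base in SYSTEM_NAMES and "\\windows\\" not in low:
            findings.append(Finding("O4", run["name"], path, "system binary name running outside \\Windows\\"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} [{f.name}] {f.path}: {f.reason}")
```

Run it as a script to see the four flagged entries from the sample; the two Adobe entries and the Microsoft Security Client entry pass because they run from Program Files under their own names, which is the kind of context hijackthis.de is also weighing when it marks a line with an X.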
I prefer Malwarebytes' Anti-Malware as a "check up" of an infected system. If something is still occurring I suggest a HijackThis scan, and if it's severely infected, ComboFix, since it's super powerful. On systems that are infected by hijackware, like malicious software pretending to be an antivirus with highly restrictive settings, I suggest using rKill to stop the process initially and then throw down a Combofix. But this is just personal preference.
I know this guide is now old, and that I'm probably a little late on the uptake, but I felt the need to say this anyway.
I am the geek of the family -- you know, the one who always has to deal with the "OMGZ! I has teh virus 'n' itz takin meh bank pazzwordz" stuff, even if it's just ad-ware or (heaven forbid) a warning about a cookie -- and I have to say, very good stuff there. Definitely a great guide, and I learned about a couple of new tools to add to my recovery disk collection :)
I also wanted to say that for anybody using Shaw Internet, Shaw Secure is a great F-Secure-based antivirus as well and is provided free for all Shaw Internet Services customers. I have been using it for years and it is definitely on par with Microsoft's Security Essentials.
Also, it's ALWAYS a good idea to have either a recovery disc for every computer that contains the factory-default settings and/or files, or the Windows disc for your operating system, in case for whatever reason your antivirus sweeps have been unable to clean a critical file and are forced to quarantine/delete it. You can always dig in and find the file you need and replace it with the clean from-factory file from the disc. Also note: It is *NOT* illegal to find a disc image and burn it if you plan on using it in this way, so long as your computer was shipped with that version and thus has a licence for a copy of that software. What is illegal is using that software without a licence through a third-party hack/crack/downloaded serial. However, if downloading a disc image, be sure it is from a legit place that did not alter the contents from the original. Your best bet is to find a family member or geek friend or even your child who already has a copy and get a copy from them.
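The post above says to make sure a downloaded disc image was not altered from the original. The usual way to check that is to compare the file's hash against the digest the publisher lists beside the download. As an added example (not part of the original post), this Python snippet hashes a file in chunks, so a multi-gigabyte ISO does not have to fit in memory, and compares the result with the published value in constant time. It assumes the vendor publishes a SHA-256, SHA-1 or MD5 digest; the file it checks is a constructed stand-in written to a temporary directory.

```python
"""Verify a downloaded disc image against the digest its publisher lists.

Added example for this thread, not part of the original post. It assumes the
download page gives a hex digest (SHA-256 preferred; SHA-1 or MD5 if that is
all the vendor offers). A mismatch means the image was altered, corrupted or
truncated and should not be burned.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Tuple


def digest_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of an in-memory buffer (used for small checks and tests)."""
    return hashlib.new(algorithm, data).hexdigest()


def file_digest(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hex digest of a file, read in 1 MiB chunks so large ISOs stay out of memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, expected_hex: str, algorithm: str = "sha256") -> bool:
    """True only if the file's digest equals the published one.

    The published value is normalised (whitespace, upper/lower case) and the
    comparison uses hmac.compare_digest so its timing does not leak how many
    leading characters matched.
    """
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def demo() -> Tuple[bool, bool]:
    """Constructed stand-in for an ISO: verify the good copy, then a tampered one."""
    contents = b"constructed image contents\n" * 1000
    published = digest_bytes(contents)  # what the vendor's download page would list
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "rescue.iso")
        with open(iso, "wb") as fh:
            fh.write(contents)
        intact = verify_download(iso, published.upper())  # case in the listing should not matter
        with open(iso, "ab") as fh:
            fh.write(b"x")  # one extra byte: simulates an altered or truncated download
        tampered = verify_download(iso, published)
    return intact, tampered


if __name__ == "__main__":
    intact, tampered = demo()
    print(f"intact copy verified: {intact}; tampered copy verified: {tampered}")
```

For a real download, replace the constructed file with the ISO path and `published` with the digest copied from the vendor's page; the algorithm argument must match the kind of digest the vendor lists.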
Okay, antivirus from Microsoft, the same makers of your Personal Computer (PC). It is called Microsoft Security Essentials, and just like IE9 it blows every other competitor away.
Use that link to download it, it requires a valid version of Windows 7/Vista/XP.
First and foremost,
Use this tool to fully remove your ROOTKIT TDL3/TDL4 out of your MBR memory.
Get the free version and do the Free Scan. You will be set.
Have a Good Day
-Senior Tech Security/Virus Removal
lol I do my own virus removal... I work as a comp. programmer and engineer and I've gotten BSODs like 3 times. I brought my computer back to life xDDD. These steps are also what I do, not on a regular basis or anything but, say, once every 2-3 months. That does the job for your computer. A good one (you can DL this and look up how to get the free, full version on Google) is Advanced SystemCare. It can clean your computer of junk, defrag and much more reasonably quickly. But if you do choose to use it, DO NOT ACTIVATE REGISTRY CLEANER. That can destroy your computer's software and, to a more severe extent, your hardware, so be sure to switch that off. Otherwise, it's a great little tool and I use its extra features every day just to keep tabs on my RAM and CPU usage, so it's handy.
So Norton 2012 is not safe? And no, it's not Norton 360... or does it just lag up the machine? I'm confused.
It says that it doesn't make the computer lag, but it does due to its large size (their site lies). It backs up about 2 Gb of online data previously, which also lags it; its crash and backup recovery system doesn't work well, and some other stuff. The only good thing is its virus scan and removal system, and even in that field it is terrible. I use Panda Cloud Antivirus; it does everything I need it to do and since I got it, I've never had a virus. Plus, part of their funds go to WWF funds, so I'm helping endangered animals too :D. Hope I helped ^^
@BlueCow GJ bro. It is incredibly helpful that you shared this precious amount of data with others who never knew; it saves one more computer out there ^^
Not true. If that were the case, you wouldn't be able to manually remove malware, but it is entirely possible. You just have to know what you are doing. When you find out the name of the malware, find out what exactly it affects and such. Then you can figure out its lethal extent. I'm able to manually remove most (I won't say all) malware with some hardcoding and programming and with one USB (to deport it if I have to). The only virus where you'd need to reformat is a worm virus, and even then it wouldn't help since it eats literally your whole system and destroys your hardware/software altogether. Besides, by zipping the worm into a file before it affects your computer on a mass level, you can get rid of it. Anything's possible bro; you'd be surprised what extent a computer can be taken to. I mean, I know enough about Notepad alone that can get me 2 years jail time, and how to wipe a computer using 2-3 simple lines in Notepad (batch files). It's simple and deadly, but it is preventable. Everything is preventable and you don't need to format. Also, whoever told you to format to delete malware is wrong, because the malware can still live in the system. Remember: your data will never be COMPLETELY deleted. Hope I helped ^^