Cleaning Up A Malware Infection
By Sensei on Apr 11, 2011 | In News, Jutsu (How To's), Yoroi (Security)
Malware infection of Windows-based PCs is a problem that people are asking Sensei's help with at an alarming rate! The term "malware" refers not just to viruses but also to unwelcome adware, spyware, and similar forms of infection which, though not technically "viruses", can render your computer totally unusable and, even worse, leak your sensitive, personal, and private information, or even surrender control of your computer to someone out there in the vast internet cloud.
...
For some advice on what you can do to prevent getting infected with malware in the first place, see my article "Avoiding Malware". The bottom line is 1) run an alternative operating system such as Linux (Ubuntu, Debian, Red Hat, etc.) or Mac OS X - these operating systems are quite good and, while not immune, are targeted by far less malware than Windows, 2) use free software and internet services to block known sources of malware from entering your computer network, and 3) if you are dedicated to Windows, the smartest easy thing you can do to prevent malware infection is to install a good quality, reputable anti-malware product that includes "real time" protection. All three of the anti-malware products I mention further on in this article meet these qualifications, though you might have to pay for realtime protection. As a rule the traditional names in antivirus software just aren't that good at protecting against other kinds of malware. Yes, I'm talking about Norton, Symantec, McAfee. Not only do these products not clean up modern malware very well, their "Internet Security Suite" style offerings have a severe impact on the performance of your computer. My advice: uninstall them from your computer and use a good, lightweight antivirus product for virus protection in tandem with a good antispyware-specific tool. (At the end of this article are links to several good products in each category.)

But what to do if you are already infected with malware and you either don't have an anti-malware solution installed, or what you do have is malfunctioning or unable to clean up the infection?
Here is Sensei's "don't spend a dime recipe" for you do-it-yourselfers out there. This procedure using freely available software has really worked miracles for me, and is the first thing (and often the only thing) I do to computers that are brought to me with malware infections. Remember, after the infection is cleaned up and your pc is working normally again, you really should be using dedicated realtime anti-malware protection, and you might need to pay for that.
First, in regular Windows mode, or on a computer that is not infected, download the free versions of each of these three programs, then install them on the infected computer:
- Malwarebytes Anti-Malware: http://www.malwarebytes.org/mbam.php
- Superantispyware: http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
- Spybot Search and Destroy: http://www.safer-networking.org/en/ownmirrors1/index.html
If your PC does not seem to be able to download them, it could be the malware infection blocking you - use another computer to download the programs and save them to a flash drive, then install them on the infected PC from the flash drive. In some cases, the malware infection may even block the installation in regular Windows mode, but might install properly in Safe Mode under an administrator-level login. To get into Safe Mode, tap the F8 key while the computer is booting. A special menu will appear - select "Safe Mode With Networking" so that you will be able to download the anti-malware programs and their definition updates. For more detailed instructions on how to boot into Safe Mode, see this article: http://pcsupport.about.com/od/fixtheproblem/ss/safemodexp.htm
After installing each, start each one up one time to "check for updates" - all three of them have built-in updating mechanisms. At this time, also run the update utility on your antivirus product. If your antivirus software cannot be updated, is not functioning, or you do not have any installed, download and install the free ClamWin software from: http://www.clamwin.com/ . Before doing a scan with ClamWin, be sure to run the update process immediately, and go into the preferences and tell it to move infections to the quarantine rather than only report them! Let me say that again - by default, ClamWin only reports the virus infections it finds; you need to go into the options and modify them to quarantine virus infections! Keep in mind that ClamWin is an "on demand" antivirus scanner only - since it does not provide "real time" protection, it is not a good program to prevent virus infections. It is very good at cleaning them up after the fact, however. Thus, after your computer is restored from its malware infection, be sure to uninstall ClamWin and obtain a high-quality "realtime" antivirus program.
Once all three anti-malware products and your antivirus solution are installed and updated to the latest versions, reboot into Safe Mode (without networking). Log in with your own username and password. If prompted, indicate that you do not want to enter "System Restore". (One caveat: scanners generally cannot clean files inside System Restore points, so if a scan reports infected files under a "System Volume Information" folder, turn System Restore off and back on after the cleanup to discard the old restore points.)
Now run the "Disk Cleanup" wizard (Start->All Programs->Accessories->System Tools->Disk Cleanup) and let it delete all files from the Recycle Bin, Temporary Files, and Temporary Internet Files. If it suggests other types of files to delete, uncheck them - only allow it to delete the above three types. This will potentially save you significant time waiting for the scans to complete, since they will have fewer files to scan.
Now it's time to start scanning for those nasty malware infections. This is going to take lots of time and lots of patience. Hang in there thrifty ninja!
Do a full antivirus scan with your actual antivirus scanner (Norton, McAfee, AVG, Avast!, ClamWin, etc.). Do not reboot after the scan, even if the antivirus software suggests it. Next run all three of the spyware cleaners back-to-back without rebooting (each of them will probably encourage you to do a reboot after you run it, but do not reboot until all three have run). Run them in the order listed above: first Malwarebytes Anti-Malware, then SUPERAntiSpyware, and last, Spybot Search and Destroy. Some of them have different scanning modes: quick mode or full/thorough mode; make sure to select the full/thorough mode. Allow them to fix/clean up all problems found except "cookies" - cookies generally don't cause the kind of problems that make your computer unusable or buggy, and in some cases deleting them could affect your ability to use websites that are important to you. Each of these scans could take hours; hang in there, be patient, and let the scans run while you're at work, eating, sleeping, working out in the dojo, etc.
After all three anti-malware scans have run, reboot into regular mode and run each of them successively a second time in the same order. If any of them continues to find an infection (other than cookies!) after this second round of scans, you have one that is going to take some extra effort to remove.
Footnote: To be absolutely thorough, if you have more than one account/login on your Windows PC, you should repeat one round of the scanning process while logged in as each of these users! Some malware hides within one particular user's account settings area (that user's registry hive and profile folders) and therefore will not be cleaned up by running the scans as a different user.
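To see for yourself what the footnote is warning about, here is an added PowerShell script (it is not part of the original post and is not from any of the products above). It lists the autostart entries of every local user profile, not just the one you are logged in as: the Run/RunOnce registry keys and the Startup folders, with a SHA-256 of each target file, so that anything still present after the second round of scans can be traced to the profile it lives in. It assumes an elevated PowerShell prompt, ideally in Safe Mode so that other users' NTUSER.DAT hives are not in use, and the function names, the temporary hive name `MalwareCleanupTmp`, and the heuristic for pulling an executable path out of a Run value are all my own choices, not anything the page specifies.

```powershell
# Added example, not part of the original post: list every user's autostart
# entries (Run/RunOnce keys and Startup folders) with a SHA-256 of each target,
# so you can see what survives a second round of scans and which profile it
# lives in. Run from an elevated PowerShell prompt, ideally in Safe Mode so the
# other users' registry hives are not in use. Assumption (mine, not the page's):
# hashing uses .NET directly so it also works on PowerShell 2.0 (Windows 7 / XP).

$RunKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
# Startup folder locations relative to a profile: Windows 7 first, Windows XP second.
$StartupSubdirs = @(
    'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup',
    'Start Menu\Programs\Startup'
)

function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { [System.BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '').ToLower() }
    finally { $stream.Close() }
}

# Heuristic: take the quoted or first whitespace-delimited token of a Run value
# as the executable, expand %VARIABLES%, and hash it if the file is there.
# A bare name such as rundll32.exe (resolved via PATH) will show as MISSING.
function Resolve-RunTarget([string]$CommandLine) {
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"') -and $cmd.IndexOf('"', 1) -gt 0) {
        $exe = $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1)
    } else {
        $exe = ($cmd -split '\s+')[0]
    }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (Test-Path -LiteralPath $exe) { return "$exe  sha256=$(Get-Sha256 $exe)" }
    return "$exe  MISSING (already removed, hidden, or resolved via PATH)"
}

function Show-RunKeys([string]$HiveRoot, [string]$Label) {
    foreach ($sub in $RunKeys) {
        $key = "Registry::$HiveRoot\$sub"
        if (-not (Test-Path $key)) { continue }
        $values = (Get-ItemProperty -Path $key).PSObject.Properties |
                  Where-Object { $_.Name -notlike 'PS*' }   # drop the provider's PSPath etc.
        foreach ($v in $values) {
            "{0} | {1}\{2} | {3}" -f $Label, $sub, $v.Name, (Resolve-RunTarget ([string]$v.Value))
        }
    }
}

function Show-StartupFolder([string]$BasePath, [string]$Label) {
    foreach ($sub in $StartupSubdirs) {
        $dir = Join-Path $BasePath $sub
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Force | Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { "{0} | Startup folder | {1}  sha256={2}" -f $Label, $_.FullName, (Get-Sha256 $_.FullName) }
    }
}

"== Machine-wide entries =="
Show-RunKeys 'HKEY_LOCAL_MACHINE' 'HKLM'
Show-StartupFolder $env:ALLUSERSPROFILE 'All Users'                                 # XP layout
Show-StartupFolder (Join-Path $env:ALLUSERSPROFILE 'Microsoft\Windows') 'All Users' # Vista/7 layout

# Walk every local user profile (SIDs starting S-1-5-21-...), not just the one
# you are logged in as: this is the point of the footnote above.
$profileList = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
foreach ($entry in Get-ChildItem $profileList | Where-Object { $_.PSChildName -like 'S-1-5-21-*' }) {
    $sid = $entry.PSChildName
    $profilePath = (Get-ItemProperty $entry.PSPath).ProfileImagePath
    "`n== Profile $profilePath ($sid) =="
    Show-StartupFolder $profilePath $sid
    if (Test-Path "Registry::HKEY_USERS\$sid") {
        # Hive already loaded (the current or another logged-on user): read it in place.
        Show-RunKeys "HKEY_USERS\$sid" $sid
    } else {
        # Mount the user's offline NTUSER.DAT under a temporary name, read it, unload it.
        $hive = Join-Path $profilePath 'NTUSER.DAT'
        & reg.exe load 'HKU\MalwareCleanupTmp' $hive | Out-Null
        if ($LASTEXITCODE -ne 0) { "  could not load $hive (in use or missing)"; continue }
        try { Show-RunKeys 'HKEY_USERS\MalwareCleanupTmp' $sid }
        finally {
            [GC]::Collect()   # release the provider's handles so the unload is not refused
            & reg.exe unload 'HKU\MalwareCleanupTmp' | Out-Null
        }
    }
}
```

Run it once before the first scan and once after the second round; an entry that appears in both listings with the same hash, under a profile you never scanned from, is exactly the kind of leftover the footnote describes. A target marked MISSING is worth a second look too: either the scanners already removed the file and only the Run value is left, or it is being hidden from the file system.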
Antispyware Tools
- Malwarebytes Anti-Malware: a great commercial antispyware scanner that has a free edition lacking realtime protection. The paid version includes realtime spyware protection.
- SUPERAntiSpyware: another great commercial antispyware scanner that has a free edition lacking realtime protection. As with Malwarebytes, the paid version includes realtime spyware protection.
- Spybot Search and Destroy: this one is not great all by itself, but it does find and clean up messes that the others won't, is available for free (all features), and includes a couple of forms of realtime protection. If you want realtime protection but don't want to spend any money, Spybot S&D is an excellent choice.
- Spyware Terminator - truth be told, Spyware Terminator is not the greatest at cleaning up spyware infections. BUT, not only is it free, it is really good at realtime protection, and is the only way Sensei knows of to get free realtime protection from both spyware (internal to Spyware Terminator itself) and viruses (through Spyware Terminator's ability to integrate with the excellent open-source ClamWin antivirus software). One other great thing about S.T. is that it does extremely fast antispyware scans - much, much faster than Malwarebytes, SUPERAntiSpyware, and Spybot S&D, so it is a good tool for getting a quick feel for whether you have an infection or not; if you do, use S.T. followed by the other three to put the kapowie on it! This is a very good choice for a thrifty ninja who wants free realtime protection that is very light on resources from a single product.
Antivirus Tools
- ClamWin - this is the only open-source antivirus product for Microsoft Windows that Sensei knows of. It does not have built-in realtime protection, but does a good job cleaning up existing virus infections. For realtime protection utilizing ClamWin, download and install Spyware Terminator.
- Avast! Antivirus - a great antivirus product available for many different situations (server and network protection, single workstation protection, etc.). It is lighter than most on your computer's resources and is available in a free edition for home users.
- Avira Antivirus - another great antivirus product that is light on resources, available in a free or "professional" edition.
- AVG Antivirus - like the other two above, an overall good antivirus product available in a free edition.