Archive for the ‘IT - How To’ Category

5 Nov
Do-it-yourself malware cleaning guide:

Introduction: In my career as a business computer network engineer I am often asked by customers how to best remove malware from their home computers. Since I have made a business decision not to work on home computers, I generally refer folks who ask me about this to one of several good IT guys I know locally who are willing to work on home PCs. However, I get asked about this often enough that I think it is worth my time to document the process and tools that I would use to try to remove such an infection.

Version 1.0 / November 5th 2009: This document comes with no warranty expressed or implied.

Credit where credit is due: My good friend Todd Bartlett is responsible for turning me on to most (if not all) of the tools mentioned here.  Todd – I am grateful for your friendship, and your good work in finding, testing and telling me about these tools.

Theory and warning: From a purely theoretical standpoint, once your PC has been infected by such malware, the only way to be 100% sure you are rid of it is to rebuild your machine from the ground up (back up all data, virus scan all data on a known clean machine, wipe the hard disk drive, reinstall the OS, reinstall applications, and restore the clean data). If you work in government or a large corporation in a position where you deal with sensitive information, this is almost certainly the route your IT department would take. However, many folks simply do not want to invest the time to do all of that. They are satisfied with what I would gauge to be a 99% solution. If you don’t deal with any particularly sensitive data on your PC, it may also be a reasonable option for you. That decision is for you and you alone to make. The reason is this: all of the products you are about to run (assuming you continue), including your anti-virus software, are designed to detect and remove “known” malware. That means malware that someone else has previously been infected with and that has since been included in the signatures of the products you are about to run. So it is theoretically possible that your computer has been infected with something the cleaning tools are not yet able to clean, or even detect. I would say the odds of this are low, but not zero. So, if you deal with sensitive data on the PC that has become infected, my suggestion is that you rebuild it from the ground up. However, my experience tells me that 95% of you will want to simply clean up and move on. So, with that in mind, I will do my best to help you do just that.

Assumptions and Preparation: Assuming you are interested in cleaning your machine rather than rebuilding it entirely, this article will assume you are running Windows XP. If you are running Windows Vista or Windows 7, the steps will be similar enough that you should be able to follow along. Before we begin, please make sure that you have a current backup of all of your data. If you don’t have such a backup, stop and make one now. If you don’t know how to do that, I strongly recommend asking someone who does to help you.

Let's get started! First, shut your computer down completely. Next, turn the power back on and immediately begin pressing the F8 key repeatedly, about twice per second. This interrupts the Windows boot process and presents you with a boot options menu. Using your arrow keys, choose the option labeled “Safe Mode with Network Support” and press Enter. When Windows boots, click “Yes” to proceed to work in safe mode.

Now we need to download the free tools we will use to clean your machine. Some of the newer malware programs are aware of some of these tools and will actively block your attempts to download and install them. If that is the case, download the tools on a clean PC and copy them to a flash drive that you can connect to the infected PC.

First: Download CleanUp from here: http://www.stevengould.org/index.php?option=com_content&task=view&id=29&Itemid=223
This wonderful program deletes many of the “temp” files from your PC. Not only does this save disk space and make your PC run faster, it also makes the other tools I am going to suggest you run next finish faster. I have used this program on lots of Windows XP machines; however, I do not know whether it is compatible with Vista or Windows 7.

Next download: Trojan Remover (30-day trial) from here: http://www.simplysup.com/tremover/download.html

Next download: Malwarebytes (free version) from here: http://www.malwarebytes.org/

Next, install and run those tools in the order listed above. Trojan Remover and Malwarebytes need to be “updated” before you run them, so install them, then update them, then run them. I am not going to go into detail on how to run each tool; each is fairly self-explanatory, and basic documentation is available on the sites listed above. However, I recommend that you run each tool repeatedly until it comes back and reports that it found no problem.

Generally, if you run a full scan with both Trojan Remover and Malwarebytes and they both report that your machine is clean, you should be all set. However, if both report no problems yet you still see evidence of a problem (popups etc.), or they keep reporting the same problem which they seem unable to resolve, I recommend running one last tool.

That tool is ComboFix, which you can get from here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix. ComboFix is a more aggressive tool and I prefer to run it only as a last resort. However, I have seen it remove infections that Malwarebytes and Trojan Remover could not.

What if, after doing all of that, I am still infected? Unfortunately, if that is the case I recommend that you go the route of backing up your data and rebuilding your PC from the ground up.

If doing this worked for you, there are a few other things I would suggest. First, run a full scan with your antivirus software. You do have antivirus software — right? If so, make sure it is up to date and do a full scan of your PC. Obviously you will want to clean any infections that you find. If you do not have antivirus software, and you are a non-commercial (home) user, I recommend that you download and install AVG Free from here: http://free.avg.com/us-en/homepage. AVG Free provides an excellent antivirus / antispyware package for free to home users.

Next, double check that you are up to date with all of the latest security patches for your operating system. This can usually be done by opening Internet Explorer and clicking Tools, then Windows Update. Then simply run through the Express Windows Update session and install any critical updates you may be missing. It is also a good idea to check for security updates for any other applications you have installed on your system.
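The two checks above (is an antivirus product registered and current, and how stale are the installed patches) can be scripted on newer versions of Windows. The script below is an added example and is not part of the original article or any of the tools it recommends. It assumes Windows Vista, 7 or later with PowerShell 3.0 or newer (Windows XP, which the article targets, does not ship PowerShell), that the `root\SecurityCenter2` WMI namespace is present (it is on client editions of Windows, not on Server), and that the `productState` bit decoding, which Microsoft documents only informally, follows the commonly observed layout noted in the comments.

```powershell
# Added example (not from the original article): a post-cleanup sanity check
# for Windows Vista/7 and later. Run from an elevated PowerShell prompt.

# 1. Which antivirus products does Windows Security Center know about,
#    and does it consider them enabled and up to date?
function Get-AvStatus {
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class 'AntiVirusProduct' |
        ForEach-Object {
            $state = [int]$_.productState
            [pscustomobject]@{
                Product  = $_.displayName
                # Assumption: bit 0x1000 set means real-time protection is on.
                Enabled  = (($state -band 0x1000) -ne 0)
                # Assumption: bit 0x10 set means definitions are out of date.
                UpToDate = (($state -band 0x10) -eq 0)
                RawState = ('0x{0:X}' -f $state)
            }
        }
}

# 2. When was the newest hotfix installed? A machine whose most recent
#    update is months old is very likely missing critical patches.
function Get-PatchAge {
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $latest) {
        return [pscustomobject]@{ LatestHotFix = 'none found'; InstalledOn = $null; DaysAgo = $null }
    }
    [pscustomobject]@{
        LatestHotFix = $latest.HotFixID
        InstalledOn  = $latest.InstalledOn
        DaysAgo      = [int]((Get-Date) - [datetime]$latest.InstalledOn).TotalDays
    }
}

Get-AvStatus | Format-Table -AutoSize
Get-PatchAge | Format-List
```

If `Get-AvStatus` returns nothing, Security Center has no antivirus registered at all; if `Enabled` is `False` or `UpToDate` is `False`, fix that before trusting a "clean" scan result. A `DaysAgo` value in the tens or hundreds of days is a sign that Windows Update is not running or is being blocked.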

Last, consider using an alternative browser instead of Internet Explorer. Personally, I really like Firefox, which you can get for free from here: http://www.getfirefox.com. Because of architectural differences in the way Firefox is designed, you are much less likely to become infected with spyware by visiting a web site when using it.

I hope this article was helpful to you. If it was, would you consider posting a comment and letting me know?

In addition, if you found this helpful and would like to share this information, I encourage you to do so. However, I also ask that you respect the time I put into writing this, and not simply copy and paste my work and claim it as your own. If you find this information helpful, please feel free to link directly to this article. In return I will do my best to keep it as up to date as possible.

Thanks,
David Winslow
