Blocklist-Update.sh is a script that I wrote to manage blocklists from Bluetack and similar sources for use with the Transmission torrent client on Linux/macOS. The script can be tailored to work with qBittorrent as well, but because Transmission keeps its blocklists in its own directory under .config, you would have to redirect the blocklist to somewhere locally manageable. I believe there are about 10 lists in it now. It works well for my needs, and it can be run weekly from crontab under a standard user profile. To download: blocklist-update.sh. To download the others: Github.
Viruses are annoying, often misdiagnosed, and some are hard to find. Like viruses in the body, computer viruses are seemingly invisible and self-replicating. Viruses fall under the umbrella term malware; malware, however, isn't always a virus, and can cover anything from spyware and PUPs to rootkits. While not all malware is the same, each kind brings its own bad behaviour, so it is important to stay vigilant about routine maintenance and security on vulnerable systems. Whether you're a technician or an average computer user, here are some tips on how to deal with the threat and stay safe, along with a list of common infections.
Malware, as previously mentioned, encompasses many different types of infection. Each does something different, but the end goal is usually similar. Some malware relies on other malware that it downloads from another server after it has been installed; other malware is just a carrier for something even worse already packed inside it (the payload); still other malware can self-replicate and/or call home and send user data to the creator's server halfway across the world. Antivirus and antimalware products sometimes handle these types differently depending on severity. The malware in question often includes:
- TROJAN: Trojans use the disguise-and-conquer technique; they are malicious software disguised as legitimate software. A trojan usually grants outside persons access to the machine, and it may carry a payload.
- ADWARE: Usually more annoying than harmful, though some adware can contain viruses and spyware. Adware is tricky for some antivirus products to remove because it doesn't often directly harm the system. Adware tracks users across various sites, and some free software includes it.
- ROOTKITS: Rootkits are typically planted in a hidden system folder such as System32 or something similar. They usually stay quiet, but they do make changes to system boot files and the like. Rootkits are often unseen by antivirus software, but they can make your life hell; they can even cause you to lose data to other individuals.
- PUPS: These programs are usually installed in the form of a free trial, or they come bundled with other software. They are usually unwanted, but not always directly harmful to your system. Antimalware can often find them; Malwarebytes is good at this.
- SELF-REPLICATING VIRUSES: These buggers can replicate and infect more systems that way. Certain viruses attach themselves to every file on your system and encrypt or overwrite the file, much as the Sality virus did. Viruses can create botnets, but often they steal data, cause high CPU load for no reason, and overwrite your system files to run their own executables.
- WORMS: Worms are often pretty insidious. They can carry payloads that do more damage than the worm itself. They burrow their way in, much like a worm, by finding holes in software and operating system security, and they travel across the network from device to device. Much like viruses, worms can multiply; unlike viruses, they do this independently.
- SPYWARE: Spyware is often used to track anything from browsing habits to keystrokes. It can be spread via other software, and it can make changes to the hosts file and network settings. Spyware can often steal login information when a user merely opens a browser with saved passwords or logs into their accounts. Sometimes adware uses spyware to steal data or spy.
- BOT: A botnet is a network of computers or other internet-connected devices in a "zombie" state, controlled by malware to bombard servers with traffic in the hope of bringing them down and collecting ransom from their owners. Bot malware creators don't care about you; they only want your device and bandwidth. People have gotten into trouble with law enforcement because their devices were part of a botnet.
- BUGS: This often includes what are known as exploits. Bugs are discovered as missing or incorrect code in a piece of software, and their effects range from alterations in expected behaviour to damaging security holes that let attackers reach other parts of your system through that software. While exploits are usually thought of as browser exploits, bugs in other software can be exploited as well.
Whether you have any of these types of malware or not, it is a wise idea to run frequent scans on your system. Users often don't know where to look, but learning where these files hide makes removal more complete and easier in the future. Antivirus software is usually recommended, but antivirus software can only detect what it knows about: it relies on definition updates, which sometimes happen twice a day. Antimalware is often a completely different piece of software for removing leftovers. Antivirus and antimalware solutions have both adapted to ridding the system of more and more widespread types of malware; neither works only on trojans or PUPs anymore, and both work on viruses. But antimalware such as Malwarebytes is good at picking up whatever popular antivirus solutions miss. I often run this application first.
What makes Malwarebytes different is that they study and work on more services and apps outside of their antimalware. They are usually like first responders: they typically know what other antimalware companies know at the time those companies learn it. They acquired hpHosts in an attempt to further harden their website-based exploit and malware blocking, and they acquired other tools that were not well known and used them to learn new ways to remove and clean infections. Malwarebytes has always been the best software I have ever used at removing infections from my PC, and it is now even better. Malwarebytes started out with fewer features but the same great signatures, which were often updated faster than antivirus definitions. It now includes an anti-exploit, an anti-rootkit, and shields that protect users from intrusion. It uses advanced heuristics in a way that goes beyond antivirus, which still has issues with this.
AdwCleaner is another tool that was recently acquired by Malwarebytes. It searches the registry for common malware keys and browser extensions associated with malware, then removes the folders that those registry items point to and reboots the system to enforce the changes. AdwCleaner is a very simple yet very powerful tool for removing things that antivirus software doesn't get. This is often my second scan. Portable.
Junkware Removal Tool (JRT) is a tool in the Malwarebytes arsenal that digs deeper into the system to uncover stray registry entries, empty folders, leftover pieces, and maybe even certain types of toolbars. JRT was discontinued by Malwarebytes as of October 26th, 2017. AdwCleaner does many of the things this did, and so does Malwarebytes itself now. Portable.
SUPERAntiSpyware is older than Malwarebytes. This application seems to have been around forever, and in recent times it has kept itself relevant. SUPERAntiSpyware has shields as well, which monitor the installation of new software. This antimalware is often best at detecting trojans, but it also deletes tracking cookies and some forms of adware. Offers a portable solution.
TDSSKiller is an anti-rootkit actively developed by Kaspersky Lab, a Russian antivirus and antimalware company. Kaspersky solutions might cost a rather decent amount of money, but for the price you get remarkable protection, and Kaspersky can uncover a broad range of malware. Their anti-rootkit uses their renowned heuristics to search the folders and system files often associated with rootkit installations. A good thing to keep in your toolbox. I usually scan with this after SUPERAntiSpyware on a really infected machine. Portable.
Emsisoft Emergency Kit is a free removal tool by the creators of the Emsisoft antimalware products. This powerful tool should have topped the list. It scrubs deep with a regular file search and then also runs an anti-rootkit check. It also has other tools, such as a HijackThis-type tool for those who remember it and a registry scanner for malware traces. Truly a remarkable tool for removing malware in tough-to-reach places. I often run this first, but it's hard to top Malwarebytes. This is a portable solution in case you don't want to install Malwarebytes on your PC.
RKill is an application that sends stop or kill signals to other applications. This tool is good for a highly infected machine, because it usually seeks out only malware and stops it. Sometimes it may stop other unimportant system services from running, but nothing significant to running the machine. It often lets the user halt malicious processes that prevent him or her from accessing Malwarebytes or the other malware removal tools on this list. It is sometimes key to saving a computer outside of Safe Mode with Networking; however, I believe this tool can be run in Safe Mode as well. Portable.
Here are the links to these powerful tools, in no particular order:
For a decent antivirus I recommend Windows 10's very own Windows Defender; however, if you want something stronger:
Sometimes, if your computer is really infected, you might not be able to boot into Windows to run these applications. One tool that I highly recommend having is:
I also recommend having a free Linux distribution on hand, such as:
This can help with backing up or copying important files from your hard drive.
If you run each of the tools listed above, you should be clean of malware. Reinstalling Windows is often recommended, but sometimes that's just not an option. If you run monthly scans with Malwarebytes and yearly scans with the others, and set your antivirus to scan weekly, you should be safe. Nothing can replace common sense. Stay safe on the net: use relatively few browser extensions, change your browser search from Google or Yahoo to something like DuckDuckGo, block third-party cookies, and I'd also recommend using a known hosts file like:
Malware changes the hosts file, so replacing the current one with this after an infection is a great idea.
- Go to Start > Notepad.
- Right-click Notepad and click Run as administrator.
- In Notepad, click File > Open.
- In the dialog box, navigate to C:\Windows\System32\drivers\etc\hosts.
- Once there, make sure there are no more lines after 127.0.0.1 localhost and ::1 localhost.
After all of that is finished, it is a good idea to copy and paste the new hosts file contents into the file.
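The check in the last step can be scripted. The following is an added example, not the author's code and not part of any tool listed on this page: it parses hosts-file text and flags two patterns malware leaves behind, real names redirected to an outside address, and security-vendor or update domains sunk to loopback so tools cannot update. The vendor domain list and the sample hosts content are constructed assumptions.

```python
"""Audit a hosts file for the kind of tampering malware leaves behind (added example)."""
import ipaddress

# Addresses that a legitimate blocklist-style hosts file points blocked names at.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Hypothetical list of vendor/update domains; malware sinkholes these so tools cannot update.
PROTECTED_DOMAINS = ("malwarebytes.com", "windowsupdate.com", "microsoft.com",
                     "kaspersky.com", "emsisoft.com", "superantispyware.com")


def is_protected(name):
    """True if name is one of the protected domains or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in PROTECTED_DOMAINS)


def audit_hosts(text):
    """Classify every mapping in hosts-file text (comments and blank lines ignored).
    'hijack': names sent to a non-sink or malformed address; 'blocked_vendor':
    protected domains sunk to loopback; 'sinkholed': ordinary blocklist entries."""
    findings = {"hijack": [], "blocked_vendor": [], "sinkholed": 0}
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()       # drop trailing comment, then tokenize
        if len(fields) < 2:
            continue
        address, names = fields[0], [n.lower() for n in fields[1:]]
        try:
            ipaddress.ip_address(address)
        except ValueError:                           # not an IP at all: treat as suspicious
            findings["hijack"].append((line_no, address, names))
            continue
        for name in names:
            if name in LOCAL_NAMES:
                continue
            if address not in SINK_ADDRESSES:        # real name redirected to a real host
                findings["hijack"].append((line_no, address, [name]))
            elif is_protected(name):                 # an update server silently blocked
                findings["blocked_vendor"].append((line_no, name))
            else:
                findings["sinkholed"] += 1
    return findings


# Constructed sample input, not taken from a real machine.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.net          # blocklist-style entry, expected
127.0.0.1 www.malwarebytes.com   # vendor update server sinkholed: tampering
203.0.113.5 www.example-bank.com # redirected to an outside address: tampering
"""
```

Running audit_hosts on the real file (C:\Windows\System32\drivers\etc\hosts, read as text) reports one ordinary blocked entry for the sample, plus the two tampered lines with their line numbers.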
Don't open email links unless you are sure of their validity, and try to acquire a router with a decent firewall. Most routers these days have a good firewall, and most homes have a router. To access the router's configuration page, read the documentation that came with it. Once there, the setting is usually under a Security or Firewall tab. Just enable it.
When following this guide, you will need to reboot your computer to make the changes permanent. I don't recommend doing this after each step, but you can if you wish. Be aware that restarting after each step can give the malware a chance to change system files or boot files that are vital to your system before it has been properly removed, which could allow a half-removed infection to come back. For this reason, I recommend rebooting only once, after every step in the list is completed. Treat each application in the list as a step.
It is also a good idea to go to Start > Settings > Update and Security and, once there, configure how updates are installed. Malware will often try to target this and shut it off. It is important that it says "install updates automatically". While in the Security Center, also look for the firewall and antivirus settings and make sure both of these are turned on; occasionally these get shut down as well. If everything is green, you're OK.
A good portable tool to help with all of this is https://www.bleepingcomputer.com/download/windows-repair-all-in-one/. This tool tries to restart halted Windows services and reset permissions, among other things.
Oh no, we're not finished yet. Delete old system restore points. Go to Start > Control Panel > System and Security > System, then go down and click the desired disk; in most cases this is C:, the one with the hosts file on it. Go down again and click Configure. This opens the System Restore window; go down and click Delete. This properly deletes all current restore points. It might also be wise to create a new one at this time.
You may also want to run the Windows disk cleanup program. To do this, go to Start (on older systems, press the left Windows key + R) and type cleanmgr. Click the icon with a brush on top of a hard drive and, once the list populates, check every box in it. Click OK, click the button to delete files, and then wait. Once this finishes you can optionally reboot again, and then you're finished.
Have a favorite tool not mentioned above? Share!
Good Luck!!!!