Hello,
This is a basic guide for removing malware from an infected computer.
Goal:
To restore the computer back to its previous working condition or better.
Rationale:
When malware infects a computer it can do two main things to your files:
1) Delete or modify files
2) Create files
Most of the guides you will read on the internet will tell you to remove malware using some sort of program that scans for and deletes malicious files. I would argue that a scanner-only approach is incomplete because it does next to nothing to restore deleted or modified files to their condition prior to infection. Running scanners alone usually works fine but system restore
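To make the rationale concrete, here is an added example (my own illustration, not part of the original guide) that records SHA-256 hashes of a directory tree before infection and later classifies every change as created, modified or deleted; the directory layout and file names are constructed for the demo. A scanner can only act on the "created" list, which is exactly why restoring the "modified" and "deleted" files needs a restore point or backup.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its hash."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def classify(baseline: dict, current: dict) -> dict:
    """Compare two snapshots and bucket the differences the way the guide describes."""
    created = sorted(set(current) - set(baseline))           # a scanner can delete these
    deleted = sorted(set(baseline) - set(current))           # only a backup/restore point brings these back
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])          # same: needs the original content
    return {"created": created, "modified": modified, "deleted": deleted}


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate the three effects of an infection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "system32" / "svc.dll").write_bytes(b"MZ legit")
        (root / "user.txt").write_text("my document\n")
        baseline = snapshot(root)                            # "restore point" taken while clean

        (root / "system32" / "hosts").write_text("127.0.0.1 localhost\n# tampered\n")  # modified
        (root / "system32" / "svc.dll").unlink()             # deleted
        (root / "dropper.exe").write_bytes(b"MZ not legit")  # created
        return classify(baseline, snapshot(root))


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket}: {files}")
```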
Step 1: System Restore
It is fairly common advice to hear that you should delete your system restore points before cleaning a machine. This is usually a mistake.
System restore, when run from the recovery console, is one of the fastest, most effective, and lowest-risk ways to start removing malware from a computer. (This is for Vista/7 only; if you have Windows XP, move to step 2.)
Note: System Restore WILL ABSOLUTELY NOT alter any of your personal files.
Note: System Restore will however revert/uninstall any programs that were installed after the restore point date.
How to run system restore from the recovery console:
1) Make sure your computer has been turned off
2) Hit the power button on your computer and immediately afterwards start lightly tapping F8 (2-3 times a second) on your keyboard. You should see a black screen with a list of options. If your computer starts up normally (you have to do this fast enough that you do not see the Windows logo) it means you did not press the key soon enough.
3) Use your arrow keys to navigate to the 'Repair Your Computer' tab. Press enter
4) Your computer will now start booting into the Recovery Console (this will look fairly similar to a normal Windows startup).
5) Once your computer has booted into the recovery console you will see a prompt asking you to select 'keyboard input method' and you just need to hit 'Next'.
6) If you are prompted to log onto a user account please do so (choose your own).
7) A window will appear called 'System Recovery Options'.
8) Now click once on 'System Restore' (note that it can take awhile for the system restore window to open).
9) After 'System Restore' opens click 'Next' and select a restore point before the malware infection and click 'Finish'
Note: Basically you want the most recent restore point before the infection because system restore will run faster, but you can choose any point you want.
Note: If your computer has no restore points, or if none of your restore attempts (I wouldn't bother trying more than 3) are successful (you know it is successful if you see a prompt that says system restore has finished and asks you to restart your computer), then just move on to step 2.
10) After the system restore has run, start your computer up, log into your user account and see if it looks like the virus is still there. You should see a message that system restore has been run on the computer.
Note: After system restore your computer may appear to be malware free. If this is the case for you, it is still very important to continue to go through the steps in this guide. System restore does not always completely remove a virus. The goal of running system restore is to damage the virus and revert and restore your computer's system files.
Step 2: Combofix
1) Download Combofix from the following link:
http://www.bleepingcomputer.com/download/combofix/
2) Disable your antivirus program's real-time protection (don't worry you can turn it back on soon!)
3) Run Combofix (it will do everything itself basically)
Note: Combofix may want to restart your computer to remove some of the malware so make sure you have closed all other programs that you opened. Please take messages from Combofix seriously.
Note: After you have completed this guide please remove Combofix by running 'Combofix /uninstall' from the Windows 'Run' box (you hit the Windows key and R at the same time to make it show up).
Step 3: Malwarebytes Anti-Malware (MBAM)
1) Download MBAM from the following link:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
2) Install MBAM
3) Update virus definitions (under the update tab)
4) Run a full scan (make sure that it scans your hdd)
5) Remove any infected items
Step 4: Kaspersky Virus Removal Tool (KVRT)
1) Download KVRT from the following link:
http://www.kaspersky.com/antivirus-removal-tool?form=1
2) Install KVRT
3) Make sure you check all boxes under the list of options for KVRT to scan
4) Run a scan and remove infected items
5) Hit 'exit' after the scan to uninstall KVRT
Step 5: Running your antivirus program
You should install or reinstall (if necessary) antivirus software that you plan to use to keep your computer clean.
Here are a few free antivirus options:
1) Microsoft Security Essentials (http://www.microsoft.com/security_essentials/)
2) Avast (http://download.cnet.com/Avast-Free-Antivirus/3000-2239_4-10019223.html)
3) Avira (http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html)
After you have the antivirus program of your choice installed on your computer and updated run a full scan of your computer.
Your computer will most likely be free of malware at this point. However, if you would like to run additional scans, here are some options:
Microsoft Security Essentials
Spybot Search and Destroy
Kaspersky Rescue Disk (http://support.kaspersky.com/viruses/rescuedisk?level=2)
Step 6: Preventing future infections
Here are some notes/advice that I recommend you follow:
-only have 1 antivirus program installed on your computer with a real-time scanner (you can keep Malwarebytes Anti-Malware because it is designed to work with other anti-virus programs)
-make sure your antivirus program is up to date and running
-make sure you are using an up to date browser (preferably Mozilla Firefox or Google Chrome)
-make sure you have done all of your Windows Updates
-make sure you have the latest version of Adobe Flash (https://www.adobe.com/software/flash/about/)
-make sure you have the latest version of Java installed (https://www.java.com/en/download/installed.jsp)
-make sure your Adobe Reader is up to date
-if you are unsure if a website is safe: Check it with WebOfTrust (https://www.mywot.com/)
****Additional Safety Precautions****
1) Make an image backup of your computer before you start the malware removal process
Use Ghost4Linux from PartedMagic Live CD from the Ultimate Boot CD (http://www.ultimatebootcd.com/)
2) Create a system restore point before running each virus scan
3) Review the results of malware scans before you delete infected items
****Note****
Due to the huge variance in malware, this guide may not be the best way to treat your computer, so please use at your own discretion.
For example, many viruses will try to disable system restore and/or safe mode so you cannot use them.
If you have any questions please comment, send me a message and/or visit malware removal forums such as:
http://www.spywareinfoforum.com/
http://www.bleepingcomputer.com/
Thanks,
Mark