Friday, May 25, 2012

[Tech Support] Clean your infected computer


It is really easy for some bad software to sneak its way onto your computer.  I'm going to talk about a few ways to remove these threats.  First I'm going to provide you all with a list of free tools that will aid in your computer's recovery:
1.     Malwarebytes Anti-Malware (MBAM): Effective and easy to use.
2.     Spybot: Search & Destroy:  Sturdy and versatile malware removal
3.     ComboFix:  Powerful Windows repair tool and infection removal
4.     RKill:  Stops all processes, such as infections with pop-ups (Fake Anti-virus pop-ups)
5.     GMER: Respected Rootkit remover, hard to use.
6.     Sophos AntiRootkit:  My Rootkit removal favorite
7.     SuperAntiSpyware (SAS):  Another good choice for malware removal
I use many tools to clean a computer and most are free.  I have yet to run across a software package, free or not, that will remove ALL infections.  So finding a good combination that works for you is important.  Malwarebytes, for example, will allow you to run a free trial of their premium package, but I usually just hit the “decline” button and use the free version.  That leaves the program with Quick and Full scanning ability, which is exactly what I want it for.  Unless you have plenty of resources on your computer (an overabundance of RAM), you don’t need or want a bunch of monitoring tools running in the background of your system.  You can simply not click on suspicious emails and links, which is a better habit!
Many infections today include “fake antivirus” programs.  These are the infections that generate a pop-up screen that looks like a legitimate anti-virus program and tells you that you are infected.  It claims that if you purchase the full version, the application can remove the threats it found; just enter your credit card information…see where this is going?  Your computer is not necessarily infected with what those applications say it is; they tell all computers that they have those infections.
In addition to the fake antivirus applications, you will also get some that continuously pop up some other type of screen or error message.  These infections will often keep you from opening other applications or Windows components such as Task Manager.
So what do you do if you can hardly work with the computer because of the popups or limitations?  If only you could run your infection removal tools to get rid of them.  Note that some infections just won’t allow you to do anything.  In that event, you may want to start some of these processes in Windows Safe Mode (with Networking if possible); however, you want to do as much in Normal mode as possible.  To get into Safe Mode, reboot your computer.  As soon as the computer comes on, hit the F8 key repeatedly until you get the black screen with the options to choose Safe Mode.  You actually only have to hit the F8 key once, but the timing is often so hard to catch that I just say keep on hitting it.  If the computer starts beeping, just ignore it.  If the Windows logo/boot screen pops up before you get a chance to choose Safe Mode, then you missed your window and need to restart.
With a bit of luck, you have a good restore point to go back to, so fire up System Restore by either typing it into the search box at the bottom of the Start Menu or entering "rstrui" (or you can hunt it down manually at C:\Windows\System32\restore\rstrui.exe).  If you cannot access this tool due to infection or there are no restore points, see below.  Now point to a restore point that is long enough ago that you know the missing icons were not a problem and let System Restore do its thing.
If successful, that may get you back on track, and you should now have the ability to remove the infections that lie dormant (for now) on your machine.  Remember, System Restore doesn’t remove the infection; it really just replaces the Windows Registry (and perhaps some Windows components) that tells Windows what to load when an event such as startup happens.  So if you have gotten this to work, infection removal should be top priority before you go back to your work or games.
If that isn’t an option, try the handy little gem RKill.  RKill stops all processes that should not be running on a normal Windows install, causing the fake antivirus popups to cease for the moment.  RKill comes in several different variants just in case your infection won’t allow a particular one to run.  It comes in .exe (executable, standard Windows application), .com (command file, similar to .exe), and .scr (usually a screensaver), and it also comes with various names, all in the hope that you can get just 1 variation to run.  If you can get it to work, RKill will do the job.  RKill will then create a log file that pops up after it runs, telling you what processes it stopped.  If you are fairly sure you know what you are doing and you know for a fact a file in that list is not something that should be running on your system, you can then go and hunt it down for deletion.  You might want to compress it (.zip) just in case.
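One way to do the "compress it just in case" step safely, as an added example that is not part of the original post: record the file's SHA-256, zip it under a neutral name with a small manifest, verify the archived copy, and only then delete the original. The function name, manifest fields and sample file are assumptions made for illustration.

```python
import hashlib, json, os, tempfile, zipfile
from datetime import datetime, timezone

def quarantine_file(path, quarantine_dir):
    """Zip a suspect file with a manifest, verify the copy, then delete the original."""
    with open(path, "rb") as fh:
        data = fh.read()
    digest = hashlib.sha256(data).hexdigest()
    manifest = {
        "original_path": os.path.abspath(path),
        "sha256": digest,
        "size": len(data),
        "quarantined_utc": datetime.now(timezone.utc).isoformat(),
    }
    os.makedirs(quarantine_dir, exist_ok=True)
    zip_path = os.path.join(quarantine_dir, digest[:16] + ".zip")
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        # Stored under its hash with a neutral extension so it cannot be
        # launched by double-clicking it inside the archive.
        zf.writestr(digest + ".bin", data)
        zf.writestr("manifest.json", json.dumps(manifest, indent=2))
    # Re-read the archive and confirm the copy before touching the original.
    with zipfile.ZipFile(zip_path) as zf:
        if zf.testzip() is not None:
            raise OSError("archive failed CRC check; original left in place")
        if hashlib.sha256(zf.read(digest + ".bin")).hexdigest() != digest:
            raise OSError("archived copy differs; original left in place")
    os.remove(path)
    return manifest, zip_path

def demo():
    # Constructed sample: a harmless stand-in for a file named in an RKill log.
    work = tempfile.mkdtemp()
    suspect = os.path.join(work, "fakeav_sample.exe")
    with open(suspect, "wb") as fh:
        fh.write(b"constructed placeholder bytes, not real malware")
    manifest, zip_path = quarantine_file(suspect, os.path.join(work, "quarantine"))
    return suspect, manifest, zip_path

if __name__ == "__main__":
    print(demo())
```

The recorded hash lets you look the file up later or restore it if it turns out to be legitimate.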
Now that RKill has stopped the popups, you are in business.  Now is the time to run your removal tools.  I suggest running Malwarebytes Anti-Malware (MBAM) at this point to clear the infections.  After MBAM has completed, you should be ok to restart your computer so that it can finish its job.  Your computer should boot normally now.
Because infections will often do things like hide all of your Desktop shortcuts or worse, at this point I would attempt the Windows System Restore route (mentioned above).  If that is the way you decide to go, the infection removal process will need to start over, but this really is the best way to go.
Once your computer has rebooted after successfully running MBAM, your computer is likely still infected with other fun stuff.  Time to fire up a secondary scanning agent such as Spybot: Search & Destroy or SuperAntiSpyware.  Once those have completed, you should be pretty safe.  Might even want to run the third application just to make sure, but that’s up to you.

Hope this helps out someone.  Tune in next week for more fun tips and tricks.

[Hack] iBooks Author "Snow Leopard Hack"

Ok, ok I stole this from OSXDaily.com (http://goo.gl/LZkrk), one of my daily reads. I have actually read this on a few different sites, however this did not work for me until I tried a small edit. See instructions below:
Apple's free interactive book creation app iBooks Author was just released, allowing for anyone to make multi-touch iBooks for iPad. Unfortunately it's officially for Mac OS X 10.7 only, and if you try to install it on Snow Leopard, you'll get an error message. With a little work we can get around that error message and install and run iBooks Author in Mac OS X 10.6.8.
This is not supported by Apple, although the app appears to work fine and if you just want to explore the application it's more than enough. If you plan on publishing with iBooks Author, you should use OS X Lion though.

  1. From the Mac OS X desktop, hit Command+Shift+G and enter /System/Library/CoreServices
  2. Locate SystemVersion.plist and make a backup copy of it to the desktop
  3. Launch the Terminal and type the following:
     sudo nano /System/Library/CoreServices/SystemVersion.plist
  4. Locate the keys ProductUserVisibleVersion and ProductVersion and change their strings from "10.6.8" to "10.7.2"
  5. Hit Control+O to save the file
  6. Now launch the Mac App Store and find and download iBooks Author
  7. After iBooks Author is finished downloading, do not launch it yet; instead open /Applications/ and find the app, then right-click on it and choose "Show Package Contents"
  8. Now open the folder "Contents" and locate and open "Info.plist"; you can use nano or your favorite text editor
  9. In Info.plist, look for "LSMinimumSystemVersion" and change the accompanying string from "10.7.2" to "10.6.8" and save the file
  10. Now go back to the SystemVersion.plist file and open it again:
     sudo nano /System/Library/CoreServices/SystemVersion.plist
  11. Locate the keys ProductUserVisibleVersion and ProductVersion again, but change their strings from "10.7.2" back to "10.6.8"
  12. Save SystemVersion.plist
  13. EDIT: Before launching iBooks Author, move the app to the desktop. This will fix the icon and it should launch just fine. After that, close iBooks Author and then move it back to your Applications folder. Voilà!
  14. Launch iBooks Author
    The iBooks Author icon will probably keep its strike-through, but the app opens fine and everything seems to work. You may also need to upgrade to iTunes 10.5.3 if you want to sync the iBooks to an iPad.
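A check that the system file really was put back, as an added example that is not part of the original post: it compares the backup copy made at the start of the procedure with the live SystemVersion.plist and reports any key that still differs, including the case where only one of the two version keys was restored. The function names and the sample plists are constructed for illustration; on a real system you would pass the Desktop backup and /System/Library/CoreServices/SystemVersion.plist.

```python
import os
import plistlib
import tempfile

VERSION_KEYS = {"ProductVersion", "ProductUserVisibleVersion"}

def load_plist(path):
    with open(path, "rb") as fh:
        return plistlib.load(fh)  # reads XML and binary plists

def plist_diff(backup_path, live_path):
    """Return {key: (backup_value, live_value)} for every key that differs."""
    backup, live = load_plist(backup_path), load_plist(live_path)
    return {k: (backup.get(k), live.get(k))
            for k in sorted(set(backup) | set(live))
            if backup.get(k) != live.get(k)}

def restore_status(backup_path, live_path):
    diff = plist_diff(backup_path, live_path)
    if not diff:
        return "restored"
    if set(diff) <= VERSION_KEYS:
        return "version still spoofed: " + ", ".join(diff)
    return "unexpected changes: " + ", ".join(diff)

def write_plist(path, data):
    with open(path, "wb") as fh:
        plistlib.dump(data, fh)

def demo():
    # Constructed stand-ins for the Desktop backup and the live system file.
    work = tempfile.mkdtemp()
    backup = os.path.join(work, "SystemVersion.backup.plist")
    live = os.path.join(work, "SystemVersion.plist")
    original = {"ProductName": "Mac OS X",
                "ProductVersion": "10.6.8",
                "ProductUserVisibleVersion": "10.6.8"}
    write_plist(backup, original)
    results = []
    # Spoofed state, a half-finished restore, and a completed restore.
    for pv, puv in (("10.7.2", "10.7.2"), ("10.6.8", "10.7.2"), ("10.6.8", "10.6.8")):
        write_plist(live, dict(original, ProductVersion=pv, ProductUserVisibleVersion=puv))
        results.append(restore_status(backup, live))
    return results

if __name__ == "__main__":
    for line in demo():
        print(line)
```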