Select Page

Adware / Malware / Virus Removal Tutorial

Viruses, Malware, Adware, Hijackers, Rootkits and More Removal Tutorial 

Updated 9-26-15

The most common service ($80 flat fee) provided to clients is a “Virus Removal” and these are the steps we use to remove infections. If you run into trouble getting these programs or would rather let a Guru handle it then call us at 615-332-2844.

First off the word virus has become a general term that encompasses trojans, worms, and malware but in reality there are many different types just like for humans there are virsus, bacteria and parasites. There are programs out there that focus on just that one “type” so prevention of infections can be tough because there are so many ways a computer can be infected and they are constantly changing.

Below are the terms.

Malware – is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software. Malware is a program or file that are developed to take over your computer. Often they look like a real computer program but often the security program wanting $50 to fix your computer is the actual infection

Adware – aka Pop-Ups or advertising-supported software, is any software package that automatically renders advertisements in order to generate revenue for its author. The advertisements may be in the user interface of the software or on a screen presented to the user during the installation process. A program that generates pop-ups on your computer or displays advertisements. It is important to note that not all adware programs are necessarily considered malware. There are many legitimate programs that are given for free that display ads in their programs in order to generate revenue. As long as this information is provided up front then they are generally not considered malware.

Backdoor – A program that allows a remote user to execute commands and tasks on your computer without your permission. These types of programs are typically used to launch attacks on other computers, distribute copyrighted software or media, or hack other computers.

Dialler – A program that typically dials a premium rate number that has per minute charges over and above the typical call charge. These calls are often with the intent of gaining access to pornographic material.

Hijackers – This is very common in connection with Adware, Hijacks is program that attempts to hijack certain Internet functions like redirecting your start page to the hijacker’s own start page, redirecting search queries to a undesired search engine, or replace search results from popular search engines with their own information.

Rootkit – A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) while at the same time masking its existence or the existence of other software. Sometime they can infect the master boot record and when removed cause Windows to not start up anymore.

Spyware – A program that monitors your activity or information on your computer and sends that information to a remote computer without your knowledge.

Trojan – A program that has been designed to appear innocent but has been intentionally designed to cause some malicious activity or to provide a backdoor to your system. A common Trojan are malicious media players or fake Adobe Flash installs.

Virus – A virus is very rare now days. A program that when run, has the ability to self-replicate by infecting other programs and files on your computer. These programs can have many effects ranging from wiping your hard drive, displaying a joke in a small box, or doing nothing at all except to replicate itself. These types of infections tend to be localized to your computer and not have the ability to spread to another computer on their own.

Worm – A program that when run, has the ability to spread to other computers on its own using either mass-mailing techniques to email addresses found on your computer or by using the Internet to infect a remote computer using known security holes.


 

Virus / Malware Removal

Every tech has their way of doing it. At Nashville Computer Guru we use the following programs in this order.

Malware removal is mostly a PC problem.

For Apple computers use
1. Malwarebytes for Mac
2. Sophos for Mac
3. Onyx

For PC computers, the process is more involved but it averages me about an hour.

Prep Work

Run CCleaner, CCleaner is a program that will scan your computer for temporary files or private browser information and deletes it from your computer.  This allows you to keep your computer running efficiently, while protecting your sensitive information. Also run the registry scan and uninstall anything suspicious looking or installed the same the infection happened.

Now onward to removal programs.

  1. Rkill – is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections. When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies that stop us from using certain tools. When finished it will display a log file that shows the processes that were terminated while the program was running.

As RKill only terminates a program’s running process, and does not delete any files, after running it you should not reboot your computer as any malware processes that are configured to start automatically will just be started again. Instead, after running RKill you should immediately scan your computer using some sort of anti-malware or anti-virus program so that the infections can be properly removed.

  1. AdwCleaner– is a program that searches for and deletes Adware, Toolbars, Potentially Unwanted Programs (PUP), and browser Hijackers from your computer.  By using AdwCleaner you can easily remove many of these types of programs for a better user experience on your computer and while browsing the web.

The types of programs that AdwCleaner targets are typically bundled with free programs that you download from the web.  In many cases when you download and install a program, the install will state that these programs will be installed along with the program you downloaded.  Unless you perform a Custom install, these unwanted programs will automatically be installed on your computer leaving you with extra browser toolbars, adware, and other unwanted programs.  AdwCleaner is designed to search for and remove these types of programs.

  1. TDSSKiller is a utility created by Kaspersky Labs that is designed to remove the TDSS rootkit. This rootkit is know under other names such as Rootkit.Win32.TDSS, Tidserv, TDSServ, and Alureon. TDSSKiller will also attempt to remove other rootkits such as the ZeroAccess or ZeroAccess rootkit if it is detected.

A rootkit is a malware program that is designed to hide itself or other computer infections on your computer. These types of programs are typically harder to remove than generic malware, which is the reason that stand-alone utilities such as TDSSKiller have been developed.

  1. Junkware Removal Tool is a security utility that searches for and removes common adware, toolbars, and potentially unwanted programs (PUPs) from your computer.  A common tactics among freeware publishers is to offer their products for free, but bundle them with PUPs in order to earn revenue.  This tool will help you remove these types of programs.

Junkware Removal Tool has the ability to remove the following types of programs:

  • Ask Toolbar
  • Babylon
  • Browser Manager
  • Claro / iSearch
  • Conduit
  • Coupon Printer for Windows
  • Crossrider
  • Facemoods / Funmoods
  • iLivid
  • IncrediBar
  • MyWebSearch
  • Searchqu
  • Web Assistant

When run, Junkware Removal Tool will remove all traces of these programs including their files, Registry keys, and folders.

5.  Malwarebytes Anti-Malware – Malwarebytes is a light-weight anti-malware program that is excellent at removing the latest detections. MBAM is also able to be used along side any other security programs that you may have installed, which allows it to remove malware that was able to sneak through your normal anti-virus solution.

6. Browser Extensions – Remove all the extensions or at least the unknown ones, many persistent infections are extensions.


The computer should be fixed by now.

If necessary I will use the following programs if the problem hasn’t been solved yet.

    7.   ComboFix is a program that scans your computer for known malware, and when found, attempts to clean these infections automatically. In addition to being able to remove a large amount of the most common and current malware, ComboFix also displays a report that can be used by trained helpers to remove malware that is not automatically removed by the program. Please note that running this program without supervision can cause your computer to not operate correctly. Therefore only run this program at the request of an experienced helper.

This program works with Windows 8, but not Windows 8.1 at this time!

  1. Hijack This – HijackThis is a program that can be used to quickly spot home page hijackers and startup programs that you do not want to start automatically. This program is a not anti-virus program, but rather a enumerator that lists programs that are starting up automatically on your computer as well as other configuration information that is commonly hijacked.
  1. RogueKiller – RogueKiller is a security tool that can be used to terminate and remove malicious processes and programs from your computer.  RogueKiller has the ability to remove infections such as ZeroAccess, TDSS, rogue anti-spyware programs, and Ransomwares.
  1. System File Checker – If those fail, then it is good to run a System File Check which looks for corrupt Windows files and repairs them if possible.

Open Command Prompt as an administrator, often referred to as an “elevated” Command Prompt.

Important: For the sfc /scannow command to work properly, it must be executed from an elevated Command Prompt window in Windows 8, Windows 7 and Windows Vista. This is not required in previous versions of Windows.

Once Command Prompt is open, type the following command and then press Enter.

sfc /scannow


Prevention

Preventing infections is the hard part, just like one vaccine doesn’t cover everything.

You need good overall protection. I strongly dislike Norton and McAfee Anti-Virus, I assume when a computer is infected that Norton or McAfee are already installed.

I recommend the following Antivirus programs.

Kaspersky or AVG Antivirus are great Antivirus programs.

Hitman Pro – Highly recommend the paid version of this in addition a antivirus program. HitmanPro is an anti-virus program that describes itself as a second opinion scanner that should be used in conjunction with another anti-virus program that you may already have installed.  If malware slips past your anti-virus software, HitmanPro will then step in to detect it.  Though SurfRite bills themselves as a second opinion scanner that does not mean that you cannot use the program as your primary anti-virus product.

Malwarebytes Anti-Malware – Malwarebytes Pro version is great to have.

With an Antivirus program, Hitman Pro and Malwarebytes working together you should greatly limit your infections in the future.

Call us today at 615-332-2844 and schedule your malware removal service.


How did you get infected in the first place?

Installing Free Programs or Games

When installing or updating a program, you are often prompted to install additional programs that you may not want. Many people simply click next and I agree when installing programs and not reading that this free music player or picture viewer or game requires you install the other programs or else it won’t work. Don’t just click next and I agree when installing software, stop and look at what the program is trying to install. Sometimes it is good to do “advance” install rather than “express” or “easy” as those will ask fewer questions but may come with more than you wanted.   DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money.

Sometimes even legitimate programs will try to bundle extra, unwanted, software with the program you want – this is done to raise money for the program. Be sure to untick any boxes which may indicate that other programs will be downloaded.

It is very common to clean up computers after “the grandkids” came over, many of these programmers know kids will say yes to everything so that free game they are playing might be the reason your computer is running like it is. I’m constantly removing malware because of games. (Malware is software that is intended to damage or disable computers and computer systems. For example, a fake antivirus program that says you’re infected and won’t leave you alone until you pay for it.)

Downloading any software program, utilities, games, updates, etc can possibly infect your computer. Some of the worst programs are ones that promise to speed up your computer. It isn’t always as easy as running a program to speed up a computer but to many people that easy road can lead to slower computer with even more popups.

Installing plug-ins or extensions.

You are browsing the internet and a Window or advertisements appear that says your computer is infected or the drivers are out of date. Adobe Flash Pro is not real but Adobe Flash is, I recommend only downloading updates for flash at adobe.com and java at java.com. Many popups will get you to install a fake version. How do you know what is real or not. Well it is hard, even I have been fooled before. Beware of sites that say your drivers are out of date and need updated as well, almost always they are fake or a trial that requires payment to work.

Links or Email Attachments

Very common reason for infections will be a link in a email or facebook that may look real but isn’t and when you click on that link you could infect yourself in a second or two. Even when a email comes from someone you know be careful as email addresses can be faked / spoofed. Be cautious when opening an attachment from someone you know, don’t open an attachment from someone you don’t know. A very common email that gets people infected is a fake USPS or UPS tracking email and by opening the links or attachment can lead to problems. If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.

Pirated software, music or movies

If you are doing torrents or P2P programs like Frostwire, UseNext or many other methods of “saving money” from not having to buy programs then you are asking to be infected. It is only a matter of time before you are infected, many programs come with cracks in order to install them, many of them are loaded with malware and other stuff. Simply put if you want to avoid being infected every day, week, month then avoid Warez, Crack sites and P2P Programs.

No Antivirus Software

Yes having Antivirus, Malware programs will slow your computer down some at best, a lot at worst. Having no protection is asking for an infection at some point. Even with protection if you click on links and programs then it is a gamble if your protection will detect it in time.

Other Ways To Be Infected

Your browser is hijacked and sending you to sites you didn’t even want. Hijacks and Adware are very common. Not many programs can detect a proxy hijack though.

Do not visit pornographic websites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do, as this can often form part of their funding.

When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person’s contact list that contains a link to an infection. Instead when you receive a message that contains a link you should message back to the person asking if it is legit.

Less Common Reasons

Websites are hacked and infected, I’ve seen where Yahoo.com and other big name sites had Trojans in their ads that AVG picked up and blocked.

Sometimes “Microsoft” will call you or a pop-up says to call this number for support. Many times they are in India and are not legit, especially if they want to remote into your computer. They will often do this, mess up your computer and then charge you a high amount to fix what they just broke or to fix nothing but they give you an impression that it is being fixed.