Removing Malware


The term "Malware" is a broad, generalised name for software installed on your system that is intended to perform malicious, harmful or undesirable actions.  It is often installed without you realising it: it may arrive via updates, hijacked sites or, most commonly, "piggybacked" onto other programs whose authors receive a fee for bundling it with their program or resource.

Here we look first at some removal/cleaning steps and then a bit more at what malware is.

Removing Malware from your system

There are a number of programs and techniques used to kill malware.  None is 100% comprehensive; not even close, in fact (some studies show any one program eradicating little more than 30% of all malware, though this is extremely hard to assess and measure).  I have found that in many cases a bit of caution and scans with several different cleaners can *usually* remove most active malware; however, this is a very grey area and one that is very poorly addressed by the industry.  In general I recommend that you:

  • Run some basic protection to stop your system from reaching certain sites
  • Run frequent malware scans with a number of different tools
  • Always be suspicious about installing unknown programs and toolbars, especially those which are "bundled" in with a program or utility that you are originally installing
  • If a video link says that you have to "download this player to view this file", don't: it is often malicious and dangerous
  • I always avoid installing toolbars, search helpers or other things that are “also installed” when you install a program.  Many vendors rely on this revenue – but they also absolve themselves of all responsibility for what that malware can do later on.  Their few cents isn’t worth the months or years of heartache that you could endure

When cleaning a system I tend to use the following programs (sometimes one or two, sometimes all of them).  Their scans often overlap one another, but each is a fairly good program in its own right;  you almost always need to download the latest version or at least update its database (most include a facility to do this or to check for updates).

IMPORTANT NOTE:  These sites were believed to be correct at the time of writing; however, download locations can change.  Be wary of downloading these programs from other sites too;  there are nefarious programs masquerading as anti-malware scanners, and even faked or modified versions of these well-known programs, which claim to clean your system while installing their own malware payload.  These steps are intended for Microsoft Windows systems;  I have not included any remedial measures for other environments (e.g. Macintosh OSX, Linux, Android, iOS, etc.).

Download these four programs:

ADWCleaner

https://toolslib.net/downloads/viewdownload/1-adwcleaner/

Installs:  May create a directory in your system's root directory (C:\ in most cases) called AdwCleaner.  This holds logs of scans and removals and also a Quarantine directory where malicious files found during scans are stored (they may be needed to restore program or system functionality if removing them breaks something).

Details:  This is a particularly aggressive and effective scanner.  It is simple to use;  it scans for all entries that it regards as malware of any sort, marks them for removal and divides them into tabs (one for programs, one for registry entries, one for cookies, etc.).  I often run this program first as its initial clearance rate tends to be very high.  It always requires you to restart your system after its initial sweep, as some malware programs stay resident in memory.

JRT - Junkware Removal Tool

http://thisisudax.org/

Installs:  Very basic - this runs in a DOS (console) window.  It can check whether it has been updated when run.

Details:  This is a very small and seemingly basic program with a fairly limited range of malware detection;  however, it has proven to be a useful addition to the scanning suite as it can deal with some malware which evades other measures.  It is a useful second scan step as it is small and relatively easy to run.

Malware Bytes

https://www.malwarebytes.org/

Installs:  The freeware version installs as a full, regular program.  The freeware version must be updated manually and scans are run manually.

Details:  This is a larger and better-known anti-malware program.  It has a good detection rate and includes support to update both its internal database and the program core;  it will advise you if it is out of date.  It can perform a range of scan types and may find malware that has not been picked up by other applications.  The commercial version also has resident protection (which helps avoid re-infection later on) and can schedule updates and scans automatically.

Spyware Blaster

http://www.brightfort.com/spywareblaster.html

Installs:  Small program installation - modifies the system HOSTS file.

Details:  This program is different from the others in that it is not a scanner - it performs special updates to the system to block malware sites and stop the system being able to find them.  It works by updating the HOSTS file (a local index of site names stored on the system) with a list of known dangerous malware sites and telling the system to look at a local address (called "localhost") to find them;  so if the system becomes infected or a web page tries to reach one of those sites, it is pointed back to the local system.

What to do now:

Fighting malware can be difficult – many programs are designed to “fight back” by stopping some well known anti-malware measures from finding them.  Some even block your access to malware busting sites – they do this by masquerading as “security software” and claiming that the legitimate product is “dangerous” when it is not.

Depending on how bad the infestation is, you may be able to return the system to normal with a simple set of scans and removals;  however, I’ve seen some that were so bad that the data had to be carefully evacuated and the system completely wiped and rebuilt from scratch, obviously a very time-consuming exercise.

I’ll outline an approach here that I have used with success on a number of systems (using Windows 7 as the main platform);  you may need to alter some steps for Windows 8.x, Windows XP, 2000, Vista, etc.  If you’re not sure, it’s best to pay a professional to do this for you.

REMEMBER – ALWAYS BACKUP YOUR DATA FIRST.   Make sure you back it up to somewhere that can be recovered from too – another directory on the same system may not be enough.  If the system is damaged in such a way that it can’t boot,  the infection doesn’t go away or your data files themselves have been infected – you will need professional assistance to recover the system.

As always, I offer no guarantee or warranty for this procedure;  it is simply one that I have found to be successful in most cases.  Some infections require additional cleaning measures;  often this involves looking for specific behaviour, searching for information on that behaviour from trusted sources only, and then finding utilities and cleaning measures to fix that particular problem.  In most cases, however, I have found that these programs work fairly well;  more recently I’ve found that they have a fairly good hit-rate for most common malware.

  1. Back up your data to somewhere off the system – make absolutely sure this is secure before you start.  Do not overwrite earlier backups either – if your data files are infected you will be in a more serious situation.
  2. Download the following programs – I’d bring in all of them;  they’re not very large and are either freeware or have freeware versions which you can use without charge.
  3. Look at any browsers on your system – Internet Explorer, Chrome, Firefox, etc.  Take a note of the home page that they now go to when you start the system up, any toolbars installed, and the search engine configuration.  Typically these have been altered and you may have new unwanted toolbars and other programs installed.  Some of these you can uninstall manually;  you will usually need to research them on another system though, as the hijack software that is blocking your browser is often set up to stop you reading about how to remove them.  Either way it’s important to note what the configuration has been set to.

Step 1 – run ADWCleaner

Start by installing and running ADWCleaner – this will need to restart your system a few times potentially so be prepared for that.   Click on the SCAN button and below you will see a series of tabs that will start to fill with found services, folders, files, scheduled tasks, etc. – they will be marked for removal by default.  Generally you can click on “Cleaning” after this and then the system may ask to restart as it has to clean some programs which are currently locked (can’t be wiped as they’re actually open). 

After the system has been restarted it should show you a report/log of what was cleaned – if you want to you can run ADWCleaner again however this is usually not necessary.

Step 2 – run Malware Bytes (freeware version)

This program will install and then ask you to go online to update – do so;  it will update itself automatically.  Run a FULL scan – it may find some things that weren’t marked in ADWCleaner.  It too may require a system restart, though it doesn’t always do so.

Step 3 – install JRT (Junkware Removal Tool).  This step is optional.

This program may find some things that the others didn’t – it’s a small step to perform and doesn’t take very long so it is worth trying. 

Step 4 – run Spyware Blaster. 

This program doesn’t scan or remove infections – what it does is update a local file called “Hosts”, which is a bit like a local index for web sites.  It sets the system up so that if the system tries to get to known malware or hijack sites, etc. it will instead be directed to itself, stopping your system from even going there in the first place.  This program will also need to be updated when you first run it;  it has an update button to do this.

Step 5 – inspection and review

Look at ALL of your browsers.  Set them to a default home page that you choose – you can use something like www.google.com.  Look for any toolbars that you don’t want – make sure they’re removed and not trying to run any more.  Also examine your default search engine in the browser – you may need to remove any “options” that you don’t like the look of;  if the malware put it in the list then it will be unsafe to use at any time:  a company dodgy enough to associate with that type of activity should be avoided.

Look at Scheduled Tasks in Control Panel.  You will have to step through each one – examine them all and look for anything that doesn’t look right.  You can see what each task runs, how often and what triggers it;  there will be quite a few Microsoft entries in here for Office, antivirus updates, etc., but some just won’t look right;  you can disable them or, better, remove them altogether.

Restart the system and re-inspect everything.  Some malware has special “revival” functionality which is intended to survive this type of cleaning sweep.

Run a full antivirus scan with the system’s AV software.  If you wish an online antivirus scanner can be useful as it may find infections that your local antivirus program missed or doesn’t regard as a risk.

Run these steps in another week or so – this will help you identify any recurrence of infections.  If you find malware running on the system again – and you haven’t installed anything in the period since the last scan – you have an ongoing infection that the programs haven’t found.  Usually this requires a lot more investigation and if you’re not confident that the infection has been removed by that point either seek professional assistance or be prepared to remove all data and rebuild the system.
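To illustrate the HOSTS mechanism behind Step 4 and the Spyware Blaster entry above, here is an added example (not code from this article or from Spyware Blaster) that parses a HOSTS file, lists the names that have been sinkholed to the local machine, and flags entries that send a legitimate site somewhere else, which is the trick some malware uses to block access to clean-up tools.  The sample file, its .example domains, the blocklist marker comment and the 203.0.113.7 redirect address are all constructed for the demonstration.

```python
import ipaddress

# Constructed sample of a Windows HOSTS file (not output from any real tool):
# three sinkholed sites plus one planted hijack entry for demonstration.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# Blocklist entries (constructed; not Spyware Blaster's real marker or list)
127.0.0.1  bad-adserver.example
127.0.0.1  player-download.example   # "download this player to view" site
0.0.0.0    toolbar-pusher.example
# Planted hijack: a cleaning-tool site redirected to a non-local address
203.0.113.7  www.malwarebytes.org
"""

# Addresses that point a name back at the local machine, i.e. a block.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Sites you need to reach during a clean-up (the download list above).
CLEANING_SITES = {"toolslib.net", "thisisudax.org",
                  "www.malwarebytes.org", "www.brightfort.com"}


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blanks and bad lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue   # Windows ignores lines without a valid address too
        entries.extend((ip, name.lower()) for name in names)
    return entries


def audit_hosts(text):
    """Split HOSTS entries into blocked names and names redirected elsewhere;
    a redirect of a cleaning-tool site is reported separately as a hijack."""
    blocked, redirected, hijacked = [], {}, []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if ip in SINKHOLE_ADDRESSES:
            blocked.append(name)
        else:
            redirected[name] = ip
            if name in CLEANING_SITES:
                hijacked.append(name)
    return {"blocked": blocked, "redirected": redirected, "hijacked": hijacked}
```

On a real machine you would read C:\Windows\System32\drivers\etc\hosts and pass its contents to audit_hosts; anything in the "hijacked" list means the file itself has been tampered with and must be fixed before the downloads in Step 2 will reach the genuine sites.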

Reducing your risk of infection

  • When you install a program – ANY program – look carefully to see if it’s installing other things as well.  Typically you’ll get asked to install a “search assistant”, toolbar, helper, codec, etc.  ALWAYS select no;  the author (who you presumably trust enough to install their program) has no control over the activity of the 3rd party “piggyback” installation.
  • Check online to see if the program you’re installing has a reputation for malware/spyware.  Search for the program’s name with “Spyware” or “malware” after it – you will always find matches, look to see if there is a reputation for quietly installing malware with that particular program
  • Don’t install programs from “dodgy” sources;  even if it seems legitimate or you were told that it is safe it often is not.  This is a huge risk for programs that have been obtained illegally, e.g. bought on CDs at flea markets, etc.
  • If you go to a site that contains a video clip that you “have to download a player” to watch – don’t do it.  Most legitimate video clips can be played with the media players already on your system or with well-respected and known media programs.  So-called “special codec packs” and “players” are usually fronts for malicious spyware.
  • If a site demands that you install a toolbar or program to continue – leave it immediately.
  • Some sites offer toolbars and “assistant” apps – I tend to avoid these even if they are legitimate as you have little or no control over them
  • Re-scan your system frequently – at least with one or two of the major scanners.  I recommend scanning with ADWCleaner and Malware Bytes every couple of weeks just to be sure
  • Run a “cleaner” program to clean out temporary files and rubbish from your system.  An excellent freeware one is CCleaner (Crap Cleaner) – www.ccleaner.com (directs to http://www.piriform.com/ccleaner).  This improves system performance and also reduces the risks associated with some types of malware that may have been downloaded but aren’t yet “active”

Remember – if you’re unsure, ALWAYS SEEK PROFESSIONAL HELP.  The risks from these types of programs, and the criminal activity associated with them, are sharply on the rise;  it now exceeds traditional crime in many countries, and the damage from identity theft, etc. can last for many years.

For a bit more background on what Malware is, continue below.

What can Malware do?  

Malware can be very nefarious – some steal credit card details, email addresses, personal information, lists of sites you’ve visited and passwords;  some steal every keystroke you type into a system (these are called Key Loggers).  Others can change your browser’s home page or search engine, randomly open sites you don’t want, replace ads with ones they want you to see, stop you reaching some sites and even turn your PC into a “drone” which participates in sending spam, relaying porn or attacking remote sites.

Remember - be cautious about what you install.  There are actually quite a few risks to consider:

  • Changing T&C - While some programs may have amenable terms and conditions when you install them, these can change over time.  This is more common for firms that start out with venture capital and funding but whose cash flow proves poorer than expected;  ethical standards can then give way to immediate financial considerations.
  • Malware included with updates - There has also been software which included malware at a later date (even with normal maintenance updates).  You will see some updates in programs which now ask you, often somewhat forcefully, to install some 3rd party toolbar or application in the process.  Be very careful of these.
  • Malware that starts out more innocently and becomes more nefarious over time – small developers often build applications (and even whole firms) with the intention of being sold to a larger firm in a takeover;  the original design and intention of the program, e.g. a toolbar which directs the user to a particular site, can then be ‘expanded’ to include pop-up advertising, search hijacking and even more malicious activities.
  • Authors who neglect to check bundled packages or “farm out” this responsibility to 3rd party firms.  This is a common problem – some authors simply take a fee from an advertising broker who takes responsibility for the content of 3rd party inclusions, often doing so in a very poor manner.  It is not uncommon for such a broker to shutter their firm if they are caught including overly dangerous or malicious programs;  they shut up shop and disappear, leaving the original author in more of a legal mess than they originally considered.

Legal Implications

Antivirus companies have traditionally had a hard time combating malware themselves – some refuse to address this problem altogether and stick to viruses and trojans.  One complication is that they are often sued by the malware companies themselves;  the malware companies argue that the user agreed to install the application and that someone else has no right to treat it as a virus.  They say that users click “accept” on the huge legal disclaimer in many software packages without reading it in detail;  this sometimes sneakily includes an agreement to install the malware and let it do bad things in return for installing the program they wanted to install originally (be it a game, free program, etc.).  This can even be the case with programs you’ve paid for – the authors are double-dipping, as it were.

Governments have been reticent to protect their citizens from this type of intrusion – they say it’s too hard, too ambiguous, that it transcends their borders or that it’s not their business to police the internet for every citizen;  unless of course it affects their own interests or political party funding.

Will my antivirus program protect me from Malware?

While antivirus programs generally have a very good “hit rate” (the proportion of viruses and trojans in the wild that they can find), the rate of success for malware scanners is much, much lower.  The dispute over what counts as true “malware” continues to make this a difficult industry to police, and the malware companies constantly evolve and update their nefarious products, as something that is new, hard to detect or as yet unknown yields very quick results – and subsequently quick cash.  As soon as it’s widely discovered and known about, its detection and removal rate rises sharply and its value to the authors falls.

Some malware actively fights back – it tries to stop itself from being removed and also tries to ensure it (or one of its later incarnations) is re-installed at a later time.  In truth it’s very hard for most systems to be well protected against this threat;  technical know-how, caution and a lot of vigilance are your most powerful tools.