Signs of Malware
Some malware is fairly obvious in its presence: continual pop-ups, or your browser being redirected to odd web sites. Unfortunately, much malware is hidden and more insidious in nature, stealing passwords for online accounts, for example.
Whatever the source or type of malware, you do not want it on your system. These instructions will help you clean your system of infections and infestations. For more problematic malware, contact your local Computer Officer or the Service Desk.
Prevention Is Better than Cure
There are a number of things you should be doing to help protect your system from malware. Please review our web page on standalone computer security so, hopefully, you won't need to re-visit these pages.
Disconnect From the Network
Make sure the PC is disconnected from the network, wireless and wired. You do not wish to infect others...
Download Anti Virus Software
You will need access to anti-virus software and definition files. On a clean system download and copy any software you require, including definition files, onto a CD/DVD or a USB drive.
Download all of the following:
- McAfee VirusScan Enterprise 8.8 with spyware module. Make sure you download any additional patches and the latest DAT file.
- Kaspersky Antivirus Tool (free version)
Cleaning The System
Prepare the System
There are some steps you need to do before scanning your system. These will speed up the scanning process and help remove any malware from your system.
- Turn off System Restore. Since malware can be hidden in System Restore points you need to clean these out. If you don't know how to turn off System Restore then McAfee provides instructions on how.
- Delete temporary internet files and Cookies. Malware often hides and runs from temporary file space in your browser. Make sure that you clear out the temporary files from all browsers you use. Disposing of these files will also significantly speed the scanning of your system.
- View all files and folders. Make sure that the system is displaying all files and folders and not hiding system files. Start by changing your Windows Explorer/My Computer folder options as described in the FAQ "How do I display all files in Windows?". This should ensure that you can see most files. You should also check that when you search for any files (All files and folders) you go to More advanced options and tick Search hidden files and folders.
Note: If you have problems installing VirusScan or the other products it is likely that the malware on the system is causing problems. At this point you need to review the advanced instructions for malware removal or contact your local computer officer (or the Service Desk) for assistance.
Scan with VirusScan Enterprise
Install McAfee VirusScan 8.8 onto the system and update with the latest DAT file. Run a full scan of the system.
Scan the system with Other Products
No one product is perfect; it is best to scan your system with more than one product. We have suggested additional products but there are many others to choose from if you wish to use them instead.
Run the following in the order listed below:
- GetSusp is a tool designed to find as-yet-unknown malware using heuristics (a best guess based on known types of malware). If the system is connected to the network it will scan the system using an online database and can send samples of potentially malicious files back to McAfee for analysis. If the system is not connected it will still function, but you will have to send any file samples to McAfee yourself.
- Stinger will scan for a subset of malware (around a thousand specific, well-known types of malware).
- Malwarebytes requires installation and preferably a network connection so it can be updated. This is a good all-round free product with an excellent track record of scanning and cleaning an infected machine. It is not for general antivirus use.
- The Kaspersky Virus Removal Tool likewise requires installation and preferably a network connection so it can be updated. It is also a good all-round free product with an excellent track record of scanning and cleaning an infected machine, and it is not for general antivirus use either.
Rescan the system
Once the scans have completed, reboot the computer and then do a full scan of the system again with all products, running one scan at a time. If anything is detected, reboot and rescan until nothing is detected.
Note: If after the second round of scans malware is still being detected you will need to go to the advanced instructions or rebuild the system (see below). If you are unable to recover your data contact your local computer support or the email@example.com and arrange an appointment to get your data from your system before wiping and reinstalling.
After the Malware has Been Removed
Once your system is clean you should review our "After the Event" page and our Windows Security for standalone use web page.
Note: Remember you need to re-enable System Restore points and reboot.
Advanced: You Can't Seem to Clean The System
If malware is still being detected you will need to try some of the advanced removal advice here or re-build the system (see below). If you are unable to recover your data contact your local computer support or the firstname.lastname@example.org and arrange an appointment to get your data from your system before wiping and reinstalling.
Advanced Steps For Installing or Running AntiVirus Software
Malware often tries to stop antivirus products from running or being installed. Even if the AntiVirus does detect something it may be unable to remove it. If this happens there are some things you can try to work around the malware.
Boot into Safe Mode
You can try booting the system into safe mode and then installing and running the antivirus products there. Safe mode will also allow you to remove files which are being locked by a service, driver or process. If you are going to install something you will have to manually start the Windows Installer service. If there is a problem, you should be prompted about which Windows services are required or not running.
Check the Windows System Files
It's possible that malware has corrupted Windows. If this has happened you are advised to wipe the system and re-install. You can use the System File Checker (SFC) tool to scan Windows files and have them replaced if they are not as expected. From an administrative command prompt run the command sfc /scannow.
Cleaning up the Registry
A lot of malware adds registry entries which, on reboot, check whether you have deleted the trojan's or rootkit's executable(s) and, if you have, put a copy back from an install location. That copy is normally called something else and is probably in a different directory, such as the Recycle Bin.
As a basic check, look in the registry at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion and check the following entries:
Check under the same keys in HKEY_CURRENT_USER.
In addition check:
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
What is running at startup?
Use the Autoruns program from Microsoft for complete coverage of what starts when the system boots. This application covers all the registry locations, services, and drivers.
There are many different tools available; we list some we have found useful over the years.
Note: These are powerful tools. If you delete the wrong file or registry key you can render Windows unusable.
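As an added example (not from the original page or from Autoruns), the Windows PowerShell script below audits the Run and RunOnce values under the CurrentVersion keys named above for both HKLM and HKCU, plus the HKCU ...\Windows NT\CurrentVersion\Windows "load" value, and flags entries whose executable is missing, lives in the Temp or Recycle Bin directories the page warns about, or is not validly signed. The directory list and the command-line parsing are assumptions for illustration; run it from an administrative Windows PowerShell 5.1 prompt and treat a flag as a prompt to investigate, not as proof of infection.

```powershell
# Added example (not from the page): audit common autostart registry values.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'  # holds the 'load' value
)
# Assumed list: directories a legitimate autostart entry almost never points into.
$suspectDirs = @("$env:TEMP", "$env:SystemDrive\`$Recycle.Bin")

function Get-ExePath([string]$cmd) {
    # Pull the executable out of a command line such as  "C:\x\y.exe" /arg  or  C:\x\y.exe -arg.
    # Entries like  rundll32 foo.dll,Bar  fall through and are reported as MISSING-FILE (review by hand).
    if ($cmd -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($cmd -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $cmd.Trim()
}

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    if ($null -eq $item) { continue }
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata fields
        if ($key -like '*\Windows NT\*' -and $prop.Name -ne 'load') { continue }
        $value = [string]$prop.Value
        if ([string]::IsNullOrWhiteSpace($value)) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath $value))
        $flags = @()
        if (-not (Test-Path -LiteralPath $exe)) {
            $flags += 'MISSING-FILE'
        } else {
            foreach ($d in $suspectDirs) {
                if ($exe -like "$d\*") { $flags += 'SUSPECT-LOCATION' }
            }
            # An unsigned or invalidly signed autostart binary deserves a closer look.
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $flags += "SIG-$($sig.Status)" }
        }
        [pscustomobject]@{
            Key   = $key
            Name  = $prop.Name
            Value = $value
            Flags = (($flags | Select-Object -Unique) -join ',')
        }
    }
}
```

Pipe the output to Format-Table -AutoSize or Export-Csv to keep a record of what was present before you change anything, so a mistaken deletion can be reverted.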
Use a bootable DVD with an antivirus scanner
By booting from a DVD with a clean OS and anti-virus scanner on it you can scan a badly infected system without interference from the malware. Even if you use something which cannot delete the malware it should at least provide you with a list of files to delete. You can then boot into safe mode and remove any malware-infected files.
Rebuild the system
You may find that your system has been so badly infected that it is not possible to clean it, or that it is simpler and quicker to wipe the drive and re-install the operating system. In this case you need to back up your files and wipe the system before re-installing Windows.
Before embarking on a system re-build you must ensure you have your Windows operating system disc and any driver or recovery discs. If you don't have a driver disc, use Device Manager to make a note of your major components (video and network) so you can download drivers for them. You may need to use the restore disks/partitions provided by the manufacturer of your system to re-install your software. If you don't have any restoration/recovery disks or don't know about restore partitions, see Recovery Disks and Partitions for details. If this sounds too complicated for you then contact Hardware-Support, who offer a charged service in this area.