How to clean up viruses, 2013 (4th edition)


I first wrote an article about malware in 2009. It was for a government funded organization and spread across five counties in Pennsylvania. It has been updated annually since then with my best suggestions. The previous version is still available here, but this year I wanted to do something a little more direct. I have included the usual screenshots of fake programs you should look out for, but on top of that, I wanted to give you some additional programs that I like to use, including at least one I didn’t mention back when I talked about my IT Toolkit.

First, shut your computer down. You heard me. Print this out if you need to, but shut it all the way down. With the computer shut all the way down, boot into “Safe Mode with Networking.” To do this, locate the “F8” key on the top row of your keyboard. See it? Hit the power button to turn on your computer and immediately start tapping F8, at least once a second. It should bring you to Windows Advanced Startup Options. There you can use the arrow keys to select Safe Mode with Networking. Then log in to Windows the way you normally would – safe mode will look a little different, but work with it; you should be safer in here. If the viruses pop up immediately, even in Safe Mode, you’re going to need more help than we can provide in this article. If you’re in Safe Mode (with Networking), keep reading.

Now, we’re going to use a series of tools. First, let’s start with TDSSKiller – this application looks for many of the worst bugs, but it’s very specific in what it looks for. It generally only takes a few seconds to run, but anything it finds should be removed immediately, and the computer rebooted again into Safe Mode with Networking.

Second, I suggest SuperAntiSpyware. There is a free version which requires an installation, and a Portable Version – which technically there is a way to download for free, although legally you should purchase a license for the portable version, so I won’t get into the details of how to download the free Portable Edition here. Either way, the program is great, and as long as you don’t let it overwhelm you, it should be pretty straightforward. There should be a large Scan Your Computer button at the top. Let it remove anything it finds.

Third up, Malwarebytes Anti-Malware. This program is simple to use. Don’t bother with the 30-day trial of the Pro version; just install the free edition and let it do its magic. The straightforward interface should make it easy to kick off a scan. To remove what it finds, check the boxes and choose Remove All at the bottom of the window when the scan is complete.

At this point, reboot the machine again – things should be looking better. If you’re still experiencing blue-screening or other virus popups, I would encourage you to try RogueKiller by Tigzy. I’ve linked to the less common English page that many people overlook, but the tool should be just as up to date. It is a little overzealous and can close other running programs that it detects without warning. Once it’s done with a brief initial scan of running applications, it can also check your registry settings, as well as restore the default HOSTS file and DNS settings, which is always advisable (malware commonly edits the HOSTS file so that security vendors’ update sites stop resolving). All of these options are on the right side of the screen when you run the RogueKiller application – I just work my way down the line. It will generally leave a series of log files and quarantined items on your desktop; it is safe to delete all of this.
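To show what a HOSTS file check like the one RogueKiller offers actually looks for, here is an added example (not code from the original article and not RogueKiller’s own code). It parses a constructed sample of a Windows HOSTS file and flags two things a stock install never contains: a public hostname pointed at the loopback address (the trick used to silence a real antivirus’s update servers) and any hostname pointed at a routable address (a redirect to somewhere the user did not choose). The sample file contents, the `updates.example-av.net` name and the `203.0.113.45` address are all constructed for the example.

```python
import ipaddress

# Constructed sample of a Windows HOSTS file (not taken from the original
# article). The first eight lines mirror what a default HOSTS file looks like
# (comments plus the two loopback entries); the last three are the kind of
# additions a rogue "antivirus" leaves behind.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       updates.example-av.net  # constructed vendor name
203.0.113.45    www.google.com
"""

# Hostnames that legitimately resolve to loopback on a stock install.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname, line_number) for every active mapping.

    Everything after '#' is a comment; blank lines are skipped; one line may
    map several hostnames to the same address.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: an address with no name maps nothing
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower(), lineno


def find_suspicious_entries(text):
    """Return (line, ip, name, reason) for mappings a default HOSTS file lacks.

    Loopback/unspecified addresses are only acceptable for the names in
    DEFAULT_LOOPBACK_NAMES; any other name sent to loopback is a sinkhole,
    and any name sent to a routable address is a redirect.
    """
    flagged = []
    for ip, name, lineno in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((lineno, ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            if name not in DEFAULT_LOOPBACK_NAMES:
                flagged.append((lineno, ip, name, "public name sinkholed to loopback"))
        else:
            flagged.append((lineno, ip, name, "name redirected to external address"))
    return flagged


if __name__ == "__main__":
    # On a real machine you would read C:\Windows\System32\drivers\etc\hosts
    # instead of SAMPLE_HOSTS; the parsing is identical.
    for lineno, ip, name, reason in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip} -> {name}: {reason}")
```

Running it on the sample reports the two sinkholed security-vendor names and the redirected `www.google.com` entry, and nothing for the two default `localhost` lines. The point of restoring the default file, as RogueKiller does, is that any entry beyond those two loopback lines is something somebody added, and on a machine showing fake antivirus popups that somebody was usually the malware.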

Good luck. For reference, below is just a tiny sample of the fake antivirus and warning messages you may see. Always check with your IT person.

It is important to remember that these viruses get onto your computer because you somehow allowed it. It’s not your fault, but you were tricked. Perhaps one of these fake antivirus programs popped up, and you told it to “fix” what it found. By allowing it to run, you allowed it past your system’s defenses. Perhaps it was something telling you that you need to update Flash or Java. Those are very common legitimate updates, but because most people say “yes” without thinking twice, more and more viruses are disguising themselves to look like a Flash Player update! See that below?

In the above picture, you can see an example of the fake Adobe Flash update. I have inverted the “terms and conditions” text that shows up at the bottom of the web page, which can help you see how these scammers are delivering viruses to you while legally using the Adobe Flash name. They package all kinds of other things with the fake installer that may not necessarily be classified as a virus, but that give some nefarious programs another way into your computer.

What you need to know: if you did not tell the computer to do a virus scan, and suddenly it pops up and says you have dozens or even hundreds of viruses, it is almost certainly one of these FAKE pop-ups! Most virus scanners might find one or two viruses when they’re running their automatic scans in the background. If you did not start a manual Full System Scan, your computer will never tell you that you have 300+ viruses – it can’t find that many without doing a manual scan. So if something randomly tells you that you’re sunk, don’t panic, take a deep breath and laugh it off: you already know their tricks!

If one of these pops up on your computer, your safest practice is to immediately save anything you are working on and restart your computer. Do not try to close the window that is alerting you to all of the viruses; shutting down the computer will close the pop-up. If it does happen to be a legitimate problem, or something is actually installed on your computer, it will pop back up the next time you turn on the computer. If it does not come up after a restart, it was likely nothing more than one of these fake pop-ups, and nothing has been installed on your computer!

I personally dealt with one of these pop-ups recently, where even when you clicked the “X” in the top right to close the program, it refused to exit. It would say “are you sure you want to close,” then as soon as you clicked “YES,” another window popped up with the same “virus alert!” It is trying to trick you into clicking the wrong thing, thus installing the “payload,” which could do anything from causing the computer to go slow by infecting other computers, to stealing files off of the computer, to even crashing the whole thing, requiring a complete rebuild. That is why I recommend immediately shutting down and/or restarting the computer.

If you have accidentally “installed” one of these “antivirus” programs in an attempt to solve the problem it created, you might not be entirely out of luck, as the website MalwareBytes.org has an anti-malware “removal tool.” At this time, it is the only recommended removal software I have come across, earning recognition from several “tech” websites as the best possible solution for those who may have clicked on a fake anti-virus banner, next to wiping the computer clean and rebuilding it (which we may have a set of video instructions on, down the line).