I originally wrote this when the most dominant malware around was the fake anti-virus programs. They block your system and try to bully you into paying for a scanner to remove the so-called virus it finds. In reality, it is probably the only virus on your system.
Then came the scareware messages claiming to be from a law enforcement agency, locking your system with the message that you have something illegal on your system. Pay up or go to jail.
Now, in my case at least, the main problems seem to be PUPs or Potentially Unwanted Programs like toolbars and web browser hijackers.
Most people get these by installing programs without paying attention to the install screens and unchecking the options for additional software. Another way is when people get their browser hijacked (usually by the previously mentioned method) and get taken to a new search page that displays ads claiming that there are problems with the computer, or promising to speed up the system or the Internet. Another culprit I suspect is those "You Got To See What This Celebrity Is Doing With That One!" type videos on Facebook.
I have to adapt my procedures according to the situations. Here are my latest.
First I use CCleaner: www.piriform.com/ccleaner
I usually use CCleaner not just to clean up temp files but also to go to the Tools menu and then the Startup options. There I disable any startup items, browser extensions and Scheduled Tasks that I think are not needed. Only experience and/or a good search engine can tell you what to keep or not. Mainly get rid of toolbars, their updaters, optimization programs, any program promising to speed up your system or to prevent future problems, and registry cleaners.
Warning: as of this writing CCleaner has come under fire for collecting private data from customers even when the option not to is deselected in the settings. Use at your own discretion. Another option for cleaning out the temporary files would be PrivaZer: privazer.com/
Another option for viewing background processes would be Autoruns - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
Then I would download, install, update, and run the following:
I used to include ComboFix as one of my chosen scanners, especially if I suspected a serious infection or rootkit. Unfortunately ComboFix will not work on Windows 8.1 or Windows 2000, and more than likely not on Windows 10. If you have an older system, use at your own discretion.
I always go for Safe Mode with Networking; it gives you Internet access in safe mode, which comes in handy for updating anti-virus and anti-malware programs.
To start up in Safe mode if your computer originally came with XP, 7 or Vista: Restart your computer and keep pressing the F8 key on your keyboard. It's a bit tricky but when done right you will be taken to a screen that gives you the Windows Advanced Options Menu.
If you have a Windows 8 or 10 computer: Restart your PC. When you get to the sign-in screen, hold the Shift key down while you select Power button. Click on Restart.
Then select Troubleshoot
Then Advanced options
Then Startup Settings
Then Restart.
After your PC restarts, you'll see a list of options. Select 4 or F4 to start your PC in Safe Mode. Or if you'll need to use the Internet, select 5 or F5 for Safe Mode with Networking.
We can all thank Microsoft for making such a simple procedure a lot more complex.
With Windows XP you would be presented with the option to run System Restore. Your choice. When presented with the login screen, choose your account. An info box will eventually pop up giving you the option to continue using safe mode or use System Restore. Click Yes to continue in safe mode. Clicking No will start up the System Restore wizard, which allows you to reset your computer to an earlier point, hopefully before the infection.
First, let's reset the browsers, even the ones you don't use.
You might need a cleared-out browser to download the previously mentioned scanners; otherwise you might be blocked from going to these scanner sites.
Click on Restore settings to their original defaults and on the little box that opens click on Reset.
There is a virus called SMART HDD that hides all files on your hard drive and then tries to convince you that your drive is damaged. It moves all the shortcuts from the Start Menu into the folder %Temp%\smtmp; those shortcuts are needed to restore the Start menu icons. I only encountered this on XP systems. So if all your Start menu icons are missing, don't delete the temporary files.
If you can't or don't want to download any third party cleaner try cleanmgr. Just type it and hit enter in the search or run bar. It opens Windows own Disk Cleanup utility. Should work with most versions of Windows.
Then on to the scanning.
How to use Malwarebytes: https://support.malwarebytes.com/docs/DOC-1709
First download and run Malwarebytes. One of the first things I do before running a scan is click on the Settings button in the left-hand menu. Then click on the Protection tab across the top and, under Scan Options, enable Scan for rootkits. Then on the same left-hand menu click on Dashboard, and then the big blue Scan Now button.
When it's finished it will show you the Threat Scan Results. At this point I like to mark everything for deletion, so make sure everything is checked. If you have a lot of items listed but they are not all checked, just put a check by the word Threat; this automatically checks everything on the list. Then click on the large Remove Selected button.
It should automatically start deleting everything after that. You'll be taken to a screen where it shows 0 threats quarantined, but that number will eventually climb to match the actual number of threats found. Afterwards you may get a message to restart your computer; let it do so if prompted.
I like picture guides too: http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-malware-tutorial
Next, AdwCleaner.
This scanner, which I run next and which is now owned by Malwarebytes, is pretty straightforward. Just open it and click on the Scan button. It's a lot quicker than Malwarebytes. When it's finished scanning, just click on the Clean button. This one always requests a restart after scanning. Make it so. Accept any prompts.
Then, TDSSKiller
Update if you can, accept the end user license agreements (there are two), then click on the Start scan button. It's quick and will give you the option to delete anything it finds. A restart may be requested.
Then finally SUPERAntiSpyware
When you get to their site, click on the link to the Portable Version. Don't let the Portable name fool you. Usually portable software refers to software designed to run from something like a flash drive. With this version, you download the installer, copy the installer to a flash drive, copy it to the infected system and run it from there. It's supposed to contain all the latest definitions, so you don't have to worry about updating it on a computer with no Internet access.
First click down in the lower right hand corner where it says Click here to check for updates. Then toward the top left, click on Scan This Computer. At this point, you can do a Quick scan or Complete Scan. Again delete anything it finds.
Normally I would go into Safe Mode and remove it from there. But lately it seems to be a trend for these viral programs to be able to start up even in safe mode; it was only a matter of time.
The only way around it is to use a boot CD/DVD. My experience with these in the past has been hit-or-miss. Most anti-virus boot CD/DVDs are based on one anti-virus program or another. In the past I used to use UBCD4Windows. The problems now are that it hasn't been updated in a while, it's based on Windows XP, and you need a copy of Windows XP because you have to compile the CD yourself from it.
A few other anti-virus boot CDs:
Then comes the tricky part, booting off the CD/DVD.
These links give you some idea how to boot off a CD/DVD/USB drive. Unfortunately, Microsoft has complicated this issue as well by developing Secure Boot. You'll need to do some research and see how to disable it in the BIOS / UEFI of your computer. Otherwise you will not be able to boot off an external device.
Here are some links to give you some idea what to look for.
Most computers will give you an option like Hit F2 or F12 for boot menu. Different computers will have different setup keys. It's usually on the first screen that displays the computer logo when you first turn it on. On my Acer Win7 desktop, I have to use the Delete key to go into the BIOS and F12 for the boot menu.
If you're lucky, your computer may already be set up to boot off your CD/DVD drive. :-)
So, download the rescue CD/DVD/USB image of your choice and burn the image. ISO images need to be burned properly (as an image, not as a data file). Try using this simple program to do so: ImgBurn - www.imgburn.com/
Boot off the image in question and just follow through from there. The first thing you want to do is try to update it. Even if you can't update it, try to run a scan anyway. It might not clean your system up completely, but it might break the virus's hold enough to get control of the system to do further scans.
Sometimes an extra step or two are needed to clean out a system. In these cases, here are a few suggestions.
Try to isolate the name of the infection and do some research online to try and get the right information to remove it. Sometimes there are scanners designed to remove only a specific infection.
You can manually check for suspicious files and processes using Autoruns - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns and HijackThis - http://filehippo.com/download_hijackthis/
I recommend Autoruns first.
Using these requires a bit of knowledge and understanding. They don't automatically delete anything but show you just about everything that is running on your computer, giving you the option to manually delete anything you don't want running.
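A read-only PowerShell triage of the same autostart locations that CCleaner's Startup tab and Autoruns show, added here as an example and not part of the original post. The list of "suspect" folders is my own heuristic, and Get-ScheduledTask needs Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original post): read-only triage of the autostart
# locations that CCleaner's Startup tab and Autoruns show. Flags entries whose
# binary sits in a user-writable folder (a constructed heuristic list), is
# unsigned, or no longer exists. Get-ScheduledTask needs Windows 8 / 2012 or later.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Heuristic: legitimate autostarts rarely run from Temp, AppData or Public.
$suspectDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC) | Where-Object { $_ }

function Get-ExePath([string]$Command) {
    # Extract the executable from a command line such as:  "C:\x\a.exe" /silent
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]   # unquoted paths containing spaces get cut here
}

function Get-Flags([string]$Exe) {
    if (-not $Exe) { return 'no executable (COM handler?)' }
    $flags = @()
    foreach ($dir in $suspectDirs) { if ($Exe -like "$dir*") { $flags += 'user-writable path'; break } }
    if (Test-Path -LiteralPath $Exe) {
        $status = (Get-AuthenticodeSignature -FilePath $Exe).Status
        if ($status -ne 'Valid') { $flags += "signature: $status" }
    } else { $flags += 'file missing' }
    return ($flags -join ', ')
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSProvider, ...
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath "$($p.Value)"))
        [pscustomobject]@{ Location = $key; Name = $p.Name; Path = $exe; Flags = Get-Flags $exe }
    }
}

# Scheduled tasks outside the \Microsoft\ tree are the other place the post says to check.
$tasks = Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $cmd = ($_.Actions | Select-Object -First 1).Execute
        $exe = if ($cmd) { [Environment]::ExpandEnvironmentVariables((Get-ExePath $cmd)) } else { '' }
        [pscustomobject]@{ Location = "Task $($_.TaskPath)"; Name = $_.TaskName; Path = $exe; Flags = Get-Flags $exe }
    }

# Flagged entries first. Nothing is changed; disable or delete manually once you know what it is.
@($entries) + @($tasks) | Sort-Object { $_.Flags.Length } -Descending | Format-Table -AutoSize
```

A flag is a reason to look the entry up, not proof of malware; plenty of legitimate updaters are unsigned or live in AppData.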
If all else fails you can try a system restore. It's a last resort to me but I managed to fix one laptop by using it. If you do get back to a non-infected point, you may still want to run a few scans just to be sure.
Another trend that I've noticed other than the Starting Up In Safe Mode thing, is that these malware programs change the exe association.
When you double-click on a file such as a picture with a .jpg extension, the extension tells Windows which program to open it with, in this case your default picture viewer.
Newer malware changes these default program associations so that every program you try to open launches the malware program instead. So if you manage to successfully delete the malware program, none of your programs will start up, because when you try to open one, Windows asks you to choose a program to open it with.
So now you have to fix the EXE file association.
I have the fixes for XP, Vista, and Windows 7. I have them burned on a CD so I can just copy them over to the computer in question and merge them into the registry of the infected system.
Just copy and paste the appropriate text below into Notepad and call it fix_exe.reg. The name is not important; changing the .txt extension to .reg is.
Open Notepad and paste the text into it. Then click on Save As and make sure to change the file type option to All Files. Type the file name with .reg at the end. Then copy the file to the infected system and double-click on it. It will ask you to confirm. Make it so.
Windows XP - copy and paste between the lines
--------------------------------------------------
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"
[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"
[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"
[HKEY_CLASSES_ROOT\exefile\shell]
[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\runas]
[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shellex]
[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"
--------------------------------------------------
Windows Vista - copy and paste between the lines
--------------------------------------------------
Windows Registry Editor Version 5.00
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice]
--------------------------------------------------
Windows 7 - copy and paste between the lines
--------------------------------------------------
Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOT\.exe]
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"
[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
32,00,5c,00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
00,2c,00,2d,00,31,00,30,00,31,00,35,00,36,00,00,00
[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"
[HKEY_CLASSES_ROOT\exefile\shell]
[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\runas]
"HasLUAShield"=""
[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\runasuser]
@="@shell32.dll,-50944"
"Extended"=""
"SuppressionPolicyEx"="{F211AA05-D4DF-4370-A2A0-9F19C09756A7}"
[HKEY_CLASSES_ROOT\exefile\shell\runasuser\command]
"DelegateExecute"="{ea72d00e-4960-42fa-ba92-7792a7944c1d}"
[HKEY_CLASSES_ROOT\exefile\shellex]
[HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers]
@="Compatibility"
[HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers\Compatibility]
@="{1d27f844-3a1f-4410-85ac-14651078412d}"
[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"
[-HKEY_CLASSES_ROOT\SystemFileAssociations\.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.exe]
"FullDetails"="prop:System.PropGroup.Description;System.FileDescription;System.ItemTypeText;System.FileVersion;System.Software.ProductName;System.Software.ProductVersion;System.Copyright;*System.Category;*System.Comment;System.Size;System.DateModified;System.Language;*System.Trademarks;*System.OriginalFileName"
"InfoTip"="prop:System.FileDescription;System.Company;System.FileVersion;System.DateCreated;System.Size"
"TileInfo"="prop:System.FileDescription;System.Company;System.FileVersion;System.DateCreated;System.Size"
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithList]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids]
"exefile"=hex(0):
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"
--------------------------------------------------
Windows 8 or 10 - copy and paste between the lines
--------------------------------------------------
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
  00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
  32,00,5c,00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
  00,2c,00,2d,00,31,00,30,00,31,00,35,00,36,00,00,00
[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"
[HKEY_CLASSES_ROOT\exefile\shell]
[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\runas]
"HasLUAShield"=""
[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\runasuser]
@="@shell32.dll,-50944"
"Extended"=""
"SuppressionPolicyEx"="{F211AA05-D4DF-4370-A2A0-9F19C09756A7}"
[HKEY_CLASSES_ROOT\exefile\shell\runasuser\command]
"DelegateExecute"="{ea72d00e-4960-42fa-ba92-7792a7944c1d}"
[HKEY_CLASSES_ROOT\exefile\shellex]
[HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers]
@="Compatibility"
[HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers\Compatibility]
@="{1d27f844-3a1f-4410-85ac-14651078412d}"
[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}]
@=""
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}]
@=""
--------------------------------------------------
Some extra links:
www.thewindowsclub.com/fix-unable-to-open-exe-lnk-files-windows-7
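A read-only PowerShell check of the .exe association, added here as an example and not part of the original post, to run before and after merging one of the fix_exe.reg files above. The expected values are the ones those .reg files write; it also reports the per-user UserChoice override that the Vista fix deletes.

```powershell
# Added example (not from the original post): read-only check of the .exe
# association before and after merging one of the fix_exe.reg files above.
# Expected values are taken from those .reg files; nothing is modified.
$expectedCommand = '"%1" %*'   # what @="\"%1\" %*" in the .reg file writes

function Get-RegDefault([string]$Path) {
    # (Default) value of a registry key, or $null when the key does not exist.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'(default)'
}

# HKCR is not a PowerShell drive by default, so address it through the Registry:: provider.
$checks = @(
    @{ Name = 'HKCR\.exe'
       Path = 'Registry::HKEY_CLASSES_ROOT\.exe'
       Expected = 'exefile' },
    @{ Name = 'HKCR\exefile\shell\open\command'
       Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
       Expected = $expectedCommand },
    @{ Name = 'HKCR\exefile\shell\runas\command'
       Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\runas\command'
       Expected = $expectedCommand }
)

$bad = 0
foreach ($c in $checks) {
    $actual = Get-RegDefault $c.Path
    $ok = ($actual -eq $c.Expected)
    if (-not $ok) { $bad++ }
    $status = if ($ok) { 'OK ' } else { 'BAD' }
    $shown = if ($null -eq $actual) { '<key missing>' } else { $actual }
    '{0}  {1,-36} actual: {2}' -f $status, $c.Name, $shown
}

# A per-user override takes precedence over HKCR; the Vista fix above deletes this key.
$userChoice = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice'
if (Test-Path $userChoice) {
    $bad++
    "BAD  per-user UserChoice override present, ProgId = $((Get-ItemProperty $userChoice).ProgId)"
}

if ($bad -eq 0) { 'EXE association looks intact.' }
else { "$bad problem(s): merge the fix_exe.reg for your Windows version, then run this check again." }
```

If an association points at something other than "%1" %*, the path it names is the program every double-click is being redirected to, and is worth looking up before deleting.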
Finally, delete all the old restore points, but only after you are convinced the system is clean. Click on Start button > Control Panel > System > Advanced System settings > System Protection tab > Configure... > Delete > OK
This will delete all old points that still may be infected and you can use the Create... button to create a new clean restore point.
Just a note: To date I have not had to deal with a case of Ransomware.
Ransomware seems to be on the rise. It infects your system, then encrypts your files (like scrambling your files and putting a very strong password on them) and then tries to blackmail you into paying them to unlock your system for you. Getting rid of the virus should be easy enough; getting your files back is another story. Breaking the encryption, even for pros, could take days, months or even years. It's, unfortunately, not like in the movies with a few key clicks in a few seconds.
Most Important Thing To Do: DON'T EVER PAY. If you do, then it only encourages them to do it more. This is where it's important to have backups of your important files. It's usually recommended to format or reset your computer, restore your files from backup and move on. If you don't have backups I have a list of a few resources that may help you but otherwise, treat your system like your hard drive crashed and you lost everything, and move on.
https://noransom.kaspersky.com/
https://thehackernews.com/2018/06/free-ransomware-decryption-tools.html
www.makeuseof.com/tag/will-petya-ransomware-crack-bring-back-files
www.bleepingcomputer.com/news/security/teslacrypt-shuts-down-and-releases-master-decryption-key
A program that may help you recover some files. www.shadowexplorer.com
Your best bet is to try not to get infected in the first place. Don't open attachments from unknown emails. I've gotten a few emails with attachments claiming to be invoices, bills, undelivered parcels, etc. Even on Facebook, be careful what links you click on.
This link is for the download of a PDF file with some useful info. If the link doesn't work, go to the link above from nakedsecurity.sophos.com and scroll to around the middle of the page. https://www.sophos.com/en-us/medialibrary/Gated%20Assets/white%20papers/sophosransomwareprotectionwpna.pdf?la=en
Programs to try and block ransomware. Having an updated anti-virus will help some too.
This one is Free. - www.mcafee.com/us/downloads/free-tools/interceptor.aspx
This one you have to pay for - https://www.winpatrol.com/winantiransom/