This post is part of a project to move my old reference material to my blog. Before 2012, when I accessed the same pieces of code or general information multiple times, I would write a quick HTML page for my own reference and put it on a personal site. Later, I published these pages online. Some of the pages still get used and now I want to make them available on my blog.
This guide describes a method for cleaning up a Windows computer infected with malicious software, also known as malware. It is designed for Windows XP but other versions of Windows may be similar. Follow the steps below, in order, to rid a system of malware.
A Note on Downloading
Many steps in this guide require you to download and install and/or run an application from the Internet. However, if the computer is infected with malware, it may have limited or no network connectivity. Keep in mind that you always have the option of downloading on a separate, clean computer and transferring the file to the infected one with a flash drive or CD.
It is important to note that many malware applications will attempt to spread themselves by copying themselves to any removable media inserted into the infected machine, usually together with an autorun.inf file that launches the copy as soon as the drive is plugged into another computer. If you insert a flash drive into an infected machine, take care to scan it and remove any infections before inserting it back into a clean computer, and turn off AutoPlay/AutoRun on the clean computer beforehand so that nothing on the drive runs on insertion. The flash drive can be scanned at the same time as the hard disk(s) as described in the section Installing and Using Anti-Malware below.
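The following batch file is an added example for the flash-drive caveat above; it is not part of the original guide. It is meant to be run on the clean computer, from a Command Prompt opened as an Administrator, before a drive that has been in the infected machine is inserted: it disables AutoRun for every drive type through the NoDriveTypeAutoRun policy value, then shows any autorun.inf and any hidden, system or executable files in the drive's root. The drive letter is passed as the first argument; the script name check-removable.cmd is an assumption.

```batch
@echo off
rem check-removable.cmd  (added example, not from the original guide)
rem Run on the CLEAN computer as Administrator before inserting a drive that
rem has been in an infected machine.  Usage:  check-removable.cmd E:
rem Assumes Windows XP or later with reg.exe, attrib.exe and dir available.
setlocal
if "%~1"=="" (
  echo usage: %~nx0 E:
  exit /b 1
)
set "DRV=%~1"

rem 1. Disable AutoRun for all drive types (0xFF) for the machine and the
rem    current user, so an autorun.inf on the drive is never honoured.
rem    Takes effect at the next logon, so log off and on again if you just set it.
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 0xFF /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 0xFF /f

rem 2. Show autorun.inf if present.  Malware writes one so that its dropper
rem    runs on insertion; a clean data-only flash drive normally has none.
if exist "%DRV%\autorun.inf" (
  echo autorun.inf found on %DRV% - contents follow:
  attrib -r -h -s "%DRV%\autorun.inf"
  type "%DRV%\autorun.inf"
) else (
  echo no autorun.inf on %DRV%
)

rem 3. List hidden/system files and executables in the root, where droppers
rem    are usually placed.  Review every name before opening anything.
echo Hidden files in %DRV%\ :
dir /a:h "%DRV%\" 2>nul
echo System files in %DRV%\ :
dir /a:s "%DRV%\" 2>nul
echo Executables, scripts and shortcuts in %DRV%\ :
dir /b /a "%DRV%\*.exe" "%DRV%\*.scr" "%DRV%\*.vbs" "%DRV%\*.cmd" "%DRV%\*.bat" "%DRV%\*.lnk" 2>nul
endlocal
```

Anything the listing shows should still be scanned with the anti-malware tool as the guide describes; the script only stops the drive from launching code on its own and makes the suspicious files visible.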
Booting Up
Boot the PC into Safe Mode with Networking
Press the power button
Tap F8 until the Windows Advanced Options Menu appears
Use the arrow keys to select Safe Mode with Networking
Press Enter
You may be prompted to select the operating system. If there is more than one option, select the one that is most likely the main operating system
You may be prompted to select a user to log in with. If it is an option, attempt to log in as Administrator. Otherwise, choose the one that is most likely the main user
Let the operating system load completely before continuing
Checking and Fixing Network Connectivity
Many malware applications will attempt to disable network connectivity to prevent themselves from being removed. This includes setting a malicious proxy and/or replacing your HOSTS file with a malicious version. Follow the steps below to resolve the problem.
Removing a Malicious Proxy
Many malware applications will set a proxy server in the Windows Internet settings. Internet Explorer, Windows Update and most security tools send their requests through that proxy, so if it does not exist or is under the attacker's control, downloads of removal tools fail or are silently tampered with. The setting is stored per user, so check it for each account that was in use on the machine. Follow the steps below to remove a malicious proxy.
Click Start, Control Panel
Double-Click Internet Options
Click the Connections tab
Under Local Area Network (LAN) settings, click the LAN settings button
If checked, uncheck the box labeled Use a proxy server for your LAN
Click OK on the Local Area Network (LAN) Settings dialog box
Click OK on the Internet Properties dialog box
Close the Control Panel window
Reverting the HOSTS File
Many malware applications will replace your HOSTS file with a malicious version. Windows consults the HOSTS file before querying DNS whenever it resolves a host name, so an entry that maps a security vendor's site or Windows Update to 127.0.0.1 or to an attacker's address silently breaks or redirects access to exactly the sites needed for cleanup. A default HOSTS file contains nothing but comments and the localhost entry. Follow the steps below to revert the HOSTS file to its default state.
In this section, you will need to use a downloadable application called hosts-perm.bat. Please refer to the section above labeled A Note on Downloading for more information regarding this topic.
Open a web browser such as Internet Explorer or Firefox
Visit http://download.bleepingcomputer.com/bats/hosts-perm.bat
Save the file to your computer
When the download completes, you can close the web browser
Run the downloaded file, hosts-perm.bat (it resets the attributes and permissions on the HOSTS file so that the next step can delete it)
Delete the file C:\Windows\System32\Drivers\etc\HOSTS
Replace HOSTS with one of the following, depending on the operating system:
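The batch file below is an added example covering both the proxy removal and the HOSTS reset above from a Safe Mode Command Prompt; it is not part of the original guide and does not replace hosts-perm.bat. It records the current proxy values, clears ProxyEnable, ProxyServer and AutoConfigURL under the current user's Internet Settings key, resets the machine-wide WinHTTP proxy that Automatic Updates uses, prints the existing HOSTS file for review, backs it up and writes the Windows XP default (a single 127.0.0.1 localhost entry). It assumes Windows XP or later with reg.exe and attrib.exe present; the backup file name is an assumption.

```batch
@echo off
rem fix-network.cmd  (added example, not from the original guide)
rem Run from a Safe Mode Command Prompt while logged in as the affected user.
setlocal
set "IS=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
set "HOSTS=%SystemRoot%\System32\drivers\etc\hosts"

echo === Current per-user proxy settings (for the record) ===
reg query "%IS%" /v ProxyEnable 2>nul
reg query "%IS%" /v ProxyServer 2>nul
reg query "%IS%" /v AutoConfigURL 2>nul

echo === Disabling the proxy and removing proxy/PAC values ===
rem These are the values behind "Use a proxy server for your LAN".
reg add "%IS%" /v ProxyEnable /t REG_DWORD /d 0 /f
reg delete "%IS%" /v ProxyServer /f 2>nul
reg delete "%IS%" /v AutoConfigURL /f 2>nul

echo === Resetting the machine-wide WinHTTP proxy (Automatic Updates uses it) ===
rem Windows XP ships proxycfg.exe; Vista and later use netsh instead.
rem Whichever tool is absent simply fails quietly.
proxycfg -d 2>nul
netsh winhttp reset proxy 2>nul

echo === Current HOSTS file (any line beyond localhost is suspect) ===
rem Malware often marks the file hidden/system/read-only; clear that first.
attrib -r -h -s "%HOSTS%"
type "%HOSTS%"

echo === Backing up and replacing HOSTS with the Windows XP default ===
copy /y "%HOSTS%" "%HOSTS%.infected.bak" >nul
(
  echo # Default HOSTS file written by fix-network.cmd
  echo 127.0.0.1       localhost
) > "%HOSTS%"

rem Drop cached lookups so the old redirections stop immediately.
ipconfig /flushdns
endlocal
```

The proxy values live under HKCU, so the Safe Mode Administrator account and the everyday user account have separate settings; run the script (or the GUI steps) from each account that was in use. The saved copy of the old HOSTS file is worth keeping, since the domains it hijacks usually identify the malware family when you search for them later.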
Kill Running Malware Processes
Some malware processes may already be running. You can attempt to kill them by using a downloadable application called rkill.com. Please refer to the section above labeled A Note on Downloading for more information regarding this topic.
Open a web browser such as Internet Explorer or Firefox
Click the first Download Now button and save the file
When the download is complete, you can close the web browser
Run rkill.com (Note: many malware applications prevent unknown executables from running by name. If rkill.com will not start, rename it to iexplore.exe or winlogon.exe; these are the names of system files that malware usually allows to run)
Installing and Using Anti-Malware
There are many applications that will attempt to find and remove malware. The steps below describe how to use the free version of Malwarebytes’ Anti-Malware. However, other free options include Spybot Search & Destroy, SUPERAntiSpyware and McAfee Stinger.
In this section, you will need to use a downloadable application called Malwarebytes’ Anti-Malware. Please refer to the section above labeled A Note on Downloading for more information regarding this topic.
Open a web browser such as Internet Explorer or Firefox
Click FREE DOWNLOAD
Click FREE DOWNLOAD once again on the next page
When the download is complete, you can close the web browser
Using the downloaded file, install Malwarebytes’ Anti-Malware, following the prompts and accepting all the default options
You may be prompted to update definitions, follow any prompts to do so
Select the option labeled Perform full scan
Click the Scan button
You may be prompted to select which drives you want to scan. Select all attached hard drives and, if you used a flash drive to transfer files to this computer, that drive as well
When the scan completes, a message will appear alerting you that the scan completed successfully. Click OK
Click the Show Results button
Click the Remove Selected button
If prompted to restart, accept and restart the computer
What if Malwarebytes’ Anti-Malware was Unsuccessful?
You may come across a piece of malware that Malwarebytes’ Anti-Malware is unable to remove. If this is the case, make sure its definitions are completely up to date and run the scan again.
Open Malwarebytes’ Anti-Malware
Click the Update tab
Click the Check for Updates button
If Malwarebytes’ Anti-Malware is up to date and still unsuccessful at removing the malware, try one of the other applications listed above, such as Spybot Search & Destroy or SUPERAntiSpyware.
If those applications are unsuccessful, you may have to remove the malware manually. Unfortunately, the process is different for each situation. However, if you can identify which piece of malware is infecting the computer, you may be able to research removal instructions online using a search engine. To identify it, find a specific window title or message text generated by the malware and search for that phrase online. Once you know the name of the malware, search for the name followed by “removal instructions.” If the infection cannot be identified, or keeps coming back after removal, the only certain remedy is to back up the user’s data and reinstall Windows from known-good media.
Installing Updates
Once the computer has been cleared of any infections, you will want to update Windows and other installed software with the latest updates. This will prevent many infections in the future by closing known security holes.
Updating Windows
Open Internet Explorer
Click Tools, Windows Update (the Windows Update site requires Internet Explorer)
Click the Express button
Follow any prompts and restart as necessary
Repeat steps 1–4 until no further updates are needed
Optional: Set Automatic Updates to run
Click Start, Control Panel
Double-click Automatic Updates
Select the option labeled Automatic (Recommended)
Choose a day and time to install updates
Click OK on the Automatic Updates dialog box
Close the Control Panel window
Updating Other Applications
You will also want to update other installed applications as necessary. This guide will not cover these topics because each application will have its own update procedure. If you need help, research the topic using a search engine such as Google or Bing. A search query like “update Firefox” will usually get good results. Some important applications that you may want to update include:
System Cleanup
There may also be problems with temporary files, the registry, and/or startup items. Follow the steps below to use **CCleaner** to clean these up. The registry cleaner has no security benefit of its own and can occasionally remove entries that installed software still needs, so always keep the backup it offers. The startup list, on the other hand, is where leftover malware entries are most often found. This section also includes defragmenting the hard disk(s).
Installing and Running CCleaner
Open a web browser such as Internet Explorer or Firefox
Click Download and save the file to your computer
When the download completes, you can close the web browser
Using the downloaded file, install CCleaner, following the prompts and accepting all the default options
Click the Run Cleaner button
Click OK on the message that appears
When the process completes, click on Registry
Click the Scan for Issues button
When the scan completes, click the Fix selected issues… button
Click Yes on the message that appears
Save the registry backup to a location on the hard drive (in case you need to revert back to it later)
Click the Fix All Selected Issues button
When the process completes, click the Close button
Click Tools
Click the Startup button
Select any unnecessary and/or unsafe processes and click the Disable button (Research processes online to determine whether they are unnecessary and/or unsafe)
Close CCleaner
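The batch file below is an added example that serves both the Kill Running Malware Processes section and the startup-item review in CCleaner above; it is not part of the original guide and is not rkill. It writes a report of the running processes and services, the Run/RunOnce keys, the Winlogon Shell and Userinit values, AppInit_DLLs, any Image File Execution Options debugger entries (the mechanism malware commonly uses to stop security tools from starting) and the Startup folders, so the list can be reviewed on a clean machine. It assumes Windows XP or later, an Administrator account and the XP Start Menu paths; the report file name and the badname.exe / BadValue names in the comments are hypothetical.

```batch
@echo off
rem startup-report.cmd  (added example, not from the original guide)
rem Writes startup-report.txt next to the script (put it on the flash drive).
setlocal
set "OUT=%~dp0startup-report.txt"

echo ==== Running processes ==== > "%OUT%"
tasklist /v >> "%OUT%"
echo. >> "%OUT%"
echo ==== Processes hosting services ==== >> "%OUT%"
tasklist /svc >> "%OUT%"

echo. >> "%OUT%"
echo ==== Run / RunOnce keys ==== >> "%OUT%"
for %%K in (
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
  "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
  "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
  "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
) do (
  echo [%%~K] >> "%OUT%"
  reg query %%K >> "%OUT%" 2>nul
)

echo. >> "%OUT%"
echo ==== Winlogon values (defaults: Shell=Explorer.exe, Userinit=...\system32\userinit.exe,) ==== >> "%OUT%"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell >> "%OUT%" 2>nul
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit >> "%OUT%" 2>nul

echo. >> "%OUT%"
echo ==== AppInit_DLLs (default is empty) ==== >> "%OUT%"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs >> "%OUT%" 2>nul

echo. >> "%OUT%"
echo ==== Image File Execution Options debugger entries (how malware blocks tools by name) ==== >> "%OUT%"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s 2>nul | findstr /i "Debugger" >> "%OUT%"

echo. >> "%OUT%"
echo ==== Startup folders ==== >> "%OUT%"
dir /a "%ALLUSERSPROFILE%\Start Menu\Programs\Startup" >> "%OUT%" 2>nul
dir /a "%USERPROFILE%\Start Menu\Programs\Startup" >> "%OUT%" 2>nul

echo Report written to "%OUT%"

rem Manual follow-up, once a name in the report has been researched:
rem   kill a running process (hypothetical name):   taskkill /F /IM badname.exe
rem   remove a startup entry (hypothetical value):  reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v BadValue /f
rem   remove an IFEO block on a tool (example key): reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe" /f
endlocal
```

A Debugger entry under an Image File Execution Options subkey named after a security tool is what makes that tool silently fail to start, which is why the guide suggests renaming rkill.com; deleting the subkey is the permanent fix. Any Run entry or Winlogon value pointing into a temporary folder, a user profile or a randomly named file is the usual sign of the malware's restart hook.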
Defragmenting the Hard Disk(s)
Click Start, All Programs, Accessories, System Tools, Disk Defragmenter
Select the first hard disk in the list that hasn’t been defragmented recently
Click the Defragment button
Repeat steps 2–3 until all disks have been defragmented
Close Disk Defragmenter
Preventative Measures
There are some measures you can take to prevent future infections. These include supplying the user with information about safe browsing habits and installing Firefox with an ad blocker.
Information
You can educate the user on safe browsing habits. Some resources include Safe Browsing Habits (Oregon State University), Safe Surfing (PC Pitstop) and How to Prevent Viruses, Beyond the Obvious (Tucows), all listed under Related Resources below.
Firefox with uBlock Origin
Another method is to install a browser with an ad blocker so that the user is not even shown unsafe advertisements and download links. Firefox with uBlock Origin is a good solution. It requires that you educate the user to use Firefox rather than another browser such as Internet Explorer when they want to access the Internet.
Installing
Open a web browser such as Internet Explorer
Click Free Download and save the file to the computer
When the download completes, you can close the browser
Using the downloaded file, install Firefox (following any prompts along the way)
Once Firefox is installed, click the menu button, then Add-Ons
In the search bar, type “uBlock Origin” and press Enter
Click the Install button next to uBlock Origin
If you are prompted to restart Firefox, accept and restart
You can close Firefox when these steps are complete
Making Firefox the Default Browser
In Firefox, click the menu button, then Options
Click Advanced
Check the box labeled Always check to see if Firefox is the default browser on startup
Click the Check Now button
If a message appears that alerts you that Firefox is not currently set as your default browser, click Yes
Click OK on the Options dialog box
You can close Firefox when these steps are complete
Once Firefox is set as the default browser, you may want to turn off Internet Explorer’s feature that will check to make sure it’s the default browser on each startup:
Open Internet Explorer
When the message appears informing you that Internet Explorer is not currently the default browser, uncheck the box labeled Always perform this check when starting Internet Explorer. If this message does not appear, skip step 3.
Click No
Close Internet Explorer
Final Steps
Close any open windows
Open and close any newly installed/updated applications and go through any first-run settings wizards in them
Restart the PC to make sure everything is working properly
Shut Down
Related Resources
Bing — Search engine by Microsoft
Bleeping Computer — Computer help and malware removal guides
Google — Search engine
Malwarebytes — Developer of Anti-Malware application
McAfee — Developer of Stinger application
Microsoft Support — Windows help and support
Microsoft TechNet — IT-related support for Microsoft products
Mozilla — Developer of Firefox web browser
Newegg — Online store for computer-related products
Oregon State University — Publisher of Safe Browsing Habits document
PC Pitstop — Publisher of Safe Surfing document
Piriform — Developer of CCleaner application
Safer Networking — Developer of Spybot — Search & Destroy application
SUPERAntiSpyware — Developer of SUPERAntiSpyware application
Tucows — Publisher of How to Prevent Viruses, Beyond the Obvious
Wikipedia — Online, community-edited encyclopedia reference