
How to Remove Malware From Your Computer

Introduction, What is Malware?

  • Malware is any malicious piece of software that can reside in electronic equipment. Anything that is running on your computer that you did not willingly install can be considered malware. An example of a serious case of malware is:
  • Malware is a group term for anything malicious that can run on your computer, such as viruses, spyware, adware, trojan horses, and rootkits.
    • Virus: A program that copies itself, and duplicates itself onto other machines, without your permission.
    • Spyware: A program that tracks what you do on your computer and the web, and does things without your knowledge on your computer and the web, sometimes with your personal information.
    • Adware: Software that plays advertisements on your computer.
    • Trojan Horse: An application that says it will do one thing, but actually does something very different.
    • Rootkit: Hides things that are installed on your system, and conceals activities of other applications on your system, allowing those applications to do many things without your knowledge.

How Did I Get Infected?

  • Unfortunately, it’s not very difficult to get infected with malware. Simply visiting an infected website could land hordes of malicious critters onto your machine. However, there are some specific things that will make you more likely to get infected.
  1. Downloading: Downloading programs when you are not certain what they are or what they do is likely to lead to a malware infection. This would also include LimeWire or any other Peer to Peer illegal downloading; those files aren’t always what they say they are.
  2. Not running antivirus software: Even if you’re extremely careful, viruses can still slip onto your computer. Not running antivirus software is like running around in the snow with no clothes on.
  3. Visiting porn sites: Porn sites are notorious for having extremely lethal malware.

Avoiding Rogue Anti-Malware Products

  • It is very important that you avoid anti-malware products that are on the Rogue Suspect List of Anti-Spyware Products. Some of these products just aren’t good at getting rid of malware; others are known to actually add malware to your machine.
  • A good way to ensure that you never get stuck with a rogue product is to research the product on Google and see what people are saying about it.

Malware Removal for the Mac

Free Mac Malware Removal Software

  • ClamXav: ClamXav is a free, open source antivirus client.
  • Rootkit Hunter: Trojan Hunter is an excellent utility that will search for and remove rootkits.

Pay Malware Removal Software

  • Norton Antivirus: The popular Norton Antivirus client is available for purchase and use on Mac OS X.
  • McAfee Virus Scan: The popular McAfee Virus Scan software is also available for use on a Mac.
  • Sophos Antivirus: An antivirus client from Sophos that is supposed to detect a number of different malware variants for Mac OS X.

Step 1: Use Real Time Scanners to Find Malware

  • Please note instructions from this point on will not work for Mac OS X. These instructions are only for computers running Microsoft Windows.
  • Using a real time scanner (RTS) is a great way to quickly and easily find what malware is on your system. These real time scanners also remove all malware they find, which makes them an invaluable resource when removing malware.

SUPERAntiSpyware Free Edition

  • SUPERAntiSpyware Free Edition excels at removing malware on your system. It takes around 30 minutes to fully scan. Please see below for instructions on how to use this very valuable program.
  1. Download SUPERAntiSpyware Free Edition from here.
  2. Save the file to your desktop for easy access.
  3. Double-click on the SUPERAntiSpyware.exe file to launch the installer.
  4. Click Next.
  5. Put a dot next to I Accept the License Agreement.
  6. Click Next.
  7. Type your name and click Next.
    Running a complete system scan (Photo by Josh)
  8. Click Next to leave the default installation path which is C:\Program Files\SUPERAntiSpyware.
  9. Click Next to install SUPERAntiSpyware.
  10. Please be patient as it installs to your system.
  11. After it is done installing, click Finish.
  12. Click Yes to the pop-up asking if you want to check for the latest definition updates.
  13. Please be patient as it downloads the updates.
  14. In the next pop-up window, click Next.
  15. Click Next until you see the word Finish, and then click Finish.
  16. Click on Protect Home Page (recommended).
  17. When the main program control window comes up, click on Scan Your Computer.
  18. Put a check next to Perform A Complete System Scan and click Next.
  19. It will now scan your system for malware.
  20. When SUPERAntiSpyware finishes, remove everything that is found.

A-Squared Free Edition

  • A-Squared Free Edition is an excellent malware removing application. It offers a pay version that has real-time monitoring, but that is unnecessary for removing malware. A-Squared Free Edition will remove all the malware that it finds and is also easy to use. This scan will take approximately 45 minutes.
  1. Download A-Squared Free Edition from here.
  2. Please save the file to your desktop for easy access.
  3. Double-click on the a2FreeSetup.exe file.
  4. Click OK to select English as the installation language.
  5. Click Next.
  6. Put a dot next to I Accept the Agreement.
  7. Click Next.
  8. Keep the default installation path, which is: C:\Program Files\a-squared Free, and click Next.
    Selecting a Deep Scan (Photo by Josh)
  9. Click Next until you see an Install button, and then click the Install button.
  10. After it is done installing, click Finish. This will launch A-Squared Free Edition.
  11. When it asks if you want to run an online update, click Yes.
  12. It will download the updates. Please be patient.
  13. When it says that A-Squared Free Edition needs to be restarted, please click Yes.
  14. When the program restarts, click Scan PC in the left column.
  15. Put a dot next to Deep Scan; this will tell it to thoroughly scan your hard drive for malware.
  16. Please be patient as A-Squared Free Edition scans your computer for malware.
  17. Let it remove whatever it finds.

Step 2: Use Online Scanners to Find Malware

  • An online scanner will scan your system and report any malware that it finds on your system. The main problem with these Online Scanners is they will not remove any of the malware they find. However, it is very easy to remove the malware yourself; see the next step for instructions.
  • Please do not use your computer while performing these online scans as it will interfere with the scanning process.

Panda Nanoscan

  • Panda Nanoscan is one of the quickest, complete online scanners you will find. The trade-off is it’s not as effective as running a longer, more thorough online scanner. However, it does give you a general idea of what is on your system. This scan will take approximately 5-10 minutes.
  1. Please go to the Nanoscan site and click NanoScan My PC.
  2. It will prompt you to install an ActiveX control. Please allow it to do so.
  3. After you finish installing the ActiveX control, it will start to load the scanner. Please be patient.
  4. After it loads the scanner, please allow it to run the ActiveX control.
  5. Click NanoScan My PC.
  6. It will begin to scan your PC. Please do not close the window or it will stop the scan and you will have to start over.
  7. When it is done, it will give you a report and list what malware, if any, you have on your PC.
  8. If it detects anything, please write down the pathways of the infection, which should be in a format like C:\Documents and Settings\ .
  9. If it reports that you have no malware, and you think you might, please continue on with Panda Activescan.

Panda Activescan

  • Panda Activescan is a very thorough online scanner. It will detect the majority of the malware that is currently infecting computers. You will need Internet Explorer to use this online scanner. This scan will take approximately 60 minutes.
  1. Please go to the Activescan site and click the Scan your PC button.
  2. A new window should open.
  3. Enter your Country.
  4. Enter your State/Province.
  5. Enter your e-mail address and click send.
  6. Select either Home User or Company.
  7. Click the big Scan Now button.
  8. It will ask if you want to install an ActiveX control. Please allow it to do so.
  9. It will now start to download all the necessary files for it to work properly. Let it update. This may take a few minutes depending on your connection speed.
  10. After it is done updating, please click on My Computer to start the scan.
  11. After the scan is complete, please click on the See Report button.
  12. Either write down all the pathways of infections that were found or save the report to your computer.

Kaspersky Webscanner

  • Kaspersky Webscanner is one of the deepest, most thorough scans available on the Internet. It has a high detection rate and gives you a detailed report on whether your system contains malware. The trade-off is it has a long scan time. This scan will take approximately 1.5-2 hours. You will need Internet Explorer to use this online scanner.
  1. Please go Here and click Scan Now.
  2. A pop-up with the license agreement will now open. Please click Accept.
  3. You will be prompted to install an ActiveX control. Please do so.
  4. Kaspersky Webscanner will now download and install the updated malware definitions. Please be patient.
  5. After it is finished downloading and installing the updates, please click Next.
  6. Now click on My Computer. It should be the third option in the “Please select a scan target area” menu.
  7. It will now begin to scan your computer. Please let the scan finish. It may take a while. Please do not close the window.
  8. When the scan finishes, please make sure you click Save Report As… so you can refer to it later. Please save this file to your desktop.

Step 3: Delete and Eradicate Malware

  • Now that you have found the malicious files, you are ready to delete the malware.

CCleaner

  • CCleaner is a great tool to remove the bad entries and files that are left over by the malware that was on your computer. Please see below for instructions.
  1. Please download CCleaner.
  2. Please save the file to your desktop.
  3. Please double-click on the ccsetup202.exe file.
  4. Click OK to select the English language as default.
    Using CCleaner to clean up (Photo by Josh)
  5. Click Next.
  6. Click I Agree to accept the license agreement.
  7. Click Next.
  8. Click the Install button.
  9. CCleaner will now install onto your computer.
  10. After it is done installing, click Finish.
  11. Double-click on the CCleaner file on your desktop.
  12. Click the Analyze button to scan. It may take a few minutes.
  13. After it is done scanning, click Run Cleaner to delete all the files it found.
  14. On the warning pop-up, click OK and it will remove the files.
  15. Click OK to any other messages that you get.
  16. Now click the registry button to the left.
  17. Click Scan for Issues and then click Fix selected issues….
  18. Click Yes to back up the registry. Save it to a convenient location.
  19. Now click Fix all selected issues and let it fix the issues. It may take a few minutes. Please be patient.
  20. Close CCleaner.

Pocket Killbox

  • Pocket Killbox is a very easy to use tool to delete files and folders.
  1. Please download Pocket Killbox.
  2. Save the file to your desktop.
  3. Please double-click on the Killbox file.
    Pocket Killbox window (Photo by Josh)
  4. Click the Delete on Reboot button, and then click on the All Files button.
  5. Please type out all the pathways for your malware into a Notepad file.
  6. In Notepad, click Edit.
  7. Select Select All.
  8. Right click and select Copy.
  9. Return to Pocket Killbox, and then click on File and choose Paste from Clipboard.
  10. Click the red-and-white Delete File button.
  11. Click Yes at the Delete on Reboot prompt. This will delete all the files that you had typed out into the Notepad file.
  12. Your computer will now reboot and the files will be gone.

LSPFix

  • LSPFix is a very useful application that will restore your Internet connection if malware knocks it out. It is also small enough to fit on a floppy drive or any other computer storage peripheral (such as a CD, Flash Drive, DVD, etc).
  1. Please download LSPFix from Here.
  2. Please save it to your desktop.
  3. Put a checkmark next to the I know what I’m doing (or enjoy re-installing my operating system) checkbox.
  4. Be very careful; do not move any of the files in the Keep section to the Remove area.
  5. ONLY move the entries in the Remove section by clicking the two left arrows (<<).
  6. After you are done, close the program and restart your computer and see if you can connect to the Internet.

Step 4: Use HijackThis to Remove Malware

  • Please be aware that the instructions from this point on are for experienced computer users, who follow them at their own risk.
  • The program of choice for advanced malware removers is HijackThis. HijackThis is a very powerful system manager. It’s also dangerous in the wrong hands; used incorrectly it can cause many dangerous or lethal changes to your system. To use HijackThis, please follow the steps below:
  1. Download HijackThis from this location.
  2. Save this file to your desktop for easy access.
  3. Double-click the HJTInstall.exe file.
  4. Keep the default installation directory, which is C:\Program Files\TrendMicro\HijackThis.
  5. Click the Install button.
  6. Click I Accept after reviewing the license agreement.
  7. HijackThis is now installed on your system.
  8. You may now close the Program or click Do a scan and save a logfile.
  9. The logfile will open in Notepad for easy reading.
Sample HijackThis detections (Photo by Josh)
  • Take a look at this above screenshot. How many of these do you think are malware? Surprise! They’re all good. That’s why you need to do the research before you delete anything. Go on to the next step for instructions and tips on researching your malware.

Step 5: Researching Your Detections

  • Now that you have a complete listing of entries provided by HijackThis, you are ready to start researching. It is never a good idea to randomly start fixing entries. A good place to start is with the HijackThis Tutorial. This tutorial will thoroughly explain every entry in the logfile that you are presented with.
  • Below are some examples of what you may see when you do a scan with HijackThis.

HijackThis logfile entry example 1

  • O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
  • What does it mean?
  1. O2: This tells you the section of this particular entry. O2 means it is a Browser Helper Object; in other words, anything that will appear on your Internet browser’s window.
  2. BHO: (no name): This gives the name of the item that HijackThis is detecting. In this case, it’s a BHO which has no name to it.
  3. {7E853D72-626A-48EC-A868-BA8D5E23E045}: This is the most important part of this entry. It is called a CLSID. This is both the name of and the identifier for the particular entry. You would paste the letters and numbers within the brackets into Castlecops.
  4. (no file): This means that the file that was present on this entry does not exist anymore. This entry is just a remnant entry on your system.

HijackThis logfile entry example 2

  • O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
  • What does it mean?
  1. O4: Items in the O4 section are automatic startup entries.
  2. HKLM\..\Run: This indicates how the program is installed on your system. It is not an extremely important part of malware removal.
  3. [igfxhkcmd]: This is the entry’s name, or how it refers to itself. It’s one of the most important parts of the logfile. Research it on Castlecops.
  4. C:\WINDOWS\system32\hkcmd.exe: This is the pathway for the file that HijackThis detected. The only important part is the end file name, which is hkcmd.exe; you can research it on the Castlecops website.
  • The above entries are just two that you may see when you run a scan with HijackThis. In order to use HijackThis effectively, you need to research every entry thoroughly.

How to Use Castlecops Malware Database

  1. Go to the appropriate section number on the Castlecops website. The section number is the first number (the one beginning with O) in your entry. The links, as well as an explanation of each item, are:
    • O2/O3: Browser helper objects and toolbars
    • O4: Automatic startup entries
    • O9: Extra Internet Explorer buttons (these may be added by malware and are often difficult to remove by other scanners)
    • O10: Internet connection files (do not fix any of these entries or you will destroy your Internet connection!)
    • O16: ActiveX controls installed by Internet Explorer
    • O18: Protocol hijackers (very uncommon)
    • O20: Windows startup items
    • O21: Entries with a delayed load time
    • O22: Entries with scheduled tasks
    • O23: Services running on your computer (do not fix before researching)
  2. Input the entry’s name into the search box and hit search.
  3. See the reference chart below to see if your particular entry is malware related. In the Status column you’ll find:
    • “Y” - Normally leave to run at start-up
    • “N” - Not required - typically infrequently-used tasks that can be started manually if necessary
    • “U” - User’s choice - depends whether a user deems it necessary
    • “X” - Definitely not required - typically viruses, spyware, adware and “resource hogs”
    • “?” - Unknown
  4. The most important resource that you can use for malware removal advice, besides Castlecops, is Google. All you have to do is copy and paste the complete path of the entry into Google and click Search.
  • If you do not want to go through analyzing it yourself, you can paste it into an Auto-Analyzer. It will search many databases and present advice based on your results.
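
The entry breakdown and section list above can be applied to a whole logfile at once. The following Python sketch is an added example, not part of the original article or of HijackThis; the function names and the non-page sample lines are hypothetical. It pulls out the terms worth researching (the CLSID, the entry name, the file name) and attaches the section meaning and caution from the list above.

```python
import re
from ntpath import basename  # Windows path rules, whatever OS this runs on

# Section meanings and cautions exactly as this page lists them.
SECTIONS = {
    "O2": "Browser helper objects and toolbars",
    "O3": "Browser helper objects and toolbars",
    "O4": "Automatic startup entries",
    "O9": "Extra Internet Explorer buttons",
    "O10": "Internet connection files",
    "O16": "ActiveX controls installed by Internet Explorer",
    "O18": "Protocol hijackers",
    "O20": "Windows startup items",
    "O21": "Entries with a delayed load time",
    "O22": "Entries with scheduled tasks",
    "O23": "Services running on your computer",
}
CAUTIONS = {"O10": "do not fix", "O23": "do not fix before researching"}

ENTRY = re.compile(r"^(O\d+)\s+-\s+(.*)$")
CLSID = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")
RUN = re.compile(r"^[^:]+:\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")

def exe_name(cmd):  # file name of the program in a command, ignoring arguments
    if cmd.startswith('"'):                      # quoted path, arguments follow
        path = cmd[1:].split('"', 1)[0]
    else:                                        # unquoted: stop after ".exe"
        m = re.match(r"(.+?\.exe)\b", cmd, re.I)
        path = m.group(1) if m else cmd
    return basename(path)

def parse_entry(line):
    """Return a triage record for one log line, or None for non-entry lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    terms = [c.upper() for c in CLSID.findall(rest)]   # CLSID without the braces
    run = RUN.match(rest) if section == "O4" else None
    if run:
        terms += [run.group("name"), exe_name(run.group("cmd"))]
    return {
        "section": section,
        "meaning": SECTIONS.get(section, "not described on this page"),
        "caution": CAUTIONS.get(section),
        "search_terms": terms,
        "remnant": rest.endswith("(no file)"),   # file behind the entry is gone
    }

def triage(log_text):
    """Parse every entry line in a log; header and process lines are skipped."""
    return [e for e in map(parse_entry, log_text.splitlines()) if e]

# Constructed sample; only the O2 and O4 lines come from this page.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\example.dll
O23 - Service: Example Service - Example Vendor - C:\Program Files\Example\svc.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e["section"], e["meaning"], e["search_terms"], e["caution"] or "")
```

The output is a research worklist only; whether an entry is malicious still has to be decided by looking each term up.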

Using HijackThis Auto-Analyzer

  • You can have a HijackThis report auto-analyzed for you so you don’t have to do all the research yourself to figure out if a certain entry is malicious.
  1. Please double-click on the HijackThis file on your desktop.
  2. Click Do a System Scan and Save a Logfile.
  3. Notepad should open with the resulting logfile.
  4. Copy the logfile from Notepad.
  5. Go here and paste the log from Notepad.
  6. Now click the Parse button, and it will analyze your logfile.
  7. Please make sure you research any entry that the Auto-Analyzer flags to make sure that the entry is really malicious.

Step 6: Set Up a Host File

  • Setting up a Hosts File is one of the easiest and most effective ways to avoid malware download sites.
  • Please note that the below instructions are not for Microsoft Windows Vista. For instructions for Windows Vista, please see Here.
  1. Please go Here and download the MVPS Host file.
  2. Please save this Zip file to your desktop for easy access.
  3. Please double-click on the Hosts.zip file on your desktop.
  4. Now click on Extract Files and follow the wizard that you are presented with by clicking Next and finally Finish.
    Doubleclicking on MVPS.bat (Photo by Josh)
  5. Your files have now been extracted to your desktop.
  6. In the resulting window, please double-click on the mvps MS-Dos Batch File.
  7. In the resulting command prompt window, please click Enter on your keyboard.
  8. The host file is now installed on your system and will block most harmful websites.
  9. To test to make sure it works, please go to http://www.doubleclick.com. It will give you an error message saying it cannot connect to the website or that your browser cannot display the page.
  10. The host file has been installed at C:\Windows\System32\Drivers\etc\hosts.
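
The browser test in step 9 checks one site. The following Python sketch is an added example, not part of the original article or of the MVPS package, and its function names and sample entries are hypothetical. It reads a hosts file's text, confirms that the names you expect are mapped to a local or null address, and lists any name mapped to a real address, since such a line redirects a site instead of blocking it.

```python
import ipaddress

def parse_hosts(text):
    """Map each hostname (lower-cased) to the address the hosts file gives it."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:                       # not an address: skip the line
            continue
        for name in fields[1:]:                  # one line may carry many names
            # Keep the first mapping seen for a name (assumed resolver behaviour).
            mapping.setdefault(name.lower(), addr)
    return mapping

def is_sink(addr):
    """True for addresses that go nowhere: loopback or 0.0.0.0 / ::."""
    return addr.is_loopback or addr.is_unspecified

def is_blocked(mapping, host):
    addr = mapping.get(host.lower().rstrip("."))
    return addr is not None and is_sink(addr)

def review(text, must_block):
    """Return (names that are NOT blocked, names redirected to a real address)."""
    mapping = parse_hosts(text)
    missing = [h for h in must_block if not is_blocked(mapping, h)]
    redirected = {h: str(a) for h, a in mapping.items() if not is_sink(a)}
    return missing, redirected

# Constructed sample, not the real MVPS file. Matching is by exact name, so
# blocking "www.doubleclick.com" says nothing about "doubleclick.com".
SAMPLE_HOSTS = """
# constructed sample
127.0.0.1   localhost
127.0.0.1   www.doubleclick.com   # ad server
0.0.0.0     ads.example.test
203.0.113.7 login.example.test
"""

if __name__ == "__main__":
    missing, redirected = review(SAMPLE_HOSTS, ["www.doubleclick.com", "doubleclick.com"])
    print("not blocked:", missing)
    print("redirected :", redirected)
```

On a real machine, pass in the contents of C:\Windows\System32\Drivers\etc\hosts.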

Resources for How to Remove Malware From Your Computer

Malware Removing Software

  • You are free to install as many or as few of these malware removal programs as you wish. They all work great and as they are supposed to.

Cleanup Software

  • You may install any and all of these that you wish, especially if you feel that your computer needs to be cleaned up a little.

Free Antivirus Software

  • Please make sure you only install ONE Antivirus system. Otherwise you will cause severe system problems and may even destroy your operating system. Any of the suggestions below provide great Antivirus software.