Malware - prevention and removal
14 January 2015
Get help when your Windows computer is infected with malware or adware.
Despite the wide availability of software to prevent malware and virus infections on your PC or laptop, we continue to see a big increase in infections. Every week we take calls from customers who then bring in computers that need fixing - most often home laptops. Malware changes every day to try to get around the common software designed to block it. It varies from the barely noticeable, to adware that bombards you with spam adverts, to the kind that stops your computer working correctly, including dangerous phishing software that can seriously compromise your security. If you suspect your computer has malware, it's best to act immediately rather than leave your security to chance.
Malware gets in via infected websites and e-mail attachments. One of the most common causes of infection is following a link in an e-mail to a website that then attempts to install malicious software. Almost always these links, and the websites themselves, present themselves as a legitimate site trying to help you out. Don't be fooled! If you are not expecting an e-mail, or it is warning you of some danger, it is highly likely to be fake. The ones telling you you've won the lottery are easy to pick out as fakes, but some look so realistic it's hard not to take notice. Before you click any link, look out for poor formatting or spelling mistakes, and check the URL to see if it is genuine. If a link from an e-mail takes you to a web page requesting personal details, never complete the form. If the link attempts to get you to install something on your PC, close the window immediately.
It's easy to avoid most infections with careful use, but what if you do get infected? You can certainly try some basic things yourself before consulting an IT expert or an IT support company like Oscura. Nearly every case is slightly different in some way, but there are some initial things to check. Some computers that we are asked to work on can be fixed in an hour or two - others can take much longer as we unravel the tricks used to embed the malware. In some instances the malware causes so much damage that it is safer to re-install the computer, to avoid risk and reach a faster resolution. This is probably a good time to mention that you should always keep a regular back-up on an external disk for disaster recovery purposes - we will happily advise you on that too.
Microsoft Windows XP, Windows 7 and Windows 8 all provide a simple way to remove unwanted software. This only deals with the more basic malware but is still a good first step in cleaning up your computer. Click "Start" -> "Control Panel" -> "Programs and Features". On Windows 7 and 8 you can click on the "Installed On" column to see recently installed software. Start with the most obvious unwanted programs - right-click on the program name and select "Uninstall". You may need to run through the process for multiple programs and reboot more than once to remove the software. Common titles to look out for and remove include "search" programs or anything offering a "deal". Check the Publisher column - generally, if it's not from a recognised company, or not software you recognise having installed yourself, it may be worth removing.
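If you are comfortable with PowerShell, the same Programs and Features list can be pulled straight from the registry, newest first, with the publisher alongside. This is an added example rather than anything from the original post; the "search|deal" name pattern is our assumption and you can extend it.

```powershell
# Added example (not from the original post): list installed programs with
# publisher and install date from the Uninstall registry keys, covering the
# 64-bit view, the 32-bit (WOW6432Node) view and per-user installs.
$paths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$programs = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        # InstallDate is normally yyyyMMdd; entries without one are left blank
        $date = $null
        if ($_.InstallDate -match '^\d{8}$') {
            $date = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
        }
        [PSCustomObject]@{
            Installed = $date
            Name      = $_.DisplayName
            Publisher = if ($_.Publisher) { $_.Publisher } else { '(none)' }
            Uninstall = $_.UninstallString
        }
    } |
    Sort-Object Installed -Descending

# Flag the same things the article tells you to look for: no recognisable
# publisher, or "search" / "deal" style names (pattern is an assumption).
$suspect = $programs | Where-Object {
    $_.Publisher -eq '(none)' -or $_.Name -match 'search|deal'
}

"--- Most recently installed (first 30) ---"
$programs | Select-Object -First 30 | Format-Table Installed, Name, Publisher -AutoSize
"--- Entries with no publisher or a suspicious name ---"
$suspect | Format-Table Name, Publisher, Uninstall -AutoSize -Wrap
```

The Uninstall column shows the command Windows would run to remove each entry, which is handy when an entry does not appear in Programs and Features at all.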
There is a lot of anti-malware software that can be used to prevent infection and to treat an infection after the event. We still love Malwarebytes as a simple tool to remove the most common malware. It can be downloaded from https://www.malwarebytes.org/. Remember that malware may try to trick you into visiting another website, so always check the address is what you intend before completing your download. It is worth downloading the software before an infection, but of course that is not always possible. Run a full scan and quarantine all malware found before rebooting your machine.
Malware likes to change your web browser settings. Some of these changes can be undone by changing your home page back and changing your search provider. You should also check the plug-ins or add-ins and remove any that are unwanted. If you launch your browser from a specific shortcut in your taskbar or start menu, check the "Target" by right-clicking and selecting "Properties". The "Target" should be the location of the web browser application file only. There shouldn't be any additional text after "firefox.exe", "chrome.exe" or "iexplore.exe" - extra text there may be sending you to a malicious website.
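Checking every shortcut by hand is tedious, so here is an added PowerShell example (not from the original post) that reads the "Target" of each browser shortcut on the desktop, start menu and pinned taskbar and reports any with extra text after the executable. The folder list is an assumption; add any other place you keep shortcuts.

```powershell
# Added example (not from the original post): find browser shortcuts whose
# "Target" carries extra arguments after the browser executable.
$folders = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
)
$browsers = 'firefox.exe', 'chrome.exe', 'iexplore.exe'
$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($folder in $folders) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            $exe = [IO.Path]::GetFileName($lnk.TargetPath).ToLower()
            # Only browser shortcuts, and only those with something after the exe
            if ($browsers -contains $exe -and $lnk.Arguments.Trim() -ne '') {
                [PSCustomObject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                }
            }
        }
}

if ($findings) {
    "Browser shortcuts with extra text after the executable:"
    $findings | Format-Table -AutoSize -Wrap
} else {
    "No browser shortcuts with extra arguments found."
}
```

Not every hit is malicious - some legitimate Chrome shortcuts carry profile or app arguments - but a web address in the Arguments column is the pattern described above.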
Another common malware trick is to change your network settings to stop you reaching the website you intend. This is used both to prevent you getting tools to remove the malware and to direct you to spam or junk websites that may also carry malicious content. Unless you have specific network settings, you will usually find it safe to change your network adapters back to default settings and remove any DNS servers the malware has set. Unfortunately this is where it all starts getting technical, and this is where we are available to help by getting our hands on your PC or laptop.
We have seen a lot of malware that sets a proxy in your network settings. This means that when you try to access websites, all your details are sent via another service, which sends you back different content - very dangerous for your security. Proxies can be removed via "Control Panel" and "Internet Options" (or just type "Internet Options" into your Windows search bar). Under "Connections" and "LAN Settings", un-tick "Use a proxy server for your LAN". This will almost never need to be ticked for home or small office networks.
Often the malware may prevent you from changing your network settings to remove the threat. If you go back into your "Network Adapter" or "Internet Options" settings you may find that your changes have been ignored and the malware is still in control. Now we're starting to get into situations that require a closer look at the specific problem, and we have a long list of things that may need to be done to resolve it. This may be the point to skip to the end of this article, unless you're technically minded and confident in your PC skills!
Starting the machine in safe mode (F8 at boot) allows the registry to be modified (via "regedit") and proxies to be removed. Do not make any changes you are unsure of. If you search for the ProxyEnable value (under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings), setting it from 1 to 0 disables the proxy. You can also search for the proxy address you saw in Internet Explorer or in your Internet Options (e.g. 127.0.0.1:8800). On reboot, running "Internet Options" as administrator will allow you to clean up any remaining proxy details.
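The proxy and DNS checks from the last few paragraphs can be done in one go from an elevated PowerShell window. This is an added example, not from the original post: it reads the ProxyEnable and ProxyServer values mentioned above (plus AutoConfigURL, which a proxy script can hide behind), lists the DNS servers on each adapter, and only changes anything when run with -Fix. The DNS commands need Windows 8 or later.

```powershell
# Added example (not from the original post): audit, and optionally clear,
# the Internet Settings proxy values and per-adapter DNS servers.
param([switch]$Fix)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $key
$proxyOn = [int]$settings.ProxyEnable -eq 1

"ProxyEnable   : $($settings.ProxyEnable)"
"ProxyServer   : $($settings.ProxyServer)"
"AutoConfigURL : $($settings.AutoConfigURL)"

if ($proxyOn -or $settings.AutoConfigURL) {
    Write-Warning "A proxy or auto-config script is set; home and small-office PCs rarely need one."
    if ($Fix) {
        # Same effect as un-ticking "Use a proxy server for your LAN"
        Set-ItemProperty -Path $key -Name ProxyEnable -Value 0
        Remove-ItemProperty -Path $key -Name ProxyServer -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue
        "Proxy settings cleared. Reboot and re-run this check: malware that is"
        "still running may put them straight back."
    }
}

# DNS servers per adapter. Anything you did not configure yourself and do not
# recognise as your ISP's or router's address is worth questioning.
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }
$dns | Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize

if ($Fix) {
    # Put every adapter back to DHCP-assigned DNS, i.e. the article's
    # "change your network adapters to use default settings".
    $dns | ForEach-Object {
        Set-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -ResetServerAddresses
    }
    "DNS servers reset to automatic on all adapters."
}
```

Run it once without -Fix to see what is set, and again after a reboot to confirm the changes stuck.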
After removing malware you may find you have a clean but non-functioning machine. Try running the sfc tool via the repair console command prompt to resolve commonly broken Windows libraries; the command is "sfc /scannow". We have also found that malware can break your network connection. This can be repaired by removing the network adapter via "Device Manager" and then re-installing it. You can also try resetting Winsock and the TCP/IP stack. There are utilities for these kinds of repairs, but it can also be done from an elevated command prompt with the following commands: "netsh winsock reset catalog" and "netsh int ip reset reset.log".
This article could run on for a very long time with hints and tips on malware removal. Unfortunately there are so many possibilities and never a single solution. However, we'll dip back into this article and update it with more common solutions as malware continues to evolve.
All of the things mentioned in this blog post should be considered at your own risk. If in any doubt at all, consult a professional IT support company that has experience of fixing malware problems. If you have a malware problem and are in the Reading or Thames Valley area you can call us on 0118 959 7200 for help.