This is the 2nd part of the series, the Part One can be found here.
In the first part of the article, I tried to describe the types of infections you can get, what problems and limitations you’ll experience, as well as preliminary techniques to try to keep you computer clean. But at this point, you are probably already infected. Let’s deal with that part now.
First, we need to see if we can do a preliminary cleanup. SuperAntiSpyware (SAS) and MalwareBytes (MWB) are both good candidates for the first pass. The advantage for SAS is that it is faster than MWB. The advantage for MWB is that you can install it in Safe Mode if necessary. Both will want to update their internal databases, so reboot your computer into “Safe Mode with Network Support” after installing them. You do this by tapping the F5 or F8 keys after you see the BIOS startup screen or logo.
When you run the cleaner the first time, it will want to go online to get the latest definitions. If possible, I strongly recommend this. When it completes the update, you can then begin. I suggest you do the Complete Scan or Full Scan first. SAS will actually show you what it has found as it finds it. MWB will only show the number of things it found until it finishes and then you can view a detailed log of the results. After the scan and fix is complete, you’ll usually be requested to reboot the computer. Please do so. When rebooting, I suggest you keep coming back to “Safe Mode with Network Support” and running the cleaner until it doesn’t find anything else (except for cookies, perhaps). Some of you may have more than one user on the computer. If this is so, you really need to log into each user, one by one, and run the cleanup program in Complete or Full Scan mode in order to check everything. Once these steps are completed and the results come back with just cookies or less, you can reboot into normal mode.
At this point, you’ll need an Antivirus program. There are many good ones out there, but no matter which one you use, you need to make sure it has its latest updates downloaded. Because they are free, you have two good choices.
You can use AVG, (currently at version 8, available at http://free.avg.com/.
Like the SAS and MWB programs mentioned above, after you install an AV product, please get all available updates before scanning. Of course, if you already have an AV program installed (such as Norton, McAfee, PC-Cillin, please use it. Just make sure you have it get any virus definition updates and program updates first. As the AV scanner is doing its job, it may find further infections. If you are given a choice of deleting or quarantining the infected item, you should normally choose quarantine. That way you’ll have the best chance to avoid losing any of your data files. Be aware some sometimes you’ll need to run your AV a second (or third) time in order to make sure that all infections have been cleaned up. Once you’ve gotten the preliminary Anti-Spyware and Anti-Virus scans complete, you can now go in and try to clean out the rest of things.
The HiJack-This utility is good at this point because it can point out bad startup items that have had their files removed, but that have entries in Startup locations still in place. When you run HiJack-This, have it do a scan. Work your way down the list looking for any items that have “(file missing)” on the end of the line and put checkmarks at the start of those lines. Then, at the bottom left, you can click on FIX to remove those orphaned entries. Scan again when it has finished. You will see many entries prefaced by O4. Windows runs these automatic startup entries when it boots up. I’m not going to go into a long discussion on what each of the other entries in this list means because there are many websites that will help you interpret your HiJack-This log file. CastleCops.com and BleepingComputer.com come to mind as good sources. If there are any bad things you recognize in this list and if you know what you’re doing, you can checkmark and FIX them. Hijack this will make a backup so that it can restore them if needed. Because HiJack-This puts all the control in your hands, you have to be extra careful about what you remove from your computer. It lists bad as well as good things on your computer and it puts the responsibility to determine which is which in your hands. Please exercise caution when removing entries.
The work that has been done so far is the lion’s share of the brute force work. Most (all?) of the malware should be gone. However, all Anti-Spyware and Anti-Virus programs are not equal and there is no one single program that will prevent, find, or fix all possible infections. So you are now in a position of needing a second or third opinion that your computer is truly cleaned up. Yes, you could install another one or two Anti-Virus or Anti-Spyware programs and run them, but perhaps an easier solution is to use some of the online scanners out there. That way, you can just visit their websites and they will scan your entire computer for you in an attempt to give you a clean bill of health.
In the final part of the article, I’ll talk about the tidying up and finalizing of the cleanup procedure.