How to Identify and Repair Malware or Virus Infected Systems




The following article provides information on working with Malware or Virus infected systems.


Table of Contents:

  1. What level of support is possible for Malware and Virus infection Issues?
  2. What is the difference between Malware and a virus?
  3. What are the most common symptoms of a Malware or Virus infection?
  4. Malware Detection/system usability steps
  5. General Removal Guide
  6. Scanning Software
  7. Removing the Infection
  8. Prevent Re-Infection
  9. Other Removal Options

1. What level of support is possible for Malware and Virus infection Issues?

Dell’s standard practice has historically been to recommend a clean install of the Operating System (OS), once Malware or a Virus has been detected. This will resolve an infection issue 100% of the time.

Under a ProSupport warranty, our Technical Support should always investigate and confirm that an infection has taken place. They should attempt to get the system into a usable state in order to run antivirus scans, or determine whether a clean reinstall should take place because of the level of infection on the system.

Note: Granted, some infections are not serious and can be removed using the right tools. This information is provided for informational and educational purposes. Dell is not responsible for any loss of data from your system and you run these tools at your own choice and risk.




2. What is the difference between Malware and a virus?

Malware, or malicious software, has become a catch-all term for several different types of infections. Some will install themselves and create a simulated infection, corruption, or hardware failure, thereby tricking you into purchasing their product to resolve the issue. This type is known as hostage-ware, ransomware or scareware. Other malware infections simply redirect your browser to sites the creator has chosen, or to a website for which they are compensated based on the number of hits the site receives. Sometimes these infections can hide your entire root drive and all your subdirectories, or capture your personal information and send it back to the creator of the infection.

A virus, which has become a subset of malware, is an actual program that replicates and attaches itself to services or specific applications. Many malware payloads contain a virus file, such as a Trojan or a Worm, to help root the infection. Viruses were once an exclusive type of infection, but now they have been combined into infection packages of malware. Many malware packages incorporate rootkits to embed themselves into the kernel level of the OS, making them stealthy and more difficult to remove.

Many items are often mistaken for a system infection. These can include tracking cookies, search hooks, or browser helper objects (BHOs). Although the presence of these can indicate infection, there must be an accompanying loader (EXE) file or kernel-mode driver present to confirm infection.




3. What are the most common symptoms of a Malware or Virus infection?

Although today’s malware can contain multiple payloads, here are some of the most common signs of infection:

  • Onscreen Warnings about system infection from a source other than your antivirus software
  • Browser redirects or a complete hijack of the browser
  • You can't open any EXE or Microsoft Installer (MSI) files
  • The inability to change wallpaper or any desktop settings
  • All entries under Start>Programs are empty and/or the C: drive is blank
  • The Antivirus icon disappears from the system tray or cannot be started
  • Random pop-ups show onscreen either in or out of the browser
  • Unusual icons, erroneous Start menu entries, or unexpected Device Manager entries appear




4. Malware Detection/system usability steps

Here are some steps to perform to confirm infection:

  1. Ask the question: "Have any pop-ups, redirects, or messages been experienced on the desktop or from the system tray?"

  2. Has a recent virus or malware scan been run? If the antivirus or malware removal tools will not run, this is a strong indication that the system may be infected.

  3. If the internet or the system is inoperative due to infection, boot to Safe Mode with Networking (using LAN only). You can use the Sysinternals Process Explorer and Autoruns tools to check the system. Most malware infections show themselves easily in these tools as long as they are run as Administrator in Windows Vista or Windows 7. Windows XP is always in kernel-mode in an administrator profile.

[Screenshot: Process Explorer example]

[Screenshot: Autoruns example of a malware infection]

  4. These programs, or any other malware removal tools, will not open if the shell extension for EXE files is blocked in the registry. Right-click the .EXE file and rename the extension to .COM, then attempt to run the tool. If it still will not open, boot to Safe Mode and attempt to run the tool again.

  5. If you have an active antivirus subscription, you can attempt to remove the block on the antivirus. Un-checking any malicious entries in Autoruns and rebooting may allow EXE files to run again, after which you can update and scan with your antivirus. Sometimes a kernel-mode driver is installed in Device Manager to block the antivirus software. It usually shows under Plug and Play Devices, and you must set Device Manager to Show Hidden Devices to see it.

If positive malware identification is made, you can make use of the options below at this point. Just remember if it doesn't work, we can take you through a clean OS reinstall to resolve the issue.
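As an added example that is not part of the Dell article, the following PowerShell script runs read-only versions of the checks above: the .EXE shell association from step 4, the common Run/RunOnce autorun keys that Autoruns also lists, and running kernel drivers loaded from outside System32 (step 5). It assumes an elevated PowerShell 3 or later session on Windows Vista or newer; the registry paths are standard Windows locations and the script changes nothing.

```powershell
#Requires -RunAsAdministrator
# Added triage script, not from the Dell article. Read-only checks that mirror the
# manual Process Explorer / Autoruns / Device Manager steps. Review the output, then
# disable anything malicious in Autoruns as described in step 5 of the article.

# --- 1. Is the .EXE shell association intact? Malware that blocks EXE/MSI launching
#        rewrites this value; the Windows default is the literal string "%1" %*.
$expected = '"%1" %*'
$machine  = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command').'(default)'
if ($machine -ne $expected) { Write-Warning "exefile open command is non-default: $machine" }
else                        { Write-Output  'exefile association: default' }

# A per-user override in HKCU takes precedence over HKCR and normally does not exist.
$userKey = 'HKCU:\Software\Classes\exefile\shell\open\command'
if (Test-Path $userKey) {
    Write-Warning ('Per-user exefile override present: ' + (Get-ItemProperty $userKey).'(default)')
}
if (Test-Path 'HKCU:\Software\Classes\.exe') { Write-Warning 'Per-user .exe extension override present' }

# --- 2. Autorun entries from the common Run/RunOnce keys (a subset of what Autoruns
#        shows). Entries launched from user-writable folders are flagged for review.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
        if ($p.Name -in $psNoise) { continue }          # provider metadata, not autoruns
        $cmd  = [string]$p.Value
        $flag = if ($cmd -match '\\(AppData|Temp|ProgramData|Users\\Public)\\') { 'CHECK' } else { 'ok' }
        '{0,-5} {1,-30} {2}' -f $flag, $p.Name, $cmd
    }
}

# --- 3. Running kernel-mode drivers whose image lives outside %SystemRoot%\System32.
#        Legitimate third-party drivers can appear here too; treat it as a review list.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName -notlike "*$env:SystemRoot\System32\*" } |
    Select-Object Name, DisplayName, PathName, StartMode |
    Format-Table -AutoSize
```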




5. General Removal Guide

Disconnect your PC from the Internet and don't use it until you're ready to remove the malware.

Think of it like cutting off all communications or putting a patient into a suspended state.

Boot your PC into Safe Mode. Only the minimum required programs and services are loaded in this option. If any malware is set to startup when Windows starts, booting in safe mode should prevent it.

To boot into Windows Safe Mode, please follow whichever guide below matches your Operating System (OS). This should bring up the Advanced Boot Options menu. Select Safe Mode with Networking and press the Enter key.

You may find that your PC runs faster in Safe Mode. If it does, it could be a sign that your system has a malware infection, or it could mean that you have a lot of legitimate programs that normally start up with Windows.

Delete your temporary files before starting any other steps. Doing this can speed up the virus scanning: it clears out downloaded virus files and lessens the amount the scanners have to check. You can do this through the Disk Cleanup utility or from the Internet Options menu.
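As an added example (not from the Dell article), this PowerShell script carries out the two preparatory steps above: it configures the next boot for Safe Mode with Networking and clears the temporary folders before scanning. It assumes an elevated PowerShell 3 or later session on Windows Vista or newer (Windows XP uses boot.ini, which bcdedit does not manage) and is run with the network disconnected, as the guide advises.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Dell article. Run it, reboot into Safe Mode with
# Networking, scan, then run it again with -Revert so the PC stops booting into
# Safe Mode (the safeboot flag persists until it is deleted).
param([switch]$Revert)

if ($Revert) {
    # Clear the safeboot flag so the next boot is a normal one.
    bcdedit /deletevalue '{current}' safeboot
    return
}

# Same effect as choosing "Safe Mode with Networking" in Advanced Boot Options.
# The braces are quoted because PowerShell would otherwise parse {current} as a script block.
bcdedit /set '{current}' safeboot network
if ($LASTEXITCODE -ne 0) { throw "bcdedit failed (exit code $LASTEXITCODE)" }

# Clear temporary files before scanning, as Disk Cleanup would. Files locked by a
# running process are skipped rather than forced.
$tempDirs = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp')) | Select-Object -Unique
foreach ($dir in $tempDirs) {
    if (-not (Test-Path $dir)) { continue }
    $files = Get-ChildItem -Path $dir -Recurse -Force -File -ErrorAction SilentlyContinue
    $bytes = [long]($files | Measure-Object -Property Length -Sum).Sum
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    $left = @(Get-ChildItem -Path $dir -Recurse -Force -File -ErrorAction SilentlyContinue).Count
    'Cleaned {0}: {1:N0} bytes found, {2} file(s) still in use' -f $dir, $bytes, $left
}

Write-Output 'Reboot now to enter Safe Mode with Networking. Run this script with -Revert once scanning is done.'
```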

Note: If you are using Windows 10 and, instead of seeing the Safe Mode screens, the system gives a prompt asking for the Windows 10 product code, please use the link below to troubleshoot Windows 10 black screens.

The following link takes you to an article with general steps to take you through a removal of the most often encountered Malware types:




6. Scanning Software

Sometimes running a scanner is enough to remove most malware infections. You most likely already have an antivirus program active on your PC; you should use a different scanner for this check.

If your current antivirus software didn't stop the infection, you can't expect it to find the problem now, and we would recommend trying a new program.

Note: No antivirus program can detect 100 percent of the millions of malware types and variants.

There are two main types of antivirus:

  • Real-time antivirus programs constantly watch for malware.
  • On-demand scanners search for malware infections only when you open the program manually and run a scan.

Note: You should only run one real-time antivirus program on your PC at one time. However, you can keep a few on-demand scanners stored to run scans with multiple programs.

The best course of action is to use an on-demand scanner first and then follow up with a full scan by your real-time antivirus program. There are several free and effective on-demand scanners available. You can find a list of the most common ones in the last section of this article.




7. Removing the Infection

In this guide I'm going to use Malwarebytes. I'm using this piece of software as it's the one I'm most used to and it is freely available. You can find another program to do the same job in Section 9 below if you prefer. If you're following this guide, download the Malwarebytes program and install it. You will need to reconnect to the Internet for this. Once the download is complete, disconnect from the Internet again. If you can't access the Internet or you can't download Malwarebytes on your PC, then download it on another system, save it to a USB flash drive or CD/DVD and transfer it to the infected PC.

Run the setup and follow the onscreen InstallShield wizard. Malwarebytes will check for updates and then launch the user interface (UI).

Note: If it reports the database being outdated, choose Yes to download the updates and then click OK when prompted that they have been successfully installed.

Keep the default scan option 'Perform quick scan' and click the Scan button.

This program offers a full-scan option; however, it's recommended that you perform the quick scan first. Depending on your PC specifications, the quick scan can take anywhere from 5 to 20 minutes, but the full scan could take up to 60 minutes or more. You can see how many files or objects the software has already scanned, and how many of those files it has identified either as being malware or as being infected by malware.

If Malwarebytes disappears after it begins scanning and won't reopen, then the infection could be more serious and is stopping the scanner from running. There are ways around this if you know the type of infection; however, you might be better off reinstalling Windows after backing up your files, as it could be quicker, easier and guaranteed to resolve the infection.

If Malwarebytes' quick scan comes up empty, it will display a text file with the scan results. If you still think that your system may have acquired some malware, consider running a full scan with Malwarebytes, and you can try other scanners, such as one of those listed in Section 9 below. If Malwarebytes finds infections, it'll show a warning box. To see the suspect files, click the Scan Results button. It should automatically select the ones that are dangerous for removal. If you want to remove other detected items, select them as well. Click on the Remove Selected button to get rid of the selected files.

After removing the infections, Malwarebytes will open a log file listing the scan and removal results. Check to confirm that the antivirus program successfully removed each item. Malwarebytes may also prompt you to restart your PC in order to complete the removal process, which you should do.

If your problems persist even after you've run the quick scan and it has found and removed unwanted files, then follow the advice above and run a full scan with Malwarebytes and then with the other scanners mentioned earlier. If the malware appears to be gone, run a full scan with your real-time antivirus program to confirm that result.

If you can't seem to remove the malware or if Windows isn't working properly, you may have to reinstall Windows. Please see the appropriate link below for a guide to suit your particular situation.




8. Prevent Re-Infection

To minimise the risk of a repeat infection, please pay attention to the steps below:

  1. Keep your operating system and applications updated with the latest security patches. On Windows Update, these would be the updates marked as critical and security.

  2. When you are reading your email, do not open messages or attachments sent from unknown senders. If you are unsure, it is better to delete it than to expose your system to reinfection.

  3. Make sure that you have a real-time antivirus program running on your PC and see that it stays updated. If you don't want to spend money on a paid service, then you can install one of the free programs that are available.

  4. Scan any removable media before it is used. (This includes floppies, CDs, DVDs, USB flash drives and external HDDs.)

  5. Do not download unknown software from the web. The chance of infection from an unknown source is too high a risk.

  6. Scan all incoming email attachments, or any other file that you decide to download, before actually using them.

  7. Do not open files received via email or chat with the following extensions: .exe, .pif, .com, and .scr.

  8. In addition to installing traditional antivirus software, you might consider reading the guide below for some basic rules for safe surfing online.

Always double-check any online accounts such as online banking, webmail, email, and social networking sites. Look for suspicious activity and change your passwords; you can't tell what information the malware might have passed on.

If you have an automatic backup for your files, you will want to run virus scans on the backups to confirm that they didn't back up the infection as well. If virus scans aren't possible, as with online backups, you will probably want to delete your old backups and save new versions.

Keep your software current. Make sure that you update it frequently. If you receive any messages about this and aren't sure of their validity, always contact the support department of the company in question to clarify.




9. Other Removal Options

Once an infection is identified, you have to decide on your next step.

There are several options for resolution:

  1. We can offer Dell Solution Station for a technician to do the work for you, but this is a pay-at-point-of-need service.

  2. We can always reinstall the operating system as well.

  3. If the infection is obvious and can be located easily, then you may be able to attempt a removal.

If you are able to get online, or can use another system with internet access, then check out the following articles and tools for further information:

Links to Dell's Knowledge Base Articles
Link to Microsoft's online Tool
Links to the various publishers' security software uninstall tools, from one source
Useful links to knowledge about the various security software programs that ship with Dell PCs

Publishers' list of Scanner, Cleaner and other Security Utilities (grouped by publisher)

Note: These are 3rd party tools and are not supported by Dell. We are not responsible for any results from using these tools. Dell agents cannot stay on the line and take you through using these tools on the system. You use these tools at your own risk.
Utility                                        Download

VT Hash Check                                  ZIP

Free Edition                                   Link

Hosts-Perm.bat                                 Link
FixExec (/W32)                                 Link
FixExec (/W64)                                 Link
RKill                                          Link
RKill (download renamed as iExplore.exe)       Link
Shortcut Cleaner                               Link
Unhide                                         Link

AntiMalware                                    EXE
Emergency Kit                                  EXE

GrantPerms (/W32)                              Link
GrantPerms (/W64)                              Link
ListParts (/W32)                               Link
ListParts (/W64)                               Link
MiniToolBox                                    Link
Recovery Scan Tool (/W32)                      Link
Recovery Scan Tool (/W64)                      Link
Service Scanner                                Link

Defogger                                       Link

TDSSKiller                                     EXE
RectorDecryptor                                EXE
RakhniDecryptor                                EXE
RannohDecryptor                                EXE
ScatterDecryptor                               ZIP
XoristDecryptor                                EXE
CapperKiller                                   EXE
KidoKiller                                     EXE
FippKiller                                     EXE
SalityKiller                                   EXE
VirutKiller                                    EXE
XpajKiller                                     EXE
ZbotKiller                                     EXE
RadminerFlashRestorer                          EXE
Kabasiji                                       EXE
Kabasigi                                       EXE
ScraperDecryptor                               ZIP
PMaxKiller                                     EXE
DigitaCure                                     EXE
CleanAutoRun                                   EXE
Kaspersky Virus Removal Tool                   EXE
Kaspersky Rescue Disk + WindowsUnlocker        ISO
Flashfake Removal Tool                         ZIP

Anti-Exploit                                   Link
Anti-Malware                                   Link
MalwareBytes Pro                               Link

Malicious Software Removal Tool                Link
FakeRean Fix it Tool (/W32)                    Link
Rootkit Revealer (Sysinternals)                Link

Malware Cleaner                                Link

OTL                                            Link

Rootkit Detector                               ZIP

WinPatrol                                      Link

Security Check                                 EXE

Hitman Pro 3.7 (/32)                           EXE
Hitman Pro 3.7 (/64)                           EXE

Junkware Removal Tool                          Link

RogueKiller                                    Link

AntiRansomware Tool                            EXE
Anti-Threat Toolkit (/W32)                     Link
Anti-Threat Toolkit (/W64)                     Link
Fake AV-Removal Tool GUI (/W32)                Link
Fake AV-Removal Tool GUI (/W64)                Link
Fake AV-Removal Tool CLI (/W32)                Link
Fake AV-Removal Tool CLI (/W64)                Link
HijackThis                                     Link
HouseCall (/W32)                               EXE
HouseCall (/W64)                               EXE
Rescue Disk                                    EXE
Rootkit Buster (/W32)                          EXE
Rootkit Buster (/W64)                          EXE

Adwcleaner                                     Link
Delfix                                         Link






Get general information and guidance to secure your system and data on our Security and Antivirus page.



Article ID: SLN292746

Last modified: 09/13/2017 07:12 AM

