Article Number: 000129494
The following article provides information on working with Malware or Virus infected systems.
Dell’s standard practice has historically been to recommend a clean install of the Operating System (OS), once Malware or a Virus has been detected. This will resolve an infection issue 100% of the time.
Under a ProSupport warranty our Technical support should always investigate and identify the infection has taken place. They should attempt to get the system to a usable state in order to run antivirus scans or determine if a clean reinstall should take place due to the level of infection on the system.
Malware, or malicious software, has become a catch-all term for several different types of infections. Some will install themselves and create simulated infection, corruption, or hardware failure, therefore tricking you into purchasing their product to resolve the issue. This type is known as hostage-ware, ransom-ware or scare-ware. There are malware infections that simply redirect your browser to sites the creator has chosen or to a website that they are compensated for, based on the number of hits the site receives. Sometimes these infections can hide your entire root drive and all your subdirectories or capture your personal information and communicate back to the creator of the infection.
A virus, which has become a subset of malware, is an actual program that replicates and attaches itself to services or specific applications. Many malware payloads contain a virus file, such as a Trojan or a Worm, to help root the infection. Viruses were once an exclusive type of infection, but now they have been combined into infection packages of malware. Many malware packages incorporate rootkits to embed themselves into the kernel level of the OS, making them stealthy and more difficult to remove.
Many items are often mistaken for system infection. These can include tracking cookies, search hooks, or browser helper objects (BHOs). Although the presence of these can indicate infection, there must be an accompanying loader (EXE) file or kernel mode driver to present to confirm infection.
Although today’s malware can contain multiple payloads, here are some of the most common signs of infection:
Here are some steps to perform to confirm infection :
Ask the question. "Are there any pop ups, redirects, or messages that have been experienced on the desktop or from the system tray?"
Has a recent virus or malware scan been run? If the antivirus or malware removal tools will not run, then this is a positive sign that the system may be infected.
If the internet or system is inoperative due to infection, boot to Safe Mode with Networking. (using LAN only.) You can use the Process Explorer and Autoruns programs to test with. Most malware infections show themselves easily in these tools as long as they Run as Administrator in Windows Vista or Windows 7. Windows XP is always in kernel-mode in an administrator profile.
Process Explorer example :
Autoruns Example of malware infection
These programs or any other malware removal tools will not open, if the shell extension for EXE’s is blocked in the registry. Right-click the .EXE file and rename the extension to .COM. Attempt to run the tool. If it still will not open, boot to Safe Mode and attempt to run the tool again.
If you have an active antivirus subscription, you can attempt to remove the block on the antivirus. Un-checking any malicious entries in Autoruns and rebooting may allow EXE files to run again and you can update and scan with your antivirus. Sometimes a kernel mode driver is installed in Device Manager to block the antivirus software. It usually shows under Plug and Play Devices and you must set Device Manager to Show Hidden Devices.
If positive malware identification is made, you can make use of the options below at this point. Just remember if it doesn't work, we can take you through a clean OS reinstall to resolve the issue.
Disconnect your PC from the Internet and don't use it until you're ready to remove the malware.
Think of it like cutting off all communications or putting a patient into a suspended state.
Boot your PC into Safe Mode. Only the minimum required programs and services are loaded in this option. If any malware is set to startup when Windows starts, booting in safe mode should prevent it.
To boot into Windows Safe Mode, Please follow whichever guide below matches your Operating System (OS). This should bring up the Advanced Boot Options menu. Select Safe Mode with Networking and press the Enter key.
You will find that your PC runs faster in Safe Mode. If it does, it could be a sign that your system has a malware infection or it could mean that you have a lot of legitimate programs that normally start up with Windows.
Delete your temporary files before starting any other steps. Doing this could speed up the virus scanning, but it will clear the downloaded virus files and lessen the amount the scanners will have to check. You can do this through the Disk Cleanup utility or from the internet options menu.
Note: If you are using windows 10 and instead of seeing the safe mode screens, the system gives a prompt asking for the Windows 10 product code - please use the link below to troubleshoot Windows 10 Black Screens.
The following link takes you to an article with general steps to take you through a removal of the most often encountered Malware types:
Sometimes running a scanner is enough to remove most malware infections. You've most likely got an antivirus program active on your PC, you should use another scanner for this check.
If your current antivirus software didn't stop the infection, you can't expect it to find the problem now now and we would recommend trying a new program.
There are two main types of antivirus.
They constantly watch for malware.
They search for malware infections when you open the program manually and run a scan.
The best course of action is to use an on-demand scanner first and then follow up with a full scan by your real-time antivirus program. There are several free and effective on-demand scanners available. You can find a list of the most common ones in the last section of this article.
In this guide I'm going to use Malwarebytes. I'm using this piece of software as it's the one I'm most used to and is freely available. You can find another program to do the same job if you prefer in Section 9 below. If you're following this guide then Download the Malwarebytes program and install it. You will need to reconnect to the Internet for this. Once the download is complete, disconnect from the Internet again. If you can't access the Internet or you can't download Malwarebytes on your PC, then download it on another system and save it to a USB flash drive or CD/DVD and transfer it to the infected PC.
Run the setup and follow the onscreen installshield wizard. Malwarebytes will check for updates and then launch the user interface (UI).
Keep the default scan option 'Perform quick scan' and click the Scan button.
This program offers a full-scan option, however its recommended that you perform the quick scan first. Depending on your PC specifications, the quick scan can take anywhere from 5 to 20 minutes, but the full scan could take up to 60 minutes or more. You can see how many files or objects the software has already scanned, and how many of those files it has identified either as being malware or as being infected by malware.
If Malwarebytes disappears after it begins scanning and won't reopen, then the infection could be more serious and stopping the scanner from running. There are ways around this if you know the type of infection, however you might be better off reinstalling Windows after backing up your files, as it could be quicker, easier and guaranteed to resolve the infection.
If Malwarebytes' quick scan comes up empty, it will display a text file with the scan results. If you still think that your system may have acquired some malware, consider running a full scan with Malwarebytes and you can try other scanners - such as one of the others above. If Malwarebytes finds the infections, it'll show a warning box. To see the suspect files click the Scan Results button. It should automatically select the ones that are dangerous for removal. If you want to remove other detected items, select them as well. Click on the Remove Selected button to get rid of the selected files.
After removing the infections, Malwarebytes will open a log file listing the scan and removal results. Check to confirm that the antivirus program successfully removed each item. Malwarebytes may also prompt you to restart your PC in order to complete the removal process, which you should do.
If your problems persist even after you've run the quick scan and it has found and removed unwanted files, then follow the advice above and run a full scan with Malwarebytes and the with the other scanners mentioned earlier. If the malware appears to be gone, run a full scan with your real-time antivirus program to confirm that result.
If you can't seem to remove the malware or if Windows isn't working properly, you may have to reinstall Windows. Please see the appropriate link below for a guide to suit your particular situation.
To minimise the risk of a repeat infection, please pay attention to the steps below :
Keep your operating system and applications updated with the latest security patches. On Windows Update, these would be the updates marked as critical and security.
When you are reading your email, do not open messages or attachments sent from unknown senders. If you are unsure, it is better to delete it than to expose your system to reinfection.
Make sure that you have a real-time antivirus program running on your PC and see that it stays updated. If you don't want to spend money on a paid service, then you can install one of the free programs that are available.
Scan any removable media before they are used. (This includes, floppies, CDs, DVDs, Flash USBs and External HDDs.)
Do not download unknown software from the web. The chances of infection from an unknown source is too high a risk.
Scan all incoming email attachments or any other file that decide to download - prior to actually using it.
Do not open files received via email or chat with the following extensions. .exe, .pif, .com, and .src,
In addition to installing traditional antivirus software, you might consider consider reading the guide below for some basic rules for safe surfing online.
Always double check any online accounts such as online banking, webmail, email, and social networking sites. Look for suspicious activity and change your passwords, you can't tell what info the malware might have passed on.
If you have an automatic backup for your files you will want to run virus scans on the backups to confirm that it didn't backup the infection as well. If virus scans aren't possible such as online backups, you will probably want to delete your old backups and save new versions.
Keep your software current. Make sure that you update then frequently. If you receive any messages about this and aren't sure of their validity, then always contact the company in questions support to clarify it.
Once an infection is identified, you have decide on your next step.
There are several options for resolution :
We can offer Dell Solution Station for a technician to do the work for you, but this is a pay on point of need service.
We can always reinstall the operating system as well.
If the infection is obvious and can be located easily, then you may be able to attempt a removal.
If you are able to get online or use another system with internet, then you check out the following article and tools for further information :
|Kaspersky Virus Removal Tool||EXE|
|Kaspersky Rescue Disk + WindowsUnlocker||ISO|
|Flashfake Removal Tool||ZIP|
|Anti-Threat Toolkit (/W32)||Link|
|Anti-Threat Toolkit (/W64)||Link|
|Fake AV-Removal Tool GUI (/W32)||Link|
|Fake AV-Removal Took GUI (/W64)||Link|
|Fake AV-Removal Tool CLI (/W32)||Link|
|Fake AV-Removal Took CLI (/W64)||Link|
|Rootkit Buster (/W32)||EXE|
|Rootkit Buster (/W64)||EXE|
Desktops & All-in-Ones, Laptops, Inspiron, Latitude, Vostro, XPS, Tablets, Latitude Tablets, Surface, Venue, XPS Tablets, Fixed Workstations
21 Feb 2021