How Do I Fix It: Malware Removal and Protection (Part 3 of Anti-Malware)

Steven Harris, CST Manager
In Part 2 of the Anti-Malware series, we looked at an overview of the most common classifications of malware. Many users believe there must be a “do-all” software solution that can both clean and protect a system; in reality, no single program removes every threat from a computer while also protecting it from new ones. Here we will look at a common practice, arsenal-scanning, in which several different scanners are run against an infected system in turn to clean it.

Before we begin, please note that disabling, quarantining or removing unknown files and programs can leave an operating system unable to boot. If you are uncertain whether to let an anti-malware scanner delete a file or program, or unsure how to use a specific scanner, please seek assistance and further advice from the Experts-Exchange community by opening a Question.

To start out, you will need to create your ‘arsenal’.  Some of the more popular programs, such as ADWCleaner, Malwarebytes Anti-Rootkit, Hitman Pro and ComboFix**, can be downloaded free of charge (or as free trials) from their respective vendors.

For your first scan, I recommend that the PC be booted into Safe Mode*.  Starting with the first program in your arsenal, launch a full (or Deep) scan and follow any prompts that are presented.

Always make sure your definition databases are updated before running a scan. Most software, such as Malwarebytes Anti-Rootkit, offers the option to check for definition updates before the scan starts. Note that plain Safe Mode has no network access, so a scanner that needs to download definitions must either be updated in Normal Mode beforehand or run from Safe Mode with Networking.

After your definitions database has been updated, run the scan following the prompts in the program.

NOTE – System scans can take a while to complete, and may take considerably longer on a heavily infected machine. Be patient!

If any malware threats are found, follow the steps within the program to remove them.  Once you are finished, move on to the next program, again updating its definitions first.  After all scans have completed in Safe Mode and any threats have been removed, reboot the system into Normal Mode.  Once you have logged in, repeat the scans with every program in your arsenal.  If any further threats are found during these scans, follow the removal (clean) procedures and reboot the system after all scans have completed.
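The run pattern above (update definitions, full scan, log the result, next tool; once in Safe Mode and again in Normal Mode) as an added PowerShell example. This script is not from the article or from any of the vendors named in it. It uses two real tools with their documented switches, Windows Defender's MpCmdRun.exe and Microsoft Safety Scanner (MSERT.exe); the MSERT download location, the log file path and the commented-out third-party entry are assumptions you must adjust for the scanners you actually downloaded.

```powershell
# Added example (not from the article): run an "arsenal" of scanners in sequence,
# logging the boot mode and each tool's exit code. Run from an elevated PowerShell
# prompt, once in Safe Mode, reboot, then once more in Normal Mode.
# Real tools/switches: MpCmdRun.exe (-SignatureUpdate, -Scan -ScanType 2) and
# MSERT.exe (/Q quiet, /F:Y forced full scan with automatic clean).
# Assumptions: MSERT.exe was saved to C:\Tools, the log path, and the placeholder entry.

$LogFile = Join-Path $env:SystemRoot 'debug\arsenal-scan.log'   # assumption: log location

function Get-BootMode {
    # Win32_ComputerSystem.BootupState is 'Normal boot', 'Fail-safe boot' or
    # 'Fail-safe with network boot'; $env:SAFEBOOT_OPTION is only set in Safe Mode.
    $state = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
    if ($env:SAFEBOOT_OPTION -or $state -like 'Fail-safe*') { 'SafeMode' } else { 'Normal' }
}

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} [{1}] {2}' -f (Get-Date), (Get-BootMode), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

function Invoke-Scanner {
    param(
        [string]$Name,
        [string]$Path,
        [string[]]$UpdateArgs,   # definition-update step; $null if the tool ships its own definitions
        [string[]]$ScanArgs      # full / deep scan step
    )
    if (-not (Test-Path $Path)) {
        Write-Log "$Name not found at $Path - skipping"
        return
    }
    if ($UpdateArgs) {
        Write-Log "$Name : updating definitions"
        $p = Start-Process -FilePath $Path -ArgumentList $UpdateArgs -Wait -PassThru -NoNewWindow
        Write-Log "$Name : update exit code $($p.ExitCode)"
    }
    Write-Log "$Name : starting full scan (this can take a long time)"
    $p = Start-Process -FilePath $Path -ArgumentList $ScanArgs -Wait -PassThru -NoNewWindow
    Write-Log "$Name : scan exit code $($p.ExitCode)"
    # A non-zero exit code means the tool wants attention (threats found, cleanup pending,
    # a reboot required, or it could not run in this boot mode). Read that tool's own log
    # before moving on to the next scanner.
}

$Arsenal = @(
    @{ Name       = 'Windows Defender'
       Path       = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
       UpdateArgs = @('-SignatureUpdate')
       ScanArgs   = @('-Scan', '-ScanType', '2') }           # ScanType 2 = full scan
    @{ Name       = 'Microsoft Safety Scanner'
       Path       = 'C:\Tools\MSERT.exe'                     # assumption: downloaded here
       UpdateArgs = $null                                    # MSERT ships with current definitions
       ScanArgs   = @('/Q', '/F:Y') }                        # quiet, forced full scan, auto-clean
    # Placeholder for another arsenal member; fill in from the vendor's documentation (assumption):
    # @{ Name = 'Third-party scanner'; Path = 'C:\Tools\scanner.exe'; UpdateArgs = @('/update'); ScanArgs = @('/full') }
)

Write-Log "Arsenal scan started in $(Get-BootMode) mode"
foreach ($tool in $Arsenal) { Invoke-Scanner @tool }
Write-Log 'Arsenal scan finished - reboot, then run this script again in the other boot mode'
```

Two things worth knowing when you run it. Tools that depend on a running service, such as Defender's MpCmdRun.exe, will fail in Safe Mode because the service is not started there; the script records the failing exit code and moves on, while stand-alone scanners such as MSERT run in either mode. MSERT writes its own findings to %SYSTEMROOT%\debug\msert.log, which is where to look when its exit code is non-zero.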

Expert Recommendations
Compiled below is a listing of popular software that has been recommended by various Experts from Experts-Exchange, including pmitllc, x66_x72_x65_x65, tmoore1962, aadih and hopeleonie.

For Removal
Junkware Removal Tool

Hitman Pro
Malwarebytes Anti-Malware
Spybot - Search & Destroy
Norton Power Eraser
Microsoft Safety Scanner
Dr.Web CureIt!
Bitdefender Toolbox
Emsisoft Emergency Kit

Kaspersky TDSS Killer
McAfee Labs Rootkit Remover
Trend Micro RootkitBuster
Malwarebytes Anti-Rootkit

ESET Online Virus Scanner
Sophos Virus Removal Tool
VIPRE Antivirus

Once you have removed threats from your computer, it is time to concentrate on making sure your computer is protected from future threats.

When choosing an antivirus solution, the choices can seem endless; look for a suite that meets your specific requirements. Your operating system and the way you use the machine will narrow the list considerably.

A user who spends little time on the Internet and does not regularly download programs may find that free versions of antivirus suites suit their needs. Suites such as AVG Free Edition, Microsoft Security Essentials, Avast Home Edition, Panda Cloud Antivirus and Comodo Internet Security are popular free choices among basic-level users. For more advanced users, or gamers, Symantec Norton Internet Security, Zone Alarm Extreme Security and AVG Internet Security top the list because they not only provide protection but also include configurable settings and custom gaming modes, without sacrificing the performance of the machine.

The next factor to consider when comparing solutions is the frequency of virus definition database updates. While frequent updates can annoy some users, the frequency of updates relates directly to your level of protection. New threats are found every day, and if a vendor does not keep its definition databases current, you will not be protected from those threats.

For your last step – test, test, test! Since many vendors offer free trials of their software suites, it is highly recommended that you test the reliability and usability of an antivirus program before making a final commitment. While similar suites from different companies may offer similar protection, verifying their performance with your specific machine is essential. For example, running the same versions of a program on Windows XP and Windows 7 may produce varying results in terms of machine performance.

Once you have decided on a software suite and have your first level of protection set up, it is still recommended that you complete regular malware scans with different software, as described at the top of this page. Many scanners, such as Malwarebytes Anti-Rootkit, can also be run from the command line, which lets you automate the scanning process.
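As an added example for the two points above (definition freshness, and regular automated scans), here is a PowerShell script that refuses to schedule a recurring full scan while the loaded definitions are stale. It is not from the article or from Microsoft; it uses the documented Defender and ScheduledTasks module cmdlets, which exist on Windows 8 / Server 2012 and later, so it will not run on the XP/7-era systems the article also mentions. The task name, the Sunday 03:00 schedule and the three-day staleness threshold are choices made for this example.

```powershell
# Added example (not from the article): check definition age, update if stale, then
# register a weekly "update, then full scan" task for Windows Defender's MpCmdRun.exe.
# Assumptions: task name, schedule and the $MaxSigAge threshold. Run from an elevated prompt.

$MpCmdRun  = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
$TaskName  = 'Weekly-Arsenal-FullScan'   # assumption
$MaxSigAge = 3                            # days; older definitions are treated as unprotected

function Test-SignaturesCurrent {
    # Get-MpComputerStatus reports the age (in days) of the loaded antivirus definitions.
    $status = Get-MpComputerStatus
    $age = $status.AntivirusSignatureAge
    if ($age -gt $MaxSigAge) {
        Write-Warning ("Definitions are {0} days old (last update {1}); updating first" -f
            $age, $status.AntivirusSignatureLastUpdated)
        Update-MpSignature
        $age = (Get-MpComputerStatus).AntivirusSignatureAge
    }
    return ($age -le $MaxSigAge)
}

function Register-WeeklyFullScan {
    # Every Sunday at 03:00, as SYSTEM, run the signature update and then the full scan.
    # Actions in a task run in the order given, so the scan always follows the update.
    $update = New-ScheduledTaskAction -Execute $MpCmdRun -Argument '-SignatureUpdate'
    $scan   = New-ScheduledTaskAction -Execute $MpCmdRun -Argument '-Scan -ScanType 2'
    $when   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 3am
    $who    = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
    # Catch up a missed run at next boot; do not let battery state silently skip it.
    $opts   = New-ScheduledTaskSettingsSet -StartWhenAvailable -AllowStartIfOnBatteries
    Register-ScheduledTask -TaskName $TaskName -Action @($update, $scan) -Trigger $when `
        -Principal $who -Settings $opts -Force | Out-Null
    Get-ScheduledTask -TaskName $TaskName
}

if (Test-SignaturesCurrent) {
    Register-WeeklyFullScan
} else {
    Write-Error "Could not bring definitions under $MaxSigAge days old; fix the update source before relying on scheduled scans"
}
```

The freshness check is the part that matters: a scheduled scan that runs on month-old definitions gives a false sense of protection, which is exactly the problem the update-frequency paragraph describes. Checking the age once at registration, and again in the task itself via the update action, keeps the scan honest.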

For the more advanced users, there is a process called Multiscanning. Technically speaking, running two antivirus programs simultaneously is not recommended, and in most cases it is impossible to run more than one real-time scanner at a time because of conflicts that lead to freezes and application failures. With this in mind, a number of security suites have been built that use multiple virus definition databases instead of a single one: G-Data, which combines an in-house engine with the BitDefender engine, or HitmanPro, which combines multiple engines and databases from Emsisoft Anti-Malware, IKARUS, G-Data and Kaspersky.

For Protection
Panda Security
Microsoft Security Essentials

*Running scans in Safe Mode is not a popular choice among the IT community.  Many of the posts or articles you find on the internet, or even here on Experts-Exchange, claim that there is no benefit (or point) to scanning in Safe Mode because some processes and services are not loaded.  My thoughts on this are two-fold:

1) Some scanners will fail to remove a threat if the 'file is in use', requiring multiple machine restarts during a scan.  Since Safe Mode inhibits startup programs, where malware likes to hide, you are less likely to encounter these errors while in Safe Mode. By installing and scanning first in Safe Mode, the scanner concentrates on "known" threats from its virus database.  A perfect example of this is the CoolWebSearch spyware: while its processes and components are not active in Safe Mode, the file names are known to up-to-date scanners and will be quarantined, disabled and/or removed during the Safe Mode scan.
2) Many scanners recommend that scans be run in Normal Mode, in the 'hostile' environment, in order to detect and remove the threats that are found; but note that this is most commonly associated with heuristic scans, where the software looks for malicious or unstable behavioural patterns.  Reading the 'fine print', so to speak, most vendors also say that if the software will not run in Normal Mode because of an infection, you should run the scanner in Safe Mode and then again in Normal Mode, which is my suggested run pattern for scanning with an arsenal.

**ComboFix is a very powerful tool and should only be used under the direction of a trained user.

Special thanks to LHerrou, Jennhp and MASQUERAID, for the insightful comments and suggestions during the creation of this series. I am grateful for the assistance provided.

Comments (1)

Great series of articles!
