FREE Virus Malware Removal Guide Including Scareware Rogues and Google Redirects

This guide will save you the time and hassle of reinstalling Windows, using System Restore or restoring to factory settings in the event of a virus attack.

Tools Required:

All TOOLS ARE FREE TO HOME USERS

Essential Tools:

You will need the following FREE tools to remove most viruses / malware:

Read EACH Step below for instructions on using each specific tool

DO NOT just run the tools randomly hoping for the best!

DOWNLOAD AND RUN THE TOOLS IN THE ORDER LISTED BELOW


  • RKill - Use if you cannot run any programs / icons or your desktop is masked with warnings. Instructions below.
  • TFC - Empty your temp files making scans run faster and eliminate any malware in your temp files.
  • XP / Vista Users - Create a new System Restore Point easily with SysRestorePoint
  • Windows Vista / 7 Users -  Create a new System Restore Point easily with: Quick Restore Maker or System Restore Manager 
  • ERUNT - XP / 2003 Users Only - Registry backup - Better than System Restore - Recommended
  • TDSSKiller - Anti-rootkit / Google redirect virus removal utility
  • Malwarebytes Anti-Malware (MBAM) - Malware removal - Probably the most important tool in this guide and we highly recommend purchasing a Lifetime Consumer License from us at the discounted rate of £15 per PC to prevent infections in future.
  • ESET - ESET Online Scanner - DISABLE ANY ANTI-VIRUS SOFTWARE YOU HAVE BEFORE SCANNING

Once you have downloaded the above tools begin at Step 1 below:


Step 1: - Can You Access Your Desktop?

If you can access your desktop / Start button then skip this step and proceed to Step 2.

You can also try this method in Safe Mode with Networking - To do this:

Restart the system and keep pressing the F8 key then Choose Safe Mode with Networking.

A lot of malware will display fake system / security warnings that will prevent you from accessing your desktop. Other variants will render your desktop icons useless or hide them completely.

If you cannot access your desktop then you need to kill the processes that the malware is running with a process killing tool such as:

The easiest way is to download rkill on another uninfected machine and copy to USB pen / thumb / flash drive then copy rkill to the infected machine's desktop.

If you don't have access to another machine then please try each of the following on the infected machine:

Start > Programs > Accessories > System Tools > Internet Explorer with No Add-ons

Then type www.bleepingcomputer.com/download/anti-virus/rkill into the address bar and press Enter

If the No Add-ons option isn't listed then you are using an older version of Internet Explorer

Or try pressing the Ctrl + Alt + Delete keys, then select Task Manager, then:

Select File then New Task (Run) and type iexplore.exe and press Enter

More info on internet connection problems in Step 2

Once rkill has been downloaded double click to run it or if that isn't possible then try the following:

Windows 7 / Windows Vista Users, click on the Start button and then in the search field enter %userprofile%\desktop\rkill.com and then press the Enter key on your keyboard. If Windows prompts you to allow it to run, please allow it to do so.

Windows XP Users, click on the Start button and then click on the Run menu option. In the Open: field enter %userprofile%\desktop\rkill.com and press the OK button. If Windows prompts you to allow it to run, please allow it to do so.

You will be presented with the following screen:

rkill

 

Please be patient and let the tool finish.

DO NOT REBOOT YOUR MACHINE AFTER RUNNING Rkill OTHERWISE THE MALWARE WILL START AGAIN

 

 

Step 2: - Check You Can Get Online

If you can still get online then proceed to Step 3.

You can also try this method in Safe Mode with Networking - To do this:

Restart the system and keep pressing the F8 key  then Choose Safe Mode with Networking.

Most malware will change your Internet Explorer and/or network settings, resulting in the dreaded "This page cannot be displayed" error or pages not loading properly. This will prevent you from getting online, downloading any removal programs or updating any current security programs you have. If this is the case then you can fix these settings in Internet Explorer.

First check you have an internet connection by doing the following:

Go to Start > Programs > Accessories > Command Prompt

At the Command Prompt type: ping google.com then press the Enter key

If you get a reply then you have a connection

Next try opening Internet Explorer

If that doesn't work try opening Internet Explorer with NO Add-ons

Go to Start > Programs > Accessories > System Tools > Internet Explorer (No Add-ons)

If the No Add-ons option isn't listed then you are using an older version of Internet Explorer

If that doesn't work then carry out the following:

Open Internet Explorer and navigate to Tools > Internet Options.

Now select the Connections tab and choose LAN settings as in the picture:

IE_LAN_Settings_Button

Make sure the 2 boxes shown for Proxy Settings are UNCHECKED

IE_Proxy_Settings

Press OK to close this screen and OK to close IE Settings screen

Also try these steps:

IE - Tools - Internet Options - Advanced Tab - click Restore then click Reset - Apply / OK

IE - Tools - Internet Options - Security Tab -  click reset all zones to default - Apply / OK

Close and reopen Internet Explorer

Now proceed to the next step

 

 

Step 3: - Clear Your Temp Files

*IMPORTANT* SKIP THIS STEP IF YOUR START MENU ITEMS ETC ARE MISSING / DO NOT WORK

Get rid of any temp files from your system as these will make the anti virus / malware scans run quicker and rid your system of any viruses / malware hiding in your temp files. Use a temp file cleaner such as:

 

Step 4: - Create A New System Restore Point

Despite what some "experts" say DO NOT TURN SYSTEM RESTORE OFF. For some people this will be the ONLY means of recovery they have and should anything go wrong with the cleaning process then you always have a safe point to return to. Use the following tools below:


 

Step 5: - Backup Your Registry

Windows XP / Server 2003 ONLY

Windows Vista / 7 USERS PLEASE SKIP THIS STEP BUT COMPLETE SYSTEM RESTORE STEP ABOVE

Because removing viruses / malware etc requires changes to the Windows Registry, it is advised to back the registry up BEFORE any changes are made. Then, like the system restore method above, should anything go wrong you can always revert to a working copy of the registry. Failure to do this could leave your system unbootable / unusable.

Should anything go wrong with the cleaning process then you can restore your system via ERUNT registry backup / Windows XP Recovery Console quite easily so please complete this step

Portable / No Installer / easier to use version here

  • Download ERUNT
  • Double click erunt_setup.exe and select Run
  • Choose English as the language
  • At the ERUNT setup wizard click Next, install in C:\Program Files\ERUNT (the default), click Next and Next and Next again then Install
  • Choose NO to create an ERUNT entry in the Startup Folder unless you want to backup your registry each time the computer starts
  • Untick Show Documentation and leave Launch ERUNT checked
  • ERUNT will launch with the following screen:

ERUNT settings

  • Choose the same settings as shown above
  • ERUNT will prompt you to create the folder if it doesn't exist (most likely it won't)
  • ERUNT will start backing up the registry to the desired location as shown:

ERUNT backing up registry

 

  • Once this has been done you should get the following output:

ERUNT backup registry complete

 

  • This output screen tells you that the registry backup was successful and how  / where to restore it in future. Your registry can then be restored to original state even if Windows won't boot.

 

Step 6: - Scan For Rootkit Activity

This tool will help remove Google Redirects / TDSS / TDL3 / Alureon rootkit

Download TDSSKiller - Save to desktop then double click to run

Tick both boxes as shown and select start scan:

TDSSKiller

If the scan finds anything please select Cure - If Cure is NOT listed then select Skip

DO NOT USE THE DELETE / QUARANTINE FUNCTIONS AS THIS MIGHT DELETE / QUARANTINE FILES THAT WINDOWS NEEDS TO BOOT / FUNCTION

 

Step 7: Spyware / Malware Removal

Download and install Malwarebytes Anti-Malware (MBAM).

The FREE version WILL be fine for malware removal however we recommend purchasing a Lifetime Consumer License.

Update MBAM to latest database and do a QUICK scan as shown:

DO NOT DO A FULL SCAN

ONLY USE MBAM IN SAFE MODE IF NORMAL MODE WON'T WORK

MBAM_Scanner_Screen

If nothing is found proceed to the next step.

If anything is found, click Show Results, check the items and select Remove Selected as shown:

MBAM_Remove_Selected

If Malwarebytes Anti-Malware prompts for a reboot then please do so.

Optional but recommended: Scan your system with SuperAntiSpyware Portable with the following settings:

SAS_Settings

Or run:

 

Step 8: - Scan For Viruses / Trojans

Scan for viruses with an up to date anti-virus program. If you don't have one installed here are some FREE ones:

Remember only ever install 1 anti-virus program as more than 1 will slow your system down and cause conflicts.

We recommend uninstalling an anti-virus program and rebooting BEFORE installing another.

  • Run ESET online anti-virus scanner with the following settings then click Start:
  • Disable your real time anti-virus BEFORE running ESET.
ESET
  • Optional (Useful when you can only boot into Safe Mode): Boot into Safe Mode and scan for viruses / rootkits with Kaspersky Anti Viral Toolkit Pro (AVP)

Step 9: Reset Your HOSTS File

A lot of infections, especially rogue anti-virus infections such as System Tool, will make changes to your HOSTS file. This file will therefore have to be replaced with a new clean one (the one that originally comes with Windows).

Also some infections will try to protect themselves by preventing you from making any changes to the HOSTS file.

This can easily be resolved by downloading:

hosts-perm.bat

Download it to your desktop and double click it to Run it. A small black window will appear then disappear. This is normal and you should now be able to edit / delete the infected HOSTS file.

Now you will have to delete and replace the infected HOSTS file at this location:

C:\Windows\System32\Drivers\etc\HOSTS

Delete the HOSTS file from the above location and replace it with the appropriate HOSTS file for your operating system as listed below:

XP HOSTS File

Vista HOSTS File

Windows 7 HOSTS File
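
An added example (not part of the original guide, and unrelated to hosts-perm.bat): a Python check that lists every HOSTS entry other than the stock localhost lines, so you can see what an infection changed before deleting the file and confirm afterwards that the replacement is clean. The function name, the verdict labels and the sample entries are constructed for illustration.

```python
import ipaddress

# The only active entries a stock Windows HOSTS file can contain
# (Windows 7 ships them commented out).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def audit_hosts(text):
    """Return (line_no, address, hostname, verdict) for each non-default entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, " ".join(names), "malformed"))
            continue
        if not names:
            findings.append((line_no, address, "", "malformed"))
            continue
        for name in (n.lower() for n in names):
            if (str(ip), name) in DEFAULT_ENTRIES:
                continue
            # Loopback or 0.0.0.0 makes the name unreachable; any other
            # address sends traffic for that name to a different machine.
            blocked = ip.is_loopback or ip.is_unspecified
            findings.append((line_no, str(ip), name,
                             "blocked" if blocked else "redirected"))
    return findings


# Constructed sample (reserved .example names, documentation address range).
SAMPLE = """\
# sample HOSTS file, constructed for this example
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.search.example   # constructed redirect entry
127.0.0.1       update.av.example updates.av.example
not-an-ip       host.example
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print("line %d: %s -> %s [%s]" % finding)
```

To audit a real machine, pass the contents of C:\Windows\System32\Drivers\etc\HOSTS to audit_hosts(); an empty result means only the default entries (or none) are active.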

 

Step 10: - Restart System and Test

Restart your system and see how the performance is doing.

Step 11: System Restore Point

Create a new system restore point with:

SysRestorePoint - XP / Vista users

System Restore Manager - Windows 7 users

Get rid of all old, possibly infected system restore points. XP guide here. Vista guide here. Or use System Restore Manager above.

Once done see our guide on protecting your system in future

The above method will rid your system of most viruses / malware etc but if you are still experiencing problems then please Contact Us for further instructions.

Should you NOT feel comfortable with these steps, then we can carry them out on your machine, securely over the internet for you FOR A FEE OF £35. Just click here to get started. Click Run and wait for us to connect.


Last Updated (Wednesday, 01 February 2012 18:48)