Malware never leaves your PC without a fight - and it leaves plenty of litter behind. Jane Hoskyn reveals how to obliterate every last malicious trace
Removing stubborn malware from your PC is one of life’s more satisfying achievements, up there with fixing your own washing machine - you’ve done it by yourself, and everything seems to work properly again.
It can seem very simple, too. All you need to do is run a malware-removing tool like Malwarebytes Anti-Malware Free (www.snipca.com/19192) or even a ransomware remover like Trend Micro’s Anti-Ransomware Tool (www.snipca.com/19191), restart your computer and bask in that malware-free glow. Your PC runs faster, your browser has stopped crashing and you’ve got rid of that big notice that says “Pay £400 to get your data back”.
Litter bugs
But as with so many irritating things in life, deleting malware is never that straightforward.
Malware is simply malicious software (“mal-ware”), and it shares a common irritation with all installable software: it doesn’t uninstall completely. When you remove the program or infection, it leaves a trail of litter behind. These leftover files clog up your hard drive, interfere with your operating system (OS) and browser, and embed themselves in your Registry. The worst malware leftovers can act as mini malware timebombs, waiting to regenerate and relaunch the infection you thought you’d removed.
Simple malware-removers like the free version of Malwarebytes Anti-Malware may help you out of a short-term pickle, but they won’t remove all traces of the infection. Other PC-cleaning favourites like CCleaner and AdwCleaner – brilliant as they are – don’t detect or remove malware at all. Even when they remove adware and dodgy plug-ins, you’ll often find they bounce back the next day.
In this feature we’ll show you how to remove tough, tenacious malware using the most powerful free tools available. We’ll also reveal why your apparently all-powerful antivirus (AV) program is not up to the job. AV’s job is to block and quarantine malware, not remove it - and certainly not hoover up the malicious files it leaves hidden throughout your PC.
FIND AND REMOVE MALWARE
Install a powerful AV companion - but be careful
Serious malware removal requires big guns. Currently, the most powerful malware-obliterator is the free new version of IObit’s Malware Fighter (www.snipca.com/19194). It can tackle Trojans, rootkits and worms and other nasties you’ll find on Kaspersky’s interesting ‘malware classification tree’ (www.snipca.com/19162).
The new version of Malware Fighter (v3.4) launched in November 2015 with full Windows 10 support, and we found it to be one of the most effective malware scanners we’ve used.
However, IObit still hasn’t quite resolved its installation problems. The excellent IObit Uninstaller can now be downloaded and installed directly from IObit’s website, with no PUPs in its installer. But Malware Fighter still has to be downloaded via a download mirror site (the dreaded Cnet, no less). You’re instantly redirected there when you click the big green Free Download button at www.snipca.com/19194.
Click Download Now on the Cnet page, then wait for the installer file (‘IObitMalware-Fighter-Setup.exe’) to download. Click the downloaded file to open it, or click Run, depending on the version of Windows you’re using. In Windows 10, for example, click Run in the bar at the bottom of the browser screen. Click Yes if prompted by Windows, and the installer will open.
The Install Options link (top-left corner) doesn’t conceal any nasty PUPs, so you’re safe to skip that and click the green ‘Accept and Install’ button. Ignore the advert for the other IObit tool – it’s unticked by default anyway. During installation you’ll see various adverts for other IObit products but you can ignore them as well. In the final window, don’t enter your email address – it’s completely unnecessary – and don’t click Subscribe. Malware Fighter launches automatically when you close the installer, unlike most programs, which are at least polite enough to ask first.
Ignore the Activate Now button (bottom right) that’s there to tempt you to upgrade to the pro (paid-for) version. Ignore Fix All as well - that’s a blunderbuss that scans, cleans and enables blocking at the same time.
Scan your PC deeper than ever
Hang on. Cnet, an advert-littered installer, desperate nudges to upgrade to the pro version – so why are we recommending this program?
Because it’s very, very powerful. If we just wanted to remove annoying adware or even a common Trojan, we wouldn’t hesitate to recommend Malwarebytes Anti-Malware Free, and then AdwCleaner to check for leftover files. But if your PC is suddenly behaving strangely, or there’s some other reason to suspect a serious malware infection, IObit Malware Fighter is worth the installation hassle.
In the program window, you should head straight for Smart Scan on the left. Click Full Scan to search your entire PC for malware and malicious files. The scan will take several minutes even on a relatively new PC, so make a cup of tea and sit back with the latest issue of Computeractive while it scours every area of your computer for intruders including keyloggers, worms, Trojans and even signs of zero-day malware.
If you’re in more of a hurry or are confident that you know which part of your PC is infected, use the Custom Scan option and choose which folders to scan. This option is particularly useful for rooting out leftovers once you’ve discovered where they’re hiding.
You can suspend the scan by pressing Pause – simply press Resume to continue. Just never click Activate Now, because that’ll lead you down the road of paid-for extras.
When the scan has finished, you’ll see a pop-up revealing problems found on your PC. Unsurprisingly, our new Windows 10 laptop didn’t contain anything Malware Fighter wanted to remove. If you’ve been using your PC for a while and have found various unwelcome invaders using the tool, click Scan Log to compare the results of previous scans – you may notice there’s one piece of malware that keeps coming back.
If the scan finds any malware or traces of malware, it’ll automatically quarantine the file. Click the menu icon (three bars), then Quarantine List and delete the detained malware.
Blitz malware with 68 tools all at once
The first thing you see on the website of free new tool HerdProtect (www.herdprotect.com) is a herd of elephants. A nice pun on the name, and also an accurate representation of how the tool works.
HerdProtect combines the scanning power of no fewer than 68 anti-malware engines, all stored securely online and put to work simultaneously to find malware and traces of malicious files on your PC, including within your Registry and browser.
The logic of this approach is that no single malware-scanner can find every malicious program or file on your computer, so HerdProtect combines their might to give you the greatest possible chance of weeding out nasties hidden deep undercover in your PC.
HerdProtect comes in installable and portable versions. We used the portable version, because we don’t particularly like installers, and portable programs have many advantages – chiefly the freedom to copy and store them in as many places as you want. For example, store HerdProtect’s EXE file on a USB stick to run on any computer, and there’s no need to download or install anything. To “uninstall” it, just delete the program file.
To get the program, click the Download link and then the small green ‘Download herdProtect (Portable)’ link. Most portable programs come in ZIP folders that need extracting but HerdProtect comes unzipped. However, when you click (or Run, in Windows 10) the file, you have to click Next in a ‘setup’ screen. Don’t worry – it’s not an installer in the usual sense. It just chooses (or lets you choose) a location on your hard drive and then asks you to accept a licence agreement. You can then launch the program immediately.
Click the green Scan button and you’ll see a simple bar-style graph that shows you what’s being scanned, starting with basic browser components and then moving on to installed programs, plug-ins and Windows system data.
When the scan has finished, it reveals how many files were scanned (even on our new Windows 10 laptop it found nearly 10,000) and divides into categories any dubious files found, including malware and PUPs. It didn’t find any malware on our Windows 10 computer, but plenty of unwanted rubbish all the same. Whatever malicious or unwanted files it finds, HerdProtect will remove any ticked items completely when you click ‘Remove checked’.
HerdProtect is still in beta, but we found it to be stable and effective. There’s an active Community (www.snipca.com/19202) and a ‘knowledgeBase’ (www.snipca.com/19201) that lists all the most recent detections – malware accounts for the vast majority, at 79 per cent, with adware at 14 per cent and ‘crapware’ (bloatware) at just seven per cent.
Force-remove programs you don’t trust
After a couple of complex malware scanners that take a long time to scan even relatively clean computers, you’ll be relieved to hear that free, portable program GeekUninstaller (www.geekuninstaller.com) is quick and extremely easy to use - but still very powerful. Click the small Download link at the bottom right of GeekUninstaller’s homepage, then click Download Free. Save the ZIP and extract the EXE file from it, then click it to run the program.
Our favourite feature is its force-removal tool. If programs or plug-ins keep appearing in your programs list without your permission, it may suggest that your hard drive contains malicious leftovers such as plug-ins installed by malware.
GeekUninstaller still works in Windows 2003, as well as 2008, XP and all the way up to 10, so you can run the EXE from a USB stick to force-remove dodgy programs and plug-ins from your older computers and laptops.
Open the program and scroll down the list for programs you’ve tried to uninstall using your built-in uninstaller, but which keep returning. Take great care when forcibly removing components that you’re not quite sure about. Right-click any item and then click ‘Google for’ to investigate it and its parent company. For example, CentraStage, which had apparently been installed on the day we wrote this feature, was news to us – we’d never heard of it and certainly hadn’t installed it. It turned out to be a remote-management tool that may have been installed by a company that wanted to take control of our computer. You can also click Program Website from the right-click menu for more information.
Once you’re absolutely sure a program or plug-in should not be in your list, right-click it and click Force Removal. This gets rid of the item completely, even tenacious programs other malware removers leave behind. Force removal also clears some Registry entries and other unwanted files.
OBLITERATE TRACES LEFT BEHIND BY MALWARE
Remove rootkits left by Trojans
Even if you use a thorough remover like GeekUninstaller, always follow up with a tool like Malwarebytes Anti-Malware Free (www.snipca.com/19223) and ideally AdwCleaner (www.snipca.com/19224) to check for leftover files. AdwCleaner is particularly good at finding files left in your browser and Registry; Malwarebytes is good for hoovering up the nasties left on your computer by Trojans.
But a tool as quick and easy as Malwarebytes Anti-Malware is unlikely to remove rootkits – collections of malicious files embedded in areas of your PC that you won’t normally have access to (hidden system folders, for example). You can remove the Trojan that smuggled the rootkit in, but hackers won’t care – once the rootkit files are embedded that’s all they need to gain access to your computer’s most sensitive areas. Your AV may be able to help you here. Kaspersky Internet Security, for example, includes tools that can prevent hackers exploiting their rootkits. But it can’t remove the files.
Microsoft’s free Malicious Software Removal Tool (www.snipca.com/19227) can detect and remove some classes of rootkit, and it works in all versions of Windows, including XP (64bit) right up to Windows 10. But many types of rootkit, especially those embedded in the kernel of your OS, can only be removed by reinstalling your system completely, using a trusted source (Microsoft, for example: www.snipca.com/19226).
Find out where dodgy files are hiding
Free portable tool RunScanner (www.runscanner.net) scans all your PC’s startup system files and settings. Malware is fond of installing startup files and leaving them behind, so they run constantly from the moment you boot your PC.
After scanning, the tool reveals which files aren’t behaving as they should, drawing information from its database of over 900,000 system files including EXE, DLL and SYS files – precisely the types of files malware likes to create, infect and/or corrupt, and then leave behind.
To get the program, click Download in the top menu bar, then click the big orange Freeware Download button. Run the file and click Yes if prompted by Windows.
In the small program window, you’re given the choice of using ‘Beginner mode’ or ‘Expert mode’. The difference is that the latter lets you make changes to misbehaving Windows files.
We recommend giving Beginner mode a couple of tries first. In Beginner mode, you can upload suspicious files to a forum, where experts and other users will advise you. Don’t go blitzing files that just look a bit dodgy – they may not be malicious at all, and may in fact be vital Windows components.
Delete locked ransomware leftovers
Ransomware isn’t the only type of malware that leaves locked – and therefore supposedly unremovable – malicious files on your computer after you’ve ‘removed’ the infection.
Many types of malware use this trick. The most common clue is when you try to delete an unusual or unwanted file and see a message like ‘Cannot delete file: Access is denied’ or ‘The source or destination file may be in use’. This doesn’t always mean it’s a malicious file; it may be corrupted (by malware, for example). Either way, you need to unlock it and, assuming your various malware scanners identify it as malicious, you have to remove it.
The best tool for this job is Malwarebytes FileAssassin (www.snipca.com/19230), a free program that lets you delete locked files that have been identified as malicious – or which are simply causing problems and you want to get rid of.
To get the program, click Free Download, then save and run the installer. Accept the agreement and you’re done – there are no configurations to choose or PUPs to avoid. Click Finish to run the tool.
In the basic little window that opens, click the three little dots and navigate to the file you want to unlock, then click Execute. By default, this unlocks the file and terminates any process associated with it.
No files will be deleted by default. This is to give you a buffer just in case you discover it isn’t malicious. It might be an accidentally locked system file or something else that’s crucial to the running of your system.
Our advice is to unlock the file first, then upload it to VirusTotal (https://www.virustotal.com) to find out exactly what it is – and whether it needs to be blitzed. Then you can upload it to FileAssassin again, tick ‘Delete file’ and exterminate it.
Scan specific folders for malicious files
AV company ESET – maker of ESET Smart Security 8, which came a respectable third in the latest lab tests run by our partners at Dennis Technology Labs – has created a free Online Scanner (www.snipca.com/19205) that scours your PC for threats and leftover files. The full scan can take hours, so we find it more useful – especially when deleting malware and its leftovers – to scan certain folders only.
‘Online’ here is a misnomer – this is an installable tool and doesn’t run from your browser, which is a shame because that might have made it a lot easier to use. When you click ‘Run ESET Online Scanner’ a second window opens, inviting you to download ESET Smart Installer. Click the blue ‘esetsmartinstaller_enu.exe’ link, open it and then click Run if prompted by Windows. Tick the ‘Terms of Use’ box and then click Start.
Then you’re led through numerous stages of configuration, scanning and file removal. In the first box, click ‘Enable detection of potentially unwanted applications’ (this should not conflict with your AV, which is not designed to block or remove PUPs). Then open ‘Advanced settings’ and tick ‘Scan archives’ (to scan for leftover files) and ‘Scan for potentially unsafe applications’, and leave the two other boxes ticked.
Here’s where you can select certain folders, alternative destinations and even specific files. The tool has anti-stealth technology built in, which means it can detect and clean hidden files in folders you didn’t even know were there.
There is a disclaimer at the bottom, warning about potential conflicts with your installed AV, but as we’ve said, your AV is there to block malware – while ESET Online Scanner finds and removes threats and their leftovers.
Click Start to update the tool’s virus signature database. That may take a few minutes. Then it automatically scans your PC for malware and any malicious files left behind. On our Windows 7 PC the scan took ages and came up with a few false positives, including some of our favourite portable system tools made by the brilliant NirSoft (www.nirsoft.net).
Remember, before you jettison any file that a scan identifies as malicious, run it past VirusTotal first to make sure it is actually malicious. NirSoft tools aren’t malicious – that’s for sure.
Remove unwanted Registry files
Your PC’s Registry is where all the vital data about your PC’s installed programs, settings and accounts are held. It’s full of organisational jargon like ‘values’, ‘keys’ and ‘entries’, but essentially every piece of data in the Registry is a file. And – you guessed it – some of these files have been put there by malware.
Malware that’s still present on your PC may have added files to the Registry that interfere with your OS and other software, and in the worst cases may do serious damage to your PC.
If you’ve read this far, you’ll know by now that removing malware does not always remove its Registry files. The best tool we’ve found for removing Registry files at the same time as uninstalling unwanted programs is good old IObit Uninstaller.
When we ran IObit Uninstaller it listed programs and plug-ins we hadn’t knowingly installed, such as CentraStage, which GeekUninstaller also dug up for us. GeekUninstaller can remove Registry files, but IObit Uninstaller gives you greater control over this process.
Once you’ve uninstalled the program (CentraStage in this case), IObit Uninstaller scans your Registry for unwanted leftovers. In many cases there are none. But in the case of CentraStage, there were dozens. We ticked the box at the top of the file tree.
You can then obliterate all the files with one click by ticking the top box in the file tree. This automatically selects all the boxes below it. Tick ‘Also shred files’ if you suspect they may contain sensitive data, and then click Delete.
MALWARE SCANNERS Vs ANTIVIRUS
IObit Malware Fighter claims to “block” malware as well as find it, but we’d rather you steered clear of its blocking features. Blocking malware is the job of your antivirus (AV), and if you run another blocking tool at the same time as your AV they will conflict – effectively cancelling each other out.
You should never allow a malware scanner – whether it’s the powerful IObit Malware Fighter or the easier-to-use Malwarebytes Anti-Malware Free – to run constantly in the background looking for malware to block.
After installing any malware scanner, check that it’s not set to run at startup. If it is, it’ll run in the background continually and conflict with your AV. Download the latest version of free portable tool Autoruns (www.snipca.com/19195), launch it and wait for the list to appear. Then scroll through carefully and untick any malware scanners you find. This doesn’t disable the malware scanner; it simply stops it running at startup and gives you control over when and whether to run it.
Even the best AV – such as Kaspersky Internet Security, which has won the past seven quarterly tests run by our security team at Dennis Technology Labs (www.dennistechnologylabs.com) – is not designed to remove malware. AV and malware scanners are complementary tools – AV tries to block every malware attack, and scanners find and remove any malware your AV missed. They’re a brilliant team, but don’t run them together.
WHY ARE LEFTOVER FILES SO DANGEROUS?
When you remove a malware infection with a tool like Malwarebytes Anti-Malware Free, you’ve only removed the infection. You haven’t removed what it’s left behind. As we’ve seen with rootkits, these leftovers can include items that can be exploited remotely by cybercriminals and are very tough to remove.
Leftover malicious data may also include pieces of code or Registry files that give malware the gift of eternal life by reinstalling it at some point – or even every time you restart your computer.
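The startup check described in the Autoruns step above, and the leftover Registry entries that relaunch malware at every restart, can also be listed from PowerShell. This is an added example, not part of the original article or of any tool it names: it is read-only, covers only the Run/RunOnce Registry keys and the Startup folders (a subset of what Autoruns shows), and the helper names Get-CommandTarget and Test-Entry are hypothetical.

```powershell
# Added example: read-only audit of common autostart locations.
# Get-CommandTarget and Test-Entry are hypothetical helper names.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

function Get-CommandTarget {
    # Extract the program path from a startup command line, e.g.
    #   "C:\Program Files\App\app.exe" /silent   or   C:\Tools\app.exe -x
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.+?\.(exe|com|bat|cmd|scr|vbs|js|ps1))(\s|,|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

function Test-Entry {
    # Report whether the entry's target still exists and carries a valid signature.
    param([string]$Location, [string]$Name, [string]$Command)
    $target = Get-CommandTarget $Command
    if ($target -and -not (Split-Path -Path $target -IsAbsolute)) {
        # Bare names such as "rundll32.exe" are resolved through PATH.
        $app = Get-Command $target -CommandType Application -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($app) { $target = $app.Path }
    }
    $exists = [bool]$target -and (Test-Path -LiteralPath $target -PathType Leaf)
    $signature = if ($exists) {
        [string](Get-AuthenticodeSignature -LiteralPath $target).Status
    } else { 'n/a' }
    [pscustomobject]@{
        Review    = (-not $exists) -or ($signature -ne 'Valid')
        Location  = $Location
        Name      = $Name
        Target    = $target
        Signature = $signature
    }
}

$shell = New-Object -ComObject WScript.Shell
$entries = @(
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($valueName in $regKey.GetValueNames()) {
            Test-Entry $key $valueName ([string]$regKey.GetValue($valueName))
        }
    }
    foreach ($dir in $startupDirs) {
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            # Shortcuts point elsewhere; resolve them to the real target.
            $cmd = if ($_.Extension -eq '.lnk') {
                $shell.CreateShortcut($_.FullName).TargetPath
            } else { $_.FullName }
            Test-Entry $dir $_.Name "`"$cmd`""
        }
    }
)
$entries | Sort-Object Review -Descending | Format-List
```

An entry marked Review either points at a file that no longer exists (a leftover) or at a file without a valid signature. Neither proves the file is malicious, so run it past VirusTotal before removing anything.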
Ransomware is clever, devious software. Once you think you’ve got it off your PC, there may well be files hidden in your Registry or OS that bring the ransomware bouncing back when you least expect it. Oh, and there’s worse. Leftover ransomware files are often locked by their creators so they can never be removed. Malwarebytes FileAssassin is the best tool to resolve this.