It is not usually necessary to read this entire guide. You can skim through it and find the section applicable to your needs.
Investigate Identified Suspicious Files
If you have identified a file that you believe may be malicious, the easiest thing to do is to check it online.
If the file is less than 20MB in size then you can upload it online to be checked. Please see this guide:
Methods to Investigate Suspicious Files
If any of these methods finds a file to be malicious that is not already detected by your AV, it should then be reported to the AV that you are using. Please see:
Links to report malware to all major AVs
On this page are the submission links or email addresses for most of the major AVs. False positives can also be reported in the same way.
If you are using Comodo please upload it to:
http://internetsecurity.comodo.com/submit.php
This will ensure that the same malware cannot infect you in the future. This same link will also allow you to report false positives to Comodo. Files uploaded through this interface can only be up to 10MB in size.
If you have files that you believe are infected, or false positives, and are larger than 10MB, then they can be uploaded using a file hosting website called ifile.it:
http://ifile.it/
This can handle files up to 300MB. The download link can then be sent to your AV.
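Before sending a sample anywhere it is worth recording its size and hashes, so that you can match it against the size limits above and refer to it unambiguously in a forum topic or vendor report. The following Python script is an added example for this guide (it is not a Comodo tool and is not from the original post): it hashes a file, checks it against the three size limits stated above (10MB for the Comodo submission form, 20MB for the online check, 300MB for ifile.it, assumed to be current) and lists which submission routes accept it. The demo file it writes is constructed; point `triage()` at a real file to use it.

```python
import hashlib
import io
import os
import tempfile
from dataclasses import dataclass, field

MB = 1024 * 1024
# Upload limits as stated in the guide (assumption: they are still current).
COMODO_SUBMIT_LIMIT = 10 * MB
ONLINE_SCAN_LIMIT = 20 * MB
IFILE_LIMIT = 300 * MB

# Constructed demo content; stands in for the suspicious file you would triage.
DEMO_CONTENT = b"MZ" + b"\x00" * 60 + b"This is a constructed, harmless demo sample.\n"


@dataclass
class SampleInfo:
    path: str
    size: int
    sha256: str
    md5: str
    channels: list = field(default_factory=list)


def hash_stream(fh, chunk=1 << 20):
    """Compute SHA-256 and MD5 of a binary stream in chunks (large files stay cheap on memory)."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    for block in iter(lambda: fh.read(chunk), b""):
        sha.update(block)
        md5.update(block)
    return sha.hexdigest(), md5.hexdigest()


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def submission_channels(size):
    """Return the submission routes from the guide that accept a file of this size,
    tightest limit first. An empty list means the file is over every limit."""
    channels = []
    if size <= COMODO_SUBMIT_LIMIT:
        channels.append("Comodo submission form (up to 10MB)")
    if size <= ONLINE_SCAN_LIMIT:
        channels.append("online multi-engine check (up to 20MB)")
    if size <= IFILE_LIMIT:
        channels.append("ifile.it upload, then send the link to your AV (up to 300MB)")
    return channels


def triage(path):
    """Gather what you need before reporting: size, hashes and the routes that accept it."""
    size = os.path.getsize(path)
    sha256, md5 = hash_file(path)
    return SampleInfo(path, size, sha256, md5, submission_channels(size))


def write_demo_sample():
    """Write the constructed demo content to a temp file and return its path."""
    directory = tempfile.mkdtemp(prefix="sample-triage-")
    path = os.path.join(directory, "suspect.bin")
    with open(path, "wb") as fh:
        fh.write(DEMO_CONTENT)
    return path


if __name__ == "__main__":
    info = triage(write_demo_sample())
    print(f"file:    {info.path}")
    print(f"size:    {info.size} bytes")
    print(f"sha256:  {info.sha256}")
    print(f"md5:     {info.md5}")
    for channel in info.channels or ["none: over every limit, contact the vendor directly"]:
        print(f"route:   {channel}")
```

Quote the SHA-256 (not just the file name) when you open a forum topic or e-mail a vendor; file names are easily changed and a hash lets the vendor tell whether they already have the sample.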
Basic Programs Used to Clean an Infected System
If you believe that your computer is infected it is a good idea to scan it with multiple anti-malware products. This will greatly increase the chances of identifying and removing any infection. Only perform one scan at a time. Before performing a scan with any of these programs always ensure that they are fully updated. If a program ever identifies a file as infected that you believe is clean do not hesitate to report it as a false positive to the security vendor so that they can fix it.
Many malicious programs will hide in temp folders. The easiest way to clean these out is to use CCleaner:
http://download.cnet.com/ccleaner/
This program does not scan for malware but merely clears junk files from your computer.
I would first use Comodo Cloud Scanner:
http://www.comodo.com/home/download/download.php?prod=cloud-scanner
This program does not have the capability to clean an infection, but it does do a great job of letting you know if you are infected. If you choose, you can use the free trial of Comodo livePC Support that installs with it to have Comodo experts clean the computer for you. Just for your information, installing Comodo Cloud Scanner also installs the program for Comodo livePC Support. It is not dangerous, but you can safely uninstall it if you don't want to use the free trial. After clicking 'Scan Now!' you really only need to look at the malware and suspicious files section. Under this section click the 'Submit All' button and it will send all the running files and processes to CIMA to be analyzed. These results should allow you to tell whether your computer is infected or not.
I would next do a scan with Hitman Pro:
http://www.surfright.nl/en/hitmanpro
This scan will only take a few minutes, but scans your computer with 5 major security products. It only scans the most important parts of your computer, but it does not need to be updated as it checks files 'in the cloud'. The option to 'Scan computer daily during startup' can be disabled if you like.
I would next do a scan with A-squared Free:
http://download.cnet.com/A-squared-Free/3000-8022_4-10262215.html
This has excellent detection, but also has a relatively high false positive rate. During almost every scan it will detect tracking cookies. These are not a great threat to your computer security, but there is usually no reason not to remove them. If you believe that a file detected by A-squared is clean then you can report it as a false positive by right clicking on the reported file after the scan is done. This will give you the option to report it as a false positive.
Next perform a scan using Malwarebytes:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
This program is very good at detecting and removing malicious programs.
Now perform a scan using SuperAntiSpyware Free Edition:
http://www.superantispyware.com/superantispywarefreevspro.html
This program is very good at detecting and removing spyware and other malicious programs.
AV Rescue Disk
If you are unable to install and run the programs in this list and you believe that this is caused by the infection, then the first thing to do is to boot into safe mode and once again attempt to run these programs. If even this fails then you may need to use an AV Rescue CD/DVD. The idea here is that you burn the ISO image to a disk and then boot the computer from it. I would advise using a CD-RW or a flash drive so that you can always burn the newest version. These rescue systems cannot be updated, so in order to have the latest signatures you must have the latest version. Also, don't forget that you should burn the rescue disk on a computer that is clean, otherwise the files may be corrupted or even possibly infected.
One of the best to use is the Avira AntiVir Rescue System:
A very useful tutorial can be read here:
http://forum.avira.com/wbb/index.php?page=Thread&threadID=82163
A link in this tutorial allows you to download a program which will burn Avira AntiVir Rescue System to a disk. I would strongly advise reading the tutorial before trying to clean the system yourself.
Another alternative to Avira is Dr. Web:
http://www.freedrweb.com/livecd/
Clicking 'Download Dr.Web LiveCD' will bring up a page. From this page you should download both the .iso and the PDF that explains how to install and run it.
Please be aware that I have not tested these two programs and have in fact never had to use a rescue disk. I have provided links to the tutorials in the hope that they will explain how to use these products well enough.
Programs that Require Assistance of Computer Security Professionals
There are many people on the Comodo forum who have great knowledge of how a computer, and computer security, works:
http://forums.comodo.com/new-member-information-b57.0/
For the next few applications the best option is to create a new topic on the forum and seek the help and advice of these experts.
It is a good idea to do a scan with an anti-rootkit application. One of the best is GMER:
http://download.cnet.com/GMER/3000-8022_4-10720107.html
This program will quickly scan your computer for hidden files. I would advise, however, that before removing any files with this program you check with someone who has a thorough understanding of computers. The easiest method is to create a topic in the Comodo forum.
The last and one of the most effective methods to check if your computer is infected is to perform a scan using Trend Micro HijackThis:
http://free.antivirus.com/hijackthis/
If it reports suspicious activity then upload the log file to your topic in the Comodo forum. Please note that it must be converted to a .txt file in order to be attached to the post. Please do not remove any files yourself without first seeking advice from the forum.
Remove Files that Don’t Want To Be Removed
If you know a file is malicious and you want to remove it, but it won't let you (probably the file is locked), then download FileAssassin:
http://www.malwarebytes.org/fileassassin.php
This will allow you to remove almost any file, but please be careful. Some files are required for the computer to even run. Removing the wrong one may turn your computer into a nonresponsive brick (as most bricks are).
Preventing Another Infection
After cleaning your computer it is now important to ensure that this does not happen again. If you are using a standard AV I can almost guarantee that eventually it will. I would recommend downloading and installing CIS:
http://www.comodo.com/home/internet-security/free-internet-security.php
This will download the entire package for CIS, but you have the option not to install the AV. At this time I would advise installing a different AV alongside it. The downside to using Comodo Firewall is that the user will be prompted to answer many questions, but it is currently the best free method for ensuring that a computer remains secure. Hopefully with the release of V4.1 and the introduction of the behavioral analyzer this problem will be solved and CIS will be ready for the masses.
Free Antivirus
The free AVs that I would recommend running alongside Comodo Firewall are:
Avast:
http://www.avast.com/free-antivirus-download
This is the only program in the list that has the ability to run a boot-time scan. Please note that Avast does require you to register in order to get the key to activate the product. This is free and will last for one year. At the end of that year you merely need to register again for the next.
If there is a file that you believe is suspicious, or a file that is detected by Avast that you believe to be a false positive, then submit the file to be analyzed. These samples should be sent in a password protected zip file with the password 'infected' to:
virus[at]avast.com
If it is a false positive please put "False Positive" as the subject. If it is suspicious please put "Suspicious File" as the subject.
Microsoft Security Essentials:
http://www.microsoft.com/security_essentials/
Any files that you believe are suspicious, or files detected by MSE that you believe are false positives, can be reported via this web interface:
https://www.microsoft.com/security/portal/Submission/Submit.aspx
Avira:
http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html
Any files that you believe are suspicious, or files detected by Avira that you believe are false positives, can be reported via this web interface:
http://analysis.avira.com/samples/index.php
Internet Addons
Whether you are using Internet Explorer or Firefox I would also recommend installing an addon called Web Of Trust:
http://www.mywot.com/
This will warn you when you attempt to enter a site that the WOT community has decided is risky.
System Virtualization
If you engage in practices that could be described as risky I would recommend running some kind of virtualization program. The simplest to use is Sandboxie:
http://download.cnet.com/Sandboxie/3000-2144_4-10371434.html
This program is very secure on a 32 bit system. It is now also available for x64, but it appears that it is nowhere near as secure on 64 bit as on 32 bit. Please see the following:
http://www.sandboxie.com/index.php?NotesAbout64BitEdition
If you are running a 64 bit system I would recommend using Returnil:
http://download.cnet.com/Returnil-Virtual-System-2010-Home-Free/3000-2239_4-10704691.html
You can use this program to take a snapshot of your computer and then restore your system to this state when you restart. This is mainly useful if you know that you are going to go somewhere where there is a good chance of infection. I generally prefer Sandboxie, but it does not work correctly on a 64 bit system.
Advanced Configuration of Programs
If you decide to use Avast, Avira, Microsoft Security Essentials, SuperAntiSpyware, or A-squared as only on-demand scanners I would recommend installing them without the real time detection installed or, if this is not possible, disable the real time protection in their options or settings. Please note that if real time protection is set to off for MSE then the real time protection for Windows Defender (if you have it) should be turned on.
It is also a good idea to prevent these programs from starting their processes at boot and using system resources by using AutoRuns:
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
This is an advanced tool that should only be used by people who know what they are doing. Also, disabling these services may prevent the program from being able to start if the system is thoroughly infected.
Under the Logon tab you can safely disable the entries for Microsoft Security Essentials, Avast, Avira, and SuperAntiSpyware. For my system, which is Windows 7 x64, these have the names of MSSE, avast5, avgnt, and SUPERAntiSpyware.
Under the Services tab you can safely disable the entry for A-squared. For my system this has the name of a2free. It is very important that you do not disable the services for Avira or Avast. If these are disabled then the programs cannot update. For Avira you can disable the daily update option under the scheduler tab in its own GUI.
This will prevent these programs from running processes in the background and eating up system resources. In most cases this will also cause the programs to take significantly longer to load. In the case of SuperAntiSpyware I find that it is necessary to click on the shortcut twice to open the program.
I cannot stress enough how dangerous AutoRuns can be. It modifies the registry. Be very careful. If you prevent the wrong process from running it can even prevent Windows from starting.
If you need assistance in understanding how to run SuperAntiSpyware, Malwarebytes, A-squared Free, or HijackThis then please see this very informative guide written by eXPerience:
What to do if you're infected - eXPerience Rev.3
If there are any changes that I should make to this guide please let me know. I will update this thread with the most up to date information available to me. I am sure that this guide can be improved in many ways, but I am currently unsure as to what these are. I need your expertise and especially your opinions.