Virus cleanup procedure.

Microsoft has greatly improved user experience in dealing with virus infection by building some fantastic tools into Windows 10. Here’s a fresh procedure for virus cleanup:

  1. Determine that the computer is infected.

    • Often a virus shows no visible effect at all: it's bad for the attacker's business to make it obvious that the computer is infected.

    • Common signs there is an infection: pop-ups and messages; computer running very slowly; applications won’t open; files have disappeared; language has changed; or simply the computer has gone crazy.

  2. Download and run GMER. This free tool from Avast tells you if you have a rootkit-level virus.

    • Unfortunately, if you are infected with a rootkit, you'll have to wipe the machine and start from scratch. Rootkits cannot be removed, but luckily most infections are not rootkits. Skip to step 7.

  3. Unplug the PC from the network to isolate it and stop the infection from spreading to other machines.

    • Unplug all external drives and USB keys. Plugging them back in may result in reinfection so put them aside for now. Cleaning and recovering files from external drives will be the topic of a future blog.

  4. Open Windows Settings -> Update & Security -> Windows Security -> Virus & threat protection. Under Scan options choose Windows Defender Offline scan, then click Scan now.

  5. Your computer will reboot and then run the offline scan. Secure Boot will attempt to disable anything that isn't a rootkit.

  6. Reanalyze the computer using the criteria from step 1 that determined the computer was infected. If the machine appears clean of viruses/malware you can return it to production and reconnect it to the network. Skip step 7 and proceed to the Second Opinion section below.

  7. If the computer still isn't clean, go back to Windows Settings -> Update & Security -> Recovery and choose Reset this PC. You'll be asked whether you want to keep or delete your files before Windows is reinstalled.
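Steps 3 through 6 can also be driven from an elevated PowerShell prompt using the Defender cmdlets that ship with Windows 10. The script below is an added example, not part of the original post: it disables the network adapters (step 3), records the engine and signature versions, runs a full scan, lists what Defender found so you can re-check against the step 1 criteria (step 6), and schedules the Windows Defender Offline scan that reboots the machine (steps 4 and 5). Step 7 stays in the Settings app. The function names are my own; the cmdlets (`Get-NetAdapter`, `Disable-NetAdapter`, `Get-MpComputerStatus`, `Start-MpScan`, `Get-MpThreat`, `Get-MpThreatDetection`, `Start-MpWDOScan`) are the standard Windows ones.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): scripted counterpart to steps 3-6.
# Assumes Windows 10 with the built-in Defender and NetAdapter modules.

# Step 3: isolate the machine by taking every active network adapter offline.
# Re-enable later with Enable-NetAdapter once the machine is judged clean (step 6).
function Disable-AllNetworkAdapters {
    Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | ForEach-Object {
        Write-Host "Disabling adapter: $($_.Name)"
        Disable-NetAdapter -Name $_.Name -Confirm:$false
    }
}

# Record which engine and signature versions the scan will use, then run a
# full scan from inside Windows. Offline scanning (below) uses the same
# definitions, so note how old they are before you pull the network cable.
function Invoke-DefenderFullScan {
    $status = Get-MpComputerStatus
    Write-Host "Engine: $($status.AMEngineVersion)  Signatures: $($status.AntivirusSignatureVersion)"
    Write-Host "Signatures last updated: $($status.AntivirusSignatureLastUpdated)"
    Write-Host "Real-time protection on: $($status.RealTimeProtectionEnabled)"
    Start-MpScan -ScanType FullScan
}

# Step 6: show every threat Defender knows about on this machine and whether
# the remediation action succeeded, so you can compare against the step 1 signs.
function Get-DefenderFindings {
    $threats = Get-MpThreat
    if (-not $threats) { Write-Host 'No threats recorded by Defender.'; return }
    $threats | Select-Object ThreatName, SeverityID, IsActive, DidThreatExecute, Resources |
        Format-Table -AutoSize -Wrap
    # Per-detection history: ActionSuccess = $false means cleanup did not finish.
    Get-MpThreatDetection |
        Select-Object InitialDetectionTime, ThreatID, ActionSuccess, ProcessName |
        Sort-Object InitialDetectionTime -Descending | Format-Table -AutoSize
}

# Steps 4-5: schedule the Windows Defender Offline scan. The machine reboots
# into the offline environment immediately, so save work first.
function Start-DefenderOfflineScan {
    Start-MpWDOScan
}

# Typical order for an infected box: isolate, scan online, review, then go offline.
Disable-AllNetworkAdapters
Invoke-DefenderFullScan
Get-DefenderFindings
Start-DefenderOfflineScan
```

If the machine is still online when you start, run `Update-MpSignature` before `Disable-AllNetworkAdapters`; once isolated, neither the online nor the offline scan can fetch newer definitions, which is one reason the Second Opinion scanners below are worth running afterwards.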

Second Opinion:

It's always best to get a second opinion, especially when it comes to virus removal. Malware authors are nefarious, so even if you think you've eliminated the threat using the procedure above, it's always best to be certain.

Malwarebytes is very effective at removing the vast majority of infections. They have a free stand-alone scanning tool that will clean detected viruses/malware on Windows machines.

HitmanPro is made by Sophos and is very similar to Malwarebytes. They also offer a free stand-alone scanning tool that will clean detected malware.

Antivirus update:

The last update in our anti-virus competition was in June. After publishing those results we reset the counters to give everyone a fresh start. We still upload newly discovered malware to VirusTotal and record the results but resetting the counters levelled the playing field so newcomers aren’t handicapped by their late arrival.

Here’s an example of one of our submissions (don’t worry, the link is safe to click):

Notice that only Kaspersky and ZoneAlarm detected this virus: it was caught by their heuristics engines, as this is the first time it's been uploaded and thus the first time these products are seeing it. Analysis reveals a Digital Ocean server spreads the virus, so I also reported this discovery to Digital Ocean's abuse email address.

Here’s a look at the standings since the reset. Kaspersky and ZoneAlarm are tied for first place; Avast and AVG are tied for third place.

Antivirus Competition
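The standings above are just running counters of how many of our submissions each engine flagged. The script below is an added example, not the post's own tooling: it reads VirusTotal file reports, tallies one point per engine for every "malicious" verdict, and ranks the engines with shared ranks for ties (so two engines can be "tied for first"). Assumptions: the reports are in the shape of the VirusTotal API v3 file object, where `attributes.last_analysis_results` maps an engine name to `{ category, result }`; the two reports embedded here are constructed sample data, not real submissions; and the one-point-per-detection scoring rule is mine, since the post does not state how its counters are kept.

```powershell
# Added example (not from the original post): tally per-engine detections from
# VirusTotal API v3 file reports and produce standings with shared ranks for ties.
# The scoring rule (one point per "malicious" verdict) is an assumption.

# Constructed sample data: two fictional reports covering four engines.
$sampleReports = @'
[
  { "data": { "id": "constructed-sample-1", "attributes": { "last_analysis_results": {
      "Kaspersky": { "category": "malicious",  "result": "HEUR:Trojan.Win32.Generic" },
      "ZoneAlarm": { "category": "malicious",  "result": "HEUR:Trojan.Win32.Generic" },
      "Avast":     { "category": "undetected", "result": null },
      "AVG":       { "category": "undetected", "result": null } } } } },
  { "data": { "id": "constructed-sample-2", "attributes": { "last_analysis_results": {
      "Kaspersky": { "category": "malicious",  "result": "Trojan-Downloader.Win32.Agent" },
      "ZoneAlarm": { "category": "malicious",  "result": "Trojan-Downloader.Win32.Agent" },
      "Avast":     { "category": "malicious",  "result": "Win32:Malware-gen" },
      "AVG":       { "category": "malicious",  "result": "Win32:Malware-gen" } } } } }
]
'@

function Get-EngineStandings {
    param([Parameter(Mandatory)][string]$ReportsJson)

    # Engine name -> number of submissions it flagged as malicious.
    $counts = @{}
    foreach ($report in ($ReportsJson | ConvertFrom-Json)) {
        $results = $report.data.attributes.last_analysis_results
        foreach ($engine in $results.PSObject.Properties) {
            if (-not $counts.ContainsKey($engine.Name)) { $counts[$engine.Name] = 0 }
            if ($engine.Value.category -eq 'malicious') { $counts[$engine.Name]++ }
        }
    }

    # Competition ranking: engines with equal counts share a rank; the next
    # distinct count gets the rank it would have had without the tie.
    $rank = 0; $position = 0; $lastCount = $null
    $counts.GetEnumerator() |
        Sort-Object -Property @{ Expression = 'Value'; Descending = $true }, Key |
        ForEach-Object {
            $position++
            if ($_.Value -ne $lastCount) { $rank = $position; $lastCount = $_.Value }
            [pscustomobject]@{ Rank = $rank; Engine = $_.Key; Detections = $_.Value }
        }
}

# With the sample above: Kaspersky and ZoneAlarm rank 1 with 2 detections each,
# AVG and Avast rank 3 with 1 each, matching the shape of the standings in the post.
Get-EngineStandings -ReportsJson $sampleReports | Format-Table -AutoSize
```

To feed it real results, save each `GET /api/v3/files/{hash}` response from VirusTotal into a JSON array and pass the file contents as `-ReportsJson`; resetting the counters, as the post describes, is simply starting the array again from the reset date.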