If you suspect you are infected with Crypto malware (Cryptowall, Cryptolocker, TeslaCrypt, etc) DO NOT follow this guide!
This guide is heavily based on a Reddit post by: /u/cuddlychops06. I have reviewed it and given it two thumbs up!
Purpose & Scope of this Guide:
This guide is designed to assist you in removing malware from an infected system that successfully boots. If you perform the following steps exactly as described, this will solve your problem in over 90% of scenarios. That said, not all malware is created equal, and there will be times that this guide fails in removing malware. It is recommended to only accept advice from a “Trusted” technician. (W0HC is a CompTIA A+ Certified Technician). This guide is written in layman’s terms so that most people will be able to understand it with ease.
The following instructions are recommendations only. You take full responsibility for any steps you choose to perform on your computer. While the following recommendations are performed without issue on countless machines, there is always a risk of damaging your Operating System or experiencing data loss on any machine. It is solely YOUR responsibility to save all work and back up any and all important data on your system before proceeding. Also note that once a computer has been compromised with malware, it should not be considered clean until a complete reformat has taken place.
Malware Remediation Steps:
Before proceeding, go into your browser’s extensions and remove all suspicious items. Also go into your browser’s settings and remove any default search providers and unusual homepages. If you are unsure how to do this, proceed to Step 1.
Download and run the following tools in this order. Run all tools unless otherwise instructed. All tools should be run in Normal Mode (not Safe Mode) unless you are unable to boot Normal Mode, or the scans fail in Normal Mode. All tools must be run under an Administrator account. Do not remove any tool-generated logs in the event a helper needs you to post them to further assist you.
1) Run rkill.com. Sometimes it takes a few minutes to finish. Do not reboot when done.
- Kills running malicious processes
- Removes policies in the registry that prevent normal OS operation
- Repairs file extension hijacks
2) Download an updated copy Malwarebytes Anti-Malware. Turn on the “Scan for Rootkits” option.
Then, run a “Threat Scan”
- Successfully removes the vast majority of infections
- Has an industry-leading built-in rootkit/bootkit scanning engine
- Has built-in repair tools to fix damage done by malware
3) Run ADWCleaner using the “Scan” option. Then press “Cleaning” when finished and allow it to reboot your system.
- Removes majority of adware, PuPs, Toolbars, and Browser hijacks
- Fixes proxy settings changed by malware
- Removes certain non-default browser settings
4) Run Junkware Removal Tool and allow it to finish. Reboot your computer upon completion.
- Removes adware, PuPs, Toolbars, and Browser hijacks other tools miss
- Good at removing unneeded AppData directories left behind by infections
Optional, Advanced Step (only run if previous tools fail to solve problem):
5) Run RogueKiller
Please note: If malware has prohibited you from browsing the web or downloading files, you can try running the NetAdapter Repair Tool with all options checked which will attempt to restore your internet connection & default browser settings. You may have to download these tools on another computer and move them to a flash drive that you can plug into the infected machine.
If you have run all of the above tools successfully, you should be malware-free.
Follow-up Steps (highly recommended):
- Using a computer that has not been infected, change passwords to all your online accounts.
- Consider enabling two-factor authentication on supported apps & sites.
- Revoke app-specific passwords to things like gchat, Facebook, etc
- Consider resetting your Windows user account password
- Install a better anti-virus.