The first thing I would recommend is downloading Comodo Cleaning Essentials (CCE). Do not delete/disable anything with this program as it can be very dangerous if used improperly. We are only using its analytical abilities. Please do not use it to try and clean up any infections or you could inadvertently harm your computer. From the link above, just select the correct version for your operating system type. After it’s finished downloading restart your computer. When it reboots do not open any programs. Just unzip the file and open the folder. Then double click on the file called KillSwitch. This will open KillSwitch which will immediately begin analyzing all your running processes. This analysis should only take a minute or so. The reason I asked you not to open any other programs is because malware will run on system startup whether you wanted it to or not. Many legitimate programs will not. Thus we will have fewer processes to examine.

Now go to “View” and select “Hide Safe Processes”. This will hide all processes that are verified to be safe by Comodo. Now all we are left with are those programs that are either believed to be malicious or are unknown. If KillSwitch now shows that “There are no items to show”, then your computer passed this part of the tests. You can move on to part 2. However, if there are files remaining then it’s best to analyze them following the methods described in How to Tell If a File Is Malicious. These methods are also quick and easy to use. To get to the file, right click on the process in question and select “Properties”. This gives the file location in the box under where it says “Image File Name”. You can use this to navigate to the file.
If your analysis shows that the file is safe I would recommend submitting the program that the file you were analyzing belongs to. Programs can be submitted in this topic of the Comodo forums. In order to do this you need to have an account on the Comodo forums. If you don't already have one, signing up is very easy and rewarding. If you report all the safe programs on your computer the next time you check there should not be any more unknown processes for you to examine. Thus, it becomes an incredibly easy task to ensure that your computer is still clean of infections. In fact, my computer always shows a completely blank screen after selecting the option to “Hide Safe Processes”. This allows me to ensure that my system is clean in less than one minute.
In the same folder as KillSwitch is another program called Autoruns. This program will analyze the registry and show you the files associated with the items. In doing so this program can identify malware and unknown files, even if they aren't running. It may even be useful in identifying rootkits, although that is not its primary purpose. The downside to using this program is that it will likely give you more files to check than the above method. However, if you really want to be sure that your computer is clean then I would advise using this as well. As before, do not delete/disable anything with this program as it can be very dangerous if used improperly. We are only using its analytical abilities. Please do not use it to try and clean up any infections or you could inadvertently harm your computer.

To use this, double click on the file for Autoruns. It will immediately start compiling the list. This process could take a couple of minutes to complete. Once it’s done it will automatically begin to analyze the entries. Go to “View” and select “Hide Safe Entries”. Now wait until all files have been analyzed. If this is the first time you have run this program, you should now close it and then open it again. I find that this often allows Comodo time to analyze some of the unknown files so that this time there will be less to check. If Autoruns now shows that “There are no items to show”, then your computer passed this part of the tests. You can move on to part 3. However, if there are still entries left over you should start analyzing them using the same methods described in How To Tell If A File Is Malicious. To get to the files that these entries are associated with, right click on an entry and select “Jump to Folder”. This will open up the folder where the associated file is located, and select the file as well. Also, you will find that a single file often has numerous entries, which means that there’s not nearly as much analysis to be done as it would seem.
If your analysis shows that the file is safe I would recommend submitting the program that the file you were analyzing belongs to. You can do this by following the same process described above. If you report all the safe programs the next time you check there should not be any unknown entries for you to examine. Thus, it becomes an incredibly easy task to ensure that your computer is still clean of infections. In fact, my computer always shows a completely blank screen after selecting the option to “Hide Safe Entries”. This allows me to ensure that my system is clean in just a few minutes.
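For readers who want to see what a startup-entry check like this involves, here is a read-only PowerShell sketch, added as an example (it is not Comodo's code and does not use Comodo's safe list). It covers only the registry Run/RunOnce keys and treats a valid Authenticode signature as a rough stand-in for "safe"; the helper name Get-TargetPath and the choice of keys are assumptions of this example.

```powershell
# Added example: list Run-key startup entries whose target file lacks a valid
# Authenticode signature. Read-only: nothing is deleted or disabled.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: pull the executable path out of a startup command line.
function Get-TargetPath([string]$Command) {
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    # Quoted path: "C:\Program Files\App\app.exe" /arg
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path that may contain spaces: stop at the first executable extension
    if ($cmd -match '^(.+?\.(exe|dll|com|bat|cmd|scr))(\s|,|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $path = Get-TargetPath ([string]$item.GetValue($name))
        # Bare names such as "rundll32.exe" are not resolved and show as FileNotFound
        $status = 'FileNotFound'; $signer = $null; $hash = $null
        if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $status = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
        [pscustomobject]@{ Key = $key; Name = $name; Path = $path
                           Signature = $status; Signer = $signer; SHA256 = $hash }
    }
}

# Rough analogue of "Hide Safe Entries": keep only entries without a valid
# signature, one row per file since a single file often has several entries.
$entries | Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Path -Unique | Format-List
```

An entry listed here is only unverified, not necessarily malicious; analyze the file itself before drawing any conclusion.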
If, after following the above advice, your computer shows no signs of infection you are probably fine. The only things that could have slipped past you at this point are some types of rootkits. For most people, scanning with Kaspersky TDSSKiller should be sufficient to rule out this possibility. This program will scan your computer for some of the most common types of rootkits. I've also found it to have relatively few false positives. As before, I would recommend that you not delete any files using this program unless you’re sure that they’re malicious. A false positive on the wrong file could destroy your computer, even if you’re not infected.

To use this, download the file and unzip it. Then open the file called TDSSKiller. Next select the option to “Start Scan”. This scan should take less than a minute. If it does not find any rootkit activity then your computer is almost certainly clean. However, if it does find something I would advise that you continue on to the next step. Only if you have reason to doubt that your computer is clean should you feel it necessary to continue on to the next step. Using this program is more difficult than what we’ve been doing so far.
If you are still not confident that your computer is clean there is one more test that you can perform. You can perform a smart scan with CCE. This is found in the same folder as KillSwitch and Autoruns. This will scan for all types of malware, but we are specifically interested in its ability to identify rootkits. The scan should not take too long to complete. As before, I would recommend that you not delete any files using this program unless you’re sure that they’re malicious. The problem with this program is that I do find it to have many false positives. This makes the results more difficult to evaluate.

After the scan is complete it will ask you to restart your computer. Do not remove any files with this program unless you're sure they're malicious. Once it restarts it will pop up telling you the final results. If it did not find anything, and neither did any of the above methods, then your computer is definitely clean.
As I said above, the problem with this program is that it finds many false positives. If you cannot tell from your results whether the entry is an infection or not, you have two options. One is to navigate to the path given by CCE and investigate the files using the methods described in How To Tell If A File Is Malicious. This is not always possible depending on how well the file is hidden. The other option, which I would recommend for most users, is to post your results in a new topic you create in this section of the Comodo forums. Be sure to also mention the results of everything you did above. Of course, you could also post this in other security forums. However, if you’ve already created an account for the above steps you may as well post it there. You will definitely get help in figuring out what’s going on with your computer.
If these methods do show that your computer is infected you should check out this Malware Removal Guide for Windows. Following this advice should allow you to remove almost any infection and get your computer back to working order. Once done, you should again check, using these methods, to ensure that all infections were successfully removed.
Once you're sure that your computer is clean, it's important to keep it that way. For this I would recommend you read my article about How to Stay Safe While Online. It has some very useful advice.
If you have any problems or are confused by my directions please leave a comment below and I will try to help. Trust me, if you are having a problem then so are many others. I need to know this so that I can improve the article and make it usable for everyone. Also, and this is especially important, if you find a situation in which none of these methods shows evidence of an infection, but the system is definitely infected, then please let me know. In that case I will need to rethink my strategy. I would really appreciate any feedback.
In addition, if you believe this article deserves anything less than 5 stars, please leave a comment below explaining how you think it can be improved or where you find fault. In fact, I would appreciate any feedback, positive or negative, so that I can improve the article. Your opinions and advice will be much appreciated.
If you found this article useful then perhaps you'd like to check out some of my others.

How to Stay Safe While Online
How to Protect Your Online Privacy
How to Tell if a File is Malicious
How to Avoid Spam
How to Report Spam
How to Install Comodo Firewall

This software category is maintained by volunteer editor Chiron. Registered members can contact the editor with any comments or suggestions they might have by clicking here.