Malware and Virus Removal

If you suspect you are infected with Crypto malware (Cryptowall, Cryptolocker, TeslaCrypt, etc) DO NOT follow this guide! Your files are at stake.

Malware Remediation Steps:

Before proceeding, go into your browser’s extensions and remove all suspicious items. Also go into your browser’s settings and remove any default search providers and unusual homepages. If you are unsure how to do this, proceed to Step 1.

Download and run the following tools in this order. Run all tools unless otherwise instructed. All tools should be run in Normal Mode (not Safe Mode) unless you are unable to boot Normal Mode, or the scans fail in Normal Mode. All tools must be run under an Administrator account. Do not remove any tool-generated logs in the event a helper needs you to post them to further assist you.

1) Run

. Sometimes it takes a few minutes to finish. Do not reboot when done.

  • Kills running malicious processes
  • Removes policies in the registry that prevent normal OS operation
  • Repairs file extension hijacks

2) Download an updated copy Malwarebytes’ Anti-Malware. Turn on the “Scan for Rootkits” option. Then, run a “Threat Scan

  • Successfully removes the vast majority of infections
  • Has an industry-leading built-in rootkit/bootkit scanning engine
  • Has built-in repair tools to fix damage done by malware

3) Run ADWCleaner

using the “Scan” option. Then press “Cleaning” when finished and allow it to  reboot your system.

  • Removes majority of adware, PuPs, Toolbars, and Browser hijacks
  • Fixes proxy settings changed by malware
  • Removes certain non-default browser settings

4) Run Malwarebytes’ Junkware Removal Tool and allow it to finish. Reboot your computer upon completion.

  • Removes adware, PuPs, Toolbars, and Browser hijacks other tools miss
  • Good at removing unneeded AppData directories left behind by infections


Optional, Advanced Step (only run if previous tools fail to solve problem):

5) Run HitmanPro

  • is HitmanPro.

HitmanPro is a phenomenal “second-opinion” malware scanner.

Please note: If malware has prohibited you from browsing the web or downloading files, you can try running the NetAdapter Repair Tool with all options checked which will attempt to restore your internet connection & default browser settings. You may have to download these tools on another computer and move them to a flash drive that you can plug into the infected machine.

Have adware or spyware on your Mac?

Try Malwarebytes Anti-Malware for Mac (formerly Adware Medic)


Follow-up Steps (highly recommended):

  • Using a computer that has not been infected, change passwords to all your online accounts.
  • Consider enabling two-factor authentication.
  • Install a better anti-virus. See recommendations below.


How did I get infected?

It is difficult to track down the source of an infection. Most infections are actually given permission to run unknowingly by the user. It is recommended to keep User Account Control turned on and never give access to something you do not trust or did not open. Many other infections come via exploits in your browser or browser plug-ins on websites you visit. Always be very careful what you install. Make sure you trust the source implicitly. When downloading programs, always use the publisher’s website directly.


How to prevent future infections:

Be very careful what you download and install. Keep programs like Java & Flash up-to-date, but do so using their official websites or Ninite

installers. Use Unchecky to prevent accidental installation of adware & spyware during product installations. Make sure Windows is kept up-to-date as well. Many Windows updates patch exploits and vulnerabilities in your operating system. Most infections are active because the user has unknowingly given it Administrative permission to install and run. The first line of defense starts with you.


The following tools will aide you in keeping your computer clean:


Free Anti-Virus Suggestions:



Helpful Tools:


(FOSS – Automates malware removal and system cleanup)



SSH Tunneling Tutorial: A guide by Stickyboot
Because sometimes you need to rout traffic through servers
Opening, and subsequently routing data through an SSH tunnel is a very useful trick to know about.  I like to think of a tunnel like this:  When you open a tunnel, and direct programs to connect to the internet through the tunnel, it’s as if that program is talking to the internet at the point where your server connects to the internet.  All your ISP/Network provider will see is encrypted traffic to and from your server with respect to the programs you configure to connect through that tunnel.

There are a number of uses for this:

  • Logging into websites using a servers IP address (Good for registering server IP address with sites like this)
  • Getting around network level internet filtering (you naughty high school students you!)
  • Preventing exposure of certain IP’s and domain names while using untrustworthy networks
  • Getting around region based filtering (IE watch your Netflix off your US based server while overseas/out of country)

This tutorial assumes you have SSH access to a server.  This is most likely through your VPS that you rent from a community member here, a seedbox, a website you pay for hosting on, a free terminal access server etc.  Always be aware of the restrictions and rules the server operators have on the server you intend to use.  Also adhere to the community guidelines when it comes to connecting to private site such as this (meaning, make sure you trust the connection you are on, and the connection the server is on, as in don’t connect to private places through public servers).


Step 1: Download PuTTY
Download PuTTY from the official website.  Put it where you put your program files (Like C:\Program Files (x86)\PuTTY).  Also make a start menu shortcut for convenience.
Step 1Step 2: Configure and save a session
We now need to set up a session in putty and save it for future convince.  A session is basically like a configuration profile that lets you quickly recall settings for connecting to different servers.


2.1  Launch PuTTY.  You will see the following screen.  Start by entering the server IP or domain name into the Host Name box.  Also use the correct port, but 22 usually works by default.
Step 2.1

2.2  Next, go to the Connection->Data tab in the sidebar.  Enter the user name of the account you plan on connecting with.  This is purely for convenience.  If you do not do this, you will be prompted for a user name when connecting to the server.  If you are paranoid about someone finding out your user name you might want to leave this blank.
Step 2.2

2.3  Now define a local port to allow programs to tunnel through.  Go to the Connection->SHH->Tunnels section in the sidebar.  Add an unused local port, choose dynamic, and leave it on auto then press add.  I use port 7777, but any unused port will work.
Step 2.3

2.4  You should now see the port number followed by a D (for dynamic) in your forwarded ports list.
Step 2.4

2.5  We are all done.  We now need to save the session.  Go back to the sessions section, type in a name for the session and press save.  To reload a session in the future, select it from this list and press load.  I like to indicate any tunneling settings into the session name so I would have probably called this session “testsession -7777D” to let me know that this session opens a dynamic tunnel on port 7777.
Step 2.5

2.6  The sessions list should look something like this now:
Step 2.6

Step 3: Open your tunnel
Now press open in PuTTY after you did step 2, or loaded a session.  Log in as normal, and leave the terminal session window open in the background.  Your tunnel will remain open as long as your PuTTY session is open (so, as long as your window is open).
Step 3

Step 4: Route traffic through the tunnel
The tunnel is open, but you have to rout traffic through the tunnel for it to do anything useful.  A common use of a tunnel is to run your browser through your tunnel so you can register the servers IP at websites by logging into them through a browser running through your server.  The following steps explain how to rout Firefox through the tunnel.

4.1 Launch Firefox.  Open options. Go to the Advanced tab, then the network subtab and open the connections settings window.
Step 4.1

4.2 Set to “Manual proxy configuration”.  Enter “localhost” into the SOCKS Host box, and set the port to whatever port you used for your SSH tunnel.  In this case, I used port 7777.  Press okay and close preferences.  When you want to close the tunnel, you will have to set this back to no proxy since your browser will not work in this mode without the tunnel running in the background.
Step 4.2

4.3 This step is required if you want to run absolutely all your traffic through your tunnel.  I guess by defualt, firefox does not rout DNS lookups through the proxy settings, but this makes sure it does.  This step is required if you want to hide your traffic from the network you access the internet on to the point of your server.  If you just want to register your servers IP on a website, you do not need perform this step.

imantor said:

Configure Firefox to use the Tunnel also for DNS:

To prevent Firefox from doing NS lookups enter about:config in the URL text field and double click on the network.proxy.socks_remote_dns to set it to true.

You are now routing all of Firefox’s traffic through your SSH tunnel.  Congrats!  You can use this in a number of other applications, but its the same process so go at it!  Just don’t piss off your server admin by running all of your torrent traffic through their connection.