How to run a full malware checkup

This is a tutorial for cleaning up a computer. Aside from Microsoft Defender, the tools used here are best suited to a one-time cleanup; they are not the right choice for continuous antivirus protection.

Follow as many steps as you can, including the browser checkup tutorial at the end.

Windows and macOS

First, if on Windows, download and run BleepingComputer RKill. It terminates any actively running malware so that Malwarebytes can do its job without interference, and it temporarily resets certain Windows settings to a predictable state. It needs no input from you; just let it run to completion.

Download and install Malwarebytes. Do not install Malwarebytes Browser Guard when installing it (uBlock Origin is a better tool).

Click Scan and let it run. Click Next to allow it to fix any issues it finds.

Next, download AdwCleaner. This is a Malwarebytes product, but it catches different malware than the main Malwarebytes scanner does. It is particularly good at weeding out software that breaks Minecraft and other video games. It does not require installation.

Run it and click Scan Now. Once the scan completes, click Next and allow it to fix any issues it finds. If it finds none, allow it to run the basic repair.

Reboot your computer and continue following the steps below.

Windows only - Sophos and Defender

Optional: After the above steps, download and install Sophos HitmanPro. This is a good “second opinion” malware scanner, but its free trial is restrictive, so free users can effectively run it only once. To download it you must register, which signs your email address up for Sophos marketing, but this can be cancelled.

Once you are done with these one-time scans, you can remove these tools from your computer.

You should now enable Windows Defender, which is a more lightweight malware scanner that works in the background.

Open Windows Security

Click Virus & threat protection, then click Turn on.

You should now be reasonably protected against PC malware.
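As an added example (not part of the original tutorial), the following PowerShell script confirms that Defender is actually on and current after you have flipped the switch in Windows Security, and turns real-time protection back on if it is still off. It assumes a Windows 10/11 machine with the built-in Defender PowerShell module and an elevated (Run as administrator) session.

```powershell
# Added example, not from the original tutorial: verify Microsoft Defender's state
# after enabling it, rather than trusting the toggle in the Windows Security app.
# Assumes Windows 10/11 with the Defender module and an elevated PowerShell session.

$status = Get-MpComputerStatus

# The settings that matter most for background protection.
$checks = [ordered]@{
    'Real-time protection' = $status.RealTimeProtectionEnabled
    'Antivirus enabled'    = $status.AntivirusEnabled
    'Behavior monitoring'  = $status.BehaviorMonitorEnabled
    'Tamper protection'    = $status.IsTamperProtected
}

foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'OK' } else { 'OFF' }
    "{0,-22} {1}" -f $name, $state
}

# Definitions more than a couple of days old suggest updates are failing or were disabled.
"Signature age (days):  $($status.AntivirusSignatureAge)"
"Last quick scan:       $($status.QuickScanEndTime)"

# If something switched real-time protection off, turn it back on, refresh the
# definitions and run a quick scan. Tamper protection may block Set-MpPreference;
# in that case use the Windows Security app as the tutorial describes.
if (-not $status.RealTimeProtectionEnabled) {
    Set-MpPreference -DisableRealtimeMonitoring $false
}
Update-MpSignature
Start-MpScan -ScanType QuickScan
```

Any line reporting OFF, or a signature age in the double digits, is worth investigating: malware that has tampered with Defender commonly disables real-time protection or blocks definition updates while leaving the service nominally running.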

Firefox and Chrome users

In the following sections we will be investigating browser malware. We will start by checking the code signature of the browser itself. Malware often circumvents extension signing rules by shipping a fake build of Google Chrome or Firefox; if you skip this check, any malicious extensions you remove may be reinstalled immediately afterwards.

Then we will look at the extensions themselves.

macOS instructions

Download and install WhatsYourSign.

Right-click your web browser's .app bundle and click Signing Info.

Verify the notarization. The vast majority of web browsers should show Apple Root CA at the bottom of the chain, indicating that Apple has notarized the browser from the company that made it.

Windows instructions

Run your web browser. Open Task Manager.

Find your web browser in the process list. Click the > arrow to expand its subprocesses. Right-click one of them and click Properties.

Click the Digital Signatures tab, select the signature and click Details.

Does it look legit? For example, here is what “legit” looks like for Google Chrome as of 2022-03-14:

If it says “Chromium” or anything else is off, you should reinstall your web browser immediately and change all your passwords. Chromium is the legitimate open source project that Chrome is built from, but malware authors often compile their code into a Chromium build to create fake versions of the Google Chrome web browser.
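The same check, scripted in PowerShell so it covers every browser process at once, as an added example that is not part of the original tutorial. It uses Get-AuthenticodeSignature on each distinct executable path of the running browser processes. The expected publisher names are assumptions based on the vendors' current signing certificates and may need adjusting; the verdict requires both a valid signature chain and the expected signer, so a self-signed "Chromium" build fails.

```powershell
# Added example, not from the original tutorial: verify the Authenticode signature of
# every running browser executable instead of clicking through Properties by hand.
# Assumes Windows with the browser running. The publisher names are assumptions.

$expected = @{
    chrome  = 'Google LLC'
    msedge  = 'Microsoft Corporation'
    firefox = 'Mozilla Corporation'
}

foreach ($procName in $expected.Keys) {
    # One browser spawns many processes; check each distinct executable path once.
    $paths = Get-Process -Name $procName -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty Path -Unique

    if (-not $paths) { continue }

    foreach ($path in $paths) {
        $sig     = Get-AuthenticodeSignature -FilePath $path
        $subject = $sig.SignerCertificate.Subject

        # Two things must hold: the signature chain validates ('Valid'), and the
        # signer is the vendor you expect. A repackaged build fails at least one.
        $valid    = $sig.Status -eq 'Valid'
        $vendorOk = $subject -like "*CN=$($expected[$procName])*"

        [pscustomobject]@{
            Process = $procName
            Path    = $path
            Status  = $sig.Status
            Signer  = $subject
            Verdict = if ($valid -and $vendorOk) { 'OK' } else { 'SUSPICIOUS' }
        }
    }
}
```

Also look at the Path column: a genuine browser lives under Program Files (or, for per-user Chrome installs, under your AppData\Local folder), so an executable running from Temp, Downloads or a random folder is suspicious regardless of what the signature says.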

Browser extensions checkup

Next, go to your extensions settings. In Chrome, go to chrome://extensions. In Firefox, go to about:addons.

Remove anything you don’t recognize, especially anything related to search engines. You should also uninstall anything you haven’t used in a while. Fewer extensions means less exploitable surface.
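As an added example (not part of the original tutorial), this PowerShell script lists the extensions installed in Chrome's default profile together with the permissions they hold, and then checks the ExtensionInstallForcelist policy key, which is the mechanism that makes an extension reappear after you remove it through chrome://extensions. It assumes Windows with Chrome in its default profile location; the list of "risky" permissions is an assumption chosen for illustration, not an official ranking.

```powershell
# Added example, not from the original tutorial: inventory Chrome extensions and
# check for a policy that forces extensions to be (re)installed.
# Assumes Windows with Chrome's default profile under %LOCALAPPDATA%.

$extRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'

# Permissions that malicious extensions most often rely on (an assumed list for
# illustration: reading all pages, intercepting traffic, cookies, history, proxying).
$risky = @('<all_urls>', 'webRequest', 'webRequestBlocking', 'declarativeNetRequest',
           'tabs', 'cookies', 'history', 'management', 'nativeMessaging', 'proxy')

Get-ChildItem -Path $extRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $id = $_.Name
    # Each extension ID folder holds one subfolder per installed version; take the newest.
    $manifestFile = Get-ChildItem -Path $_.FullName -Recurse -Filter manifest.json |
                    Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $manifestFile) { return }

    $m       = Get-Content $manifestFile.FullName -Raw | ConvertFrom-Json
    $perms   = @($m.permissions) + @($m.host_permissions)   # MV2 and MV3 layouts
    $flagged = $perms | Where-Object { $risky -contains $_ }

    [pscustomobject]@{
        Id      = $id
        # A name starting with "__MSG_" is localised; the real string is in _locales.
        Name    = $m.name
        Version = $m.version
        Risky   = ($flagged -join ', ')
    }
} | Format-Table -AutoSize

# Extensions listed under this key are installed by policy and come back after you
# remove them. On a home PC the key should normally not exist at all.
$forceKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
if (Test-Path $forceKey) {
    Write-Warning 'ExtensionInstallForcelist is set; something is forcing these extensions:'
    Get-ItemProperty -Path $forceKey | Format-List
} else {
    'No forced-install extension policy found.'
}
```

Cross-check the Id column against the "ID" shown for each extension on chrome://extensions; an ID that appears in the force list but that you never installed is exactly the re-installation behaviour the previous section warns about, and the policy entry has to be removed before deleting the extension will stick.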

Recommendations for browser extensions to protect from malware

Do not use your antivirus’s built-in browser extension. These extensions usually suck and often just do something uBlock Origin can already do.

uBlock Origin

uBlock Origin is a free and open source content blocker. It has a large quantity of automatically-updating blocklists to prevent ads and many malware websites from loading.

It is available for Chrome, Firefox, Edge and Opera. It works best on Firefox, since Firefox is the only browser that allows extensions to block HTTP requests before they even happen.

For an extra-secure way to browse the web, uBlock Origin also offers a JavaScript whitelisting mode, in which you must manually approve scripts on each domain you visit.

StopModReposts

StopModReposts is a browser extension that specializes in Minecraft-related malware. The team behind it categorizes hundreds of sites known for posting fake versions of popular Minecraft mods. These websites frequently show up on search engines and have been reported to Google dozens of times, but Google won’t do anything about the problem. It is a must-have if young children play Minecraft on your computer.


© lordpipe

Licensed CC BY — copy this document for your own use.