Avoiding and Removing Ransomeware
You’ve probably encountered them - big flashing warning boxes on websites that inform you that your computer is infected with hundreds of viruses or malware or some such. Scary, right? You don’t want your computer to be infected with anything! And these nice people are offering to scan your computer to clean it with their free download - how thoughtful! So you click yes, please clean my computer, and it all goes downhill from there. Now your computer is being held hostage by this rogue “internet security” software that won’t let you open any other programs because they are “infected.” But the only way to clean these infected programs is to cough up $50 for the full security program. You have been the victim of ransomeware, a bit of social engineering that all too many people fall victim to. Here’s how to avoid and, if necessary, defeat ransomeware!
This step is relatively easy but still obviously the point of failure for many afflicted users. The first thing to do is to make sure that you are already running some up-to-date Internet security software and to know exactly what it is called. To some, this step may sound trivial, but over the years I have encountered numerous PC users who have no idea if their computer is protected and, if so, what software they are using. “I guess it’s protected, it came with McAfee, I think . . . ” is something I’ve heard a lot of, as well as “Well, my Internet company sent me a disc with some security software, but I can’t remember if I used it or not.” That lack of awareness will get you into a world of trouble.
Click on your Start Menu and choose All Programs, or, if you’re on Windows 8, right-click on a blank space on the Start Screen and click All Apps in the bottom right of the screen. Look through your programs/apps (same thing) and look for anything that might indicate a security program. Words such as “Internet security”, “antivirus”, “firewall”, “malware”, are all keywords to check for. Software providers might include “Norton” or “Symantec”, “McAfee”, “Kapersky”, “AVG”, “PC Tools”, “Commodo”, “Trend Micro”, “Bit Defender”, “Avast”, “Avira”, “ESET”, “Panda”, “Webroot”, “Ad-Aware”, “Microsoft Security Essentials” and others. Some of these may provide only one facet of security, such as a stand-alone firewall or malware protection. My preferred combination is the free Microsoft Security Essentials suite (which is baked into Windows 8, so no need to download it for such users), Malwarebytes antimalware protection (which will come into play later in the blog - there is a free version, but I highly recommend paying the one-time $25 fee for active malware protection), and the Windows firewall, which is activated by default in most PCs and is sufficient for the majority of users. For a guide to different Internet security suites, check out this PC World article.
Having identified your Internet security programs (or lack thereof) you can identify rogue “security” alerts when they pop-up while you’re surfing the web. So if you see messages like these -
- you’ll know they are fake because they do not correlate with the software you know you have installed. Still, some such alerts will identify themselves as reputable security software and lull you into downloading the ransomeware. In any event, if you get one of these messages, I recommend closing your web browser, restarting your computer without taking any other action, and then running a full-system scan using the security software you know is valid and following the steps it presents after the scan is complete to remove any real threats such messages might have introduced to your PC.
If you’ve never encountered ransomeware before, it can be all-too-easy to become infected. It even happened to me - a long time ago. I have since learned to deal with it and have helped a number of library customers remove it from their PCs. Here’s what I do.
First, have the programs you’ll need to clean your computer already installed and, just in case these programs have since been removed or corrupted, copy their installers to a CD:
Restart your computer and when the manufacturer’s logo appears, start tapping the F8 button at the top of your keyboard repeatedly until this screen appears:
Use the arrow keys to select the option for “Safe Mode with Networking” and press the Enter key. Safe Mode is a troubleshooting version of Windows that is stripped-down to only the absolute essential processes and drivers needed to run the OS. It should, hopefully, load without the ransomeware - that doesn’t mean the ransomeware is gone from your computer, only that it is inactive in Safe Mode. If the ransomeware does load in Safe Mode and prevent you from running any of these security programs, you may want to take your PC to a repair professional; the Fredericksburg area has a number of tech support outfits to consider, as listed on this Google Map.
If Safe Mode allows you to run programs normally, start first with Kapersky TDSSKiller, a rootkit detection and removal tool. To quote the CNET download.com page that hosts this program, “Rootkits burrow into the roots of your Windows operating system, hiding and intercepting Windows API functions, often modifying them for their own purposes, which are seldom benign. TDSSKiller by Kaspersky Labs can find and remove rootkits, either in Normal Mode or Safe Mode. It targets malware where it lurks, including boot records.” Running Kapersky shouldn’t take more than a few minutes and when it is done, it will show you the threats to your PC; choose the option to delete these threats, then reboot your computer, again into Safe Mode.
Next, run Malwarebytes to remove malware on your system. Malware is broad term to include any clandestine software loaded onto your computer without your knowledge that might be simply spying on your online activity, redirecting your web searches, or something more insidious. In Malwarebytes, choose the option to run a full-system scan, not just a quick scan. This process may take more than an hour, depending on your computer and hard drive size. Choose to remove any items that the program has detected. Then restart your computer in Safe Mode again.
Finally, run Microsoft Security Essentials and run a full-system scan and remove any threats detected by the program:
Restart your computer and boot into normal Windows. With any luck, your computer will be running normally. If not, I again refer you to this Google Map link of area professional computer technicians.