We are about to get philosophical. Remember how we were just talking about how there is straight up, NO possible way for us to know if your computer is owned? Well we are about to get into the exact same problem, but now for cleaning your computer. If you have evidence that a malicious program ran on your computer, you can never trust this computer ever again. That tiny PUP that kept changing your homepage to some Chinese marketplace could have been bundled with some nation state rootkit that overwrote your computer's foundational code down at the soul of the device and you aren't going to be able to remove that malware unless you return the silicon into sand.
However, that is very, very, very unlikely. As we have said before, you are not going to be targeted by nation states, or really anyone at all. If you get hacked, almost certainly by an untargeted attack, the malware will drop itself off, establish persistence, and then do its thing. While there have been examples in the past of standard malware going for rootkit persistence, that is significantly more difficult on modern operating systems. 99% of the time, if antivirus identifies the malware and removes it, you are good and don't have to worry about any follow on problems. Sure, that does leave room for the next 1%, so my recommendation is remove the malware, let that computer chill for a day or two if you can afford to use another, and then run the malware scan again. If you keep finding malware you have a bigger problem, but the rest of the time, you can just go back to using the computer as normal. It is no life to buy a new computer every time you mess up, and it gets expensive fast.
So with all that said, if you use your computer for nuclear launch codes, critical intellectual property, or managing the crypto wallets of your hoarded wealth in addition to casual internet surfing, don't destroy the pwned computer. Buy a new computer to do your serious business, and then clean up the old one as best you can and use the old computer to surf the web. Compartmentalization is key.
So how do I get it clean again?
Can't do better than this guide. https://blog.malwarebytes.com/101/2015/06/10-easy-steps-to-clean-your-infected-computer/ I might get some heat from some corners for recommending a specific malware remover, but hell, its Malwarebytes or Kaspersky and I'm not big on Russians.
Also, go to a clean computer and change all of your passwords immediately. Allllll of them. Remember, prior to resetting passwords, ensure that you have ended all the sessions your account is showing. If you reset passwords but sessions are still active, the attacker can still have access to your accounts.
What would happen if the malware doesn't all get deleted on the first run?
If all the malware is still there, it means that the anti-virus you're using isn't very good, or that the malware is pretty good. Maybe both. Either way, you are not good enough to go and manually delete everything you need to delete the malware yourself, so best bet is don't use the computer for a few days, then try and delete it again using your tools after their signatures get updated. Think about it this way, if a piece of malware gets by your anti-virus' signatures, there is a good chance that it is somewhat new. If you got hacked by it in an untargeted attack, most likely many other people did as well. This will lead to the anti-virus company identifying the malware as persistent and then analyzing it to identify what it is missing in the first clean. Then they will update the signatures and have a more effective removal process the next time. If the malware's persistence mechanism is so good you, Windows, and Malwarebytes still can't beat it, your best move is to reinstall the operating system. This will work in most cases, though there is a small chance of a rootkit/bookit or worse, firmware malware persisting across OS installs. If this happens... well honestly, you probably won't notice. But if you do think you have a bootkit... you don't, you're not that special.
Let's say you are actually someone important and you think you have a real bootkit (of which like 3 have ever been found in the wild). Get your computer to someone who can get it to the NSA because that's some high quality shit. They'll probably give you a sticker or something.
Repeat Attack Vectors
If you removed the malware, but you keep getting new malware a week or two later, and you are confident it isn't persistent, you need to figure out how you keep getting hit.
- If you haven't patched, you are still vulnerable! You should have auto update on.
- If you, or someone else keeps getting hit with attachments/etc, they need some user training
- Pirated Software
- If you keep downloading pirated shit, you will keep getting popped. That is just how it goes.
- Porn Popups
- Same shit, stop going on sketchy porn sites and downloading things.
- It could be persistent and just sleeps for a week upon install
- Reinstall your OS