Gamarue malware: How it works and how to remove it


Gamarue is an invasive and one of the most severe malware strains around. Dubbed Win32/Gamarue Malware by Microsoft Software Security, the program literally works to take over your computer. The malware can change your PC’s security settings as well as download malicious files from the internet and install them onto your computer.

This family of malware will download and install files and folders directly onto your PC’s Registry to disable some functions and get permissions for others. The Gamarue malware will also make changes to your web browser’s settings as well as add tool bars, adware, browser redirects, add-ons, and extensions. All of this without ever asking for your permission.

How Gamarue Malware infects computers

There are many possible ways the Gamarue malware can worm itself into your computer system. It can be through infected USB drives and external hard drives you connect to your computer, as well as through attachments to spammy emails that show up in your inbox. The malware will then download malicious files onto your computer and make registry changes.

Perhaps most disturbingly, Gamarue’s first act once it infects your computer is to make changes to the startup folder in the registry so all the rogue software it installs launches on startup. Once this happens you are literally at the mercy of the malware. Microsoft cites a few signs you can use to tell if Gamarue has infected your computer:

 is an invasive and one of the most severe malware strains around Gamarue malware: How it works and how to remove it

The malware opens you up to all manner of threats. For one, it can give hackers remote access to your computer. They will use plugins and other add-ons the malware installs on your computer to harvest your personal information, including passwords and banking information.

Besides exposing you to these threats, the malware will also make changes to your computer and browser that can open the door to viruses that harm your computer and corrupt your files.

Win32/Gamarue is known to target major browsers like Google Chrome, Internet Explorer, and Mozilla Firefox. By adding extensions and dubious browsers, the malware can unleash spammy adware that slows your computer and disturbs your browsing experience.

How to remove Gamarue malware from your computer

Needless to say, the moment you notice your computer behaving unusually, see any suspect extensions and add-ons on your browser, or have opened a suspicious looking email, you will want to immediately investigate the reason.

Before you do anything, you will want to neutralize the malware threat and stop it from spreading to the rest of your files. The best way to do that is by restarting your computer in Safe Mode. Safe Mode will start the PC with only the basic services running, which prevents the malicious software installed by the malware from launching on startup.

Microsoft has several free tools you can use to prevent malware attacks. For users of Windows 7 and Windows Vista, there is Microsoft Security Essentials. If you use Windows versions 8 and 10 there is Windows Defender antivirus tool. But in case, for some reason, you had your antivirus apps turned off, Microsoft has a free tool for removing malicious software, which is the solution we will discuss first:

Solution 1 – Scan your computer

There are several tools you can use to scan your computer for possible malware infection. Some, like Malwarebytes, are paid for, but some are free to download and use. For the free tools, you can do no better than using Microsoft’s own tools. And the Microsoft Malicious Software Removal Tool is a good one.

READ :  Start Menu and TaskBar Registry Tweaks for Windows 7

Once you download the tool and allow installation, it will ask you to select a scan option. I chose the Quick Scan option:

 is an invasive and one of the most severe malware strains around Gamarue malware: How it works and how to remove it

The full scan can take several hours. The Quick Scan, which I chose, was complete in under a minute.

 is an invasive and one of the most severe malware strains around Gamarue malware: How it works and how to remove it

After the scan, a message will display with the scan results. The tool will give you the option to open the full report. I took the option. This is part of the report:

 is an invasive and one of the most severe malware strains around Gamarue malware: How it works and how to remove it

As you can see Win3/Gamarue, which is the third item on the list in the image above was highlighted as not posing a threat. For now, my computer is free from the malware. Another way of scanning your computer, and deleting malicious  software installed by Gamarue, is by manually searching for it in the Windows Registry:

Solution 2 – Manually search the Windows Registry for malicious malware

The fact the Gamarue family of malware will infect your computer by adding malicious files to your computer’s registry means you can manually search the registry and remove them from there.

But beware, deleting or making changes to the wrong files in your registry will harm your computer. Before you proceed, backup your registry so can easily restore it if something goes wrong. Be sure to give your backup file a name you can easily recall.

To open the Registry Editor, click the Windows start icon, type regedit in the search bar, and hit enter. After you give the application the necessary permission, it will open the Registry Editor. Once there, navigate the following sequence:

HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion

Double click the Current Version folder to reveal a drop down menu. Browse the drop down menu from top to bottom and look for all folders with Run in the title. Depending on your computer, there could be folders like Run, Run Once, and others. These are programs that are set to run automatically, as soon as you start the PC.

 is an invasive and one of the most severe malware strains around Gamarue malware: How it works and how to remove it

Once you locate one, click on it once. A list of files will show in the column to the right. Scan these files to pick any that may look suspicious. To be sure the files are indeed malicious, google and read up on each of them. There is always a chance some may well be important system files that you should never delete or alter.

Quit and seek help from a professional if you are unsure what you are dealing with. If you are sure the file is malicious, right click on it to get the delete option. Repeat the process with all the other Run folders, deleting all malware, until the registry is clean.

Solution 3 – Reset your browser settings

After removing the Gamarue infection from your computer’s registry and other file folders, you will need to install a good anti-malware software. But before you do that though, you may want to undo all the changes made to your browser settings. The easiest way to remove all those extensions and spammy add-ons is to reset your browser’s settings to its original defaults.

Head over to your browser’s settings and navigate to the Reset folder. In Chrome, the Reset button is the very last under Advanced settings. This will strip your browser of all extensions and add-ons. Sadly, even those extensions you added yourself will be removed. You will thus need to add them all from scratch.

READ :  Fix: PS3 Media Server Windows Problems

Solution 4 – Disable autorun in Windows

We have discussed how USB thumb drives and other portable drives can be used to spread malware like Win32Gamarue. Infection is usually a consequence of the Autorun or Autoplay feature that is set as default on most Windows PCs. Every time you connect an external drive to your computer the PC will use the option you chose the last time you connected a similar external drive to open the files on the drive.

The consequence is, without Windows Defender or similar protection, the Autorun feature will inadvertently run malicious software that will infect your computer. The malware will then make harmful changes to your PC’s registry and install plugins that steal your passwords and other important personal information. One way of avoid running this risk is to disable Autorun on your computer.

 is an invasive and one of the most severe malware strains around Gamarue malware: How it works and how to remove it

With the Autorun feature turned off, as in the image above, you can be sure your computer will not automatically run any malicious software attached to the portable drives you may connect to your computer. There is always a risk these portable drives will have malware on them, especially if you sometimes use them on other people’s machines or if you use them to store files you download off the internet.

How to prevent Gamarue infections

Replace your passwords with stronger ones

Cleaning your PC of the Gamarue malware and all the malicious add-ons, plugins, and extensions it may have added to your PC and browser will likely be a draining exercise that will take time. Even though that will remove any immediate threat on your machine, but there is a risk your personal information may already have fallen into the wrong hands.

To protect yourself, make sure you replace all your passwords with new, stronger ones. Also, check your e-banking accounts for any unauthorized purchases that may have been made against your credit cards.  Notify your bank or credit card issuer if you notice any suspicious activity on your credit cards. It may not be a bad idea to check if your social media accounts haven’t been breached also.

Scan all removable drives

But, perhaps to totally eliminate the threat posed by malware that come through your portable drives, always scan USB drives, and any media device, before you connect them to your computer. It is also a good practice to periodically clean your computer to remove all malware, viruses, and bugs you pick up through your web browser.

Importantly, make sure all your antivirus software is up-to-date and that it is always enabled, especially when you are working online. Otherwise, always be vigilant and avoid visiting websites with expired security certificates. Today it can be Gamarue, tomorrow it may be a totally new malware, with a different mode of infection.




Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.