How to remove malware from a Windows PC

happygeek 5 Tallied Votes 820 Views Share

There are two very obvious truths which need to be stated before going any further:

Truth 1 - prevention is better than cure, so don't visit 'dodgy' sites or download anything anyone sends you a link to, and do keep your PC as secure as possible with the help of security software such as real-time malware scanners and firewalls.

Truth 2 - when it comes to malware there is no single 'removes it all' solution, there are far too many malware variations out there from rootkits and zero-day exploits through to long-established malware families which are continuously evolving in order to thwart detection and removal attempts.

That said, there is a third truth which probably also needs mentioning; namely that shit happens and sometimes computers do become infected despite the best efforts of responsible users. So what should you do if you suspect that you have become the latest victim of the malware epidemic? This basic tutorial aims to highlight the procedures and resources available to users of the Windows Operating System, and should help get you on the path towards having a clean PC again; hopefully without having to take the nuke it, format and start again final option. Yes, I know that the real solution to malware is to run Windows within an isolated Virtual Machine environment that allows you to simply delete and restore a new instance if any infection gets in - but we are talking the real world here where very few users would go to those lengths and accept that level of inconvenience in the name of security.

Step 1.

Identify the symptoms and research them. If your browser is redirecting you to random sites, or displaying unwanted pop-ups, toolbars and the like, then Google some of the specifics or ask in the DaniWeb 'Viruses, Spyware and Other Nasties' forum where you may be able to draw on the experience of others to solve the problem quickly and without too much fuss. Iffy browser extensions and unwanted search toolbars are amongst the easiest of malware to deal with, and you can bet you are not the first to get stuck with them. Removal is usually very straightforward indeed, so don't feel embarrassed to ask for help.

Step 2.

Run your scans (see below) from inside Windows Safe Mode, a minimal version of the OS which uses safer generic drivers and will not run all of the startup apps you are used to and which any malware is also using. Hit the F8 key a few times while booting to enter Safe Mode, and then start your scan. It's not foolproof, see truth number 2, but it's your best bet.

Step 3.

If you suspect something more sinister than crapware or adware, which are bad enough, then make sure your security software/anti-virus scanner is updated with the latest files (assuming it's not clever enough to have blocked access to those vendor sites) and then run a full system scan to check for any known infection. If you don't have security software installed then most of the 'usual suspects' in the security vendor space will have free online scanners you can use. It's good practise to run more than one scan, from more than one vendor, anyway if you suspect you have an infection. After all, that very suspicion does suggest that maybe your current scanner (if it cannot detect an infection) isn't altogether trustworthy at this moment in time. The fourth truth, which has just occurred to me, is that n malware scanner is going to be able to detect and remove 100% of threats, so running a scanner combo makes a lot of sense. However, reboot your system after each has run a scan and performed any cleaning before running the next in line.

Step 4.

Be prepared, and have some emergency tools in your offline toolbox just in case the malware won't let you update or connect to an online vendor or use your installed software. One of the simplest ways of doing this is to create an emergency security USB thumb drive which has a copy of MBAM on it (MalwareBytes Anti Malware) which is free to use. If you haven't done this in advance, then use someone else's computer to download the executables onto a USB stick. Oh, and make sure you use the 'Deep Scan' which can take a long time to complete, so have a cup of coffee or three waiting. As I said before, layering your tools is a good idea so install a copy of the Kaspersky TDSSKiller rootkit detection and removal utility alongside MBAM as rootkits are well known for being hard to find (they intercept the Windows API at a low-level.) TDSSKiller won't take long to perform a scan, but if a rootkit is hiding it is an excellent way of finding it and nuking it at the click of a button and a reboot.

If you cannot get into Safe Mode (see step 2) then it's possible to get in and clean up by booting into a Linux environment via CD/USB and manually identifying and deleting rogue files. Possible, but not really a real world option for the vast majority of 'normal' users. Which is where another third party resource comes in; HitmanPro Kickstart can be added to your USB stick toolbox and is free for 30 days use (it comes as part of the HitmanPro scanner software.) Boot the PC from the USB stick and Kickstart will give you a familiar 'live' Windows environment in which to work and access registry keys and files to determine what needs cleaning. The Hitman is fully automated and works pretty well in my experience of testing it out.

Step 5.

This is where, if everything you have tried so far has been to no avail, you go back to step 1 and ask for help. Try the security vendor sites as they will often help people even if they are not users of their software, or dedicated security support forums such as bleepingcomputer or here on DaniWeb of course. Most will want to know details that you cannot supply without running certain forensic detection tools, but don't worry they will all (including us as DaniWeb) give you precise instructions on what to download and how to use them to create logs which can then be posted for analysis by experts.

Step 6.

Unfortunately, sometimes there really is only one option left when dealing with malware and it's the one that some folk choose to use as their preferred Step 1 - namely, the reformat and start again option. There are good reasons for going straight in with this sledgehammer to a nut approach, not least that in most cases it offers the best chance of a truly clean system to use and can even take less time than going through the process of running forensic tools and waiting on others to analyse them, or performing deep scans and cleansing routines. This does depend upon whether you have a known clean system image to restore, and data that is accessible from the cloud or another storage system that isn't tied into your PC of course.

Reverend Jim commented: Definitely bookmarked. +12
Stuugie commented: Great read! +6
henri2398 -1 Newbie Poster

There are several ways through which you can
remove malware from your infected computer.

• First you can use anti-virus program to remove malware and related virus.
• If your computer is infected with malware then you can see unwanted software has been installed on your computer. Just uninstall them.
• You can use free but yet powerful anti-malware tool that will detect the undetected malware and removes them from root out of your computer.

Hope this will help you.

XP78USER 30 Posting Whiz in Training

Pure guts I use no antivirus

zinist 0 Light Poster

Hi,
Thanks for sharing such a valuable information.
Keep sharing

XP78USER 30 Posting Whiz in Training

I read a few articles that Davey Winder talked about in the PC & Tech Authority about Security

y0f4n 3 Newbie Poster

mostly easy for us remove virus or client infected with tools. unfortunely some nasty virus can't be removed. for first step
Disable autorun some unknown application, it can be done from msconfig or by registry are wish

Bill_13 0 Newbie Poster

I've been studying cyber security for about a year now, and I'm really just shaking my head at this article!

A serious malware or rootkit will successfully hide itself from your OS and your AV, so long as you're booting from the infected system.

If your security was so bad that you have a less sophisticated issue (adware, etc.), then you may well have serious malware also, but just not yet be aware of it.

The only secure remedy is to boot from a non-infected thumb drive or disc; scan and clean your critical data, then copy it to other media. Now you have two choices for your remaining drives - especially your OS drive:

  1. Destroy it and replace with a new drive. (Safest option)
  2. Re-partition & format the drive (Fairly safe if done properly).
  3. Before reinstalling your OS and software, rethink your choices so that you don't go down that same bumpy road again!

Really consider Linux Ubuntu. It's free; it's as easy to use as Windows; all the software you're likely to ever need is free;

No matter which OS you use, you'll need a hardware firewall (router in most cases) and a software firewall (both properly configured); good anti-malware program and a regular backup system to offline media or cloud.

Setting your DNS to OpenDNS will help keep you from bad websites.

Once each week, check that your OS and browsers are up-to-date and properly patched.

  • Hank
Cooper_1 0 Newbie Poster

I would also have to agree with Bill13's point above. Many forms of malware can hide from AVs, which is why it is always advisable to pair it with a anti-malware tool of some sort.

Other extra scans for besides HitmanPro and TDSSKiller mentioned in point #4 are RogueKiller and AdwCleaner. The more, the merrier.

I would also suggest having third party instant restore software like deep freeze or drive vaccine.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Hank, some good points but for the record I've been working in and writing about 'cyber security' for more than 20 years now. Much of what you take issue with is covered in step 4 of that article - and it's this advice that you are essentially repeating when you state "The only secure remedy is to boot from a non-infected thumb drive or disc; scan and clean your critical data." However, just to clarify:

Some, not all, malware is of the rootkit variety and some, not all, is sophisticated enough to hide away totally. Much, not all, of the stuff that does can be dealt with as I said by "booting into a Linux environment via CD/USB and manually identifying and deleting rogue files." Much, not all, can also be dealt with using something like HitManPro Kickstart.

Bill_13 0 Newbie Poster

Davey,

Thanks for taking the time to respond. I should have done a little research on you before replying. However -

Your “Step 4” comes over 600 words into the article. The part about booting from a disc comes in its 2nd paragraph, now over 800 words deep! My eyes had glazed over before that point, as perhaps had those of many others.

Your “Step 1” states, “Removal is usually very straightforward..”, and has the user operating from the infected system.

Your response post states, “Some, not all, malware is of the rootkit variety and some, not all, is sophisticated enough to hide away totally.”

Since your article is meant for people who are not particularly experienced in dealing with malware – especially the newest generation of malware, I feel strongly that you should not be giving these particular points of advice here.

First, let me make the distinction between sophisticated hackers and sophisticated malware. The former are (hopefully) few. But the latter, can be readily downloaded by any script-kiddie or wanna-be stalker, etc., and used with less than fifteen minutes of “learning”.

To expect the average user to be able to discern between regular “crapware” and “something more sinister”, well that had me scratching my head. Especially since if you have the one, you might very well have the other as well, yet the article doesn't seem to give advice on how to determine which it is, or whether it's both.

Finally, (I've edited out several other points for brevity's sake) – only near the very end of your 1200 word article (can you tell I'm having fun with LibreOffice's word count?), do you make MY POINT about the “nuclear option” - “ in most cases it offers the best chance of a truly clean system”

I do respect your experience and look forward to reading more of your articles in the future. I'll chalk this article up to possible deadline pressures, since your thoughts later in the process come closer to what we probably now agree (I'm guessing) should have been earlier in the article.

rubberman 1,355 Nearly a Posting Virtuoso Featured Poster

These days, malware can hide in the BIOS flash area, or in disc drive flash memory. They are almost impossible to detect, and remove. The NSA uses these techniques, and they are the most sophisticated "hackers" in the world. If you keep getting infected on reboot, first try erasing/resetting your BIOS flash memory (this may require shorting out physical contacts on your motherboard). If that doesn't work, do that again, and replace your disc drive(s). I don't know of a way to remove malware from a disc drive flash cache. If anyone knows how to do that, I would love to hear about it!

Bill_13 0 Newbie Poster

rubberman - in the case of sophisticated attacks that seem to be "above and beyond", a good case of forensics should be considered. The victim shouldn't assume that removing the discovered threat is the end of the game. Learning the attacker's identity, motive and avenue of attack is going to be very important in preventing a recurrance.

And we should remember, that physical security (i.e.: bank vaults, armored cars, locked doors, etc.) aren't 100% fool-proof, and we have no reason to expect our cyber security to be any better.

As to your question - A hammer is probably the best recourse. Especially considering the cost of harddrives these days.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Hank, you guessed wrong - I'm afraid I don't agree that the article should have simply stated "destroy your hard drive and install Ubuntu" - sorry. :)

goodtaste 0 Junior Poster

I use antivirus and antimalware software, but eventually something comes along that has to be removed manually, I don't know why that is, but that has always been my experience.

IntegratedTweak 16 Junior Poster in Training

There are also tools that can help you out in the malware removal process like Farbar Recovery Tool, HijackThis, RogueKiller and Junkware Removal tool. What this will do is scour your entire system for any suspicious programs and or related adware.

Bill_13 0 Newbie Poster

Re: IntegratedTweak -

It depends on your security needs. Do online banking? Buy stuff online? Then you need to be CERTAIN that all malware has been removed. And the truth is that no program running from your OS can detect today's rootkits, keyloggers, etc. And even running from a disc, can you ever be CERTAIN when they say they found and removed something? Was that the ONLY bad thing on your drive? Even Symantec has admitted that there are things that just aren't detectable any longer. Any thirteen-year-old can download a rootkit, send it as a Word attachment, and have full control over your system from that point on, and it is unlikely to be discovered by any of the programs mentioned in these posts.

greenknight 0 Newbie Poster

Malwarebytes Anti Malware, mentioned in Step 4, is an excellent program - but you failed to mention another important tool from them, Malwarebytes Chameleon. When malware blocks you from installing or running Malwarebytes Anti Malware, this will install it under a random file name so malware can't recognize it.

JacobBrown -4 Newbie Poster

There is one software on my PC, and I cannot remove it, even through the Control Panel. When I remove it, I will enter in a webpage.

Dentalclinic 0 Newbie Poster

Great post!!
Thanks for sharing such a valuable stuff.
:D :D

rinston 0 Light Poster

I have anti-virus but still malwares attack my computer occassionaly. I just discover that when I run full system scan.

goodtaste 0 Junior Poster

Thank you very much for sharing. I try to be very careful, but I have noticed that my new computer gets overwhelmend much too often with malware (in spite of having protection) and I have to be running scans a whole LOT. (I hate Windows 7 and Windows 8!!!) It is very valuable to know what to do.

christine06 0 Newbie Poster

already starts with ccleaner

christine06 0 Newbie Poster

and then you download and you adw cleaner performs cleaning

Stuugie 50 Marketing Strategist

I use Trend Micro as my first line of defense and have been very happy with it during the last 3 or so years. Once in a while I will scan with Malwarebytes and most of the time there are no issues on my PC. The only questionable activities I take part in are the odd torrent downloads but even that is minimal. I believe the best way to avoid malware is to not get clickety with urls and don't fall for social engineering tricks!

If I don't know the email sender and I get a "Click Here" link in an email body, I delete the whole message. Social engineering is still one of the most effective ways for intruders to gain access to people's computers. I have "cleaned up" friends' PCs because they get tricked into a click, download porn torrents or games, or they visit questionable sites.

This is a great thread!

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.