The Complete Malware Removal Guide
Malware is everywhere these days. You only have to sneeze in the wrong café, and you have malware. Okay, maybe not that bad. But as the networked world expands, so does the potential for infection.
This MakeUseOf guide is a step-by-step approach to removing a significant amount of malware. Furthermore, we’re going to show you how to stop malware infecting your system, to begin with. And if you don’t have to worry about malware, you’ll have more time for the finer things in life.
We cannot deliver a guide detailing removal instructions for every piece of malware or ransomware out there. There are simply too many. However, we can aim to remove most malware infections for a Windows 10 machine. Furthermore, many of the fixes and methods detailed are compatible with older Windows versions.
Eradicating malware from your system is a lengthy process. Malware of almost any variety is destructive. Furthermore, malware developers aren’t interested in making removal an easy process — that would be counterproductive. So, for the vast majority of computer users, removing malware requires guidance.
If you think your computer is infected, you need this guide.
- How Do I Know I’m Infected?
- Prepare Your System
- Safe Mode and System Restore
- Malware Removal
- After the Removal Process
- Ransomware
- How to Stop Another Malware Infection
- Home and Dry
1. How Do I Know I’m Infected?
Because there are many different varieties of malware, there are many different malware symptoms. The symptoms vary from the extremely obvious to the extremely subtle. Below is a list of common malware symptoms.
- Your computer shows strange error messages or popups
- Your computer takes longer to start and runs more slowly than usual
- Freezes or random crashes affect your computer
- The homepage of your web browser has changed
- Strange or unexpected toolbars appear in your web browser
- Your search results are being redirected
- You start ending up at websites you didn’t intend to go to
- You cannot access security related websites
- New icons and programs appear on the desktop that you did not put there
- The desktop background has changed without your knowledge
- Your programs won’t start
- Your security protection has been disabled for no apparent reason
- You cannot connect to the internet, or it runs very slowly
- Programs and files are suddenly missing
- Your computer is performing actions on its own
- Your files are locked and won’t open
If your system is displaying one or more these symptoms, malware could be the cause.
2. Prepare Your System
The first thing to do before commencing with malware removal is to back up your files to a secure offline location. The removal process can damage your system and other important files, and some malware variants react aggressively once a clean-up begins, deleting or encrypting your documents on the way out.
In this case, I strongly advise using an external storage device rather than a cloud solution, and for a good reason. Before restoring your private files to your soon-to-be-clean computer, we must thoroughly scan the backup for traces of infection. If the malware is present in your backup, you will copy the infection straight back to your computer and be back to square one. (Furthermore, ransomware that encrypts a synced folder gets those encrypted copies uploaded by the sync client, overwriting the good versions in your cloud drive; more on ransomware later.) Copy only your own data (documents, photos, and the like), never installers or anything executable, and unplug the drive as soon as the copy finishes.
2.1 How to Scan Your Backup USB Drive
An easy and quick way to save the trouble is to scan your USB drive before connecting it to the cleaned machine. I’ve got two options for you.
USB Disk Security is a handy free tool that delivers a reasonably high level of protection against infected USB drives. Download and install the tool. When you’re ready, open USB Disk Security and select the USB Scan tab. As we are stopping malware, select the large USB Vaccine button. When you insert your backup USB drive, it will automatically scan for potential threats.
Ninja Pendisk is another free tool that will quickly scan and immobilize an infected USB drive. The tool will also create a special autorun.inf with special permissions to protect against reinfection (in case your system isn’t entirely clean). Bear in mind that Windows 7 and later ignore autorun.inf on USB flash drives, so the vaccination trick mainly protects older machines; on Windows 10 the scan is what counts, and a full scan of the drive with your regular antivirus (right-click the drive in Explorer and choose its scan option) is a sensible addition.
3. Safe Mode and System Restore
Let’s begin the removal process. This can take some time. Furthermore, success might not come from the first fix we try. Malware removal is, at times, a very frustrating process.
Many malware variants meddle with your internet connection. Some malware variants create a proxy to route all of your traffic while others simply hide your network connection. Others stop you accessing your desktop or prevent certain programs from running. In all cases, we boot to Safe Mode. Safe Mode is a limited boot mode accessed through Windows’ Advanced Boot Menu.
To access Safe Mode from within Windows 10, press Windows Key + I, type advanced start in the Settings search bar, and select Change advanced startup options. Select Restart now under Advanced start-up. This immediately restarts your system to the Choose an option screen. Go to Troubleshoot > Advanced options > Startup Settings > Restart, and when the Startup Settings list appears press 5 (or F5) for Enable Safe Mode with Networking.
Alternatively, hold Shift while you click Restart in the Start menu’s power options to reach the same Choose an option screen. The old method of tapping F8 during boot (before you see the Windows logo) is disabled by default on Windows 10, and fast boot and the rapid boot speeds of SSDs leave little time to press it anyway, so don’t rely on it.
3.1 System Restore
Before commencing, let’s check if you have a System Restore point created before your issues started. System Restore allows us to roll the entire system back to a previous point in time. A Restore Point can quickly alleviate some forms of malware.
Type Restore in the Start menu search bar and select the best match. This will open the System Properties panel. Select System Restore. If you have a restore point, check its creation date. If you believe a restore point was created before the malware infection, select it from the list, and select Next. (Select Show more restore points to look further back.)
Unsure about what installation introduced malware to your system? Highlight a restore point and select Scan for affected programs. This lists the programs and drivers installed since the creation of the restore point.
Run System Restore from Safe Mode if you can, since some malware variants block System Restore in normal mode. Bear in mind that a restore point rolls back system files, installed programs, and the registry but leaves your personal files alone, so anything malicious sitting in your user folders survives the roll-back. Run the scans in the next section regardless.
3.2 Remove from Programs and Features
Type Control Panel into the Start menu search bar. Head to Programs > Programs and Features. Sort the list by Installed on. Look down the list, paying attention to the Publisher column as well. Is there anything you don’t recognize, with an obscure name, or with no publisher at all? If so, right-click and select Uninstall. A quick search for the exact program name first saves you from uninstalling something legitimate.
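The same inventory from the command line, as an added example that is not part of the original guide: Programs and Features is built from the Uninstall keys in the registry, so this PowerShell snippet reads those keys directly (64-bit, 32-bit and per-user hives), sorts newest first, and shortlists entries with no publisher or with an uninstaller sitting in Temp or Downloads, which legitimate installers rarely use. The folder names in the pattern are my own heuristic, not a rule the page states.

```powershell
# Added example, not from the original guide: list installed programs from the
# registry (the same data Programs and Features shows), newest first, and flag
# entries whose uninstaller lives somewhere a legitimate installer rarely uses.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |                  # skip hotfix/component stubs with no name
    Select-Object DisplayName, Publisher, InstallDate, UninstallString |
    Sort-Object InstallDate -Descending                # InstallDate is yyyyMMdd, so string order is date order

# Full list, newest install at the top.
$programs | Format-Table DisplayName, Publisher, InstallDate -AutoSize

# Shortlist: no publisher, or an uninstaller under a Temp or Downloads folder.
# Heuristic only; check the name online before removing anything.
$programs | Where-Object {
    -not $_.Publisher -or $_.UninstallString -match '\\(Temp|Downloads)\\'
} | Format-Table DisplayName, Publisher, UninstallString -AutoSize
```

Per-user installs (the HKCU hive) are worth a close look: adware and browser hijackers often install there because it needs no administrator prompt.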
4. Malware Removal
There are numerous malware variants. We’re going to use some of the best tools available to attack as much as possible, in this order:
- Rkill
- Kaspersky TDSSKiller
- Malwarebytes Anti-Rootkit BETA
- Malwarebytes 3.x
- Malwarebytes AdwCleaner
- HitmanPro
Seems like a lot? Malware isn’t easy to obliterate.
4.1 Rkill
First up, we use Rkill to kill any malware processes that have made their way into Safe Mode. Theoretically, Safe Mode stops malware processes from running, but that isn’t always the case. Rkill terminates known-malicious processes that would otherwise block the removal tools; it does not remove anything itself.
Download Rkill and run it. It is an automated process, and it writes a log of what it terminated. When Rkill completes, do not restart: the malicious processes will simply start again on reboot, so go straight on to the scans below while your system stays on.
4.2 Preliminary Rootkit Scan
A rootkit is malware built to hide. The name comes from the root (administrator) account on Unix and Linux systems plus “kit”, the set of tools that keeps that level of access concealed. Rootkits hook the operating system to hide their files, processes, and registry keys from the OS and from security tools, and they typically give an attacker remote control over the system. Rootkits act as a backdoor for other types of malware.
For instance, someone could scan their system with an antivirus. The antivirus picks up “regular” malware and quarantines the infections accordingly. The user restarts their computer in the belief they have cleaned the infection. The rootkit, however, allows the malefactor to reinstall the previously deleted malware automatically — and the user is back where they started.
Rootkits (and the bootkit variant, which infects the boot sector or boot loader so that it loads before Windows does) are notoriously difficult to detect because they sit underneath the software that is looking for them. 64-bit Windows 10 users are slightly safer than users of other versions of the operating system, because the kernel refuses to load unsigned drivers and Secure Boot guards the boot path. Enterprising hackers, however, have stolen legitimate code-signing certificates to sign their rootkits. You’re not entirely out of the woods!
Luckily, there are two tools to scan your system with. That said, neither is 100% accurate.
Kaspersky TDSSKiller is a well-known rapid rootkit scanner, originally written for the Rootkit.Win32.TDSS family and since extended to others. Kaspersky’s download page contains a full list of the malicious programs TDSSKiller removes.
Download TDSSKiller and run the file. Follow the on-screen instructions, let the scan complete, and remove anything malicious. Reboot your system into Safe Mode as per the earlier instructions.
Malwarebytes Anti-Rootkit BETA (MBAR) is our second easy-to-use rootkit removal tool. Download and run the program, extracting it to your Desktop. MBAR has carried the beta label for years; it is a disclaimer that the program might miss an infection, not a sign that it is unfinished. Update the database, then Scan your system.
Delete any malicious entries when the scan completes. Restart your system in Safe Mode as per the earlier instructions.
4.3 Malwarebytes 3.x
Malwarebytes is a malware removal mainstay . Malwarebytes scans and quarantines malware, allowing us to clean the system thoroughly. Open Malwarebytes and update your malware definitions. Then hit Scan Now and wait for the process to complete.
Malwarebytes tends to throw up a number of false positives. For instance, certain Bitcoin mining apps will appear as malware (usually as potentially unwanted programs, which is a judgement call rather than a mistake). Unsigned or obscure executables are more likely to be flagged by heuristics, understandably, since most malware is unsigned.
Check down the infected items list when the scan completes. Cross-reference items marked malware with their file name. You can do this by completing an internet search using “[file name] Malwarebytes false positive.” Alternatively, complete an internet search for “[file name] malware.” Quarantine and remove any confirmed malware; leave a genuine false positive where it is and add it to the exclusions list so it stops reappearing.
Jotti and VirusTotal
I’m just going to throw a word in here regarding the online file scanning services Jotti and VirusTotal. Both services allow you to upload individual files for scanning against dozens of antivirus engines. The results are cataloged by the services and made available to antivirus developers to increase the detection accuracy of their products.
They are by no means a replacement for antivirus and antimalware products. They can, however, quickly ascertain the status of your false positive. Two caveats: an uploaded file is shared with the antivirus vendors and with security researchers, so never upload private documents; and for a file you are merely curious about, look up its SHA-256 hash first (VirusTotal accepts a hash in its search box), which tells you what the engines think without sending the file anywhere. An unknown hash means the service has never seen the file, not that the file is safe.
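This is an added example, not code from the original guide, covering two things from this section at once: the process check Rkill performs in 4.1 (what is actually running in Safe Mode) and the hash lookup just described for checking a false positive. It lists each running executable once with its Authenticode status and SHA-256, then shortlists anything unsigned or running from a user-writable folder. The folder pattern is my own heuristic.

```powershell
# Added example, not from the original guide. Lists every running executable
# once, with its path, Authenticode signature status, signer and SHA-256 hash,
# then prints the ones that are unsigned or run from user-writable folders.
# Run from an elevated PowerShell so that system processes expose their paths.
$report = Get-Process |
    Where-Object { $_.Path } |          # protected/kernel processes expose no path; skip them
    Sort-Object Path -Unique |          # one row per executable, not per process instance
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.Path
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [PSCustomObject]@{
            Name      = $_.ProcessName
            Path      = $_.Path
            Signature = $sig.Status     # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer    = $signer
            SHA256    = (Get-FileHash -Path $_.Path -Algorithm SHA256).Hash
        }
    }

# Worth a closer look: anything not validly signed, or running from a location
# ordinary users can write to. Legitimate software does both occasionally, so
# this is a shortlist, not a verdict.
$suspects = $report | Where-Object {
    $_.Signature -ne 'Valid' -or
    $_.Path -match '\\(Temp|AppData|ProgramData|Users\\Public)\\'
}
$suspects | Format-List Name, Path, Signature, Signer, SHA256

# Paste a SHA256 value into the VirusTotal search box: a hash lookup shows what
# the engines think without uploading the file. To end one of these processes
# before the scanners run (what Rkill does for known-bad names), use:
#   Stop-Process -Name <ProcessName> -Force
```

A HashMismatch status is the interesting one: the file carries a signature, but its contents no longer match it, which is what a patched or infected binary looks like.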
4.4 Malwarebytes AdwCleaner
Malwarebytes AdwCleaner is next on the list. Another Malwarebytes product, AdwCleaner scans and removes adware and browser hijackers. AdwCleaner can throw up a lot of results depending on the level of infection on your system.
The latest version of AdwCleaner bundles issues by the program, listing services, registry issues, malicious shortcuts, browser redirects, and more. For instance, if you use Chrome, issues relating to the browser will all be listed within a drop-down menu. From there you can quarantine malicious extensions and more.
Another handy Malwarebytes AdwCleaner feature is the integrated Winsock reset. Winsock is the Windows sockets API that applications use to talk TCP/IP, and it lets third-party Layered Service Providers (LSPs) insert themselves into every connection, which is exactly how some adware injects advertisements and redirects searches. If your browser searches are being hijacked and redirected, resetting Winsock clears those third-party entries and can alleviate some of the problems. A reboot is needed for the reset to take effect.
4.5 HitmanPro
HitmanPro is a powerful paid-for secondary malware removal tool. Don’t worry about paying for HitmanPro just yet. You can download and use the free trial to remove your current infection. Select No, I only want to perform a one-time scan, then select Next.
Even after other malware removal efforts, HitmanPro can throw up more results. That’s why we use it last — to pick up anything that has slipped the net. Like some of the other tools we have used, HitmanPro can throw out a false positive or two, so double-check before quarantining.
4.6 Antivirus Scan
At this point, we scan the system with your antivirus. If you do not have antivirus installed, I presume you’re using Windows Defender. Windows Defender isn’t the worst product out there by a long shot, and it isn’t the best free product either, but it is certainly better than nothing. Check out our list of the best free antivirus programs around; I suggest Avira or Avast.
Back to business. Complete a full system scan to see what is lurking. Hopefully, the answer is nothing. If so, you’re good to head to the next section.
If not, I’ve some slightly bad news for you. This is where our paths separate. This guide focuses on offering coverall tools for malware removal. But, friend, all is not lost. You have three options:
- Complete the list again, in order. Some malware drops or reinstalls other components. Running through the list again may catch and remove further nasties.
- Note the specific names of the malware families detailed in the results of your antivirus scan. Complete an internet search for “[malware family name/type] removal instructions.” You’ll find much more detailed instructions specifically for the type of infection.
- Back up your data (and scan that backup, as in section 2), then reinstall Windows from known-good installation media. It is the surest way to be rid of an infection that keeps coming back, and for a rootkit or bootkit it is often the only way to be confident.
5. After the Removal Process
After you’ve removed the offending malware from your system, there are a few little clean-up jobs to take care of. They don’t take long but can be the difference between recommencing regular operations and succumbing to malware again.
5.1 System Restore
We attempted to use System Restore to roll back your system. If that didn’t work, or you have restore points created after the introduction of malware to your system, you must delete them: a restore point taken while the machine was infected contains copies of the malware, and rolling back to it later reinfects you. We’ll use Disk Cleanup to remove all but the most recent restore point.
Type disk clean in the Start menu search bar and select the best match. Select the drive you’d like to clean; in many cases, this will be C:. Select Clean up system files followed by the drive you’d like to clean (the same one as first selected). Select the new More Options tab. Under System Restore and Shadow Copies select Clean up… and proceed with the deletion.
5.2 Temporary Files
Next up, clean your temporary files. Windows’ own Disk Cleanup (the tool from the previous step, with Temporary files and Temporary Internet Files ticked) does this job without installing anything. If you prefer CCleaner, download the free version only from the vendor’s own site and check the installer’s digital signature before running it: in September 2017 a CCleaner release was itself trojanized before distribution, a reminder that clean-up tools are software too. CCleaner now has smart cookie detection, leaving your most visited and important cookies in place.
Press Analyze and wait for the scan to complete. Then press Run Cleaner.
5.3 Change Your Passwords
Some malware variants steal private data. That data includes passwords, banking information, emails, and more. I would strongly advise changing all of your passwords immediately, and doing it from a different device you trust rather than from the machine you have just cleaned. Start with your email account, since it can reset everything else, then banking.
Using a password manager is an excellent way to keep track of the myriad online accounts. Better still, it allows you to use an extremely strong password in place of others. But if your computer is compromised, you should change your master password for your manager of choice.
5.4 Reset Your Browser
Some malware variants alter your internet browser settings. We can reset your browser settings to ensure anything malicious is removed.
- Chrome: head to Settings > Advanced > Reset and clean up > Restore settings to their original defaults. (Older versions: Settings > Show advanced settings > Reset settings.)
- Firefox: open the menu and select Help > Troubleshooting Information, then select Refresh Firefox (called Reset Firefox in older versions) and confirm.
- Opera: close Opera. For the old, Presto-based Opera, open an Elevated Command Prompt by pressing Windows Key + X and selecting Command Prompt (Admin), copy the following command into the window, and press Enter: del %AppData%\Opera\Opera\operaprefs.ini. Current, Chromium-based Opera keeps its profile in %AppData%\Opera Software\Opera Stable; rename that folder while Opera is closed and it is recreated with default settings on the next launch.
- Safari: head to Safari > Reset Safari > Reset (older versions; newer Safari has no single reset, so clear history, website data, and extensions separately).
- Edge pre-Fall Creators Update: head to Settings > Clear Browser Data. Select the drop-down menu and check all the boxes.
- Edge post-Fall Creators Update: press Windows Key + I. Open Apps. Scroll down to Microsoft Edge and select Advanced > Reset.
Whichever browser you use, open its extensions list afterwards and remove anything you did not install yourself; hijackers frequently live there.
5.5 Check Your Proxy Settings
Adding to the browser reset, it is also worth double-checking that there aren’t any unexpected proxies lurking.
Head to Control Panel > Internet Options > Connections > LAN Settings. Check Automatically detect settings, ensure Use a proxy server remains clear, and ensure Use automatic configuration script is clear as well: a malicious PAC script entered there redirects every request just as effectively as a proxy address does. If there is a proxy address or script URL that you didn’t insert, note it down and rescan your computer. Windows 10 exposes the same settings under Settings > Network & Internet > Proxy.
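An added example, not part of the original guide, that covers both this proxy check and the Winsock reset mentioned under AdwCleaner in section 4: it dumps every place Windows keeps proxy configuration (the per-user Internet Settings key, including the PAC script URL, and the separate system-wide WinHTTP proxy), then clears a hijacked configuration and resets Winsock. The registry path and the netsh commands are standard Windows; run it from an elevated PowerShell and reboot afterwards.

```powershell
# Added example, not from the original guide. Inspect, then clear, every place
# Windows stores proxy configuration, and reset the Winsock catalog.
# Run from an elevated PowerShell; a reboot is required after the Winsock reset.

$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1. Per-user proxy as seen in Internet Options > LAN Settings.
#    ProxyEnable=1 with a ProxyServer you did not set, or any AutoConfigURL
#    (the PAC script), means traffic is being steered.
Get-ItemProperty -Path $inet |
    Select-Object ProxyEnable, ProxyServer, ProxyOverride, AutoConfigURL |
    Format-List

# 2. The machine-wide WinHTTP proxy is configured separately and is used by
#    Windows Update and other services. "Direct access (no proxy server)" is normal.
netsh winhttp show proxy

# 3. Only run the following if the values above are not yours.
Set-ItemProperty    -Path $inet -Name ProxyEnable   -Value 0
Remove-ItemProperty -Path $inet -Name ProxyServer   -ErrorAction SilentlyContinue
Remove-ItemProperty -Path $inet -Name AutoConfigURL -ErrorAction SilentlyContinue
netsh winhttp reset proxy

# 4. Winsock reset removes third-party Layered Service Providers that adware
#    uses to sit inside the network stack; flush DNS so cached poisoned answers go too.
netsh winsock reset
ipconfig /flushdns
```

Note the proxy values down before clearing them: a PAC URL or proxy address is a useful search term for identifying the adware family, and a lead for your antivirus vendor.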
5.6 Restore Default File Associations
Sometimes after a malware infection, you’ll find that you cannot run or open any programs at all. This issue usually comes down to a hijacked .exe file association: malware changes the command Windows runs for every executable so that the malware is launched first (or instead).
We’ll use a tiny program to fix the broken file associations. Use this link to download exeHelper. You’ll have to accept the forum terms and conditions, but don’t have to sign up to anything. Right-click the downloaded file and select Run as Administrator. Let the process complete.
You can manually replace file associations using a registry entry (.reg) file. Use this link to download a comprehensive list of file types and protocols, via TenForums. Once downloaded, unzip the file and double-click any association you’d like to restore to default. A .reg file is plain text, so open it in Notepad first and confirm it only sets the keys you expect.
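As an added example (my own, not from the guide or from exeHelper), here is the check behind those fixes. Two registry values decide how Windows launches any .exe: the .exe extension must map to the exefile class, and exefile’s open command must be exactly "%1" %* (run the file, pass its arguments). If anything else appears in front of "%1", every program you start is routed through that file. The script reports the current values and restores the defaults if they differ.

```powershell
# Added example, not from the original guide: verify and repair the .exe launch
# path that malware hijacks when "nothing will open". Run from an elevated
# PowerShell (writing to HKEY_CLASSES_ROOT needs administrator rights).
$expected   = '"%1" %*'
$extKey     = 'Registry::HKEY_CLASSES_ROOT\.exe'
$commandKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'

$exeClass = (Get-ItemProperty -Path $extKey     -ErrorAction Stop).'(default)'
$openCmd  = (Get-ItemProperty -Path $commandKey -ErrorAction Stop).'(default)'

"Class for .exe : $exeClass"
"Open command   : $openCmd"

if ($exeClass -ne 'exefile' -or $openCmd -ne $expected) {
    Write-Warning 'The .exe association has been altered; restoring the Windows defaults.'
    # Note the old command first: the path in front of "%1" is the malware's own file.
    Set-ItemProperty -Path $extKey     -Name '(default)' -Value 'exefile'
    Set-ItemProperty -Path $commandKey -Name '(default)' -Value $expected
} else {
    'The .exe association is intact.'
}

# A per-user override under HKCU takes precedence over HKEY_CLASSES_ROOT and
# should not normally exist at all. Malware can hijack .exe there without
# administrator rights, so check it even when the machine-wide values are fine.
$userOverride = 'HKCU:\Software\Classes\.exe'
if (Test-Path $userOverride) {
    Write-Warning "Per-user override found at $userOverride; inspect it and remove it if you did not create it."
}
```

If PowerShell itself will not start because of the hijack, run it from Safe Mode, or open Task Manager and use File > Run new task with the Create this task with administrative privileges box ticked.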
5.7 Check Your Hosts File
Every operating system has a hosts file. The hosts file maps hostnames to IP addresses, and the resolver consults it before asking your DNS server, so an entry there overrides DNS. In that sense, you can make any name point anywhere. That is exactly why some malware variants add their own entries: to bring you back to a phishing site or other malicious site again and again, or to point antivirus vendors’ update servers at 127.0.0.1 so your protection can no longer update.
Find your hosts file:
- Windows: C:\Windows\system32\drivers\etc\hosts
- Mac and Linux: /etc/hosts
You will need administrative access to edit the hosts file: open Notepad as administrator (right-click, Run as administrator) and open the file from there, choosing All Files in the file-type box because hosts has no extension. Use a plain text editor only; the file must stay plain text with no extension.
So, what are you looking for? Anything that looks or sounds untoward. The Windows 10 hosts file ships with every line commented out (each line begins with a “#”), so any uncommented line was added later, by you, by software you installed, or by malware. A mapping of localhost or your hostname to 127.0.0.1 (or ::1) is completely normal; do not panic if you spot that. Lines sending security vendors’ or Windows Update domains to 127.0.0.1 or 0.0.0.0, or sending a bank or webmail domain to an address you don’t recognise, are the classic signs.
Delete any offending entries (after cross-checking online), save your edits, and exit.
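The review above, done by script, as an added example that is not part of the original guide: it prints every active (uncommented) hosts entry, labels those that sinkhole a name or send it to an external address, flags security-vendor and Windows Update domains by name, and checks two places malware uses to sidestep your edit (the file’s Hidden attribute, and the Tcpip DataBasePath registry value that tells Windows where the hosts file lives). The vendor name list is my own and is illustrative, not exhaustive.

```powershell
# Added example, not from the original guide: audit the Windows hosts file.
# Read-only; nothing here edits the file.
$hostsPath      = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$loopbackOrNull = @('127.0.0.1', '0.0.0.0', '::1')
# Illustrative vendor/update names; extend to taste.
$vendorHint     = 'kaspersky|malwarebytes|bitdefender|avast|avira|eset|sophos|symantec|mcafee|trendmicro|virustotal|windowsupdate|microsoft'

# Keep only the part of each line before any '#' comment, then drop blanks.
$active = Get-Content -Path $hostsPath |
    ForEach-Object { ($_ -split '#')[0].Trim() } |
    Where-Object { $_ }

if (-not $active) {
    'No active entries: the hosts file matches the Windows default.'
}

foreach ($line in $active) {
    $fields = $line -split '\s+'
    if ($fields.Count -lt 2) { "$line  (malformed entry)"; continue }
    $ip    = $fields[0]
    $names = $fields[1..($fields.Count - 1)]
    $flag  = ''
    if ($names -match $vendorHint) {
        $flag = 'SECURITY VENDOR / UPDATE DOMAIN'
    } elseif ($ip -in $loopbackOrNull -and ($names -notmatch '^localhost$')) {
        $flag = 'name sinkholed to loopback/null'
    } elseif ($ip -notin $loopbackOrNull) {
        $flag = 'name redirected to external address'
    }
    '{0,-45} {1,-16} {2}' -f ($names -join ' '), $ip, $flag
}

# Malware sometimes hides the file so a casual look finds nothing to edit.
$attrs = (Get-Item -Path $hostsPath -Force).Attributes
if (($attrs -band [IO.FileAttributes]::Hidden) -ne 0) {
    Write-Warning "hosts has the Hidden attribute set ($attrs); clear it with attrib -h."
}

# It can also point Windows at a different hosts file entirely. Get-ItemProperty
# expands %SystemRoot% for us, so compare against the expanded default path.
$expectedDir = Join-Path $env:SystemRoot 'System32\drivers\etc'
$dbPath = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').DataBasePath
if ($dbPath.TrimEnd('\') -ne $expectedDir) {
    Write-Warning "Tcpip DataBasePath is '$dbPath', not the default '$expectedDir'; the hosts file in use is not the one you edited."
}
```

A sinkholed entry is not always hostile: ad-blocking hosts lists do exactly the same thing to advertising domains, which is why the rule is “anything you did not add yourself”.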
5.8 Unhide and Re-Enable
Some malware infections hide all of your files. Others disable access to core applications, like the Control Panel, Task Manager, or Command Prompt. There are two small applications we use to reverse these issues.
To make your files visible again, download and run Unhide.
To regain access to Control Panel and other vital tools, download and run Re-Enable.
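What those two tools do, shown as an added example that is not the guide’s or the tools’ own code: the lockouts are ordinary policy values in the registry (a value of 1 disables the tool; the default is for the value not to exist), and the hidden files are ordinary file attributes. The script checks the common policy values and removes any that are set, then clears the Hidden and System attributes from items in the usual data folders, skipping desktop.ini and junction points so real Windows plumbing is left alone. The set of policy values and folders is my own selection.

```powershell
# Added example, not from the original guide: undo the "tool disabled" policy
# values and unhide files in the user's data folders.
# Run from an elevated PowerShell (from Safe Mode if even that is blocked).

# 1. Policy values that switch off Task Manager, Registry Editor, Control Panel
#    and Command Prompt. Anything present here with value 1 was put there
#    deliberately, by an administrator or by malware.
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Tool = 'Task Manager' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Tool = 'Registry Editor' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel';       Tool = 'Control Panel / Settings' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                   Name = 'DisableCMD';           Tool = 'Command Prompt' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Tool = 'Task Manager (all users)' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Tool = 'Registry Editor (all users)' }
)

foreach ($c in $checks) {
    $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($value) {
        Write-Warning ('{0} is disabled by {1}\{2} = {3}; removing the value.' -f $c.Tool, $c.Path, $c.Name, $value)
        Remove-ItemProperty -Path $c.Path -Name $c.Name
    }
}

# 2. Files and folders hidden by malware. Clear Hidden and System on the user's
#    data folders only; desktop.ini and junction points (ReparsePoint) are
#    legitimately hidden and are skipped.
$roots = 'Desktop', 'Documents', 'Downloads', 'Pictures', 'Music', 'Videos' |
    ForEach-Object { Join-Path $env:USERPROFILE $_ }
$hiddenBits = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

$unhidden = 0
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -eq 0 } |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object {
            $_.Attributes = $_.Attributes -band (-bnot $hiddenBits)
            $unhidden++
        }
}
"Unhid $unhidden item(s) under $($roots -join ', ')."
```

Add any data drive you keep (a D: drive, say) to $roots before running it; the script deliberately stays out of C:\Windows and the AppData tree, where hidden and system attributes are normal.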
6. Ransomware
Ransomware is a major issue for internet users around the globe. Like other malware, there are numerous ransomware variants, each with distinct malicious characteristics. There are, however, a couple of key characteristics that set ransomware apart from the rest.
- A ransomware infection usually begins silently, encrypting your personal and private files using a pre-defined list of target file extensions, and only announces itself once the damage is done.
- Some variants (lockers) lock the screen or the whole system instead. Either way, you are told to pay a ransom to retrieve the unlock key.
- Finally, even if you remove the ransomware infection, your files do not magically decrypt. (Adding to that, files you had encrypted yourself are not protected; the ransomware simply encrypts them again, along with the rest.)
The rise of ransomware is a scourge that causes a significant amount of trouble. Perhaps the best example of ransomware is WannaCry. In May 2017 the highly virulent WannaCry worm swept around the globe, encrypting hundreds of thousands of systems in around 150 countries. It spread on its own through an SMBv1 flaw (the EternalBlue exploit) that Microsoft had patched two months earlier in MS17-010, so fully patched machines were not infected. Security researcher Marcus Hutchins, aka MalwareTechBlog, stopped the spread of the ransomware by registering a domain name found in its code, which turned out to act as a kill switch.
Ransomware, then, requires a two-pronged approach: prevent it (patches applied promptly, backups kept offline, and the protection covered in section 7) and, if it gets through, contain it. Unfortunately, reactive containment only works if you catch the ransomware in the act, for instance by disconnecting the machine from the network the moment files start changing. Removing the ransomware itself is usually straightforward; decrypting the files is unachievable for many variants.
6.1 Decrypting Ransomware
As just mentioned, there are a huge number of ransomware variants out there. They use different encryption algorithms to render your private files useless, unless you can decrypt them.
Security researchers have successfully cracked several ransomware algorithms. Other ransomware developers have slipped up and offered clues to the whereabouts of the decryptor, while law enforcement raids have uncovered troves of private encryption keys for major ransomware variants.
If you have a ransomware infection, you need to act swiftly.
Most ransomware variants announce their presence after encrypting your files, along with their name, via a ransom note. If that doesn’t happen, you need to upload an encrypted file to ID Ransomware (the site also accepts ransom notes or hyperlinks included in the ransom). The site will quickly identify the infection.
Find a Decryption Tool
Once you know what you’re facing, you can try to find a tool to fix the damage. Several sites, including ourselves , list decryption tools.
- The No More Ransom Project
- Kaspersky Free Ransomware Decryptors
- Avast Free Ransomware Decryptors
- Fight Ransomware List of Decryption Tools — super list
- WatchPoint Decryptors Collection — super list
If you don’t find the decryption tool you need, try completing an internet search for “[ransomware variant] + decryption tool.” Don’t, however, head deep into the search results — there are phishing sites and other malicious sites that simply insert the name of what you’re searching for to ensnare unsuspecting users.
I’m not going to comment on how to use individual tools. There are simply way too many to offer detailed advice and instructions. The overwhelming majority come with at least some instructions as to their use.
7. How to Stop Another Malware Infection
Now your system is clear of infection it is time to assess how to stop it from happening again. There are so many antiviruses, antimalware, system cleaning, script blocking, process destroying tools out there it is difficult to know where to start.
Rest easy. We’ll show you how to build the best walls to keep malware out.
7.1 Antivirus
To start with, you need an antivirus suite. If you already had one installed, consider changing it to something better. Honestly, those of you using Windows Defender are receiving a base level of protection. Windows Defender is a much better tool than in previous years, but it isn’t comparable to other third-party options.
Try the excellently priced Bitdefender or Trend Micro suites. Alternatively, if you’re happy with a free solution, try Avast.
7.2 Antimalware
Next up we need an antimalware tool. The antimalware tool market has fewer trusted tools than the antivirus market, making our selections easier.
- Malwarebytes Anti-Malware — the Free version is fine, but go for Premium if you can afford the yearly expense.
- Zemana AntiMalware — again, the Free version is fine.
7.3 Anti-Ransomware
We are building a multi-layered approach to computer security. Running two real-time antivirus suites side by side has an almost neutralizing effect: they compete for the same files, slow the system down, and can flag each other. Having multiple services focusing on different attack vectors is quite the opposite. Anti-ransomware tools cover one of those vectors, stopping ransomware from encrypting your files in the first place; Cybereason RansomFree and the Kaspersky Anti-Ransomware Tool, both mentioned below, are examples.
7.4 Browser Security
A commonly overlooked weak point is your internet browser. There are a vast number of malicious sites out there waiting for you. Adding to that, malvertising campaigns can infect you without you even realizing anything is awry. Taking the time to beef up your browser can stop a large number of malware and ransomware attacks before they get going.
Security tools vary by browser, but there are similar tools for most. The below tools are a great starting point for browser security:
- NoScript: this Firefox extension blocks scripts until you allow them per site, preventing a lot of drive-by downloads, logging, clickjacking, and more, at the cost of breaking some sites until you whitelist them.
- uBlock Origin: this multi-browser extension stops a huge array of tracking, malvertising servers, clickjackers, and more. (Pictured above.)
- Disconnect: allows you to visualize and block the numerous sites tracking your internet use.
- Privacy Badger: blocks trackers and malvertising servers.
- HTTPS Everywhere: upgrades your connection to HTTPS on sites that support it, which protects against man-in-the-middle tampering on untrusted networks; it cannot add HTTPS to a site that doesn’t offer it.
The combination of extensions you use depends on your browsing habits. If, however, you are uncomfortable with the extent of internet tracking, NoScript or uBlock Origin are a must (or see our comprehensive guide on avoiding internet surveillance!).
7.5 More Useful Tools
You don’t need all of the above tools. As I said, more than one antivirus suite is the wrong approach. Personally, I combine Bitdefender, Malwarebytes Anti-Malware Premium, and Cybereason RansomFree.
There are, however, a host of really helpful tools for you to consider.
- Emsisoft Emergency Kit: the Emsisoft Emergency Kit is a portable tool that scans for a wide-range of malware, viruses, and more. Handy as part of a USB drive recovery kit.
- SUPERAntiSpyware: the free version of SUPERAntiSpyware detects and removes a huge range of malware, adware, and spyware.
- Spybot Search & Destroy: Spybot is a long-standing anti-spyware tool that repairs and cleans a vast array of potentially malicious entities.
- Kaspersky Anti-Ransomware Tool: the anti-ransomware tool from Kaspersky blocks a wide range of ransomware.
7.6 Linux Live CD/USB
Malware is only a problem if you are unprepared. Add a Linux Live CD or USB to your malware doomsday preparation, and you’ll be in good stead. A Linux Live system runs entirely from the disc or USB drive without touching your existing installation. Because Windows isn’t running, neither is the malware, which is what makes a live system so useful: you boot it from the disc or USB drive and get a powerful array of remedial utilities, plus read access to the infected operating system’s files, so you can scan them and copy your data out.
Here are five you should consider making a copy of right now. (Recovering infected computers isn’t the only thing Live CDs and USB drives are good for! )
Once you’ve downloaded one or more of the rescue discs, you will need to burn them to your preferred media .
8. Home and Dry
Theoretically, your computer is now completely clear of malware. Furthermore, you’ve installed some antivirus, antimalware, and an anti-ransomware tool to keep you safe. You’ve also installed a few tools to stop unwanted scripts running in your internet browser. And to top it off, you’ve created a backup Linux Live CD or USB drive to save your bacon next time around.
Overall, your whole system is looking more secure. But don’t be complacent.
One of the biggest battles is user education — the me and the you behind the screen. Spending a small amount of time preparing your system and understanding where threats appear is a great step forward!
Good luck and stay safe.