Here’s the thing: Malware in recent years has become both sneakier and nastier:
Sneakier, not only because it’s better at hiding with rootkits or EEPROM hacks, but also because it travels in packs. Subtle malware can hide behind more obvious infections. There are lots of good tools listed in answers here that can find 99% of malware, but there’s always that 1% they can’t find yet. Mostly, that 1% is stuff that is new: the malware tools can’t find it because it just came out and is using some new exploit or technique to hide itself that the tools don’t know about yet.
Malware also has a short shelf-life. If you’re infected, something from that new 1% is very likely to be one part of your infection. It won’t be the whole infection: just a part of it. Security tools will help you find and remove the more obvious and well-known malware, and most likely remove all of the visible symptoms (because you can keep digging until you get that far), but they can leave little pieces behind, like a keylogger or rootkit hiding behind some new exploit that the security tool doesn’t yet know how to check. The anti-malware tools still have their place, but I’ll get to that later.
Nastier, in that it won’t just show ads, install a toolbar, or use your computer as a zombie anymore. Modern malware is likely to go right for the banking or credit card information. The people building this stuff are no longer just script kiddies looking for fame; they are now organized professionals motivated by profit, and if they can’t steal from you directly, they’ll look for something they can turn around and sell. This might be processing or network resources in your computer, but it might also be your social security number or encrypting your files and holding them for ransom.
Put these two factors together, and it’s no longer worthwhile to even attempt to remove malware from an installed operating system. I used to be very good at removing this stuff, to the point where I made a significant part of my living that way, and I no longer even make the attempt. I’m not saying it can’t be done, but I am saying that the cost/benefit and risk analysis results have changed: it’s just not worth it anymore. There’s too much at stake, and it’s too easy to get results that only seem to be effective.
Lots of people will disagree with me on this, but I challenge they are not weighing consequences of failure strongly enough. Are you willing to wager your life savings, your good credit, even your identity, that you’re better at this than crooks who make millions doing it every day? If you try to remove malware and then keep running the old system, that’s exactly what you’re doing.
I know there are people out there reading this thinking, “Hey, I’ve removed several infections from various machines and nothing bad ever happened.” Me too, friend. Me too. In days past I have cleaned my share of infected systems. Nevertheless, I suggest we now need to add “yet” to the end of that statement. You might be 99% effective, but you only have to be wrong one time, and the consequences of failure are much higher than they once were; the cost of just one failure can easily outweigh all of the other successes. You might even have a machine already out there that still has a ticking time bomb inside, just waiting to be activated or to collect the right information before reporting it back. Even if you have a 100% effective process now, this stuff changes all the time. Remember: you have to be perfect every time; the bad guys only have to get lucky once.
In summary, it’s unfortunate, but if you have a confirmed malware infection, a complete re-pave of the computer should be the first place you turn instead of the last.
Here’s how to accomplish that:
Before you’re infected, make sure you have a way to re-install any purchased software, including the operating system, that does not depend on anything stored on your internal hard disk. For this purpose, that normally just means hanging onto cd/dvds or product keys, but the operating system may require you to create recovery disks yourself.1 Don’t rely on a recovery partition for this. If you wait until after an infection to ensure you have what you need to re-install, you may find yourself paying for the same software again. With the rise of ransomware, it’s also extremely important to take regular backups of your data (plus, you know, regular non-malicious things like hard drive failure).
When you suspect you have malware, look to other answers here. There are a lot of good tools suggested. My only issue is the best way to use them: I only rely on them for the detection. Install and run the tool, but as soon as it finds evidence of a real infection (more than just “tracking cookies”) just stop the scan: the tool has done its job and confirmed your infection.2
At the time of a confirmed infection, take the following steps:
- Check your credit and bank accounts. By the time you find out about the infection, real damage may have already been done. Take any steps necessary to secure your cards, bank account, and identity.
- Change passwords at any web site you accessed from the compromised computer. Do not use the compromised computer to do any of this.
- Take a backup of your data (even better if you already have one).
- Re-install the operating system using original media obtained directly from the OS publisher. Make sure the re-install includes a complete re-format of your disk; a system restore or system recovery operation is not enough.
- Re-install your applications.
- Make sure your operating system and software is fully patched and up to date.
- Run a complete anti-virus scan to clean the backup from step three.
- Restore the backup.
If done properly, this is likely to take between two and six real hours of your time, spread out over two to three days (or even longer) while you wait for things like apps to install, windows updates to download, or large backup files to transfer… but it’s better than finding out later that crooks drained your bank account. Unfortunately, this is something you should do yourself, or a have a techy friend do for you. At a typical consulting rate of around $100/hr, it can be cheaper to buy a new machine than pay a shop to do this. If you have a friend do it for you, do something nice to show your appreciation. Even geeks who love helping you set up new things or fix broken hardware often hate the tedium of clean-up work. It’s also best if you take your own backup… your friends aren’t going to know where you put what files, or which ones are really important to you. You’re in a better position to take a good backup than they are.
Soon even all of this may not be enough, as there is now malware capable of infecting firmware. Even replacing the hard drive may not remove the infection, and buying a new computer will be the only option. Thankfully, at the time I’m writing this we’re not to that point yet, but it’s definitely on the horizon and approaching fast.
If you absolutely insist, beyond all reason, that you really want to clean your existing install rather than start over, then for the love of God make sure whatever method you use involves one of the following two procedures:
- Remove the hard drive and connect it as a guest disk in a different (clean!) computer to run the scan.
- Boot from a CD/USB key with its own set of tools running its own kernel. Make sure the image for this is obtained and burned on a clean computer. If necessary, have a friend make the disk for you.
Under no circumstances should you try to clean an infected operating system using software running as a guest process of the compromised operating system. That’s just plain dumb.
Of course, the best way to fix an infection is to avoid it in the first place, and there are some things you can do to help with that:
- Keep your system patched. Make sure you promptly install Windows Updates, Adobe Updates, Java Updates, Apple Updates, etc. This is far more important even than anti-virus software, and for the most part it’s not that hard, as long as you keep current. Most of those companies have informally settled on all releasing new patches on the same day each month, so if you keep current it doesn’t interrupt you that often. Windows Update interruptions typically only happen when you ignore them for too long. If this happens to you often, it’s on you to change your behavior. These are important, and it’s not okay to continually just choose the “install later” option, even if it’s easier in the moment.
- Do not run as administrator by default. In recent versions of Windows, it’s as simple as leaving the UAC feature turned on.
- Use a good firewall tool. These days the default firewall in Windows is actually good enough. You may want to supplement this layer with something like WinPatrol that helps stop malicious activity on the front end. Windows Defender works in this capacity to some extent as well. Basic Ad-Blocker browser plugins are also becoming increasingly useful at this level as a security tool.
- Set most browser plug-ins (especially Flash and Java) to “Ask to Activate”.
Run current anti-virus software. This is a distant fifth to the other options, as traditional A/V software often just isn’t that effective anymore. It’s also important to emphasize the “current”. You could have the best antivirus software in the world, but if it’s not up to date, you may just as well uninstall it.
For this reason, I currently recommend Microsoft Security Essentials. (Since Windows 8, Microsoft Security Essentials is part of Windows Defender.) There are likely far better scanning engines out there, but Security Essentials will keep itself up to date, without ever risking an expired registration. AVG and Avast also work well in this way. I just can’t recommend any anti-virus software you have to actually pay for, because it’s just far too common that a paid subscription lapses and you end up with out-of-date definitions.
It’s also worth noting here that Mac users now need to run antivirus software, too. The days when they could get away without it are long gone. As an aside, I think it’s hilarious I now must recommend Mac users buy anti-virus software, but advise Windows users against it.
- Avoid torrent sites, warez, pirated software, and pirated movies/videos. This stuff is often injected with malware by the person who cracked or posted it — not always, but often enough to avoid the whole mess. It’s part of why a cracker would do this: often they will get a cut of any profits.
- Use your head when browsing the web. You are the weakest link in the security chain. If something sounds too good to be true, it probably is. The most obvious download button is rarely the one you want to use any more when downloading new software, so make sure to read and understand everything on the web page before you click that link. If you see a pop up or hear an audible message asking you to call Microsoft or install some security tool, it’s a fake.
Also, prefer to download the software and updates/upgrades directly from vendor or developer rather than third party file hosting websites.
1 Microsoft now publishes the Windows 10 install media so you can legally download and write to an 8GB or larger flash drive for free. You still need a valid license, but you don’t need a separate recovery disk for the basic operating system any more.
2 This is a good time to point out that I have softened my approach somewhat. Today, most “infections” fall under the category of PUPs (Potentially Unwanted Programs) and browser extensions included with other downloads. Often these PUPs/extensions can safely be removed through traditional means, and they are now a large enough percentage of malware that I may stop at this point and simply try the Add/Remove Programs feature or normal browser option to remove an extension. However, at the first sign of something deeper — any hint the software won’t just uninstall normally — and it’s back to repaving the machine.
How can I tell if my PC is infected?
General symptoms for malware can be anything. The usual are:
- The machine is slower than normal.
- Random failures and things happening when they shouldn’t (e.g. some new viruses put group policy restrictions on your machine to prevent task manager or other diagnostic programs from running).
- Task manager shows a high CPU when you think your machine should be idle (e.g. <5%).
- Adverts popping up at random.
- Virus warnings popping up from an antivirus you don’t remember installing (the antivirus program is a fake and tries to claim you have scary sounding viruses with names like ‘bankpasswordstealer.vir’. You’re encouraged to pay for this program to clean these).
- Popups/ fake blue screen of death (BSOD) asking you to call a number to fix the infection.
- Internet pages redirected or blocked, for example, home pages of AV products or support sites (www.symantec.com, www.avg.com, www.microsoft.com) are redirected to sites filled with adverts, or fake sites promoting bogus anti virus / “helpful” removal tools, or are blocked altogether.
- Increased startup time, when you have not been installing any applications (or patches)… This one is awkward.
- Your personal files are encrypted and you see a ransom note.
- Anything out the blue, if you “know” your system, you typically know when something is very wrong.
How do I get rid of this?
Using a Live CD
Since the infected PC’s virus scanner might be compromised, it’s probably safer to scan the drive from a Live CD. The CD will boot a specialized operating system on your computer, which will then scan the hard drive.
There are, for example, Avira Antivir Rescue System or ubcd4win. More suggestions can be found at FREE Bootable AntiVirus Rescue CDs Download List such as:
- Kaspersky Rescue CD
- BitDefender Rescue CD
- F-Secure Rescue CD
- Avira Antivir Rescue Disk
- Trinity Rescue Kit CD
- AVG Rescue CD
Connecting the hard drive to another PC
If you are connecting the infected hard drive to a clean system in order to scan it, make sure that you update the virus definitions for all the products that you will be using to scan the infected drive. Waiting a week to let the antivirus providers release new virus definitions can improve your chances of detecting all the viruses.
Make sure your infected system remains disconnected from the internet as soon as you find it is infected. This will prevent it from being able to download new editions of viruses (among other things).
Start with a good tool such as Spybot Search and Destroy or Malwarebytes’ Anti-Malware and perform a full scan. Also try ComboFix, and SuperAntiSpyware. No single antivirus product will have every virus definition. Using multiple products is key (not for real time protection). If even just one virus remains on the system, it may be able to download and install all the latest editions of new viruses and all the effort so far would have been for nothing.
Remove suspicious programs from boot
- Start up in safe mode.
msconfigto determine what programs and services start at boot (or startup under task manager in Windows 8).
- If there are programs/services that are suspicious, remove them from the boot. Else skip to using a live CD.
- If the symptoms do not go away and/or the program replaces itself at startup, try using a program called Autoruns to find the program, and remove it from there. If your computer cannot start up, Autoruns has a feature where it can be run from a second PC called “Analyse offline PC”. Pay especially close attention to the
- If there is still no success in removing the program, and you are sure that it is the cause of your problems, boot into regular mode, and install a tool called Unlocker
- Navigate to the location of the file that is that virus, and attempt to use unlocker to kill it. A few things may happen:
- The file is deleted, and does not reappear on restart. This is the best case.
- The file is deleted, but immediately reappears. In this case, use a program called Process Monitor to find out the program that re-created the file. You will need to delete that program as well.
- The file cannot be deleted, unlocker will prompt you to delete it on reboot. Do that, and see if it reappears. If it does, you must have a program in boot that causes that to happen, and re-examine the list of programs that run in boot.
What to do after restoring
Now it should be safe (hopefully) to boot into your (previously) infected system. Still, keep your eyes open for signs of infection. A virus can leave changes on a computer that would make it easier to re-infect even after the virus has been removed.
For example, if a virus changed DNS or proxy settings, your computer would redirect you to fake versions of legitimate websites, so that downloading what appears to be a well-known and trusted program could actually be downloading a virus.
They could also get your passwords by redirecting you to fake bank account sites or fake email sites. Be sure to check your DNS and proxy settings. In most cases, your DNS should be provided by your ISP or automatically acquired by DHCP. Your proxy settings should be disabled.
hosts file (
%systemroot%system32driversetchosts) for any suspicious entries and remove them immediately. Also make sure your firewall is enabled and that you have all the latest Windows updates.
Next, protect your system with a good antivirus and supplement it with an Anti malware product. Microsoft Security Essentials is often recommended along with other products.
What to do if everything fails
It should be noted that some malware is very good at avoiding scanners. It’s possible that once you are infected, it can install rootkits or similar to stay invisible. If things are really bad, the only option is to wipe the disk and reinstall the operating system from scratch. Sometimes a scan using GMER or Kaspersky’s TDSS Killer can show you if you have a rootkit.
You may want to do a few runs of Spybot Search and Destroy. If after three runs it is unable to remove an infestation (and you fail to do it manually) consider a re-install.
Another suggestion: Combofix is a very powerful removal tool when rootkits prevent other things from running or installing.
Using multiple scan engines can certainly help to find malwares best hidden, but it’s a fastidious task and a good backup/restore strategy will be more efficient and secure.
Bonus: There is an interesting video series beginning with, “Understanding and Fighting Malware: Viruses, Spyware” with Mark Russinovich, the creator of Sysinternals ProcessExplorer & Autoruns, about malware cleaning.
There are some great malware-fighting tips in Jeff Atwood’s “How to Clean Up a Windows Spyware Infestation”. Here’s the basic process (be sure to read through the blog post for screenshots and other details that this summary glosses over):
- Stop any spyware currently running. Windows’ builtin Task Manager won’t cut it; get Sysinternals Process Explorer.
- Run Process Explorer.
- Sort the process list by Company Name.
- Kill any processes that don’t have a Company Name (excluding DPCs, Interrupts, System, and System Idle Process), or that have Company Names that you don’t recognize.
- Stop the spyware from restarting the next time the system is booted. Again, Windows’ builtin tool, MSconfig, is a partial solution, but Sysinternals AutoRuns is the tool to use.
- Run AutoRuns.
- Go through the entire list. Uncheck suspicious entries — those with blank Publisher names or any Publisher name you don’t recognize.
- Now reboot.
- After rebooting, recheck with Process Explorer and AutoRuns. If something “comes back”, you’ll have to dig deeper.
- In Jeff’s example, one something that came back was a suspicious driver entry in AutoRuns. He talks through tracking down the process that loaded it in Process Explorer, closing the handle, and physically deleting the rogue driver.
- He also found an oddly-named DLL file hooking into the Winlogon process, and demonstrates finding and killing the process threads loading that DLL so that AutoRuns can finally remove the entries.