How to remove a virus: what to do if you’ve got malware on your laptop or PC

Is your computer running slowly, crashing frequently and generally behaving a little oddly? If you fire up your web browser, are you redirected to sites you haven’t asked to visit? Do pop-ups appear even when you’re not using your browser?

If you’ve checked for rogue search-engine add-ons and other undesirable browser extensions, and you’ve run a “crap cleaner” to rid your system of temporary files and other bloat, and it’s made little to no difference, it may be time to think about infection detection and removal.

If that’s the case, follow our guide below: it explains what to do to get your PC back up and running.

How to remove a virus

How to remove a virus – step one: disconnect router

There’s plenty of advice out there suggesting that your first move should be to go online and run a scan using one of the many free tools available from OS and antivirus vendors.

While this appears to be common sense – after all, you need to know what you’ve been infected with in order to remove it effectively – the truth is that malware has evolved to the point where going online is the last thing you should do during a potential live infection.

Besides, it’s likely that some malware will block the best-known security vendor sites, as well as those offering the tools to scan for and remove infections, making going online a waste of time. Err on the side of caution as far as internet connectivity is concerned and simply pull the plug on your router to prevent further data compromise.

How to remove a virus – step two: download malware scanner

If you do have an antivirus scanner running, but malware is running on your system, assume that the software has been compromised: it could be that the malware has managed to disable updates or prevent it from loading properly.

Whatever the situation, you’d be silly to trust the scanner during the malware identification and removal process.

Regular PC Pro readers will be aware from our Labs tests and reviews that no security suite or antivirus scanner is perfect, and none can detect every malware threat.

Combining two or three free tools will serve you better: run one, follow any removal recommendations, then – once the system has rebooted – do the same with the next antivirus tool, and so on.

At the end of this process, if all three show a clean system, you should be able to get on with your life. I have a licensed copy of Malwarebytes Anti-Malware (MBAM) sitting on a USB thumbdrive for such an emergency situation, but a free version that features all the necessary malware-removal functionality is available for non-commercial use; all it’s missing compared to the Pro version is real-time prevention and priority updates.

If you don’t have the necessary tools to hand, download the executables onto a clean (newly formatted) USB drive from another computer that’s free from infection. Don’t expect the scanning process to be quick: you want the full, deep-scan option ticked, so be prepared to wait a few hours for the results.

Alongside MBAM, I also recommend using Kaspersky TDSSKiller, which is a free malicious-rootkit detection and removal utility. Rootkits can be particularly troublesome, since they penetrate deeply and intercept the Windows API at a low level.

By hiding folders, files, processes and Registry keys, a rootkit can ensure that malware remains invisible to the user and antivirus scanners alike. Unlike most malware scans, a rootkit scan is quick – it only takes a minute or so – and TDSSKiller makes removal a simple matter of pressing a button and rebooting the PC after it’s finished.

How to remove a virus – step three: start Safe Mode

Using a dedicated malware scanner is a must, but doing so outside of Safe Mode is a big no-no. Running from inside Safe Mode is always a good idea, since this minimal version of the Windows OS basically uses generic drivers and nothing else; it certainly doesn’t look to the startup apps that most malware relies on. It isn’t 100% guaranteed, however: some advanced malware will be able to bypass these restrictions (more on that in a moment).

Generally speaking, Safe Mode is started by hitting the F8 key repeatedly during booting – unless you’re using Windows 8, that is, since Microsoft helpfully removed that option to speed up PC booting.

Windows 8 users can access Safe Mode by pressing Windows+R, typing MSCONFIG, pressing Enter, then selecting the Boot tab and clicking the Safe Mode checkbox under the Boot Options setting. This will get you into Safe Mode when you restart the computer. (Windows 8 calls normal Safe Mode “Minimal”, by the way; starting Safe Mode with a command prompt is called “alternate shell”, and starting with networking is called “network”.)

After you’ve successfully cleared the malware infection, you’ll need to repeat the MSCONFIG process to return to normal booting.
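The MSCONFIG procedure above can also be driven from the command line, which is handy when the GUI is being blocked or you want to script the “return to normal booting” step so it isn’t forgotten. The following is an added example, not part of the original article: it maps the three Windows 8 Boot Options (“Minimal”, “alternate shell”, “network”) onto the built-in bcdedit tool, and then confirms which mode Windows actually started in. It assumes an elevated (administrator) PowerShell prompt and that `{current}` refers to the Windows installation you are booting.

```powershell
# Added example (not from the PC Pro article): the three MSCONFIG Boot Options
# expressed as bcdedit commands. Run from an elevated PowerShell prompt.
# '{current}' is quoted so PowerShell passes the braces through to bcdedit.

# Show the boot entry and any safeboot flag that is already set
bcdedit /enum '{current}'

# MSCONFIG "Minimal"  -> plain Safe Mode
bcdedit /set '{current}' safeboot minimal

# MSCONFIG "Alternate shell" -> Safe Mode with Command Prompt
# (the minimal flag plus the alternate-shell flag)
bcdedit /set '{current}' safeboot minimal
bcdedit /set '{current}' safebootalternateshell yes

# MSCONFIG "Network" -> Safe Mode with Networking.
# Avoid this one during a live infection: step one was to stay offline.
bcdedit /set '{current}' safeboot network

# After the cleanup: clear both flags so the PC goes back to a normal boot,
# the command-line equivalent of unticking the box in MSCONFIG
bcdedit /deletevalue '{current}' safeboot
bcdedit /deletevalue '{current}' safebootalternateshell

# After the restart, confirm which mode Windows actually came up in
(Get-CimInstance Win32_ComputerSystem).BootupState
```

The last line reads the `BootupState` property of the `Win32_ComputerSystem` class, which reports `Normal boot`, `Fail-safe boot` or `Fail-safe with network boot`; checking it before you launch the scanners is a cheap way to be sure the safeboot flag actually took effect. `Get-CimInstance` needs PowerShell 3.0, which ships with Windows 8.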

What if you can’t get into Safe Mode? Some malware, such as the recent FBI ransomware, will lock down your computer and prevent you from accessing it in Safe Mode with command prompt in an effort to prevent removal. However, there are still ways to get in and remove the infection.

Most experts will advise rebooting your PC into a Linux environment from a CD or USB drive, after which you can manually identify and remove the rogue files. Unfortunately, though, this is a classic case of “expertitis”.

In the real world, the people most likely to have been infected by ransomware are also those least likely to be able to boot into and navigate a Linux environment, let alone be in a position to start deleting system files by hand.

Luckily, third-party tools can help. I’d recommend adding HitmanPro.Kickstart to your malware-recovery toolkit.

It’s free to use for 30 days as part of the HitmanPro “second opinion” malware scanner. Sure, you still have to download this to a USB drive and then boot your computer from it, but there are video guides and step-by-step instructions available from the download site to offer guidance.

Retaining a familiar Windows environment in HitmanPro.Kickstart not only makes running the cleanup process easier for the user, but also for the software itself. Since it uses a “live”, ransomed Windows environment, it has access to all the forensic information of the processes that have been started, the processes that are running in full-screen to block access to the desktop and so on. This means it can determine which files and Registry keys belong to the malware, and therefore enable an automated removal process.

Once you’ve finished removing the malware, run all your scans again in “deep” mode. This will be time-consuming, but it’s a required final step in the process to ensure that the malware hasn’t been reinstalled in a different location.

Some malware is highly resistant to removal. If further scans show a re-infection, the only safe option left is the full “nuke and pave” – involving a disk format and reinstallation of Windows, along with real-time protection. If your PC still shows signs of infection after this, you need to move to the next step, which is often the hardest to swallow: asking for help.

How to remove a virus – step four: what to do when all else fails?

Ask for help

Modern malware leaves behind an often complex web of hooks into the operating system, but luckily there’s plenty of help available. It’s dangerous to click stuff and hope for the best; after all, that’s probably what got you into this mess in the first place.

If you know the name of the malware that’s on the infected PC, go online – using a clean computer – and visit the antivirus vendor websites for removal advice relating to specific threats. If you don’t, head to dedicated forums of security-savvy helpers.

The DSLReports security forum, Bleeping Computer and the DaniWeb “Viruses, spyware and other nasties” forum are all excellent ways to get free help from expert users.

Be prepared to follow the rules at each forum, and don’t be surprised if the first thing you’re asked to do is download free diagnostic tools and run a few scans. This will produce log files that the security gurus can decipher in order to advise on the cleanup procedure.

Ignore system restore

If you’ve fallen victim to malware, disable System Restore instead of using it. I know, it sounds like daft advice, since System Restore exists to help you get back to an earlier point in time when your PC was running smoothly.

The flaw in this logic is that you don’t know when your computer was infected, and System Restore will quite happily back up and then restore the infection for you. It may well be that your malware has helpfully disabled access to the function anyway, but if not, go into the control panel and disable it via System | Performance | Troubleshooting until after the cleanup process. Also, delete all restore points for good measure before you start it up again.
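The System Restore advice above – disable it, clear out the old restore points, and only switch it back on once the scans come up clean – can be scripted so that the “switch it back on” part isn’t forgotten. This is an added example, not from the original article; it uses the PowerShell System Restore cmdlets together with vssadmin (restore points are stored as Volume Shadow Copies), assumes an elevated PowerShell prompt, and assumes Windows lives on C:.

```powershell
# Added example (not from the PC Pro article). Run from an elevated PowerShell
# on the infected PC. Assumes Windows is installed on C:.

# 1. Turn System Restore off for the system drive, so that nothing the
#    scanners remove is quietly preserved inside a restore point
Disable-ComputerRestore -Drive 'C:\'

# 2. Delete every existing restore point on the system drive; any of them
#    may already contain the infection (restore points are shadow copies)
vssadmin delete shadows /for=C: /all /quiet

# ... run the MBAM and TDSSKiller scans here, rebooting between tools ...

# 3. Only after the final scan reports a clean system: switch System Restore
#    back on and take a fresh, known-good restore point to start from
Enable-ComputerRestore -Drive 'C:\'
Checkpoint-Computer -Description 'Post-cleanup, verified clean' -RestorePointType 'MODIFY_SETTINGS'
```

If the malware has already disabled System Restore, as the text notes it sometimes does, step 1 simply has nothing to do and step 2 will report that no shadow copies exist; the important part is step 3, which gives you a clean baseline rather than leaving the feature switched off for good.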

I wouldn’t suggest this as the first step, however – rather one to consider after having tried to identify and remove the infection yourself. Forums are never a quick fix: it can take days – if not weeks – to resolve a malware issue.

Nuke and pave

If you can’t wait that long to get your PC back up and running, or everything that you’ve tried has failed, the only realistic option left is “nuke and pave”.

Many IT security consultants will tell you that today’s malware has become so tenacious that the only way to clean an infected machine properly is to completely wipe the computer’s hard drive and reinstall a fresh copy of the operating system. I count myself among this group.

Assuming you have data backups and a clean system image, this can be accomplished in less time than it takes to complete a deep malware scan. Even if you don’t have the backups and imaging, the nuke-and-pave approach of wiping and reformatting your drive(s) and then reinstalling the OS makes sense at this point.

You can guarantee you’re starting afresh with a clean system, and once all the core applications are reinstalled, the creation of a system image will ensure it’s relatively straightforward to bring the PC back online in future.

If you’re a bit of a freeware junkie, take a look at Ninite, which will create a single installer to reinstall the latest updated versions of all your apps in one fell swoop and save hours of your time.

Post-compromise

Don’t forget that the post-compromise cleanup operation extends beyond simply removing all traces of the infection from your computer. You also need to consider the risk to your data that the malware may continue to pose.

Yes, I’m talking about passwords. This advice is especially important if you’re one of the many who reuse the same passwords for multiple sites and services, but it’s pertinent for everyone. Change the passwords for all your email, social networking and financial services. This is easy if you use password-management software such as 1Password or LastPass; if you don’t, now is a good time to get on top of this aspect of your data security and start doing so.

Prevention isn’t something we’ve talked about, but if you ever find yourself in a position where you need to use the advice from this feature, you’ll almost certainly agree it’s better than cure. Make sure your “clean PC” operating system is kept up to date via Windows Update, and that all your software is updated whenever a new version becomes available.

Use real-time anti-malware protection, and educate yourself about how malware is distributed. Oh, and don’t forget to use a Windows standard user account rather than an administrative account for your day-to-day computing needs, since this will greatly restrict the ability of malware to install itself in the first place.
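The three prevention points above (patching, real-time protection, and working from a standard rather than an administrative account) are easy to let slip on a freshly rebuilt PC. The following is an added example, not from the original article: a small PowerShell check you can run on the clean machine to confirm all three at once. It assumes Windows 8.1 or later with Windows Defender as the real-time scanner (`Get-MpComputerStatus` comes from the Defender module; other products expose their status differently), and it uses the Windows Update COM object to count updates that are still pending.

```powershell
# Added example (not from the PC Pro article): a post-rebuild hygiene check.
# Assumes Windows 8.1+ with Windows Defender; run it as the account you use
# day to day, not from an elevated prompt, so the account check is meaningful.

function Test-PostRebuildHygiene {
    $results = [ordered]@{}

    # 1. Day-to-day account should be a standard user, not a local administrator.
    #    Look for the Administrators group SID (S-1-5-32-544) in the token rather
    #    than calling IsInRole(): under UAC a non-elevated admin's token is
    #    filtered and IsInRole() would wrongly report a standard user.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
    $results['StandardUserAccount'] = -not $isAdmin

    # 2. Real-time protection switched on, and signatures less than a week old
    $mp = Get-MpComputerStatus
    $results['RealTimeProtection']   = $mp.RealTimeProtectionEnabled
    $results['SignaturesUnder7Days'] = ($mp.AntivirusSignatureAge -lt 7)

    # 3. Windows Update: count software updates that are not yet installed
    #    (this needs the PC to be online, which is fine once it is clean)
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates.Count
    $results['NoPendingUpdates'] = ($pending -eq 0)

    [PSCustomObject]$results
}

Test-PostRebuildHygiene
```

Every property in the output should read `True`; a `False` against `StandardUserAccount` means the account you are logged in with is a member of the local Administrators group and you should create a separate standard account for everyday use.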
