
What should I do if my Windows computer seems to be infected with a virus or malware?

  • What are the symptoms of an infection?
  • What should I do after noticing an infection?
  • What can I do to get rid of it?
  • How to prevent infection by malware?

This question comes up frequently, and the suggested solutions are usually the same. This community wiki is an attempt to serve as the definitive, most comprehensive answer possible.

Feel free to add your contributions via edits.

  • One thing to definitely NOT do is to install any of the "anti-malware" tools that you're urged to when you get to a web page that says "Your computer is infected by a virus!" These are almost certainly malware themselves. You must only use tools that are well-vetted -- (presumably) those named below or on another trusted site. Commented Jan 13, 2013 at 23:11
  • @Gnoupi This article may be of interest maketecheasier.com/…
    – Simon
    Commented Oct 23, 2013 at 16:59
  • For anyone just coming to this question wanting the tl;dr version... Once infected, there is no way (well... no way that doesn't involve you already being a computer engineer, and investing a few years of your life to performing a digital autopsy on the machine) to get rid of / be sure you've gotten rid of an infection. Malware can hide in your files, your application programs, your operating systems, firmware... Which is why you should never trust a computer that has had an infection. AV vendors will try to convince you their product is the silver bullet that will fix your system. They lie. Commented Jul 29, 2014 at 21:34
  • When we consider the possibility of Virtual Rootkits and Firmware Rootkits then we can pretty much say: You are boned. These two types of Rootkit are saved in areas of your computer you cannot clean. If you want to get rid of them you need to buy a new computer. Firmware Rootkits are rare and Virtual Rootkits don't exist yet but still: The existence of these two Rootkits proves that there is no 100% working one-fit-all solution which will keep your computer malware free for all eternity and beyond. As a German I would compare it to an "Eierlegende Wollmilchsau"
    – BlueWizard
    Commented Aug 21, 2015 at 13:48
  • @JonasDralle: if you mean virtual machine rootkits, they do indeed exist. One of the arguments against using .NET when developing an anti-malware solution. Commented Nov 18, 2016 at 11:11

18 Answers

293

Here's the thing: Malware in recent years has become both sneakier and nastier:

Sneakier, not only because it's better at hiding with rootkits or EEPROM hacks, but also because it travels in packs. Subtle malware can hide behind more obvious infections. There are lots of good tools listed in answers here that can find 99% of malware, but there's always that 1% they can't find yet. Mostly, that 1% is stuff that is new: the malware tools can't find it because it just came out and is using some new exploit or technique to hide itself that the tools don't know about yet.

Malware also has a short shelf-life. If you're infected, something from that new 1% is very likely to be one part of your infection. It won't be the whole infection: just a part of it. Security tools will help you find and remove the more obvious and well-known malware, and most likely remove all of the visible symptoms (because you can keep digging until you get that far), but they can leave little pieces behind, like a keylogger or rootkit hiding behind some new exploit that the security tool doesn't yet know how to check. The anti-malware tools still have their place, but I'll get to that later.

Nastier, in that it won't just show ads, install a toolbar, or use your computer as a zombie anymore. Modern malware is likely to go right for the banking or credit card information. The people building this stuff are no longer just script kiddies looking for fame; they are now organized professionals motivated by profit, and if they can't steal from you directly, they'll look for something they can turn around and sell. This might be processing or network resources in your computer, but it might also be your social security number or encrypting your files and holding them for ransom.

Put these two factors together, and it's no longer worthwhile to even attempt to remove malware from an installed operating system. I used to be very good at removing this stuff, to the point where I made a significant part of my living that way, and I no longer even make the attempt. I'm not saying it can't be done, but I am saying that the cost/benefit and risk analysis results have changed: it's just not worth it anymore. There's too much at stake, and it's too easy to get results that only seem to be effective.

Lots of people will disagree with me on this, but I challenge that they are not weighing the consequences of failure strongly enough. Are you willing to wager your life savings, your good credit, even your identity, that you're better at this than crooks who make millions doing it every day? If you try to remove malware and then keep running the old system, that's exactly what you're doing.

I know there are people out there reading this thinking, "Hey, I've removed several infections from various machines and nothing bad ever happened." Me too, friend. Me too. In days past I have cleaned my share of infected systems. Nevertheless, I suggest we now need to add "yet" to the end of that statement. You might be 99% effective, but you only have to be wrong one time, and the consequences of failure are much higher than they once were; the cost of just one failure can easily outweigh all of the other successes. You might even have a machine already out there that still has a ticking time bomb inside, just waiting to be activated or to collect the right information before reporting it back. Even if you have a 100% effective process now, this stuff changes all the time. Remember: you have to be perfect every time; the bad guys only have to get lucky once.

In summary, it's unfortunate, but if you have a confirmed malware infection, a complete re-pave of the computer should be the first place you turn instead of the last.


Here's how to accomplish that:

Before you're infected, make sure you have a way to re-install any purchased software, including the operating system, that does not depend on anything stored on your internal hard disk. For this purpose, that normally just means hanging onto cd/dvds or product keys, but the operating system may require you to create recovery disks yourself.1 Don't rely on a recovery partition for this. If you wait until after an infection to ensure you have what you need to re-install, you may find yourself paying for the same software again. With the rise of ransomware, it's also extremely important to take regular backups of your data (plus, you know, regular non-malicious things like hard drive failure).

When you suspect you have malware, look to other answers here. There are a lot of good tools suggested. My only issue is the best way to use them: I only rely on them for the detection. Install and run the tool, but as soon as it finds evidence of a real infection (more than just "tracking cookies") just stop the scan: the tool has done its job and confirmed your infection.2

At the time of a confirmed infection, take the following steps:

  1. Check your credit and bank accounts. By the time you find out about the infection, real damage may have already been done. Take any steps necessary to secure your cards, bank account, and identity.
  2. Change passwords at any web site you accessed from the compromised computer. Do not use the compromised computer to do any of this.
  3. Take a backup of your data (even better if you already have one).
  4. Re-install the operating system using original media obtained directly from the OS publisher. Make sure the re-install includes a complete re-format of your disk; a system restore or system recovery operation is not enough.
  5. Re-install your applications.
  6. Make sure your operating system and software are fully patched and up to date.
  7. Run a complete anti-virus scan to clean the backup from step three.
  8. Restore the backup.

If done properly, this is likely to take between two and six real hours of your time, spread out over two to three days (or even longer) while you wait for things like apps to install, Windows updates to download, or large backup files to transfer... but it's better than finding out later that crooks drained your bank account. Unfortunately, this is something you should do yourself, or have a techy friend do for you. At a typical consulting rate of around $100/hr, it can be cheaper to buy a new machine than pay a shop to do this. If you have a friend do it for you, do something nice to show your appreciation. Even geeks who love helping you set up new things or fix broken hardware often hate the tedium of clean-up work. It's also best if you take your own backup... your friends aren't going to know where you put what files, or which ones are really important to you. You're in a better position to take a good backup than they are.

Soon even all of this may not be enough, as there is now malware capable of infecting firmware. Even replacing the hard drive may not remove the infection, and buying a new computer will be the only option. Thankfully, at the time I'm writing this we're not to that point yet, but the day is definitely approaching fast.


If you absolutely insist, beyond all reason, that you really want to clean your existing install rather than start over, then for the love of God make sure whatever method you use involves one of the following two procedures:

  • Remove the hard drive and connect it as a guest disk in a different (clean!) computer to run the scan.

OR

  • Boot from a CD/USB key with its own set of tools running its own kernel. Make sure the image for this is obtained and burned on a clean computer. If necessary, have a friend make the disk for you.

Under no circumstances should you try to clean an infected operating system using software running as a guest process of the compromised operating system. That's just plain dumb.


Of course, the best way to fix an infection is to avoid it in the first place, and there are some things you can do to help with that:

  1. Keep your system patched. Make sure you promptly install Windows Updates, Adobe Updates, Java Updates, Apple Updates, etc. This is far more important even than anti-virus software, and for the most part it's not that hard, as long as you keep current. Most of those companies have informally settled on all releasing new patches on the same day each month, so if you keep current it doesn't interrupt you that often. Forced Windows Update reboots typically only happen when you ignore the notices for too long. If this happens to you often, it's on you to change your behavior. These are important, and it's not okay to continually just choose the "install later" option, even if it's easier in the moment.

  2. Do not run as administrator by default. In recent versions of Windows, it's as simple as leaving the UAC feature turned on.

  3. Use a good firewall tool. These days the default firewall in Windows is actually good enough. You may want to supplement this layer with something like WinPatrol that helps stop malicious activity on the front end. Windows Defender works in this capacity to some extent as well. Basic Ad-Blocker browser plugins are also becoming increasingly useful at this level as a security tool.

  4. Set most browser plug-ins (especially Flash and Java) to "Ask to Activate".

  5. Run current anti-virus software. This is a distant fifth to the other options, as traditional A/V software often just isn't that effective anymore. It's also important to emphasize the "current". You could have the best antivirus software in the world, but if it's not up to date, you may just as well uninstall it.

    For this reason, I currently recommend Microsoft Defender. There are likely far better scanning engines out there, but Microsoft Defender is built into Windows and will keep itself up to date via the normal Windows Update mechanism, without ever risking an expired registration. AVG and Avast also work well in this way. I just can't recommend any anti-virus software you have to actually pay for, because it's just far too common a paid subscription lapses and you end up with out-of-date definitions.

    It's also worth noting here that Mac users now need to run antivirus software, too. The days when they could get away without it are long gone. As an aside, I think it's hilarious I now must recommend Mac users buy anti-virus software, but advise Windows users against it.

  6. Avoid torrent sites, warez, pirated software, and pirated movies/videos. This stuff is often injected with malware by the person who cracked or posted it — not always, but often enough to avoid the whole mess. It's part of why a cracker would do this: often they will get a cut of any profits.

  7. Use your head when browsing the web. You are the weakest link in the security chain. If something sounds too good to be true, it probably is. The most obvious download button is rarely the one you want to use any more when downloading new software, so make sure to read and understand everything on the web page before you click that link. If you see a pop up or hear an audible message asking you to call Microsoft or install some security tool, it's a fake.
    Also, prefer to download the software and updates/upgrades directly from vendor or developer rather than third party file hosting websites.


1 Microsoft now publishes the Windows 10 install media so you can legally download and write to an 8GB or larger flash drive for free. You still need a valid license, but you don't need a separate recovery disk for the basic operating system any more.

2 This is a good time to point out that I have softened my approach somewhat. Today, most "infections" fall under the category of PUPs (Potentially Unwanted Programs) and browser extensions included with other downloads. Often these PUPs/extensions can safely be removed through traditional means, and they are now a large enough percentage of malware that I may stop at this point and simply try the Add/Remove Programs feature or normal browser option to remove an extension. However, at the first sign of something deeper — any hint the software won't just uninstall normally — and it's back to repaving the machine.

  • This seems to be the wisest, nowadays, indeed. I would add that there is another reason for some malware to be sneaky: they will remain dormant, and use your computer for other activities. Could be proxying, storing things more or less illegal, or be a part of a DDOS attack.
    – Gnoupi
    Commented Nov 30, 2012 at 15:23
  • @ConradFrix Too soon to say... I haven't needed to do this to a Windows 8 PC yet... but I'm pessimistic because it doesn't result in reformatting the drive. Windows 8 includes several security improvements, including running antivirus software from time 0 as part of the OS, such that I'm hopeful to never need to do this for Windows 8 at all. Commented Nov 30, 2012 at 20:11
  • @DanielRHicks read the full sentence. It's two to six hours of your time, spread over a day or three where you are efficient about kicking something off and checking back later. If you're baby-sitting everything, then yeah: it's gonna take a while. Commented Dec 5, 2012 at 22:21
  • @JoelCoehoorn Is it just me, or would malware this advanced also infect firmware on all kinds of components, making any removal effort futile? Commented Oct 6, 2014 at 11:33
  • Please remember that if you take a backup AFTER you discover the infection, it is highly probable that the backup itself is infected. Please scan the backup before attempting a restore.
    – Tejas Kale
    Commented Aug 14, 2016 at 8:43
206

How can I tell if my PC is infected?

General symptoms for malware can be anything. The usual are:

  • The machine is slower than normal.
  • Random failures and things happening when they shouldn't (e.g. some new viruses put group policy restrictions on your machine to prevent task manager or other diagnostic programs from running).
  • Task manager shows a high CPU when you think your machine should be idle (e.g. <5%).
  • Adverts popping up at random.
  • Virus warnings popping up from an antivirus you don't remember installing (the antivirus program is a fake and tries to claim you have scary sounding viruses with names like 'bankpasswordstealer.vir'. You're encouraged to pay for this program to clean these).
  • Popups/ fake blue screen of death (BSOD) asking you to call a number to fix the infection.
  • Internet pages redirected or blocked, for example, home pages of AV products or support sites (www.symantec.com, www.avg.com, www.microsoft.com) are redirected to sites filled with adverts, or fake sites promoting bogus anti virus / "helpful" removal tools, or are blocked altogether.
  • Increased startup time, when you have not been installing any applications (or patches)... This one is awkward.
  • Your personal files are encrypted and you see a ransom note.
  • Anything out of the blue: if you "know" your system, you typically know when something is very wrong.

How do I get rid of this?

Using a Live CD

Since the infected PC's virus scanner might be compromised, it's probably safer to scan the drive from a Live CD. The CD will boot a specialized operating system on your computer, which will then scan the hard drive.

There are, for example, Avira Antivir Rescue System or ubcd4win. More suggestions can be found at FREE Bootable AntiVirus Rescue CDs Download List such as:

  • Kaspersky Rescue CD
  • BitDefender Rescue CD
  • F-Secure Rescue CD
  • Avira Antivir Rescue Disk
  • Trinity Rescue Kit CD
  • AVG Rescue CD

Connecting the hard drive to another PC

If you are connecting the infected hard drive to a clean system in order to scan it, make sure that you update the virus definitions for all the products that you will be using to scan the infected drive. Waiting a week to let the antivirus providers release new virus definitions can improve your chances of detecting all the viruses.

Make sure your infected system remains disconnected from the internet as soon as you find it is infected. This will prevent it from being able to download new editions of viruses (among other things).

Start with a good tool such as Spybot Search and Destroy or Malwarebytes' Anti-Malware and perform a full scan. Also try ComboFix, and SuperAntiSpyware. No single antivirus product will have every virus definition. Using multiple products is key (not for real time protection). If even just one virus remains on the system, it may be able to download and install all the latest editions of new viruses and all the effort so far would have been for nothing.

Remove suspicious programs from boot

  1. Start up in safe mode.
  2. Use msconfig to determine what programs and services start at boot (or startup under task manager in Windows 8).
  3. If there are programs/services that are suspicious, remove them from the boot. Else skip to using a live CD.
  4. Restart.
  5. If the symptoms do not go away and/or the program replaces itself at startup, try using a program called Autoruns to find the program, and remove it from there. If your computer cannot start up, Autoruns has a feature where it can be run from a second PC called "Analyse offline PC". Pay especially close attention to the Logon and Scheduled tasks tabs.
  6. If there is still no success in removing the program, and you are sure that it is the cause of your problems, boot into regular mode, and install a tool called Unlocker.
  7. Navigate to the location of the file that is that virus, and attempt to use unlocker to kill it. A few things may happen:
    1. The file is deleted, and does not reappear on restart. This is the best case.
    2. The file is deleted, but immediately reappears. In this case, use a program called Process Monitor to find out the program that re-created the file. You will need to delete that program as well.
    3. The file cannot be deleted, unlocker will prompt you to delete it on reboot. Do that, and see if it reappears. If it does, you must have a program in boot that causes that to happen, and re-examine the list of programs that run in boot.

What to do after restoring

Now it should be safe (hopefully) to boot into your (previously) infected system. Still, keep your eyes open for signs of infection. A virus can leave changes on a computer that would make it easier to re-infect even after the virus has been removed.

For example, if a virus changed DNS or proxy settings, your computer would redirect you to fake versions of legitimate websites, so that downloading what appears to be a well-known and trusted program could actually be downloading a virus.

They could also get your passwords by redirecting you to fake bank account sites or fake email sites. Be sure to check your DNS and proxy settings. In most cases, your DNS should be provided by your ISP or automatically acquired by DHCP. Your proxy settings should be disabled.

Check your hosts file (%systemroot%\system32\drivers\etc\hosts) for any suspicious entries and remove them immediately. Also make sure your firewall is enabled and that you have all the latest Windows updates.

Next, protect your system with a good antivirus and supplement it with an Anti malware product. Microsoft Security Essentials is often recommended along with other products.

What to do if everything fails

It should be noted that some malware is very good at avoiding scanners. It's possible that once you are infected, it can install rootkits or similar to stay invisible. If things are really bad, the only option is to wipe the disk and reinstall the operating system from scratch. Sometimes a scan using GMER or Kaspersky's TDSS Killer can show you if you have a rootkit.

You may want to do a few runs of Spybot Search and Destroy. If after three runs it is unable to remove an infestation (and you fail to do it manually) consider a re-install.

Another suggestion: Combofix is a very powerful removal tool when rootkits prevent other things from running or installing.

Using multiple scan engines can certainly help to find the best-hidden malware, but it's a fastidious task and a good backup/restore strategy will be more efficient and secure.


Bonus: There is an interesting video series beginning with, "Understanding and Fighting Malware: Viruses, Spyware" with Mark Russinovich, the creator of Sysinternals ProcessExplorer & Autoruns, about malware cleaning.

  • Wiping the drive is often the quickest and safest route as is being suggested all over this site as the "best answer"
    – Ivo Flipse
    Commented Jan 25, 2010 at 18:05
  • From my experience I would not trust Spybot as my first choice. Avira, Kaspersky Virus Removal Tool & AVG are good free choices according to AV-Comparatives av-comparatives.org & AV-Test.org: blogs.pcmag.com/securitywatch/2009/12/…
    – fluxtendu
    Commented Feb 20, 2010 at 20:28
  • One suggestion is that many of these malware programs do steal passwords and bank data, so it's not a bad idea to disconnect from the internet once you do become suspicious of an infection. It very well may be too late, but there's a chance you'll limit data leaks, or prevent the malware from updating itself, until such time as you are successful in your cleaning.
    – emgee
    Commented Apr 15, 2011 at 21:26
  • @emgee Good rule of thumb on data exfiltration: when in doubt, pull it out (the ethernet plug) Commented Aug 4, 2011 at 17:17
  • Combofix.org is not the official download location of Combofix, and is not authorized or recommended by Combofix's author. The official download is here. Commented Dec 14, 2011 at 19:13
91

There are some great malware-fighting tips in Jeff Atwood's "How to Clean Up a Windows Spyware Infestation". Here's the basic process (be sure to read through the blog post for screenshots and other details that this summary glosses over):

  1. Stop any spyware currently running. Windows' built-in Task Manager won't cut it; get Sysinternals Process Explorer.
    1. Run Process Explorer.
    2. Sort the process list by Company Name.
    3. Kill any processes that don't have a Company Name (excluding DPCs, Interrupts, System, and System Idle Process), or that have Company Names that you don't recognize.
  2. Stop the spyware from restarting the next time the system is booted. Again, Windows' built-in tool, MSconfig, is a partial solution, but Sysinternals AutoRuns is the tool to use.
    1. Run AutoRuns.
    2. Go through the entire list. Uncheck suspicious entries -- those with blank Publisher names or any Publisher name you don't recognize.
  3. Now reboot.
  4. After rebooting, recheck with Process Explorer and AutoRuns. If something "comes back", you'll have to dig deeper.
    • In Jeff's example, one thing that came back was a suspicious driver entry in AutoRuns. He talks through tracking down the process that loaded it in Process Explorer, closing the handle, and physically deleting the rogue driver.
    • He also found an oddly-named DLL file hooking into the Winlogon process, and demonstrates finding and killing the process threads loading that DLL so that AutoRuns can finally remove the entries.
  • Also, Trend Micro HijackThis is a free utility that generates an in-depth report of registry and file settings from your computer. I will warn this finds good and bad stuff, and makes no distinction, but Google is our friend if we're suspicious. Commented Jun 24, 2011 at 20:33
  • Autoruns is fantastic, but the suggestion to rely on the Publisher may not be useful. This stackoverflow question shows how the version information can be easily modified (and therefore spoofed) [stackoverflow.com/questions/284258/…. I tried this on a Java DLL and Autoruns showed the publisher incorrectly.
    – AlainD
    Commented Feb 2, 2016 at 15:50
53

My way of removing malware is effective and I have never seen it fail:

  1. Download Autoruns and if you still run 32-bit download a rootkit scanner.
  2. Boot into Safe Mode and start Autoruns if you are able to, then go to step 5.
  3. If you can't get into Safe Mode, connect the disk to another computer.
  4. Start Autoruns on that computer, go to File -> Analyze Offline System and fill it in.
  5. Wait for the scan to be done.
  6. In the Options menu, select everything.
  7. Let it scan again by pressing F5. This will go quick as things are cached.
  8. Go through the list and uncheck anything that is conspicuous or does not have a verified company.
  9. Optional: Run the rootkit scanner.
  10. Let a top virus scanner remove any files that were left.
  11. Optional: Run anti-malware and anti-spyware scanners to get rid of junk.
  12. Optional: Run tools like HijackThis/OTL/ComboFix to get rid of junk.
  13. Reboot and enjoy your clean system.
  14. Optional: Run the rootkit scanner again.
  15. Make sure your computer is sufficiently protected!

Some remarks:

  • Autoruns is written by Microsoft and thus shows any locations of things that automatically start...
  • Once software is unchecked from Autoruns, it will not start and can't prevent you from removing it...
  • There do not exist rootkits for 64-bit operating systems because they would need to be signed...

It is effective because it will disable malware/spyware/viruses from starting, so you are free to run optional tools to clean out any junk that was left on your system.

  • I have an infected 64-bit Windows 7, with a virus that does not let antiviruses and system utils run, and Autoruns still didn't help. I asked a question about this: superuser.com/questions/1444463/… . I believe a tool should be run at system boot to control OS behavior.
    – WebComer
    Commented Jul 4, 2019 at 9:20
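Autoruns' "verified company" column and the earlier comment about spoofable Publisher names both come down to the same question: does the binary's Authenticode signature actually verify? The following PowerShell is an added example, not code from any of the answers or from Sysinternals: it walks the Run/RunOnce registry keys and the non-Microsoft scheduled tasks that Autoruns and msconfig show, and runs Get-AuthenticodeSignature on each referenced executable, so a Publisher string written into a version resource cannot mislead. It assumes Windows 8 or later (for Get-ScheduledTask) and an elevated prompt.

```powershell
# Added example: audit common autostart locations and verify the real
# Authenticode signature of each referenced binary. Autoruns' "Publisher"
# column comes from the file's version resource, which anyone can write;
# Get-AuthenticodeSignature checks the signature itself.
# Assumes Windows 8+ (Get-ScheduledTask) and an elevated PowerShell prompt.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the executable from a command line such as
#   "C:\Program Files\Foo\foo.exe" /background
#   C:\Windows\system32\rundll32.exe some.dll,Entry   (reports rundll32, not the DLL)
function Get-ExecutablePath {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted paths may contain spaces: accumulate tokens until one ends in .exe
    $acc = ''
    foreach ($token in ($cmd -split ' ')) {
        $acc = if ($acc) { "$acc $token" } else { $token }
        if ($acc -match '\.exe$') { return $acc }
    }
    return ($cmd -split ' ')[0]
}

function Get-SignatureSummary {
    param([string]$Path)
    # Bare names like "powershell.exe" are resolved through PATH, as the loader would
    if ($Path -and -not (Test-Path -LiteralPath $Path)) {
        $resolved = Get-Command $Path -ErrorAction SilentlyContinue
        if ($resolved) { $Path = $resolved.Source }
    }
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Status = 'FileMissing'; Signer = ''; Path = $Path }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{ Status = $sig.Status.ToString(); Signer = $signer; Path = $Path }
}

$findings = @()

# 1. Run / RunOnce keys (the entries msconfig and Autoruns' Logon tab show)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PowerShell's own PSPath etc.
        $sig = Get-SignatureSummary (Get-ExecutablePath $prop.Value)
        $findings += [pscustomobject]@{
            Source = $key; Name = $prop.Name; Command = $prop.Value
            Executable = $sig.Path; Signature = $sig.Status; Signer = $sig.Signer
        }
    }
}

# 2. Scheduled tasks outside the \Microsoft\ folder (Autoruns' Scheduled Tasks tab)
foreach ($task in (Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' })) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }      # COM-handler actions have no Execute
        $sig = Get-SignatureSummary (Get-ExecutablePath $action.Execute)
        $findings += [pscustomobject]@{
            Source = "Task $($task.TaskPath)"; Name = $task.TaskName
            Command = "$($action.Execute) $($action.Arguments)".Trim()
            Executable = $sig.Path; Signature = $sig.Status; Signer = $sig.Signer
        }
    }
}

# 'Valid' means signed and unmodified. NotSigned alone is not proof of malware
# (plenty of legitimate software is unsigned), but HashMismatch means the file was
# altered after signing, and FileMissing is a dangling autostart entry.
$findings | Sort-Object Signature | Format-Table Signature, Name, Executable, Signer -AutoSize
$suspect = @($findings | Where-Object { $_.Signature -ne 'Valid' })
"$($suspect.Count) of $($findings.Count) autostart entries did not verify as signed; review these first:"
$suspect | Format-List Source, Name, Command, Signature
```

Services and drivers (Autoruns' other tabs) are not covered here; the same Get-SignatureSummary check applies to the ImagePath of each entry under HKLM:\SYSTEM\CurrentControlSet\Services.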
46

Follow the order given below to disinfect your PC.

  1. On a PC that is not infected, make a boot AV disc then boot from the disc on the Infected PC and scan the hard drive, remove any infections it finds. I prefer the Windows Defender Offline boot CD/USB because it can remove boot sector viruses, see "Note" below.

    Or, you can try out some other AV Boot discs.

  2. After you have scanned and removed malware using the boot disc, install free MBAM, run the program and go to the Update tab and update it, then go to the Scanner Tab and do a quick scan, select and remove anything it finds.

  3. When MBAM is done install SAS free version, run a quick scan, remove what it automatically selects.

  4. If Windows system files were infected you may need to run SFC to replace the files; you may have to do this offline if it will not boot due to the removal of the infected system files. I recommend you run SFC after any infection removal is done.

  5. In some instances you may have to run a startup repair (Windows Vista and Windows 7 only) to get it booting properly again. In extreme cases 3 startup repairs in a row may be needed.

MBAM and SAS are not AV software like Norton; they are on-demand scanners that only scan for nasties when you run the program and will not interfere with your installed AV. These can be run once a day or week to ensure you are not infected. Be sure you update them before each daily/weekly scan.

Note: the Windows Defender Offline product is very good at removing persistent MBR infections which are common these days.

For Advanced Users:

If you have a single infection that represents itself as software, i.e. "System Fix", "AV Security 2012" etc., see this page for specific removal guides.

  • Having a second pc dedicated to virus scanning is probably the best solution, as you don't rely on the infected drive for your system. However, besides computer support firms, I doubt many people have such a ready solution.
    – Gnoupi
    Commented Jun 28, 2010 at 8:42
  • If no dedicated PC is available, a similar procedure can be carried out by booting the system with a live CD. Commented Mar 18, 2011 at 19:28
  • @Ophir: Live CD?
    – user46959
    Commented Jun 20, 2011 at 21:02
  • for example: http://distro.ibiblio.org/tinycorelinux/welcome.html Commented Jun 20, 2011 at 21:21
  • Just as a note the Microsoft Standalone System Sweeper is just the old name of Windows Defender Offline, in case someone found that too. Commented Mar 16, 2012 at 18:04
38

If you notice any of the symptoms then one thing to check is the DNS settings on your network connection.

If these have been changed either from "Obtain DNS server address automatically" or to a different server from the one it should be, then that's a good sign that you have an infection. This will be the cause of the redirects away from anti-malware sites, or a complete failure to reach the site at all.

It's probably a good idea to take a note of your DNS settings before an infection occurs so you know what they should be. Also the details will be available on the help pages of your ISP's web site.

If you don't have a note of the DNS servers and can't find the information on your ISP site then using the Google DNS servers is a good alternative. They can be found at 8.8.8.8 and 8.8.4.4 for the primary and secondary servers respectively.

While resetting the DNS won't fix the problem it will allow you to a) reach the anti-malware sites to get the software you need to clean the PC and b) spot if the infection recurs as the DNS settings will change again.
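The "What to do after restoring" section of the 206-vote answer and the DNS answer just above both say to verify DNS servers, proxy settings and the hosts file once the machine is cleaned. The PowerShell below is an added example, not code from either answer: it compares each adapter's IPv4 resolvers against an expected list, flags any active hosts-file entry (especially ones for the security-vendor sites the symptom list names), and reports both the per-user and the machine-wide WinHTTP proxy. $ExpectedDns and $SecurityDomains are assumptions to adjust; 8.8.8.8 and 8.8.4.4 are the Google servers the answer gives, and Windows 8 or later is assumed for Get-DnsClientServerAddress.

```powershell
# Added example: verify the settings the answers above say to check after
# cleaning. $ExpectedDns is an assumption: put the servers you noted before the
# infection (or your ISP's) here; 8.8.8.8/8.8.4.4 are Google's as the answer states.
# Assumes Windows 8+ (Get-DnsClientServerAddress).
$ExpectedDns = @('8.8.8.8', '8.8.4.4')

# Sites the symptom list says get redirected or blocked (assumed list, extend it).
# An active hosts entry for any of these is a strong sign of tampering.
$SecurityDomains = @('symantec.com', 'avg.com', 'microsoft.com')

function Test-DnsSettings {
    param([string[]]$Expected)
    $problems = @()
    foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
        if ($cfg.ServerAddresses.Count -eq 0) { continue }   # adapter has no resolvers set
        $unexpected = @($cfg.ServerAddresses | Where-Object { $Expected -notcontains $_ })
        if ($unexpected.Count -gt 0) {
            $problems += "DNS on '$($cfg.InterfaceAlias)': unexpected server(s) $($unexpected -join ', ')"
        }
    }
    $problems
}

function Test-HostsFile {
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $problems = @()
    foreach ($line in Get-Content -LiteralPath $hostsPath) {
        $entry = ($line -split '#')[0].Trim()            # strip comments
        if (-not $entry) { continue }
        $fields = $entry -split '\s+'
        if ($fields.Count -lt 2) { $problems += "hosts: malformed line '$line'"; continue }
        $ip = $fields[0]
        # A stock Windows hosts file has no active lines; localhost mappings are harmless
        $names = @($fields[1..($fields.Count - 1)] | Where-Object { $_ -ne 'localhost' })
        if ($names.Count -eq 0) { continue }
        $hits = @($names | Where-Object {
            $n = $_
            @($SecurityDomains | Where-Object { $n -like "*$_" }).Count -gt 0
        })
        $tag = if ($hits.Count -gt 0) { 'REDIRECTS/BLOCKS A SECURITY SITE' } else { 'non-default entry' }
        $problems += "hosts: $tag -> $ip $($names -join ' ')"
    }
    $problems
}

function Test-ProxySettings {
    $problems = @()
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p.ProxyEnable -eq 1) { $problems += "Proxy: per-user proxy enabled -> $($p.ProxyServer)" }
    if ($p.AutoConfigURL)     { $problems += "Proxy: auto-config (PAC) script set -> $($p.AutoConfigURL)" }
    # The machine-wide WinHTTP proxy is configured separately from the user setting
    $winhttp = (netsh winhttp show proxy) -join ' '
    if ($winhttp -notmatch 'Direct access') { $problems += "Proxy: WinHTTP proxy set -> $($winhttp.Trim())" }
    $problems
}

$report = @()
$report += Test-DnsSettings -Expected $ExpectedDns
$report += Test-HostsFile
$report += Test-ProxySettings
if ($report.Count -eq 0) { 'DNS, hosts file and proxy settings all look as expected.' }
else { 'Settings to review:'; $report | ForEach-Object { "  $_" } }
```

Run it once right after the re-install to record a known-good baseline, and again whenever the redirect symptoms reappear; as the answer notes, DNS settings that change back on their own mean the infection is still present.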

32

Ransomware

A newer, particularly horrible form of malware is ransomware. This kind of program, usually delivered with a Trojan (e.g. an e-mail attachment) or a browser exploit, goes through your computer's files, encrypts them (rendering them completely unrecognizable and unusable), and demands a ransom to return them to a usable state.

Ransomware generally uses asymmetric-key cryptography, which involves two keys: the public key and the private key. When you get hit by ransomware, the malicious program running on your computer connects to the bad guys' server (the command-and-control, or C&C), which generates both keys. It only sends the public key to the malware on your computer, since that's all it needs to encrypt the files. Unfortunately, the files can only be decrypted with the private key, which never even comes into your computer's memory if the ransomware is well-written. The bad guys usually state that they will give you the private key (thereby letting you decrypt your files) if you pay up, but of course you have to trust them to do so.

What you can do

The best option is to reinstall the OS (to remove every trace of malware) and restore your personal files from backups you made earlier. If you don't have backups now, this will be more challenging. Make a habit of backing up important files.

Paying up will probably let you recover your files, but please don't. Doing so supports their business model. Also, I say "probably let you recover" because I know of at least two strains that are so poorly written that they irreparably mangle your files; even the corresponding decryption program doesn't actually work.

Alternatives

Fortunately, there's a third option. Many ransomware developers have made mistakes that let the good security professionals develop processes that undo the damage. The process for doing that depends entirely on the strain of ransomware, and that list is constantly changing. Some wonderful people have put together a big list of ransomware variants, including the extensions applied to the locked files and the ransom note name, which can help you identify which version you have. For quite a few strains, that list also has a link to a free decryptor! Follow the appropriate instructions (links are in the Decryptor column) to recover your files. Before you begin, use the other answers to this question to make sure the ransomware program is removed from your computer.

If you can't identify what you got hit with from only the extensions and ransom note name, try searching the Internet for a few distinctive phrases from the ransom note. Spelling or grammar mistakes are usually fairly unique, and you'll likely come upon a forum thread that identifies the ransomware.

If your version isn't yet known, or doesn't have a free way to decrypt the files, don't give up hope! Security researchers are working on undoing ransomware and law enforcement is pursuing the developers. It's possible that a decryptor will eventually appear. If the ransom is time-limited, it's conceivable that your files will still be recoverable when the fix is developed. Even if not, please don't pay unless you absolutely have to. While you're waiting, make sure your computer is free of malware, again using the other answers to this question. Consider backing up the encrypted versions of your files to keep them safe until the fix comes out.

Once you recover as much as possible (and make backups of it to external media!), strongly consider installing the OS from scratch. Again, that will blow away any malware that lodged itself deep inside the system.

Additional variant-specific tips

Some ransomware-variant-specific tips that aren't yet in the big spreadsheet:

  • If the decryption tool for LeChiffre doesn't work, you can recover all but the first and last 8KB of each file's data using a hex editor. Jump to address 0x2000 and copy out all but the last 0x2000 bytes. Small files will be completely wrecked, but with some fiddling you might be able to get something helpful out of larger ones.
  • If you've been hit with WannaCrypt and you're running Windows XP, haven't rebooted since the infection, and are lucky, you might be able to extract the private key with Wannakey.
  • Bitdefender has a number of free tools to help identify the variant and to decrypt some specific variants.
  • (others will be added as they are discovered)

Conclusion

Ransomware is nasty, and the sad reality is that it's not always possible to recover from it. To keep yourself safe in the future:

  • Keep your operating system, web browser, and antivirus up to date
  • Do not open e-mail attachments you weren't expecting, especially if you don't know the sender
  • Avoid sketchy web sites (i.e. those featuring illegal or ethically dubious content)
  • Make sure your account only has access to documents you personally need to work with
  • Always have working backups on external media (not connected to your computer)!
4
  • There are a few programs now available that supposedly protect you against ransomware, for example: winpatrol.com/WinAntiRansom (a commercial program). I've never used this because I'm no longer on Windows, but that company's WinPatrol product is one I used for years and have frequently recommended. A few of the antivirus developers have anti-ransomware tools available, sometimes as a higher-cost option.
    – fixer1234
    Commented Sep 13, 2016 at 22:37
  • For information specifically about removing Petya ransomware, also see this question and answer: superuser.com/questions/1063695/…
    – fixer1234
    Commented Sep 14, 2016 at 1:32
  • 2
    I'd add another thing to the list of advice in the conclusion: Avoid visiting sites that promote illegal or amoral behavior, such as media and software piracy; content that is outlawed in most parts of the world; etc. These sites often contract with the least reputable advertising vendors, who make no real effort to filter the content of their "ads" at all, making it easy for criminals to inject your webpage with content that delivers malware or attempts to exploit your browser to gain access to your system. Sometimes even a good adblocker will miss this stuff. Commented Sep 14, 2016 at 17:50
  • @allquicatic I added a bullet point in that vein. Let me know if anything else can be expanded. Thanks!
    – Ben N
    Commented Sep 14, 2016 at 18:18
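An added example, not from the answer or its author, that automates the LeChiffre hex-editor recovery step described above in Python: it keeps the bytes from offset 0x2000 up to the last 0x2000 bytes, skips files too small to have such a middle, and never modifies the originals (so the encrypted copies remain for a future decryptor). The `.LeChiffre` suffix and the sample files are assumptions constructed for the demo.

```python
import tempfile
from pathlib import Path
from typing import Optional

CHUNK = 0x2000  # 8 KiB: the amount encrypted at the start and at the end of each file

# Assumed (placeholder) suffix appended to locked files; take the real one for your
# variant from the ransomware list mentioned in the answer.
LOCKED_SUFFIX = ".LeChiffre"


def carve_lechiffre_middle(data: bytes) -> Optional[bytes]:
    """Return the untouched middle of a locked file, or None if nothing survives.

    This is the hex-editor recipe from the answer: jump to offset 0x2000 and copy
    everything except the last 0x2000 bytes. A file of 16 KiB or less has no such
    middle, because the two encrypted regions cover (or overlap) all of it.
    """
    if len(data) <= 2 * CHUNK:
        return None
    return data[CHUNK:-CHUNK]


def carve_directory(root: Path, suffix: str, dry_run: bool = True) -> dict:
    """Carve every file under `root` ending in `suffix`, writing `<name>.partial`.

    Originals are never modified or deleted, so the encrypted copies stay available
    in case a proper decryptor is released later. Returns the files recovered and
    the files skipped as too small.
    """
    report = {"recovered": [], "skipped": []}
    for path in sorted(root.rglob(f"*{suffix}")):
        if not path.is_file():
            continue
        middle = carve_lechiffre_middle(path.read_bytes())
        if middle is None:
            report["skipped"].append(path)
            continue
        if not dry_run:
            path.with_name(path.name + ".partial").write_bytes(middle)
        report["recovered"].append(path)
    return report


def demo() -> dict:
    """Run the carver over two constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-in for a large locked document: 8 KiB of ciphertext,
        # the surviving body, then another 8 KiB of ciphertext.
        body = b"document body survives here"
        (root / ("report.docx" + LOCKED_SUFFIX)).write_bytes(
            b"\xAA" * CHUNK + body + b"\xBB" * CHUNK)
        # Constructed small file: entirely inside the encrypted head/tail, so it is lost.
        (root / ("note.txt" + LOCKED_SUFFIX)).write_bytes(b"\xCC" * 100)
        report = carve_directory(root, LOCKED_SUFFIX, dry_run=False)
        partial = (root / ("report.docx" + LOCKED_SUFFIX + ".partial")).read_bytes()
        return {"partial": partial,
                "recovered": len(report["recovered"]),
                "skipped": len(report["skipped"])}


if __name__ == "__main__":
    print(demo())
```

Run with `dry_run=True` first to see which files would be recovered before writing anything next to the originals.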
31

There is a wide variety of malware. Some of it is trivial to find and remove. Some of it is trickier. Some of it is really difficult to find, and very hard to remove.

But even if you have mild malware you should strongly consider reformatting and reinstalling the OS. This is because your security has already failed, and if it failed for simple malware, maybe you're already infected with vicious malware.

People working with sensitive data or inside networks where sensitive data is held should strongly consider wipe and re-install. People whose time is valuable should strongly consider wipe and re-install (it's the quickest, easiest and surest method). People who are not comfortable with advanced tools should strongly consider wipe and re-install.

But people who have the time, and enjoy noodling around, can try methods listed in other posts.

1
  • 3
    Correct. This stuff is designed to go around security and cleaning and mundane OS use. Don't take part in an arms race. Zero tolerance is the only policy.
    – XTL
    Commented Mar 7, 2012 at 12:59
30

The possible solutions for a virus infection are in order: (1) antivirus scans, (2) system repair, (3) total reinstall.

First, make sure that all your data is backed up.

Load and install some antiviruses, make sure they are up to date, and deeply scan your hard disk. I recommend using at least Malwarebytes' Anti-Malware. I also like Avast.

If that doesn't work for any reason, you may use a rescue live-CD virus scanner: I like Avira AntiVir Rescue System best because it gets updated several times a day, so the download CD is up to date. As a boot CD it's autonomous and doesn't use your Windows system.

If no virus is found, use "sfc /scannow" to repair important Windows files.
See this article.

If that also doesn't work, you should Perform a Repair Installation.

If nothing works, you should format the hard disk and reinstall Windows.

1
  • 2
    When infected with a recent virus/trojan I used Knoppix on a USB stick, ran apt-get wine, installed Dr Web Cure-It in my wine session, and ran that to clean my infection. I had to do it this way because my laptop wouldn't boot some of the other live-CD alternatives.
    – PP.
    Commented Feb 24, 2010 at 17:15
23

Another tool I would like to add to the discussion is the Microsoft Safety Scanner. It was just released a few months ago. It is a bit like the Malicious Software Removal Tool, but designed for offline use. It will have the latest definitions as of the moment you download it and will only be usable for 10 days, as it will then consider its definitions file "too old to use". Download it with another computer and run it in safe mode. It works pretty well.

23

A bit of theory first: please realize that there is no substitute for understanding.

The ultimate antivirus is to understand what you are doing and generally what is going on with your system, with your own mind and in the so-called reality.

No amount of software or hardware will fully protect you from yourself and from your own actions which in most cases is how the malware gets into a system in the first place.

Most modern "production level" malware, adware and spyware rely on various "social engineering" tricks to fool you into installing "useful" apps, add-ons, browser toolbars, 'virus scanners' or clicking big green Download buttons which will install malware on your machine.

Even an installer for a supposedly trusted app, such as uTorrent, would by default install adware and possibly spyware if you simply click the Next button and don't take the time to read what all the checkboxes mean.

The best way to fight the social engineering tricks that hackers use is reverse social engineering - if you master this technique you will manage to avoid most types of threats and keep your system clean and healthy even without an antivirus or firewall.

If you have noticed signs of malicious/unsolicited life forms inhabiting your system, the only clean solution would be to fully reformat and reinstall your system. Make a backup as described in other answers here, quick format the disks and reinstall your system, or, even better, move the useful data to some external storage, and re-image the system partition from a clean partition dump you have made earlier.

Some computers have a BIOS option to revert the system to the original factory settings. Even if this might seem a bit of overkill, it will never hurt and, more importantly, it will solve all the other eventual issues, whether you are aware of them or not, without having to handle each issue one by one.

The best way to 'fix' a compromised system is to not fix it at all, but instead revert to a known 'good' snapshot using some kind of partition imaging software, such as Paragon Disk Manager, Paragon HDD Manager, Acronis Disk Manager, or e.g. dd if you made the backup from Linux.

12

With reference to William Hilsum's "How Do I Get Rid Of This: Using A Live CD" above:

A virus won't be able to run in a live CD environment, so you can make temporary use of your computer without fear of further infection. Best of all, you can access all your files. On June 20th 2011, Justin Pot wrote a booklet entitled "50 Cool Uses for Live CDs". The beginning of the booklet explains how to boot from CD, flash drive or SD card, and pages 19-20 explain about scanning with different "antimalwares", some of which were already mentioned. The advice given is invaluable for this scenario, and is explained in easy-to-understand English. Of course, the rest of the booklet is invaluable for your other computing needs. (The link to the download (in PDF format) is provided from the link below.) Always remember to be sensible when using the internet; don't be tempted to stray to "places" where malware is very likely to be lurking, and you should be fine. Any antivirus, internet security suites etc. that you may be using should have the latest updates, and whichever OS you may be using should also be kept up to date.

http://www.makeuseof.com/tag/download-50-cool-live-cds/

Once you have clicked on or copied and pasted the above link, please then click on

DOWNLOAD 50 Cool Uses for Live CDs (written in blue)

Please note: I tried to write this in the comments section, but couldn't fit it in. So I have given it as an official answer, as it is invaluable.

1
  • I should disagree: IMHO, if a virus is present in one file on the HDD, even if the system starts clean from the live CD, it's always possible to execute the malicious code when you execute the infected file. If not detected or stopped, it can even spread to other files or devices.
    – Hastur
    Commented Feb 13, 2015 at 12:27
9

Two important points:

  1. Don't get infected in the first place. Use a good firewall and antivirus, and practice "safe computing": stay away from questionable sites and avoid downloading stuff when you don't know where it's coming from.
  2. Be aware that many sites on the web will tell you you're "infected" when you aren't; they want to trick you into buying their junky anti-spyware, or, worse, they want you to download stuff that is, in fact, spyware disguised as a "free antispyware application". Similarly, be aware that many on this site, mostly out of stupidity, will diagnose any "odd" error, particularly the sort of registry corruption that Windows is famous for, as signs of spyware.
8

As suggested before in this topic, if you ARE SURE you are infected, use a Linux live CD to boot your computer and immediately back up all your sensitive data.

It is also good practice to have your sensitive files stored on a hard drive different from your OS boot drive. This way you can safely format the infected system and run a comprehensive scan on your sensitive data just to be on the safe side.

As a matter of fact, there is no better solution than to format the system partition to make sure you run a virus- and malware-free environment. Even if you run a good tool (and no doubt there are many out there), there are always leftovers left behind, and your system may seem clean at the moment, but it surely becomes a time bomb waiting to explode later.

7

On December 8th 2012, Remove-Malware released a video tutorial entitled "Remove Malware Free 2013 Edition" together with a complementary guide outlining how to get rid of malware from your infected PC for free.

They outline:

  • Backup – How to back up your important personal documents just in case your PC becomes inaccessible.
  • Gathering the needed software for this guide.
  • Bootable Antivirus – Why bootable antivirus is the best way to remove malware.
  • Bootable Antivirus Disc – How to create a bootable antivirus disc.
  • Bootable Antivirus Disc – How to scan your PC with a bootable antivirus disc.
  • Cleanup – Round up the remnants and remove them.
  • Prevent it from happening again

The video tutorial is over 1 hour long and, together with the written guide, is an excellent resource.

The video tutorial: link

Written guide: link

Update:

A very informative article written today, 1st February 2013, by J. Brodkin entitled "Viruses, Trojans, and worms, oh my: The basics on malware. Mobile malware may be trendy, but PC malware is still the big problem." from arstechnica.com highlights the continual problem of malware and the different types of malware, with explanations of each, highlighting:

  • Backdoors
  • Remote Access Trojans
  • Information stealers
  • Ransomware

The article also highlights the spreading of malware, botnet operation and businesses under attack.

1

SHORT ANSWER:

  1. Backup all your files.
  2. Format your system partition.
  3. Reinstall Windows.
  4. Install antivirus.
  5. Update your Windows.
  6. Scan your backup with antivirus before starting to use it.

Today you can never be sure that you've completely removed an infestation, except if you wipe your drive and start over.

0

I do not think that AV programs such as MSE, McAfee, Norton, Kaspersky, etc. can protect you 100% because their definition files always come after the fact - after the malware is already out there on the web and can have done a lot of damage. And many of those do not protect you against PUPs and adware.

I also do not think that scanners like Malwarebytes, SuperAntiSpyware, Bitdefender scanner and others can help a lot when the malware has already damaged your system. If you have enough scanners, you will be able to remove the malware, but you will not be able to repair the damage that this malware has done.

I therefore have developed a two layer strategy:

  1. I make weekly images (I use free Macrium) of my system partition and my data partition to two external disks that are only connected during the imaging. Thus no malware can get to them. Should something not work in my system, I can always restore the latest image. I usually keep half a dozen full images in case I have to go back further than last week. In addition I have system restore enabled in my OS so that I can quickly set back in case of a faulty update. But system images (shadows) are not very reliable because they can disappear for various reasons. Relying on system images alone does not suffice.

  2. Most of my internet work I do from a virtual Linux partition. Linux itself is not the target of malware and Windows malware cannot affect Linux. With that system I do:

     • all my downloads, checking them with Virus Total before I move them to the Windows system. Virus Total runs the file through 60 of the best known AV programs and if it comes out clean, chances are very high that it is clean.
     • all internet access to websites where I am not 100% certain that they are clean - like e.g. this website here.
     • all my mail. That is the advantage of Gmail and AOL. I can check my mail with my browser. Here I can open any piece of mail without being afraid to get a virus. And attachments I run through Virus Total.
     • all my on-line banking. Linux provides me with an extra layer of security.

With this approach I have not seen any malware in years. If you like to try a virtual Linux partition, here is how.

3
  • In what way is this an answer to "What should I do if my Windows computer seems to be infected with a virus or malware?" Commented Mar 23, 2015 at 21:59
  • @whs: Andrew Morton is right about this not being an answer to this question, but it is a great answer to a different question, and it would be a real shame if it gets downvoted for being in the wrong place. Ask a new question, like, "How can I avoid getting malware infections beyond just running an A/V program and avoiding shady web sites", and post this answer there.
    – fixer1234
    Commented Mar 23, 2015 at 22:17
  • I know this is an old answer, but I have to add my 2 cents. Linux is not immune to all malware. en.wikipedia.org/wiki/Linux_malware Also, constantly making backups of a personal computer is not within the purview of 99% of the average users. Commented Jan 11, 2018 at 22:06
-15

The problem with scanning malware externally or with a live CD is that many of these nasty pieces of software hook into memory processes, drivers and much more. If the PC's operating system is not loaded neither are they which makes for a frustrating removal process. ALWAYS scan for malware while the infected OS is booted.

With that said, load up Windows with a copy of RKILL on a USB drive. Running this utility kills any malware process chugging away in the background, allowing you to move forward with the removal. It is VERY effective. I have yet to run into a situation where the program has failed its job and I'm surprised at how many techs have never heard of it.

Next I choose to scan with either Malwarebytes or ComboFix. The nice perk about these scanners is that rather than utilizing virus definitions, they locate malware relentlessly based on behavior - a very effective technique. A word of warning, though - they are also much more dangerous and can REALLY wreck some serious shop on your OS. Make sure you have a backup.

90 percent of the time the above process works for me and I remove a TON of these things on the daily. If you're extra paranoid, running a scan with something like AVG, SuperAntiSpyware or Microsoft Security Essentials may not be a bad idea. Although I haven't seen these programs detect much more than the harmless tracker cookie, some people swear by them. Give yourself the peace of mind and do it if you must.

2
  • 11
    ALWAYS scan for malware while the infected OS is booted... that's kinda like saying "Always fight the enemy while they're paying attention." If your malware scanner can't find the malicious code while it's at rest in a file, it doesn't stand a chance against the code while it's in memory, able to perform its voodoo cloaking stunts. Commented Nov 1, 2014 at 1:36
  • 1
    So you want to load the OS, so that the malicious processes are running, and THEN you want to kill the processes so you can remove them? That's just backwards in my opinion.
    – svin83
    Commented Dec 3, 2015 at 11:12
