The anti-malware guide
It was around this time a year ago that we posted several tips for removing viruses, along with preventative measures for avoiding future infections. All of that still applies, but what happens when you have a particularly nasty malware infection that manages to evade your best efforts to eradicate it from your PC? That's when you need to kick your efforts up a notch. If things get really bad, the only recourse is a full-blown reinstallation of Windows, but that should be reserved as a last-ditch effort. Before you consider the nuclear option, try these next-level tactics we put together to remove even the most stubborn malware.
Depending on the type of infection, you might get away with restoring your system to a previous state. A stubborn malware infection is not necessarily sophisticated, and if that’s what ails your PC, reverting to a previous restore point (if one exists) can take your system back to a time before things went south. In Windows 10, navigate to Control Panel > System and Security > System Protection and click the System Restore button. You will see a list of any restore points that exist, and if you click on one, there will be an option to scan for affected programs before going through with the restore.
In Windows 7, click on Start > All Programs > Accessories > System Tools, then click the System Restore program icon.
Shock and Awe
If you’re at your wit’s end trying to remove malware, then it’s a safe assumption you already tried scanning your PC with an antivirus program, whether it is the one that Microsoft provides (Windows Defender) or a third-party solution such as Kaspersky. If not, start there, then move on to Malwarebytes, which often picks up malicious files that manage to evade traditional antivirus programs.
At this point, you’ve either rid your system of malware, or are ready to pound your keyboard in frustration. Don’t do that. Microsoft offers a lightweight application called Windows Malicious Software Removal Tool (MSRT) that targets prevalent malware families and is frequently updated. Give that a go, and if you need more firepower, there are several free third-party programs you can (and should) try, including SuperAntiSpyware, SpyBot Search & Destroy, Zemana Antimalware, Norton Power Eraser, and Hitman Pro (free 30-day trial).
Some of the more sophisticated malware infections are programmed to recognize certain third-party applications and either evade them or prevent them from properly installing. One way to get around that is by using a portable anti-malware program that runs without installation. Even if you don’t have an infection, these are handy to have on a USB flash drive in case a family member or friend needs your assistance.
There are several options, and it is a good idea to carry around more than one. Ones that we recommend include Emsisoft Emergency Kit, ClamWin Portable, Vipre Rescue, Dr. Web CureIt!, and Trend Micro House Call.
Outwit the Enemy
Malware writers play dirty, but so can you. If you’ve run into a malware infection that prevents your anti-virus program or anti-malware application from loading, you can try changing the program’s filename and extension. In fact, the portable version of SuperAntiSpyware already does this by providing a unique filename each time you download the file. That makes it a bit more difficult for malware to sniff out a program.
For other programs, you can take matters into your own hands by navigating to the directory where it’s installed and renaming the executable that loads it. For example, the default location for Malwarebytes in Windows 10 is C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe. Change the name of mbam.exe to something different, then try to load the program by double-clicking.
You can also try changing the file extension from .exe to .com, which in many cases will not break functionality. To do that, you first have to be able to see the file extension. In Windows 10, open up any folder in Explorer and click the View tab. Go to Options > Change folder and search options, click the View tab, and uncheck the ‘Hide extensions for known file types’ checkbox. Once you’ve done that, you can rename mbam.exe to mbam.com and still load the program by double-clicking it.
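The renaming trick above, scripted, as an added example (this is not code from the article or from any of the vendors it names). It assumes the default Malwarebytes path quoted above; the `HideFileExt` registry value is the setting behind the ‘Hide extensions for known file types’ checkbox. The copy goes into the scanner’s own folder so it still finds its DLLs, which a copy to another location might not.

```powershell
# Added example, not from the article. Copies an installed scanner under a random
# name with the .com extension (in the same folder, so its DLLs are still found)
# and makes Explorer show file extensions so the result is visible in the GUI.
# $Source assumes the default Malwarebytes path quoted in the article.
$Source = 'C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe'

# Step 1: the 'Hide extensions for known file types' checkbox is the HideFileExt
# value under the current user's Explorer\Advanced key; 0 means show extensions.
# Explorer picks the change up the next time it starts.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0 -Type DWord

# Step 2: build a random eight-character base name from lowercase letters and digits,
# so the file name differs on every run, as SuperAntiSpyware's portable download does.
$alphabet = [char[]]'abcdefghijklmnopqrstuvwxyz0123456789'
$baseName = -join (1..8 | ForEach-Object { $alphabet | Get-Random })
$Target   = Join-Path (Split-Path -Parent $Source) "$baseName.com"

# Step 3: copy rather than rename, so the original install keeps updating normally.
if (-not (Test-Path -LiteralPath $Source)) { throw "Scanner not found at $Source" }
Copy-Item -LiteralPath $Source -Destination $Target
Write-Host "Scanner copied to $Target; launching it."
Start-Process -FilePath $Target
```

Run it from an elevated PowerShell window, since writing into Program Files needs administrator rights. Keep in mind what this does and does not buy you: a new name defeats malware that blocks scanners by file name, but not malware that recognises the program some other way, so if the copy is still killed on launch, move on to the portable and Safe Mode options.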
That’s a Funny Name
Some malware is considerably easier to remove once you’ve stopped it from running. To do this, type ‘Task Manager’ in the Start menu, and then expand the view by clicking on ‘More details.’ You will see a list of running programs and background processes. Scroll through these and look for any malware programs that might be clearly labeled, which can be the case if you know exactly what type of infection has found its way onto your system. Also be on the lookout for weirdly named programs consisting of a random string of characters. If in doubt, Google the program to make sure it’s not something that is supposed to be running, and if it isn’t, right-click and select ‘End Task.’ Do the same thing in the Startup tab. Once the offending program has stopped running, it can be easier to remove using our other tips.
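The same review, done from PowerShell instead of by eye in Task Manager, as an added example (not code from the article). It lists running processes whose executable name looks like a random string, that run from a user-writable folder, or whose Authenticode signature is not valid, and then the same startup entries the Startup tab shows. The random-name heuristic is an assumption of this example, not a standard; the output is a list to look up before ending anything, exactly as the paragraph above advises, since plenty of legitimate software is unsigned.

```powershell
# Added example, not from the article: triage running processes and startup entries
# the way the article describes doing by hand in Task Manager. Everything flagged
# is a candidate to look up, not a verdict.

function Test-RandomLookingName {
    param([string]$BaseName)
    # Heuristic (an assumption of this example): six or more characters, a mix of
    # letters and digits, and fewer than 25% vowels reads like 'x7k2qp9d', not 'explorer'.
    if ($BaseName.Length -lt 6) { return $false }
    $letters = ($BaseName -replace '[^a-zA-Z]', '').Length
    $digits  = ($BaseName -replace '[^0-9]', '').Length
    $vowels  = ($BaseName -replace '[^aeiouAEIOU]', '').Length
    if ($letters -eq 0 -or $digits -eq 0) { return $false }
    return (($vowels / $letters) -lt 0.25)
}

function Get-ProcessToReview {
    # Folders malware commonly drops into because a normal user can write there.
    $userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC) | Where-Object { $_ }
    Get-CimInstance Win32_Process | ForEach-Object {
        $path = $_.ExecutablePath
        if (-not $path) { return }   # protected system processes expose no path; skip them
        $reasons = @()
        $base = [IO.Path]::GetFileNameWithoutExtension($path)
        if (Test-RandomLookingName $base) { $reasons += 'random-looking name' }
        foreach ($dir in $userWritable) {
            if ($path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $reasons += "runs from $dir" }
        }
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        if (-not $sig -or $sig.Status -ne 'Valid') {
            $status = if ($sig) { $sig.Status } else { 'unreadable' }
            $reasons += "signature: $status"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                ProcessId = $_.ProcessId
                Name      = $_.Name
                Path      = $path
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

function Get-StartupEntry {
    # The same entries as the Task Manager Startup tab: Run keys plus Startup folders.
    Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User
}

Get-ProcessToReview | Format-Table -AutoSize
Get-StartupEntry    | Format-Table -AutoSize
```

Run it elevated, or processes belonging to other accounts show no path and are skipped. Once you have looked a flagged entry up and decided it does not belong, `Stop-Process -Id <ProcessId>` is the command-line equivalent of ‘End Task’; if the process comes straight back, that is the case for RKill or Safe Mode below.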
Roll Out RKill
Not all malware programs hide in plain sight. If you’re having trouble terminating a malicious program running in the background, download and run RKill. This handy program was developed by BleepingComputer, a large support community run by volunteers, and a great resource for protecting against and removing malware. RKill is a portable application that doesn’t need to be installed. What it does is terminate known malware processes that are running so you can resume trying to remove an infection. It doesn’t delete any files, so it’s safe to run. That also means you shouldn’t reboot your system after running RKill until the infection is actually removed, as any malware processes it managed to kill will just load back up.
Play It Safe
When all your efforts seem to be in vain because a malware infection is always two steps ahead, boot into Safe Mode. When you enter Safe Mode, Windows loads only the bare essentials. This limits the overall functionality of Windows, but it also means that malicious programs will not have a chance to load, putting you in a better position to clean up your system.
There are different ways of booting into Safe Mode. In Windows 10, go to the Start menu and click on the power button. While holding down the Shift key, press Restart. When Windows 10 reboots, it will prompt you to select from a list of options. Choose Troubleshoot, then Advanced Options > Startup Settings > Restart. In the menu that comes up, press the “4” key to choose the Enable Safe Mode option.
An easier way to get there is to type System Configuration in the Start menu. In the window that pops up, go to the Boot tab and check the Safe boot box. Once you’ve booted into Safe Mode, you should be able to run an anti-malware program without any resistance.
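The Safe boot checkbox in System Configuration is a flag on the boot entry, which `bcdedit` can set and clear from a console. Below is an added example (not code from the article) that sets it with the administrator check `bcdedit` needs, reads it back, and clears it again; the function names are this example’s own.

```powershell
# Added example, not from the article: the command-line equivalent of the
# System Configuration "Safe boot" checkbox, plus the step that is easy to forget.
# Function names are this example's own.

function Assert-Elevated {
    # bcdedit refuses to change the boot store from a non-elevated prompt.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell window.'
    }
}

function Get-SafeBootState {
    # Returns the current safeboot value ('minimal' or 'network'), or $null if not set.
    bcdedit /enum '{current}' | ForEach-Object {
        if ($_ -match '^\s*safeboot\s+(\S+)') { $Matches[1] }
    } | Select-Object -First 1
}

function Enable-SafeBoot {
    Assert-Elevated
    # 'minimal' is plain Safe Mode, the same as pressing 4 in Startup Settings;
    # 'network' would add networking, which is rarely wanted while cleaning.
    bcdedit /set '{current}' safeboot minimal | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; the boot entry was not changed.' }
    Write-Host "Safe boot is now '$(Get-SafeBootState)'. Reboot to enter Safe Mode."
    Write-Host 'When cleanup is done, run Disable-SafeBoot, or every reboot stays in Safe Mode.'
}

function Disable-SafeBoot {
    Assert-Elevated
    bcdedit /deletevalue '{current}' safeboot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; check the output of: bcdedit /enum {current}' }
    Write-Host 'Safe boot cleared; the next reboot is a normal one.'
}

Enable-SafeBoot
```

The caveat this makes explicit is the same one that applies to the checkbox: the flag persists until you remove it, so a machine left with it set keeps booting into Safe Mode after the cleanup is finished. Quoting `'{current}'` matters in PowerShell, where bare braces would be read as a script block.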
Boot From a Live CD
Booting from an infected drive, even in Safe Mode, may seem like walking into the middle of a fire with a pail of water. Why not fight the inferno from afar, using a hose? That is sort of the idea behind a bootable rescue CD, otherwise known as a Live CD. Using a rescue CD, you can boot into an environment that is detached from your infected drive, and run a series of diagnostics and tools to pinpoint and eradicate malware.
There are many different options out there, such as Ultimate Boot CD and SystemRescueCD. Some antivirus vendors offer their own rescue CD images as well, including Bitdefender and AVG. These are all viable options, though one we recommend giving a spin is the All-in-One System Rescue Toolkit. This is one of the newer rescue CDs put together by Paul Bryan Vreeland, a field technician who set out to build a streamlined option with both a bootable repair environment and a handful of Windows utilities in the same package. It’s free to download, though donations are accepted, and it works with several versions of Windows, Linux, and even newer versions of Mac OS.
Time to Reset
If you have gotten this far and still have not managed to remove the malware, there is one last thing you can try before going nuclear, but only if you’re running Windows 10. One of the things Microsoft added to Windows 10 is a Reset option that lets you keep your personal files while reinstalling Windows. It’s a mini-nuke option, in that it removes your programs and settings, but keeps your documents and other items that you might not have backed up (and really, you should back them up anyway).
To go this route, go to Windows Settings > Update & Security and select Recovery from the left-hand side. You can also type Reset my PC in the Start menu. Under the Reset this PC heading, click the Get started button and select the option that lets you keep your files. Follow the prompts and Windows will take care of the rest.