6 Steps To Remove Malware Completely

July 27, 2010 by in The Pit Blog


Today’s virus infections are lean and mean. They are designed to strike fast and avoid removal. Many will block your access to the very sites and programs needed to eradicate them. They’ve learned where to hide and how to morph into an unidentifiable form.

Unless you’re ready to reinstall Windows and lose all your information, you must act fast. Leaving one small line of code intact will allow the infection to regenerate and strike again tomorrow.

Here’s what I suggest. Develop a complete plan. Once you realize you’re infected you don’t have time to figure out what to do, and besides, you won’t be able to get to the sites that offer help. Have everything in place and ready to go. If you do it now, you’ll save yourself days of frustration.

First and foremost, have a solid and reliable detection and removal program installed on your system. I use and recommend PC Matic every day. It’s my first line of defense. I run PC Matic once a week and let it check for infections while it cleans and updates my system. The latest virus definitions are updated from our server each time I run the program, so I know I’m ahead of the curve for detection.

Next, copy and paste the HOW TO chart below into a Word document and save it on a thumb drive. Along with those instructions, download PC Matic, Malwarebytes and the MS Removal Tool and keep them on the thumb drive too. Remember, the virus will block your access to PC Pitstop and all the other sites that offer protection. Now if you are infected you will have the tools you need right on the thumb drive and you won’t have to worry about being blocked by the virus. Follow the instructions closely and don’t leave out a step.


1. Boot into Safe Mode with Networking by tapping the F8 or F5 key during the boot process.

2. Turn off System Restore (XP, Vista, Windows 7).

3. Download and install: PC Matic, Malwarebytes, MS Removal Tool.

4. Run all three free programs while in Safe Mode with Networking.

5. Reboot.

6. Turn System Restore back on and create a new restore point.
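The steps above are manual. As an added example, and not code from the original post or from PC Pitstop, the following PowerShell script automates the parts that are easy to get wrong on Vista and Windows 7: it disables System Restore (step 2), sets the next boot to Safe Mode with Networking without tapping F8 (step 1), clears that flag again before the reboot in step 5, and re-enables System Restore with a fresh restore point (step 6). It assumes an elevated PowerShell 2.0 prompt, a BCD-based boot (so `bcdedit` exists) and `C:` as the system drive; XP has neither `bcdedit` nor these cmdlets, so there the F8 key and the System Restore tab remain the way to do it.

```powershell
# Added example, not part of the original post: automates steps 1, 2, 5 and 6 of
# the list above on Vista / Windows 7 from an elevated PowerShell 2.0 prompt.
# Assumptions: the system drive is C:\ and the machine boots through BCD.
param(
    [ValidateSet('Prepare', 'Scanned', 'Finish')]
    [string]$Phase = 'Prepare',
    [string]$SystemDrive = 'C:\'
)

function Assert-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $admin = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($admin)) {
        throw 'Run this from an elevated (Run as administrator) PowerShell window.'
    }
}

function Invoke-Bcdedit {
    param([string[]]$Arguments)
    # bcdedit is a native tool, so its result arrives in $LASTEXITCODE.
    & bcdedit.exe $Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit $Arguments failed (exit $LASTEXITCODE)" }
}

Assert-Elevated

switch ($Phase) {
    'Prepare' {
        # Step 2. Turning System Restore off discards every existing restore
        # point; several commenters below prefer to keep a "dirty" point until
        # the scans are done, in which case comment this line out.
        Disable-ComputerRestore -Drive $SystemDrive

        # Step 1 without the F8 key: the next boot goes to Safe Mode with
        # Networking. The flag is persistent, so the 'Scanned' phase must clear it.
        Invoke-Bcdedit @('/set', '{current}', 'safeboot', 'network')
        Write-Host 'Reboot now (you will land in Safe Mode with Networking), run the scanners, then run: -Phase Scanned'
    }
    'Scanned' {
        # Run this while still in Safe Mode, after the scans (steps 3 and 4).
        # Clearing the flag turns the step 5 reboot back into a normal boot.
        Invoke-Bcdedit @('/deletevalue', '{current}', 'safeboot')
        Write-Host 'Safe-boot flag cleared. Reboot normally (step 5), then run: -Phase Finish'
    }
    'Finish' {
        # Step 6, from a normal boot: a restore point cannot be created in
        # Safe Mode because the Volume Shadow Copy service does not run there.
        Enable-ComputerRestore -Drive $SystemDrive
        Checkpoint-Computer -Description 'Clean baseline after malware removal' -RestorePointType 'MODIFY_SETTINGS'
        Write-Host 'System Restore is back on and a fresh restore point exists.'
    }
}
```

Save it as, say, `cleanup.ps1` on the thumb drive next to the scanners and run `.\cleanup.ps1 -Phase Prepare`, `-Phase Scanned` and `-Phase Finish` at the three points described in the comments (an unsigned script may first need `Set-ExecutionPolicy RemoteSigned` in the elevated window). The three-phase split exists because the `safeboot` flag survives reboots: forgetting to clear it leaves the machine booting into Safe Mode indefinitely, and the flag has to be cleared before the step 5 reboot rather than after it.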

Why do I suggest multiple programs? Because no single program can cover all infections all the time. Malware can mutate within minutes. While it’s likely that our single program will find it all, the shotgun approach just adds another layer of security.

If you’re infected, clean it fast and clean it completely.

47 Responses to 6 Steps To Remove Malware Completely

  1. I WANT MY MONEY BACK. I HAVE NO PATIENCE TO DO ALL THAT. WHEN YOU WATCH IT ON T.V. IT LOOKS SO EASY. THAT IS FALSE ADVERTISING. IT IS TOO MUCH WORK FOR ME. PLEASE REIMBURSE ME. THANK YOU.


  2. Also, I use Spybot Search & Destroy; it is good.


  3. TomGL2 says:

    I strongly feel that the best first step is to restart in Safe mode, and use System Restore to revert to at least one day prior to the appearance of the symptoms of infection.


  4. Ryan says:

    Looked like Spyware, but wasn’t:

    As one of the posters already mentioned, I also use MalwareBytes and Spybot S&D in tandem in safe mode and they almost always find and successfully remove malware.

    Recently on my personal laptop, I was seeing constant hard drive activity and my system resources were being drained dramatically, usually surefire signs of spyware. I went through all my tricks of removing spyware and nothing worked. I checked everything including the hard drive and other components for problems, chkdsk, drivers for conflicts, software errors, just about everything, but to no avail.

    I then decided to check the Event Viewer (system) and I found a message repeating itself seemingly thousands of times starting at the same time I was seeing the problem. This is what it read:

    “The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.”

    It seems that somehow, the telephony service was disabled. So I enabled it and instantly, the hard drive and system resources were back to normal.

    So this service was constantly looking for its dependency service and the cause of what seemed like Malware.

    Just a little insight I thought I would share.


  5. Gerry Freed says:

    If you have Vista or Win7, run in user mode most of the time and keep the admin mode for admin tasks and loading programs. If not, well!
    The separate user space usually quarantines the malware so that changing to another account lets you operate the browser and download. Run Malwarebytes from there even in user mode because it asks for admin privilege anyway. I did it and it cleaned the nasties in the whole machine so that I could get back.
    [We can’t always run with a flash drive at hand.] This is for emergencies because the solutions above are good.


  6. Jerry in Detroit says:

    This process works well for the easier stuff but will prove inadequate for stuff like Virtumonde, which hooks into the Windows operating system as soon as it starts. This infection is a combination. It has:

    1. Registry Entries
    2. An infected wallpaper file (Don’t ask me how but it is.)
    3. An Internet Explorer Browser Helper Object or Firefox Add-On
    4. A DLL file that hooks into Windows at startup.

    This particular squad of nasties can be frustrating because unless all are completely removed, the one remaining restores all the others. I haven’t used PC-Matic or Malware Bytes yet. To date, I’ve used Spybot, so my process looks like this.

    Software Required
    Anti-Virus (including firewall)
    Spybot Search & Destroy
    CCleaner
    Glary Utilities or NTRegOpt
    MyDefrag

    Procedure
    Update Windows and the anti-virus software (Don’t be upset if the infection prevents this.)

    Install & update Spybot. (You may have to download the files to a USB Flash drive or CD.)

    Turn off System Restore and the virtual memory. (Yes, they can hide in there.)

    Unplug the computer from the Internet. (This is important. The infection can’t restore the others without Internet access. Do not connect to the Internet unless you care to start over.)

    Boot up in Safe Mode.

    Remove some of the easily identified junk. (I had one client running no less than 8 toolbars in Explorer and wondered why her computer ran so slowly.)

    Start Spybot in the Advanced Mode and run the Immunize feature. (This creates a list of hosts & ISPs that the computer may not connect to. Quite often this prevents malware from connecting to their host computer.)

    Run Spybot’s Search & Destroy. (This will identify and remove the easier stuff and probably come up with a note that it needs to rerun itself on startup. Do it.)

    Restart the computer and allow Spybot to scan again. (With luck, you’ll clear everything out and the scan will come up clean. This is pretty much how Shogan is doing it and it works for all but the most difficult malware.)

    If you’re clean at this point, start preparing the computer for return to the client.

    If you have a few holdouts, here’s my secret sauce. If you still have a file or two, typically DLL files with rather strange names, that Spybot cannot touch (because it/they hook into the Windows OS at startup), write the name(s) down, being careful to get the uppercase, lowercase and other characters correct. It’s not a bad idea to check out the filenames using another computer to make sure these particular files are not necessary for the operating system. Assuming they are not, reboot the computer using a live Linux CD. Knoppix works. I use Ubuntu. The survivor protects itself by hooking into Windows. Without Windows, it’s open season. Locate the offending file(s) using the Linux file manager and delete it/them.

    Preparing to return the computer
    Restart the computer in Windows. Run Spybot again. It should come up clean or any remaining registry entries easily removed.

    While still in Spybot, click on the Advanced tab on the lower left. Review the BHOs and delete anything that does not appear to be connected to a legitimate program. On my computer, there is something called a “scriptproxy”. Clicking on this shows a path to my anti-virus. Check the Browser pages for anything suspicious. Finally, check the System Startup for anything suspicious. I even delete the lines that check for updates in programs like Adobe and Divx. The software will check for updates when you use it and these programs delay startup tremendously.

    Run a system optimizer program like Glary Utilities or CCleaner. Be careful not to install the toolbars during installation. Both will clean the registry. CCleaner has a registry cleaner as well as a file cleaner and the ability to do a secure delete and wipe empty space. In the case of an infected computer, set CCleaner to do a secure delete and to wipe free space. It takes longer but you won’t be sitting in front of the computer.

    Defrag the registry using Glary Utilities or NTRegOpt.
    Finally, defragment the hard drive(s). I use MyDefrag.

    Plug the computer back into the Internet and first make sure the anti-virus software is running and up to date. Update it or restore it as needed. You might even run a scan just to be sure everything is OK. Also check the firewall and delete any permissions for suspect software.

    Update Windows.

    Turn the virtual memory back on.

    Turn the System Restore back on and create a restore point.

    As a final check, I would recommend shutting down the computer, starting it back up, opening Internet Explorer and letting it sit for about an hour. If the desktop and home page come up unmolested and stay that way, you’re probably good. If you’re really paranoid, you might repeat this two or three times over a day before returning the computer.


  7. robert says:

    PC Matic is a free and thorough scanning tool, BUT it does not remove any viruses, malware, or any other nasties unless the program is purchased. As with any PC cleaning process, proceed carefully!


  8. Mike Manner says:

    XP Home, SP2, 6 years. Norton + PC Pitstop. Regular back-up on external HD. Runs like new. Need to pay attention.


  9. simrick says:

    I have removed a lot of these rogue anti-malware popup viruses and redirectors successfully with Malwarebytes, SuperAntiSpyware and GMER (for rootkits), and I have a slightly different approach when it comes to restore points: After all the cleaning in safe mode, safe mode with networking and finally a regular boot, I then and only then delete the restore points. Reason being, if I get stuck during the cleaning process, at least I can start over – albeit with the virus. But without a restore point left, I am forced to reinstall the operating system if things don’t go right the first time.


  10. Charlie says:

    Bill… here ya go http://www.newegg.com/Product/ProductList.aspx?Submit=ENE&IsNodeId=1&Description=thumb%20drive%2016gb&bop=And&Order=PRICE&PageSize=20

    You can always use one of these for multiple purposes they are very durable. Not that I would recommend it but I have washed and dried mine and all data remained intact!


  11. Kelly says:

    Bill — NO, you do not need a thumb drive. Viruses have been known to jump to external USB devices — called thumb drives, jump drives, USB keys, or external hard drives that attach via USB port. These nasties can then infect the next machine you plug the USB device into. If your program will not run from your internal hard drive, it is being blocked by the virus you have on the machine, IMHO. Try renaming the program, as advised above, to see if it will run.

    Kim — if you are fighting a virus or trying to make sure your machine is clean before going on to use it — why would you want Malwarebytes to run in the background? I’d run it and wait before using the machine — just my 2 cents.

    Another point — if you turn off system restore, it deletes all the restore points. Just know that you will not have the option of trying to go back to an older restore point later if your scanning does not do the trick. If an infected machine will allow you to update and run Malwarebytes, it couldn’t hurt to start with running a full scan in Safe Mode with Networking without turning off system restore. Malwarebytes actually does scan the restore points.


  12. BobG says:

    Nice, but why disable System Restore? That’s soooo yesterday. Even an infected restore point is better than none as a fallback position. Clear all points after cleaning, and set a new one with which to go forward.


  13. hal says:

    Thanks for the info

    I also use a free edition of SUPERantiSpyware


  14. Johnny5 says:

    I will add these thoughts, as I am a support tech and run in to this stuff all the time:
    MalwareBytes free, Spybot, HijackThis, and MSRT (Microsoft free tool) are all good, safe mode with networking is good, but sometimes you can think it is clean and still have a “redirect virus”, and what you have is a rootkit. You will be reinfected if you don’t get rid of it. TDSSKiller from Kaspersky is a free remover for one of the more common ones I have run into recently. After removing the TDSS rootkit, reset Internet Explorer, and do all your scans again.


  15. Bruce says:

    I have used Malwarebytes and MS Removal to delete malware many times. Never tried them from safe mode. Would the above process help my XP System Restore, which for some reason has recently started deleting all the restore points every 30 days?


  16. elsando says:

    I know nothing – well, very little. Hi, Bill – a thumb drive is a USB drive – a thingie that you buy and shove into a USB port on your computer and – whoa – you can store stuff on it like it was a floppy or a CD, or an additional drive, etc. It shows up as an additional drive – on my computer as Drive G. I have a 4 GB “thumb drive” I’m looking at that is just a bit larger than my thumb nail and it will hold a bunch of oldies but goodies and other irrelevant stuff. They are pretty cheap and nifty. May be called Flash Drive or other things. Someone please correct me if I am wrong.

    Re: bad stuff – when the siren goes off and I get a glaring screen saying I am infected with a thousand viruses most of which are related to porn and liberal sites and want me to provide credit card, SS, and birth certificate info, I go immediately to control, alt, delete and pull up Windows Task Manager and click on End Task on the offending program. So far it seems to give me control of my computer back. Then I run every virus, malware program that I have. It has worked for me on this kind of issue.


  17. Ray says:

    Bill, thumb drive, flash drive, they’re called by different names. They’re small and can fit on a keychain. They’re cheap, less than $20.00 at Walmart. I have one that I use just for fix-it stuff.


  18. Mickie in MN says:

    Read all the great info, but what does someone like me do when all your advice seems like a foreign language to me~? I understood enough to scare the bejeebers out of me, but I did not pick up much of what I could do without thinking I’m going to blow up my ‘puter~!! ;+) Is there any way to boil this down to ‘my level’~? I do have PCMatic & TrendMicro, but from what you’re saying, I shouldn’t rely on it only. Your help would be so very much appreciated~! PS: I am always dealing with the bug: Mal_Hifrm and nothing I have deals with it~!! Grrrrrrrrrrrr~!!


  19. Cal says:

    Bill, a thumb drive is a USB drive. They’re only about $10 or so for a 2 to 4GB model depending on where you buy from. You can make them bootable and doing so is very worthwhile (see HP’s web site for an excellent utility to make one bootable). Unless you make it bootable, your machine will likely have trouble finding most anything attached to it; thus the problem you’re having with your external HD, which I suspect is a USB drive.


  20. Stephen says:

    Nice article and very good instructions. However, I fear I will not be doing it in this order due to the “pimping” of your own product. I can get the exact same thing done with just Malwarebytes and portable AV, both of which are free.
    But carry on with your writings, as I am sure they help out a lot more people than they confuse.


  21. Bill says:

    Will someone please respond to my question (above)?


  22. Kim says:

    GREAT advice. I learned the hard way when my laptop became infected with the RANSOM VIRUS “AVSOFT”. Since PCMatic does not run real-time in background, it got me. I found out about Malwarebytes and RKILL. PCMatic is a great piece of software and I will continue to renew it.

    ps…free malwarebytes will not run in background…only the purchased version!

    thanks for the info..it will greatly help others.


  23. Dennis says:

    Nice ad for PCMatic. Oh, and it’s NOT free.


  24. Don says:

    When an infection is preventing you from opening removal tools, try renaming the removal tool’s executable. Example: Malwarebytes’ executable is named MBAM.EXE. Try renaming it to MBAM.COM or IEXPLORE.EXE before opening it.


  25. Dave says:

    Important to UPDATE after you download and install any of the anti-malware/spyware programs, as well as before you scan. Process Explorer from Sysinternals (Microsoft now owns it) can help find rogue processes / .dlls that you may find starting in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
    It’s not as cut and dried, simple or quickly removable in every case. ComboFix I have also found (which includes a rootkit scanner) is very good when all else fails. A professional who has experience is your best bet.
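The Run key Dave mentions is one of the first places a defender looks, and checking it by hand in regedit is error-prone. As an added example, not code from the commenter or from PC Pitstop, the PowerShell script below lists every value under the HKLM and HKCU Run and RunOnce keys, works out which executable each command actually launches, and flags entries whose file is missing from disk or whose Authenticode signature is not valid. It assumes PowerShell 2.0 or later (for `Get-AuthenticodeSignature`) and only covers these four keys; the hypothetical helper names `Get-AutorunExecutable` and `Get-AutorunReport` are mine.

```powershell
# Added example (not from the comment above): report the Run/RunOnce autorun
# entries for the machine and the current user, and flag the ones worth a look.
# Assumes PowerShell 2.0+; no parameters, run it from an ordinary prompt.

function Get-AutorunExecutable {
    param([string]$Command)
    # Turn an autorun command line into the path of the file it launches.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        # Quoted path: everything up to the closing quote.
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted path, possibly with arguments: stop at the first executable extension.
    $m = [regex]::Match($cmd, '^(.+?\.(exe|com|bat|cmd|scr|dll))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Get-AutorunReport {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Get-ItemProperty adds these provider properties; they are not autorun values.
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($p in $values.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            $exe = Get-AutorunExecutable -Command ([string]$p.Value)
            $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
            # A file that is gone leaves a dangling entry; an unsigned or tampered
            # file is the case that deserves a manual look.
            if ($exists) {
                $status = [string](Get-AuthenticodeSignature -FilePath $exe).Status
            } else {
                $status = 'FileMissing'
            }
            New-Object PSObject -Property @{
                Key        = $key
                Name       = $p.Name
                Command    = [string]$p.Value
                Executable = $exe
                Signature  = $status
                Suspicious = ($status -ne 'Valid')
            }
        }
    }
}

Get-AutorunReport |
    Sort-Object Suspicious -Descending |
    Format-Table Name, Signature, Executable, Key -AutoSize
```

Read the `Suspicious` column as "look at this", not "this is malware": in 2010 plenty of legitimate software shipped unsigned, and an entry that launches `rundll32.exe` will show the signature of rundll32 rather than of the DLL it loads. A missing file is usually just a leftover from an uninstall, but an entry pointing into a temp or profile folder with an unfamiliar name is exactly the kind of thing Process Explorer would then help you trace to a running process. On 64-bit Windows the `Wow6432Node` Run keys, the Winlogon keys and the Services tree are further autostart locations this script does not cover.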


  26. Bill says:

    I do not own a thumb drive and never heard of it. But I do have an external hard drive. When I tried to use PC MATIC from that drive in safe mode, the logo for the program appeared for one brief second and then turned into the page that says “cannot find.” This is the same result if I try to open PC MATIC from my internal HD, whether I am in safe mode or not. So is it worthwhile to purchase a thumb drive?


  27. Larry F says:

    Since as part of my business, I clean up infected PCs pretty much daily, I can tell you that there is no virus removal strategy that is as effective as reformatting the hard drive and reinstalling the OS. It’s also the most time effective, because a comprehensive malware removal can take up an entire week.

    To the person who solved their problem by using a restore point… Run an online virus scan like Bitdefender’s (just Google “online virus scan”, and it’ll show up in the top five results). Many malware programs will put an installer into EVERY restore point on the PC, so restoring just restores the malware too.

    To those who just use Malwarebytes and an antispyware tool, you’re not being thorough enough. Different programs are good at removing different threats, but no one program can find them all. I use Malwarebytes too, but only as the first in a chain of programs. First, I use Hijack This to fix the proxy problem if I can’t connect the PC to the internet in safe mode. Then I run Malwarebytes repeatedly until it finds nothing else, then I switch to SuperAntiSpyware, then to Trendmicro’s Housecall, then to Bitdefender’s online scanner. I also delete all temporary files. Guess what? I often find something else on the machine with each different program I run. I also have a handful of removal tools for different specific threats that I run too.

    Trojan downloaders are often hidden behind root kits. So when you can see a problem caused by malware, it’s often just the tip of the iceberg. Don’t presume that just because you’ve gotten rid of the obvious problem, your PC is safe again. Chances are very high that you’re wrong.

    The most efficient thing a person can do to keep their PC safe is to make a master drive image of their PC with all their most important programs installed, and keep it separate from the system. Then keep weekly backups of your personal files on a separate media. If the PC becomes infected, perform a clean restoration of the system with the master image, and restore the data from the weekly backups.

    Why not just do weekly drive images? Because if the PC becomes infected, your image will be the infected system if you don’t notice before the image update runs.


  28. Y kawika says:

    I would not recommend turning off System Restore so early in the process. It’s better to have a “dirty” restore point to go back to in case of a disaster, rather than none at all.

    If, after running all of your scans and the only instances showing detection are at “System Information Volume” (System Restore Points), then flushing System Restore Points would be the next move. Better safe than sorry.
    :) Y


  29. dQQm says:

    I have cured many of the Malware type infections by booting Safe Mode, then use System Restore to a previous date, when the infection was not present. Once the system has been restored, remove all the junk files on the system, i.e. Cookies, Temp and Temporary Internet Files. Then run the tools to make sure all has been removed and turn System Restore on as described. Removing the junk files from the system first will shorten the scan times significantly.


  30. Eric says:

    Very useful information. Thanks.

    You are recommending to run the three ‘free’ programs, but PC Matic is not free on the referred site. There is a free scan available online; however, your strategy is to be ready if the online access is blocked.

    Is there a PC Matic light that is free?

    Another useful tool is HijackThis. I got rid of several problems with it.


  31. Ken Partlow says:

    I have run into these infections like the one above. Sometimes you get lucky in safe mode and are able to run certain cleaning programs. For the most part there appears to be, in most of my cases, a proxy server set up in IE Tools/Internet Options/Connections/LAN which does the redirect to porn or other malicious sites. If you disable the proxy and set it to Automatic you will not be redirected to the malicious sites. At this point, if you can turn off system restore and boot into safe mode, then you can run some of the removal programs. And then there are some of these attacks that are just so deadly that the only way to correct them is to run a repair with the OS disk or a clean install.
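Both Larry F’s “proxy problem” and Ken Partlow’s LAN-settings description point at the same registry values. As an added example, not code from either commenter or from PC Pitstop, this PowerShell script shows the per-user WinINET proxy settings that the Internet Options dialog writes and, with `-Reset`, puts them back to “no proxy”. It assumes the settings live under the current user’s `Internet Settings` key, which is where the dialog stores them, and that the machine has no legitimately configured proxy; the helper names `Get-ProxyState` and `Test-ProxyHijack` are hypothetical.

```powershell
# Added example (not from the comments above): inspect and optionally clear the
# IE / WinINET proxy configuration for the current user.
# Assumption: the values sit under HKCU ... \Internet Settings, as written by
# Internet Options > Connections > LAN settings. Run with -Reset to clear them.
param([switch]$Reset)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxyState {
    $s = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        ProxyEnable   = [int]$s.ProxyEnable          # 1 = "Use a proxy server" is ticked
        ProxyServer   = [string]$s.ProxyServer       # host:port, or a per-protocol list
        AutoConfigURL = [string]$s.AutoConfigURL     # PAC script URL, the other redirect route
    }
}

function Test-ProxyHijack {
    param($State)
    # A machine that never had a proxy configured should have neither a proxy
    # nor an automatic-configuration script. Either one is worth investigating;
    # a proxy on 127.0.0.1 with an odd port is the pattern behind the redirects
    # described in the comments.
    return ($State.ProxyEnable -eq 1) -or ($State.AutoConfigURL -ne '')
}

$state = Get-ProxyState
$state | Format-List ProxyEnable, ProxyServer, AutoConfigURL

if (Test-ProxyHijack $state) {
    Write-Warning 'A proxy server or auto-config script is set for this user.'
    if ($Reset) {
        # Equivalent to unticking "Use a proxy server" and clearing the script box.
        Set-ItemProperty -Path $key -Name ProxyEnable -Value 0
        Remove-ItemProperty -Path $key -Name ProxyServer -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue
        Write-Host 'Proxy settings cleared. Restart Internet Explorer, then run the scanners:'
        Write-Host 'if the malware is still active, the setting will simply come back.'
    }
} else {
    Write-Host 'No proxy server or PAC script is configured for this user.'
}
```

The last line of the reset branch is the practical point: clearing the proxy restores the ability to reach the download sites from Safe Mode with Networking, but it is a symptom fix, and a rewritten proxy after the next reboot is itself a sign that the infection survived the scans. On a work machine that legitimately uses a proxy, compare the values against what the network administrator expects instead of resetting them.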


  32. Ken says:

    Interestingly enough, the last infection I caught I repaired very simply by using restore. I didn’t choose the last restore point I had but several points earlier… Worked perfectly. Comments please!


  33. Niklas says:

    Matt, try to download, burn and run the AVG Rescue disc: hxxp://www.avg.com/us-en/avg-rescue-cd

    It is a bootable CD that runs a scan of your Windows installation offline. Just back up all your important files first!


  34. Jenna says:

    I run PC Matic daily but was hit very quickly yesterday – no discernible reason why I should have picked up the virus, but I saw a Java image flick on the screen and I knew something unpleasant was about to happen – and I had to remove it in safe mode. It was an “AV” something or other – fake anti-virus program (it seemed to be out of Russia). The instructions I found said nothing about System Restore – so since you mentioned it I am concerned. My PC is running fine – no malware was found by PC Matic, PC-cillin, Malwarebytes or the MS removal tool today. So I hope I am in the clear. System Restore has various restore points – so it seems OK – but I did not turn it off as you recommend. Should I be concerned?
    Thanks


  35. David Cardner says:

    I eliminated the redirect virus by:
    1. Running Malware bytes (full scan)
    2. Running MS malicious software remover
    At this point still had redirect virus, but an otherwise clean system.
    3. Downloaded latest IE8 from MS website.
    Redirect virus gone.


  36. Matt says:

    I agree with these steps for relatively easy-to-deal-with malware programs, but what do you do when you catch something more advanced?

    My neighbor got something and it was beyond my ability. I couldn’t get into safe mode, system properties, regedit…plus his browser was hijacked (Redirected to porn whenever he tried going anywhere), and on top of that, you couldn’t run or install ANY program without an error dialog popping up.

    In fact, the only thing I could get into that was useful was Task Manager. From here I determined which processes were malware and ended them, but a second later they’d restart themselves. Didn’t get us anywhere.

    So at this point, is there a solution other than reformatting? He doesn’t have his windows disc =X


  37. howiem says:

    Agree with the above, but why get infected in the first place? Do all surfing of the web in a sandbox, like Sandboxie, so your operating system won’t get infected from the web. Keep your important data on another drive and back up the data frequently to external media and/or a secure web backup. If you have to reformat, you won’t lose any data unless the hard drive goes bad completely, and you will have backups.


  38. Overmann says:

    I find that a lot of systems are also bogged down with gigabytes of temporary internet files, which slow the system to a grinding halt when trying to scan for infections. I first run ccleaner or System Cleanup before doing a MW scan. Also, kill System Restore, as the modern infections poison all your system restore points anyway. Once that is all done, you can proceed with the scan and removal.

    P.S. Some infections require drastic action, such as running Combofix.


  39. Terry says:

    I use all of these 3 faithfully and also a-squared Anti-Malware free, EMCO Malware Destroyer free and Ad-Aware free. Each one may find something different the others missed. I run these at least once every 2 weeks and do a manual update first. These I have found to be the best after repairing slow computers for about 5-6 years now. If the computer is extremely slow I download, update and use EMCO Malware Destroyer first, then Malwarebytes followed by the others…


  40. Bruce Hevner says:

    I never try and fight malware on an active system. Remove and slave the drive to another machine and run MalwareBytes and Spybot on it remotely using a USB adapter. Does a MUCH better job at removal when the drive isn’t active.
    Once I’ve cleaned it I replace it in the original machine, update or install MB and SB and run it again.
    Oh yeah,,, make SURE ALL Windows updates have been done!!
    But HEY,,, that’s just ME!!


  41. Jake says:

    If memory is correct: the last time I had a bug incident the information advised turning OFF the system restore as the 1st step, preceding the safe mode restart.

    Before doing the safe mode scan (with system restore off) I did a quick scan using Malwarebyte. The first scan caught everything, since nothing showed up during the second safemode scan, but of course that isn’t always the case.

    I am no longer overly concerned with infection issues due to the fact I have a back up laptop drive ready to plug in, along with a back up laptop.

    The most “beneficial” aspect of catching a bug involves the necessity of getting acquainted (or revisiting) computer operating issues that are typically foreign to most users. I wasn’t surprised to learn the majority of repair shop issues involve infections. I haven’t had a component failure (laptop or desktop) in six years.

    Any information on the most likely sources of infection?


  42. SKDAD says:

    I need to get right on setting up the above plan before it’s too late.


  43. Mary Lynn Kraft says:

    Good article, Shogan. I’ll try to follow these ideas to protect my system.


  44. Steve Hogan says:

    Ed, the order is correct. There are many instances when entering Safemode with Networking is the only way an infected system can access the Internet.

    Thank you.


  45. ED says:

    Why is download #3 on the list? Step 1 should be download and save executables to a thumb drive, and step 3 should be install from thumb drive, update definitions (if the malware let you), and run. Would that not make more sense?

