The Ultimate Malware Removal Guide: Detect and Remove Any Malware

Malware Infections and Warnings

Malware is short for two words, malicious software, but that is the only short part of this malware removal guide: I'm going to take you step by step on a seek-and-destroy mission to rid your PC of its malware infection.

Malware is software or a script created by a black hat group with the objective of disrupting your computer's stability, gathering and distributing sensitive and private information, and turning a profit in the process.

You may be infected by visiting a rogue site or opening a malicious email attachment. Malware may come as a file, code or script, or be bundled with a legitimate software package.

Malware comes in many forms; the most common are ransomware, worms, Trojan horses, rootkits and adware.

[Screenshot: Malware Infections and Warnings]

It is not easy to determine if your computer is infected by malware or if an issue is caused by other reasons such as a hardware problem or corrupt system files.

The “black hat” guys are on top of their game and they constantly monitor defensive techniques, learn from past mistakes and evolve their cyber-weapons in a way that is not so easy to detect at first glance.

This is, and always will be, a never-ending game of cat and mouse. Your goal is to be the strongest link in the chain, so that attackers move on to weaker users who are less aware of cyber security and don't take basic measures to protect their computers and digital assets.

Before we discuss how to remove malware, let's review a few examples of PC behavior (symptoms) that might indicate you've been infected:

  • Websites don't open even though you are connected to the internet.
  • Your computer and browsers freeze.
  • Your online social accounts are repeatedly hacked.
  • Your ISP complains that you are sending spam or DDoS traffic.
  • Your web browser's default home page has changed.
  • You can't access security-related websites (e.g. your antivirus vendor's support and update pages).
  • You are redirected to websites that you didn't intend to visit.
  • Your Google search results page looks different and you see sites that shouldn't be on the first page of Google.
  • Frequent pop-up windows.
  • New and unrecognized programs are installed and/or new icons appear on your desktop.
  • You don't have access to your personal files.
  • Your files' extensions have changed (ransomware).
  • Your computer restarts without notice (when not related to a Windows update).
  • Unusually frequent error messages.
  • Pop-ups or sites that try to convince you to urgently install a security product.
  • Access to some parts of your PC is blocked (Control Panel, Task Manager, Registry Editor or the command line).
  • One or more of the above symptoms began after you opened a suspicious email attachment or downloaded and executed a file from an unfamiliar site or an untrusted P2P source.

[Screenshot: Site Refusing Connection]

So if you experience one or more of the above symptoms, follow this step-by-step malware removal guide and terminate the malware infection.

A Few Words About this Malware Removal Guide

This is our main and ongoing tutorial for users that have a malware infection on their Windows PC.

We get a lot of questions from users asking what to do if they're infected by malware, so we decided to address this question separately with a dedicated and easy-to-follow tutorial.

This is why I made this tutorial as simple as possible and documented each stage carefully with screenshots.

It should be clear even to an extremely non-technical user.

I will update this tutorial when new tools are available online or when new defense or research tools are available for malware detection and removal.

  1. You don't have to perform all the steps: if one of the steps removed the malware, you can skip to the last step, which will help you protect your PC from future malware.
  2. This tutorial is based on the Windows 10 operating system. I won't cover every operating system; if you have a different version of Windows it should also work with minor adjustments.
  3. Some stages are optional (e.g. disk cloning) and you can skip them, although I suggest you follow this protocol as closely as possible.
  4. If you don't have time to follow this tutorial or it is overwhelming for you, please send us an email with a short description of the problem and how you got infected in the first place, and we will send you a "short list" of mandatory steps customized for your malware problem.
  5. If one of the tools is not working, try renaming its file. Some malware blocks security tools by refusing to let known file names execute, so renaming the tool to something random like run-me-now.exe can help you circumvent the malware's self-protection.

From my experience, unless you are a high-profile figure or work for a government agency, this protocol will eliminate most known malware types.

From time to time we see 0-day malware that can't be detected with traditional tools, but the chance that you will get this type of unknown malware is very slim if you follow our guidelines.

If you have more steps in mind that you think we should add to this tutorial or if you find any mistakes, please drop us a line and we promise to update this malware removal guide immediately.


Step 1 – Kill Your Network and Internet Connection

Some malware infections are time sensitive: they wait in the background for the right moment to do their nasty thing, or to download a new payload with new malware and a new distraction task.

By disconnecting your PC from the internet and the network you give yourself time to regroup and think about what to do next. Not to mention that if you are connected to a network with more computers and servers, they can be infected by your own compromised PC.

You can disconnect your PC from the network physically by unplugging the network cable; if you are connected via Wi-Fi, erase your Wi-Fi credentials and make sure you are disconnected from the Wi-Fi network.

[Screenshot: Disconnect Network Cable]

[Optional] Step 2 – Clone Your Infected Hard Disk

This is a very smart step if you have ransomware or very sensitive information on your PC and you don't want to take any chances with the malware removal process, which can involve trial and error.

This step is not a mandatory part of the removal process and some users decide to skip it but I say that if you have the right hardware available, invest the extra 15 minutes and do it.

What you should do is power off your PC and connect a secondary disk to your computer. This disk should be empty and at least of the same capacity as your infected main disk (or bigger).

You can connect it to a secondary empty SATA port or any other supported connection (i.e. a USB port for external hard drives).

Then, you should boot from a CD or USB drive with one of the following cloning programs:

You can find "all in one" bootable CDs online that let you load many toolkits, some of which include imaging programs (e.g. Hiren's BootCD or UBCD).

[Screenshot: Ghost Disk To Disk Cloning]

When cloning the disk, I recommend selecting "disk to disk" imaging so that you end up with two disks that are exactly the same (both infected with malware).

When you finish the cloning process, make sure you disconnect the new backup hard disk and store it in a secure offline location.

WARNING!!! Be 100% sure that you know what you are doing! Don't clone the new (empty) disk onto the old one or you will end up with two blank disks!

What is the logic behind having two disks that are exactly the same?

  1. Should you make a mistake during the malware removal process, or trigger something that makes the malware "punish" you, you can always go back to the beginning and try a different approach. This gives you more time, or to be more accurate, endless attempts. It's like the "save" option in computer games.
  2. In case of a ransomware infection, you keep the option to recover your files in the future without paying any bitcoin ransom, once a decryption tool is released for your ransomware's encrypted files.

Step 3 – Does Your Windows Boot Normally?

If you can't log in to Windows or you get black or blue screen errors, then we need to find a way to boot your PC in Safe Mode.

In case you are able to login you can skip this step of my malware removal guide.

While your PC is disconnected from the internet, try to boot it up.

Fun fact: The error screen you see below is lovingly named “BSOD” which is an acronym for “Blue Screen of Death”. It doesn't mean that your computer actually died, but it’s a common error when serious hardware or software problems occur.

[Screenshot: Windows 10 Blue Screen]

Every operating system is different, but the method of entering Windows Safe Mode is to interrupt the boot sequence of your PC after you power it on.

When you enter Safe Mode on Windows 10 it loads the minimal set of resources (programs and drivers) needed for you to gain access to the operating system.

Hopefully the malicious process will not be loaded in the first place, and then you can clean it without interruption.

On older versions of Windows, you could press the F8 key during startup to get to the Safe Mode selection.

Windows 10 boots very fast and it is very difficult to manage to hit the F8 key at the precise moment; it's almost impossible on a fast PC with an SSD.

So a workaround is to power on your PC and, after you see the "Blue Screen" or any other error page, hold the power button to force a shutdown.

Then turn it back on and wait for the BSOD (Blue Screen of Death) to appear.

Repeat this process until you get the Recovery screen. Normally you have to do this 3 times in a row to trigger the recovery window.

When you see this screen select “See advanced repair options” and continue according to the screenshots below:

[Screenshot: Windows 10 Recovery Screen]

[Screenshot: Windows 10 Recovery Options]

[Screenshot: Windows 10 Recovery Advanced]

[Screenshot: Windows 10 Recovery Startup Setting]

[Screenshot: Windows 10 Recovery Startup Restart]

Click “4” to access Safe Mode

[Screenshot: Windows 10 Safe Mode]

Windows will now load with a minimal user interface and drivers, and you should see the "Safe Mode" desktop.

[Screenshot: Windows 10 Desktop Safe Mode]

Now we can actually start removing malware from your PC by moving to the next step.

In the next steps you will need to download several tools from the internet.

In Safe Mode there are two ways to do this:

  1. Download the files on a different computer and copy them over with a flash drive.
  2. Instead of selecting "4" to enable Safe Mode, select "5" to enable Safe Mode with Networking.

Step 4 – Review Active Processes with Process Explorer and Virus Total

Process Explorer is a free and very powerful task manager and system monitoring tool.

It is part of Microsoft's Sysinternals toolkit.

You get a very slick set of tools that are not part of the built-in Windows Task Manager.

VirusTotal is a web service that aggregates multiple malware scan engines on one centralized platform. If you upload a file for inspection to VirusTotal, it will use more than 60 antivirus engines to classify the file.

The combination of Process Explorer and VirusTotal gives you an easy-to-use interface for checking every running process against the majority of antivirus vendors in one click.

The results come in instantly!

Start by reconnecting your PC to the network and turning it on.

Then follow the steps below to download Process Explorer and extract it from the zip file.

Go to Microsoft’s downloads site and download Process Explorer by clicking the highlighted download link and saving the file to your downloads folder.

[Screenshot: Download Process Explorer]

Right-click the ProcessExplorer.zip file and select "Extract Here" if you have WinRAR installed on your computer (you can also use Windows Explorer for the same task).

[Screenshot: Extract Process Explorer]

Right click procexp.exe and select “Run as administrator”.

[Screenshot: Run Process Explorer]

Select "Yes" if a UAC (User Account Control) prompt pops up.

[Screenshot: Access Warning Process Explorer]

When Process Explorer opens for the first time you will see how many processes are active and the company or vendor associated with each process.

If you see a suspicious name on that list, that is a sign that you might be infected with malware.

[Screenshot: Process Explorer User Interface]

Now, let's enable the VirusTotal integration in Process Explorer.

When you enable it, Process Explorer computes a hash (a signature) of each running process's executable file and sends this hash to VirusTotal for inspection; the file itself is only uploaded if you also enable "Submit Unknown Executables" as described below.

In turn, VirusTotal checks the hash against the results of more than 60 antivirus and malware engines.

Select Options > VirusTotal.com > Check VirusTotal.com

[Screenshot: Process Explorer Send To VirusTotal]

Accept the VirusTotal Terms of Service by clicking “Yes”.

[Screenshot: VirusTotal Terms Of Service]

Again go to Options > VirusTotal.com and enable “Submit Unknown Executables”:

[Screenshot: Submit Unknown Executables]

This may take a few seconds depending on how many processes are running, but you should see a new column named VirusTotal appear.

In this column you will see the detection ratio: the number of antivirus engines that detected the process as malware over the total number of engines that scanned it.

In this case, when scanning our lab PC, you can see that most processes got a 0/62 detection ratio, which is what we'd like to see on every process.

But if you look closely you will see a process with a 6/61 detection ratio, which means that this is potentially a malicious process.

This is definitely a candidate for removal.

[Screenshot: Results Process Explorer]

If you click on the ratio, VirusTotal will open up in your browser, on a page with additional information about the specific malware.

In my opinion, you should review every process that is marked in red, and if the detection ratio is above 2/61, it's most likely an active malware process.

[Screenshot: Active Malware Process]

If you didn't find any malicious processes, let's expand the scope of the search and send every DLL loaded by each process to a VirusTotal scan.

Select View and enable "Show Lower Pane", or press Ctrl+L.

[Screenshot: Show Lower Pane]

Now, for every running process you select, the lower pane shows the related DLLs and their corresponding VirusTotal detection ratios.

[Screenshot: Related DLLs]

Now that we have detected a file that is identified as malware, we need to remove it.

Double-click each detected process and copy the process path and file name so you can delete the file at a later stage.

Paste each line into Notepad and save it for later.

[Screenshot: Process Path]

The next step is to suspend all the infected processes by right-clicking each one and selecting Suspend.

Suspending is very important because malicious software often consists of several instances that monitor each other's state: when you kill one process, another can restart it, take actions that help it hide, or even spawn a new process.

[Screenshot: Suspending Processes]

The action items are as follows:

  1. Suspend all identified malware processes.
  2. Monitor Process Explorer for a few minutes and watch for green lines, which represent a process that starts or restarts. If you see a new process, re-scan it with VirusTotal.
  3. Terminate all the suspended processes.
  4. Close and reopen Process Explorer and check for any process that VirusTotal identifies as malicious, to make sure you didn't miss anything.
  5. Erase each file from the locations you saved before.

[Screenshot: Kill Suspended Process]

Step 5 – Remove Malware Processes from Windows Auto Start

In most cases malware will configure itself to auto start when Windows loads or when a user logs on.

We will once again use a free Sysinternals tool: Autoruns.

Download Autoruns here.

[Screenshot: Download Autoruns]

Extract the downloaded Autoruns zip file with WinRAR or Windows Explorer.

[Screenshot: Extract Autoruns File]

Right-click "Autoruns.exe" and select "Run as administrator".

[Screenshot: Autoruns Run As Administrator]

Confirm the "User Account Control" dialog box for Autoruns.

[Screenshot: Confirm User Account Control Autoruns]

Now that the program is running you can see a list of applications that are scheduled to run when your computer powers up.

[Screenshot: Autoruns User Interface]

First, let’s change a few settings in the program.

Go to “Options” > “Scan Options”

[Screenshot: Autoruns Scan Options]

Check the two options "Verify code signatures" and "Check VirusTotal.com", then click "Rescan".

[Screenshot: Autoruns Rescan]

Removal protocol:

  1. Search for entries related to the files we removed in the previous stage via Process Explorer.
  2. Search for entries whose publisher is not recognized and/or not verified.
  3. Search for entries with a VirusTotal detection ratio above 2.

[Screenshot: Autoruns Entries Selection]

Now let's delete the auto-run entries that are related to the malware.

Right-click the entry, select "Delete" and confirm the deletion.

[Screenshot: Autoruns Entries Deletion]

Now it’s time to reboot your computer and repeat steps 4 and 5 making sure no other malicious process is running or scheduled to auto-run on startup.

Step 6 – Monitor Your Network Connections with TCPview

After we reviewed running processes and auto start processes, let’s monitor what your computer is doing with its network connection.

Download TCPView from Microsoft Sysinternals website.

[Screenshot: TCPView Download]

Go to your downloads folder and use WinRAR or Windows Explorer to extract TCPView from the downloaded ZIP file.

[Screenshot: TCPView Zip Extract]

Right-click Tcpview.exe and select “Run as administrator”.

[Screenshot: TCPView Run As Administrator]

[Screenshot: TCPView User Account Control]

Before we begin the test we should make sure that network background noise is as low as possible, so do the following before running TCPView again:

  1. Reboot your PC and wait for Windows to load completely.
  2. Close all running programs in the system tray (IM clients, antivirus, etc.).
  3. Close all browser windows and mail clients.
  4. Allow 5 minutes for the "old" network sessions to terminate.

[Screenshot: TCPView Close Traffic Clients]

When you open TCPView make sure you sort the table by “State”.

The only 2 states that interest us are the ESTABLISHED and LISTENING states.

[Screenshot: TCPView Established Listening]

Use common sense: look for suspect connections that could be part of a malware or unwanted program.

Watch this window for several minutes and see if green lines appear. They represent newly started connections.

What are we looking for?

Signs of a normal or safe connection:

  1. The remote address is from a known domain (e.g. windows.com).
  2. The protocol is TCPV6.

Signs of potentially harmful traffic:

  1. The remote address is a bare IP address or an unknown host name.
  2. You don't recognize the process name.

Following these rules, I highlighted the safe indicators in green and the indications of suspected malware in red.

[Screenshot: TCPView Review Traffic]

My example network classification shows one very suspicious process: ResideClient.exe.

At this point I can search for the file name on Google and see if the information I find allows me to reach a conclusion about this file.

I would also open Process Explorer and check the process's VirusTotal ratio and the company that signed the file.

If you decide to "kill" this process, follow the protocol from the Process Explorer section in Step 4: suspend first, and only then terminate.
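The classification rules above, written out as a small Python triage script over TCPView-style rows. This is an added example and not part of the original guide; the rows, the known-domain list and the known-process list are all constructed assumptions for the demonstration.

```python
"""Triage TCPView-style connection rows with the Step 6 rules.

Added example, not part of the original guide. Each constructed row mirrors
the TCPView columns the guide sorts by: process, PID, protocol, remote
address and state. Only ESTABLISHED and LISTENING rows are examined. An
established connection is flagged when its remote endpoint is a bare IP
address or a host outside KNOWN_DOMAINS, or when the process is not in
KNOWN_PROCESSES; both lists are assumptions for this example, not a vetted
reference, and a listening socket is judged by process name only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

LIVE_STATES = ("ESTABLISHED", "LISTENING")  # the only states the guide cares about

# Assumed allowlists: registered domains and process names treated as normal.
KNOWN_DOMAINS = {"windows.com", "microsoft.com", "a-msedge.net"}
KNOWN_PROCESSES = {"svchost.exe", "chrome.exe", "system"}


@dataclass
class Conn:
    process: str
    pid: int
    protocol: str  # TCP or TCPV6, as TCPView displays it
    remote: str    # remote host name, or an IP literal when reverse DNS failed
    state: str


# Constructed sample; ResideClient.exe is the suspect named in the guide.
SAMPLE_ROWS = [
    Conn("svchost.exe", 1204, "TCP", "a-0001.a-msedge.net", "ESTABLISHED"),
    Conn("chrome.exe", 5120, "TCPV6", "edge.windows.com", "ESTABLISHED"),
    Conn("ResideClient.exe", 3388, "TCP", "203.0.113.45", "ESTABLISHED"),
    Conn("updater.exe", 4100, "TCP", "cdn.unknown-host.example", "ESTABLISHED"),
    Conn("System", 4, "TCP", "0.0.0.0", "LISTENING"),
    Conn("chrome.exe", 5120, "TCP", "edge.windows.com", "TIME_WAIT"),
]


def is_ip_literal(remote: str) -> bool:
    """True when TCPView shows a raw IPv4/IPv6 address instead of a host name."""
    try:
        ipaddress.ip_address(remote.strip("[]"))
        return True
    except ValueError:
        return False


def registered_domain(host: str) -> str:
    """Last two labels of a host name (enough for the guide's 'known domain' rule)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def reasons(conn: Conn) -> List[str]:
    """Red flags for one row, in the order the guide lists them."""
    flags = []
    if conn.state == "ESTABLISHED":
        if is_ip_literal(conn.remote):
            # Caveat: CDNs and cloud hosts often lack reverse DNS, so this alone
            # is a prompt to look closer, not proof of malware.
            flags.append("remote endpoint is a bare IP address")
        elif registered_domain(conn.remote) not in KNOWN_DOMAINS:
            flags.append("remote host is not a known domain")
    if conn.process.lower() not in KNOWN_PROCESSES:
        flags.append("unrecognized process name")
    return flags


def triage(rows: List[Conn]) -> Tuple[List[Conn], List[Tuple[Conn, List[str]]]]:
    """Split rows into (safe, suspicious); suspicious rows carry their reasons."""
    safe: List[Conn] = []
    suspicious: List[Tuple[Conn, List[str]]] = []
    for conn in rows:
        if conn.state not in LIVE_STATES:
            continue  # TIME_WAIT, CLOSE_WAIT etc. are leftovers, not live sessions
        flags = reasons(conn)
        if flags:
            suspicious.append((conn, flags))
        else:
            safe.append(conn)
    return safe, suspicious


if __name__ == "__main__":
    safe, suspicious = triage(SAMPLE_ROWS)
    for conn in safe:
        print(f"green  {conn.process:18} {conn.state:12} {conn.remote}")
    for conn, flags in suspicious:
        print(f"red    {conn.process:18} {conn.state:12} {conn.remote}  ({'; '.join(flags)})")
```

A "red" row is the cue to go back to Process Explorer for the VirusTotal ratio and signer check, exactly as the text above describes.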

Step 7 – Malwarebytes Free Malware Scanner

In this step of my malware removal guide we are going to install and perform a manual scan with Malwarebytes free.

You can download the free version from the Malwarebytes website.

[Screenshot: Malwarebytes Free Download]

Start the installation process and follow this step-by-step guide.

First, confirm the "User Account Control" dialog.

[Screenshot: Malwarebytes User Account Control]

[Screenshot: Malwarebytes Select Setup Language]

[Screenshot: Malwarebytes Version Confirmation]

[Screenshot: Malwarebytes License Agreement]

[Screenshot: Malwarebytes Version Information]

[Screenshot: Malwarebytes Start Menu]

[Screenshot: Malwarebytes Destination Location]

[Screenshot: Malwarebytes Additional Tasks]

[Screenshot: Malwarebytes Ready To Install]

[Screenshot: Malwarebytes Exit Setup]

Now that the software is installed let’s set it up for optimal detection rates.

First thing we want to do is to update the malware protection database and update the software.

Click on "Current" to trigger a software update.

[Screenshot: Malwarebytes Software Update]

Now let’s go to “Settings” > “Protection”

And change the “Scan for rootkits” to ON.

[Screenshot: Malwarebytes Scan For Rootkits]

Now we are ready to start the Scan.

Select “Scan” > “Threat Scan”

And click “Start Scan”

[Screenshot: Malwarebytes Start Scan]

[Screenshot: Malwarebytes Scan In Progress]

When the scan is finished, you will see a list of threats identified by Malwarebytes.

Click on “Quarantine Selected” to remove the threats.

[Screenshot: Malwarebytes Quarantine Selected]

[Screenshot: Malwarebytes Restart Your Computer]

You can repeat this step to make sure no malware is detected and your computer is free from any unwanted files and processes.

Step 8 – Zemana Anti-Malware Scanner

In this step we are going to install and perform a manual scan with Zemana Anti-Malware.

You can download the free version from the Zemana website.

Select the “free download” option and tell your browser to accept the file download and keep the file before you run it.

[Screenshot: Zemana Website]

Start the installation process by running the file you just downloaded and follow the step-by-step guide below.

First, confirm the “User Account Control” dialog box.

[Screenshot: Zemana User Account Control]

[Screenshot: Zemana Select Setup Language]

[Screenshot: Zemana Setup Wizard]

[Screenshot: Zemana License Agreement]

[Screenshot: Zemana Destination Folder]

[Screenshot: Zemana Additional Tasks]

After this step the installation is finished; you can see the Zemana control panel running, and the auto-update is performed automatically without user intervention.

The Zemana user interface is very simple: just click "Scan" to initiate a full system checkup.

[Screenshot: Zemana Control Panel]

[Screenshot: Zemana Scanning]

When the scan is finished you will see a list of objects that are classified as harmful.

I suggest changing the action on all the files from "Quarantine" to "Delete all", then clicking the "Next" button to start the removal process.

[Screenshot: Zemana Malware Detected]

[Screenshot: Zemana Malware Removal Completed]

Zemana doesn't require a reboot.

However, at this stage I would always reboot the system and repeat the scan to make sure that Zemana doesn't detect additional threats.

Step 9 – HitManPro Malware Removal Tool

In this step we are going to install and perform a manual scan with HitManPro malware removal tool.

You can download the 30-day trial version from the HitManPro website.

For the purpose of malware removal, we can use the 30-day trial and remove the program after the disinfection.

Select the "free 30-day trial" option, allow your browser to accept the file download and save the file before you run it.

[Screenshot: HitmanPro Website]

Start the installation process by executing the file you just downloaded and follow the step-by-step guide below.

Confirm the “User Account Control” dialog.

[Screenshot: HitmanPro User Account Control]

[Screenshot: HitmanPro Install Scan]

[Screenshot: HitmanPro License Agreement]

[Screenshot: HitmanPro One-time Scanning]

[Screenshot: HitmanPro Scanning]

HitManPro will immediately detect all known malware and select the delete option by default for all found items.

Please bear in mind that by default it will also delete all the tracking cookies in your browser. Deleting them isn't essential, because most of them are session-based advertising cookies, but it wouldn't do any harm either.

If you are ok with the default selection just click next and HitManPro will remove all the detected objects from your PC.

[Screenshot: HitmanPro Malware Detected]

At this point, HitManPro will aggressively push you to buy a license but you can continue using the free license for 30 days by selecting the free option.

[Screenshot: HitmanPro Activate Free License]

It will prompt you to input an email address.

It’s up to you if you want to use your primary email address or a separate email that you use for online registration.

From our experience, it will not use your email for shady marketing campaigns but it will try to offer you the full version.

This is a legitimate trade-off when you receive a free service.

[Screenshot: HitmanPro Activate Email]

No need to enter any product key as you are already in trial mode.

[Screenshot: HitmanPro License Active]

[Screenshot: HitmanPro Removal Results]

Restart your PC to complete the removal process.

[Screenshot: HitmanPro Restart Your PC]

Step 10 – Reset Browser Settings

Even if you removed the malware in a previous stage, we should make sure that it didn't change the settings of your favorite browser.

The best way is to do a full reset of the browser settings.

Go to Chrome Settings:

Click the menu icon next to the address bar and select “Settings”

[Screenshot: Chrome Settings]

Scroll down and select “Show advanced settings”

[Screenshot: Chrome Show Advanced Settings]

Again, scroll down all the way to the bottom and click on “Reset settings”

[Screenshot: Chrome Reset Settings]

Confirm the dialog box by clicking “reset”

[Screenshot: Chrome Reset Dialog Box]

You can now close your Chrome browser.

When you reopen it, all the settings will be configured to their default states.

This should be done on all your active browsers (Firefox/Internet Explorer/Edge/Safari/Opera).

Step 11 – Remove all Browser Extensions

Browser extensions face less scrutiny than other software even though they gain access to key areas of your computer.

The safest way to make sure an installed extension isn't the source of a problem is to remove all extensions and add them back one by one, making sure they are not the source of the issues you're experiencing.

Go to Chrome Settings again:

Click the menu icon next to the address bar and select “Settings”, then navigate to “More tools” > “Extensions”.

[Screenshot: Chrome Remove Extensions]

Click the “remove from chrome” trash icon to remove every single extension.

[Screenshot: Chrome Remove Icon]

[Screenshot: Chrome Remove Confirm]

Once you have removed all the extensions, close and reopen Chrome and make sure that no installed extensions are left.

Repeat this step for Firefox, Microsoft Edge and any other browser you’re using.

At a later stage, after your PC is clean, you can add your favorite extensions one by one while making sure that they’re not the reason for your security problems.

Step 12 – Is Something Poisoning Your DNS Service?

DNS (Domain Name System) is the service that translates host names to IP addresses, and sometimes malware manipulates this service to serve you a different website from the one you intended to open.

In some cases, malware uses this technique to block security-related sites.

There are two methods of disturbing DNS traffic:

The first is changing your Windows hosts file, and the second is controlling or manipulating the responses you receive from your external DNS provider (Step 13).

In order to view and edit your hosts file we need to open Notepad with "Run as administrator".

[Screenshot: Windows Hosts Notepad Run As Administrator]

[Screenshot: Windows Hosts Notepad User Account Control]

[Screenshot: Windows Hosts Notepad Open]

Select file hosts in C:\Windows\system32\drivers\etc after changing the file type to “All Files (*.*)”

[Screenshot: Windows Hosts Notepad Hosts]

This is an example of a “clean” hosts file without any active DNS records.

All the lines begin with the # character which tells the operating system to ignore the text/command in that specific line.

If your hosts file is clean you can skip to the next step.

[Screenshot: Windows Clean Hosts File]

Here's an example of an "infected" hosts file.

You will see one or more lines that don't begin with # and that block or redirect your requests for the listed domains.

[Screenshot: Windows Infected Hosts File]

Simply erase the records and save the hosts file.

Then you can access the sites that were blocked by the hosts file.

[Screenshot: Windows Save Hosts File]
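The hosts file check described in this step, as an added Python example that is not part of the original guide. It applies the same rule as the text (comment lines and the standard localhost entries are fine, any other active record is suspect), distinguishes records that block a name from records that redirect it, and prints the cleaned file you would save. The sample hosts content is constructed for the example.

```python
"""Audit a Windows hosts file for active records, as Step 12 describes.

Added example, not part of the original guide. It parses the hosts file
format shown above, treats comment lines and the standard localhost
entries as benign, and reports every other active record as a "block"
(the name points at a loopback or 0.0.0.0 address) or a "redirect" (the
name points anywhere else). SAMPLE_HOSTS is constructed for this example;
run with a path argument to audit a real file, e.g. the Windows default
C:\\Windows\\System32\\drivers\\etc\\hosts.
"""
import ipaddress
import sys
from dataclasses import dataclass
from typing import List

# Constructed sample of an "infected" hosts file: Microsoft-style comments,
# the default localhost lines, two blocking records and one redirect.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#    102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
::1             localhost
0.0.0.0         www.antivirus-vendor.example   # constructed: blocks a vendor site
127.0.0.1       update.security-tool.example
198.51.100.23   www.bank.example online.bank.example  # constructed redirect
"""

# Names Windows itself maps to loopback; anything else on loopback is a block.
LOCALHOST_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


@dataclass
class HostsRecord:
    line_no: int
    address: str
    hostnames: List[str]
    kind: str  # "localhost", "block" or "redirect"


def parse_hosts(text: str) -> List[HostsRecord]:
    """Return every active (non-comment) record, classified."""
    records = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()  # drop inline and full-line comments
        if not body:
            continue  # blank or comment-only line: Windows ignores it too
        fields = body.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first token is not an address: malformed, ignored
        names = fields[1:]
        if not names:
            continue
        if addr.is_loopback or addr.is_unspecified:
            kind = "localhost" if all(n.lower() in LOCALHOST_NAMES for n in names) else "block"
        else:
            kind = "redirect"
        records.append(HostsRecord(line_no, str(addr), names, kind))
    return records


def suspicious_records(text: str) -> List[HostsRecord]:
    """Records the guide says to erase: everything that is not a localhost entry."""
    return [r for r in parse_hosts(text) if r.kind != "localhost"]


def cleaned_hosts(text: str) -> str:
    """Rebuild the file keeping only comments, blank lines and localhost entries."""
    keep = {r.line_no for r in parse_hosts(text) if r.kind == "localhost"}
    out = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.split("#", 1)[0].strip() or line_no in keep:
            out.append(raw)
    return "\n".join(out) + "\n"


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    findings = suspicious_records(text)
    for r in findings:
        print(f"line {r.line_no}: {r.kind:8} {r.address} -> {', '.join(r.hostnames)}")
    print(f"{len(findings)} suspicious record(s); cleaned file would be:\n{cleaned_hosts(text)}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status means there is something to erase; review each reported line before saving the cleaned file, since some corporate or development setups add legitimate hosts entries.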

Step 13 – Change DNS Settings

Instead of changing your hosts file, some malware directly takes control of your internet gateway, which in most home networks is a network router or a Wi-Fi gateway.

So instead of controlling your PC, it controls your gateway to the internet and can manipulate your DNS traffic.

To make sure this is not the case, you can temporarily change your DNS setting to Google's DNS server address (8.8.8.8) and see if the problem disappears when your router or DNS provider is bypassed.

Open “Network and Sharing Center”

[Screenshot: Windows Network And Sharing Center]

[Screenshot: Windows Change Adapter Settings]

Right-click the network interface that is enabled (the one without the red X).

If you are not sure which one to select, disconnect your network cable and see which one changes its status after a few seconds.

[Screenshot: Windows Change Adapter Properties]

Double click “Internet Protocol Version 4 (TCP/IPV4)”

[Screenshot: Windows Change Adapter TCP Properties]

Change the DNS Setting and set the IP to 8.8.8.8 and confirm the change by clicking OK on all windows.

[Screenshot: Windows New Adapter TCP Properties]

Test your internet connection: open several sites and check that their DNS names resolve.

If the problem disappears, you have just confirmed that it is related to your router.

You should reset your router to factory settings, update your router’s firmware, and change the administration password ASAP.

The steps to perform these actions depend on the make and model of your router.

For the exact steps, search Google for the make and model of your router along with the relevant question.

For example: how to update firmware of NetGear router

After you have finished, don't forget to change the DNS settings back to "Obtain DNS server address automatically".

Step 14 – Restore from Backup or Reset Your OS

If you have reached this step and still haven't managed to eliminate the malware, we will have to move to non-conventional weapons: reset your Windows OS to factory defaults or restore your system from an uninfected backup.

Before you do this, be 100% sure that the issues aren't caused by hardware problems or heating/ventilation issues in your computer case.

If you are going to restore your computer or reset it, make sure to back up your data files to an external hard drive before performing this irreversible action.

System reset is a new feature on Windows 10 and you can’t do it in older Windows versions.

Windows Reset This Pc


If you have a backup, you can do a full system restore; the exact procedure depends on the backup format you have.

Step 15 – Nuke from Orbit: Clean Windows Installation

If you don’t have a backup and you're not using Windows 10, your only hope is to reinstall Windows and reformat your hard drive.

Again, don’t forget to back up your static files (documents and pictures) to an external hard drive or to the cloud before you begin the installation.

Just make sure you scan those files with an up-to-date anti-virus engine before copying them back to your newly installed Windows system, otherwise you may reintroduce the infection.

Install Windows


Step 16 – Protect Yourself Online

If you have reached this step, you're probably pretty weary from reading this seemingly endless malware removal guide.

This step is the most important one!

"An ounce of prevention is worth a pound of cure."     ~ Benjamin Franklin

This is still true today, and especially when it comes to cyber security.

Follow these steps to minimize the risk of infections, and to mitigate damages should such an infection occur:

  1. Backup – I would suggest having 2 sets of backups: one in the cloud and one on a physical removable drive that is disconnected from any network.
  2. Update your OS – make sure your Windows is activated and configured to download and install new updates automatically.
  3. Antivirus – install one of the top antivirus products and make sure your decision is based on our independent lab test scores calculator.
  4. Second opinion malware scanner – install Malwarebytes free or pro; if you go for the free version, make sure you remember to perform a weekly manual scan.
  5. Once again, backup.

For a thorough explanation of these steps and additional tips for preventing malware infections, read this article.

We welcome everyone to help us extend and improve this malware removal guide. If you have any steps that you think we should add or modify, please feel free to drop us a line.

Lastly, if you found this guide helpful please share it, or at least bookmark it for future reference. Although we hope that you will never need it again!

By Ami Zivov

A cyber-security expert and researcher

A cyber-security expert with many years of experience in the field. Ami does the majority of our hands-on testing, he writes and contributes to our antivirus reviews, and he leads the innovation for improving our readers’ experience on the site.
