Malware is short for 2 words: Malicious and Software, but this is the only part that is short about this malware removal guide and I’m going to take you step-by-step on a seek and destroy mission to rid you of your malware infection.
A malware is a software or a script that is created by a black hat group with the objective of disrupting your computer’s stability, gathering and distributing sensitive and private information and turning a profit in the process.
You may be infected by visiting a rouge site or opening malicious email attachments. It may be in the form of a file, code, script or bundled with a legit software package.
Malware spans many formats and the most popular ones are ransomware, worms, Trojan horses, rootkits and adware.
It is not easy to determine if your computer is infected by malware or if an issue is caused by other reasons such as a hardware problem or corrupt system files.
The “black hat” guys are on top of their game and they constantly monitor defensive techniques, learn from past mistakes and evolve their cyber-weapons in a way that is not so easy to detect at first glance.
This is and always will be a never-ending game of cat and mouse and your goal is to be the strongest link in the chain so that hackers go after weaker users who are less aware of cyber security and don’t take basic prevention measures to protect their computing and digital assets.
Before we discuss how to remove malware, let's review a few examples of PC behavior (symptoms) that might indicate you've been infected:
So if you experience one or more of the above symptoms, follow this step-by-step malware removal guide and terminate the malware infection.
This is our main and ongoing tutorial for users that have a malware infection on their Windows PC.
We get a lot of questions from users asking us what to do if they're infected by malware, so we decided that this question should be addressed separately with a dedicated and easy to follow tutorial.
This is why I made this tutorial to be as simple as possible and why each stage is carefully documented by screenshots.
It must be very clear even to an extremely non-technical user.
I will update this tutorial when new tools are available online or when new defense or research tools are available for malware detection and removal.
From my experience, unless you are a high-profile figure and you don’t work for any government agencies this protocol will eliminate most known malware types.
From time to time we see 0-day malware that can’t be detected with traditional tools but the chances that you will get this type of unknown malware is very slim if you follow our guidelines.
If you have more steps in mind that you think we should add to this tutorial or if you find any mistakes, please drop us a line and we promise to update this malware removal guide immediately.
Some malware infections are time sensitive because they’re waiting in the background for a right time to do their nasty thing or download a new payload with new malware and a new distraction task.
By disconnecting your PC from the internet and network you give yourself time to regroup and start thinking about what you should do next. Not to mention that if you are connected to a network with more computers and servers they can be infected by your own compromised PC.
Disconnection of your PC from the network can be done physically by disconnecting your network cable or if you are connected via Wi-Fi you should erase you Wi-Fi credentials and make sure you are disconnected from the Wi-Fi network.
This is a very smart step in case you have ransomware or you have very sensitive information on your PC and you don’t want to take any chances with the malware removal process which can be based on trial and error.
This step is not a mandatory part of the removal process and some users decide to skip it but I say that if you have the right hardware available, invest the extra 15 minutes and do it.
What you should do is power off your PC and connect a secondary disk to your computer. This disk should be empty and at least of the same capacity as your infected main disk (or bigger).
You can connect it to a secondary empty SATA port or any other supported connection (i.e. a USB port for external hard drives).
Then, you should boot from a CD or USB drive with one of the following cloning programs:
When cloning the disk, I recommend to select “disk” to “disk” imaging so you will end up with 2 disks that are exactly the same (both are infected with malware)
When you finish the cloning process make sure you disconnect the new backup hard-disk and store it in a secure offline location.
What is the logic behind having 2 disks that are exactly the same?
If you can’t login to your Windows or you get black or blue screen errors, then we need to find a way to boot your PC in safe mode.
In case you are able to login you can skip this step of my malware removal guide.
While your PC is disconnected from the internet, try to boot it up.
Every operating system is different but the method of entering windows safe mode is to interrupt the boot sequence of your PC after you power it on.
When you enter safe mode on Windows 10 it will load the minimal amount of resources (programs and drivers) needed for you to gain access to the operating system.
Hopefully the malicious process will not be loaded in the first place and then you can clean it without interruption.
On older versions of windows, you could press the F8 key during startup in order to get access to the safe mode selection.
Windows 10 is a very fast operating system and it is very difficult to mange to hit the F8 key at the precise time, and it’s almost impossible to do it on a fast PC with an SSD hard drive.
So a workaround would be to power your PC and after you see the “Blue Screen” or any other error page hold the Power Button to force shutdown of your PC.
Then, turn it back on and wait for the BSOD (Blue Screen of Death) to appear.
Repeat this process until you will get the Recovery screen. Normally, you have to do this 3 times in a row to trigger this recovery window.
When you see this screen select “See advanced repair options” and continue according to the screenshots below:
Click “4” to access Safe Mode
Windows will now load with the minimal user interface and drivers and you should see now the “safe mode” desktop.
Now we can actually start removing malware from your PC by moving to the next step.
In the next steps you will need to download several tools from the internet.
In safe mode there are 2 alternative ways to accomplish it:
Process Explorer is a free and very powerful task manager and system monitoring tool.
It is part of Microsoft’s Sysinternals toolkit.
You get a very slick set of tools that are not part of the built-in Windows process monitor.
VirusTotal is a web service that aggregates multiple malware scan engines on one centralized platform. If you upload a file for inspection to VirusTotal it will use a database of more than 60 Antivirus engines to classify this file.
The combination of Process Explorer and VirusTotal provide you an easy-to-use interface for inspecting all the open process by the majority of the Anti-Virus vendors in one click.
The results come in instantly!
Start by reconnecting your PC to the network and turn it on.
Then, follow the steps below to download and Process Explorer and extract it from the zip file.
Go to Microsoft’s downloads site and download Process Explorer by clicking the highlighted download link and saving the file to your downloads folder.
Right click the ProcessExplorer.zip file and select “extract here” in case you have the WinRAR software installed on your computer. (you can also use windows explorer for the same task)
Right click procexp.exe and select “Run as administrator”.
Select Yes in case a UAC (user account control) warning pops up.
When Process Explorer opens for the first time you will see how many processes are active and the company or vendor associated with each process.
So if you see a suspicious name on that list, that is a sign that you might be infected with malware.
Now, let’s enable the VirusTotal integration in Process Explorer.
When you enable it, Process Explorer will create a signature for each running process and send this signature to VirusTotal for inspection.
In turn VirusTotal will scan this signature with more than 60 Anti-Virus and malware engines.
Select Options > VirusTotal.com > Check VirusTotal.com
Accept the VirusTotal Terms of Service by clicking “Yes”.
Again go to Options > VirusTotal.com and enable “Submit Unknown Executables”:
This may take a few seconds depending on how many processes are running, but you should see a new column with the name VirusTotal appear.
In this column you will see the detection ratio, a number that represent the ratio between the number of antivirus engines which detected a process as malware and the total number of engines that scanned it.
In this case when scanning our Lab PC, you can see that most process got the 0/62 detection ratio, we’d like to see this on every process.
But if you look closely you will see a process with a 6/61 detection ratio, which means that this is potentially a malicious process.
This is definitely a potential candidate for removal.
If you click on the ratio, VirusTotal will open up in your browser, on a page with additional information about the specific malware.
In my opinion, you should review every process that is marked in red and if the detection ratio is above 2/61, it’s most likely an active malware process.
In case you didn't find any malicious processes, let’s expand the scope of the search and send every DLL behind each process to a VirusTotal scan.
Select View and enable “Show lower pane” or click Ctrl+L
And now for every running process you select you will get a new view on the lower pane with the related DLL and their corresponding detection ratio at VirusTotal.
Now that we detected a file that is identified as a malware we need to remove it.
Double click each detected process and copy the process path and the file name in order to delete the file at a later stage.
Paste each line in Notepad and save it for later.
Next step is to suspend all the infected processes by right clicking each process and selecting Suspend.
Suspending is very important because often, malicious software contains several instances that monitor the operation state of each other and when you kill one process, another process can restart it or do some tasks that will help him hide itself or even generate a new process.
The action items are as follows:
In most cases malware will configure itself to auto start when Windows loads or when a user logs on.
We will once again use a free Sysinternals tool: Autoruns.
Extract the downloaded Autoruns zip file with WinRAR or Windows Explorer.
Right-click “Autoruns.exe” and select “Run as administrator”.
Confirm “User Account Control” dialog box for Autoruns.
Now that the program is running you can see a list of applications that are scheduled to run when your computer powers up.
First, let’s change a few settings in the program.
Go to “Options” > “Scan Options”
Check the 2 options “Verify code signatures” & “Check VirusTotal.com” and click on ”Rescan”.
Now let’s delete the auto run entries that are related to the malware.
Right click the entry, select “delete” and confirm the deletion.
Now it’s time to reboot your computer and repeat steps 4 and 5 making sure no other malicious process is running or scheduled to auto-run on startup.
After we reviewed running processes and auto start processes, let’s monitor what your computer is doing with its network connection.
Download TCPView from Microsoft Sysinternals website.
Go to your downloads folder and use WinRAR or Windows Explorer to extract TCPView from the downloaded ZIP file.
Right-click Tcpview.exe and select “Run as administrator”.
Before we begin the test we should make sure that network background noise is as low as possible, so let’s do the following before running TCPView again.
When you open TCPView make sure you sort the table by “State”.
The only 2 states that interest us are the ESTABLISHED and LISTENING states.
Use common sense: look for suspect connections that could be part of a malware or unwanted program.
Watch this window for several minutes and see if green lines appear. They represent newly started connections.
What are we looking for?
Signs of a normal or safe connection:
Signs of potentially harmful traffic
Following these rules, I highlighted the safe indicators in green, and indications of suspected malware in red.
My example network classification shows one very suspicious process: ResideClient.exe
At this point I can search the file name on Google and see if the information I find allows me to reach a conclusion about this file.
I would also open Process Explorer and check the process’s VirusTotal ratio and company name that signed this file.
If we decide to “kill” this process, you should follow the protocol mentioned in the Process Explorer section in step 4: suspend first, and only then kill.
In this step of my malware removal guide we are going to install and perform a manual scan with Malwarebytes free.
You can download the free version from the Malwarebytes website.
Start the installation process and follow this step-by-step guide.
First confirm the “User Account Control” dialog
Now that the software is installed let’s set it up for optimal detection rates.
First thing we want to do is to update the malware protection database and update the software.
Click on “Current” to trigger software update.
Now let’s go to “Settings” > “Protection”
And change the “Scan for rootkits” to ON.
Now we are ready to start the Scan.
Select “Scan” > “Threat Scan”
And click “Start Scan”
When the scan is finished, you will see a list of threats identified by Malwarebytes.
Click on “Quarantine Selected” to remove the threats.
You can repeat this step to make sure no malware is detected and your computer is free from any unwanted files and processes.
In this step we are going to install and perform a manual scan with Zemana Anti-Malware.
You can download the free version from the Zemana website.
Select the “free download” option and tell your browser to accept the file download and keep the file before you run it.
Start the installation process by running the file you just downloaded and follow the step-by-step guide below.
First, confirm the “User Account Control” dialog box.
After this step the installation is finished and we can see Zemana Control panel running and auto update is preformed automatically without user intervention.
The Zemana user interface is very simple and you just need to click on “Scan” to initiate a full system checkup.
When the scan is finished you will see a list of objects that are classified as harmful.
I suggest that to change the action on all the files from “Quarantine” to “delete all”, and click the “next” button to start the removal process.
Zemana doesn't require a reboot.
However, at this stage I would always reboot the system and repeat the scan to make sure that Zemana doesn't detect additional threats.
In this step we are going to install and perform a manual scan with HitManPro malware removal tool.
You can download the 30 days trial version from the HitManPro website.
For the purpose of malware removal, we can use the 30 days’ trial and remove the program after the disinfection.
Select the “free 30-day trial” option and allow your browser to accept the file download and save the file before you try to run it.
Start the installation process by executing the file you just downloaded and follow the step-by-step guide below.
Confirm the “User Account Control” dialog.
HitManPro will immediately detect all known malware and select the delete option by default for all found items.
Please bear in mind that by default it will also delete all tracking cookies you may have in your browser. It’s not as important to delete them because most of them are session based cookies related to advertising, but it also wouldn’t do any harm.
If you are ok with the default selection just click next and HitManPro will remove all the detected objects from your PC.
At this point, HitManPro will aggressively push you to buy a license but you can continue using the free license for 30 days by selecting the free option.
It’s up to you if you want to use your primary email address or a separate email that you use for online registration.
From our experience, it will not use your email for shady marketing campaigns but it will try to offer you the full version.
This is a legitimate trade-off when you receive a free service.
No need to enter any product key as you are already in trial mode.
Restart your PC to complete the removal process.
Even if you removed the malware in a previous stage we should make sure that the malware didn’t change the settings of your favorite browser.
The best way is to do a full reset to browser setting.
Go to Chrome Settings:
Click the menu icon next to the address bar and select “Settings”
Scroll down and select “Show advanced settings”
Again, scroll down all the way to the bottom and click on “Reset settings”
Confirm the dialog box by clicking “reset”
You can now close your chrome browser.
When you reopen it, all the settings will be configured to their default states.
This should be done on all your active browsers (Firefox/Internet Explorer/Edge/Safari/Opera).
Browser extension face less scrutiny than other software even though they gain access to key areas of your computer.
The safest way to make sure an installed extension isn’t the source of a problem is to remove all extensions and add them one by one making sure they are not the source of the issues you’re experiencing.
Go to Chrome Settings again:
Click the menu icon next to the address bar and select “Settings”, then navigate to “More tools” > “Extensions”.
Click the “remove from chrome” trash icon to remove every single extension.
Once you remove all the extensions close and open chrome and make sure that no installed extensions are left.
Repeat this step for Firefox, Microsoft Edge and any other browser you’re using.
At a later stage, after your PC is clean, you can add your favorite extensions one by one while making sure that they’re not the reason for your security problems.
DNS (Domain Name System) is a service that translates URL names to IP address and sometimes malware manipulates this service to serve you different website from the one you intended to open.
In some cases, malware uses this technique to block security related sites.
There are 2 methods to disturb DNS traffic:
The first one is changing your Windows Hosts file and the second one is controlling or manipulating the response you receive from your external DNS provider (step 13).
It orders to view and edit your Hosts file we will need to open notepad in “Run as administrator” mode.
Select file hosts in C:\Windows\system32\drivers\etc after changing the file type to “All Files (*.*)”
This is an example of a “clean” hosts file without any active DNS records.
All the lines begin with the # character which tells the operating system to ignore the text/command in that specific line.
If your hosts file is clean you can skip to the next step.
Here’s an example of an “infected” hosts file.
You will see one or more lines with records that don’t have # in the beginning that block or redirect your requests to the listed domains.
Simply erase the records and save the hosts file.
Then you can access the sites that were blocked by the hosts file.
Instead of changing your Hosts file, some malware can directly take control of your internet gateway or what most home networks have - a network router or a Wi-Fi gateway.
So instead of controlling your PC, they control your gateway to the internet and can manipulate your DNS traffic.
In order to make sure this is not the case you can temporally change your DNS setting to Google’s IP address (18.104.22.168) and see if the problem disappears by bypassing your router or DNS provider.
Open “Network and Sharing Center”
Right click the network interface that is enabled (the one without the red X)
If you are not sure which one you should select, disconnect your network cable and see which one is changing his status after few seconds.
Double click “Internet Protocol Version 4 (TCP/IPV4)”
Change the DNS Setting and set the IP to 22.214.171.124 and confirm the change by clicking OK on all windows.
Test your internet connection and open several sites and test your DNS resolving.
If the problem disappears then you just confirmed that the problem is related to your router.
You should reset your router to factory settings, update your router’s firmware, and change the administration password ASAP.
The steps to perform these actions depend on the make and model of your router.
For the exact steps search the make and model of your router on Google along with the relevant question.
For example: how to update firmware of NetGear router
After you finished, don't forget to change the DNS settings back to "Obtain DNS server address automatically".
If you reached this step and still didn't manage to eliminate the malware, we will have to move to non-conventional weapons and reset your Windows OS to factory defaults or to restore your system from an uninfected backup.
In case you are going to restore your computer or reset it make sure to back up your data files to an external hard drive before performing this irreversible action.
System reset is a new feature on Windows 10 and you can’t do it in older Windows versions.
If you have back up, then you can do a full system restore depending on the backup format you have.
If you don’t have a backup and you're not using Windows 10, your only hope is to reinstall Windows and reformat your hard drive.
Just make sure you scan your files with up-to-date anti-virus engine before copying them back to your newly installed Windows system.
if you reached this step, you're probably pretty weary from reading this seemingly endless malware removal guide.
This step is the most important one!
"An ounce of prevention is worth a pound of cure." ~ Benjamin Franklin
This is still true today, and especially when it comes to cyber security.
Follow these steps to minimize the risk of infections, and to mitigate damages should such an infection occur:
For a thorough explanation of these steps and additional tips for preventing malware infections, read this article.
We welcome everyone to help us extend and improve this malware removal guide. If you have any steps that you think we should add or modify, please feel free to drop us a line.
Lastly, if you found this guide helpful please share it, or at least bookmark it for future reference. Although we hope that you will never need it again!
We promise to only send really good deals and important updates. No spam.