The truth is that it's a lot easier to keep a computer malware free
than it is to clean one that is already infected. However, with the
advice given in this article you should be able to remove any type of
malware from your computer and get it back to working order. The main
problem with most malware removal guides is that you have no way of
knowing if all of the infections were removed. However, with my approach
you can easily tell if even just running a single scanner was able to
entirely clean the infection. Thus, this can save you the hassle of
having to run many different scanners and the uncertainty of whether
your computer is really malware free.
Make sure you follow this article in order so as to clean the
infections with as little work as possible. The idea is that most people
won't have to go any further than the first approach in order to clean
their computers of active malware. Thus, effectively this article is
actually much shorter than it appears to be.
However, before attempting to remove any infected files you should
first back up all important files. These may include documents,
pictures, videos, etc... This way if anything goes wrong with the
cleaning process, which is a very real possibility, your important
documents will still be intact. However, do not include any program
files as it is possible that these may be infected. Please note that if
your computer cannot boot you should follow the advice on
this page
in order to back up all important files. Also, while cleaning the
computer it's important to remember that all scanners can sometimes be
guilty of
false positive detections.
Therefore, before removing any files which you believe could possibly
be safe, you should check them using the methods I discuss in
How to Tell if a File is Malicious.
Index
1. Make Sure Computer Is Actually Infected
2. How To Clean Your Computer And Make Sure It's Actually Clean
A) Clean Computer With CCE and TDSSKiller
B) If Still Not Clean Then Scan With HitmanPro, Malwarebytes, And Emsisoft Anti-Malware
C) If Needed Try These More Time Consuming Methods
D) If Necessary Make A Bootable Disk
3. What To Do If The Above Methods Are Unable To Clean Your Computer
4. What To Do After All Malware Is Confirmed To Be Removed
1. Make Sure Computer Is Actually Infected
Before attempting to clean any infections from your computer it's
important to make sure that the computer is actually infected. To do
this please follow the advice I give in
How to Know If Your Computer Is Infected.
If the results of this do in fact show that your computer is infected
then continue to follow the steps in the next section. Make sure that
you follow them in order.
2. How To Clean Your Computer And Make Sure It's Actually Clean
Please note that advanced users may just want to skip to the last part about how to
Make A Bootable Disk and
clean the computer that way. This approach is the one which is most
powerful, but it is also one of the more time consuming approaches. That
said, if you wish you can jump directly to that section and then come
back to the beginning again if the infection is not entirely removed.
A) Clean Computer With CCE and TDSSKiller
Download Comodo Cleaning Essentials (CCE).
Make sure to select the correct version for your operating system. If
you're not sure if your computer is running a 32 or 64 bit operating
system then please see
this FAQ. Also, download Kaspersky TDSSKiller .
Note that if neither will not download correctly, or your internet
connection is not working, you should download them on another computer
and transfer them to the infected one via a flash drive. Make sure there
were no other files on the flash drive. Be careful with the flash drive
as the malware may actually infect it when you plug it into the
computer. Thus, don't plug it into any other computers after
transferring these programs. Also, I would like to point out that both
programs are portable. This means that once you're done using them no
uninstall is required. Just delete their folders and they will be gone.
After downloading CCE unzip the file, open the folder for CCE, and
double click on the file called CCE. This will open the main program for
Comodo Cleaning Essentials. If it refuses to open then hold down the
shift key and, while still holding it down, double click on the file
called CCE. After CCE has successfully opened you can let go of the
shift key. However, do not let go of it until the program has fully
loaded. If you let go of it even during the UAC popup it may not be able
to forcefully open correctly. Holding down shift should allow it to
open, even on heavily infected computers. It does this by killing most
of the unnecessary processes that could be interfering with its launch.
If it still will not launch then download and run a program called
RKill. This program will terminate known malicious processes. Thus, after running it CCE should be able to open fine.
Once it's opened perform a "Smart Scan" with CCE and quarantine
anything it finds. This program also scans for system changes which may
have been caused by malware. These will be shown with the results. I
would advise letting it fix these as well. Restart your computer when
prompted. After the computer restarts run Kaspersky TDSSKiller, perform a
"Smart Scan", and quarantine anything it finds. If anything was
quarantined restart your computer once more.
Also, if your internet connection was previously not working please
check again to see if it is now working. If not then you should go to
this section of
my guide about How to Fix a Malware Infected Computer and follow the
advice given to fix your internet connection. A working internet
connection is required for the remaining steps of this section.
Once you have verified that your internet connection is working,
again open CCE. Hopefully it will open up normally this time, but if not
then open it while holding down shift. Then open up KillSwitch from the
tools menu in CCE. In KillSwitch, select the option to "Hide Safe
Processes" from the "View" menu. Then right click on all processes which
are flagged as suspicious or dangerous and select the option to delete
them. You should also right click on any unknown processes that remain
and select the option to "Kill Process".
Do not delete processes flagged as FLS.Unknown. Next,
open up Comodo Autoruns from the tools menu in CCE, and select the
option to "Hide Safe Entries" from the "View" menu. Then disable any
entries belonging to files which are flagged as suspicious or dangerous.
You can do this by making sure the check box next to the entries is
unchecked. You should also disable any entries flagged as FLS.Unknown,
but which you believe likely belong to malware.
Do not delete any entries.
Now restart your computer. After it reboots, again check your computer using the advice I give in
How to Know If Your Computer Is Infected. If all is well then you can skip to the section about
What To Do After All Malware Is Confirmed To Be Removed.
Remember that a disabled registry entry is not a risk. Also, note that
even if your computer is found to be clean of active infections there
could still be pieces of malware on your computer. These are not
dangerous, but don't be surprised if running another scanning program
still detects malware on your computer. These are the inactive remnants
of what you have just removed. If you are not comfortable having these
remnants on your computer then you can remove the vast majority of them
by scanning with the programs in the next section.
However, if your computer is not yet clean of active infections, but
at least one of the programs was able to run, then go through the steps
outlined in this section once more and see if that is able to remove the
infections. However, if neither program was able to run please continue
to the next section. In addition, if even following the advice in this
section a second time is not enough to clean your computer you should
continue to the
next section.
B) If Still Not Clean Then Scan With HitmanPro, Malwarebytes, And Emsisoft Anti-Malware
If the above steps failed to fully remove the infections then you should download HitmanPro Install the program and run a "Default Scan". Note that if it will not
install please continue to the next paragraph and install Malwarebytes.
During the installation of HitmanPro, when asked I would recommend you
choose the option to only perform a one-time check of the computer. This
should be suitable for most users. Also, if malware prevents it from
loading correctly then open the program while holding down the CTRL key
until the program is loaded. Quarantine any infections it finds. Please
note that this program will only be able to remove infections for 30
days after it is installed. During removal you will be asked to activate
the trial license.
Once all detected infections are removed by HitmanPro, or if Hitman
Pro refused to install, you should download the free version of
Malwarebytes
Note that it has chameleon technology which should allow it to even
install on computers which are heavily infected. During installation I
would advise that you uncheck the box to "Enable free trial of
Malwarebytes Anti-malware Pro". Make sure that it is fully updated and
then run a quick scan. Quarantine any infections that it finds. If asked
by either program to restart your computer, make sure that you restart
it.
Next download Emsisoft Emergency Kit
.
Once it's finished downloading, extract the contents from the zip file.
Then double click on the file called "start" and open the "Emergency
Kit Scanner". When prompted allow it to update the database. Once it's
updated select the option to go "Back To Security Status". Then go to
"Scan now" and select the option to perform a "Smart Scan". Once the
scan is complete quarantine all detected items. Restart whenever
required.
After scanning your computer with these programs you should restart
your computer. Then once again check your computer using the advice I
give in
How to Know If Your Computer Is Infected. If all is well then you can skip to the section about
What To Do After All Malware Is Confirmed To Be Removed.
Remember that a disabled registry entry is not a risk. However, if your
computer is not yet clean then go through the steps outlined in this
section once more and see if that is able to remove the infections. If
the programs in part A of this section were previously not able to run
correctly you should go back and try and run them again. If none of the
above programs were able to run correctly please boot into Safe Mode
with Networking and try scanning from there. However, if they were able
to run correctly, and threats still remain even after following the
advice in this section a second time, then you should continue to the
next section.
C) If Needed Try These More Time Consuming Methods
If the above steps were not able to completely remove the infection
then you likely have some very inhospitable malware inhabiting your
machine. Thus the methods discussed in this section are much more
powerful, but will take much longer to complete. The first thing I would
advise doing is to scan your computer with another anti-rootkit scanner
called GMER. It can be downloaded from Remove anything shaded in red. Make sure you do click on the Scan
button once the program has finished its quick analysis of the system.
Also, if you're running a 32 bit operating system you should download a
program to scan for and remove the ZeroAccess rootkit. Information about
this rootkit, and a link to a program to remove it from 32 bit systems
. The AntiZeroAccess tool can be downloaded from the link in the second paragraph.
After scanning with the above programs you should next open CCE, go
to the options, and select the option to "Scan for suspicious MBR
modification". Then select OK. Now perform a full scan with CCE. Restart
where requested and quarantine anything it finds. Note that this option
can be relatively dangerous as it could possibly identify problems
where there are none. Use it carefully and make sure everything
important is already backed up. Note that in rare cases scanning with
these options may render your system unbootable. This rarely happens,
but even if it does it should be fixable. If running this scan renders
your computer unbootable please see
this section of
an article I wrote about How to Fix a Malware Infected Computer. It
should be able to help make your computer bootable again.
Once CCE has completely finished, again open up CCE while holding
down the SHIFT key. This will kill most unnecessary processes which may
be interfering with your scans. Then open KillSwitch, go to "Tools", and
choose the option to "Hide Safe Processes". Now, once again delete all
dangerous processes. Then, you should also right click on any unknown
processes that remain and select the option to "Kill Process".
Do not delete them.
You should follow the advice in this paragraph each time you restart
your computer in order to make sure that the following scans are as
effective as possible.
After killing all processes not verified to be safe you should open
HitmanPro while holding down the CTRL key. Then perform a "Default Scan"
and quarantine anything it finds. Then perform full scans with
Malwarebytes and Emsisoft Emergency Kit. Quarantine anything they find.
Then download the free version of SUPERAntiSpyware from
this page.
During installation be very careful as other programs come bundled with
the installer. On the first page make sure to uncheck both options
about adding Google Chrome. Then click on the option for "Custom
Install". During the custom install you will once again have to uncheck
two boxes about adding Google Chrome.
Other than that the program will install fine. When asked I would
recommend that you decline the option to start a free trial. Once the
program is fully loaded select the option to do a Complete Scan and
click on the button to "Scan your Computer...". Then click on the button
to "Start Complete Scan>". Remove all detected files and restart
wherever required.
After following these steps you should restart your computer. Then once again check your computer using the advice I give in
How to Know If Your Computer Is Infected. If all is well then you can skip to the section about
What To Do After All Malware Is Confirmed To Be Removed. Remember
that a disabled registry entry is not a risk. However, if your computer
is still not clean then go through the steps outlined in this section
once more and see if that is able to remove the infections. If it is not
then you should continue to the
next section.
D) If Necessary Make A Bootable Disk
If the above methods were not able to completely remove the
infection, or you cannot even boot your computer, then you may need to
use a bootable CD/Flash-Drive, also called a bootable disk, to clean
your computer. I know this may sound complicated, but it's really not
that bad. Just remember to create this disk on a computer that is not
infected. Otherwise the files may be corrupted or even possibly
infected.
Because this is a bootable disk no malware can hide from it, disable
it, or interfere with it in any way. Thus scanning in this way, with
multiple programs, should allow you to clean almost any machine, no
matter how infected it may be. One exception to this is if the system
files on the machine have themselves been infected. If this is the case
then removing the infection may cripple the machine. It's largely for
that reason that you backed up all important documents before starting
the cleaning process. That said, sometimes it's possible to get around
that by following the advice I give below.
To do this you should download the
Shardana Antivirus Rescue Disk Utility (SARDU).
This is an excellent program which will allow you to create a single
rescue disk with multiple antivirus programs on it. It also has many
other useful functions, which I will not be discussing in this article. A
few very useful tutorials for SARDU can be found on
this page. Be
very careful about the added offers now included with the installer.
Sadly, this program now tries to trick people into installing extra
programs, which are largely unnecessary.
After downloading it extract the contents and open the SARDU folder.
Then open the correct executable for your operating system, either sardu
or sardu_x64. Under the Antivirus tab click on whichever antivirus
applications you would like to add to your disk. You can add as many or
as few as you wish. I would recommend that you scan your computer with
at least Dr. Web, Avira AntiVir Rescue System, and Kaspersky Rescue
System. One of the nice things about Dr. Web is that it sometimes has
the option to replace an infected file with a clean version of it
instead of just deleting it. This may allow you to clean some infected
systems without crippling the computer. Thus I'd strongly recommend
including Dr. Web in your bootable disk.
Clicking on the names of the various antivirus applications will
often direct you to a page where you can download the ISO for that
particular antivirus. Sometimes it will instead give you the option to
download it directly through SARDU, which can be found under the
Downloader tab. If given the choice always select the option to download
the ISO. Also, after downloading the ISO you may need to move it to the
ISO folder inside the main SARDU folder. Once you have moved all of the
ISO's, for the antivirus products you would like to include, to the ISO
folder, you are ready to create the rescue disk. To do this go to the
Antivirus tab and make sure that all desired antiviruses have a check
next to them. Then either click the button to make a USB or make an ISO.
Either will work fine. It just depends on whether you want to run this
off of a USB drive or a disk.
After creating your rescue disk you will likely need to change the
bootup sequence in your BIOS settings to ensure that when you insert the
bootable CD, or flash-drive, the computer will boot from it instead of
from the normal operating system. Here is a useful article on
How To Change the Boot Order in BIOS.
For our purposes you should change the order so that the "CD/DVD Rom
drive" is first if you want to boot from a CD or DVD, or that "Removable
Devices" is first if you want to boot from a flash-drive. Once that's
done just follow the advice given in this other article about
How To Boot From a CD, DVD, or BD Disc in order to boot from the rescue disk.
After booting from the disk you can select whichever antivirus you
want to first scan your computer with. As I previously mentioned, I
would recommend starting with Dr. Web. Once it's finished, and you have
repaired or deleted everything it finds, you should shut down the
computer. Then make sure to again boot from the disk and then scan with
another antivirus. Continue this process until you have scanned your
computer with all of the antivirus programs you have put on the rescue
disk.
After cleaning your computer with whichever programs you've put on
the disk you should now try booting your system into Windows again. If
it is able to boot into Windows then check your computer using the
advice I give in
How to Know If Your Computer Is Infected. If all is well then you can skip to the section about
What To Do After All Malware Is Confirmed To Be Removed. Remember that a disabled registry entry is not a risk.
If your computer is not yet clean, but you are able to boot into
Windows, then I would recommend trying to clean your computer from
inside windows, starting from
this section of
this article and following the suggested methods. However, if your
computer is still not able to boot into Windows then again try fixing it
by following the advice in
this section of
an article I wrote about How to Fix a Malware Infected Computer. It
should be able to help make your computer bootable again. If even that
can't make your computer bootable then try adding even more antiviruses
to the boot disk and then rescanning your computer. If doing that still
does not work then please read the
next section.
3. What To Do If The Above Methods Are Unable To Clean Your Computer
If you followed all of the above advice and were still not able to
clean your computer, but you're convinced that the problems are due to
malware, then there's not much more I can do to help. I'm actually
hoping that nobody ever reaches this section. This article is meant to
allow you to completely clean an infected computer. Thus I'd really
appreciate it if you could leave a comment below that explains what you
tried to do in order to clean the computer, and what symptoms remain
that make you think that your computer is not yet clean. This is very
important in order for me to improve the article.
You can also seek advice from a specialized malware removal forum. A forum which I have found to be very helpful is
MalwareTips.
However, if even after seeking help on a malware removal forum your
computer is still not free of malware, it may be necessary to format
your computer and start over. This means that you will lose anything on
the computer which you did not back up. Make sure that if you do this
you do a complete format of your computer before reinstalling Windows.
This will be able to destroy almost any type of malware. Once Windows is
freshly installed please follow the steps in the
next section.
4. What To Do After All Malware Is Confirmed To Be Removed
After confirming that your computer is now clean you can now try to
repair any damage that may have been caused. For this I have written an
article about
How to Fix a Malware Infected Computer.
Please follow the advice in this article in order to fix any damage
that was caused by the infection. If after doing this your computer is
running fine, then you can also open Comodo Autoruns and select the
option to delete those registry items you had previously only disabled.
This way they will no longer be on your computer at all.
Once you have successfully cleaned all infections from your computer,
and repaired any leftover damage, you should take steps to ensure that
it does not happen again. For this reason I have written a guide about
How to Stay Safe While Online. Please read through it and implement whichever methods you feel best fit your needs.
After securing your computer you can now restore any of the
previously backed up files that were lost during the cleanup process.
Hopefully this step is also not necessary. Also, before restoring them
make sure that your computer is very well protected. If you don't lock
the computer down strongly enough then you may inadvertently infect it
and again have to clean the infections from the computer. In addition,
if you used a USB drive to transfer any files to the infected computer
you can now plug that back into the computer and make sure there is no
malware on it. I would recommend doing this by deleting all files left
on it.
If you have any problems, or are confused by my directions, please
leave a comment below and I will try to help you. Trust me, if you are
having a problem then so are many others. I need to know this so that I
can improve the advice in this article. Also, I do realize that there
are a plethora of programs that can be used to clean an infected
computer. I have selected these particular programs, and arranged them
in such a way as to emphasize their positive qualities while at the same
time compensating for their weaknesses, in an attempt to simplify the
malware removal process. Please let me know if you see any problems with
the approach I have outlined.
In addition, please help by
rating this article.
If you believe this article deserves anything less than 5 stars, please
leave a comment below explaining how you think it can be improved or
where you find fault. This article is written by me but fueled by the
community. Thus your opinions and advice are not only much appreciated,
but actually necessary in order for this article to grow and improve.