How do I remove a virus if it prevents me from downloading or installing anything?

Some malware goes to great lengths to prevent you from downloading, running, or trying to apply a fix. I'll tell you what to do.

I am trying to fix a computer that has adware that is preventing me from getting into regedit and task manager. It will not let me boot into safe mode. It will not let me install any anti-spyware or anti-virus software. I’m not sure where to go from here. It has stopped me from doing much of anything to get the malware off the computer. Any suggestions? I am not sure what the malware is, but I keep getting alerts that I am infected and when I click it, it opens a browser window and tries to take me to a website.

Sadly, this is all too common. Malware is getting pretty nasty. At best, it may extort money from you for a real repair. At worst, it’ll extort money from you and do nothing.

I’ll save the “prevention is so much easier than the cure” missive for a moment. We just want this fixed.

There are things that we can try, but unfortunately, there are no guarantees.

The problem: When malware interferes

What you’re seeing is that the malware on your machine is actively watching for your attempts to remove it and thwarting them.

It’s watching for downloads that “look like” anti-malware tools and web or other access that might be going to anti-malware sites. It’s even monitoring what programs you run. When it sees you doing anything that could lead to its removal, it steps in and either redirects you to sites of its choosing or simply causes the operation to fail.

We’d love to download and run anti-malware tools, but we can’t.

So, we have to get creative.

Run Windows Defender Offline

I’ve changed my original recommendation since this article was first written. Now, I recommend that you begin by downloading Windows Defender Offline.

Windows Defender Offline is an anti-malware tool – essentially a stand-alone version of Microsoft Security Essentials – that you download and burn to CD. You then boot from this to avoid any of the malware that is on your machine. That way, you can run the anti-malware tool directly.

It’s important that you download Windows Defender Offline when you need it – which probably means using a different computer as the existing malware on your machine may prevent you from downloading it. That way, the tool is up-to-date. You should always run the latest version of Windows Defender Offline, so you’re protected from the latest threats.

Let the tool perform a thorough scan of your machine. Hopefully, it will detect and remove the malware that’s causing your problem.

If it doesn’t detect and remove it, if you can’t run Windows Defender Offline, or if you just want to keep scouring your machine with additional tools, we switch to other tactics.

Temporarily kill the malware

One possible solution to the blocking problem is to temporarily kill the malware that’s running. This won’t remove it, but it may allow you to download tools that will.

The folks at BleepingComputer.com have created a tool called Rkill that does exactly that.[1] You may need to download Rkill on another machine (because it may be blocked on the infected machine), but you can quickly copy it over to your machine using a USB drive or something else.

You may also need to rename rkill.exe to something else (like “notrkill.exe” or “leo.exe”). Once again, the malware may be paying attention to the name of every program being run and may prevent the software from running if it recognizes the name.

Run the program and do not reboot. Rebooting will “undo” the effect of having run Rkill. Any malware that Rkill killed will be back.

Download and run Malwarebytes’ Anti-Malware

Malwarebytes’ Anti-Malware is currently one of the most successful tools at identifying and removing the types of malware that we’re talking about here. It’s not really a replacement for anti-virus software (you’ll find that they say that in their support forums), but in cases of infection, it has a pretty darn good track record.

Download the free version, install and run it, and then see what it turns up. (Once again, you may need to download the tool on another machine and copy the download over as you did with rkill.)

Try other tools

After running Rkill, you may (or may not) be able to run some of the other tools that the malware was blocking. You can try registry editing tools, the task manager, Process Explorer, or others.

You can also try your other anti-virus and anti-spyware tools. Either they will be able to download an update that catches this problem or you can download another tool that will.

But in general, my money’s on Malwarebytes.

What if it doesn’t work?

If none of that works, then things get complicated.

You may consider trying:

  • Boot from another bootable antivirus rescue CD. There are several, including from anti-virus vendors like Avira, AVG and many others. If you have a favorite anti-malware vendor, check with them to see if they provide a bootable scanning solution. Like Windows Defender Offline, these boot from the CD, not your hard drive, so the malware doesn’t have a chance to operate and block you. You can then run a scan of your hard disk and hopefully clean it off.
  • Remove the hard disk and place it in or connect it to another machine. Hardware issues aside, this needs to be done with care to prevent the malware from spreading. Just like booting from that CD, however, this boots from the new machine’s installation, not yours. You can then run anti-malware tools against your drive and hopefully clean it off.

Restore from backup

If you have a recent system backup, it’s possible that restoring to that will take your machine back to a time before it was infected at all.

Regular backups are wonderful for this. This is yet another reason why I so often harp on backing up.

Be aware that it does have to be the correct type of backup: either a full system or image backup. Simply backing up your data will not be helpful in a scenario like this unless you are forced to take the final solution (see below).

And for the record, my opinion is that System Restore is pretty useless when it comes to bad malware infections like this (if it hasn’t already been completely disabled by the malware). Give it a try if you like, but I don’t have much hope for its success.

The final solution

That subtitle sounds dire, because it is.

As I’ve mentioned before, your machine is no longer yours once it’s infected. You have no idea what’s been done to it. And you also have no idea whether the cleaning steps that you took removed any or all of the malware that was on the machine.

Even if it looks clean, there’s no way to prove that it is.

You know it was infected, but there’s no way to know that it’s not now.

Scary, eh?

The only way for you to know with absolute certainty that the malware is gone is to reformat your machine and reinstall everything from scratch.

Sadly, it’s also quite often the most pragmatic approach to removing particularly stubborn malware. Sometimes, all of the machinations that we go through with trying to clean up from a malware infection end up taking more time than simply reformatting and reinstalling.

And reformatting and reinstalling is the only approach that’s known to have a 100% success rate at malware removal.

If you don’t have a backup of your data, then before you reformat, at least copy the data off somehow. Boot from a Linux Live CD or DVD if you must (Ubuntu’s a good choice). That’ll give you access to all of the files on your machine and allow you to copy them to a USB device or perhaps even upload them somewhere on the internet.

Aftermath

After things are cleared up and working again, take a few moments to consider how to prevent it from happening again or what you can do to make the next time easier:

  • See if you can identify how the infection occurred and then, to the extent that you can, never do that again. :-)
  • Make sure that you have the most up-to-date security measures that it takes to stay safe on the internet.
  • Consider investing in a backup solution of some sort. Nothing can save you from more different kinds of problems than a good, regular backup.

As I said at the beginning, prevention is much easier than the cure.

This is an update to an article originally posted: December 22, 2010

Footnotes and references

1: Be careful: At times, ads immediately above the download link look like the actual link to download the software. They are not. Be sure to grab Rkill itself.

There are 45 comments:

  1. Michael Horowitz Reply

    Image backup. Image backup. Image backup. Oh, and make image backups :-)

    The worst case is NOT that you pay money to the extortionists and they do nothing. In the worst case they take your credit card information and use it for identity theft.

    There are a couple ways to make the infected hard drive visible to a clean machine on a LAN without physically removing it: (1) Boot the infected machine using Linux (2) Boot the infected machine using the Ultimate Boot CD for Windows. See ubcd4win.com. Either way, after mapping the network drive to a letter, you should be able to use your favorite antimalware software over the LAN.

  2. Doug Brace Reply

    The solution that I use to kill malicious processes that may be preventing me from installing or running free tools (Malwarebytes or CCleaner) requires another computer with access to your home network (wired or wireless).

    I use the program “Remote Process Explorer” from Lizard Systems. It is a free (for personal use) program that allows you to access “Task Manager” on another computer. It requires a computer name or IP address, an account in the Administrators group and its username and password. When you add a computer to monitor, it shows you the process name, user account that started the process, the location of the process and other things.

    The key thing is the ability to kill a process. Find the process, right-click it and select “Kill Process.”

    After that, from the infected computer, you should be able to open CCleaner. Once in CCleaner, go to the “Tools” section and click on “Start Up.” In this area you can easily disable or delete “rogue” entries. I recommend disabling entries because if you accidentally delete an entry that you need, it’s hard to recreate the entry and CCleaner currently can’t do that for you.

    Try restarting the computer and then run Malwarebytes.

  3. Duane Ferguson Reply

    Two portable tools I’ve used with great success are SUPERAntiSpyware Portable Scanner http://www.superantispyware.com/portablescanner.html and Kaspersky Portable, available at this address: http://www.kaspersky.com/virus-removal-tools. Super Anti Spyware Portable runs from a flash drive, while Kaspersky Portable installs into a folder on your desktop, and uninstalls once it has done its job. I generally run Super Anti Spyware Portable as my first option, then Malwarebytes, followed by Kaspersky. Finish up with Windows Malicious Software Removal Tool http://www.microsoft.com/security/malwareremove/default.aspx and you should be done. That all amounts to at least three hours’ work on the average hard drive, and there’s no guarantee that whatever infection your computer has picked up has not permanently damaged the registry. As Michael Horowitz states – Image Backup. There are plenty of free imaging tools available, and the good ones will give you the option of running a backup as a scheduled task. Your only problem then becomes retrieving documents and e-mail created after your last image was taken. I recommend using a ‘Live’ disc such as Puppy Linux http://puppylinux.org/main/Download%20Latest%20Release.htm for this purpose. Boot from the disc, navigate to your profile, then copy ‘My Docs’, ‘Desktop’ etc. to an external drive. Shut down and reboot using your ghost imaging boot disc, rebuild, then return your ‘My Docs’ etc. from those you’ve retrieved.

  4. Sandeep Reply

    Tools–>Folder Options–>View–>show hidden files and folders–>uncheck hide operating files and folders …
    You will find the virus folder or autorun.inf.
    Download Unlocker and delete the autorun.inf using that.
    Don’t delete operating system files, please.

  5. Andrew Fitzgerald Reply

    I had this same problem & found (free) Malwarebytes an excellent fixer. Had to download it from another computer & run it from a thumb drive but it killed the nasty along with loads of others my paid-for virus scanner missed.

  6. Elliot Reply

    One fantastic tool, as Duane has said, is SuperAntiSpyware; it sounds cheap but it works brilliantly.

    If you choose the portable version from their site, it will download with a randomly generated name so that malware can’t detect it as a removal tool. If you still can’t get it directly onto the infected PC then just copy it across from another via a USB drive or similar. Run it (it’s a single file, no installation), make sure to update the definitions database, and then run a scan – it should deal with most things pretty swiftly.

    I would always then follow up with MBAM, that Leo mentions, and/or a commercial tool of your choice. The more scans you run, the better, and the surer you can be that you’ve removed the infection.

  7. Thomas Carranza Reply

    All of these tips are right on. I have used MBAM (excellent at getting those hard ones) and Avast (it’s free and has a pre-boot scanner that catches a lot) and Kaspersky. I invested in a USB HDD docking station that allows me to remove the infected HDD and attach it to a computer that I have all of my antivirus-antimalware tools on and run it as a USB drive. This does not allow the operating system of the infected drive to load up and I can hunt down and kill those deep-rooted infections. Not saying that I get everything 100% of the time, but it has worked many, many times. I also ask (first) if there is anything worth saving on the HDD (usually is), because if there isn’t, I just reformat from the beginning. I only go through the trouble if there are files that need to be saved. Microsoft’s Security Essentials is also good at identifying viruses (sometimes not as good at getting rid of them, i.e. Alureon.B virus). At the minimum, run at least three different scans to make sure you get everything.

  8. Joe Schmidt Reply

    Leo, you’re right on with this one that a full HDD image of C: should be taken first before doing anything else, and like you I have Acronis. BUT!!!!! If you’re counting on this for an emergency restore, your user will lose all data files which have been saved on C since the image was taken.

    I use a better approach which is to put in a big HDD as drive d: [aka, D for data.] Then, your software has to be trained to place its data files in a suitable directory there. Generally, I like C to be about 80gig
    and D about 1TB, since all so cheap now.

    C is backed up with Acronis, placing the image file on D.

    Then, you also have to back up D regularly, but Acronis imaging will take too long, so I use 4DOS and [1] first time copy all files, thereafter [2] copy only new files back to a chosen date… to an external HDD used only for backups.

    Hope this is helpful, but maybe too complicated for beginners.

    – j

  9. Hub Harrison Reply

    I have had success removing the bogus Windows Police AV 2010 (rootkit) with TDSSKILLER. Hard drive was completely cleaned and running normally within minutes. I had to re-format and re-install 2 other computers before I learned about this free program.

  10. steven Reply

    How come NOBODY has mentioned combofix? It is very quick and works for me. I am unable to figure out how to misuse it, so it is safe. It has two options run or cancel. If your internet is still down, just simply turn off the proxy server, if you do not use it. You may have to rename combofix to get it to run and of course download it from another PC to a USB flash drive. Use safe mode for really nasty infections. Does safe mode stop all viruses and spyware? Combofix is also from bleepingcomputer.com.

  11. Dave Markley Reply

    In the course of being a PC repair tech, I often come across this problem. It seems the first thing these Virus ‘designers’ do is disable your anti-malware and block Windows Installer so no new protection can be added. I have found two solutions that work 90% of the time:

    1. Most virus ‘designers’ apparently don’t think about the context menu. If you have any ‘respectable’ Anti-virus or Anti-malware programs installed, they most likely have entries in the context menu (‘right-click’ menu). Open ‘My Computer’ and ‘right-click’ on drive “C”, and when the context menu opens just ‘left-click’ on “Scan with AVG”, or whatever program you have installed. If you have more than one option listed – use them all! This forces your (AVG or whoever you have) Anti-virus to scan ‘only’ drive “C”, but don’t forget that “C” is your main drive and is where the Virus lives. This works 90% of the time.

    2. Download A-Squared Emergency Kit (it’s free). It’s best to do this on a friend’s computer and then put it on a USB drive. This version of A-Squared doesn’t actually ‘install’, so it won’t be blocked and is also the most effective Anti-malware tool I’ve ever used – it finds everything! It will want updated when it first starts, forget that for now and just scan! When the scan is done, anything threatening will already be checked by default. Just click to ‘quarantine’ selected objects. (Don’t delete just in case it accidentally grabs a wrong file). After your first scan is done, THEN update it completely and do another full scan. This will remove 99% of known problems.

  12. Terry Hollett Reply

    I had to clean out a computer that would not boot up into safe mode. It would stop at a certain driver. I discovered online that it could be because of a 0kb driver in the “c:\windows\system32\drivers” folder, planted by the virus. Used a boot cd to find and delete it and then was able to start up in “Safe Mode With Networking” to run a few scanners to clean it out.

    Just recently, someone brought a laptop to me, it was getting a BSOD. I suspected a corrupted hard drive (my experience with BSOD tells me so). I had to run a scan off a boot cd to check the drive. There were a lot of corrupted files.

    But it still didn’t help. It wouldn’t get past the BIOS boot logo. I still suspected hardware issues and decided to run a memory tester cd.

    No problems detected. Then I ran an AVG antivirus boot cd. It was severely infected and I now believe that the crap on the system corrupted the hard drive, making it almost impossible to get any control.

    The cleaning did give me a little bit more control. Using a few more utilities on a few more cds I was able to finally get the system running again.

    As usual this person had lots of pictures not backed up. Her main concern. I burned off her pics, 5 GB, to two DVDs.

  13. Ravi Agrawal Reply

    The best way to clean an infected drive will be to slave it to a clean computer with a good up-to-date antivirus installed and then clean with it.

    Particularly helpful is Microsoft Autoruns, where you can disable all startup entries.

    It is recommended not to disable system restore when infected but I would go ahead & disable system restore as pretty much of these nasties make way to hide themselves in the “System volume information” folders on the Drives that contain restore points.

    Clean up the temp folders of Windows by typing %tmp% in the Run dialog box. Select all files & hit delete to clear off all the junk. Repeat it until you manage to clear all of the files.

    Doing that solves pretty much all of the problems. In case you have avast antivirus installed & you do get infected just in case you left it disabled, No worries. Just select a Boot-time Scan & you will get rid of the nasty most of the time.

    Ravi.

  14. Bill Chubb Reply

    Very many thanks, Leo.
    My oldest [at 85 years of age] and dearest friend picked up a bug which appeared identical to the one your correspondent described. Knowing he was coming to my home for New Year and thinking I might be able to help my pal told me on Monday and I have to confess that I really didn’t have any words of comfort or encouragement. Then, along came my weekly Ask Leo! fix and, bingo, the answer to the problem! The rkill and Malwarebytes’ Anti-Malware combination worked fine.

    The timing of the problem and this week’s edition of Ask Leo is quite uncanny. Once again… very many thanks.

    And, a Happy New Year.

  15. Neldon Hester Reply

    I have run across this problem a few times. I hook the hard drive up to a USB connection on another computer. I use a computer that is mainly used for this purpose. I then click scan on the computer. It asks what I want to scan. I click drive F, which in this case is the problem drive. It scans the drive every time. I scan it with Avast, AVG, Superantispyware, Iobit Security 360 and Advance System care 3. Have not failed to cure one yet. I use an outside power source and a hard drive connector. This can be done while the hard drive is still mounted in the other set but I usually just pop the drive out and the only connection to the repairing computer is the USB plug. I have never had the repairing computer get infected from the bad drive. Do not under any circumstance open up the problem drive until replaced in the original set.
    Works every time for me. I would guess that more than half the drives thrown away as bad were only full of viruses and spyware. Check Ebay, the outside connection kit can be had for anywhere from 8 bucks to 25 bucks depending on how hard you look.
    Good luck. And thanks Leo. We don’t learn all this stuff by trial and error. We read Ask Leo. You pull a whole lot more of us out than you can ever know.
    You are appreciated.

  16. don rees Reply

    Re the above problem, I also had this virus (System Tool). It rendered my laptop totally useless. What I did / could not do:
    start in safe mode / get into task manager (it flickered crazily) / open another user name / load rkill / click “run” MSNCONFIG etc. / get a restore point, plus some others I cannot remember / run superantispyware / run malwarebytes / did manage to load stopzilla, which made a very, very small dent in the virus (it got me into my inbox but it was frozen anyway) / tried to download spydoctor / tried to run AVG9.
    What killed it stone dead was $39.99 (which was OK for both of my computers) spent on http://www.spyhunter.com. It blew it right out of the laptop. It is now a pleasure to use it again; it keeps both computers clean, they are running faster and, for me, a great product. Not cheap, but it does what it is supposed to do.
    Note: I live in a reasonably remote part of Australia; I have no association whatsoever with spyhunter at all (they are in the US ??).
    Hope this comment helps.

  17. Shahija Reply

    Thanks for the quick update. But I tried to change the values for the registry tools as well as task manager, but whenever I refresh, the value returns to 1 and cmd too is disabled by the administrator. I did try the Malwarebytes Anti-Malware and removed some virus, but the task manager, though it gets enabled, gets disabled again the very next minute. I don’t have any CD to reboot. Please advise any other option to retrieve all the 3.

  18. Shahija Reply

    Forgot to mention I did try the rkill but nothing seems to work out

  19. Peter Nixon Reply

    One thing which might help to download security items is to reset the HOSTS file as this is one of the things that malware will corrupt – here’s the link;

    http://winhelp2002.mvps.org/hosts.htm

    It should also help in avoiding some malware in the first place, by blocking access to some of the sites hosting it.
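Three artifacts that commenters on this page describe can be checked directly once the infected drive is attached to a clean machine or mounted from a live CD: a root-level autorun.inf, a 0-byte file in the drivers folder, and HOSTS entries that pin security sites. The Python below is an added example, not code from the article or from any tool named here; the function names, the domain list and the sample tree are assumptions constructed for illustration.

```python
"""Offline triage of a Windows volume mounted on a clean machine (added example)."""
import tempfile
from pathlib import Path

# Assumption: vendor domains of tools mentioned on this page; extend as needed.
SECURITY_DOMAINS = ("malwarebytes.org", "bleepingcomputer.com", "kaspersky.com",
                    "superantispyware.com", "microsoft.com")


def find_ci(root, *parts):
    """Resolve a path case-insensitively (Linux mounts of NTFS are case-sensitive)."""
    current = Path(root)
    for part in parts:
        if not current.is_dir():
            return None
        matches = [c for c in current.iterdir() if c.name.lower() == part.lower()]
        if not matches:
            return None
        current = matches[0]
    return current


def read_text(path):
    """Read a small text file, tolerating a BOM and undecodable bytes."""
    return path.read_bytes().decode("utf-8-sig", errors="replace")


def hosts_overrides(text):
    """Return (line_no, address, hostname) for HOSTS entries that pin a security site.

    Any such entry is suspect: loopback/0.0.0.0 blocks the site, another
    address redirects it. Ordinary blocklist entries are not reported.
    """
    hits = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()      # drop comments, split columns
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        for name in names:
            host = name.lower().rstrip(".")
            if any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS):
                hits.append((line_no, address, host))
    return hits


def zero_byte_drivers(root):
    """List empty .sys files in Windows\\System32\\drivers; a real driver is never 0 bytes."""
    drivers = find_ci(root, "Windows", "System32", "drivers")
    if drivers is None:
        return []
    return sorted(p.name for p in drivers.iterdir()
                  if p.is_file() and p.suffix.lower() == ".sys" and p.stat().st_size == 0)


def autorun_commands(root):
    """Return the programs a root-level autorun.inf would launch."""
    autorun = find_ci(root, "autorun.inf")
    if autorun is None or not autorun.is_file():
        return []
    commands = []
    for raw in read_text(autorun).splitlines():
        key, sep, value = raw.partition("=")
        key = key.strip().lower()
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if sep and launches:
            commands.append(value.strip())
    return commands


def triage(root):
    """Run all three checks against the mounted volume and return the findings."""
    hosts = find_ci(root, "Windows", "System32", "drivers", "etc", "hosts")
    return {
        "hosts_overrides": hosts_overrides(read_text(hosts)) if hosts and hosts.is_file() else [],
        "zero_byte_drivers": zero_byte_drivers(root),
        "autorun_commands": autorun_commands(root),
    }


def build_sample_volume(root):
    """Create a constructed, harmless directory tree that mimics an infected volume."""
    root = Path(root)
    etc = root / "WINDOWS" / "system32" / "drivers" / "etc"
    etc.mkdir(parents=True)
    (etc / "hosts").write_text(
        "# constructed sample\n"
        "127.0.0.1 localhost\n"
        "0.0.0.0 ads.example.com        # blocklist-style entry, not flagged\n"
        "127.0.0.1 www.malwarebytes.org # security site pinned to loopback\n"
        "203.0.113.9 update.microsoft.com\n")
    (etc.parent / "abcdef.sys").write_bytes(b"")          # constructed 0-byte driver
    (etc.parent / "disk.sys").write_bytes(b"MZ\x90\x00")  # non-empty stand-in
    (root / "AUTORUN.INF").write_text("[autorun]\nopen=recycler\\x.exe\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for check, findings in triage(build_sample_volume(tmp)).items():
            print(check, findings)
```

Point `triage()` at the mount point of the attached drive (a hypothetical `/mnt/infected`, for instance); a hit is a lead to follow up with the scanners discussed on this page, not a verdict.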

  20. Dale Reply

    OK, I’ve been scammed. I don’t have a problem with reformatting & installing everything from scratch BUT … want to know if it is safe to back up my non-executable files such as outlook express email, picture .jpg files & word .doc files? And can I safely transfer these files via shared files to another computer? Or … will this compromise the other computer? Help ….. dumb then, smarter now!

    I would backup everything, and then restore only what you need – possibly scanning what you’re about to restore first. More here: How do I safely backup an infected drive?

    Leo
    26-Nov-2011
  21. Baba Reply

    It worked for me. I powered up the PC without connecting to network and ran the rkill program. Then I was able to run the virus program and remove the virus.
    Thank you

  22. Rhudi Reply

    I have had great luck using Kaspersky Rescue through a bootable USB thumb drive. Failing that, recently I had to remove the HD and connect it through an external USB adapter and scan it from a separate PC (which cleaned it). I had connected the drive that way to get data files off before a factory wipe. My system saw the infected drive and cleaned it.

  23. Snezhana Dimova Reply

    Your suggestion to run renamed Rkill in combination with Malwarebytes’ Anti-Malware succeeded!

    Thanks a lot!

  24. Ian Minter Reply

    We use Sophos for our Antivirus package, and they have a linux boot disc, so that windows is not running when you are running the clean up tools, so any windows based malware or virus is not running and stopping you from cleaning it out. But +1 for a malwarebytes solution as well.

  25. Paul Reply

    “I keep getting alerts that I am infected and when I click it, it opens a browser window and tries to take me to a website.” – STOP CLICKING IT!!

  26. Geoff Reply

    How about using the HiRens CD. It boots up in linux but has umpteen utilities including ClamWin and MalWareBytes. It also has browsers, file managers, plus too many others to mention. There is even a standalone mini XP. You don’t need to know anything about linux just follow the menus.

  27. bob price Reply

    One more reason to have a BOOTABLE clone [NOT an image!] second drive, either internal or exterior and you faithfully keep the clone up to date. When infected and nothing works, enter Setup, change boot sequence to cloned drive. Scan and fix the original drive. Simple. The key is making a bootable second drive and that’s the major failure of image backups.

  28. Lanraider Reply

    Tried all suggestions above, but laptop still extremely sluggish. Found one Svchost.exe process using 80% cpu cycles. Read somewhere that this is symptom of rootkit infection. Downloaded Malwarebytes Anti-Rootkit (http://www.malwarebytes.org/products/mbar/) and ran. It found and deleted rootkit. Laptop purring like a kitten.

    • Mark Jacobs Reply

      Svchost.exe is a Windows host process which runs other applications which are in the form of .dll files. Some viruses install themselves to be run by Svchost.exe, but Svchost.exe itself is not malware.

  29. Kevin Reply

    As an OAP who still browses quite fearlessly I would like to share one point about malware. It seems to be the norm that when ya even mention a virus people in general will chorus “PORN”. In my experience more viri are downloaded from casual browsing than any other source. Sites that show you how to type for instance can be very dangerous. 4 years ago I decided to do all casual browsing in a sandbox, since then I have had absolutely no prob’s. As you often say Leo prevention is better than the cure, so why do not more people use a sandbox, and there are a variety available. (I use 2 normally)
    On my own comp. I can access my Image Backups before Windows starts so was just thinking as reading article “Am I getting too confident”. On reflection that is now a possibility ????

  30. gary Reply

    Leo, you’re the man. Been spending weeks trying to fix this. I have a back up computer in the box but it was bugging me. Couldn’t download anything. Started when my downloadhelper on firefox wasn’t working so thought I’d uninstall and reinstall. That’s when I found I couldn’t download ANYTHING because it had a “virus”. After many searches and tries I came across your site. Finally did the rkill and ran the essentials and it got rid of a bunch of evil sounding stuff and I just got firefox back. Crossing my fingers on the rest but just wanted to thank you for a very promising start. Have a good one!!!!! Gary

  31. Jordan Wills Reply

    This is one of the easiest removals, simply create a standard user, we’ll call him “bob”, now bob has no documents at all, no saves, nothing, so after you’ve identified the location (locations can be shown when identified with windows defender or an antivirus) then move it into bob’s documents, which it can’t stop you from doing, now deleting an account is different from deleting files, file deletion is done not by deleting but marking the space as “free” so other things can be put in its place, but when you delete an account you crush and force those files to death, so, delete the account, the malware has no chance of stopping or overriding you.

    • Mark Jacobs Reply

      Setting up another user account wouldn’t normally help in the case of a virus. Viruses operate on the system level and would affect all user accounts.
      Removing an account doesn’t wipe files any more than a simple deletion would.
      The way to bypass those viruses would be to boot up windows in a way that the malware isn’t executed on startup. Windows Defender offline and rescue discs created by other AV programs can accomplish this.

  32. markww Reply

    HERE IS A EASY WAY TO CLEAN THE SYSTEM.
    Unhook from the Internet that kills the host computer from spying and holding and locking the computer down.

    RUN RESTORE go back a day or before you got the virus or malware. That is all you have to do

  33. Shytzedaka Reply

    Well, if you have a second computer or laptop that is not infected, try downloading Avast there and then download Rescue Disk from the software and it will scan and remove viruses on boot. And Avast has a good database, finds everything.

  34. ahmad Reply

    I cannot download anything from internet even internet browsers

  35. gudrun Reply

    Would it work to download the suggested .exe files on a mac, put them on an ftp server, and the owner of the infected computer can download them via ftp with the infected computer using filezilla, which is installed on the affected computer and seems to work? I faintly remember that macs used to do weird things with win files, but maybe not any more. My mac is a current one running 10.9.2.

    • Leo Reply

      You don’t need to use an ftp server. Use your mac and transfer the files on the network, or using a flash drive. Should work just fine.

      • gudrun Reply

        oh, replied while typing, thanks. Yes, the USB version is not possible because it’s 10000 miles away. If ftp is an option, that would be great.

        • Mark Jacobs Reply

          FTP should work unless somehow the malware happens to prevent it from downloading. The malware might also block the creation of a bootable CD or USB stick, but it’s worth a try. Those rescue disks aren’t actually full OS clones. They’re limited purpose Windows OSes which are limited to removing malware. Clone or image are normally used to refer to an exact (more or less) copy of a bootable system drive, although image is also used to refer to any bootable media.

          • gudrun

            ok, I’ll upload it and maybe my friend will try it. Yes, I understand that the rescue stick isn’t a full system. I was referring to the possibility that the computer might have come without true system installation CDs, pointed out here http://askleo.com/i_dont_have_installation_media_for_windows_what_if_i_need_it/ , which would be difficult for me to judge. So I’d rather not suggest to wipe the drive. thank you for answering.

  36. gudrun Reply

    (trying to be of assistance half way around the globe with someone with almost no computer knowledge. I got an email that installing firefox was kind of weird, followed by the link copypasted – well. 50+ “virus removal” sites for this thing with instructions, downloads, fake computer experts etc. I am comfortably using Windows since NT but have no knowledge apart from that. I didn’t even know one could make a bootable clone of win (is an image like a bootable clone?). On mac I’d just zero the drive and reinstall the system, but here it is difficult for me to even figure out whether my friend has real installation CDs or not. Leo sites are great, thanks.)
