Some malware goes to great lengths to prevent you from downloading, running, or trying to apply a fix. I'll tell you what to do.
Sadly, this is all too common. Malware is getting pretty nasty. At best, it may extort money from you for a real repair. At worst, it’ll extort money from you and do nothing.
I’ll save the “prevention is so much easier than the cure” missive for a moment. We just want this fixed.
There are things that we can try, but unfortunately, there are no guarantees.
The problem: When malware interferes
What you’re seeing is malware on your machine actively watching for your attempts to remove it and thwarting them.
It’s watching for downloads that “look like” anti-malware tools and web or other access that might be going to anti-malware sites. It’s even monitoring what programs you run. When it sees you doing anything that could lead to its removal, it steps in and either redirects you to sites of its choosing or simply causes the operation to fail.
We’d love to download and run anti-malware tools, but we can’t.
So, we have to get creative.
Run Windows Defender Offline
I’ve changed my original recommendation since this article was first written. Now, I recommend that you begin by downloading Windows Defender Offline.
Windows Defender Offline is an anti-malware tool – essentially a stand-alone version of Microsoft Security Essentials – that you download and burn to CD. You then boot from this to avoid any of the malware that is on your machine. That way, you can run the anti-malware tool directly.
It’s important that you download Windows Defender Offline when you need it – which probably means using a different computer as the existing malware on your machine may prevent you from downloading it. That way, the tool is up-to-date. You should always run the latest version of Windows Defender Offline, so you’re protected from the latest threats.
Let the tool perform a thorough scan of your machine. Hopefully, it will detect and remove the malware that’s causing your problem.
If it doesn’t detect and remove it, if you can’t run Windows Defender Offline, or if you just want to keep scouring your machine with additional tools, we switch to other tactics.
Temporarily kill the malware
One possible solution to the blocking problem is to temporarily kill the malware that’s running. This won’t remove it, but it may allow you to download tools that will.
The folks at BleepingComputer.com have created a tool called RKill that does exactly that. You may need to download Rkill on another machine (because it may be blocked on the infected machine), but you can quickly copy it over to your machine using a USB drive or something else.
You may also need to rename rkill.exe to something else (like “notrkill.exe” or “leo.exe”). Once again, the malware may be paying attention to the name of every program being run and may prevent the software from running if it recognizes the name.
Run the program and do not reboot. Rebooting will “undo” the effect of having run Rkill. Any malware that Rkill killed will be back.
Download and run Malwarebytes’ Anti-Malware
Malwarebytes’ Anti-Malware is currently one of the most successful tools at identifying and removing the types of malware that we’re talking about here. It’s not really a replacement for anti-virus software (you’ll find that they say that in their support forums), but in cases of infection, it has a pretty darn good track record.
Download the free version, install and run it, and then see what it turns up. (Once again, you may need to download the tool on another machine and copy the download over as you did with rkill.)
Try other tools
After running Rkill, you may (or may not) be able to run some of the other tools that the malware was blocking. You can try registry editing tools, the task manager, Process Explorer, or others.
You can also try your other anti-virus and anti-spyware tools. Either they will be able to download an update that catches this problem or you can download another tool that will.
But in general, my money’s on Malwarebytes.
What if it doesn’t work?
If none of that works, then things get complicated.
You may consider trying:
- Boot from another bootable antivirus rescue CD. There are several, including from anti-virus vendors like Avira, AVG and many others. If you have a favorite anti-malware vendor, check with them to see if they provide a bootable scanning solution. These are interesting because, like Windows Defender Offline, they boot from the CD, not your hard drive. The malware doesn’t have a chance to operate and block you. You can then run a scan of your hard disk and hopefully clean it off.
- Remove the hard disk and place it in or connect it to another machine. Hardware issues aside, this needs to be done with care to prevent the malware from spreading. Just like booting from that CD, however, this boots from the new machine’s installation, not yours. You can then run anti-malware tools against your drive and hopefully clean it off.
Restore from backup
If you have a recent system backup, it’s possible that restoring to that will take your machine back to a time before it was infected at all.
Regular backups are wonderful for this. This is yet another reason why I so often harp on backing up.
Be aware that it does have to be the correct type of backup: either a full system or image backup. Simply backing up your data will not be helpful in a scenario like this unless you are forced to take the final solution (see below).
And for the record, my opinion is that System Restore is pretty useless when it comes to bad malware infections like this (if it hasn’t already been completely disabled by the malware). Give it a try if you like, but I don’t have much hope for its success.
The final solution
That subtitle sounds dire, because it is.
As I’ve mentioned before, your machine is no longer yours once it’s infected. You have no idea what’s been done to it. And you also have no idea whether the cleaning steps that you took removed any or all of the malware that was on the machine.
Even if it looks clean, there’s no way to prove that it is.
You know it was infected, but there’s no way to know that it’s not now.
The only way for you to know with absolute certainty that the malware is gone is to reformat your machine and reinstall everything from scratch.
Sadly, it’s also quite often the most pragmatic approach to removing particularly stubborn malware. Sometimes, all of the machinations that we go through with trying to clean up from a malware infection end up taking more time than simply reformatting and reinstalling.
And reformatting and reinstalling is the only approach that’s known to have a 100% success rate at malware removal.
If you don’t have a backup of your data, then before you reformat, at least copy the data off somehow. Boot from a Linux Live CD or DVD if you must (Ubuntu’s a good choice). That’ll give you access to all of the files on your machine and allow you to copy them to a USB device or perhaps even upload them somewhere on the internet.
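Here is one way to do that copy from the Linux live session, as an added example that is not part of the original article. It assumes you have already mounted the Windows volume read-only (the mount command in the comment is only illustrative) and the USB drive writable, and it leaves program-type files behind so that an infected download doesn’t travel along with your documents.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Assumes: the infected Windows volume is already mounted read-only from a
# Linux live session (e.g. "mount -o ro /dev/sdX2 /mnt/win") and the USB
# destination is mounted writable. Both paths are passed as arguments.

# File types that are left behind: programs, scripts, installers, shortcuts.
# Documents, pictures, mail and the like are copied; executables are not, so
# an infected download or dropped binary does not travel with your data.
SKIP_EXT='exe|dll|scr|com|pif|bat|cmd|vbs|vbe|wsf|ps1|lnk|msi|jar'

# should_skip FILE -> exit status 0 when FILE has a skipped extension.
should_skip() {
    name=${1##*/}                       # strip the directory part
    case "$name" in
        *.*) ext=${name##*.} ;;         # text after the last dot
        *)   return 1 ;;                # no extension at all: keep it
    esac
    ext=$(printf '%s' "$ext" | tr 'A-Z' 'a-z')   # SETUP.EXE is caught too
    printf '%s\n' "$ext" | grep -Eqx "($SKIP_EXT)"
}

# copy_user_data SRC DST -> copy every regular file under SRC to the same
# relative path under DST, skipping program-type files (logged on stderr).
copy_user_data() {
    src=${1%/}; dst=${2%/}
    find "$src" -type f | while IFS= read -r f; do
        rel=${f#"$src"/}
        if should_skip "$f"; then
            printf 'SKIP  %s\n' "$rel" >&2
            continue
        fi
        mkdir -p "$dst/$(dirname "$rel")"
        cp -p "$f" "$dst/$rel"
    done
}

# Typical use from the live session:
#   copy_user_data /mnt/win/Users/yourname /media/usb/rescue
```

Review the SKIP list of what was left behind before you reformat; anything you genuinely need from it can be fetched again later from a trusted source rather than carried over from the infected disk.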
After things are cleared up and working again, take a few moments to consider how to prevent it from happening again or what you can do to make the next time easier:
- See if you can identify how the infection occurred and then, to the extent that you can, never do that again.
- Make sure that you have the most up-to-date security measures that it takes to stay safe on the internet.
- Consider investing in a backup solution of some sort. Nothing can save you from more different kinds of problems than a good, regular backup.
As I said at the beginning, prevention is much easier than the cure.