Leo, I believe that the vast majority of PC users are not exactly sure about what is normal or what’s supposed to happen during the Windows uninstall process; most specifically, or importantly, when dealing with malware. Can the unscrupulous malware writers hijack the process somehow in an attempt to get the PC user to install something else, or worse?
It might be helpful here to start with a definition of the term “uninstall”. “Uninstall” is a term we use to refer to the orderly process of removing software that has been installed. It’s usually performed by the very setup program that put it there in the first place.
And, to be clear, there’s really no such thing as a standard Windows uninstall process.
Uninstall is up to each application
It really is up to each program how it is going to uninstall itself when you uninstall software through Control Panel.
When you run an uninstall, you really are saying “Run a program that is associated with (whatever it is you’re trying to uninstall), and tell it to uninstall itself”.
What it does then is completely up to it.
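To see exactly which program Control Panel would run for each installed application, here is a read-only PowerShell listing. It is an added example, not part of the original article. It assumes the standard Windows "Uninstall" registry keys and their UninstallString values, which the article does not name; the helper name Get-UninstallerPath is made up for this example.

```powershell
# Added example: list the command each installed program registered as its uninstaller.
# Read-only: it inspects the registry and file signatures and never runs an uninstaller.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Hypothetical helper: pull the executable out of a free-form UninstallString.
function Get-UninstallerPath {
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }          # quoted path
    if ($expanded -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }   # bare path
    return $null
}

Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.UninstallString } |
    ForEach-Object {
        $exe = Get-UninstallerPath $_.UninstallString
        $status = 'Unparsed'
        if ($exe -match '(^|\\)msiexec(\.exe)?$') {
            # Handed to Windows Installer rather than to the program's own setup EXE.
            $status = 'WindowsInstaller'
        } elseif ($exe -and (Test-Path -LiteralPath $exe)) {
            # Signature status of the program that will actually be run.
            $status = [string](Get-AuthenticodeSignature -LiteralPath $exe).Status
        } elseif ($exe) {
            $status = 'FileMissing'
        }
        [pscustomobject]@{
            Name        = $_.DisplayName
            Publisher   = $_.Publisher
            Uninstaller = $_.UninstallString
            Signature   = $status
        }
    } | Sort-Object Signature, Name | Format-Table -AutoSize -Wrap
```

A Valid signature only tells you who published the uninstaller, not what it will do when run; that part is still entirely up to the program.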
To be even clearer, we don’t actually uninstall malware. When it comes to running anti-malware scans, uninstall is typically not what you end up doing because malware doesn’t design itself to be removed.
Thus there’s nothing orderly about getting rid of malware.
Malware can do anything
The ultimate answer to your question is yes. Once there’s malware on your machine, it’s not your machine anymore. Malware authors can do whatever the heck they want to. And that includes making the malware removal process look like it’s working when it’s not, or worse.
Now, in reality, I’ve never really heard of anything that is that benign. Certainly if malware happens to have an uninstall option in Control Panel, it may not be uninstalling even if your computer says it’s uninstalled. But that’s not typically how malware operates.
Instead, when malware affects your security software, it’s going to disable it completely. There’s typically nothing hidden about that at all. Your anti-virus stops working; it stops scanning and it can’t remove or block anything. It’s not uncommon for malware to go so far as to prevent you from actually accessing your anti-malware tools or downloading any new ones. In fact, that’s often one of the first signs that certain types of malware are on your machine: your anti-malware tools stop working and you can’t fix them.
But it’s nothing as subtle as what you describe as “hijacking the process”. Why not? Well, it doesn’t need to be.
The issue is that once the malware is on your machine, it can already do whatever it wants without needing to hijack anything. That malware can and often does install more malware without your needing to do a thing, and often without you noticing immediately. Malware doesn’t need to make your anti-malware tools behave differently when it can disable them completely.
So, if you suspect that this is the case on your machine, solution number one is to restore from the most recent image backup that you took before the infection. It’s quick, it’s easy, and it’s done. Unfortunately, not everybody’s doing image backups like I really wish they would – so solution number two is to use tools like Windows Defender Offline.
These are tools that you boot from. So you’ll need to use a different computer to download the application and burn it to a CD. Then, boot from the CD on the suspect machine so that Windows and the malware on it aren’t actually running. That way, this standalone tool can then scrub what it finds on your hard disk without the malware being able to interfere at all.
But as always, prevention is much less costly than trying to cure the malware infection because, as I said, once you’re infected, it’s really not your machine anymore.