With preparation, you can. Without? Not so much.
You don’t.
I hate to say it, but there’s an important adage that everyone needs to understand:
Once infected with malware, it’s not your computer anymore.
And that holds true even after you believe you’ve removed the malware.
That’s not to say there isn’t hope of recovery, but it does point out the seriousness of the situation.
Making sure malware is gone
It’s nearly impossible to be certain that malware is gone. Most scans catch most malware, but nothing guarantees removal except restoring a pre-infection backup or wiping and reinstalling everything. Regular image backups make this easy. Prevention through safe internet habits and backups is the best defense against these scenarios.
It’s not your computer anymore
That’s a strong statement, and I want to clarify what I mean by that.
Once on your computer or other device, malicious software can do anything it wants to. Not all malware does — and indeed, not all malware can — but there is malware that can, will, and does take over your machine in ways you might not expect and in ways that are difficult, if not impossible, to detect.
You don’t want to place bets on whether you have the kind that doesn’t take over your machine or the kind that does. They may look the same as you use your machine. The second kind, however, could lie in wait to do something nasty, could be silently doing something nasty you might not notice (like collecting keystrokes), or might cause unexpected behavior, like system slowdowns as your machine becomes part of a botnet.
Once it’s on your machine, malware can do whatever it wants. That means it’s become the malware’s computer, not yours.
What about scanning?
The most common advice about removing malware is to scan. Specifically:
- Update your security software.
- Scan with your security software.
- Scan again with your security software.
- Try an additional scan with other security software.
I’ve seen people repeat that last step until their machine is chock full of security packages that end up doing more harm than good.
Even after all that, there’s no guarantee that malware won’t remain.
To be clear, most malware will be caught, flagged, and removed. The tools do work and generally work well. It’s just that nothing’s perfect. All tools miss things.
And some malware tries very hard to be the malware that’s missed.
Running those scans is enough 99¹ times out of 100. It’s that remaining 1% that’s of concern. Remember, the question here is how to make sure that the malware is gone.
You want a guarantee.
Guarantee #1: Fairly easy
You can remove malware and be sure you’ve removed it by restoring your machine to an image backup taken prior to the malware’s arrival. After that, avoid doing whatever allowed the malware in to begin with.
This is one of the two most important things image backups are for.² It’s relatively easy, it’s relatively fast, and it’s guaranteed.
It’s also something you must have been doing before needing it. This is why I so strongly recommend daily image backups.³
A little preparation goes a long, long way.
Guarantee #2: Nuclear
If you haven’t been backing up regularly, the only way to know you’ve removed malware is to erase everything. “Everything” would, by definition, include the malware. Unfortunately, it also means erasing everything else, like your data, installed programs, and the operating system.
The process looks like this:
- Back up your existing hard drive (so as not to lose anything important).
- Reinstall Windows from scratch.
- Reinstall applications from scratch.
- Restore your data from your backup or elsewhere.
All that just to get rid of malware?
No. All that to make certain you got rid of malware.
Anything less is a compromise
I’m not suggesting you drop everything at the first sign of malware and reinstall everything from scratch. (I am, of course, suggesting you begin backing up regularly.)
Sometimes 99% certainty is enough to carry on, unless there are other signs that you’re part of the 1% (like whatever caused you to discover you had malware in the first place) and need to take more drastic measures.
But if you want or need a guarantee, you’ve got two options:
- Restore a backup.
- Reinstall from scratch.
A note about BIOS/UEFI compromise
Whenever I talk about recovering from malware and how a full format and reinstall are the only guarantee, I get push-back that they’re not. And it’s true that if your BIOS or UEFI has been compromised, even the nuclear option won’t help, since it doesn’t touch them.
To begin with, there’s no such thing as perfect security. None. It’s a spectrum. The goal is to be on the “as safe as you can be” part of the spectrum.
Second: just because something might be possible doesn’t mean it’s happening to you or that it’s likely to happen to you. BIOS/UEFI compromise is rare.⁴ There are plenty of more common malicious approaches that represent a much greater risk, all of which are covered by the process above.
Put another way: I don’t worry about BIOS/UEFI attacks specifically. I follow safe security practices that keep me safe from all malware, whether it’s a keylogger, ransomware, a bot, or something else entirely, such as some kind of BIOS/UEFI compromise.
I recommend you take the same approach.
Do this
The best thing to do, of course, is to practice safe internet habits so you never need to ask this question.
Regardless, start backing up. Now. Create image backups regularly. As you’ve seen above, that’s the easiest way to get you the guarantee you’re looking for.
Footnotes & References
1: A number I completely made up. I’m pretty certain things are NOT as bad as that. One in 1000 or one in 10,000 is probably closer to reality, but a) we don’t know, and b) I wanted your attention as I made a point.
2: The other is recovery from hardware failure.
3: Typically: Monthly full image backups and daily incremental backups using a tool like EaseUS Todo or Macrium Reflect.
4: Even if your cousin’s friend’s acquaintance heard about how it happened to someone they sort of know, those stories are usually a long string of misleading hearsay.
There was a time I could do a DBAN wipe and use an installation disk to do a clean reinstall. But for some reason Microsoft saw fit to discontinue installation disks. Your suggestion means I have to pay for a new OS from them. Great con, ain't it?
No need to pay if you’ve had Windows 8 or higher installed. It will recognize your computer and automatically be activated.
You can download a copy of Windows from Microsoft.
Where Can I Download Windows 11? Or 10? Or 8? – AskLeo!
Thanks Leo and team for all the stuff you teach us, today certainly not excepted, as it is timeless.
Back up your system. I have used Macrium and it has saved me a couple of times.
RAB
I have an addition to the nuclear option. I keep a copy of my UEFI firmware on a USB stick (from the last time an update was released). If I ever contract any malware (I haven’t yet, AFAIK), after I wipe all my drives, I’ll re-install the UEFI firmware, then re-install Windows and GNU/Linux. Unless I’m mistaken, this should wipe everywhere any malware may find to hide. If I’m wrong, please comment, telling me where else I need to clean things up.
Ernie
Just started using EaseUS Todo. Free version. Last backed up on 1/2/2025. How do I just do an incremental backup? I don’t see anything that allows me to select incremental. Can you refer me to a source for information? If this is not the right place to ask this question, please let me know. Thank you.
If instead of “Backup Now” you choose to create a backup plan, and then select daily, you should see it default to incremental.
In this issue you give pretty strong support for EaseUS Todo for backups. It sounds great!
But using backup software from a Chinese company like EaseUS seems risky. I know EaseUS has been in the market for years and is widely used globally, and is feature-rich and user-friendly, which is a good draw. However, Chinese laws, such as the China Cybersecurity Law, may require companies to cooperate with the government, including access to data, especially if one uses the cloud backup features and the servers are in China. The Chinese government could require that the product include sleeper code for their use later in nefarious ways. Give us a few less risky options.
This article on Kaspersky applies to EaseUS, Tik Tok, and any software from a country with a rogue government.
What to Do About Kaspersky Antivirus
Bottom line. We don’t know yet.
How do you define a rogue government, Mark? Just curious…
Dude, Russia and China are aggressively imperialistic countries.
Rogue state
“The Chinese government could require…” – do you really think only the Chinese government ‘could require’…? I’m 100% certain that pretty much ANY government could (and probably does) require whatever, very much including that of the US (I’m assuming you’re US based) and certain elements of any government are equally certainly less than benign. It’s not that I’m paranoid, just that I have a suspicious mind – justifiably so on the basis of recent and not so recent revelations!
I’ve long recommended Macrium Reflect as well, which is based in the UK. They no longer have a free version, though.
They sorta do. Paramount isn’t updating it but there’s a legacy version on Major Geeks.
Major Geeks is a reputable site, and many freeware and shareware developers offer their apps through Major Geeks.
Because I no longer like Chinese or Russian SW companies (I have used them before without problems, I must add), I came across a German company, very close to my wife’s birthplace in Northern Germany, called ASHAMPOO. They have been very good in responses via e-mail (the next day), and their products have worked out for me flawlessly, for years now.
Their backups allow FULL, INCREMENTAL, DAILY, or whatever you want.
I fully recommend them. For Win10 or 11.
Karl (German name but born in the Netherlands, The Hague)
If you want to be spammed to death – ASHAMPOO are the company to give your email address to.
In fact, I think they invented SPAM.
I used to use a few of their products many years ago (which I had no problem with, I should add), but the amount of SPAM and ADVERTISING via their programs as well as by email was so frustrating that when I bought this machine back in 2020 I made the conscious decision not to load any ASHAMPOO products.
Hi Everyone
Regarding backups, I’m surprised Acronis True Image wasn’t included. It has more than enough resources (backup to USB/HDD, to cloud), it has very good anti-malware, full backup, incremental and differential, and more.
I used to recommend Acronis, but stopped doing so after many issues with their customer support and forums. The software may be good, but at the time they didn’t seem interested in supporting it properly.