Sadly, this is all too common. Malware can be pretty sophisticated, and it can work hard to prevent you from removing it. That means you may be blocked from downloading or running anti-malware software, or be prevented from running tools already on your machine that might help.
I’ll save the “prevention is so much easier than the cure” missive for a moment. We just want this fixed.
There are things that we can try, but unfortunately, there are no guarantees.
The problem: when malware interferes
What you’re seeing is the malware on your machine actively watching for you to try to remove it, and thwarting your attempts.
It’s watching for downloads that “look like” anti-malware tools, and web (or other) access that might be going to anti-malware sites. It’s even monitoring what programs you run. When it sees you doing anything that could lead to its removal, it steps in to either redirect you to sites of its choosing, or simply cause the operation to fail.
We’d love to download and run anti-malware tools, but we can’t.
So, we have to get creative.
Run Windows Defender Offline
Windows Defender Offline is an anti-malware tool – essentially a stand-alone version of Windows Defender (also known as Microsoft Security Essentials in older Windows versions) – that you download and burn to CD or install on a USB flash drive. You then boot from this to avoid running the malware on your machine. As a result, you’re able to run the anti-malware tool directly.
It’s important that you download Windows Defender Offline when you need it – which probably means using a different computer, as the existing malware on your machine may prevent you from downloading it. You should always run the latest version of Windows Defender Offline, so you’re protected from the latest threats.
Let the tool perform a thorough scan of your machine. Hopefully, it will detect and remove the malware that’s causing your problem.
If it doesn’t detect and remove it, if you can’t run Windows Defender Offline, or if you just want to keep scouring your machine with additional tools, there are other tactics.
Temporarily kill the malware
One possible solution to the blocking problem is to temporarily kill the malware. This won’t remove it, but it may allow you to download tools that will.
The folks at BleepingComputer.com have created a tool called RKill that does exactly that. You may need to download Rkill on another machine (because it may be blocked on the infected machine), but you can quickly copy it over to your machine using a USB drive or something else.
You may also need to rename Rkill.exe to something else (like “notRkill.exe” or “leo.exe”). Once again, the malware may be paying attention to the name of every program being run, and may prevent the software from running if it recognizes the name.
Run the program, and do not reboot. Rebooting will “undo” the effect of having run Rkill. Any malware Rkill killed will return if you reboot.
Download and run Malwarebytes Anti-Malware
With the malware temporarily killed, you may be able to download and run anti-malware tools.
Malwarebytes Anti-Malware is currently one of the most successful tools at identifying and removing the types of malware that we’re talking about here.
Download the free version, install and run it, and see what it turns up. Once again, you may need to download the tool on another machine and copy the download over, as you did with Rkill.
Try other tools
After running Rkill, you may (or may not) be able to run some of the other tools the malware was blocking. You can try registry editing tools, Task Manager, Process Explorer, and others.
You can also try your other anti-malware tools. Either they will be able to download an update that catches this problem, or you can download another tool that will.
But in general, my money’s on Malwarebytes.
What if it doesn’t work?
If none of what I’ve discussed so far works, then things get complicated.
You may consider these options:
- Boot from another bootable antivirus rescue CD. There are several, from anti-virus vendors like Avira, AVG, and many others. If you have a favorite anti-malware vendor, check with them to see if they provide a bootable scanning solution. Like Windows Defender Offline, these are interesting because they boot from the CD, not your hard drive. That means the malware doesn’t have a chance to operate and block you. You can then run a scan of your hard disk and hopefully clean it off.
- Remove the hard disk and place it in or connect it to another machine. Hardware issues aside, this needs to be done with care to prevent the malware from spreading. Just like booting from that CD, however, this boots from the other machine’s installation, not yours. You can then run anti-malware tools against your drive and hopefully clean it off.
Restore from backup
One of the best – and often quickest – solutions is to restore your machine using a recent image backup.
Assuming you have one, of course.
Regular backups are wonderful for this. They return your machine to the state it was in prior to the malware infection. It’s as if the infection never happened.
This is another reason why I harp on backing up so often.
It does have to be the correct type of backup: either a full-system or image backup. Simply backing up your data will not be helpful in a scenario like this, unless you are forced to take the final solution (see below).
For the record, my opinion is that Windows’ System Restore is pretty useless when it comes to bad malware infections like this (if it hasn’t already been completely disabled by the malware). Give it a try if you like, but I don’t have much hope for its success.
The final solution
That subtitle sounds dire because it is.
As I’ve mentioned before, once it’s infected with malware, your machine is no longer yours. You have no idea what’s been done to it. You also have no idea whether the cleaning steps that you took removed any or all of the malware that was on the machine.
Even if it looks clean and acts clean, there’s no way to prove it is clean.
You know it was infected, but there’s no way to know that it’s not now.
The only way for you to know with absolute certainty that the malware is gone is to reformat your machine and reinstall everything from scratch.
Sadly, it’s quite often the most pragmatic approach to removing particularly stubborn malware. Sometimes, all of the machinations that we go through trying to clean up from a malware infection end up taking much more time than simply reformatting and reinstalling.
And reformatting and reinstalling is the only approach known to have a 100% success rate at malware removal.
If you don’t have a backup of your data, then at least copy the data off somehow before you reformat. Boot from a Linux Live CD or DVD if you must (Ubuntu’s a good choice). That’ll give you access to all of the files on your machine and allow you to copy them to a USB device, or perhaps even upload them somewhere on the internet.
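Both of the disk-rescue steps above – connecting the drive to another machine, and copying your data off from a Linux Live CD – share the same safety concern: nothing on the infected disk should ever be allowed to run. The script below is an added example, not code from the original article or from any of the tools it mentions, of doing that from a Linux live session: it mounts the Windows volume read-only with noexec, nodev and nosuid, copies only data files (executable and script types are skipped), and writes a SHA-256 manifest next to the copy so you can verify the rescued files later. The device path /dev/sda2, the mount point /mnt/win and the rescue destination /mnt/usb/rescue are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original article): rescue user data from an
# infected Windows disk in a Linux live session without executing anything on it.
# Assumed (not from the page): Windows volume /dev/sda2, mount point /mnt/win,
# destination USB mounted at /mnt/usb. Run with sudo on a live CD.
set -eu

# Mount the infected volume so nothing on it can run: read-only, plus
# noexec/nodev/nosuid so a stray binary or device node cannot be used by accident.
mount_infected_volume() {
    dev="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -o ro,noexec,nodev,nosuid "$dev" "$mnt"
}

# Returns 0 for a data file worth rescuing, 1 for an executable/script type
# that should be left behind and reinstalled later from clean media.
is_data_file() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.exe|*.dll|*.scr|*.com|*.bat|*.cmd|*.vbs|*.js|*.ps1|*.lnk|*.msi|*.jar) return 1 ;;
        *) return 0 ;;
    esac
}

# Copy data files from src to dst, preserving the directory layout, and record
# a SHA-256 manifest so the copy can be checked before you rely on it.
copy_user_data() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    : > "$dst/MANIFEST.sha256"
    find "$src" -type f | while IFS= read -r f; do
        rel="${f#"$src"/}"
        if is_data_file "$rel"; then
            mkdir -p "$dst/$(dirname "$rel")"
            cp -p "$f" "$dst/$rel"
            (cd "$dst" && sha256sum "$rel") >> "$dst/MANIFEST.sha256"
        fi
    done
}

# Verify a rescued copy against its manifest; returns 0 when every file matches.
verify_copy() {
    (cd "$1" && sha256sum -c --quiet MANIFEST.sha256)
}

# The real run happens only when asked for explicitly, e.g.:
#   sudo sh rescue.sh --run /dev/sda2 /mnt/win /mnt/usb/rescue
if [ "${1:-}" = "--run" ]; then
    mount_infected_volume "$2" "$3"
    copy_user_data "$3/Users" "$4"
    verify_copy "$4" && echo "copy verified: $4"
fi
```

Programs are deliberately not copied: an executable on an infected disk is exactly the kind of file that may carry the infection forward, and you will be reinstalling software from clean media after the reformat anyway. The manifest lets you confirm that what landed on the USB drive is what you copied, and the read-only, noexec mount is the same care you want when the drive is attached to another machine rather than booted from a Live CD.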
After things are cleared up and working again, take a few moments to consider how to prevent this from happening again, as well as what you can do to make the next time easier:
- See if you can identify how the infection occurred and then, to whatever extent you can, never do that again.
- Make sure you have the most up-to-date security measures to stay safe on the internet.
- Invest in a backup solution of some sort. Nothing can save you from more different kinds of problems than a good, regular backup.
As I said at the beginning, prevention is much, much easier than the cure.