The steps you need to take in the face of infection.
One question that shows up almost every day in the Ask Leo! inbox is how to remove malware.
The scenarios differ, but the problem’s always the same: a machine has been infected with some form of malware, and the machine’s owner is having a tough time getting rid of it.
Often there’s even anti-malware software installed that “should” have taken care of it before things got to this stage.
Hopefully, that’ll never be you.
Let’s review the steps I recommend for removing malware and reducing the chances it’ll happen again.
Removing malware
- Back up the infected machine for an additional safety net and data recovery later.
- Restore to backups taken prior to the infection if you can.
- Update your security software database and run full scans of your disks.
- Try additional anti-malware tools.
- Look for removal instructions specific to the malware you have, if possible.
- If unsuccessful, give up: back up, reformat, and reinstall everything from scratch.
- Prevention (and preparation in the form of a backup) are by far the easiest solutions.
A word about prevention
If there’s one thing I would have you take away from this, it would be this: Prevention is less painful than the cure.
As we’ll see shortly, the steps to remove malware can be painful and time consuming. You run the risk of losing data.
Knowing how to stay safe on the internet is much, much easier in comparison.
Let’s look at what to do when prevention has failed.
Back up
My strong recommendation is to start by taking a complete image backup of your system.
Why would you want to back up a system you know is infected with malware?
A backup taken now is an “it-can’t-get-any-worse-than-this” fallback. Some of the techniques we use to remove malware run the risk of breaking things and making the situation worse. With this backup at the ready, you can always restore and start over with nothing lost.
Restore a prior backup
If you’ve been taking regular backups, this is the most expedient step, and can save a lot of time and energy.
Simply restore your machine completely from the most recent full system backup plus any incremental backups (often handled transparently by your backup software) taken before the infection occurred.
Except for learning from the experience, you’re done.
Unfortunately, most people don’t have this option available. Most people don’t begin backing up until after they’ve experienced data loss or a severe malware infection. One of the lessons they learn is that a recent backup can save them from almost any problem, including malware.
Update your anti-malware database
If you have anti-malware software installed, make sure it’s up to date. This includes more than just the software itself; the database of malware definitions must also be current.
Almost all anti-malware tools use databases of malware definitions. They change daily, if not more often. As a result, they must be updated regularly.
Many programs do this automatically, but if for some reason yours does not, it will not “know” about the most recent forms of malware. Make sure the database is up to date before you scan.
Perform a full scan
Anti-malware tools regularly perform a “quick” or fast scan. That’s typically sufficient for day-to-day operations.
But not today.
Fire up your anti-malware tools and run a full/advanced/complete scan of your entire system drive. If you have a single tool, that might be one run; if you use multiple tools, then run a full scan with each. This may take some time, but let the tools do their job.
This also applies if your anti-malware automated scans have stopped working for some reason (that reason often being malware). If this full scan discovers something, it might be worth checking to make sure the security software is properly configured to still scan automatically.
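The update, full-scan and “is automatic scanning still on?” checks above, as an added example rather than anything from the article: a PowerShell script for Microsoft Defender Antivirus on Windows 10/11, run from an elevated session (the cmdlets are Defender’s own; the one-day staleness threshold is my assumption).

```powershell
# Added example, not part of the article: confirm Defender's definition
# database is current, refresh it, run the full scan the article calls for,
# then verify that automatic scanning has not been switched off.
# Assumes Windows 10/11 with Microsoft Defender Antivirus, elevated session.

$status = Get-MpComputerStatus
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
"Signature version {0}, last updated {1:N1} days ago" -f `
    $status.AntivirusSignatureVersion, $sigAge.TotalDays

# Definitions change daily; anything older than a day (assumed threshold)
# is refreshed before we rely on the scan result.
if ($sigAge.TotalDays -gt 1) {
    Write-Warning "Definitions are stale; updating before scanning."
}
Update-MpSignature

# Full scan of every local drive. This blocks until the scan finishes and
# can take hours, which is the point: it covers files a quick scan skips.
Start-MpScan -ScanType FullScan

# Report everything Defender detected and whether it managed to act on it.
Get-MpThreatDetection |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources |
    Format-Table -AutoSize

# Malware often disables scheduled scans and real-time protection; check
# both after the scan instead of assuming they still work.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
if (-not $status.RealTimeProtectionEnabled -or $pref.DisableRealtimeMonitoring) {
    Write-Warning 'Real-time protection is OFF. Re-enable it with: Set-MpPreference -DisableRealtimeMonitoring $false'
}
# ScanScheduleDay: 0 = every day, 1-7 = Sunday..Saturday, 8 = never.
if ($pref.ScanScheduleDay -eq 8) {
    Write-Warning 'Scheduled scans are disabled (ScanScheduleDay = 8).'
}
# FullScanAge is the number of days since the last completed full scan.
"Days since last full scan: $($status.FullScanAge)"
```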
Try another anti-malware tool
No anti-malware tool catches all malware.
I’ll say it again: there is no single tool that will catch every single piece of malware out there. None. Some catch more than others, but none of them catch everything.
So using additional reputable tools is a reasonable approach.
I recommend the free[1] version of Malwarebytes’ Anti-Malware as the first tool to use. It has a reputation for removing some nasties other tools apparently miss. Once again, run a full scan.
Regardless of which tool you select, stick with reputable tools. When a machine is infected, some people tend to panic and download just about anything and everything claiming to be an anti-malware tool. Don’t do that. There are many less-than-reputable individuals out there ready to take advantage of your panic.
Do some research before downloading anything, or you may just make the problem worse instead of better.
Research specific removal instructions
If your anti-malware software tells you the name of the specific malware you’re dealing with, that’s good information, even if it can’t remove it.
Search for that malware, and you may find specific removal instructions at one or more of the major anti-malware vendor sites. These instructions can be somewhat technical and intimidating, so take your time to follow them precisely, or get a techie friend to help.
The instructions often come with offers to remove the malware for a price. As long as it’s an option (in other words, the manual removal instructions are also provided), then it may be a viable alternative if the company is one you trust. On the other hand, if all you’re presented with is a promise and a price, move on.
Some sites offer free tools you can download to remove specific malware. Once again, use caution. When the tools are from reputable sources, they’re a quick way to avoid some hassle. When the tools are really just more malware in disguise, they’ll make your problems worse.
If you download anything to help address the problem, make sure it comes from an organization you know and trust.
Surrender
This is the only sure-fire way to remove any virus. 100%. Guaranteed.
In fact, it’s the only way to know you’ve removed a virus. Once infected, none of the steps above are guaranteed to remove malware even if they report your machine is clean. Once infected, all bets are off. An infection can fool anti-malware software into thinking everything is fine even when it’s not.
There’s just no way to know.
The only way to be absolutely positive you’ve removed any and all viruses is:
- Back up. If you haven’t already, back up the entire system. You’ll use this to restore your data after we’re done.
- Reformat. Reformatting erases the entire hard disk of everything: the operating system, your programs, your data, and most important of all, all malware. This may be part of the next step, as Windows set-up often offers to reformat the hard drive before installing.
- Reinstall. Yes, reinstall everything from scratch. Reinstall the operating system from your original installation media or download. Reinstall applications from their original media or downloads saved elsewhere.
- Update. Update everything. In particular, make sure to bring Windows as completely up-to-date as possible for the most current protections against all known and patched vulnerabilities. Applications, particularly your anti-malware tools, should be updated as well.
- Restore. Restore your data by carefully copying it from the backups you created when we started. By “carefully,” I mean take care to only copy the data you need, so as not to copy back the malware — don’t copy potential sources of infection. There is no guarantee you won’t copy the malware back, so copy only what’s absolutely needed, and make sure your anti-malware tools are running and up to date.
- Learn. Take stock of how this happened, what you might have done to get infected in the first place, and what might have helped you recover more efficiently. Institute a frequent system backup.
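The “Restore” step done carefully, as an added example that is not part of the article: a PowerShell script that copies only data files from the backup of the infected machine onto the freshly reinstalled Windows system, leaves behind anything that can carry code, and has Microsoft Defender scan the source first so flagged files are skipped. The paths and the allowed-extension list are assumptions; adjust them to your own data.

```powershell
# Added example, not part of the article. Assumes Windows 10/11 with
# Microsoft Defender Antivirus and an elevated PowerShell session; the
# paths below are placeholders.
$Source      = 'E:\OldMachineBackup\Users\Leo'   # mounted backup of the infected system
$Destination = 'C:\Users\Leo'                     # profile on the clean install

# Allow-list of the formats you actually need. Deliberately absent: .exe,
# .dll, .scr, .js, .vbs, .ps1, .bat, .lnk and macro-enabled .docm/.xlsm/.pptm.
$DataExtensions = @('.docx', '.xlsx', '.pptx', '.pdf', '.txt', '.csv',
                    '.jpg', '.jpeg', '.png', '.gif', '.mp3', '.mp4')

# Refuse to run unless Defender is active and reasonably current
# (one-day threshold is an assumption).
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    throw 'Real-time protection is off; enable it before restoring data.'
}
if (((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalDays -gt 1) {
    Update-MpSignature
}

# Scan the whole backup tree once, then collect the paths Defender flagged.
# Resources entries look like "file:_E:\path\name.ext".
Start-MpScan -ScanType CustomScan -ScanPath $Source
$flagged = @(Get-MpThreatDetection | ForEach-Object { $_.Resources })

$files = Get-ChildItem -Path $Source -Recurse -File |
    Where-Object { $DataExtensions -contains $_.Extension.ToLower() }

$copied = 0
$skipped = 0
foreach ($file in $files) {
    # Skip anything Defender reported under this path (match is case-insensitive).
    if ($flagged -match [regex]::Escape($file.FullName)) {
        Write-Warning "Skipping $($file.FullName): flagged by Defender"
        $skipped++
        continue
    }
    # Recreate the relative folder structure under the new profile.
    $relative = $file.FullName.Substring($Source.Length).TrimStart('\')
    $target   = Join-Path $Destination $relative
    New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
    Copy-Item -LiteralPath $file.FullName -Destination $target
    $copied++
}
"Copied $copied data files; skipped $skipped flagged files."
```

Everything not on the allow-list stays in the backup; if you later find you need one of those files, scan it individually before bringing it across.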
It’s not your fault, but it is your responsibility
By now, I hope you can see why prevention is so much less painful than the cure.
Taking a few extra steps to keep things up to date, avoiding those cute virus-laden downloads and attachments, and just generally learning how to stay safe is much easier than the recovery process I just outlined.
And having backups can make the recovery process as close to painless as possible if you do get infected.
It’s not your fault. But it is your responsibility to learn the basics about staying safe when you use your computer.
In an ideal world, we’d never have to worry about malware or “bad guys” trying to fool us into doing things we really shouldn’t. But you already know this isn’t an ideal world; software isn’t perfect and never will be. There will always be someone out to scam the vulnerable.
Even though it’s not your fault, you still need to be the one to get educated and take the steps needed to stay safe.
Right or wrong, it’s practical reality.
Footnotes & References
1: Yes, there is a truly free version. See the Malwarebytes article for details.
The free version of Malwarebytes is very good – I’ve never used the paid-for version and have successfully cleared all sorts of problems for clients.
The reformat has one tricky part — If the virus gets into the boot sector, a quick format usually won’t dislodge it.
For that, you have to zero out the drive — using DBAN or something similar.
Malwarebytes is in fact free, and a GREAT removal program. The only things extra you get from the paid version are real-time protection and automatic updates. But in the free version, you can just easily hit the Update button to get all the definitions, and use the on-demand scans.
-Mike
Good article, but surprised you didn’t mention rolling back your XP/Vista to a system restore point before the date you noticed the pop-up; it’s worked for me, and it’s a lot easier task for most people than a full system restore.
22-Jul-2009
The only way to truly get rid of a virus is to fully reformat the machine. I keep all my data on an external drive, and anything that I download is on my main drive first. That way, my data is never affected. Backup of course anyway though.
There is another approach, one that is more reliable than using anti-malware software from inside the infected OS and less drastic than a total re-format -> scan for malware from outside the infected OS, without actually running the infected OS. I wrote a trio of articles on this which are summarized here:
Removing malware is best done from the outside
Updated link: https://www.computerworld.com/article/2467245/removing-malware-is-best-done-from-the-outside.html
When I tried to visit that site that you are referring to, namely: “http://blogs.computerworld.com/removing_malware_is_best_done_from_the_outside”, I received an error message from both Google Chrome and MSN Edge, “404 PAGE NOT FOUND. Page not found.
The Computerworld page that you have requested cannot be found by our friendly robots. The page you are looking for may have been removed, had its name changed, or may be temporarily unavailable. If you followed this link from outside our site, we’d appreciate if you’d let the owner of the referring site know.” So, unsure what the issue is, at my end, as everything is working ok with me.
The comment you are commenting on is 11 1/2 years old. It’s no major surprise the link is broken. I removed the link.
And I replaced your removal with the updated link. :-)
Best way is to remove hard drive, put in different computer and run anti-virus on it.
Most antivirus programs have a rescue disc which boots into a limited operating system and can remove the malware which is prevented from being removed.
Microsoft offers the free Windows Defender Offline which you can download and boot from.
How Do I Remove Malware that Blocks Downloads
My external hard drive; can it be infected too? Will moving material back and forth re-infect the re-programmed computer?
It is possible, yes. Some malware can, and does, spread through external and portable drives.
18-Nov-2009
First, I would run my anti-virus program, then choose “check for updates” to make sure that it is, then choose “complete system scan” or “full system scan” to see if it finds anything. Then try an adware scanner. Ad-Aware has a pretty good one you can use manually for free. You do have to buy it if you want continuous automatic protection.
Reformatting and reinstalling often works out quicker in the long run and gives a very satisfying feeling of victory.
The only weakness is any reinstalled data. Only do this for critical stuff; otherwise you have a higher risk of reinfection.
Jp
I have a virus that won’t allow me to do anything on the computer anymore, once it is up and running. How do I get to the point of reformatting and reinstalling. Don’t I need a boot disk or something?
You were required to make your Restore disks as soon as you turned on the PC for the first time. That means it may be too late. Some manufacturers may sell the disks for $20. I never bought them from HP, but it can’t hurt to try. You may have a recovery partition. Windows 10 erased mine, so all I have is refresh to OS and a new set of Recovery DVDs.
Good article Leo, very informative. From this article can you please tell me in more detail the steps I need to take from “The only way to be absolutely positive that you’ve removed any and all viruses is: backing up the computer down to restoring the data.” I need a step by step explanation about how to do that. cheers.
A few months ago I got an Antivirus Program pop-up and it took over my computer completely. Every single program I clicked on said it had a trojan. It recommended that I purchase their antivirus program to remove the virus (they installed!). They even sent an official-looking Microsoft screen that recommended I buy their program. After 5 hours of trial, error and tears, the easy solution was to reboot in Safe Mode and then choose “no” at one point so I could go to System Restore while in Safe Mode. I then selected the first date and time (yesterday) when I didn’t have this infection to restore my computer to. I let the computer do its restoration and it automatically rebooted, and my computer was clean and working perfectly again. SAFE – EASY – EFFECTIVE SOLUTION! It’s been fine for months now. I hope this helps others.
The guy in the computer shop said BIOS virus infections are very rare because not many folk use floppy disks anymore. This is where most of them used to be introduced many years ago, as I recall.
Jp
When viruses disable the Task Manager and don’t allow using RegEdit, I have often had success using a third-party registry editor. However, occasionally, a virus may monitor the Registry value and set it right back to disable the Task Manager right after you change it.
Leo,
You say:
“The only way to be absolutely positive that you’ve removed any and all viruses is:
* Backup […]
* Reformat […]
* Reinstall everything, from scratch […]
* Update everything […]“
Fine… were it not for the following:
“* Restore your data by carefully copying it back from the backups you created. By “carefully” I mean taking care to only copy what you need, so as not to copy back the virus.”
This is the catch.
For how could one possibly “only copy what you need, so as not to copy back the virus” ???!!!
Malware could lurk inside a data file that appears legitimate. How do I know that it is not hiding inside any one among hundreds of those nice photo images that I had downloaded over the web a long time ago?
Johan
31-Dec-2010
Also using Linux, a live CD, ClamAV. Am visually impaired, and one of my brother’s machines has the FBI ransomware malware on it and honestly, who knows what else, so safe mode isn’t an option. So, Linux to the rescue :) Most likely, Ubuntu, or GRML since I know the screen reader is built in. That’s another way of removing.
Since becoming a convertee to Sandboxie, I & friends have not had malware infections.
I often browse the web in an unsafe manner and open all email attachments without fear.
Providing data is NOT saved outside the protective Sandbox, your computer will be protected. Look up YouTube videos for more info and initial settings, which can sometimes be tricky for the newbie. Sandboxie is free but a 5-second nag screen will appear after 1 month. No big deal though, just click and it goes away.
http://www.sandboxie.com/
I use Malwarebytes (paid version). But I boot to the “C” prompt when Windows does not solve the problem. I go into the directory and run Malwarebytes from there. You can also run CCleaner, AVG, and the majority of anti-virus programs from the “C” prompt, but you have to go into that directory to run the executable file.
CAN SOMEONE PLEASE TELL ME WHY MY COMPUTER CRASHES ALL THE TIME? I CLEAN MY SYSTEM ON A REGULAR BASIS. I HAVE ALSO LOST SOME START-UP TONES, MY BACKGROUND TO MY DESKTOP IS FOR HIGH CONTRAST (blk. background) AND I CAN’T BRING IT BACK TO ORIGINAL, SO I CAN PUT MY OWN CHOICES OF DESKTOP ART ON MY SCREEN. YOU MIGHT HAVE FIGURED I’M COMPUTER ILLITERATE. I APPRECIATE ANY HELP OR TIPS YOU CAN GIVE ME. THANX
Randall,
That sounds like a pretty serious condition. If it was me I’d try formatting the machine, and make sure you have any important data backed up.
By the way, when someone types in all caps IT LOOKS LIKE SHOUTING. So you may find you get lots of grumpy replies when you chat with people in that way. :)
Sounds like this article is what you want: Why does my computer crash at random times?
I use and frequently update the free versions of Avast, Malwarebytes, and CCleaner, and they seem to keep me in pretty good running order. Each month, just before I pay bills (i.e., go into just about all of the sites that deal with my financial info), I update and run a FULL scan with each of them. Given that the full scans take so much time, I run them at the same time, which they obviously allow me to do. Am I diminishing their effectiveness by failing to run each one individually? And if they should be run individually, is there a recommended order? Thanks for all the great info!
Running more than one disk-intensive operation like that can cause the two programs to constantly swap disk usage and cause them to run slower than if they were run sequentially.
I have the free AVG trial. Would I have better luck by just buying a spyware CD from Best Buy for 50 bucks, and installing it immediately after a full system restore?
One thing that Leo always says is that the way we operated on the internet is as important as the anti-virus software we run. AVG is a fine anti-virus program, and Leo actually recommends the free Microsoft Security Essentials. Here are two articles that will help you:
http://askleo.com/internet_safety_8_steps_to_keeping_your_computer_safe_on_the_internet/
http://askleo.com/what_security_software_do_you_recommend/
My laptop just dies at least once a day with the power plugged in. Then it takes me several tries to reset it by unplugging the power, removing the battery and holding the power button in for 10 seconds with the battery out, as per instructions. This is very annoying. Any suggestions?
This feels like a problem with the battery itself, or the power circuitry in the laptop. I’d probably see about getting it diagnosed and possibly repaired by a technician.
Is it normal for Windows to “freeze you out” every morning around 4 am while “Windows installs updates”? This process takes anywhere from 1 to 2 hours to do.
The screen always says “don’t turn off your computer”. Is it actually uploading viruses?
Every time I open up Google the bar at the very top of the page completely fills up with about five or six different search engines, and they’re all spinning. Even if I go to tools to remove them, they still come back the next time. I just ran recovery disks two days ago. What did I do wrong? And why does every type of software available over the Internet seem to be connected to some kind of scam or virus?
I downloaded Microsoft security essentials, Google, and OpenOffice, and that’s it.
Also, my machine was locked up for three hours with this thing they call loading updates, “configuring service pack do not shut off your computer”
Three straight hours of that, until finally I pulled the battery out of the back, reset it and turned it back on again, only to get another half an hour of this same thing?
Any ideas at all, from anybody?
The only thing that strikes me as odd in your comment is that you downloaded “google”. Google isn’t something you download, it’s a web site you visit (unless you downloaded a specific Google product, in which case the name of the product would make more sense).
Updates can take a while, yes.
But it definitely sounds like there is malware on your machine – either it’s not getting cleaned off properly, or it’s coming back due to something else that’s happening.
Leo, thanks for the article :). I’ve been affected by malicious intrusions 2-3 times over the years. I’ve used cloning system restoration methods to recover from the intrusions.
The last time I was affected by a malware intrusion, I removed my original HDD, and installed my cloned HDD. I was running as normal within minutes.
Then I booted up on a Linux-based boot CD, such as “GParted” or something similar, to delete the partitions on the infected HDD.
Then I booted up on one of my cloning/imaging tool CD’s and cloned back to my previously-infected HDD from my replacement HDD. Then I reinstalled my newly-cloned (my original HDD), and continued running my PC as normal.
I clone my PC periodically, usually once every 2 weeks, so that I’ll have a spare HDD on the shelf to recover from malware and as protection against HDD failure.
I also Image my HDD occasionally (full-HDD images) to an external storage HDD. The external HDD is connected to my PC only during Image processing. I keep it disconnected to isolate it as a protection against encryption ransomware, such as “Cryptolocker”.
I prefer Cloning and full-HDD Imaging as malicious-content recovery methods since that eliminates the time required to scan and attempts to clean the infected HDD.
For those with desktop PC towers, if you have any expansion bays available, I’d recommend installing SATA hot-swap racks. They are great accessories that allow one to remove and install HDDs in seconds without accessing the internal PC tower area.
Cloning is just a different style of image backup – somewhat more cumbersome in my opinion, but absolutely workable. And yes, restoring from a backup image (or clone) from before the infection happened is absolutely the best way to ensure you’re rid of it.
All this talk about Back up and Restore. Yes, it is so important.
However, since I have owned my first computer with Windows 3.1, no backup ever – I repeat, EVER – worked after a serious computer crash.
Regardless of software used.
Nobody seems to post the article with real help for such an emergency.
All articles here take for granted that your OS starts up OK.
Of course it must do that to run Restore or File backup, as Windows has to be operational to access your Restore points and the drives the backup is stored on.
So just happened that for no apparent reason my computer could not be re-started, wakened at all – Just black screen, no mouse pointer, no keyboard.
I am fairly new to following your articles, so not sure if this is the kind of crash that you have not addressed before.
But not new to serious computer crashes.
No Windows running (any and all versions, especially Windows 8 and 8.1: the crappiest and most unstable OS to date).
Also my 2 boot USB flash drives, created by backup software and Windows specifically for this emergency, would not work.
They were tested after creation and booted 2 computers just fine.
Small detail: The computers were working just fine at the time; just the boot drive was switched in the BIOS from HD to USB.
Please devote an article or two in depth to address this real problem, or send me a link where is the one I have missed.
Another problem with many “help” articles is that they refer the victim to get/find help/solutions online!!
DUH – if your computer is dead, you do NOT have online. You are OFF line until your OS works.
Mailing the ASUS computer to the factory for reinstalling Windows 8 was the only option at the time.
Also with this type of crash you have NO access to Cloud backup – you are completely and utterly isolated from the world you know.
Thanks for taking time to read this, and I hope that you will post it.
Best regards
Tony H
Not really. Good backup software lets you download an iso file to create a bootable rescue disk or USB stick. This contains a copy of a program which can restore from your backup. When your disk is damaged, just boot from the CD and run the restore program.
“Of course it must do that to run Restore or File back up, as the Windows has to be operational to access your Restore points and drives the back up is stored on.”
This is flat out WRONG. Two things:
I have an old XP desktop PC that I am trying to cleanup, so I can donate it. I want to uninstall all the applications, delete files, reformat and then reinstall Windows XP from the original CDs.
I got to the point of formatting but got stopped there. When I go to the DOS prompt, it first asks for parameters for the “Format” command. I wasn’t sure about the parameters, so I just tried a few different ones. Every time, I get an error message that tells me the “volume is locked” and the command terminates.
Can someone enlighten me on how to format the hard drive, before I have to resort to physical destruction on my drill press?
That’s correct – the fact that Windows is running FROM the drive means that it’s “in use” and cannot be formatted.
Boot from the installation media for Windows – part of the install process will include the ability to reformat the drive.
Can my recovery partition (D:) that comes installed on my laptop become infected with malware or a virus if the (C:) drive is infected
My laptop came with the hard drive partitioned with (C:) being the operating system and (D:) the Recovery. My question is: if the (C:) gets malware or a virus, can that get into the Recovery Partition? Would it be safer to restore the laptop using the Recovery Disks than the recovery partition?
It is possible, yes. That’s one reason that I encourage backups to include the recovery partition, even though it’s not something you use day to day.
I am running Windows 8.1 Pro on an HP Envy Phoenix desktop computer with just one administrator account. Suppose I add a second administrator account. Suppose I install a second copy of Malwarebytes on my second administrator account. If my computer gets infected with ransomware on my first administrator account, do you think I could remove and defeat the ransomware by using Malwarebytes on my second administrator account? If you believe the answer might be yes, could you please give us a tutorial? Thanks for reading this!
Of course I don’t know exactly what Leo will answer. But I do know that once a hacker gains control of your computer they can do whatever they want. So this just doesn’t sound like it will work. A better approach would be to have a full image backup. Revert to that image and you are back in business. As Leo says, avoiding malware is a great idea as well.
Different administrator accounts are not isolated from each other. Any administrator account has full access to all files and folders on the machine, including other Administrator accounts, so this technique you mentioned would not work. Ransomware is a form of malware which encrypts your data and can’t be removed or repaired by any AV program.
Anyway, it’s not really possible to install an additional installation of Malwarebytes without some hacking, as programs are installed in the same Programs folder for all users. You may be confusing the message you get with some program installations which asks if it should install for all users or just the current user. That only tells it whether to place a shortcut in the Start Menu for all users or just the current user, and in some cases places some information in the appropriate Registry location. As Connie said, backups are your best protection. A daily incremental backup will allow you to revert your system to a state before the malware hit. You might also want to use something like Dropbox to have a backup of your data between the time of the last backup and the time you restore from the backup.
No. Once your files are encrypted they’re encrypted. There is no “removal” of ransomware.
Malwarebytes is the best of the best! If you don’t have it, you definitely want to get it. The site is secure and it’s the real deal. It’s saved me from 16 PUPs so far. :)
Leo, I have learned a lot of useful tips from you. I think you’re a genius! Thank you! I’d also like to thank you for being one of the rare KIND Computer Techs in the world. I come across so many snarky, know-it-all, think-users-are-just-natural-born-blooming-idiots-who-are-wasting-THEIR-time techs that I was beginning to think it was a conspiracy. There are a couple of techs at Opera who can both best be described as The Devil in disguise. Thanks for all your patience, all your knowledge and just for being YOU! Whoever says nice guys finish last must be the king of the scumbags. God Bless you! Peace. :)
I would like to add a comment: even though MOST malware can indeed be removed by a deep format of the full system disk, including the boot record, certain malware will reside in the firmware. If that’s the case, it will be extremely difficult to get rid of, and moreover there might be a doubt about the cleanup (if several firmware containers are simultaneously infected, you don’t know in what order to reflash them, if even you can reflash them). This is then the moment to sell your hardware second hand on eBay and buy new material :-)
In the case of firmware infection, you should absolutely not sell that to ANYONE! If you sell it, you only contribute to spreading the firmware malware around, and it may come back to you in the long run.
Do something to fry the hardware, like rubbing wires connected to the sector across the motherboard, then send it to some recycling facility.
Actually try resetting the firmware before you give up.
This can be harder to do than you might think. Suppose that your computer has, say, 3 built-in USB devices (like the webcam), and suppose that two of them have been infected by a USB-propagating firmware worm because they are on the list of devices the worm can handle.
Now, in the very hypothetical case that you can get hold of a flashing program that can reset the original firmware on one of them, by the time that you are going to try to flash the second one, this second one has re-infected the first, reflashed device. And you cannot read back the firmware to check.
You would actually need to disconnect internal USB devices except for one at a time, but hardware wise, this is not always possible.
But the worst part is that you can never check whether you have the right firmware or not, as most firmware cannot be read out. If you can get a checksum, that would be OK, but very often, you can’t.
Yeah, while such malware is far from common and the chance of encountering it is close to zero (unless you do something to get on the NSA’s radar, that is) it does indeed exist. For example:
https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/
*makes a mental note to never buy hardware on eBay from people called Patrick*
I’ll add too that people really don’t need to be concerned about this type of malware: it’s super-specialized stuff that’s used by cyberespionage groups – and governments too, I’m sure – in very targeted attacks. In other words, it’s not something that Fred Bloggs or Joe Sixpack is going to encounter. Or, at least, they’re not going to encounter it today. As for what the future holds – your guess is as good as mine!
I think that the BIOS / UEFI firmware is too tricky to infect. However, hard disk drive firmware and USB devices’ firmware are the future for malware, in my opinion.
Look at things like this:
http://null-byte.wonderhowto.com/how-to/make-your-own-bad-usb-0165419/
Ok, this is not yet “infecting the firmware of a USB component of a computer”, but you’re not very far, and it is in fact quite easily done. Find the same trick for a popular hard disk, spread it with a USB key’s firmware, and mass infection is not far away.
I don’t want to panic people, but firmware infection is, in my opinion, where malware (serious malware, that is) will go, and there’s, for the moment, not much that can be done about it. That last point is the reason for my belief in the success of firmware malware: we’re not prepared for this, and there’s no easy solution for the installed base of hardware the day we see that it is going to become a problem. Software can be easily changed. Firmware *protection* on a system that wasn’t designed with that in mind is almost impossible, and most firmware cannot be checked (most devices allow flashing firmware, but not reading it out).
While this is possible it remains very rare. I don’t want frustrated or panicked people to jump to this conclusion. 99.99% of all malware will be removed by a reformat.
Leo mentioned backups. He continually mentions backups. He was the one that convinced me to take regular backups long before I joined team Leo. The last time I was hit with malware, I didn’t need to bother to look for a solution. I backed up my Documents folder, ran a restore to the previous night’s backup, went shopping, and when I returned, everything was back to normal. I might have repaired the virus in 5 minutes or 5 hours, but restoring from backup was painless and sure. So I’ll mention backups again. Just do it. It’s the best protection against malware and so many other problems.
https://askleo.com/how_do_i_backup_my_computer/
Suppose that I found that I had malware doing its “thing” on my PC.
(I perform daily incremental images using Macrium).
I would restore to the incremental before the infection.
But, if the attack was scheduled for a future time from the time it was placed on the PC, how do I know which incremental to restore?
The question becomes: Is there any way to know when the malware was initially downloaded and/or when it was actuated?
I’d hate to have to try a full month of incrementals, one at a time.
Maybe that’s the only way?
Your articles are always full of great tips and info, thanks, Leo
“But, if the attack was scheduled for a future time from the time it was placed on the PC, how do I know which incremental to restore?” – The question should really be: how can you tell how long your PC has been infected so that you know which backups can safely be restored? The answer, unfortunately, is that you can’t – at least, not with any certainty. Consequently, in the case of a system being seriously compromised – and by “seriously”, I mean hit by something nastier than an unwanted toolbar or tracking cookies – I wouldn’t use an image to restore. Instead, I’d back up my files, reinstall via the manufacturer’s recovery partition or via the Refresh Your PC option (Windows 8/10), reload my programs and then restore my files from the backup. It’s certainly not as speedy as restoring from an image, but it’s the only way to know your PC is clean.
You wouldn’t. Back to “prevention is the best cure.”
Indeed. And prevention has also become increasingly important. In the past, the majority of malware simply represented a nuisance for home users – it’d redirect homepages, insert a quote from The Simpsons into Word documents, etc., etc. These days, however, it’ll steal their banking credentials or encrypt their data and hold it to ransom. In other words, the consequences of an infection can be much, much worse than in the past.
There’s no simple answer to this, as malware is always changing its techniques and ways. I would work backwards, carefully, using the latest updates to my security software to scan for malware at each step.
The problem with this is that your security software didn’t detect the malware during the initial install – perhaps because it was concealed by a rootkit – and so may not detect it if an infected image is restored. Additionally, you have no way of knowing whether the malware was installed by – or has since itself installed – other malware and whether that other malware may also be masked by a rootkit. If you’re going to go this route, you should at least scan with tools other than the ones which failed to prevent the system being compromised.
However, in the case of seriously compromised systems, the best advice is, as I said, to restore using the manufacturer’s recovery partition or Refresh option rather than an image. It’s less convenient, but it’s the only way to be 100% sure that your system is clean.
Unless, of course, the malware damaged your recovery partition (not unlikely). It’s best to take a system image backup now, when you know your machine is virus-free, and then take regular system backups. As long as you have a system image backup of a working, virus-free system, you’re OK.
“It’s best to take a system image backup now, when you know your machine is virus-free.” – The thing is, you don’t know that it *is* malware-free. And if you do discover that your machine has been compromised, you have no way of knowing when it became compromised. It could have occurred in the last hour, the last month, the last 6 months, or…
Let’s say, for example, that your AV pops up a warning that your system is infected with the credential-stealing Gameover bot, AKA Zeus P2P. The fact that it’s only now being detected doesn’t necessarily mean that your system has just been compromised. It could have been compromised for months. Gameover could be being detected now because you’ve just rebooted for the first time in a year. Or it could be being detected because it’s just been updated via the backdoor it created to the GOZ botnet. Or it could be being detected because your AV’s signatures or heuristic engine have just been updated to detect the kernel-mode rootkit that’s used to conceal Gameover’s processes. Or maybe it has just been installed, but its downloader has been on your system for months – possibly downloading other malware that’s going undetected on your system.
As I said, in cases of serious infection, the safest option is to assume that your computer has been infected all along and to restore from the recovery partition rather than your own image backup.
I was actually aware that it’s possible the machine may be infected, but the vast majority of people reading this are not infected and should start backing up NOW. I thought about mentioning what you said, but I didn’t want to provoke any computer hypochondria :). If anyone is already infected it’s too late anyway.
I hate to be picky, Leo, but you wrote “start by taking a complete image backup of your system”.
Surely it is best to do a thorough scan (I use AVG Free followed by Malwarebytes) BEFORE backing up, otherwise any malware not cleaned will be copied across to the backup as well.
Furthermore, you shouldn’t leave your backup drive plugged into your machine with the settings on “incremental backups”, otherwise any infections may be automatically copied across to the backup drive. Best to unplug it altogether until you want to do a backup.
Actually, backing up an infected machine is a good and even necessary step if done correctly, and probably best performed before running virus removal software, to prevent data loss caused by the virus removal procedure.
https://askleo.com/should-i-backup-if-my-machine-is-infected/
http://ask-leo.com/how_do_i_safely_backup_an_infected_drive.html
“Surely it is best to do a thorough scan (I use AVG Free followed by Malwarebytes) BEFORE backing up.” – Not really, as image backups are not the best way to recover your OS from a malware infection. See the comments I made above. You have no way of knowing when your system became infected and, therefore, no way of knowing which backups may also be infected.
“Furthermore, you shouldn’t leave your backup drive plugged into your machine with the settings on “incremental backups”, otherwise any infections may be automatically copied across to the backup drive.” – Given that it’s best not to use images to recover from an infection, it makes sense to leave the drive connected so that backups do not get missed/overlooked (at least, until if/when backup-encrypting ransomware becomes commonplace – then it may make sense to disconnect backup drives).
I have the Malwarebytes program, and twice I have just deleted all of the non-malware PUPs. Apparently some were extensions of my browser, and then the browser wouldn’t work. It was such a time-consuming thing to get it straightened out that I have been afraid to delete the PUPs. I would like to know what to look for so I could only delete the things that are not related to my browser.
You could try researching items Malwarebytes detects to see what other removal options may be available. For example, removing extensions from within the browser or uninstalling programs via Add/Remove may, if the option is available, be less problematic.
As you’ve discovered, malware/PUP removal isn’t always a smooth process and can cause a variety of problems such as broken apps, loss of internet connection or even your PC not booting. Consequently, prevention really is the best option and, if you’re careful about what you install and exercise caution with email attachments, neither your antivirus program nor Malwarebytes should ever need to spring into action.
Excellent advice, sir. I have tried every junky and nasty piece of software before, but all was in vain. I thought the only solution now was to format the hard disk, but you just saved me a whole lot of trouble, time and energy, sir. Thank you.
The malware also affected other programs previously installed. It was a one-stop solution and no hectic work was involved.
I have also followed your advice for other complaints, and my computer is now just perfect. For the low specs I have, it couldn’t get any better. Thank you, sir.
I would like to learn how to back-up my data, have no idea how to start and complete the whole idea, is there a place I can go to to learn how to do this? (I am not a computer smart person, it’s almost all greek to me :o) ) Thank You so much.
Search Ask Leo!. I have dozens of articles on backing up.
Malwarebytes Anti-Malware gives me a pop-up “Malicious website blocked” and js.users.51.la
What kind of malware is this, and how do I get rid of it?
Thanks
Malwarebytes will have an option to quarantine or remove the malware. Best bet is to let Malwarebytes take care of it.
How do I reset Windows 10? (The device is new; it has been restored, but getting it back, I touched it, because I don’t see my administrative capabilities.)
Now it’s a mess: graphics, programs, my local account has me, default, and other temp files. How do I restore it w/o a disk? I am so upset with this computer. Should I take it to the Geek Squad? Much money has been lost. What should I do?
Leo.
February 22 1917, 12:pm. I posted a request for help over a network hacking. I have all the evidence; illustrated with digital photos, and anything needed for an answer to a crucial problem beginning on July 18 2013.
I’m writing because I JUST SAW MY POST ABOVE IN THIS LIST. It floored me, but the problems have gotten increasingly worse. All devices, cell, computers, are compromised.
Can you help me?
Annette G.
I can’t help you with the hacking — that’s something for law enforcement or private investigators. As to resetting Windows 10 — reinstalling from an installation disk is all I can offer. It sounds like you tried that and it didn’t meet your needs, so I’m afraid I’m at a loss there as well.
Why do I have porn site pop-ups on a page where you watch series if I don’t have malware?
It would be because you are either on a site that advertises porn, or because the ad software running on that site “thinks” you will respond to porn. In either case the answer is: The popup happens because someone somewhere wants you to click on it.
But I don’t watch porn, so why would they recommend such an ad? Is it possible to get porn ads even if you are viewing in incognito mode?
There may have been certain key words on a page you visited which triggered the ad generated on that page to send an ad for porn, even though that page had nothing to do with porn. Or it may be that others who viewed that page also visited a porn site, or any number of reasons. That shows that targeted ads are still in an infantile stage of development. Bottom line: an ad is just an ad.
Potentially because it’s advertising provided by the site on which you’re watching the series.
Apart from ransomware and adware that make their presence obvious, how on earth are users supposed to know they’re infected with something? If the malware is sophisticated enough to avoid detection by AV/AM software, then users are none the wiser even after carrying out a full system scan with several reputable AV/AM products. They might have malware, they might not, but they’d never know for certain unless they use a product like DeepFreeze or an equivalent like RebootRestoreRx.
Another thing is how are users supposed to protect themselves from malware that modifies reputable software as happened with CCleaner and Linux Mint a while back? At least with Linux Mint users could have checked checksums, but that option wasn’t available to the CCleaner users (assuming they’d know what a checksum is or how to check one in the first place).
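The comment above notes that Linux Mint users could have checked checksums. As an added illustration that is not part of the original thread or any commenter’s advice, the following Python script does that check: it hashes a downloaded file in chunks, compares the result against a published sha256sum-style list, and reports OK, MISMATCH or MISSING per file. The file names, the sums text and the file contents are constructed for the demo; the "abc" content is used because its SHA-256 value is the standard published test vector.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a multi-gigabyte ISO never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_sha256sums(text):
    """Parse sha256sum-style lines ('<hex digest>  <name>' or '<hex digest> *<name>' for
    binary mode) into a {name: digest} dict. Blank lines, '#' comments and malformed
    lines are skipped rather than trusted."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # not a well-formed SHA-256 digest line
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_download(path, expected_hex):
    """True only if the file's SHA-256 equals the published digest (case-insensitive)."""
    actual = sha256_of_file(path)
    # compare_digest is the idiomatic way to compare digests; the timing aspect
    # does not matter for a local file check, but it costs nothing to use it.
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def check_all(directory, sums_text):
    """Verify every file named in a sums list; returns {name: 'OK'|'MISMATCH'|'MISSING'}."""
    results = {}
    for name, digest in parse_sha256sums(sums_text).items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if verify_download(path, digest) else "MISMATCH"
    return results


def write_temp_file(data, suffix=""):
    """Demo/test helper: write constructed bytes to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=suffix)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return path


if __name__ == "__main__":
    # Constructed demo: a good download whose bytes are "abc", a tampered copy, and a
    # listed file that was never downloaded. All names are hypothetical.
    workdir = tempfile.mkdtemp()
    with open(os.path.join(workdir, "installer-good.bin"), "wb") as f:
        f.write(b"abc")
    with open(os.path.join(workdir, "installer-tampered.bin"), "wb") as f:
        f.write(b"abd")
    sums = (
        "# constructed sums list, in the format a vendor would publish next to a download\n"
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  installer-good.bin\n"
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad *installer-tampered.bin\n"
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  installer-missing.bin\n"
    )
    for name, status in check_all(workdir, sums).items():
        print(f"{status:8s} {name}")
```

A digest is only as trustworthy as the channel it came from: if the download page itself was replaced, the attacker can replace the published hash on that page just as easily, so a copy of the sums obtained separately (or a detached signature verified against a key you already hold) is what makes the comparison meaningful.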
“Give up: backup, reformat, and reinstall everything from scratch.”
That tends to sum up my mindset and is probably the all-around best choice anyways, as it’s possible it might take up less of one’s time vs. messing with a computer loaded up with junk, running all kinds of software in an attempt to remove it. And not only that, but wiping the drive and installing the OS from scratch will pretty much guarantee it’s in optimal running order and free of junk/viruses etc. It’s simply the best all-around option.
Because, personally, if someone even has a chance they were infected with random stuff of that sort, I simply would not trust the computer again (at least not doing anything important on it) until the OS is clean installed (i.e. wipe the drive and install the OS from scratch).
Or if I got hold of a used computer… the first thing I would do is wipe the drive, probably with ‘secure erase’ (or maybe ‘dban’) for good measure to make sure whatever was previously on the computer is permanently gone and not recoverable, then install the OS from scratch. Then maybe update the BIOS if a newer one is available, etc.
————————————————-
Drew Peacock said, “Another thing is how are users supposed to protect themselves from malware that modifies reputable software as happened with CCleaner and Linux Mint a while back? At least with Linux Mint users could have checked checksums, but that option wasn’t available to the CCleaner users (assuming they’d know what a checksum is or how to check one in the first place).”
Yeah, but in cases like these with CCleaner the user probably can’t do much. But that’s why I am of the mindset not to run any unnecessary software on one’s computer (CCleaner can be nice, but it’s not really needed), as it helps limit the attack surface.
Even with browser extensions the same principle applies, in that I would say the fewer the better, not only for browser responsiveness but because it lowers the risk of being compromised.
Where you say “Reformatting erases the entire hard disk of everything” – true, if doing a Full Format. Often “Quick Format” is checked, erasing only the File Table. The data remains, and can be recovered by malware.
This is very true, in theory. But I have yet to hear of malware that examines hard disk free space. Normally full format (or free space wiping) is more about maintaining privacy than it is about dealing with malware.
I agree Leo.
One issue with re-installs: sometimes you can’t. I tried to do a bare metal reinstall of my Windows 7 laptop, including the Adobe Acrobat full version that previously worked fine with Windows 7. (This was before Windows 7 reached end-of-life.) However, the validation server for that version of Acrobat was no longer in operation and, even though I had properly registered the software with Adobe when I bought it, I could reinstall it but not activate it.
Check out on the Adobe website for their support page. If you’ve paid for the license, there must be a way to get human support. I once did that with Microsoft when I changed my HDD and Windows was invalidated. They manually activated it for me.
When setting up our new computer we took an early (Macrium) system image and again when everything was installed, but not used, as you have recommended previously.
Could this second image be used in this instance instead of reinstalling everything from scratch?
Yup. Perfect use for it.
Yes, but do a system image backup of your computer before restoring so you don’t lose any data.
I haven’t had a lot of experience with malware other than a few PUPs that affected my browser non-seriously. In 40 years of PC use, I’ve only had 2 real malware infections. Both times, I restored from an earlier backup and everything was running well in an hour or two.
I can’t stress enough the necessity to back up. It is a silver bullet against malware and other disk failures. Obviously, prevention has played a great part as 2 infections in 40 years is probably not bad.