
How Do I Remove Malware?

One question that shows up almost every day in the Ask Leo! inbox is how to remove malware.

Every day.

The scenarios differ, but the problem is the same: a machine has been infected with spyware, a virus, or some other form of malware, and that machine’s owner is having a tough time getting rid of it.

And often there is anti-malware software installed that “should” have taken care of it before it got to this stage.

Hopefully, that’ll never be you. If it is, let’s review the steps I recommend for removing malware and reducing the chances it’ll happen again.


A word about prevention

If there’s only one thing I would have you take away from this article, it would be this:

Prevention is much less painful than the cure.

As we’ll see in a moment, the steps to remove malware can be painful and time-consuming. While it might seem like work, knowing how to stay safe on the internet is much, much easier in comparison.

So, let’s look at what to do when prevention has failed.

Back up

My strong recommendation is that you start by taking a complete image backup of your system.

Why would you want to back up a system you know is infected with malware?

A backup taken now is an “it-can’t-get-any-worse-than-this” fallback. Some of the techniques we use to remove malware run the risk of breaking things and making the situation worse. With this backup at the ready, you can always restore and start over with nothing lost.

Restore a prior backup

If you’ve been taking regular backups, this is often the most expedient step, and can save a lot of time and energy.

Simply restore your machine completely from the most recent full system backup, plus any incremental backups (often handled transparently by your backup software) taken before the infection occurred.

And, except for learning from the experience, you’re done.

Unfortunately, most people don’t have this option available to them. Most people don’t begin backing up until after they’ve experienced data loss or a severe malware infection. One of the lessons they learn is that a recent backup can save them from almost any problem — including malware.

Update your anti-malware database

If you have anti-malware software installed, make sure it’s up-to-date. This includes more than just the software itself: the database of malware definitions must also be current.

Almost all anti-malware tools use databases of malware definitions, which change daily, if not more often. As a result, they must be updated regularly.

Many programs do this automatically, but if for some reason yours does not, it will not “know” about the most recent forms of malware. Make sure the definitions database is up-to-date before you scan.

Perform a full scan

Quite often, anti-malware tools regularly perform a “quick” or fast scan. That’s typically quite sufficient for day-to-day operations.

But not today.

Fire up your anti-malware tools and run a full/advanced/complete scan of your entire system drive (typically the C: drive). If you have a single tool, that might be one run; if you use multiple tools, such as separate anti-virus and anti-spyware tools, then run a full scan with each. This may take some time, but let the tools do their job.

This also applies if your anti-malware automated scans have stopped working for some reason (that reason often being malware). If this full scan discovers something, it might be worth checking to make sure the security software is properly configured to scan automatically as well.

Try another anti-malware tool

No anti-malware tool catches all malware.

I’ll say it again: there is no single tool that will catch every single piece of malware out there. None. Some catch more than others, but none of them catch everything.

So trying additional reputable tools is a reasonable approach.

I recommend the free version of Malwarebytes’ Anti-Malware as the first tool to use. It has a reputation for removing some nasties other tools apparently miss. Once again, run a full scan.

Regardless of which tool you select, I have to stress: stick with reputable tools. When a machine is infected, most people tend to panic and download just about anything and everything that claims to be an anti-malware tool. Don’t do that. There are many less-than-reputable individuals out there ready to take advantage of your panic.

Do some research before downloading anything, or you may just make the problem worse instead of better.

Research specific removal instructions

If your anti-malware software tells you the name of the specific malware you’re dealing with, that’s good information, even if it can’t remove it.

Search for that malware, and you’re likely to find specific removal instructions at one or more of the major anti-malware vendor sites. These instructions can be somewhat technical and intimidating, so take your time to follow them precisely, or get a techie friend to help.

The instructions often come with recommendations that the vendor’s software will remove the malware — for a price. As long as it’s an option (in other words, the manual removal instructions are provided), then it may be a viable alternative, if the company is one you trust. On the other hand, if all you’re presented with is a promise and a price, I’d move on.

Some sites offer free tools you can download to remove specific malware. Once again, use caution. When the tools are from reputable sources, they’re a quick way to avoid some hassle. When the tools are really just more malware in disguise, they’ll only make your problems worse.

If you download anything to help address the problem, make sure that wherever it comes from, it’s an organization you know and trust.

Surrender

This is the only sure-fire way to remove any virus. 100%. Guaranteed.

In fact, it’s the only way to know you’ve removed a virus. Once infected, none of the steps above, aside from restoring from a backup taken before the infection, are guaranteed to remove the malware, even if they report your machine is clean. Once infected, all bets are off. An infection can fool anti-malware software into thinking that everything is fine even when it’s not.

There’s just no way to know.

The only way to be absolutely positive you’ve removed any and all viruses is:

  • Back up. If you haven’t already, back up the entire system. You’ll use this to restore your data after we’re done.
  • Reformat. Reformatting erases the entire hard disk of everything: the operating system, your programs, your data, and most important of all, any and all viruses and malware. This may be part of the next step, as most Windows set-up programs offer to reformat the target hard drive before installing Windows.
  • Reinstall. Yes, reinstall everything from scratch. Reinstall the operating system from your original installation media. (Or restore the system to an image backup you took when you got the machine, which preserved the “factory original” state.) Reinstall applications from their original media or saved downloads.
  • Update. Update everything. In particular, make sure to bring Windows as completely up-to-date as possible for the most current protections against all known and patched vulnerabilities. Applications, particularly your anti-malware tools, should be updated as well.
  • Restore. Restore your data by carefully copying it from the backups you created when we started. By “carefully,” I mean take care to only copy the data you need, so as not to copy back the malware — don’t copy programs, downloads, or other potential sources of infection.
  • Learn. Take stock of how this happened, what you might have done to get infected in the first place, and what might have helped you recover more efficiently. Institute a frequent system backup.
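One way to mechanize the “carefully” in the Restore step, as an added example that is not the article’s own code: a selective copy that brings back only allow-listed data types, refuses executables and scripts (including double extensions like photo.jpg.exe), skips download and system folders, and records what it refused and why. The extension lists, folder names, and the sample backup tree are constructed assumptions; adjust them to your own data layout.

```python
"""Selective restore: copy only data files back from a backup tree.

Added example, not code from the Ask Leo! article. The allow-list,
skip-list and sample tree below are assumptions for illustration.
"""
import os
import shutil
import tempfile
from dataclasses import dataclass, field

# Data types we are willing to copy back. Anything not listed is skipped.
DATA_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".jpeg", ".png", ".csv"}

# Executable and script types that must never come back from a backup,
# checked on every extension of the name so "photo.jpg.exe" is caught too.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                         ".ps1", ".vbs", ".js", ".jar", ".msi", ".lnk"}

# Folders that are potential sources of infection regardless of file type.
SKIP_FOLDERS = {"downloads", "program files", "program files (x86)",
                "windows", "appdata", "temp"}


@dataclass
class RestorePlan:
    copy: list = field(default_factory=list)      # (src, dst) pairs
    skipped: list = field(default_factory=list)   # (relative path, reason) pairs


def classify(rel_path):
    """Return None if the file may be copied, else the reason to skip it."""
    parts = rel_path.replace("\\", "/").split("/")
    for folder in parts[:-1]:
        if folder.lower() in SKIP_FOLDERS:
            return f"inside skipped folder '{folder}'"
    name = parts[-1]
    # Collect every extension: "report.pdf.exe" -> [".pdf", ".exe"]
    exts = ["." + p.lower() for p in name.split(".")[1:]]
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return "executable or script type"
    if not exts or exts[-1] not in DATA_EXTENSIONS:
        return "not an allow-listed data type"
    return None


def plan_restore(backup_root, target_root):
    """Walk the backup and decide, file by file, what to copy back."""
    plan = RestorePlan()
    for dirpath, _, filenames in os.walk(backup_root):
        for fn in filenames:
            src = os.path.join(dirpath, fn)
            rel = os.path.relpath(src, backup_root)
            reason = classify(rel)
            if reason:
                plan.skipped.append((rel.replace("\\", "/"), reason))
            else:
                plan.copy.append((src, os.path.join(target_root, rel)))
    return plan


def run_restore(plan):
    """Copy the approved files, creating folders as needed; return the count."""
    for src, dst in plan.copy:
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
    return len(plan.copy)


def demo():
    """Build a constructed backup tree, restore it into a fresh folder, clean up."""
    root = tempfile.mkdtemp()
    backup = os.path.join(root, "backup")
    target = os.path.join(root, "restored")
    samples = {                                  # constructed sample backup
        "Documents/taxes.pdf": b"%PDF-1.4 sample",
        "Pictures/holiday.jpg": b"\xff\xd8\xff sample",
        "Pictures/holiday.jpg.exe": b"MZ not a photo",
        "Downloads/setup.exe": b"MZ installer",
        "Downloads/notes.txt": b"from an untrusted download",
        "Documents/macro.docx": b"PK sample",
        "Documents/run.vbs": b"WScript.Echo 1",
    }
    for rel, data in samples.items():
        path = os.path.join(backup, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    plan = plan_restore(backup, target)
    copied = run_restore(plan)
    restored = sorted(os.path.relpath(os.path.join(d, f), target).replace("\\", "/")
                      for d, _, fs in os.walk(target) for f in fs)
    shutil.rmtree(root)
    return copied, restored, sorted(plan.skipped)


if __name__ == "__main__":
    n, files, skipped = demo()
    print(f"copied {n} files: {files}")
    for rel, why in skipped:
        print(f"skipped {rel}: {why}")
```

The skipped list is the part worth reading afterwards: anything refused that you genuinely need can be reviewed by hand instead of copied back blindly.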

It’s not your fault, but it is your responsibility

By now, I hope you can see why prevention is so much less painful than the cure.

Taking a few extra steps to keep things up to date, avoiding those cute virus-laden downloads and attachments, and just generally learning how to stay safe is much easier than the recovery process I just outlined.

And having backups can make the recovery process as close to painless as possible if you do get infected.

Yes, it’s not your fault. But it is your responsibility to learn the basics about staying safe when you use your computer.

In an ideal world, we’d never have to worry about malware or “bad guys” trying to fool us into doing things we really shouldn’t. But you already know this isn’t an ideal world; software isn’t perfect and never will be. There will always be someone out to scam the vulnerable.

Even though it’s not your fault, you still need to be the one to get educated and take the steps needed to stay safe.

Right or wrong, it’s just a practical reality.


102 comments on “How Do I Remove Malware?”

  1. The free version of Malwarebytes is very good – I’ve never used the paid-for version and have successfully cleared all sorts of problems for clients.

  2. The reformat has one tricky part — If the virus gets into the boot sector, a quick format usually won’t dislodge it.

    For that, you have to zero out the drive — using DBAN or something similar.

  3. Malwarebytes is in fact free, and a GREAT removal program. The only extras you get from the paid version are real-time protection and automatic updates. But with the free version, you can just easily hit the Update button to get all the definitions, and use the On-Demand scans.

    -Mike

  4. I had a very bad piece of spyware/malware on my computer and went to Microsoft security update and downloaded the OneCare software online. Yep! This did the trick. It killed it. Thank you, Microsoft.

  5. The only way to truly get rid of a virus is to fully reformat the machine. I keep all my data on an external drive, and anything that I download is on my main drive first. That way, my data is never affected. Backup of course anyway though.

  6. My external hard drive; can it be infected too? Will moving material back and forth re-infect the re-programmed computer?
    It is possible, yes. Some malware can, and does, spread through external and portable drives.

    Leo
    18-Nov-2009

  7. The only way to remove a virus fully is to format your hard drive.

    I do believe the article you commented on said something almost exactly like that.

    Leo
    13-Jan-2010

  8. First, I would run my anti-virus program, then choose “check for updates” to make sure that it is, then choose “complete system scan” or “full system scan” to see if it finds anything. Then try an adware scanner. Ad-Aware has a pretty good one you can use manually for free. You do have to buy it if you want continuous automatic protection.

  9. Reformatting and reinstalling often works out quicker in the long run and gives a very satisfying feeling of victory..
    The only weakness is any reinstalling data ..only do this for critical stuff otherwise you have a higher risk of reinfection.
    Jp

  10. I have a virus that won’t allow me to do anything on the computer anymore, once it is up and running. How do I get to the point of reformatting and reinstalling. Don’t I need a boot disk or something?

    • You were required to make your Restore disks, as soon as you turned on the PC for the first time. That means it may be too late. Some manufacturers may sell the disks for $20. I never bought them from HP, but it can’t hurt to try. You may have a recovery partition. Windows 10 erased mine, so all I have is refresh to OS and a new set of Recovery DVD’s.

  11. Good article Leo, very informative. From this article can you please tell me in more detail the steps I need to take from “The only way to be absolutely positive that you’ve removed any and all viruses is: backing up the computer down to restoring the data.” I need a step by step explanation about how to do that. cheers.

  12. A few months ago I got an Antivirus Program pop-up and it took over my computer completely. Every single program I clicked on said it had a trojan. It recommended that I purchase their antivirus program to remove the virus (they installed!). They even sent an official-looking Microsoft screen that recommended I buy their program. After 5 hours of trial, error and tears, the easy solution was to reboot in Safe Mode and then choose “no” at one point so I could go to System Restore while in Safe Mode. I then selected the first date and time (yesterday) when I didn’t have this infection to restore my computer to. I let the computer do its restoration and it automatically rebooted, and my computer was clean and working perfectly again. SAFE – EASY – EFFECTIVE SOLUTION! It’s been fine for months now. I hope this helps others.

  13. Forgot situations where you get your BIOS flashed. :) There are viruses that infect the BIOS too. :) You can’t reformat the drive for those.

  14. The guy in the computer shop said BIOS virus infections are very rare because not many folk use floppy disks anymore. This is where most of them used to be introduced many years ago, as I recall.

    Jp

  15. I am an XP user, but recently I was affected by a virus. I already have Avira and it’s already updated, but it can’t do anything. What it did in my PC is this: I am working but suddenly everything closes and I don’t get time to save, and when I open Task Manager I see JIBANU.exe. What can I do?

  16. When viri disable the Task Manager and don’t allow using RegEdit, I have often had success using a third party registry editor. However, occasionally, a virus may monitor the Registry value and set it right back to disable the T M right after you change it.

  17. Leo,

    You say:

    “The only way to be absolutely positive that you’ve removed any and all viruses is:
    * Backup […]
    * Reformat […]
    * Reinstall everything, from scratch […]
    * Update everything […]“

    Fine … … were it not for the following:


    * Restore your data by carefully copying it back from the backups you created. By “carefully” I mean taking care to only copy what you need, so as not to copy back the virus.“

    This is the catch.

    For how could one possibly “only copy what you need, so as not to copy back the virus” ???!!!

    Malware could lurk inside a data file that appears legitimate. How do I know that it is not hiding inside any one among hundreds of those nice photo images that I had downloaded over the web long time ago? … …

    Johan

    A good point. Malware tends to infect executable files much more frequently than data files. (Infected photos are rare – possible, but rare.) Ultimately, though, the best way to deal with malware is to not get infected in the first place.

    Leo
    31-Dec-2010

  18. Also using Linux, a live cd, ClamAv. Am visually impaired, and one of my brothers machines has the FBI ransomware malware on it and honestly, who knows what else, so safe mode isn’t an option. So, Linux to the rescue 🙂 Most likely, Ubuntu, or GRML since I know the screen reader is built in. That’s another way of removing.

  19. After a major collapse of my system caused by an electrical storm I have had to re-install 3 times from my LEGAL Windows XP CD. The first time I realised that the disc had been corrupted even though it was the first time since new (over 6 years ago) that it had been used. On that occasion I was able to download SP3 quite simply and not in ISO form – don’t ask me how but I am sure it was from MS. However, the first re-install was hopeless and it has taken two more re-installs to get an almost perfect situation with just the odd cursor freeze, shutdown failure and one or two different BIOS booting requirements – it seems to change its mind whether it wants F8, enable boot login, etc., etc. Still, that is a small price to pay for hours and hours without stalling or shutting down.

    The main problem is that it is impossible to get Windows Automatic Updates from a 2000 System with only SP2 installed. Also, MS now will only download SP3 by ISO. Every form of WinRAR, etc., all require a more updated Windows before helping me. I was able to burn the SP3 via Nero to a disc but, because of Windows’ intransigence, it cannot be read to my hard drive yet.

    I am shown as receiving Windows Updates according to my settings but nothing arrives at 3am. Their literature states that SP3 will be received by me automatically – SOME CHANCE !! The only Windows update I have received crashed my computer the moment I reached the Welcome screen.

    I have seen many people complaining that they cannot get Windows to install after a re-install – please someone tell me what is going on. I am pretty certain that I do not have a virus or trojan aboard.

  20. Since becoming a convertee to Sandboxie, I & friends have not had malware infections.

    I often browse the web in an unsafe manner and open all email attachments without fear.
    Providing data is NOT saved outside the protective Sandbox, your computer will be protected. Look up YouTube vids for more info and initial settings, which can sometimes be tricky for the newbie. Sandboxie is free but a 5 second nag screen will appear after 1 month – no big deal though, just click and it goes away.
    http://www.sandboxie.com/

  21. I use Malware Bytes (paid version). But I boot to the “C” prompt when Windows does not solve the problem. I go into the directory and run Malware Bytes from there. You can also run CCleaner, AVG, and the majority of Anti Virus programs from the “C” prompt, but you have to go into that directory to run the executable file.

  22. CAN SOMEONE PLEASE TELL ME WHY MY COMPUTER CRASHES ALL THE TIME? I CLEAN MY SYSTEM ON A REGULAR BASIS. I HAVE ALSO LOST SOME START-UP TONES, MY BACKGROUND TO MY DESKTOP IS FOR HIGH CONTRAST (blk. background) AND I CAN’T BRING IT BACK TO ORIGINAL, SO I CAN PUT MY OWN CHOICES OF DESKTOP ART ON MY SCREEN. YOU MIGHT HAVE FIGURED I’M COMPUTER ILLITERATE. I APPRECIATE ANY HELP OR TIPS YOU CAN GIVE ME. THANX

  23. I use and frequently update the free versions of Avast, Malwarebytes, and CCcleaner, and they seem to keep me in pretty good running order. Each month, just before I pay bills (i.e., go into just about all of the sites that deal with my financial info), I update and run a FULL scan with each of them. Given that the full scans take so much time, I run them at the same time, which they obviously allow me to do. Am I diminishing their effectiveness by failing to run each one individually? And if they should be run individually, is there a recommended order? Thanks for all the great info!

    • Running more than one disk-intensive operation like that can cause the two programs to constantly swap disk usage and cause them to run slower than if they were run sequentially.

  24. I have the free AVG trial. Would I have better luck by just buying a spyware CD from Best Buy for 50 bucks, and installing it immediately after a full system restore?

  25. My laptop just dies at least once a day with the power plugged in. Then it takes me several tries to reset it by unplugging the power, removing the battery and holding the power button in for 10 seconds with the battery out, as per instructions. This is very annoying. any suggestions?

    • This feels like a problem with the battery itself, or the power circuitry in the laptop. I’d probably see about getting it diagnosed and possibly repaired by a technician.

  26. Is it normal for windows to “freeze you out” every morning around 4 am while “windows installs updates”? This process takes anywhere from 1 to 2 hours to do.
    The screen always says “don’t turn off your computer”. Is it actually uploading viruses?

  27. Every time I open up Google the bar at the very top of the page completely fills up with about five or six different search engines, and they’re all spinning. Even if I go to tools to remove them, they still come back the next time. I just ran the recovery disks two days ago. What did I do wrong? And why does every type of software available over the Internet seem to be connected to some kind of scam or virus?

    I downloaded Microsoft security essentials, Google, and OpenOffice, and that’s it.

    Also, my machine was locked up for three hours with this thing they call loading updates, “configuring service pack do not shut off your computer”

    Three straight hours of that, until finally I pulled the battery out of the back reset it and turned it back on again only to get another half an hour of this same thing?

    Any ideas at all, from anybody?

    • The only thing that strikes me as odd in your comment is that you downloaded “google”. Google isn’t something you download, it’s a web site you visit (unless you downloaded a specific Google product, in which case the name of the product would make more sense).

      Updates can take a while, yes.

      But it definitely sounds like there is malware on your machine – either it’s not getting cleaned off properly, or it’s coming back due to something else that’s happening.

  28. I have fileparade bundle in my programs and don’t know how it got there. I want to uninstall it but it gives me a choice what to remove, Web Launcher, Adobe Flash Player 13 Active X, and Adobe Flash Player Plug In. Do I remove all ?

  29. Leo, thanks for the article :). I’ve been affected by malicious intrusions 2-3 times over the years. I’ve used cloning system restoration methods to recover from the intrusions.

    The last time I was affected by a malware intrusion, I removed my original HDD, and installed my cloned HDD. I was running as normal within minutes.

    Then I booted up on a Linux-based boot CD, such as “Gparted” or something similar, to delete the partitions on the infected HDD.

    Then I booted up on one of my cloning/imaging tool CD’s and cloned back to my previously-infected HDD from my replacement HDD. Then I reinstalled my newly-cloned (my original HDD), and continued running my PC as normal.

    I clone my PC periodically, usually once every 2 weeks, so that I’ll have a spare HDD on the shelf to recover from malware and as protection against HDD failure.

    I also Image my HDD occasionally (full-HDD images) to an external storage HDD. The external HDD is connected to my PC only during Image processing. I keep it disconnected to isolate it as a protection against encryption ransomware, such as “Cryptolocker”.

    I prefer Cloning and full-HDD Imaging as malicious-content recovery methods since that eliminates the time required to scan and attempts to clean the infected HDD.

    For those with Desktop PC towers, if you have any expansion bays available, I’d recommend installing Sata Hot-Swap racks. They are great accessories that allow one to remove and install HDD’s in seconds without accessing the internal PC tower area.

    • Cloning is just a different style of image backup – somewhat more cumbersome in my opinion, but absolutely workable. And yes, restoring from a backup image (or clone) from before the infection happened is absolutely the best way to ensure you’re rid of it.

  30. All this talk about Back up and Restore. Yes, it is so important.
    However since I have owned my first computer with Windows 3.1, no back up ever – I repeat EVER worked after a serious computer crash.
    Regardless of software used.
    Nobody seem to post the article with real help for such emergency.
    All articles here take for granted that your OS starts up OK.
    Of course it must do that to run Restore or File back up, as the Windows has to be operational to access your Restore points and drives the back up is stored on.
    So just happened that for no apparent reason my computer could not be re-started, wakened at all – Just black screen, no mouse pointer, no keyboard.
    I am fairly new to following your articles, so not sure if this is the kind of crash that you have not addressed before.
    But not new to serious computer crashes.
    No Windows running (any and all versions especially Windows 8 and 8.1- crappiest and most unstable op system to date.)
    Also my 2 Boot USB flash drives created by Backup software, and Windows specifically for this emergency, would not work.
    They were tested after creation and booted 2 computers just fine.
    Small detail: The computers were working just fine at the time, just the Boot drive was switched in BIOS from HD to USB.
    Please devote an article or two in depth to address this real problem, or send me a link where is the one I have missed.
    Another problem with many “help” articles is that they refer the victim to get/find help/solution online!!
    DUH – if your computer is dead – you do NOT have online. You are OFF line until your OS works.
    Mail the computer ASUS to factory for reinstalling the Windows 8 was the only option at the time.
    Also with this type of crash you have NO access to Cloud backup – you are completely and utterly isolated from the world you know.
    Thanks for taking time to read this, and I hope that you will post it.
    Best regards
    Tony H

    • Not really. Good backup software lets you download an iso file to create a bootable rescue disk or USB stick. This contains a copy of a program which can restore from your backup. When your disk is damaged, just boot from the CD and run the restore program.

    • “Of course it must do that to run Restore or File back up, as the Windows has to be operational to access your Restore points and drives the back up is stored on.”

      This is flat out WRONG. Two things:

      • Restore Points are not a system backup. They’re handy when they work, but in my experience they cannot be relied on. Please see https://askleo.com/why_i_dont_like_system_restore/
      • Good backup software like Macrium Reflect will allow you to create a bootable disk. You then boot from THAT disk and restore your entire system using a system image that was taken earlier. A system image taken by this type of software is the type of backup I’m constantly referring to. And there are several articles on Ask Leo! that show you exactly how to do this.

  31. I have an old XP desktop PC that I am trying to cleanup, so I can donate it. I want to uninstall all the applications, delete files, reformat and then reinstall Windows XP from the original CDs.

    I got to the point of formatting but got stopped there. When I go to the DOS prompt, it first asks for parameters for the “Format” command. I wasn’t sure about the parameters, so I just tried a few different ones. Every time, I get an error message that tells me the “volume is locked” and the command terminates.

    Can someone enlighten me on how to format the hard drive, before I have to resort to physical destruction on my drill press?

    • That’s correct – the fact that Windows is running FROM the drive means that it’s “in use” and cannot be formatted.

      Boot from the installation media for Windows – part of the install process will include the ability to reformat the drive.

  32. Don’t install the applications from saved downloads!!! These could be infected too (this is what got my PC down for the second time; I reinstalled an old download).

  33. Can my recovery partition (D:) that comes installed on my laptop become infected with malware or a virus if the (C:) drive is infected?
    My laptop came with the hard drive partitioned with (C:) being the operating system and (D:) the Recovery. My question is, if the (C:) gets malware or a virus, can that get into the Recovery Partition? Would it be safer to Restore the laptop using the Recovery Disks than the recovery partition?

    • It is possible, yes. That’s one reason that I encourage backups to include the recovery partition, even though it’s not something you use day to day.

  34. I am running Windows 8.1 Pro on a HP Envy Phoenix desktop computer with just one administrator account. Suppose I add a second administrator account. Suppose I install a second copy of MalWare Bytes on my second administrator account. If my computer gets infected with ransomware on my first administrator account. Do you think I could remove and defeat the ransomware by using MalWare Bytes on my second administrator account? If you believe the answer might be yes, could you please give us a tutorial? Thanks For Reading This!

    • Of course I don’t know exactly what Leo will answer. But I do know that once a hacker gains control of your computer they can do whatever they want. So this just doesn’t sound like it will work. A better approach would be to have a full image backup. Revert to that image and you are back in business. As Leo says, avoiding malware is a great idea as well.

    • Different administrator accounts are not isolated from each other. Any administrator account has full access to all files and folders on the machine, including other Administrator accounts, so this technique you mentioned would not work. Ransomware is a form of malware which encrypts your data and can’t be removed or repaired by any AV program.

      Anyway, it’s not really possible to install an additional installation of Malwarebytes without some hacking, as programs are installed in the same Programs folder for all users. You may be confusing the message you get with some program installations which asks if it should install for all users or just the current user. That only tells it whether to place a shortcut in the Start Menu for all users or just the current user, and in some cases places some information in the appropriate Registry location. As Connie said, backups are your best protection. A daily incremental backup will allow you to revert your system to a state before the malware hit. You might also want to use something like Dropbox to have a backup of your data between the time of the last backup and the time you restore from the backup.

  35. Malwarebytes is the best of the best! If you don’t have it, you definitely want to get it. The site is secure and it’s the real deal. It’s saved me from 16 PUP’S so far. 🙂

  36. Leo, I have learned a lot of useful tips from you. I think you’re a genius! Thank you! I’d also like to thank you for being one of the rare KIND Computer Techs in the world. I come across so many snarky, know-it-all, think-users-are-just-natural-born-blooming-idiots-who-are-wasting-THEIR-time techs, I was beginning to think it was a conspiracy. There are a couple of techs at Opera who can both best be described as The Devil in disguise. Thanks for all your patience, all your knowledge and just for being YOU! Whoever says nice guys finish last must be the king of the scumbags. God Bless you! Peace. 🙂

  37. “Prevention is much less painful than the cure.” – Not only less painful, but much more important too. In fact, the rise of financially-motivated malware means that the cure may not really be a cure at all. Sure, you can remove malware – but by the time you do, it may have encrypted your data or stolen your online banking credentials and emptied your accounts.

  38. I would like to add a comment: even though MOST malware can indeed be removed by a deep format of the full system disk, including the boot record, certain malware will reside in the firmware. If that’s the case, it will be extremely difficult to get rid of, and moreover there might be a doubt about the cleanup (if several firmware containers are simultaneously infected, you don’t know in what order to reflash them, if you can even reflash them). This is then the moment to sell your hardware second hand on e-bay and buy new material 🙂

    • In the case of firmware infection, you should absolutely not sell that to ANYONE! If you sell it, you only contribute to spreading the firmware malware around, and it may come back to you in the long run.
      Do something to fry the hardware, like rubbing wires connected to the sector across the motherboard, then send it to some recycling facility.

        • This can be harder to do than you might think. Suppose that your computer has, say, 3 built-in USB devices (like the webcam), and suppose that two of them have been infected by a USB-propagating firmware worm because they are on the list of devices the worm can handle.
          Now, in the very hypothetical case that you can get hold of a flashing program that can reset the original firmware on one of them, by the time you are going to try to flash the second one, this second one has re-infected the first, reflashed device. And you cannot read back the firmware to check.
          You would actually need to disconnect the internal USB devices except for one at a time, but hardware-wise, this is not always possible.
          But the worst part is that you can never check whether you have the right firmware or not, as most firmware cannot be read out. If you can get a checksum, that would be OK, but very often, you can’t.

    • I’ll add too that people really don’t need to be concerned about this type of malware: it’s super-specialized stuff that’s used by cyberespionage groups – and governments too, I’m sure – in very targeted attacks. In other words, it’s not something that Fred Bloggs or Joe Sixpack is going to encounter. Or, at least, they’re not going to encounter it today. As for what the future holds – your guess is as good as mine!

      • I think that the BIOS / UEFI firmware is too tricky to infect. However, hard disk drive firmware, and USB things firmware are the future for malware in my opinion.

        Look at things like this:
        http://null-byte.wonderhowto.com/how-to/make-your-own-bad-usb-0165419/

        Ok, this is not yet “infecting the firmware of a USB component of a computer”, but you’re not very far, and it is in fact quite easily done. Find the same trick for a popular hard disk, spread it with a USB key’s firmware, and mass infection is not far away.

        I don’t want to panic people, but firmware infection is, in my opinion, where malware (serious malware, that is) will go, and there’s, for the moment, not much that can be done about it. That last point is the reason for my belief in the success of firmware malware: we’re not prepared for this, and there’s no easy solution for the installed base of hardware the day we see that it is going to become a problem. Software can be easily changed. Firmware *protection* on a system that wasn’t designed with that in mind is almost impossible, and most firmware cannot be checked (most devices allow you to flash firmware, but not to read it out).

        • “I don’t want to panic people, but firmware infection is, in my opinion, where malware (serious malware that is) will go.” – Actually, I suspect such malware will remain niche/specialized. Long gone are the days of mischief-causing script kiddies. Nowadays, it’s all about the bucks. And, from a financial perspective, it makes more sense to target OSes rather than specific hardware/firmware configurations.

    • While this is possible it remains very rare. I don’t want frustrated or panicked people to jump to this conclusion. 99.99% of all malware will be removed by a reformat.

  39. Leo mentioned backups. He continually mentions backups. He was the one that convinced me to take regular backups long before I joined team Leo. The last time I was hit with malware, I didn’t need to bother looking for a solution. I backed up my Documents folder, ran a restore to the previous night’s backup, went shopping and when I returned, everything was back to normal. I might have repaired the virus in 5 minutes or 5 hours, but restoring from backup was painless and sure. So I’ll mention backups again. Just do it. It’s the best protection against malware and so many other problems.
    https://askleo.com/how_do_i_backup_my_computer/

    • “I might have repaired the virus in 5 minutes or 5 hours, but restoring from backup was painless and sure.” – Indeed. Additionally, you really don’t want to take any chances with today’s data-encrypting, password-stealing, bank account-emptying financially motivated malware. Your antivirus program may be able to clean up an infection completely, or it may not. You really have no way of knowing. The absolute best option is to nuke and reimage.

  40. Suppose that I found that I had malware doing its “thing” on my PC.
    (I perform daily incremental images using Macrium.)
    I would restore to the incremental before the infection.
    But, if the attack was scheduled for a future time from the time it was placed on the PC, how do I know which incremental to restore?

    The question becomes: Is there any way to know when the malware was initially downloaded and/or when it was activated?
    I’d hate to have to try a full month’s worth of incrementals, one at a time.
    Maybe that’s the only way?

    Your articles are always full of great tips and info, thanks, Leo

    • “But, if the attack was scheduled for a future time from the time it was placed on the PC, How to know which incremental to restore?” – The question should really be: how can you tell how long your PC has been infected so that you know which backups can safely be restored? The answer, unfortunately, is that you can’t – at least, not with any certainty. Consequently, in the case of a system being seriously compromised – and by “seriously”, I mean hit by something nastier than an unwanted toolbar or tracking cookies – I wouldn’t use an image to restore. Instead, I’d back up my files, reinstall via the manufacturer’s recovery partition or via the Refresh Your PC option (Windows 8/10), reload my programs and then restore my files from the backup. It’s certainly not as speedy as restoring from an image, but it’s the only way to know your PC is clean.

        • Indeed. And prevention has also become increasingly important. In the past, the majority of malware simply represented a nuisance for home users – it’d redirect homepages, insert a quote from The Simpsons into Word documents, etc. These days, however, it’ll steal their banking credentials or encrypt their data and hold it to ransom. In other words, the consequences of an infection can be much, much worse than in the past.

    • There’s no simple answer to this, as malware is always changing its techniques and ways. I would work backwards, carefully, using the latest updates to my security software to scan for malware at each step.

      • The problem with this is that your security software didn’t detect the malware during the initial install – perhaps because it was concealed by a rootkit – and so may not detect it if an infected image is restored. Additionally, you have no way of knowing whether the malware was installed by – or has since itself installed – other malware and whether that other malware may also be masked by a rootkit. If you’re going to go this route, you should at least scan with tools other than the ones which failed to prevent the system being compromised.

        However, in the case of seriously compromised systems, the best advice is, as I said, to restore using the manufacturer’s recovery partition or Refresh option rather than an image. It’s less convenient, but it’s the only way to be 100% sure that your system is clean.

        • Unless, of course, the malware damaged your recovery partition (not unlikely). It’s best to take a system image backup now when you know your machine is virus free, and then take regular system backups. As long as you have a system image backup of a working virus-free system, you’re OK.

          • “Unless, of course, the malware damaged your recovery partition (not unlikely).” – Actually, it is unlikely. Extremely unlikely. While it’s technically possible, I’ve never once encountered malware that has been designed to infect recovery partitions. In fact, as far as I know, such stuff simply does not exist.

          • “It’s best to take a system image backup now when you know your machine is virus free.” – The thing is, you don’t know that it *is* malware-free. And if you do discover that your machine has been compromised, you have no way of knowing when it became compromised. It could have occurred in the last hour, the last month, the last 6 months, or…..

            Let’s say, for example, that your AV pops up a warning that your system is infected with the credential-stealing Gameover bot AKA Zeus P2P. The fact that it’s only now being detected doesn’t necessarily mean that your system has just been compromised. It could have been compromised for months. Gameover could be being detected now because you’ve just rebooted for the first time in a year. Or it could be being detected because it’s just been updated via the backdoor it created to the GOZ botnet. Or it could be being detected because your AV’s signatures or heuristic engine have just been updated to detect the kernel-mode rootkit that’s used to conceal Gamebot’s processes. Or maybe it has just been installed, but its downloader has been on your system for months – possibly downloading other malware that’s going undetected on your system.

            As I said, in cases of serious infection, the safest option is to assume that your computer has been infected all along and to restore from the recovery partition rather than your own image backup.

          • I was actually aware that it’s possible the machine may be infected, but the vast majority of people reading this are not infected and should start backing up NOW. I thought about mentioning what you said, but I didn’t want to provoke any computer hypochondria :). If anyone is already infected it’s too late anyway.
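The concern raised in comment 40 and its replies, that the image taken just before the antivirus alert may still carry the dormant downloader that arrived weeks earlier, can at least be narrowed down mechanically when you hold a series of image backups. What follows is an added example, not code from Ask Leo!, Macrium or any commenter: it assumes you have already mounted each image read-only and hashed its files (the snapshot contents, hash values and list of auto-start locations below are constructed for illustration), then walks the snapshots from oldest to newest and flags the first one that contains a known-bad hash or a new entry in an auto-start location, picking the image before it as the restore candidate.

```python
"""Walk image backups oldest-to-newest to find the last snapshot that shows
no indicator of compromise.  Added example with constructed data; the
Snapshot contents are stand-ins for files hashed from mounted images.
"""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Snapshot:
    label: str
    files: dict  # path -> sha256 hex digest of the file's contents


# Auto-start locations whose *new* entries deserve a second look when
# diffing consecutive images.  Assumed list for the example, not complete.
PERSISTENCE_PREFIXES = (
    "\\Start Menu\\Programs\\Startup\\",
    "C:\\Windows\\System32\\Tasks\\",
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
)


def is_persistence_path(path: str) -> bool:
    return any(prefix.lower() in path.lower() for prefix in PERSISTENCE_PREFIXES)


def known_bad_hits(snap: Snapshot, bad_hashes: set) -> list:
    """Paths in this snapshot whose hash is on the known-bad list."""
    return sorted(p for p, h in snap.files.items() if h in bad_hashes)


def new_persistence(prev: Snapshot, cur: Snapshot) -> list:
    """Auto-start entries present in cur that did not exist in prev."""
    return sorted(p for p in cur.files
                  if is_persistence_path(p) and p not in prev.files)


def first_suspicious_index(snapshots: list, bad_hashes: set):
    """Index of the oldest snapshot showing any indicator, or None.

    Snapshots must be ordered oldest to newest.  The oldest one is only
    checked against the hash list: with nothing before it there is no
    baseline to diff persistence entries against.
    """
    for i, snap in enumerate(snapshots):
        if known_bad_hits(snap, bad_hashes):
            return i
        if i > 0 and new_persistence(snapshots[i - 1], snap):
            return i
    return None


def last_clean_label(snapshots: list, bad_hashes: set):
    """Label of the newest snapshot taken before the first indicator.

    Returns None when even the oldest snapshot is suspect: no image can
    then be trusted and a reinstall is the only safe route.
    """
    idx = first_suspicious_index(snapshots, bad_hashes)
    if idx is None:
        return snapshots[-1].label   # nothing found: newest is fine
    if idx == 0:
        return None
    return snapshots[idx - 1].label


def naive_choice(snapshots: list, bad_hashes: set):
    """'Restore the image before the one the AV flagged' (hash list only)."""
    for i, snap in enumerate(snapshots):
        if known_bad_hits(snap, bad_hashes):
            return snapshots[i - 1].label if i > 0 else None
    return snapshots[-1].label


# Constructed sample: a downloader lands in the Startup folder on Feb 15,
# stays dormant, and only fetches the payload the AV recognises on Mar 10.
EXPLORER = sha256_hex(b"constructed explorer.exe bytes")
BUDGET = sha256_hex(b"constructed budget.xlsx bytes")
DOWNLOADER = sha256_hex(b"constructed downloader bytes")   # on no list
PAYLOAD = sha256_hex(b"constructed payload bytes")         # AV knows this

STARTUP = ("C:\\Users\\me\\AppData\\Roaming\\Microsoft\\Windows"
           "\\Start Menu\\Programs\\Startup\\updater.exe")
PAYLOAD_PATH = "C:\\Users\\me\\AppData\\Local\\Temp\\payload.exe"
BASE = {"C:\\Windows\\explorer.exe": EXPLORER,
        "C:\\Users\\me\\Documents\\budget.xlsx": BUDGET}

SNAPSHOTS = [
    Snapshot("2016-02-01 full", dict(BASE)),
    Snapshot("2016-02-15 incremental", {**BASE, STARTUP: DOWNLOADER}),
    Snapshot("2016-03-01 incremental", {**BASE, STARTUP: DOWNLOADER}),
    Snapshot("2016-03-10 incremental",
             {**BASE, STARTUP: DOWNLOADER, PAYLOAD_PATH: PAYLOAD}),
]
KNOWN_BAD = {PAYLOAD}

if __name__ == "__main__":
    print("image before the AV alert:", naive_choice(SNAPSHOTS, KNOWN_BAD))
    print("image before first indicator:", last_clean_label(SNAPSHOTS, KNOWN_BAD))
```

On the constructed data the alert-date rule picks the March 1 image, which still carries the dormant downloader, while the persistence diff walks back to the February 1 full image. This does not overturn the point made in the replies that certainty is out of reach: an implant hidden by a rootkit, one living only in the registry hive or in memory, or one that predates the oldest image leaves nothing for a file-hash diff to catch, and the oldest image has no baseline at all. A None result from last_clean_label is the signal that no image can be trusted and the recovery-partition route is the one to take.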

  41. I hate to be picky, Leo, but you wrote “start by taking a complete image backup of your system”.

    Surely it is best to do a thorough scan (I use AVG Free followed by Malwarebytes) BEFORE backing up, otherwise any malware not cleaned will be copied across to the backup as well.

    Furthermore, you shouldn’t leave your backup drive plugged in to your machine with the settings on “incremental backups”, otherwise any infections may be automatically copied across to the backup drive. Best to unplug it altogether until you want to do a backup.

    • “Surely it is best to do a thorough scan (I use AVG Free followed by Malwarebytes) BEFORE backing up.” – Not really, as image backups are not the best way to recover your OS from a malware infection. See the comments I made above. You have no way of knowing when your system became infected and, therefore, no way of knowing which backups may also be infected.

      “Furthermore, you shouldn’t leave your backup drive plugged in to your machine with the settings on “incremental backups”, otherwise any infections may be automatically copied across to the backup drive.” – Given that it’s best not to use images to recover from an infection, it makes sense to leave the drive connected so that backups do not get missed/overlooked (at least, until if/when backup-encrypting ransomware becomes commonplace – then it may make sense to disconnect backup drives).

  42. I have the Malwarebytes program and twice I have just deleted all of the non-malware PUPs. Apparently some were extensions of my browser and then the browser wouldn’t work. It was such a time-consuming thing to get it straightened out that I have been afraid to delete the PUPs. I would like to know what to look for so I could only delete the things that are not related to my browser.

    • You could try researching items Malwarebytes detects to see what other removal options may be available. For example, removing extensions from within the browser or uninstalling programs via Add/Remove may, if the option is available, be less problematic.

      As you’ve discovered, malware/PUP removal isn’t always a smooth process and can cause a variety of problems such as broken apps, loss of internet connection or even your PC not booting. Consequently, prevention really is the best option and, if you’re careful about what you install and exercise caution with email attachments, neither your antivirus program nor Malwarebytes should ever need to spring into action.

  43. Excellent advice, sir. I have tried every junky and nasty software before, but all was in vain. I thought the only solution now was to format the hard disk, but you just saved me a whole lot of trouble, time and energy, sir. Thank you.

    The malware also affected other programs previously installed. It was a one-stop solution and no hectic work involved.

    I have also followed your advice for other complaints and my computer is now just perfect. For the low specs I have, it couldn’t get any better. Thank you, sir.

  44. I would like to learn how to back-up my data, have no idea how to start and complete the whole idea, is there a place I can go to to learn how to do this? (I am not a computer smart person, it’s almost all greek to me :o) ) Thank You so much.

  45. Malwarebytes Anti-Malware gives me a pop-up “Malicious website blocked” and js.users.51.la
    What kind of malware is this, and how do I get rid of it ?

    Thanks

    • Malwarebytes will have an option to quarantine or remove the malware. Best bet is to let Malwarebytes take care of it.

  46. How do I reset Windows 10? (The device is new; it has been restored, but getting it back, I touched it, because I don’t see my administrative capabilities.)
    Now it’s a mess: graphics, programs, my local account has me, default, and other temp files. How do I restore it w/o a disk? I am so upset with this computer. Should I take it to the Geek Squad? Much money has been lost. What should I do?

    • Leo.
      February 22 1917, 12 pm. I posted a request for help over a network hacking. I have all the evidence, illustrated with digital photos, and anything needed for an answer to a crucial problem beginning on July 18 2013.
      I’m writing because I JUST SAW MY POST ABOVE IN THIS LIST. It floored me, but the problems have gotten increasingly worse. All devices, cell, computers, are compromised.
      Can you help me?
      Annette G.

      • I can’t help you with the hacking — that’s something for law enforcement or private investigators. As to resetting Windows 10 — reinstalling from an installation disk is all I can offer. It sounds like you tried that and it didn’t meet your needs, so I’m afraid I’m at a loss there as well.

  47. Leo, you’re the best. I never thought how computer illiterate I was until I read these articles.
    I have a problem so intense, I’ll have to mail it by postal mail.
    I hope you can direct me.
    Annette

    • It would be because you are either on a site that advertises porn, or because the ad software running on that site “thinks” you will respond to porn. In either case the answer is: The popup happens because someone somewhere wants you to click on it.

      • But I don’t watch porn, so why would they recommend such an ad? Is it possible to get porn ads even if you are viewing in incognito mode?

        • There may have been certain key words on a page you visited which triggered the ad generated on that page to send an ad for porn even though that page had nothing to do with porn. Or it may be that others who viewed that page also visited a porn site, or any number of reasons. That shows that targeted ads are still in an infantile stage of development. Bottom line: an ad is just an ad.

          • What do you mean by “others visited a porn site”? Who are the others? I am the only one using my PC.
