How do I remove malware?

Trying to remove malware? I'll walk you through the steps and options, from simple to hard, including the only approach that's guaranteed to work.

One question that shows up almost every day in the Ask Leo! inbox is how to remove malware.

Every day.

The scenarios may be different, but the problem is the same: a machine has been infected with spyware, a virus, or some other form of malware and that machine’s owner is having a tough time getting rid of it.

And it often happens with anti-malware software installed that “should” have taken care of it before it got to this stage.

Hopefully, that’ll never be you. If it is, let’s review the steps that I recommend for removing malware and reducing the chances that it’ll happen again.

A word about prevention

If there’s only one thing that I would have you take away from this article, it would be this:

Prevention is much less painful than the cure.

As we’ll see in a moment, the steps that may be required to remove malware can be painful and time consuming. While it sometimes might seem like work, keeping your machine and anti-malware software up-to-date, following internet “common sense,” and knowing how to stay safe on the internet is much, much easier in comparison.

So, let’s look at what to do when prevention has failed.

Backup

My strong recommendation is that you start by taking a complete image backup of your system.

Why would you want to backup a system that you know is infected with malware?

Because this backup is an “it-can’t-get-any-worse-than-this” fallback. Some of the techniques that we might use to remove malware can actually break things and make the situation worse instead of better. With this backup at the ready, you can always restore and start over with nothing lost.

Restore a prior backup

If you’ve been taking regular backups, this is often the most expedient step and can save a lot of time and energy.

Simply restore your machine completely from the most recent full system backup, plus any incremental backups, taken before the infection occurred. You can then carefully restore any late-changing data from the backup you took.

And, except for learning from the experience, you’d be done.

Unfortunately, most people don’t have this option available to them. Most people don’t begin backing up until after they’ve experienced data loss or a severe malware infection. One of the lessons they learn is that a recent backup is something that can save them from almost any problem – including malware.

Update the anti-malware database

If you have anti-malware software installed, make sure that it’s up-to-date. I’m talking about more than just the software itself, but the database of malware definitions.

Almost all anti-malware tools rely on a database of malware definitions, which needs to be updated regularly. New malware is constantly appearing, so that database of definitions needs to be updated often – at least daily.

Many programs do this automatically, but if for some reason yours does not, the program will not “know” about newer malware. Make sure the definition database is up-to-date before you scan.

Perform a full scan

Quite often, anti-malware tools will regularly perform a “quick” or fast scan. That’s typically quite sufficient for day-to-day operations.

But not today.

Fire up your anti-malware tools and run a full/advanced/complete scan of your entire system drive – typically the C: drive. If you have a single tool, that might be one run; if you use multiple tools, such as separate anti-virus and anti-spyware tools, then run a full scan with each. This may take some time, but let the tools do their job.

This also covers the case where your anti-malware tool’s automated scans have stopped for some reason. If this full scan discovers something, it is worth checking that the security software is still configured to scan automatically as well.

Try another anti-malware tool

No anti-malware tool catches all malware.

I’ll say it again: there is no single tool that will catch every single piece of malware out there. None. Some are better than others, some catch more than others, but none of them catch everything.

So as you might expect, trying additional reputable tools is a reasonable approach.

I recommend the free version of Malwarebytes’ Anti-Malware as the first tool to use. It has a reputation for removing some nasties that other tools apparently miss. Once again, run a full scan.

Regardless of which tool you select, I have to stress: stick with reputable tools. When a machine is infected, most people tend to panic and download just about anything that claims to be an anti-malware tool. Don’t do that. There are many less-than-reputable individuals out there ready to take advantage of your panic.

Do some research before downloading anything or you may well just make the problem worse instead of better.

Research specific removal instructions

If your anti-malware software tells you the name of the specific malware you’re dealing with, that’s good information even if it can’t remove it.

Search for that malware and you’re likely to find specific removal instructions at one or more of the major anti-malware vendor sites. These instructions can often be somewhat technical and intimidating, so take your time to follow them precisely or get a techie friend to help.

They’ll also often come with recommendations that indicate that the vendor’s software will remove the malware – for a price. As long as it’s an option (in other words, the manual removal instructions are provided), then it may be a viable alternative if the company is one you trust. On the other hand, if all you’re presented with is a promise and a price, I’d move on.

Some sites offer free tools that you can download to remove specific malware. Once again, use caution. When the tools are from reputable sources, they’re a quick way to avoid some hassle. When the tools are really just more malware in disguise, they’ll only make your problems worse.

If you download anything to help address the problem, make sure that wherever it is comes from, it’s an organization that you know and trust.

Surrender

This is the only sure-fire way to remove any virus. 100%. Guaranteed.

In fact, it’s the only way to know that you’ve removed a virus. Once infected, none of the steps above, aside from restoring to a backup taken before the infection, are guaranteed to remove the malware, even if they report that things are clean. Once infected, all bets are off. An infection could fool anti-malware software into thinking that everything is fine even when it’s not.

There’s just no way to know.

The only way to be absolutely positive that you’ve removed any and all viruses is:

  • Back up: If you haven’t already, back up the entire system. You’ll use this to restore your data after we’re done.
  • Reformat: Reformatting erases the entire hard disk of everything: the operating system, your programs, your data, and most important of all, any and all viruses and malware. This may be part of the next step as most Windows setup programs offer to reformat the target hard drive before installing Windows.
  • Reinstall: Yes, reinstall everything from scratch. Reinstall the operating system from your original installation media. (Or restore the system to an image backup you took when you got the machine to preserve the “factory original” state.) Reinstall applications from their original media or saved downloads.
  • Update: Update everything, in particular making sure to bring Windows as completely up-to-date as possible for the most current protections against all known and patched vulnerabilities. Applications, and particularly your anti-malware tools, should be updated as well.
  • Restore: Restore your data by carefully copying it back from the backups you created when we started. By “carefully,” I mean taking care to only copy what you need, so as not to copy back the malware.
  • Learn: Take stock of how this happened, what you might have done to get infected in the first place, and what might have helped you recover more efficiently. Consider instituting a frequent system backup.
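The hard part of the Restore step is deciding what is safe to copy back. As an added example (not code from the article or from Ask Leo!), here is a Python script that walks a backup folder, copies back only recognised data files, and reports everything it refused: executables, scripts, double-extension names such as photo.jpg.exe, and autorun.inf. The extension lists, folder names and sample files are assumptions constructed for the demonstration.

```python
"""Selective data restore after a reformat-and-reinstall.

Added example for this article. The extension lists are a starting point,
not a complete catalogue; the sample backup in demo() is constructed data.
"""
import shutil
import tempfile
from pathlib import Path

# Data that a restore should carry back (assumption: extend for the files you keep).
DATA_EXTENSIONS = {".txt", ".csv", ".pdf", ".docx", ".xlsx", ".jpg", ".jpeg", ".png", ".mp3"}
# Anything that can run code: reinstall from original media instead of restoring it.
CODE_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".msi", ".bat", ".cmd",
                   ".ps1", ".vbs", ".js", ".jar", ".hta", ".lnk"}
# Names refused outright; autorun.inf is how removable-media malware auto-launches.
DENY_NAMES = {"autorun.inf"}


def classify(relpath: str) -> str:
    """Decide what to do with one file from the backup.

    Returns 'restore', 'skip-code', 'skip-disguised' or 'skip-unknown'.
    """
    name = Path(relpath).name.lower()
    if name in DENY_NAMES:
        return "skip-code"
    suffixes = Path(name).suffixes          # photo.jpg.exe -> ['.jpg', '.exe']
    if not suffixes:
        return "skip-unknown"
    last = suffixes[-1]
    if last in CODE_EXTENSIONS:
        # A data extension in front of the real one relies on Windows hiding
        # known extensions, so "holiday.jpg.exe" displays as "holiday.jpg".
        if any(s in DATA_EXTENSIONS for s in suffixes[:-1]):
            return "skip-disguised"
        return "skip-code"
    if last in DATA_EXTENSIONS:
        return "restore"
    return "skip-unknown"                   # review by hand before copying


def selective_restore(backup_root, dest_root, dry_run: bool = False) -> dict:
    """Copy only 'restore' files from backup_root into dest_root; report the rest."""
    report = {"restore": [], "skip-code": [], "skip-disguised": [], "skip-unknown": []}
    backup_root = Path(backup_root)
    for path in sorted(backup_root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(backup_root).as_posix()
        verdict = classify(rel)
        report[verdict].append(rel)
        if verdict == "restore" and not dry_run:
            target = Path(dest_root) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)      # bytes and timestamps only; nothing is executed
    return report


def demo() -> dict:
    """Build a constructed sample backup in a temp dir and run the restore over it."""
    sample = {                              # constructed, not real user data
        "Documents/budget.xlsx": b"xlsx-bytes",
        "Documents/notes.txt": b"notes",
        "Pictures/holiday.jpg": b"jpeg-bytes",
        "Pictures/holiday.jpg.exe": b"MZ-disguised",
        "Downloads/setup.exe": b"MZ-installer",
        "Downloads/helper.vbs": b"WScript.Shell",
        "USBstick/autorun.inf": b"[autorun]",
        "Misc/unknown.dat": b"???",
    }
    with tempfile.TemporaryDirectory() as tmp:
        backup, dest = Path(tmp) / "backup", Path(tmp) / "restored"
        for rel, data in sample.items():
            target = backup / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        report = selective_restore(backup, dest)
        # What actually landed on the rebuilt machine.
        report["copied"] = sorted(p.relative_to(dest).as_posix()
                                  for p in dest.rglob("*") if p.is_file())
    return report


if __name__ == "__main__":
    for verdict, files in demo().items():
        print(f"{verdict:15s} {files}")
```

Run it with `dry_run=True` against a real backup first to see the report before anything is copied; files listed under skip-unknown are the ones to look at by hand.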


It’s not your fault (but it is your responsibility)

By now, I hope you can see why prevention is so much less painful than the cure.

Taking a few extra steps to keep things up-to-date, avoiding those cute virus-laden downloads and attachments, and just generally learning how to stay safe is much easier than the recovery process that I’ve just outlined.

And having backups can make the recovery process as close to painless as possible if you do get infected.

Yes, it’s not your fault, but it is your responsibility to do the basics to stay safe when you use your computer.

In an ideal world, we’d never have to worry about malware or the “bad guys” trying to fool us into doing things we really shouldn’t. But you already know that this isn’t an ideal world; software isn’t perfect and never will be. There will always be someone out to scam the vulnerable.

Even though it’s not your fault, you still need to be the one to get educated and take the steps needed to stay safe.

Right or wrong, it’s just a practical reality.

This is an update to an article originally posted July 16, 2009.

Comments

  1. Robin

    The free version of Malwarebytes is very good – I’ve never used the paid-for version and have successfully cleared all sorts of problems for clients.

  2. A.M.

    The reformat has one tricky part — If the virus gets into the boot sector, a quick format usually won’t dislodge it.

    For that, you have to zero out the drive — using DBAN or something similar.

  3. Michael

    Malwarebytes is in fact free, and a GREAT removal program. The only things extra you get from the paid version are real-time protection and automatic updates. But with the free version, you can just easily hit the Update button to get all the definitions, and use the On-Demand scans.

    -Mike

  4. Steve Garza

    I had a very bad piece of spyware/malware on my computer and went to Microsoft security update and downloaded the OneCare software online. Yep! This did the trick. It killed it. Thank you, Microsoft.

  5. Carl R. Goodwin

    The only way to truly get rid of a virus is to fully reformat the machine. I keep all my data on an external drive, and anything that I download is on my main drive first. That way, my data is never affected. Backup of course anyway though.

  6. bk

    My external hard drive; can it be infected too? Will moving material back and forth re-infect the re-programmed computer?

    It is possible, yes. Some malware can, and does, spread through external and portable drives.

    Leo
    18-Nov-2009

  7. lol

    The only way to remove a virus fully is to format your hard drive.

    I do believe the article you commented on said something almost exactly like that.

    Leo
    13-Jan-2010

  8. Chris

    First, I would run my anti-virus program, then choose “check for updates” to make sure that it is, then choose “complete system scan” or “full system scan” to see if it finds anything. Then try an adware scanner. Ad-Aware has a pretty good one you can use manually for free. You do have to buy it if you want continuous automatic protection.

  9. johnpro2

    Reformatting and reinstalling often works out quicker in the long run and gives a very satisfying feeling of victory.
    The only weakness is any reinstalled data .. only do this for critical stuff, otherwise you have a higher risk of reinfection.
    Jp

  10. Brian

    I have a virus that won’t allow me to do anything on the computer anymore, once it is up and running. How do I get to the point of reformatting and reinstalling? Don’t I need a boot disk or something?

  11. Andrew

    Good article Leo, very informative. From this article can you please tell me in more detail the steps I need to take from “The only way to be absolutely positive that you’ve removed any and all viruses is: backing up the computer down to restoring the data.” I need a step by step explanation about how to do that. cheers.

  12. Judi

    A few months ago I got an Antivirus Program pop-up and it took over my computer completely. Every single program I clicked on said it had a trojan. It recommended that I purchase their antivirus program to remove the virus (they installed!). They even sent an official-looking Microsoft screen that recommended I buy their program. After 5 hours of trial, error and tears, the easy solution was to reboot in Safe Mode and then choose “no” at one point so I could go to System Restore while in Safe Mode. I then selected the first date and time (yesterday) when I didn’t have this infection to restore my computer to. I let the computer do its restoration and it automatically rebooted, and my computer was clean and working perfectly again. SAFE – EASY – EFFECTIVE SOLUTION! It’s been fine for months now. I hope this helps others.

  13. I am not Leo too

    Forgot situations where you get your BIOS flashed. :) There are viruses that infect the BIOS too. :) You can’t reformat the drive for those.

  14. johnpro2

    The guy in the computer shop said BIOS virus infections are very rare because not many folk use floppy disks anymore. This is where most of them used to be introduced many years ago .. as I recall.

    Jp

  15. robin

    I am an XP user, but recently I was infected by a virus. I already have Avira and it is already updated, but it can’t do anything. What it did in my PC is like this: I am working but suddenly everything closes and I don’t get time to save, and when I turn on Task Manager I get JIBANU.exe. What can I do?

  16. Carlos Coquet

    When viri disable the Task Manager and don’t allow using RegEdit, I have often had success using a third party registry editor. However, occasionally, a virus may monitor the Registry value and set it right back to disable the T M right after you change it.

  17. Johan

    Leo,

    You say:

    “The only way to be absolutely positive that you’ve removed any and all viruses is:
    * Backup […]
    * Reformat […]
    * Reinstall everything, from scratch […]
    * Update everything […]”

    Fine … … were it not for the following:


    “* Restore your data by carefully copying it back from the backups you created. By “carefully” I mean taking care to only copy what you need, so as not to copy back the virus.”

    This is the catch.

    For how could one possibly “only copy what you need, so as not to copy back the virus” ???!!!

    Malware could lurk inside a data file that appears legitimate. How do I know that it is not hiding inside any one among hundreds of those nice photo images that I had downloaded over the web a long time ago? … …

    Johan

    A good point. Malware tends to infect executable files much more frequently than data files. (Infected photos are rare – possible, but rare.) Ultimately, though, the best way to deal with malware is to not get infected in the first place.

    Leo
    31-Dec-2010

  18. tim

    Also using Linux, a live CD, ClamAV. Am visually impaired, and one of my brother’s machines has the FBI ransomware malware on it and honestly, who knows what else, so safe mode isn’t an option. So, Linux to the rescue :) Most likely, Ubuntu, or GRML since I know the screen reader is built in. That’s another way of removing.

  19. BaliRob

    After a major collapse of my system caused by an electrical storm I have had to re-install 3 times from my LEGAL Windows XP CD. The first time I realised that the disc had been corrupted even though it was the first time since new (over 6 years ago) that it had been used. On that occasion I was able to download SP3 quite simply and not in ISO form – don’t ask me how but I am sure it was from MS. However, the first re-install was hopeless and it has taken two more re-installs to get an almost perfect situation with just the odd cursor freeze, shutdown failure and one or two different BIOS booting requirements – it seems to change its mind whether it wants F8, enable boot login, etc., etc. Still, that is a small price to pay for hours and hours without stalling or shutting down.

    The main problem is that it is impossible to get Windows Automatic Updates from a 2000 System with only SP2 installed. Also, MS now will only download SP3 by ISO. Every form of WinRAR, etc., all require a more updated Windows before helping me. I was able to burn the SP3 via Nero to a disc but, because of Windows’ intransigence, it cannot be read to my hard drive yet.

    I am shown as receiving Windows Updates according to my settings but nothing arrives at 3am. Their literature states that SP3 will be received by me automatically – SOME CHANCE !! The only Windows update I have received crashed my computer the moment I reached the Welcome screen.

    I have seen many people complaining that they cannot get Windows to install after a re-install – please, someone tell me what is going on. I am pretty certain that I do not have a virus or trojan aboard.

  20. johnpro2

    Since becoming a convert to Sandboxie, I & friends have not had malware infections.

    I often browse the web in an unsafe manner and open all email attachments without fear.
    Providing data is NOT saved outside the protective Sandbox, your computer will be protected …. Look up YouTube vids for more info and initial settings, which can sometimes be tricky for the newbie. Sandboxie is free but a 5 second nag screen will appear after 1 month .. no big deal though, just click and it goes away.
    http://www.sandboxie.com/

  21. frankone

    I use Malwarebytes (paid version). But I boot to the “C” prompt when Windows does not solve the problem. I go into the directory and run Malwarebytes from there. You can also run CCleaner, AVG, and the majority of anti-virus programs from the “C” prompt, but you have to go into that directory to run the executable file.

  22. RANDALL NELSON

    CAN SOMEONE PLEASE TELL ME WHY MY COMPUTER CRASHES ALL THE TIME? I CLEAN MY SYSTEM ON A REGULAR BASIS. I HAVE ALSO LOST SOME START-UP TONES, MY BACKGROUND TO MY DESKTOP IS FOR HIGH CONTRAST (blk. background) AND I CAN’T BRING IT BACK TO ORIGINAL, SO I CAN PUT MY OWN CHOICES OF DESKTOP ART ON MY SCREEN. YOU MIGHT HAVE FIGURED I’M COMPUTER ILLITERATE. I APPRECIATE ANY HELP OR TIPS YOU CAN GIVE ME. THANX

  23. Janet

    I use and frequently update the free versions of Avast, Malwarebytes, and CCleaner, and they seem to keep me in pretty good running order. Each month, just before I pay bills (i.e., go into just about all of the sites that deal with my financial info), I update and run a FULL scan with each of them. Given that the full scans take so much time, I run them at the same time, which they obviously allow me to do. Am I diminishing their effectiveness by failing to run each one individually? And if they should be run individually, is there a recommended order? Thanks for all the great info!

    • Mark Jacobs

      Running more than one disk-intensive operation like that can cause the programs to constantly swap disk usage and run slower than if they were run sequentially.

  24. Dave Hansen

    I have the free AVG trial. Would I have better luck by just buying a spyware CD from Best Buy for 50 bucks, and installing it immediately after a full system restore?

  25. Dave Hansen

    My laptop just dies at least once a day with the power plugged in. Then it takes me several tries to reset it by unplugging the power, removing the battery and holding the power button in for 10 seconds with the battery out, as per instructions. This is very annoying. Any suggestions?

    • This feels like a problem with the battery itself, or the power circuitry in the laptop. I’d probably see about getting it diagnosed and possibly repaired by a technician.

  26. Dave Hansen

    Is it normal for windows to “freeze you out” every morning around 4 am while “windows installs updates”? This process takes anywhere from 1 to 2 hours to do.
    The screen always says “don’t turn off your computer”. Is it actually uploading viruses?

  27. Dave Hansen

    Every time I open up Google the bar at the very top of the page completely fills up with about five or six different search engines, and they’re all spinning. Even if I go to tools to remove them, they still come back the next time. I just ran recovery disks two days ago. What did I do wrong? And why does every type of software available over the Internet seem to be connected to some kind of scam or virus?

    I downloaded Microsoft security essentials, Google, and OpenOffice, and that’s it.

    Also, my machine was locked up for three hours with this thing they call loading updates, “configuring service pack do not shut off your computer”

    Three straight hours of that, until finally I pulled the battery out of the back reset it and turned it back on again only to get another half an hour of this same thing?

    Any ideas at all, from anybody?

    • The only thing that strikes me as odd in your comment is that you downloaded “google”. Google isn’t something you download, it’s a web site you visit (unless you downloaded a specific Google product, in which case the name of the product would make more sense).

      Updates can take a while, yes.

      But it definitely sounds like there is malware on your machine – either it’s not getting cleaned off properly, or it’s coming back due to something else that’s happening.

  28. Marg

    I have fileparade bundle in my programs and don’t know how it got there. I want to uninstall it but it gives me a choice what to remove, Web Launcher, Adobe Flash Player 13 Active X, and Adobe Flash Player Plug In. Do I remove all ?

  29. Scoop

    Leo, thanks for the article :). I’ve been affected by malicious intrusions 2-3 times over the years. I’ve used cloning system restoration methods to recover from the intrusions.

    The last time I was affected by a malware intrusion, I removed my original HDD, and installed my cloned HDD. I was running as normal within minutes.

    Then I booted up on a Linux-based boot CD, such as “GParted” or something similar, to delete the partitions on the infected HDD.

    Then I booted up on one of my cloning/imaging tool CD’s and cloned back to my previously-infected HDD from my replacement HDD. Then I reinstalled my newly-cloned (my original HDD), and continued running my PC as normal.

    I clone my PC periodically, usually once every 2 weeks, so that I’ll have a spare HDD on the shelf to recover from malware and as protection against HDD failure.

    I also Image my HDD occasionally (full-HDD images) to an external storage HDD. The external HDD is connected to my PC only during Image processing. I keep it disconnected to isolate it as a protection against encryption ransomware, such as “Cryptolocker”.

    I prefer Cloning and full-HDD Imaging as malicious-content recovery methods since that eliminates the time required to scan and attempts to clean the infected HDD.

    For those with Desktop PC towers, if you have any expansion bays available, I’d recommend installing Sata Hot-Swap racks. They are great accessories that allow one to remove and install HDD’s in seconds without accessing the internal PC tower area.

    • Cloning is just a different style of image backup – somewhat more cumbersome in my opinion, but absolutely workable. And yes, restoring from a backup image (or clone) from before the infection happened is absolutely the best way to ensure you’re rid of it.

  30. Tony H

    All this talk about Back up and Restore. Yes, it is so important.
    However, since I have owned my first computer with Windows 3.1, no backup ever – I repeat EVER – worked after a serious computer crash.
    Regardless of software used.
    Nobody seems to post an article with real help for such an emergency.
    All articles here take for granted that your OS starts up OK.
    Of course it must do that to run Restore or File back up, as the Windows has to be operational to access your Restore points and drives the back up is stored on.
    So just happened that for no apparent reason my computer could not be re-started, wakened at all – Just black screen, no mouse pointer, no keyboard.
    I am fairly new to following your articles, so not sure if this is the kind of crash that you have not addressed before.
    But not new to serious computer crashes.
    No Windows running (any and all versions especially Windows 8 and 8.1- crappiest and most unstable op system to date.)
    Also my 2 Boot USB flash drives created by Backup software, and Windows specifically for this emergency, would not work.
    They were tested after creation and booted 2 computers just fine.
    Small detail: The computers were working just fine at the time, just the Boot drive was switched in BIOS from HD to USB.
    Please devote an article or two in depth to address this real problem, or send me a link where is the one I have missed.
    Another problem with many “help” articles is that they refer the victim to get/find help/solution online!!
    DUH – if your computer is dead – you do NOT have online. You are OFF line until your OS works.
    Mail the computer ASUS to factory for reinstalling the Windows 8 was the only option at the time.
    Also with this type of crash you have NO access to Cloud backup – you are completely and utterly isolated from the world you know.
    Thanks for taking time to read this, and I hope that you will post it.
    Best regards
    Tony H

    • Mark Jacobs

      Not really. Good backup software lets you download an iso file to create a bootable rescue disk or USB stick. This contains a copy of a program which can restore from your backup. When your disk is damaged, just boot from the CD and run the restore program.

    • “Of course it must do that to run Restore or File back up, as the Windows has to be operational to access your Restore points and drives the back up is stored on.”

      This is flat out WRONG. Two things:

      • Restore Points are not a system backup. They’re handy when they work, but in my experience they cannot be relied on. Please see https://askleo.com/why_i_dont_like_system_restore/
      • Good backup software like Macrium Reflect will allow you to create a bootable disk. You then boot from THAT disk and restore your entire system using a system image that was taken earlier. A system image taken by this type of software is the type of backup I’m constantly referring to. And there are several articles on Ask Leo! that show you exactly how to do this.

  31. Gary J

    I have an old XP desktop PC that I am trying to cleanup, so I can donate it. I want to uninstall all the applications, delete files, reformat and then reinstall Windows XP from the original CDs.

    I got to the point of formatting but got stopped there. When I go to the DOS prompt, it first asks for parameters for the “Format” command. I wasn’t sure about the parameters, so I just tried a few different ones. Every time, I get an error message that tells me the “volume is locked” and the command terminates.

    Can someone enlighten me on how to format the hard drive, before I have to resort to physical destruction on my drill press?

    • That’s correct – the fact that Windows is running FROM the drive means that it’s “in use” and cannot be formatted.

      Boot from the installation media for Windows – part of the install process will include the ability to reformat the drive.

  32. Florsi

    Don’t install the applications from saved downloads!!! These could be infected too (this is what got my PC down for the second time; I reinstalled an old download).

  33. Ray

    Can my recovery partition (D:) that comes installed on my laptop become infected with malware or a virus if the (C:) drive is infected?
    My laptop came with the hard drive partitioned with (C:) being the operating system and (D:) the Recovery. My question is, if (C:) gets malware or a virus, can that get into the Recovery Partition? Would it be safer to restore the laptop using the Recovery Disks than the recovery partition?

    • It is possible, yes. That’s one reason that I encourage backups to include the recovery partition, even though it’s not something you use day to day.
