It can be done, but it might take effort.
Sadly, this is all too common. Malware can be pretty sophisticated, and it can work hard to prevent you from removing it. That means you may be blocked from downloading or running anti-malware tools, or be prevented from running tools already on your machine that might help.
I’ll save the “prevention is so much easier than the cure” missive for a moment. We just want this fixed.
There are things that we can try, but unfortunately, there are no guarantees.
Malware can interfere with your attempts to remove it. Start with Microsoft Defender Offline. If needed, move on to RKill, which kills much of the malware that may be stopping you and allows you to run the anti-malware tools you have. If that fails, try other anti-malware tools. If still unsuccessful, restore to the most recent image backup taken prior to the infection. When all else fails, the nuclear option of a reformat and reinstall is the most pragmatic, last-ditch effort.
The problem: when malware interferes
What you’re seeing is the malware on your machine actively watching for you to try to remove it and thwarting your attempts.
It’s watching for downloads that look like anti-malware tools, and web (or other) access that might be going to anti-malware sites. It’s even monitoring what programs you run. When it sees you doing anything that could lead to its removal, it steps in to cause the operation to fail or to redirect you to sites of its choosing.
You’d love to download and run up-to-date anti-malware tools, but you can’t.
So you have to get creative.
Run Windows Defender Offline
I recommend that you begin by running an offline malware scan. In previous versions of Windows, this involved downloading and running Windows Defender Offline [1], but it’s built into Windows Security in Windows 10.
Click the Start button and search for “offline scan”. Click on Virus & threat protection when it appears. Click on Scan options, select “Microsoft Defender Offline scan”, and finally click Scan now.
Your computer will reboot and run Microsoft Defender Offline.
Let the tool perform a thorough scan of your machine. Hopefully, it will detect and remove the malware that’s causing your problem.
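The same offline scan can be started from an elevated PowerShell prompt using the Defender cmdlets that ship with Windows 10 and 11. This is an added example, not part of the original article; it assumes Microsoft Defender is the active antivirus and the Defender PowerShell module is present. Checking the engine state and trying a signature update first is worth the extra seconds: if real-time protection has been switched off or the update fails to reach Microsoft, that is itself evidence of the interference described above.

```powershell
# Added example (not from the Ask Leo! article): the same offline scan started
# from an elevated PowerShell prompt using the built-in Defender module.
# Assumptions: Windows 10/11 with the Defender PowerShell module present and
# Microsoft Defender enabled as the active antivirus.

# Record the state of Defender before rebooting. A disabled real-time engine
# or very old signatures is a finding worth noting in its own right.
$status = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtection  = $status.RealTimeProtectionEnabled
    AntivirusEnabled    = $status.AntivirusEnabled
    SignatureAgeDays    = $status.AntivirusSignatureAge
    LastSignatureUpdate = $status.AntivirusSignatureLastUpdated
} | Format-List

# Try to refresh signatures first. If the malware is blocking access to
# Microsoft's update servers, this is where it will fail.
try {
    Update-MpSignature -ErrorAction Stop
} catch {
    Write-Warning "Signature update failed: $($_.Exception.Message)"
}

# Start the offline scan. The machine reboots into the Defender Offline
# environment almost immediately, so save your work before running this.
Start-MpWDOScan

# After the reboot, review what the scan found:
# Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending | Select-Object -First 10
```

If `Start-MpWDOScan` itself fails or the reboot never reaches the offline scanner, that is the point at which the RKill route below becomes the next step.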
If it doesn’t detect and remove it, or if you can’t run Windows Defender Offline, or if you just want to keep scouring your machine with additional tools, there are other tactics.
Temporarily kill the malware
One possible solution to the blocking problem is to temporarily kill the malware. This won’t remove it, but it may allow you to download tools that will.
The folks at BleepingComputer.com have created a tool called RKill that does exactly that [2]. You may need to download RKill on another machine (because it may be blocked on the infected machine), but you can copy it to your machine using a USB thumb drive.
You may also need to rename RKill.exe to something else (like “notRKill.exe” or “leo.exe”). Once again, malware may be paying attention to the name of every program being run and may prevent the software from running if it recognizes the name.
Run the program, and do not reboot. Rebooting will “undo” the effect of having run RKill. Any malware RKill killed will return if you reboot.
Download and run Malwarebytes Anti-Malware
With the malware temporarily killed, you may be able to download and run anti-malware tools.
Malwarebytes Anti-Malware is currently one of the more successful tools at identifying and removing the types of malware we’re talking about here.
Download the free version, install and run it, and see what turns up. Once again, you may need to download the tool on another machine and copy the download over, as you did with RKill.
Try other tools
After running RKill, you may (or may not) be able to run some of the other tools the malware was blocking. You can try your already-installed anti-malware tools, registry-editing tools, Task Manager, Process Explorer, and others.
You can also try your other anti-malware tools. Either they will be able to download an update that catches this problem, or you can download another tool that will.
But in general, my money is on Malwarebytes.
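While RKill's effect lasts (that is, before any reboot), a quick triage pass of what is actually running helps decide which tools to try next. The following is an added example, not from the original article or from the RKill or Process Explorer projects; it reproduces from PowerShell the kind of check Process Explorer's "Verified Signer" column gives you, and assumes an elevated prompt on a supported Windows 10 or 11 build.

```powershell
# Added example (not from the Ask Leo! article): list running processes with
# their executable path and Authenticode signature status, then highlight the
# unsigned ones running from user-writable locations. Run after RKill and
# before rebooting, since a reboot undoes RKill's effect.
# Assumption: elevated PowerShell on Windows 10/11.

$report = foreach ($p in Get-Process) {
    # Protected and system processes may hide their path from a normal query;
    # report those as 'n/a' rather than silently skipping them.
    $path = $p.Path
    if (-not $path) {
        [pscustomobject]@{ Name = $p.Name; Id = $p.Id; Path = 'n/a'; Signature = 'unknown'; Signer = '' }
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name      = $p.Name
        Id        = $p.Id
        Path      = $path
        Signature = if ($sig) { $sig.Status.ToString() } else { 'unknown' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# Unsigned binaries under Users, ProgramData or Temp are the ones to look at
# first; legitimately installed software usually lives under Program Files
# or the Windows directory.
$suspect = $report | Where-Object {
    $_.Signature -ne 'Valid' -and
    $_.Path -match '\\(Users|ProgramData|Temp)\\'
}

$suspect | Sort-Object Path | Format-Table Name, Id, Signature, Path -AutoSize

# Keep the full list so it can be compared with a second pass after cleanup.
$report | Export-Csv -Path "$env:USERPROFILE\Desktop\process-triage.csv" -NoTypeInformation
```

An unsigned process is not proof of malware (plenty of small legitimate programs are unsigned), but a short list of unsigned binaries in temporary or profile folders is a good place to point Malwarebytes or a second scanner, and the saved CSV lets you confirm after cleanup that those processes are gone.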
What if nothing works?
If none of what I’ve discussed so far works, then things get complicated.
You may consider these options:
- Boot from another bootable antivirus rescue CD. Several anti-virus vendors offer one. If you have a favorite anti-malware vendor, check with them to see if they provide a bootable scanning solution. These are interesting because they boot from the CD or USB, not your hard drive. That means the malware doesn’t have a chance to operate and block you. You can then run a scan of your hard disk and hopefully clean it off.
- Remove the hard disk and place it in or connect it to another machine. Hardware issues aside, this needs to be done with care to prevent the malware from spreading. Just like booting from that CD, however, this boots from the other machine’s installation, not yours. You can then run anti-malware tools against your drive and hopefully clean it off.
Restore from backup
One of the best — and often quickest — solutions is to restore your machine using a recent image backup.
Assuming you have one, of course.
Regular backups are wonderful for this. They return your machine to the state it was in prior to the malware infection. It’s as if the infection never happened.
This is one reason why I so often harp on backing up.
It does have to be the correct type of backup: a full-system or image backup. Simply backing up your data will not be helpful in a scenario like this unless you are forced to take the final solution (see below).
For the record, my opinion is that Windows’ System Restore is pretty useless when it comes to malware infections (assuming System Restore hasn’t already been completely disabled by the malware). Give it a try if you like, but I don’t have much hope for its success.
The final solution
That sounds dire because it is.
As I’ve mentioned before, once it’s infected with malware, your machine is no longer yours. You have no idea what’s been done to it. You also have no idea whether the cleaning steps you took removed any or all of the malware on the machine.
Even if it looks clean and acts clean, there’s no way to prove it’s clean.
You know it was infected, but there’s no way to know it’s not now.
The only way for you to know with absolute certainty the malware is gone is to reformat your machine and reinstall everything from scratch.
Sadly, it’s often the most pragmatic approach to removing particularly stubborn malware. Sometimes, all of the machinations we go through trying to clean up from a malware infection end up taking much more time than simply reformatting and reinstalling.
And reformatting and reinstalling is the only approach known to have a 100% success rate at malware removal.
If you don’t have a backup of your data, then at least copy the data off somehow before you reformat. Boot from a Linux Live CD or DVD if you must (Ubuntu is a good choice). That’ll give you access to all of the files on your machine and allow you to copy them to a USB device, or perhaps even upload them somewhere on the internet.
After things are cleared up and working again, take a few moments to consider how to prevent this from happening again, as well as what you can do to make the next time easier:
- See if you can identify how the infection occurred and then, to whatever extent you can, never do that again.
- Make sure you have the most up-to-date security measures to stay safe on the internet.
- Invest in a backup solution of some sort. Nothing can save you from more different kinds of problems than a regular backup.
As I said at the beginning, prevention is much, much easier than the cure.
Footnotes & references
1: At this update, many people are reporting issues with Windows Defender Offline being unable to update its malware database, and in turn being unable to actually run. I’m retaining this as my go-to recommendation in the hopes that Microsoft will soon fix the error. This article on Windows Defender Offline also includes alternative tools you can use that work similarly.
2: Be careful. At times, ads immediately above the download link look like the actual link to download the software. They are not. Be sure to grab RKill itself.